What are Botnets?

January 7, 2011


Introduction
Recently, Indian cinema experienced an unusual blend of technology and imagination: “Ro‘bot’s”. The superstar of the south was again at his best, and we could see an excellent combination of talent and technology.
But have you ever wondered, if this were to happen for real, what gave the things we saw their unusual strength? How could they multiply “1-2-ka-4” in number (or even more)? Execute the orders given to them with the greatest accuracy? Re-form even after being destroyed?
Well, this is a scenario we might well face in the near future, and it could be made possible by the evolution of a current technology called “Bots” or “Botnets”. So what exactly are bots/botnets?
Before we actually look at botnets, one needs some insight into the category to which they belong: malware.

Malware is any malicious computer program which, intentionally or unintentionally, causes harmful, irritating or unrecoverable damage to one’s computer systems. Malware can be categorised into several types, viz.
Viruses – file infectors, which insert/append code into the original code and execute when the file is accessed.
Worms – self-replicating programs which propagate through networks.
Trojans – programs which disguise themselves as normal programs but steal/sniff the victim’s data and send it to the attackers/infectors.
Rootkits – a sophisticated malware category, built for stealth against detection and for maximum damage.
Spyware – fake copies of original programs, which are not harmful in themselves but disguise themselves to open backdoors into the system for further attacks.
Ransomware – normally termed spyware, but specifically used for money laundering and economic fraud.
And of course, the newly evolving technique of bots/botnets.

So what exactly are Botnets?
A bot is a single system infected with malicious software/code; a collection of bots forms a botnet, which is controlled by the commands of the botnet controller.
The above description contains some specific terminology which needs to be understood in order to understand the working of botnets.
A botnet starts with malicious code written by the attacker. The attacker infects a single system/server with the code. This in turn is used by the attacker as a Command and Control (C&C) centre for further infection. The attacker here is often termed the “Botmaster”.

The Botmaster tries to install the malicious code on users’ systems by wooing them into accessing/downloading a fake file. Once a system is infected with the code, it tries to infect other systems connected to it. The infected systems are known as “Zombies”. Thus the infection spreads exponentially through the computer systems and an army of zombies is created.

All the zombies are connected to the attacker through a Command and Control centre (C&C). Using this, the attacker can send any commands to all the systems with which the connection has been established. All this happens with absolutely no knowledge on the part of the user.

When a botnet is being considered, some of the important aspects involved are:

  • Botnet Control Methodology,
  • Zombie Control Techniques,
  • Propagation Techniques,
  • Target Exploits and Attack Techniques,
  • File Delivery and
  • Deception Strategies used.

All the above points define the architecture of a Botnet.

Botnet Control Methodology :

When an attacker writes code to deploy a botnet, the attacker first needs a control mechanism to find victims, deploy the botnet and retain control over the infected systems. When botnets were first deployed, the only mechanism used was IRC (Internet Relay Chat) servers. IRC servers were one of the most vulnerable and easiest-to-use control mechanisms used by attackers to start a botnet. Attackers used to set up an IRC server and woo users into joining it. Once a user joined, attackers infected his/her system and deployed their stub for the botnet. Thus the infected system was turned into a zombie. Most of the botnets analysed to date used an IRC-based C&C mechanism, e.g. SDBot, Agobot, etc.
But to create more sophisticated botnets, attackers have already slowly moved on to P2P services, Dynamic DNS services, HTTP C&C, etc. One of the major advantages of these is that many organisations may not allow IRC connections into their network, but almost all allow services like HTTP.
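As an added illustration (not part of the original post, and not code from any botnet named here), the following Python script applies the two observations above to a constructed connection log: it lists internal hosts talking to the IRC default port, and it flags hosts contacting one web server at near-constant intervals, the “beaconing” that HTTP C&C produces and that ordinary browsing rarely does. The log format, the IP addresses and the thresholds are assumptions.

```python
"""Flag outbound connections that look like botnet C&C traffic.

Added illustration for this article, not code from the post or from any
named botnet.  Two heuristics from the text:
  1. Direct IRC use: outbound connections to the IRC default port 6667.
  2. HTTP C&C: a host "beaconing" to one web server at near-constant
     intervals, which a human browsing session rarely does.
The log lines are constructed sample data in a hypothetical
"timestamp src_ip dst_ip dst_port" format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

IRC_PORT = 6667      # default IRC port
HTTP_PORT = 80
MIN_BEACONS = 4      # fewer samples give an unreliable interval estimate
MAX_JITTER = 0.10    # std-dev / mean of the gaps; lower means more regular

# Constructed sample log: 10.0.0.5 beacons to one web server every 60 s,
# 10.0.0.7 talks to an IRC server, 10.0.0.9 browses at irregular times.
SAMPLE_LOG = """\
2011-01-07T10:00:00 10.0.0.5 203.0.113.10 80
2011-01-07T10:00:05 10.0.0.9 192.0.2.30 80
2011-01-07T10:00:09 10.0.0.9 192.0.2.30 80
2011-01-07T10:01:00 10.0.0.5 203.0.113.10 80
2011-01-07T10:02:00 10.0.0.5 203.0.113.10 80
2011-01-07T10:02:17 10.0.0.7 198.51.100.20 6667
2011-01-07T10:03:00 10.0.0.5 203.0.113.10 80
2011-01-07T10:03:40 10.0.0.9 192.0.2.30 80
2011-01-07T10:04:00 10.0.0.5 203.0.113.10 80
2011-01-07T10:05:02 10.0.0.9 192.0.2.30 80
"""


def parse_log(text):
    """Parse the constructed log format into (time, src, dst, dport) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def find_irc_connections(records):
    """Return sorted (src, dst) pairs that used the IRC default port."""
    return sorted({(src, dst) for _, src, dst, dport in records if dport == IRC_PORT})


def find_http_beacons(records, min_beacons=MIN_BEACONS, max_jitter=MAX_JITTER):
    """Return {(src, dst): mean gap in seconds} for suspiciously regular HTTP traffic.

    A pair is flagged when it has at least min_beacons connections and the
    gaps between them vary by no more than max_jitter relative to their mean.
    """
    times = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport == HTTP_PORT:
            times[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in times.items():
        stamps.sort()
        if len(stamps) < min_beacons:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("IRC connections:", find_irc_connections(recs))
    print("HTTP beacons:", find_http_beacons(recs))
```

On the sample data the IRC check names 10.0.0.7, and the beacon check names only 10.0.0.5 (mean gap 60 s, zero jitter); the irregular browsing from 10.0.0.9 has four connections but fails the jitter test. In practice the jitter threshold needs tuning, because some legitimate software (update checkers, monitoring agents) also polls on a fixed schedule.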

Zombie Control Mechanism :

To control the zombies, the attacker defines his own commands and protocols. Using these, attackers control the infected systems (zombies). Many known bots have their own set of commands to change passwords, download a file to the victim’s computer, upload logs from the victim and gather the victim’s sensitive information. Attackers change passwords or deploy a backdoor so that access can be maintained the next time. Attackers disable the antivirus software in order to avoid detection/removal from the system.

Propagation Techniques :

As mentioned earlier, once a system gets infected with the botnet, it can itself infect other machines connected to it.
For example, if one system gets infected, it tries to infect other systems connected to it. There are then two systems in total spreading the botnet.

Thus the botnet spreads exponentially. (Remember the movie scene where a snake-like thing spirals out from nowhere.) Attackers use different mechanisms for propagation. Attackers send emails to users and ask them to click on a malicious URL or to download a greeting/joke file.
An automated routine performs a vertical or horizontal scan to find open ports on a single address or across a range of addresses.
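As an added illustration, not from the original post, here is a Python classifier for the two scan shapes just mentioned, run over constructed connection attempts: a vertical scan (one source, one target, many ports) and a horizontal scan (one source, one port, many targets). The thresholds and addresses are assumptions; a real deployment would read flow or firewall logs instead of the inline sample.

```python
"""Classify connection attempts into vertical and horizontal port scans.

Added illustration for this article, not code from the post.  Terms as
used in the text: a vertical scan walks many ports on one address, a
horizontal scan probes one port across a range of addresses.  The events
below are constructed samples of (source, destination, destination port).
"""
from collections import defaultdict

MIN_PORTS = 10   # distinct ports on one target before we call it vertical
MIN_HOSTS = 10   # distinct targets on one port before we call it horizontal

SAMPLE_EVENTS = (
    # vertical scan: one source probing ports 20..40 on a single host
    [("10.0.0.5", "192.0.2.10", port) for port in range(20, 41)]
    # horizontal scan: one source probing port 445 across 192.0.2.1-15
    + [("10.0.0.7", "192.0.2.%d" % n, 445) for n in range(1, 16)]
    # ordinary browsing: a couple of servers on well-known ports
    + [("10.0.0.9", "192.0.2.30", 80),
       ("10.0.0.9", "192.0.2.31", 443),
       ("10.0.0.9", "192.0.2.30", 443)]
)


def detect_scans(events, min_ports=MIN_PORTS, min_hosts=MIN_HOSTS):
    """Return {"vertical": [(src, dst, n_ports)], "horizontal": [(src, port, n_hosts)]}.

    Counting distinct ports/hosts rather than raw events keeps a host that
    retries the same port many times from looking like a scanner.
    """
    ports_per_target = defaultdict(set)   # (src, dst)   -> ports tried
    hosts_per_port = defaultdict(set)     # (src, dport) -> targets tried
    for src, dst, dport in events:
        ports_per_target[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)

    vertical = sorted(
        (src, dst, len(ports))
        for (src, dst), ports in ports_per_target.items()
        if len(ports) >= min_ports
    )
    horizontal = sorted(
        (src, dport, len(hosts))
        for (src, dport), hosts in hosts_per_port.items()
        if len(hosts) >= min_hosts
    )
    return {"vertical": vertical, "horizontal": horizontal}


if __name__ == "__main__":
    for kind, hits in detect_scans(SAMPLE_EVENTS).items():
        print(kind, hits)
```

With the sample events, 10.0.0.5 is reported as a vertical scanner (21 ports on 192.0.2.10) and 10.0.0.7 as a horizontal scanner (15 hosts on port 445), while 10.0.0.9 stays below both thresholds. Because a zombie scanning its own subnet is exactly this pattern seen from inside, running such a check on internal flow data is one cheap way to notice a compromised machine before the C&C traffic itself is spotted.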

Target Exploits and Attack Techniques :

Most of the systems which fall prey to botnets are unpatched systems. Attackers try to exploit known vulnerabilities of a system. A specific botnet can be designed to exploit a specific vulnerability. In such cases, the attacker only changes the malware it drops onto the victim’s system. These kinds of botnets share the same basic architecture and hence are variants of their predecessors.

File Delivery :

By now it is quite clear that every botnet involves some kind of malware which is deployed onto the victim machine. When a system has been compromised, the attacker acquires sufficient rights and sends/downloads malware onto the victim machine. The attacker may use utilities provided by the IRC server for download/upload purposes.
The attacker may also use the HTTP/FTP protocols to send/receive files, depending upon the system’s vulnerabilities.

Deception Strategies :

For a long time, IRC-based bots could be used in a botnet without anything stopping them. But with the increase in awareness among people about botnets, it has become easier to detect compromised machines. Hence attackers have started to come up with more and more sophisticated techniques to avoid detection. Common methods used were:

  • disabling any AV programs found on the system,
  • disguising as a legitimate program,
  • deleting system logs, etc.

Now attackers are even trying to hide inside a system using rootkit technology. Rootkits are the most stealthy and undetectable malware. Attackers have been trying to incorporate this kind of technology to avoid detection.
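An added example (not from the post): a small Python check that looks for the first and third of those evasion moves in Windows event records, using the real event IDs 7036 (Service Control Manager reports a service state change), 1102 (the Security audit log was cleared) and 104 (an event log was cleared). The event records are constructed samples, and the list of watched service names is an assumption to be adapted to whatever products are actually installed.

```python
"""Spot "AV disabled" and "logs deleted" in Windows event records.

Added illustration for this article, not code from the post.  It relies on
three real Windows event IDs:
  7036  System log:   Service Control Manager, "The X service entered the Y state."
  1102  Security log: "The audit log was cleared."
  104   System log:   Microsoft-Windows-Eventlog, a log file was cleared
The records below are constructed samples; WATCHED_SERVICES is an assumed
list a defender would replace with the security services in their estate.
"""
import re

# Assumed display names of security services worth watching (adapt as needed).
WATCHED_SERVICES = {
    "Windows Defender Antivirus Service",
    "Example AV Realtime Service",   # hypothetical third-party product
}

# Constructed sample events, each already normalised to a small dict.
SAMPLE_EVENTS = [
    {"time": "2011-01-07T10:02:11", "log": "System", "id": 7036,
     "message": "The Windows Defender Antivirus Service service entered the stopped state."},
    {"time": "2011-01-07T10:02:12", "log": "System", "id": 7036,
     "message": "The Print Spooler service entered the running state."},
    {"time": "2011-01-07T10:05:40", "log": "Security", "id": 1102,
     "message": "The audit log was cleared."},
    {"time": "2011-01-07T10:05:41", "log": "System", "id": 104,
     "message": "The System log file was cleared."},
    {"time": "2011-01-07T10:06:00", "log": "System", "id": 7036,
     "message": "The Windows Defender Antivirus Service service entered the running state."},
]

# Shape of the 7036 message text; the service name may itself contain spaces.
_SVC_STATE = re.compile(r"^The (?P<name>.+) service entered the (?P<state>\w+) state\.$")


def find_evasion_events(events, watched=WATCHED_SERVICES):
    """Return (time, finding, detail) tuples for log clearing and stopped security services."""
    findings = []
    for ev in events:
        if ev["id"] == 1102 and ev["log"] == "Security":
            findings.append((ev["time"], "audit-log-cleared", ev["log"]))
        elif ev["id"] == 104:
            findings.append((ev["time"], "log-cleared", ev["log"]))
        elif ev["id"] == 7036:
            m = _SVC_STATE.match(ev["message"])
            if m and m.group("name") in watched and m.group("state") == "stopped":
                findings.append((ev["time"], "security-service-stopped", m.group("name")))
    return findings


if __name__ == "__main__":
    for finding in find_evasion_events(SAMPLE_EVENTS):
        print(*finding)
```

The check reports the stopped antivirus service and both log-clearing events, and ignores the Print Spooler and the later restart of the AV service. The important design point is that a cleared log is itself evidence: event 1102 is written to the fresh log after the clear, so the finding survives the action it describes, which is why forwarding events to a collector the zombie cannot reach makes the third evasion technique in the list above much less effective.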

All work and no play makes Jack a dull boy :

With all its strategies, techniques and its spread, what does a botnet do?

Typically, botnets evolved with a view to demonstrating the programming skills of their creators.
But with technological advances, botnets are now a lethal weapon for cyber criminals and hackers. Botnets are now used for:

  • DDoS
  • Spamming
  • Phishing
  • Financial Frauds
  • Identity Theft
  • Cheating in online games /polls
  • Click Frauds
  • Espionage

Botnets cause a significant amount of loss to an organisation which has been plagued by one. Once a system/network gets infected by the botnet, it no longer belongs to the user/owner. The attacker can have full control of the system and can perform all kinds of malicious activities using it. If the current scenario of terrorism is taken into consideration, botnets can be an important weapon for affecting a country’s stability and infrastructure.
According to recent observations, around 10,000 bot nodes are created per hour. Also, as stated in the Wikipedia page for Botnet, up to one quarter of all personal computers connected to the internet may be part of some botnet or other. There have been many attempts to bring down as many botnets as possible.
But as the old saying goes, “Prevention is better than cure”: it is always better to avoid getting infected than to detect and remove the infection afterwards. You never know how much damage has been done by the time it is detected.

  • Standard methods of computer security should strictly be followed in an organization.
  • Keep users well acquainted with the best security practices to follow at the workplace.
  • Even though content security products like AVs, IDS and IPS may not be able to detect newly emerging threats, it is still best practice to keep them updated.

And of course,

Pushkar, aka push, is a security evangelist working with a content security and anti-virus product company.
