Low Profile Botnets

October 6, 2011, by | Start Discussion

 The term ‗Botnet‘ was sited frequently in headline news last year. It continues to dominate the ever changing threat landscape of cyberspace. Whether it is Conficker, Aurora, NightDragon or the latest ShadyRAT attacks, Botnets continue to haunt cyberspace.

With millions of such "Zombie" machines under its control, it is not difficult to see the criminal appeal of Botnets. From stealing your credit card or banking details to spamming, espionage, extorting money through DDoS (distributed denial-of-service) attacks – all that and more can now be carried out with just a few mouse clicks – thanks to DIY Botnet kits like Zeus/SpyEye.

Some of the Botnets attacks had reached such a large scale that it prompted the security industry to take up new initiatives to tackle such a problem on global scale. There was an industry-wide collaboration to share information about such threats. Botnet tracking websites like http://www.abuse.ch/ were set to monitor the Bots Control servers and ISP‘s were notified to take down such bot controlling servers. But not all Botnets are created equally and many with great potential do not spread as widely and become as popular. Some may even spread and yet remain under the radar by being silent, waiting for instructions to show their potential. While others that have a small Internet footprint might be useful as prototypes for future variants with more damaging consequences. As with the security industry, the bad guys also learn and resort to new tactics to make sure they stay one step ahead in this multi-million dollar underground market. There are many low profile ―Bot‖ malwares that may not infect on mass scale but do use some smart techniques to evade the detection.

A few days back, I stumbled upon one such interesting piece of malware – Win32/Mofksys.A, which according to Microsoft is a worm type of malware that spreads via network shares, removable drives, and by email. Initially it may seem as just another malware, but interestingly it is using Google‘s Code pages to host its Command and Control (C&C) infrastructure. Once executed, apart from doing all the nasty stuff, one of the activities of this worm is to fetch its configuration and component files. These are being stored with extension as .gif on Google Code servers.

While this is not new, using public services like Twitter, Facebook or Google for hosting the C&C is a great way to ensure that the controls channels stay low on the radar as well as away from content filtering software thus ensuring longevity of the malware. Another Trojan Win32.Katusha, a variant belonging to the famous Rouge or Fake Antivirus malware family, cleverly uses a

Figure 1: Win32/Mofksys worm using Google code pages


Figure 2: Katusha Trojan using DNS TXT Queries

DNS TXT query to hide its communication with its control servers and so does the latest Morto worm which is an ‗old school‘ worm designed to spread using Remote Desktop (RDP).

A DNS TXT record is rarely used DNS type which was designed to store human readable information for SPF (sender policy framework) records and to prevent emails from being faked or spoofed. Instead, the malware authors found an interesting way to make use of this facility by using it for their C&C. It allows text (up to 100 bytes) to be sent as part of DNS response which is good enough for the malware authors to send encoded commands to its bots.

Figure 3: Morto Worm using DNS TXT Query as a C&C channel

Normally, all perimeter devices like firewalls/IPS‘s would be configured to guard and inspect HTTP traffic but blindly allow any type of DNS queries to be sent out.

Using this technique allows the malware author to control vitually any machine even behind highly secured networks. Malware authors are quick to latch on to such ideas even if they are discussed casually on security forums.

Figure 4: Forum discussions on using DNS TXT Query for malware delivery

However, not all bot-authors are skilled professionals and sometimes, inexperienced script kiddies can cook up a decent sized Botnet with the help of few scripts, in hours. As is the case with backdoor Win32/Penepe.A which isn‘t more than a bunch of utilities and a VB script put together in a self-extracting archive to make the affected system act as a proxy.

Figure 5: Win32/Penepe – a self extracting archive of utilities

After digging a bit deeper into their server, I was surprised to find more than 400 active systems communicating with the C&C server, which is a pretty high number for such a trivially constructed bot.
So, not everything needs to be as sophisticated as a Conficker or a Zeus Trojan. Malware authors will always find new and innovative ways to make money and stay ahead in the arms race. With social networks and smart phones making their way in the cyber space and adding to the chaos, I would say this is just the beginning of Botnet (r)evolution!

A Threat research enthusiast who has been involved in the field of Network & Information security for more than 8 years with a career span that includes working on designing complex security solutions, Malware/Threat Research and performing security assessments. He extends his passion for Network Security through his blog - http://hypersecurity.blogspot.com/

Leave a Reply