Malware Ecosystem: Botnet Introduction
Since the proliferation of viruses and other forms of malware, we've begun to see the beginnings of some frightening software behavior. Self-replication, self-preservation, and active attacks in response to attempts at detection—the malware ecosystem is starting to sound like a science fiction movie. Unfortunately, its real, and today's malware is actively evolving at alarming rates.
In this series of articles, we will explore today's most intriguing manifestation of advanced malware: the botnet. After this introduction to botnets, we will examine the client side, the server side, and finally some of the more interesting uses of the power a botnet provides.
A botnet is a group of computers that have been compromised, and run a remote control bot application. The bot herder will send commands to the droves of compromised systems, which will gleefully obey. Everyone knows what a botnet is by now, so let's move along.
Well-connected computers are generally the largest targets for botnet operators looking to expand their portfolios. University systems and even high speed broadband-connected PCs are constantly under attack, but these aren't the old school attacks of a few years ago, where a human was attempting some exploit. These are automated scanning and exploitation tools that run from existing botnets. Nobody on the Internet is exempt from these probes, but if a computer is compromised on a high-speed connection, it will fetch a higher price.
Bots are extremely valuable on the open market. Remember the attack on six of the root DNS servers back in February 2007? The DDoS was actually an advertisement; they didn't want to take down the Internet. Without a functioning Internet infrastructure, botnets aren't very useful. Bot herders (or maybe just one), decided to show the world how powerful they had become. Mass media happily obliged and provided tons of free advertising in the form of "the Internet is in danger" reports. If you're in the business of selling DDoS services, or extorting companies yourself, nothing could be sweeter than getting validated by, well, everyone.
Denial of service attacks aren't as useful as they once were, but apparently the threat is still capable of producing some extortion dollars. The biggest usage of botnets is for spam. Spam is still big business, even though people say they're fed up with spam. Similar to the existence of DDoS attacks, spam must exist because it's profitable. The use of blacklists and other dynamic spam fighting mechanisms have encouraged spammers to use botnets to send spam from millions of computers at a time. We'll get into the details of botnet spamming in the next installment of this series.
Botnets are also used for hosting Web sites for phishing attacks, which were likely initiated from a large spamming campaign on the same botnet. Bot herders quickly realized that Web sites hosted on compromised Web servers didn't last long because others on the Internet are quite good at reporting phishing sites. Herders took to finding a reliable bot client, and just hosting the site on the compromised machine. There haven't been any reports of dynamic DNS or proxy server involvement in hosting phishing or drug sales sites, but if these sites start getting identified too quickly (i.e. automatically by a smarter browser), botnets will easily adapt.
Last but not least in the laundry list of tricks, bot clients also act as a springboard for further attacks on neighboring computers. This is especially troublesome.
Many people wonder why Internet service providers can't just block "bot activity." The problem is that botnet command and control channels are no longer just IRC. Many corporate networks took to blocking IRC data to stop bot clients from calling home, effectively rendering the bot useless to the operator. The presence of IRC traffic was easily used to identify infected machines, as well. It took surprisingly long, but botnet developers have begun hiding their tracks.
Imagine if botnets started using HTTP, and encrypting their own data. We wouldn't be able to detect the presence of infection if antivirus software is unaware of a new virus, and we wouldn't even be able to cut off the command and control mechanism. Of course, botnet developers have started doing this.
Going one step beyond simply encrypting the data and making the old simple methods of detections useless, botnets have also begun using peer-to-peer technology. We may have thought that the whole command and control requirement for botnet existence was silly, but the fact is that it worked, and it worked extremely well. To continue expanding in the midst of botnets being spotlighted in mainstream media, botnets, of course, evolved. Peer-to-peer HTTPS traffic, completely indistinguishable from other Internet traffic—they've raised the bar quite high, this time.
Once one user on a network ignorantly becomes exploited, the bot client is running and as any security researcher will tell you, every host on that subnet should be considered hostile. If a bot herder does in fact has a 0-day exploit, neighboring hosts will certainly fall. Even without such a magic bullet, the fact remains that the local subnet is a very dangerous place to have an attacker. They can run man-in-the-middle attacks, masquerade as another host (including a router), and successfully execute every possible network-based attack you've ever heard about.
If a botnet cannot be detected, and we aren't foolish enough to think that antivirus companies are ever ahead of the real innovators, then there's only one thing left to conclude. We must get better at both operating system security and network security. That's not a dig at Microsoft; this is not just a Windows problem. Come back next week to find out why.