This article covers sophisticated botnet attacks, whereby the attacked computer system becomes an attacker itself. Systems administrators and senior technology management staff that are aware of the modus operandi of botnets are best qualified to prevent their entry into a secured network. The article also discusses how FOSS systems ought to be protected from such attacks.
By Prashant Pathak
via OpenSource4u
The word botnet is derived from a network of robots. It is essentially a widespread collection of a large number of infected computer systems. Each infected system runs a piece of software called a bot. As shown in Figure 1, there is a bot-master system, which keeps track of the total number of machines infected and the tasks they should perform. For carefully choreographed attacks that need orchestration between millions of such systems, another layer of bot-managers is created too. These accept commands from the master, spread those commands to the bots, and report the number of infected systems under them. The bot-managers also send software patches to fix bugs or improve functionality, very similar to a security patch management system.
The bot-masters are controlled by the crackers who created this army. However, since the crackers are in hiding, the master system and the software running on it always operate in stealth mode. In a few recent botnet attacks, the bot-master delegated and rotated the master’s role between its bot-managers, making it extremely tough to detect. These role changes were further rotated based on the country they were present in. Usually, botnets are designed for a specific OS, and if they have to spread wider, botnets prefer Web code or the Java language to infect all possible OS platforms.
Now, let’s look into the internal operations of a typical bot. As shown in Figure 2, there are four main modules of a botnet. The command module sends commands to the child bots, whereas the control module controls the ownerships, deciding who should listen to whom. The infection module carries the important responsibility of finding non-patched servers in the network and infecting them with the most updated copy. The stealth module is essentially a set of software programs that do crucial jobs such as disabling anti-virus software, achieving root or kernel access, etc. It also ensures that its own footprint on the infected machine is invisible in terms of running processes and disk space, and keeps a watch on new anti-virus software being installed. In some cases, the stealth module and control module work together to fetch their most recent patch from the master or manager, and seamlessly upgrade themselves. Some stealth modules are also capable of erasing themselves with a self-destruct mechanism, or of shutting down the system to thwart aggressive detection techniques.
The way bots interact with the master or manager is very interesting too. All bots are given a unique identification number, which is usually a product of the infected system’s configuration and location, but not necessarily the IP address of the system. The master always has the most updated count of the identification numbers in use, and is capable of limiting or expanding the spread. Bots use a specific range of TCP ports; however, the exact port being used is picked randomly. It is always the duty of the bot to report to the master or manager the TCP port number it plans to use. This reporting occurs on every reboot of the infected system. In most cases, the inter-bot communications are Base-64 or MD5 encrypted, while in some cases a self-signed digital certificate is used too.
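The check-in pattern just described (a stable bot ID, a port picked at random from a known range, regular reporting to one master) is also what a defender can look for in connection logs. The script below is an added example, not code from the article: it runs over a constructed connection log with an assumed bot port range of 6000 to 6099, flags hosts that beacon regularly to one destination on rotating ports inside that range, and decodes the Base-64 payload to recover the announced ID. Base-64 is an encoding rather than encryption, so a monitoring script can decode it directly.

```python
import base64
import statistics
from collections import defaultdict

# Assumed port range for this bot family; the exact port is random but the range is stable.
BOT_PORT_RANGE = range(6000, 6100)
MIN_CHECKINS = 3    # fewer connections are not enough to call it beaconing
MAX_JITTER = 0.2    # pstdev/mean of the check-in intervals; low means regular

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample connection records: (epoch, src_ip, dst_ip, dst_port, payload).
# 10.0.0.5 checks in every ~800 s on a fresh random port it announces; 10.0.0.7 is ordinary HTTPS.
SAMPLE_LOG = [
    (1700000010, "10.0.0.5", "203.0.113.9", 6001, _b64("id=abc123;port=6001")),
    (1700000011, "10.0.0.7", "198.51.100.20", 443, _b64("GET / HTTP/1.1")),
    (1700000810, "10.0.0.5", "203.0.113.9", 6042, _b64("id=abc123;port=6042")),
    (1700001650, "10.0.0.5", "203.0.113.9", 6017, _b64("id=abc123;port=6017")),
    (1700001700, "10.0.0.7", "198.51.100.20", 443, _b64("GET /a HTTP/1.1")),
    (1700002430, "10.0.0.5", "203.0.113.9", 6088, _b64("id=abc123;port=6088")),
]

def decode_payload(payload):
    """Base-64 is reversible encoding, not encryption: decode and split key=value fields."""
    try:
        text = base64.b64decode(payload, validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a ValueError subclass
        return {}
    return dict(f.split("=", 1) for f in text.split(";") if "=" in f)

def find_beacons(records):
    """Return {(src, dst): bot_id} for hosts checking in regularly inside the bot port range."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, payload in sorted(records):
        by_pair[(src, dst)].append((ts, port, payload))
    hits = {}
    for pair, conns in by_pair.items():
        if len(conns) < MIN_CHECKINS or not all(p in BOT_PORT_RANGE for _, p, _ in conns):
            continue
        gaps = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
        if statistics.pstdev(gaps) / statistics.mean(gaps) > MAX_JITTER:
            continue
        ids = {decode_payload(pl).get("id") for _, _, pl in conns}
        if len(ids) == 1 and None not in ids:   # one stable bot ID across rotating ports
            hits[pair] = ids.pop()
    return hits

if __name__ == "__main__":
    for (src, dst), bot_id in find_beacons(SAMPLE_LOG).items():
        print(f"suspected bot {src} -> {dst}, id {bot_id}")
```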
The main purpose behind injecting a botnet into a system is to create an army of infected systems, also called zombies. The table below explains various types of botnets and the purpose behind injecting them into a network. The overall purpose behind such an attack is, ultimately, to disrupt computer systems or to steal data. Since a whole army of computer zombies is in action, the crackers can, unfortunately, succeed easily and quickly in their evil mission; planting a botnet attack is always a low-risk, high-profit job.
Botnet type: Purpose
DoSBot: DoS and Distributed DoS attacks using Layer 3 to 7 protocols
SpamBot: Email spamming by collecting address books
BrowseBot: Gather the user’s browsing trends and feed them into an advertisement network
AdSenseBot: Same as BrowseBot but targeted at Google AdSense
ChatBot: Collect chat transcripts to find the user’s chatting trends
idBot: Collect user ID and password information
CCBot: Collect credit-card information from e-commerce portal screens
PollBot: Manipulate online polls meant for products and services
BruteForceBot: Attack websites with TCP and application layer attacks
NetBot: Attack networks using Layer 2 and 3 protocols
How botnets are injected
In the early days of the Internet, a piece of bot code was developed to programmatically traverse multiple websites, and to gather and collate their contents to create meaningful data. While this method forms the heart of today’s search engines, it was tweaked at some point in the past by crackers to serve their purposes. Before discussing how botnets are injected, let’s understand why it is done. To make a website famous in a search engine, it is imperative to get lots of Web requests. This is especially true for websites that run advertisements and earn money for every click on a published advertisement. It is now possible to spread botnets across networks to access the page and programmatically click one or more advertisements on it. If such a campaign is carefully orchestrated, it is tough to figure out which click is legitimately initiated by a human being and which one originates from bot code. The website hosting firm, usually a cracker in such a case, can end up earning lots of money. In another type of attack called phishbots, an email campaign can be started to achieve similar results. This tells us that the effects of botnets go much beyond mere reputation or data loss.
Injecting a botnet is usually a very well-thought-out and strategic approach taken by the cracker. The process usually starts by infecting one or more systems, which are then responsible for replicating the malicious code on other machines, and eventually they cross the boundaries of the network to spread the infection to a wider global arena. In order to infect one system, the attacker needs to rely on multiple methods of intrusion. A very commonly used option is to lure a browser to a website with malicious JavaScript code, or a page written in a low-level scripting language such as Python. This script is merely a bootstrap, which executes and creates a stealth resource space on the machine. The script then connects to one or more Web pages of the same website, which contain the real payload of the botnet. The payload files are then downloaded and kept hidden in the stealth space. This payload contains all the modules explained above, which take control of the machine, and the machine is said to be infected at this point. Enhanced botnets do not require the machine to be rebooted, and are capable of turning the machine into a zombie the moment they are downloaded. Another famous injection method is to put the botnet’s malicious code in the form of installable files on a USB drive, and inject the code on a machine that allows easy physical access and is vulnerable or insecure. There are a few advanced methods, such as forcing a user to run a script sent as an attachment, or hiding the code in a music file and distributing it using peer-to-peer shares.
The process mentioned above is only possible when enough security measures are not in place. For example, a machine not running anti-virus software, or running with old or dated anti-virus definitions, can fall prey to this process easily. Similarly, an un-patched or improperly patched system or network can expose a lot of vulnerabilities that can be exploited. In the case of network perimeter defence, leaving security holes in a firewall configuration worsens the situation. As for servers, implementing insecure policies or measures that do not harden the server OS, or leaving application exploits unfixed, can cause damage. When dealing with Linux distros, exploits such as buffer overflows and remote command execution are usually used. Typical rudimentary methods such as sending phishing emails, spyware attachments, etc., are used to increase the spread. It is very important to remember that infecting one machine in a network is enough, because that machine, acting as a zombie, can easily replicate the botnet code to other machines in the same network.
Famous botnets
At this point, it is important to mention a few notorious botnets that are still tough to detect.
Conficker: Originally thought to be a virus, Conficker had built-in software routines that could allow the infected machine to be controlled remotely, making it a bot threat. While it was written for the Windows OS, a few variants were later created to infect UNIX and Linux systems too. It used the hidden file share vulnerability of Windows to get into the machine, and then turned it into a zombie to spread the infection further. With an infection count of over 10 million machines across the globe, Conficker is still found in systems that are improperly configured, or not protected by a strong perimeter defence system.
Mariposa: This botnet used spyware and malware as a vehicle to infect machines and install a payload of command and control centre modules. The purpose of Mariposa was to run in stealth mode, and keep an eye on passwords and credit card numbers being typed on the machine. It was also programmed to intercept browser requests and lure users to pages hosting updated copies of the botnet itself, as well as advertisement pages.
Srizbi: This botnet was specifically designed to create billions of spam email messages every day. It spread mainly via pirated and free software downloaded from the Net, turning multiple machines into zombies. It had a very small footprint, which made detection very difficult. It had a different control module, by which one infected server would be the owner controlling the zombie army, while other infected servers simply kept a watch on it and would take over if the controller server failed or shut down. Srizbi is known to have created massive email spam attacks, causing denial of service on mail servers.
BredoLab: This is the most recent botnet army, which infected over 20 million machines worldwide. While the main purpose was to create massive email spam, this botnet also incorporated spyware and viruses in its payload. It is known to infect various Linux distros, and to deploy root-kits on them to run in stealth mode. It was dismantled by law enforcement authorities, but is believed to still exist in the form of variants.
Protecting FOSS systems
As we learnt, botnets exploit all possible vulnerabilities and create their own eco-system for malicious purposes. While botnets are difficult to detect and tackle, there are a few preventive mechanisms that all network administrators should adopt in their infrastructure. The first and foremost is the perimeter defence system. A properly configured router and firewall must be in place, and the firewall should be configured with auto-updating anti-spam filters. As for physical security, disabling USB and CD drives would help to a great extent. It is important for Linux administrators to know that Linux distros are not immune to botnets, though the percentage of infection is somewhat lower than for Windows machines. For FOSS systems, performing a rigorous routine check for root kits and malware is a must. Linux systems, which typically host Web servers and FTP farms, are usually the first targets for deploying the payload. Strengthening and locking down file systems is advised too.
Attackers who plan to inject a botnet can use simple methods of breaking into authentication systems, via the SSH protocol or over the Web. Thus, using a strict and complex password scheme is very important. The common practice of running unnecessary services on a production Linux server should be discouraged, as it opens up stray ports that are left unmonitored and thus become a back-door for attackers. To summarize, cyber security is all about processes and practices, rather than just products. Hence, understanding how botnets attack is imperative for systems administrators to devise a security strategy based on their particular network scenarios.
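The two pieces of advice above, SSH logins that resist password guessing and no unnecessary listening services, can be checked mechanically on a Linux server. The script below is an added example, not from the article: it audits a constructed sshd_config fragment against an assumed policy (no direct root login, no password-only logins) and compares a constructed listening-socket table in the shape of `ss -H -tlnp` output with an assumed allow-list of ports, reporting every stray listener.

```python
import re

# Constructed sshd_config fragment (assumed for this example, not from the article).
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
"""

# Constructed listening-socket table in the shape of `ss -H -tlnp` output (assumed).
SAMPLE_LISTENERS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1201,fd=6))
LISTEN 0 128 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=1340,fd=4))
LISTEN 0 50 0.0.0.0:6667 0.0.0.0:* users:(("ircd",pid=2210,fd=5))
"""

# Assumed policy: only these ports may be exposed, and sshd must refuse direct root
# logins and password-only logins (the password-guessing route the article warns about).
ALLOWED_PORTS = {22, 80}
SSHD_EXPECTED = {"permitrootlogin": "no", "passwordauthentication": "no"}

def audit_sshd(config_text):
    """Return findings for sshd directives whose effective value differs from policy."""
    effective = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments; keep active directives
        if line:
            key, _, value = line.partition(" ")
            effective.setdefault(key.lower(), value.strip())  # sshd honours the first value
    findings = []
    for key, want in SSHD_EXPECTED.items():
        got = effective.get(key, "<default>")
        if got.lower() != want:
            findings.append(f"sshd: {key} is {got}, expected {want}")
    return findings

LISTEN_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"')
def stray_listeners(ss_output, allowed=ALLOWED_PORTS):
    """Return [(port, process)] for listening TCP sockets that are not on the allow-list."""
    strays = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(1)) not in allowed:
            strays.append((int(m.group(1)), m.group(2)))
    return strays

if __name__ == "__main__":
    for finding in audit_sshd(SAMPLE_SSHD_CONFIG):
        print(finding)
    for port, proc in stray_listeners(SAMPLE_LISTENERS):
        print(f"stray listener: port {port} ({proc})")
```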
About The Author:
Prashant Pathak has over 20 years of experience in the field of IT hardware, networking, Web technologies and IT security. For the past 11 years, he has worked at Merrill Lynch, New York. He has handled technology verticals such as solution architecture, operations and support, cyber security etc., and led a global team supporting mission-critical business applications running on a finance trading platform. Recently, Prashant started his own firm, Valency Networks, in India.