Botnets

1
Botnets

• Adam Champion
• Derick Chan
• Matt Brand

2
What are Botnets?

• A botnet is
• A collection of software robots, or bots, which
  run autonomously
• A network of computers that uses distributed
  computing software
• A collection of compromised computers running
  bots via worms, Trojan horses, or backdoors under
  a command-and-control (CC) infrastructure that
  uses Internet Relay Chat (IRC) servers

3
How Botnets Work

• Botnet originator (bot herder, bot master) starts
  the process
• Bot herder sends viruses, worms, etc. to
  unprotected PCs
• Direct attacks on home PC without patches or
  firewall
• Indirect attacks via malicious HTML files that
  exploit vulnerabilities (especially in MS
  Internet Explorer)
• Malware attacks on peer-to-peer networks
• Infected PC receives, executes Trojan application
  ? bot
• Bot logs onto CC IRC server, waits for commands
• Bot herder sends commands to bots via IRC server
• Send spam
• Steal serial numbers, financial information,
  intellectual property, etc.
• Scan servers and infect other unprotected PCs,
  thereby adding more zombie computers to botnet

4
Communication with Bots

• Without bot communication, botnet would not be as
  useful or dynamic
• IRC servers are not best choice for bot
  communication
• Simpler protocol could be used
• However,
• IRC servers freely available, simple to set up
• Attackers usually have experience with IRC
  communication

5
Botnet, Bot Life Cycles

• Botnet Life Cycle
• Bot herder configures initial parameters
  infection vectors, payload, stealth, CC details
• Bot herder registers dynamic DNS server
• Bot herder launches, seeds new bots
• Bots spread, grow
• Other botnets steal bots
• Botnet reaches stasis, stops growing
• Bot herder abandons botnet, severs traces thereto
• Bot herder unregisters dynamic DNS server

• Bot Life Cycle
• Bot establishes CC on compromised computer
• Bot scans for vulnerable targets to spread
  itself
• User, others take bot down
• Bot recovers from takedown
• Bot upgrades itself with new code
• Bot sits idle, awaiting instructions

Source http//en.wikipedia.org/wiki/Botnet
6
Overview of Botnet Use

• Bots, botnets have many benign applications
• Search engine spiders that index websites
• Opponents in multiplayer games (e.g., Quake)
• However, malicious uses outweigh benign ones
• Malicious bot becoming redundant term, like
  malicious hacker

7
Malicious Botnet Uses

• Launch DDoS attacks against websites
• Facilitate extortion attempts
• Perpetrate click fraud by automatically
  clicking on ads
• Send large quantities of spam
• Record users keystrokes
• Collect user passwords, credit card numbers
• Steal business information, intellectual property
• Obtain, store, propagate warez

8
Brief History of Botnets, part 1

• First malicious use in early 2000s
• IRC users plagued by Global Threat bots (GT Bots)
  
• GT Bots disguise themselves as legitimate mIRC
  clients, hide in Windows system directories
• Social engineering involved, e.g., IRC ads to
  download software to protect yourself against
  viruses
• Bot herders used them to launch DDoS attacks
• 2001 Steve Gibsons site GRC.com suffered 3Mbps
  UDP, ICMP packet flooding attacks from
  Wicked-run botnet
• He blocked attack with packet filters on routers
• ISPs, law enforcement didnt helpnot enough
  damage!
• He tracked down original bot author on IRC to
  stop attack

9
Brief History of Botnets, part 2

• Botnet-driven (D)DoS attacks continue
• 2004 Gambling sites attacked, threatened by
  extortionists
• 2005 Bots spread adult spam with keylogger
  program
• 300,000 LexisNexis, credit-card accounts
  compromised
• Many victims did not (and do not) report attacks

10
The Tale of Blue Security

• Israeli security firm Blue Security made benign
  bot, Blue Frog, that sent opt-out messages to
  spammers
• 500,000 users signed up for the program
• 2006 one spammer launched DDoS attacks against
  Blue Frog servers, Blue Security itself
• Blue Security re-routed website to blog,
  bluesecurity.typepad.com
• Spammer launched DDoS attack against Six Apart
  (TypePads owner) and Tucows (Blue Securitys DNS
  provider)
• Blue Security came back online with aid of
  Prolexic, which protected gambling sites from
  extortionists DDoS attacks
• Spammer launched new DDoS attack against Blue
  Security
• Company forced out of business

11
2006 The Year of the Zombies

• 21-year-old Jeanson Ancheta receives 57-month
  Federal prison sentence for running botnet that
  infected over 400,000 computers
• 21-year-old Christopher Maxwell receives 37-month
  Federal prison sentence plus 3 years probation
  for running botnet that infected hundreds of
  thousands of computers
• Spam skyrockets in late 2006 due to botnets
• Symantec claims over 4.5 million compromised
  machines in first half of the year

12
2007 Year of the Botnet?

• Vint Cerf, co-inventor of TCP/IP, claims 100 to
  150 million of 600 million Internet-connected
  computers are part of a botnet
• Microsoft considers botnets 1 threat to its
  business, held secretive conference in January to
  address the threat
• Experts believe spam, viruses, spyware will
  converge
• Botnets play an increasing role in threat
  landscape
• Examples phishing spam delivered via botnets,
  spam via IM, VoIP delivered via botnets

13
Difficulties Taking Down Botnets

• No sure-fire way to take down a botnet
• Uninformed users can easily have an infected
  machine and not know it
• Hard to catch and prosecute, especially
  internationally
• Akin to Whac-A-Mole
• So many out there that only the big ones get
  dealt with, e.g., Ancheta and Maxwells botnets

14
Common-Sense Precautions

• Beware of files sent from unknown users
• Keep anti-virus and anti-spyware programs
  up-to-date and use them regularly
• Get critical application and OS updates
• Disconnect from network when not in use
• Be wary of HTML e-mails
• Send/receive mails as plaintext instead

15
Sandboxing

• Programs placed in a sandbox are restricted from
  making system changes or accessing personal
  information
• Use on high risk applications such as instant
  messengers and browsers
• Ex
• Amusts 1-Defender
• DropMyRights
• SandBoxIE

16
Network Monitoring

• Identify normal network behavior, then monitor
  any anomalous activity
• Is there traffic to servers outside the country?
• IRC chat traffic on high number ports?
• Only a means of detection, not removal
• Honeypots, honeynets may aid research and
  takedown efforts

17
Reverse Engineering

• Disassemble botnet code
• Can identify controllers IP address
• Locate system weaknesses
• Safely remove botnets
• Requires good knowledge of disassemblers,
  assembly language, and other low level concepts

18
DNS Management

• Botnets use DNS hosting services to point to IRC
  channels
• Domains are hardcoded into the bot
• Taking down the subdomains used by bots, you can
  cripple entire nets
• Nullrouting
• However, requires knowledge of which DNS host and
  domain name to take down
• Less effective than in past due to extremely
  redundant, distributed CC servers

19
The Future

• Botnets are becoming more modular, and thus
  resistant to takedown
• Becoming polymorphic as well
• Security evolving towards a holistic approach of
  combating botnets, phishing scams, etc.
• Unified security suites, like Symantecs Norton
  360, gain traction in the marketplace
• We are moving towards more open-source threat
  evaluation