Botnets: Battling the Borg of the Internet
Corey Nachreiner, CISSP
Network Security Analyst
November 2007
Botnets: The Borg of the Internet
• Alien race that forcefully assimilated others into their collective.
• All controlled remotely by one leader, the hive queen.
One of the Enterprise’s biggest threats.
Why Talk About Botnets?Bot Statistics Suggest Assimilation
• In 2006, Microsoft’s Malicious Software Removal Tool (MSRT) found backdoor trojans on 62% of the 5.7 million computers it scanned. The majority of these were bots.
• Commtouch found, 87% of all email sent over the Internet during 2006 was spam. Botnets generated 85% of that spam.
• Commtouch’s GlobalView™ Reputation Service identifies between 300,000 and 500,000 newly active zombies per day, on average.
• ISPs rank zombies as the single largest threat facing network services and operational security*.
* Worldwide Infrastructure Security Report, Arbor Networks, September 2007.
Agenda
Future of Botnets
Bot Powered Attacks
Bot Harvesting 101
Blackhat Bot Creation
What is a Botnet?
Avoid Assimilation: Botnet Defense
What is a Botnet?
What is a Botnet?Botnet Lingo Defined
A Botnet is a network of compromised computers under the control of a remote attacker. Botnets consist of:
• Botherder
The attacker controlling the malicious network (also called a Botmaster).
• Bot
A compromised computers under the Botherders control (also called
zombies, or drones).
• Bot Client
The malicious trojan installed on a compromised machine that connects it to the Botnet.
• Command and Control Channel (C&C)
The communication channel the Botherder uses to remotely control his or
her bots.
What is a Botnet?Visualizing a Botnet
What is a Botnet?The C&C Makes a Big Difference
• Theoretically, a botherder can use any communication or networking protocol he likes for his C&C server.
• Today, botherders primarily rely these three protocols for their C&C:
• Internet Relay Chat (IRC) Protocol
• Hyper-Text Transfer Protocol (HTTP)
• Peer-to-Peer (P2P) networking protocols.
What is a Botnet?Internet Relay Chat (IRC) Botnets
Until recently, IRC-based botnets were by far the most prevalent type exploited in the wild.
Benefits of IRC to botherder:
• Well established and understood protocol
• Freely available IRC server software
• Interactive, two-way communication
• Offers redundancy with linked IRC servers
• Most blackhats grow up using IRC.
What is a Botnet?Internet Relay Chat (IRC) Botnets (cont.)
Botherders are migrating away from IRC botnets because researchers know how to track them.
Drawbacks:
• Centralized server
• IRC is not that secure by default
• Security researchers understand IRC too.
Common IRC Bots:
• SDBot
• Rbot (Rxbot)
• Gaobot
What is a Botnet?HTTP Botnet Diagram
HTTP Post Command
to C&C URL
Polling MethodRegistration Method
What is a Botnet?HTTP Botnets
Botherders are shifting to HTTP-based botnets that serve a single purpose.
Benefits of HTTP to botherder:
• Also very robust with freely available server software
• HTTP acts as a “covert channel” for a botherder’s traffic
• Web application technologies help botherders get organized.
Drawbacks:
• Still a Centralized server
• Easy for researchers to analyze.
Recent HTTP Bots:
• Zunker (Zupacha): Spam bot
• BlackEnergy: DDoS bot
What is a Botnet?P2P Botnet Diagram
What is a Botnet?P2P Botnets
P2P communication channels offer anonymity to botherders a and resiliency to botnets.
Benefits of P2P to botherder:
• Decentralized; No single point of failure
• Botherder can send commands from any peer
• Security by Obscurity; There is no P2P RFC
Drawbacks:
• Other peers can potentially take over the botnet
P2P Bots:
• Phatbot: AOL’s WASTE protocol
• Storm: Overnet/eDonkey P2P protocol
Blackhat Bot Creation
Blackhat Bot CreationThree Steps to Building a Bot Client
The best way to understand malware is to see real world examples in action.
Steps include:
• Find bot source code
• Configure and compile the source code
• Pack & crypt the bot client (optional)
Blackhat Bot Creation1) Find Source Code
IRC bot source code is easy to find
• Just Google it.
• Underground forums sell / trade / share IRC botnet source.
HTTP botnet kits are harder to find
P2P bot source is rare commodity
I’ll focus on recent IRC bot source code
Blackhat Bot CreationA Quick Tour of IRC Bot Source
• Very Organized
• Modular design
• Script kiddie ready
Blackhat Bot Creation2) Configuring Your Bot Client
Blackhat Bot Creation3) Pack & Crypt Bot Client
Bot Harvesting 101
Bot Harvesting 101From Zero to Zombie Army in Three Steps
1. Prepare your C&C Channel
2. Draft your first zombie recruit
3. Leverage that zombie to help recruit more.
Bot Harvesting 101Preparing Your C&C
"By failing to prepare you are preparing to fail."— Benjamin Fanklin
The Basics
• Install your IRC Server
• Make sure its settings match your bot client
• Join your bot channel first to gain “ops.”
Extra Credit
• Modify your IRC server and channel to protect your botnet.
Bot Harvesting 101Drafting Your First Zombie Recruit
Like making your first million, drafting that first zombie victim is always the hardest.
Time to dust off your “l33t H@x0r” skills…
• Spam bot client attached to email
• Seed it as a fake, P2P music download
• Manually exploit remote vulnerabilities
• Host bot client of malicious Drive-by Download site
• Etc…
Bot Harvesting 101Drafting Your First Zombie Recruit
DEMO: Recruiting our first victim with a Drive-by Download
Bot Harvesting 101Leverage Your Bot to Recruit an Army
It only takes one seed to start a forest.
Now you have your first bot, you can leverage it to automate the attack
process and recruit more victims. Some popular automated harvesting
attacks include:
• Scan for local files shares
• Send malicious, booby-trapped spam
• SPIM
• Seeding fake P2P shares
• Hosting a malicious web sites
• Scanning for USB shares
• Automated vulnerability scanning (Massscan)
Bot Harvesting 101Scanning for Well-Known Vulnerabilities
Some common exploits in IRC bots:
• Windows DCOM RPC Interface buffer overflow
• Windows LSASS buffer overflow
• MS SQL Server buffer overflow
• Windows UPnP buffer overflow
• Windows Workstation service buffer overflow
• MS Webdav buffer overflow
• Windows ASN.1 integer overflow
• Windows Server Service (NetAPI) buffer overflow
• Symantec AV Remote Management buffer overflow
• RealVNC password bypass vulnerability
Botherder can add new exploits as they come out
Bot Harvesting 101Scanning in Action
Video DEMO:
What happens if a botherder named “Spike” leverages his first bot to scan a network of unpatched machines?
Bot Powered Attacks
Botnet Powered AttacksThe Ultimate Blended Threat
Botnets are like the Swiss Army knife of the malware world andbotherders have many blades to choose from.
You can separate a botnets many attacks into two general categories:
1. Attacks targeted toward the bot-infected victims
2. Attacks targeted toward others on the Internet
Botnet Powered AttacksTargeting Your Bots
• Install more malware
• Adware
• Spyware
• Ransomware
• Steal sensitive data
• CD Keys
• Emails and email addresses
• Various login credentials
• Password storage files
• Any file on the victim’s machine
• Enable various network services
• HTTP server
• FTP / TFTP server
• Sock proxy
• HTTP or HTTPS proxy
• Man-in-the-Middle (MitM) attacks.
• Redirect TCP traffic
• Redirect GRE traffic (PPTP VPN)
• Gain backdoor access
A: Once he has control of your computer, a botherder can do anything you can.
Q: A botherder has full control of each bot machine. What can you do to them?
Botnet Powered AttacksTargeting Your Bots (cont.)
• Spy on victims
• Keylog
• Packet sniff
• Capture screenshots
• Capture webcam images and video
Video DEMO:
Spike exploits Rxbot spying techniques.
(i.e. stupid script kiddie tricks)
Botnet Powered AttacksTargeting the World
With full control of a massive army of machines, the only limit to a botherder’s attack potential is his imagination.
• Distributed Denial of Service (DDoS) Attacks
• BlueSecurity
• Estonia
• Extortion of small businesses
• Spamming
• Email spam
• SPIM
• Forum spam
Botnet Powered AttacksTargeting the World (cont.)
• Phishing
• Use bots as malicious phishing web servers
• Use bots to spam phishing emails
• Click Fraud / Poll Manipulation
• ID Theft
• And more…
The Future of Botnets?
The Future of Botnets?Storm: A Sign of Things to Come
What started as an indistinct, unimpressive email worm, has grown into one of the more successful botnets ever seen.
Short History:
• Started as basic email worm
• Uses smart social engineering techniques
• Didn’t appear “wide-spread” early on
• However, Storm was quietly recruiting zombie machines
“230 dead as storm batters Europe.”
The Future of Botnets?Storm: A Sign of Things to Come
What’s futuristic about Storm:
• First real successful P2P Botnet
• Changes tactics and technology regularly, Polymorphic.
• Mature kernel rootkit technology
• Incorporates “Attack back” logic
• Uses “Fast Flux DNS” to hide.
The Future of Botnets?What’s Futuristic About Storm
How big is the Storm botnet:
• Estimates range from 160,000 to 50 million?
• Brandon Enright says Storm is dwindling
• No one really knows for sure.
Latest developments:
• Storm being segmented with 40-byte keys
• Neuters AV rather than killing it
• Sending Pump and Dump stock spam
• Recent Halloween ecard.
Avoid Assimilation: Botnet Defense
Avoid Assimilation: Botnet DefenseResistance is Not Futile
Three categories of Botnet Defense:
1. Keeping bot clients off your network
2. Bot detection and mitigation
3. Protecting your network from external botnet attacks.
Avoid Assimilation: Botnet DefensePreventing Bot Infections
Protecting your network from a botnet’s many attack vectors requires “Defense in Depth.”
• Use a Firewall
• Patch regularly and promptly
• Use AntiVirus (AV) software
• Deploy an Intrusion Prevention System (IPS)
• Implement application-level content filtering
• Define a Security Policy and share it with your users systematically
USER EDUCATION IS VITAL!
Avoid Assimilation: Botnet DefenseBot Search and Destroy
There is no infallible defense, so prepare for the worst.
• Egress filter with your firewall
Egress filtering allows you to muzzle some bots by preventing them from reaching their C&C.
• Monitor your network traffic regularly
• Establish a recognized baseline
• Use graphically traffic monitors
• “Ourmon” is a nice free tool that can help you detect bots.
• Stay current with botnet evolutions.
Avoid Assimilation: Botnet DefenseSurviving External Botnet Attacks
Even if you succeed at keeping bot infections off your network, you still have to contend with external botnets targeting you for attack.
How do you survive Distributed Denial of Service attacks?
• DDoS mitigation products only work so well
• Multiple ISP connections only help a little
• In the end, we need ISPs to help solve this problem.
How do your survive Spam and Phishing emails?
• Some spam blocking products well
• Commtouch offers a unique solution.
Avoid Assimilation: Botnet DefenseShare Your Knowledge
We will only defeat the ever-changing botnet threat if we come together as a security community, and share our information as far and wide as possible.
Download WatchGuard’s free botnet educational series:
FTP: ftp.watchguard.com
Login: botnetvideos
Password: Fr3e_V1de0s
or
FTP://botnetvideos:[email protected]
References:
1) Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. Botnets: The Killer Web App. Syngress Publishing, 2007.
2) Brandon Enright, UCSD ACT/Network Operations. Exposing the Stormworm. Toorcon, 2007
3) Dr. Jose Nazario. Botnet Tracking: Tools, Techniques, and Lessons Learned. Black Hat DC, March 2007.
4) Dr. Jose Nazario. Analyzing and Understanding Botnets. Arbor Networks, 2007.
5) Arbor Networks. Worldwide Infrastructure Security Report. September 2007.
6) Phillip Poras, Hassen Saidi, Vinod Yegneswaran. A Multi-perspective Analysis of the Storm (Peacomm) Worm. SRI International, October 2007.
7) Frank Boldewin. Peacomm.C: Cracking the nutshell. September 2007.
8) Andre Fucs, Augusto Paes de Barros, Victor Pereira. New Botnet Trends and Threats. Blackhat, Europe 2007.
9) Commtouch. Q3 2007 Email Threats Trend Report. October 2007.
10)Brandon Enright, UCSD ACT/Network Operations. Exposing the Stormworm. Toorcon, 2007
11)Gadi Evron. Estonia: Information Warfare and Lessons Learned. Blackhat, Las Vegas 2007.
12)Matthew Braverman of the Microsoft Antimalware team. Malicious Software Removal Tool: Progress Made, Trends Observed. Microsoft, November 2006.
13)Dr. Alan Solomon, Gadi Evron. The World of Botnets. Virus Bulletin, September 2006.
14)Paul Baucher, Thorsten Holz, Markkus Kotter, Georg Wicherski. Know Your Enemy: Tracking Botnets. Honeynet Project. March, 2005
Q&A…
Thank You!