The reign of bots

Paladion
By Paladion

June 1, 2006

I have often wondered how attackers get enough systems to mount Distributed Denial of Service attacks. How do they manage to time and control these attacks? In a typical Distributed Denial of Service (DDoS) attack, thousands of systems attack a victim and take it offline. Attackers first compromise a large number of machines and then setup backdoors on them. The backdoors listen for commands from their masters - they perform a coordinated attack at their master’s bidding. This network of compromised systems, working under a central command is called a ‘botnet’

I have often wondered how attackers get enough systems to mount Distributed Denial of Service attacks. How do they manage to time and control these attacks?

In a typical Distributed Denial of Service (DDoS) attack, thousands of systems attack a victim and take it offline. Attackers first compromise a large number of machines and then setup backdoors on them. The backdoors listen for commands from their masters - they perform a coordinated attack at their master’s bidding. This network of compromised systems, working under a central command is called a ‘botnet’.

In this article, we look this well coordinated network of zombie machines that have set alarm bells ringing on the Internet. In addition to DDosS attacks, botnets are used in a range of attacks today. We shall survey those too.

The Bot basics

“Bots” are short for robots. Bots or robots, in Internet parlance, are small utility programs that automate tasks, usually over the network. Bots have been around for a long time. System administrators first used bots to automate a number of mundane and repetitive activities. An example is a program that checks if the content of a website has changed and reports that to the website administrator.

Internet Relay Chat (IRC) a popular channel for chat uses bots to perform various activities. IRC bots are programmed to understand commands issued in the IRC channel and respond to it. For instance, when a user issues a command for the ‘message of the day’ (motd), there’s a bot working behind the scenes fetching and displaying the message.

Over time, bots have changed in nature. Their malicious capabilities have increased.  Today, there are bots of varying functionality and complexity. Some of the bots are coded in a modular fashion to enable other users to add functionality. Most bots are very simple and coded in C or C++. Perl or python are also used for creating bots. Note that bots themselves do not compromise a system. They are deployed after a machine has been compromised. Let’s turn to that next.

Roll out the Bots

A botnet is a network of victims with backdoors that can be remotely controlled. Most commonly, worms or virus are used to compromise the systems and deploy the backdoor or Trojan. A recent case was the use of the Beagle worm to install a botnet. Social engineering is another method, inviting innocent users to click on links that downloads and install a backdoor. The bots are often embedded inside popular downloads like picture viewers and underground file sharing software. Bots also find their way into through software cracks, downloadable music and porn.

Today home users are the most targeted segment for bots, thanks to the huge increase in the number of broadband connections. Home PCs are easy targets as many run Microsoft Windows, are rarely patched, and seldom use a firewall. Further, home users invest less time in securing their machines, and their security awareness is lesser. With the increase in broadband connections, we are seeing an increase in botnets too.

Control’em remotely

Once the bots are delivered to compromised machines, the bot originator want a mechanism to control these bots to act on his instructions. A command and control structure and protocol are required to achieve this. An IRC channel is the most commonly used structure. Once a bot is delivered, it connects to pre-defined IRC servers and waits for instructions. The bot might also download other files and updates from the server.

Where IRC is not used, the bot originator creates a simple control protocol for managing the bots. However, familiarity with IRC commands make IRC a favorite controlling structure with bot originators. IRC control channels also blend in with other IRC traffic, and is less likely to be detected as a botnet control traffic.

Increasing the power

A typical botnet consists of several ten thousand compromised machines, with multiple servers for redundancy! It is this staggering number that makes botnet a powerful force to reckon with. And it isn’t easy to destroy one even after it’s been detected. Responding to a botnet attack is difficult because these systems are spread across numerous organizations and home PCs. Stopping a few systems won’t break the botnet.

Botnets are also used to deliver updated new bots. This is quite easy, as today’s bots can download a file via HTTP and execute it. Thus, once a bot is installed on a compromised machine, the botnet operator can update the bots, adding more capability over time.

Botnet Attacks

Apart from DDoS, botnets are used for other attacks too. Botnets are increasing in reach and complexity. They are now involved in stealing sensitive information, identity theft, click-through frauds, and spam networks.

Distributed denial of service attacks

With the power of number, it is very easy for a botnet to create denial of service by choking the victim’s bandwidth. This is done by flooding the target with a large number of requests, TCP SYN packets or UDP packets. Even with a botnet of few thousand machines on broadband connections, an attacker can completely bring down the services of large organizations.

Bots also use application level attacks to cause denial of service. A common strategy is to request pages that retrieve a lot of data from the database. Even a few hundred bots requesting large queries can completely bring down a website.

Recursive HTTP-flood attacks, where the bots follow all links on a site recursively,  are another DDoS strategy.

Spam Networks

Some botnets specialize in spamming. They participate in spam networks in three ways. First, the large size of a botnet enables attackers to send massive amounts of bulk spam. Secondly, some bots implement a special function to harvest email-addresses from websites. Finally, we are seeing botnets involved in phishing – they either create and supply phishing mails, or deploy fake sites to trick phishing victims. All three attacks rely on the anonymity provided by the botnet.

Information capture

Some botnets are connected to packet sniffers, keyloggers installed on victims. These botnets pick up data such as usernames, passwords and other critical information useful for identify theft.  The botnet can sit undetected for a long period. When some useful information is captured, it is relayed to the botnet operators. With thousands of compromised machines, a lot of sensitive information can be picked up over time.

Click-through Frauds

A number of websites run various polls or Pay-per-Click advertising To prevent abuse, these websites usually restrict the number of clicks received from the same IP address. The botnet operators can use the botnet to click on these advertisements and polls. With a large network of bots, they can abuse the Pay-per-click scheme and destroy the credibility of the website.

Just plain nuisance

We have seen botnet operators create nuisance for websites just for fun. Filling lots of junk in feedback forms is the most common example. Palisade, for example, receives many of these visitors each day.

Defending against Bots

The news isn’t very good. There is no simple solution to destroy botnets. So long as vulnerable systems exist on the internet, botnets have an environment to thrive. Here are three areas to look at to protect against the menace of botnets:

  1. Increasing user awareness
  2. Improving network and server level controls
  3. Better patch management

Additional Reference


Tags: Features

About

Paladion