Tuesday, 1 May 2012
Botnets Explained - Part 1
Botnets
The main drivers for botnets are recognition and financial gain.
The larger the botnet, the more ‘kudos’ the herder can claim to have
among the underground community. The bot herder will also ‘rent’ the
services of the botnet out to third parties, usually for sending out
spam messages or for performing a denial of service attack against a
remote target. Due to the large number of compromised machines
within the botnet, huge volumes of traffic (either email or denial of
service) can be generated. However, in recent times the volume of
spam originating from a single compromised host has dropped in order
to thwart anti-spam detection algorithms – a larger number of
compromised hosts each send a smaller number of messages in order to evade
detection by anti-spam techniques.
Botnets have become a significant part of the Internet, albeit
increasingly hidden. Due to most conventional IRC networks taking
measures and blocking access to previously-hosted botnets,
controllers must now find their own servers. Often, a botnet will
include a variety of connections and network types. Sometimes a
controller will hide an IRC server installation on an educational or
corporate site where high-speed connections can support a large
number of other bots. Exploitation of this method of using a bot to
host other bots has proliferated only recently as most script kiddies
do not have the knowledge to take advantage of it.
Several botnets have been found and removed from the Internet. The
Dutch police found a 1.5 million node botnet and the Norwegian ISP
Telenor disbanded a 10,000-node botnet. In July 2010, the FBI
arrested a 23-year old Slovenian held responsible for the malicious
software that integrated an estimated 12 million computers into a
botnet. Large coordinated international efforts to shut down botnets
have also been initiated. It has been estimated that up to one quarter
of all personal computers connected to the internet may be part of a
botnet.
Botnet lifecycle
* Bot-herder configures initial bot parameters such as infection
vectors, payload, stealth, C&C details
* Register a DDNS
* Register a static IP
* Bot-herder launches or seeds new bot(s)
* Bots spread
* Causes an increase of DDoS being sent to the slave
* Losing bots to rival botnets
Types of attacks
* Denial-of-service attacks where multiple systems autonomously
access a single Internet system or service in a way that appears
legitimate, but much more frequently than normal use and cause the
system to become busy.
* Adware exists to advertise some commercial entity actively and
without the user's permission or awareness, for example by replacing
banner ads on web pages with those of another content provider.
* Spyware is software which sends information to its creators about a
user's activities – typically passwords, credit card numbers and
other information that can be sold on the black market. Compromised
machines that are located within a corporate network can be worth
more to the bot herder, as they can often gain access to confidential
information held within that company. There have been several
targeted attacks on large corporations with the aim of stealing
sensitive information; one such example is the Aurora botnet.
* E-mail spam is e-mail messages disguised as messages from people,
but are either advertising, annoying, or malicious in nature.
* Click fraud is the user's computer visiting websites without the
user's awareness to create false web traffic for the purpose of
personal or commercial gain.
* Access number replacements are where the botnet operator replaces
the access numbers of a group of dial-up bots with a slave's
phone number. Given enough bots partake in this attack, the slave is
consistently bombarded with phone calls attempting to connect to the
internet. Having very little to defend against this attack, most are
forced into changing their phone numbers (land line, cell phone,
etc.).
* Fast flux is a DNS technique used by botnets to hide phishing and
malware delivery sites behind an ever-changing network of compromised
hosts acting as proxies.
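A defender usually spots fast flux from the DNS side: a hostname whose answers keep changing, spread across many unrelated networks, with a short TTL. The heuristic below is an added example, not part of the original post; the lookups are constructed from documentation address ranges, the /16 prefix is an offline stand-in for AS diversity, and the thresholds are assumptions to tune per environment. It also shows why low TTL alone is not enough, since CDNs look the same on that axis.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass
class Lookup:
    """One A-record query result for a hostname (constructed sample data)."""
    ttl: int
    addresses: list

def assess_fast_flux(lookups, ttl_threshold=300, min_ips=5, min_prefixes=3):
    """Heuristic fast-flux check over repeated lookups of one hostname.

    Fast-flux hostnames rotate through many compromised proxies in many
    different networks with short TTLs. A low TTL alone is not enough (CDNs
    do that too), so the host is flagged only when the TTL is short AND the
    answers span many addresses in several distinct networks.
    """
    unique_ips = set()
    prefixes = set()  # /16 prefixes: offline stand-in for AS diversity (assumption)
    for lk in lookups:
        for addr in lk.addresses:
            ip = ip_address(addr)
            unique_ips.add(ip)
            prefixes.add(ip.packed[:2])
    min_ttl = min(lk.ttl for lk in lookups)
    # Addresses introduced after the first lookup: the "ever-changing" part.
    churn = len(unique_ips - {ip_address(a) for a in lookups[0].addresses})
    suspicious = (min_ttl <= ttl_threshold
                  and len(unique_ips) >= min_ips
                  and len(prefixes) >= min_prefixes)
    return {"unique_ips": len(unique_ips), "unique_prefixes": len(prefixes),
            "min_ttl": min_ttl, "churn": churn, "suspicious": suspicious}

# Constructed lookups (RFC 5737/6598/1918 ranges; not real observations).
FLUX_LOOKUPS = [
    Lookup(180, ["192.0.2.15", "198.51.100.77", "203.0.113.9"]),
    Lookup(180, ["192.0.2.88", "100.64.3.4", "203.0.113.200"]),
    Lookup(180, ["198.51.100.5", "10.20.30.40", "100.64.9.9"]),
]
STATIC_LOOKUPS = [Lookup(3600, ["198.51.100.10", "198.51.100.11"])] * 3
# Low TTL but every address sits in one /16: looks like a CDN, not flux.
CDN_LIKE_LOOKUPS = [Lookup(60, [f"198.51.100.{i}" for i in range(20, 28)])] * 2

if __name__ == "__main__":
    for name, lks in [("flux", FLUX_LOOKUPS), ("static", STATIC_LOOKUPS),
                      ("cdn-like", CDN_LIKE_LOOKUPS)]:
        print(name, assess_fast_flux(lks))
```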
Preventive measures
If a machine receives a denial-of-service attack from a botnet, few
choices exist. Given the general geographic dispersal of botnets, it
becomes difficult to identify a pattern of offending machines, and
the sheer volume of IP addresses does not lend itself to the
filtering of individual cases. Passive OS fingerprinting can identify
attacks originating from a botnet: network administrators can
configure newer firewall equipment to take action on a botnet attack
by using information obtained from passive OS fingerprinting. The
most serious preventive measures utilize rate-based intrusion
prevention systems implemented with specialized hardware.
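The point of rate-based detection is that a botnet flood is visible in the aggregate even when no single source is noisy enough to filter on its own. This added example (not from the original post) buckets constructed log lines into fixed windows and flags windows where the total rate is high but every source stays under the per-IP limit; the log format, window size and limits are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def parse_line(line):
    """Parse one constructed log line: '<ISO-8601 timestamp> <src_ip> <path>'."""
    ts, src, path = line.split()
    return datetime.fromisoformat(ts), src, path

def rate_windows(lines, window_s=10):
    """Bucket requests into fixed windows -> {window_key: {src_ip: count}}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, src, _ = parse_line(line)
        buckets[int(ts.timestamp()) // window_s][src] += 1
    return buckets

def detect_distributed_flood(lines, window_s=10, total_limit=50, per_source_limit=10):
    """Flag windows whose aggregate rate exceeds total_limit while no single
    source exceeds per_source_limit, i.e. the case per-IP filtering misses."""
    findings = []
    for key, sources in sorted(rate_windows(lines, window_s).items()):
        total = sum(sources.values())
        top = max(sources.values())
        if total > total_limit and top <= per_source_limit:
            findings.append({"window_start": key * window_s, "total": total,
                             "sources": len(sources), "max_per_source": top})
    return findings

# Constructed sample log (hypothetical sources in 203.0.113.0/24, not real data).
BASE = datetime(2012, 5, 1, tzinfo=timezone.utc)

def _synth(offset_s, n_sources, per_source, first_host=1):
    lines = []
    for i in range(n_sources):
        for j in range(per_source):
            ts = BASE + timedelta(seconds=offset_s + j % 10)
            lines.append(f"{ts.isoformat()} 203.0.113.{first_host + i} /index.html")
    return lines

SAMPLE_LOG = (
    _synth(0, 5, 2)       # normal: 5 clients, 10 requests in the window
    + _synth(10, 30, 3)   # flood: 30 sources x 3 requests = 90, none noisy alone
    + _synth(20, 1, 60)   # one noisy source: per-IP filtering already handles this
)

if __name__ == "__main__":
    for f in detect_distributed_flood(SAMPLE_LOG):
        print(f)
```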
Some botnets use free DNS hosting services such as DynDns.org,
No-IP.com, and Afraid.org to point a subdomain towards an IRC server
that will harbor the bots. While these free DNS services do not
themselves host attacks, they provide reference points (often
hard-coded into the botnet executable). Removing such services can cripple
an entire botnet. Recently, these companies have undertaken efforts
to purge their domains of these subdomains. The botnet community
refers to such efforts as "nullrouting", because the DNS hosting
services usually re-direct the offending subdomains to an
inaccessible IP address.
The botnet server structure mentioned above has inherent
vulnerabilities and problems. For example, if one was to find one
server with one botnet channel, often all other servers, as well as
other bots themselves, will be revealed. If a botnet server structure
lacks redundancy, the disconnection of one server will cause the
entire botnet to collapse, at least until the controller(s) decides
on a new hosting space. However, more recent IRC server software
includes features to mask other connected servers and bots, so that a
discovery of one channel will not lead to disruption of the botnet.
Several security companies such as Afferent Security Labs, Symantec,
Trend Micro, FireEye, Simplicita and Damballa have announced
offerings to stop botnets. While some, like Norton AntiBot
(discontinued), are aimed at consumers, most are aimed to protect
enterprises and/or ISPs. The host-based techniques use heuristics to
try to identify bot behavior that has bypassed conventional
anti-virus software. Network-based approaches tend to use the techniques
described above: shutting down C&C servers, nullrouting DNS entries,
or completely shutting down IRC servers.
Newer botnets are almost entirely P2P, with command-and-control
embedded into the botnet itself. By being dynamically updateable and
variable they can evade having any single point of failure.
Commanders can be identified solely through secure keys and all data
except the binary itself can be encrypted. For example, a spyware
program may encrypt all suspected passwords with a public key
hard-coded or distributed into the bot software. Only with the private
key, which only the commander has, can the data that the bot has
captured be read.
Newer botnets have even been capable of detecting and reacting to
attempts to figure out how they work. A large botnet that can detect
that it is being studied can even DDoS those studying it off the
internet.
There is an effort by researchers at Sandia National Laboratories to
analyze the behavior of these botnets by simultaneously running one
million Linux kernels as virtual machines on a 4,480-node Dell
high-performance computer cluster.
- Leached from Ganja ツ and Wiki.
Later on I'll be posting some more info about Botnets. :)