Walk With-[Geeks]-

Botnets

The main drivers for botnets are for recognition and financial gain.

The larger the botnet, the more ‘kudos’ the harder can claim to have

among the underground community. The bot herder will also ‘rent’ the

services of the botnet out to third parties, usually for sending out

spam messages, or for performing a denial of service attack against a

remote target. Due to the large numbers of compromised machines

within the botnet huge volumes of traffic (either email or denial of

service) can be generated. However, in recent times the volumes of

spam originating from a single compromised host have dropped in order

to thwart anti-spam detection algorithms – a larger number of

compromised hosts send a smaller amount of messages in order to evade

detection by anti-spam techniques.

Botnets have become a significant part of the Internet, albeit

increasingly hidden. Due to most conventional IRC networks taking

measures and blocking access to previously-hosted botnets,

controllers must now find their own servers. Often, a botnet will

include a variety of connections and network types. Sometimes a

controller will hide an IRC server installation on an educational or

corporate site where high-speed connections can support a large

number of other bots. Exploitation of this method of using a bot to

host other bots has proliferated only recently as most script kiddies

do not have the knowledge to take advantage of it.

Several botnets have been found and removed from the Internet. The

Dutch police found a 1.5 million node botnet and the Norwegian ISP

Telenor disbanded a 10,000-node botnet. In July 2010, the FBI

arrested a 23-year old Slovenian held responsible for the malicious

software that integrated an estimated 12 million computers into a

botnet. Large coordinated international efforts to shut down botnets

have also been initiated.It has been estimated that up to one quarter

of all personal computers connected to the internet may be part of a

botnet.


Botnet lifecycle



* Bot-herder configures initial bot parameters such as infection

vectors, payload, stealth, C&C details
* Register a DDNS
* Register a static IP
* Bot-herder launches or seeds new bot(s)
* Bots spread
* Causes an increase of DDoS being sent to the slave
* Losing bots to rival botnets

Types of attacks

* Denial-of-service attacks where multiple systems autonomously

access a single Internet system or service in a way that appears

legitimate, but much more frequently than normal use and cause the

system to become busy.
* Adware exists to advertise some commercial entity actively and

without the user's permission or awareness, for example by replacing

banner ads on web pages with those of another content provider.
* Spyware is software which sends information to its creators about a

user's activities – typically passwords, credit card numbers and

other information that can be sold on the black market. Compromised

machines that are located within a corporate network can be worth

more to the bot herder, as they can often gain access to confidential

information held within that company. There have been several

targeted attacks on large corporations with the aim of stealing

sensitive information, one such example is the Aurora botnet.
* E-mail spam are e-mail messages disguised as messages from people,

but are either advertising, annoying, or malicious in nature.
* Click fraud is the user's computer visiting websites without the

user's awareness to create false web traffic for the purpose of

personal or commercial gain.
* Access number replacements are where the botnet operator replaces

the access numbers of a group of dial-up bots to that of a slave's

phone number. Given enough bots partake in this attack, the slave is

consistently bombarded with phone calls attempting to connect to the

internet. Having very little to defend against this attack, most are

forced into changing their phone numbers (land line, cell phone,

etc).
* Fast flux is a DNS technique used by botnets to hide phishing and

malware delivery sites behind an ever-changing network of compromised

hosts acting as proxies.


Preventive measures


If a machine receives a denial-of-service attack from a botnet, few

choices exist. Given the general geographic dispersal of botnets, it

becomes difficult to identify a pattern of offending machines, and

the sheer volume of IP addresses does not lend itself to the

filtering of individual cases. Passive OS fingerprinting can identify

attacks originating from a botnet: network administrators can

configure newer firewall equipment to take action on a botnet attack

by using information obtained from passive OS fingerprinting. The

most serious preventive measures utilize rate-based intrusion

prevention systems implemented with specialized hardware.

Some botnets use free DNS hosting services such as DynDns.org, No-

IP.com, and Afraid.org to point a subdomain towards an IRC server

that will harbor the bots. While these free DNS services do not

themselves host attacks, they provide reference points (often hard-

coded into the botnet executable). Removing such services can cripple

an entire botnet. Recently, these companies have undertaken efforts

to purge their domains of these subdomains. The botnet community

refers to such efforts as "nullrouting", because the DNS hosting

services usually re-direct the offending subdomains to an

inaccessible IP address.

The botnet server structure mentioned above has inherent

vulnerabilities and problems. For example, if one was to find one

server with one botnet channel, often all other servers, as well as

other bots themselves, will be revealed. If a botnet server structure

lacks redundancy, the disconnection of one server will cause the

entire botnet to collapse, at least until the controller(s) decides

on a new hosting space. However, more recent IRC server software

includes features to mask other connected servers and bots, so that a

discovery of one channel will not lead to disruption of the botnet.

Several security companies such as Afferent Security Labs, Symantec,

Trend Micro, FireEye, Simplicita and Damballa have announced

offerings to stop botnets. While some, like Norton AntiBot

(discontinued), are aimed at consumers, most are aimed to protect

enterprises and/or ISPs. The host-based techniques use heuristics to

try to identify bot behavior that has bypassed conventional anti-

virus software. Network-based approaches tend to use the techniques

described above; shutting down C&C servers, nullrouting DNS entries,

or completely shutting down IRC servers.

Newer botnets are almost entirely P2P, with command-and-control

embedded into the botnet itself. By being dynamically updateable and

variable they can evade having any single point of failure.

Commanders can be identified solely through secure keys and all data

except the binary itself can be encrypted. For example a spyware

program may encrypt all suspected passwords with a public key hard

coded or distributed into the bot software. Only with the private

key, which only the commander has, can the data that the bot has

captured be read.

Newer botnets have even been capable of detecting and reacting to

attempts to figure out how they work. A large botnet that can detect

that it is being studied can even DDoS those studying it off the

internet.

There is an effort by researchers at Sandia National Laboratories to

analyze the behavior of these botnets by simultaneously running one

million Linux kernels as virtual machines on a 4,480-node Dell high-

performance computer cluster.

- Leached from Ganja ツ and Wiki.


Later on i'll be posting some more info about Botnets. :)