Botnet Is Collection of Malicious Software Programs Or Robots, Or Bots, That Run Autonomously

INTRODUCTION

A botnet is a collection of malicious software programs, or robots ("bots"), that run autonomously and automatically on a machine without the user's knowledge. The bots hand control of the machine to their creator, called the botherder or botmaster, who uses the compromised system for malicious purposes without the user's knowledge.

Like many things on the Internet today, bots began as a useful tool without malicious overtones. Bots were originally developed as a virtual individual that could sit on an IRC channel and do things for its owner while the owner was busy elsewhere. IRC was invented in August of 1988 by Jarkko

Botnets today

- Botnets are collections of compromised machines under the control of a single entity, usually via a single controlling host, the botnet controller.
- Agobot/Phatbot is well-written, modular code supporting DoS attacks, spam proxying, launching viruses, scanning for vulnerabilities, stealing Windows product keys, sniffing passwords, GRE tunnels, self-update, etc. Phatbot's control channel is WASTE (an encrypted P2P protocol) instead of IRC.
- Other common bots: Korgobot, SpyBot, Optix Pro, rBot, SDBots, Toxbot.
- A majority of viruses contain backdoors or create botnets (MessageLabs, 2004 Annual Report). About 9% of spam is sent via botnets (MessageLabs, September 2005 Report).
- Bots refute the common argument that "there's nothing on my computer that anyone would want" (usually given as an excuse not to bother securing the system).

Prime Targets/Victims

The Internet-connected hosts most desired by attackers, and therefore most vulnerable to bot infection, are poorly monitored, high-bandwidth home computers or university servers.

- High bandwidth: among the Internet hosts most sought after by attackers are machines connected by broadband access, which give the attacker large cumulative attack bandwidth for DDoS against target servers or for hosting pirated files or software.

- Availability: the attacker prefers machines that are "always on" and highly available to carry out commands round the clock.

- Low user awareness & monitoring capability: users with low Internet security awareness and limited resources to invest in access control devices are specially targeted for bot infection. An operating system and/or applications that are not kept updated, together with the absence of access control devices such as a firewall, give the attacker the opportunity to break into the system and maintain the bot over a long period without being identified or traced.

- Location: the attacker targets machines that are geographically far from their own location, where the probability of law enforcement being able to trace the bots back to the attacker is relatively low.

The typical profile that fits the above criteria is a residential broadband connection or a university server that is connected to the Internet via broadband and is available ("on") most of the time. Attackers generally target the subnets of ISPs providing residential broadband connectivity, or university subnets, that have few or no access control devices and minimal monitoring of the Internet connection.

MALICIOUS USE OF BOTNET

Following are some of the malicious activities performed by attackers using bots and botnets.

- Distributed denial of service attacks: this is the foremost reason attackers use malicious IRC bots. Through the botnet, the attacker commands its army of zombie machines to send a large stream of UDP packets, a large stream of ICMP requests, or a flood of TCP SYN requests to the target servers against which the DDoS is directed. With hundreds or even thousands of bots at its command, the attacker is able to choke the bandwidth of the target server, preventing it from serving legitimate requests.

- Secondary local infection: with the bot installed, the attacker has complete control of the victim machine and can further download and install a keylogger or trojan to gather valuable information from the infected host, such as online banking passwords, credit card numbers or any other personal information stored on the compromised machine.

- Trade bandwidth: another interesting use of infected machines is the trading of the bandwidth of high-speed bots (infected machines with an "always on" broadband connection to the Internet) between hacker communities.

- Backdoor: bots are installed on compromised machines as backdoors to maintain access after the exploit, especially if there is already legitimate IRC traffic in the network. The attacker can configure the bots to use the same remote TCP port as the legitimate IRC traffic, reducing the chances of detection by sysadmins.

- Host illegal data: in a growing trend, attackers use malicious bots to make the victim machine part of a file sharing network and use its storage space to host illegal files, software and pirated movies, especially when the infected host happens to be a server with large storage space connected via a high-speed Internet link. Some IRC bots (such as Iroffer) are designed specifically for file sharing over IRC.

Additionally, tracking down the actual attacker who installs a malicious bot on a victim machine and uses it for illegal activity is quite difficult and seldom pursued by ISPs or sysadmins. It should be clear from the above that the destructive use of bots and botnets is limited only by the attacker's imagination and can involve the infected machine in a host of illegal activities.

ELEMENTS OF A TYPICAL IRC BOT ATTACK

Bots in their malicious mutation are used by attackers to infect victim machines after they have been compromised, or after the victim machine's user has been tricked into performing the installation. On installation the bot joins the configured IRC channel and waits for the attacker's commands. The figure below shows a typical IRC bot attack and the elements involved.

- Bot: a bot is typically an executable file capable of performing a set of functions, each of which can be triggered by a specific command. When installed on the victim machine, a bot copies itself into a configurable install directory and changes the system configuration so that it starts each time the system boots. On the Windows platform the bot may add its instance under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. The typical size of a compressed bot is less than 15 KB. An off-the-shelf bot, generally used by less sophisticated attackers, can be downloaded from warez sites on the Internet and edited to include the desired remote IRC server to connect to, the remote TCP port to use for this connection, the channel to join on that server, and the authentication password, referred to as the 'key', needed to gain access to the attacker's private channel. A more sophisticated attacker can also manipulate bot characteristics such as the files created after installation and the install directory where the bot's files reside. One important point to note is that bots are not exploits for the OS or an application; they are the payload carried by worms, or the means used to install a backdoor once a machine has been compromised.

- Victim machine: the victim machine is the compromised Internet host on which the malicious bot is installed after the attacker has exploited an application or operating system vulnerability or duped the user into executing a malicious program. Once infected, the target hosts are also referred to as zombies.

- Attacker: the one who configures the bot, compromises a machine to install the malicious bot, and controls and directs the bots once they join the designated IRC channel.

- Control channel: a private IRC channel created by the attacker as a rendezvous point for all the bots to join once they are installed on infected machines and online; it comprises a channel name and a password ('key') for authentication.

- IRC server: a server providing IRC services; this could be a legitimate public service provider such as DALnet or another machine compromised by the attacker.

- Botnet: all the bots connected to the control channel form a botnet, i.e. a network of bots, awaiting the attacker's commands.

BOTNET COMMAND AND CONTROL (C&C) TECHNIQUES

Once bot malware has been planted on the victim machines, the botmaster has to discover these infected machines. Once discovered, the botmaster needs to control them through some form of communication to carry out the desired operations. One simple possible method of communication between bots and botmaster is a direct control message link. However, such a direct link can easily reveal the location of the botmaster, so this type of communication is not used. Instead, several organized command languages and control protocols, called botnet Command and Control (C&C) techniques, are used to operate botnets remotely. Communication between the bots and the C&C machine is the weakest link in a botnet, without which the victim cloud does not behave as a coordinated network. The C&C system of a botnet is unique and unlikely to change among bots and their variants; however, attackers continue to adapt and look for new botnet communication channels. In this section we discuss three different categories of command and control techniques, namely centralized, peer to peer and random.

- Centralized Command & Control (C&C) Technique

This C&C technique uses a central high-bandwidth host, called the C&C server, to forward messages between the various bots. The C&C server in a botnet is a compromised computer that runs certain network services such as IRC, HTTP, etc. and relays the commands issued by the botmaster to each host in the botnet that joins the C&C server's channel. Botnets use various mechanisms to protect their communications, including passwords set by the botmasters. Centralized C&C is the most predominant C&C technique, and many bots including AgoBot, RBot, SDBot, SpamThru and Zotob use it. Centralized C&C has several advantages, of which easy availability and greater productivity are the most significant. A great amount of material is available online for building a centralized botnet, including IRC servers and IRC bot scripts, simple CUI and GUI customization interfaces, etc. Centralized C&C allows control of as many bots as possible and thus maximizes the botmaster's profit. Small message latency and the lack of adequate countermeasures against botnets, especially on unprotected and unmonitored networks, have also motivated botnet operators to use centralized C&C. The only drawback of centralized C&C is that the C&C server is the weakest point in the entire botnet, as all communication passes through this single point. Once the central location is discovered, the entire botnet can easily be neutralized.

- P2P Command & Control (C&C) Technique

The peer to peer C&C technique uses P2P communication, with no real central server, to forward messages between bots, which makes it more resilient to failures in the network (Cooke et al., 2005). Unlike centralized C&C, P2P C&C is much harder to discover and destroy; even if one or more bots are neutralized, the botnet continues to operate. Further, an anonymous P2P technique may be used to make it even more difficult to detect. However, the botnet size supported by P2P systems is generally much smaller than in centralized systems, which leads profit-oriented botmasters to avoid the P2P technique. P2P systems also suffer from propagation latency and lack guaranteed message delivery. Some examples of botnets that use P2P C&C include Phatbot and Sinit.

- Random Command & Control (C&C) Technique

The idea of the random C&C technique was presented by Evan Cooke (Cooke et al., 2005); however, no botnet has been reported to have used it. In this technique no bot knows about the existence of more than one other bot, which makes detection of the botnet very difficult. A botmaster or a bot sends an encrypted message at random, which may be intercepted by another bot, and a conversation can then begin. In this command and control technique message latency is very high; however, unlike the other command and control techniques, it lacks guaranteed message delivery.

BOTS INFECTION & CONTROL PROCESS

Attackers use bots by customizing them to their needs, exploiting the victim host, infecting it with the malicious bot, and then controlling the bots to attack other targets or to use the infected hosts as zombies for the purposes discussed above.

Coding/Editing: the process starts, depending on the attacker's skills, with either editing a known bot available on Internet warez sites or writing their own code. The primary configurable components are the IRC server the bot will connect to once installed on the victim machine, the remote IRC TCP service port to connect to, the private channel name to join, and the password or key that authenticates the bot's access to that private channel. Additionally, depending on the specific bot used, the attacker may change the location and name of the file placed in a directory of the infected machine. Further, the attacker may choose to use dynamic or multiple channels for the bots to join, so as to maintain access to their botnet army in case they are banned from a specific IRC server. To achieve this, attackers generally use service providers like dyndns.com or no-ip.com to map a dynamic IP address to the IRC server the bots join.

The figure shows a single instance of bot infection; the process is replicated over a large number of hosts to create an army of bots or zombie machines. The attacker attempts to infect victim machines with bots either by exploiting some operating system or application vulnerability or by tricking the user into executing a malicious program that installs the bot. A typical way for an attacker to infect a mass of Internet hosts is to take exploit code for a recently disclosed vulnerability, use it to gain access to the victim machine, and install the bot as a backdoor to maintain that access. This process can be automated with a directed worm that scans a target subnet for a known vulnerability, exploits the largely unpatched systems and infects them with the malicious bot. Another way is to exploit unpatched web applications and trick the user into executing some malicious program or virus that leads to bot infection; for example, a user might install an IRC client with a trojan inside that, while performing all the legitimate tasks of an IRC client, also installs a bot on the user's machine. After the bot is installed on the victim machine it copies itself to its install directory and, on the Windows platform, updates the registry keys. In the next stage, the bot attempts to connect to the IRC server with a randomly generated nickname, i.e. the unique name or handle representing that bot in the attacker's private channel, and uses the 'key' (authentication password) to join the attacker's private IRC channel. Attackers often use public IRC servers for this activity and can be banned by the IRC administrators, thus losing their botnet army. To avoid this, attackers sometimes use service providers like dyndns.com or no-ip.com to dynamically map their bots to multiple IRC servers. Once the bot is installed on the victim machine, it joins the attacker's channel with its unique nickname as part of the attacker's botnet army, awaiting instructions. Often, as these bots join the IRC channel, the attacker logs into them with a complex and sometimes encrypted access password, ensuring that the bots cannot be controlled by others and making it harder for someone to hijack the botnet. After access has been accepted, the attacker can direct and remotely control the actions of a large number of infected zombies via this botnet to stage attacks against other targets or to use them for the other malicious activities described. Described above is the process for a single instance of bot infection and control; the process is replicated over a large number of hosts to create an army of bots or zombie machines.

BOTNET PREVENTION, DETECTION AND DISRUPTION

Botnets present significant new challenges for the Internet community as attackers come up with new and improved tools. Protecting against falling victim to a botnet and detecting the location of the botmaster is very challenging owing to several facts: i) the mechanism used to construct and maintain a botnet and the mechanism used in its eventual attack are independent of each other, ii) every zombie in a botnet is a source of attack, and iii) botnets remain in a silent state until they are leveraged to launch a specific attack (Strayer et al., 2006).

Preventing a system on the Internet from falling victim to a botnet requires a high level of awareness about online security and privacy. Besides this, the system must be kept up to date by installing operating system updates and patches. Pirated software, games and other illegal material available online are always a source of malicious code and thus present a grave security threat, so users should refrain from accessing such web sites. Further, software firewalls and antivirus/anti-spyware programs should be installed and periodically updated to prevent systems from being infected. The use of CAPTCHA tests has been suggested for web sites and other services as protection against bots and other malicious agents.

Detecting bot activity on a system or on a network is central to the study of botnets. The use of a honeypot has been the most popular method of setting a trap to detect botnet activity. A honeypot is generally an isolated and protected system that appears to be part of a network and to have valuable information stored on it. It allows itself to be infected by a bot and to become part of a botnet. The honeypot is then used to capture the bot malware and identify the bot controller. Various reactive and proactive techniques have been suggested to detect and identify botnets. Detecting botnets by monitoring network and host activity in terms of the number of users per channel, the service ports used, an abnormal ratio of invisible to visible users, etc. has been suggested. Examining flow characteristics such as bandwidth, duration and timing has been suggested for detecting botnet C&C activity, as has the use of secondary bot behavior such as propagation and attacks. Three metrics, namely relationship, response and synchronization, have been proposed for detecting botnets by analyzing their behavior.
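As an added example (not code from the paper), the flow-based detection idea above can be turned into a triage script: it groups constructed NetFlow-style records by external endpoint and scores each on the relationship, flow-shape and synchronization signals; the thresholds and the sample records are assumptions chosen for illustration.

```python
"""Flow-based triage for a centralized (IRC-style) botnet rendezvous point.

Added example, not from the paper. Records are constructed NetFlow-style tuples:
(start_sec, duration_sec, src_ip, dst_ip, dst_port, bytes_sent). Thresholds are
assumptions for illustration; tune them against your own network's baseline.
"""
from collections import defaultdict

SAMPLE_FLOWS = [
    # constructed: eight internal hosts hold a quiet, hour-long session to one
    # external host on 6667, all starting within about 20 seconds of each other
    *[(1000 + i * 3, 3600, f"10.0.0.{10 + i}", "203.0.113.7", 6667, 4200)
      for i in range(8)],
    # constructed: ordinary browsing, short and bursty, scattered destinations
    (1005, 2, "10.0.0.10", "198.51.100.20", 443, 120000),
    (1300, 5, "10.0.0.11", "198.51.100.21", 443, 80000),
    (2000, 1, "10.0.0.12", "198.51.100.22", 80, 30000),
    # constructed: two long IMAP sessions, few peers and far too much data
    (1000, 3000, "10.0.0.13", "198.51.100.30", 993, 9000000),
    (1500, 3000, "10.0.0.14", "198.51.100.30", 993, 7000000),
]


def score_rendezvous(flows, min_peers=5, min_duration=600, max_bps=64,
                     sync_window=60):
    """Group flows by external (dst, port) and evaluate three signals the
    paper's detection survey names: relationship (many internal hosts talking
    to one endpoint, the 'users per channel' view), flow shape (long-lived but
    nearly idle, as an IRC control session is) and synchronization (sessions
    that start in lockstep, as bots do after a mass infection)."""
    by_peer = defaultdict(list)
    for start, dur, src, dst, dport, nbytes in flows:
        by_peer[(dst, dport)].append((start, dur, src, nbytes))
    findings = {}
    for peer, recs in by_peer.items():
        hosts = {r[2] for r in recs}
        long_quiet = [r for r in recs
                      if r[1] >= min_duration and r[3] * 8 / r[1] <= max_bps]
        starts = [r[0] for r in recs]
        findings[peer] = {
            "relationship": len(hosts) >= min_peers,
            # majority of sessions to this endpoint are long and nearly idle
            "long_quiet": 2 * len(long_quiet) >= len(recs),
            # all first contacts fall inside one short window
            "synchronized": len(starts) > 1
                            and max(starts) - min(starts) <= sync_window,
        }
    return findings


def suspected_c2(flows, **thresholds):
    """Endpoints on which every signal fires: an analyst triage queue, not an
    automatic block list, since legitimate IRC, NTP or monitoring agents can
    look the same and need a human check."""
    scored = score_rendezvous(flows, **thresholds)
    return sorted(peer for peer, s in scored.items() if all(s.values()))


if __name__ == "__main__":
    for peer, signals in score_rendezvous(SAMPLE_FLOWS).items():
        print(peer, signals)
    print("suspected C&C:", suspected_c2(SAMPLE_FLOWS))
```

On the sample records only the 6667 endpoint fires all three signals; the IMAP server has long sessions but too few peers and far too much traffic, and browsing flows are short and scattered.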

On detecting a botnet, the immediate mitigation goals are to neutralize the zombie by removing the bot infection and, more importantly, to disrupt the C&C server of the entire botnet. Disrupting the botnet's C&C server is significant because a bot-infected system is only one part of a very large zombie army controlled by the C&C server, and disrupting this controller neutralizes the entire botnet.

MERITS AND DEMERITS

Merits:

- A botnet can be used as a distributed denial of service weapon.
- Multi-server support to track a large number of botnets in parallel.
- Support for SOCKS proxies, to conceal the IP address from which the botnet monitoring software is run.
- Modular design, for flexibility.

Demerits:

- Botnet-hosted sites are typically very slow and hard to access.
- Part of the problem is that zombies are usually domestic PCs using dynamically allocated IP addresses. Home users often shut their machines down for hours at a time. When a machine shuts down or disconnects, it will often be given a different dynamic IP address when it reconnects, and the original IP address may be either unused or assigned to a machine that is not compromised.

CONCLUSION

The increasing number of Internet users and the Internet's commercial character naturally bring a proportionate number of criminally minded people onto the scene, who pose potential threats to legitimate users, to the Internet infrastructure and to the timeliness of the services it offers. The aim of this paper is to document Internet security threats so that general understanding of malicious users and malware is increased. The paper presents a detailed study of the technology involved in the design and control of botnets and the threats posed by them. The main focus of this paper is the botnet, which enfolds all other attacks in one way or another.
