Security Experts:

Botnets - Herds of Internet Creatures Running Amuck


Remember the 1999 Sci-Fi classic movie, The Matrix, where Earth had been taken over by machines that created a simulated reality in order to control the human population? The human race deliberately created a sentient network of computers for the good of mankind. As energy became scarce, however, the computer network created a simulated reality to mentally enslave the human population; using human body heat and electrical activity as an energy source.

While historic symbolism runs rampant through the movie, the geeks among us most likely latched onto the comparison of the sentient network in the Matrix and where our own Internet is heading. With literally billions of computers connected to and communicating over the Internet, and a commercial (Siri anyone?) and government demand for artificial intelligence, one wonders how far off true sentience lies.

While our attention is immediately drawn to the Internet when we think about the benign-turned-evil Matrix, a more interesting comparison can be made to the current Internet plague of botnets. Far less visible in everyday conversation than the Internet itself, a botnet is a collection of compromised computers under the remote control of an attacker; its malware spreads to new victims and defends the foothold it has, and botnets underlie much of the cybercrime and cyber conflict we see today.

A large botnet may be made up of tens of millions of bots (infected computers), most of them personal machines whose owners have no idea they are hosting one. To reinforce this often missed fact: the computer from which you are reading this blog entry may be one of the hundreds of millions of machines (e.g., PCs, laptops, servers, Xboxes) that make up these botnet armies.

As I researched for this article, I found myself collecting a huge volume of fascinating data, with the chance of writing about only a fraction of it. I’ve picked the best of the best; I do believe you’ll be as fascinated with the botnet world as I am.

What Does A Botnet Look Like?

Your typical botnet is made up of many bots (infected computers): perhaps just a few thousand, sometimes as many as tens of millions. For an interesting size perspective, according to Wikipedia, one of the largest botnets, BredoLab, was a Russian-based botnet with an estimated 30 million bots at its peak. The BredoLab botnet was taken down by authorities in an international operation in October 2010.

Compare the size of this BredoLab army with the 29 million total population of Indiana, Ohio and Illinois. Think about every man, woman and child in all three states calling you at 7:00 am, next Tuesday, each trying to sell you car insurance – this might give you an idea of how a website might feel as the BredoLab botnet launches a Distributed Denial of Service (DDoS) attack.

The bots, the botnet's troops, are pieces of malicious software that hide within your computer (yes, your computer, not some server in the sky). The botnet commander (the person in charge of the botnet) can instruct this army of bots to wait for a command to launch a DDoS attack, collect and transmit identity information, or perform any number of other nefarious acts.

Oh, by the way, bot herders and bots sometimes use Twitter and instant messaging (IM) to talk among themselves. That has to creep you out: a bot on your computer sending an instant message to its handler in Southeast Asia, perhaps just to update him on your checking account balance.

So, How Does One Join a Botnet Army?

Botnet infections are almost always the result of malicious code being executed on your machine. Sometimes you are tricked into running it yourself; more often it arrives as a drive-by download, in which a booby-trapped web page exploits a vulnerability in your browser or one of its plug-ins and installs the bot silently, with no prompt and no visible sign. Either way, the end result is an almost undetectable bot hiding within your computer, now a soldier in a botnet army.

Drive-by downloads sometimes occur when you click on a seemingly benign 'free' software product, but are more likely to happen simply by visiting a website that is silently distributing malware. Unfortunately, this distribution of malware is no longer limited to 'unsavory' websites; it can occur from any website, however reputable, where hackers have successfully exploited vulnerabilities in the site itself.

The two best defenses against becoming a botnet recruit are a fully patched computer (operating system, browser and browser plug-ins) and a current anti-virus/anti-malware product. Your old, unpatched computer sitting in the corner with the expired anti-virus subscription will soon join the ranks of the undead and host a bot. And, like most of us, you probably leave it on all the time, which is exactly what the bot wants: it can stay in constant contact with the botnet's command and control platform.
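That "constant contact" is also the bot's weakness from a defender's point of view. Malware that phones home on a timer produces connections at suspiciously regular intervals, something a person browsing the web never does. The following is an added example, not code from the original article, that flags such beaconing in a constructed outbound-connection log; the log format (epoch seconds, source IP, destination IP:port) and the thresholds are assumptions chosen for the illustration.

```python
"""Beacon detection over constructed outbound-connection log lines.

A bot that must stay in constant contact with its command-and-control
server usually checks in on a fixed timer, with at most a little jitter.
This example flags (source, destination) pairs whose connection intervals
are both frequent and unusually regular, measured by the coefficient of
variation (standard deviation divided by mean) of the gaps between them.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (assumed format): "<epoch-seconds> <src-ip> <dst-ip>:<dst-port>".
# 10.0.0.5 beacons to 203.0.113.7:443 every ~60 s with slight jitter, while
# also browsing normally; 10.0.0.9 only browses.
SAMPLE_LOG = """\
1300000000 10.0.0.5 203.0.113.7:443
1300000001 10.0.0.5 198.51.100.2:80
1300000060 10.0.0.5 203.0.113.7:443
1300000075 10.0.0.5 198.51.100.9:80
1300000121 10.0.0.5 203.0.113.7:443
1300000179 10.0.0.5 203.0.113.7:443
1300000211 10.0.0.5 198.51.100.2:80
1300000240 10.0.0.5 203.0.113.7:443
1300000301 10.0.0.5 203.0.113.7:443
1300000007 10.0.0.9 198.51.100.2:80
1300000190 10.0.0.9 198.51.100.9:80
1300000199 10.0.0.9 198.51.100.2:80
1300000410 10.0.0.9 198.51.100.2:80
"""


def parse_log(text):
    """Yield (timestamp, src, dst) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = int(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def find_beacons(text, min_connections=5, max_cv=0.2):
    """Return {(src, dst): (count, mean_gap_seconds, cv)} for pairs that
    connect at least min_connections times with a coefficient of variation
    of the inter-connection gaps no greater than max_cv."""
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in times.items():
        # Caveat: with only two or three connections almost anything looks
        # regular, so insist on a minimum number of samples first.
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all connections in the same second: not a timer
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[pair] = (len(stamps), round(avg, 1), round(cv, 3))
    return beacons


if __name__ == "__main__":
    for (src, dst), (count, avg, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {count} connections, every ~{avg}s (cv={cv})")
```

Run against the sample, only the 10.0.0.5 to 203.0.113.7:443 pair is reported. Lowering `min_connections` to 3 also flags 10.0.0.9's three visits to 198.51.100.2, which happen to be roughly evenly spaced; that false positive is why the sample-count floor matters more than the regularity threshold when this is run over real proxy or NetFlow data.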

Botnet Armies at War

Any computer that can be infected with a bot is considered valuable. Botnets work best when their armies are large. When an already infected computer encounters yet another malware attack, the original bot and the usurper will often battle for dominance, with the superior bot ‘owning’ the PC.

An article in eWeek speaks about the well-established Zeus botnet and the newcomer botnet, SpyEye. TrendLabs Threat Response Engineer, Roland Dela Paz, said in a recent blog post, "EyeBot [SpyEye botnet] is still just a 'newbie,' but should the ZBot [Zeus botnet] criminal minds choose to respond, there is some potential for a bot war to ensue. However, at this stage, we cannot be certain what, if any response, the ZBot criminals are likely to make."

The next time you visit your favorite celebrity gossip site, imagine an invisible mini cyber war on your very own 4-year-old Dell desktop. The Zeus bot that you picked up a few months ago (from that other celebrity site you visit) has been happily collecting and passing on your keystrokes. For all you know, your machine may also have taken part in a DDoS attack against a government website a few months ago.

As soon as you hit the new celebrity site, your horribly under-protected computer is exposed to new malware that wants to install the SpyEye bot. The two bots duke it out for a few microseconds, and you now have a new, silent friend.

The Zeus botnet is now down by one, from an estimated total of 3.6 million bots in the US. The SpyEye botnet is one bot stronger.

What Do Bots Do When They’re Not Sleeping?

Botnets are almost always designed and deployed for evil reasons. When not hiding in the recesses of your hard drive, the bots are instructed by the 'bot herder' (the human in charge, at least for now) to go forth and wreak havoc on the world. A few of their waking-hours activities (adapted from The Honeynet Project's "Know Your Enemy: Tracking Botnets") are noted below.

1. Distributed Denial-of-Service Attacks -  Often botnets are used for Distributed Denial-of-Service (DDoS) attacks. A DDoS attack is an attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services by consuming the bandwidth of the victim network or overloading the computational resources of the victim system.

2. Spamming - With the help of a botnet and thousands of bots, an attacker is able to send massive amounts of bulk email (spam). Some bots also implement a special function to harvest email addresses. Often that spam you are receiving was sent from grandma's old Windows computer sitting at home.

3. Sniffing Traffic  - Bots can also use a packet sniffer to watch for interesting clear-text data passing by a compromised machine. The sniffers are mostly used to retrieve sensitive information like usernames and passwords.

4. Keylogging - With the help of a keylogger it is very easy for an attacker to retrieve sensitive information. An implemented filtering mechanism (e.g. "I am only interested in key sequences near the keyword 'paypal.com'") further helps in stealing secret data. And if you imagine that this keylogger runs on thousands of compromised machines in parallel, you can imagine how quickly PayPal accounts are harvested.

5. Spreading new malware - Botnets are also commonly used to spread new bots. A botnet with 10,000 hosts that acts as the launch base for a mail virus spreads it rapidly and thus causes far more harm than a single infected machine could.

6. Manipulating online polls/games - Online polls/games are getting more and more attention and it is rather easy to manipulate them with botnets. Since every bot has a distinct IP address, every vote will have the same credibility as a vote cast by a real person. Online games can be manipulated in a similar way.
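Item 1 above is worth a closer look from the defender's side, because it explains why the usual "rate-limit each client" reflex fails against a botnet. The following is an added example, not code from the original article or The Honeynet Project: it builds a constructed web-server access log (ten seconds of normal traffic from four clients, then a five-second flood from 300 bots sending one request each per second) and compares per-window totals against a baseline. The log format, the size of the constructed flood and the thresholds are assumptions for the illustration.

```python
"""Distributed-flood detection over a constructed access log.

The point of a DDoS is that no single bot needs to misbehave: a few hundred
bots sending one request per second each will swamp a small site while every
individual source stays under any sane per-IP rate limit.  So the detector
looks at the whole window (total requests and distinct sources), not at the
busiest client.
"""
from collections import Counter, defaultdict

T0 = 1300000000  # constructed start time (epoch seconds)


def build_sample_log():
    """Constructed sample: 10 s of normal traffic, then a 5 s distributed flood.
    Assumed line format: "<epoch-seconds> <client-ip> <request>"."""
    lines = []
    # Normal traffic: 4 regular clients, 5 requests per second in total.
    for t in range(T0, T0 + 10):
        for i in range(5):
            lines.append(f"{t} 198.51.100.{i % 4 + 1} GET /index.html")
    # Flood: 300 distinct bot addresses, each sending just one request per second.
    for t in range(T0 + 10, T0 + 15):
        for i in range(300):
            ip = f"192.0.2.{i}" if i < 256 else f"203.0.113.{i - 256}"
            lines.append(f"{t} {ip} GET /index.html")
    return lines


def parse_access_log(lines):
    """Yield (timestamp, client_ip) pairs, skipping malformed lines."""
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) < 2 or not parts[0].isdigit():
            continue
        yield int(parts[0]), parts[1]


def window_stats(lines, window=5):
    """Bucket requests into fixed windows of `window` seconds and return a
    sorted list of (window_start, total_requests, distinct_sources,
    busiest_single_source_count)."""
    buckets = defaultdict(Counter)
    for ts, src in parse_access_log(lines):
        buckets[ts - ts % window][src] += 1
    stats = []
    for start in sorted(buckets):
        counts = buckets[start]
        stats.append((start, sum(counts.values()), len(counts), max(counts.values())))
    return stats


def detect_flood(lines, window=5, min_sources=100, rate_factor=10):
    """Flag windows whose request volume is at least rate_factor times the
    baseline AND which involve at least min_sources distinct clients.
    Assumption: the first window in the log is normal traffic and serves
    as the baseline.  Each alert also records the busiest single source so
    the reader can see how little a per-IP limit would have caught."""
    stats = window_stats(lines, window)
    if not stats:
        return []
    baseline = stats[0][1]
    alerts = []
    for start, total, distinct, busiest in stats[1:]:
        if distinct >= min_sources and total >= rate_factor * baseline:
            alerts.append({
                "window_start": start,
                "requests": total,
                "distinct_sources": distinct,
                "busiest_source": busiest,
            })
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    for start, total, distinct, busiest in window_stats(log):
        print(f"window {start}: {total} requests from {distinct} sources, busiest sent {busiest}")
    for alert in detect_flood(log):
        print("FLOOD:", alert)
```

In the flood window the detector sees 1,500 requests from 300 addresses, yet the busiest single address sent only 5; a per-IP limit of, say, 10 requests per 5 seconds would have blocked nothing, while the legitimate client in the baseline window (10 requests per window) would have been closer to that limit than any bot.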

A Great Botnet Story

An Associated Press report spoke about a botnet data-storage server in Ukraine containing harvested data from 160,000 infected computers. Reported amongst this data was:

"One Southern California 22-year-old could be seen registering a domain name with GoDaddy.com, changing his Yahoo e-mail password and ordering a meal online from Pizza Hut. His credit card number, birth date, telephone number, address and passwords are now all in criminals' hands, though it's unclear what, if anything, criminals have done with the information."


Botnet for Rent

With a few rare exceptions, botnets are all about money and huge profits. But, lest we think only of botnet cyber crime lords hiding in dank apartments in Ukraine, let's look at the thriving business of renting out a botnet's army to anyone who might, for example, need to run a DDoS attack on a competitor's website.

So, from the comfort of your Fort Wayne, Indiana home you could be a botnet herder for a day – think how surprised the local Dairy Queen will be when their website goes down.

A report from Panda Labs in 2010 said the average cost to rent a botnet for 24 hours was $67. The number of bots, and the bandwidth they bring with them, is more than enough to take down any website except the very largest.

And, like any services business, you can even visit a few message boards that will provide feedback on the quality of rented botnet services. Capitalism at its finest.

Vision of the Future

Let’s revisit the futuristic Matrix and see if we can draw any more interesting analogies between its network of sentient computers and the botnet armies that surround us today.

Consider the more sophisticated botnets that now span the Internet. Each is built to survive: its herder sometimes answers threats with DDoS attacks of his own against rivals or researchers, and the bot code is updated or repacked on command whenever defenders catch up with it. Bots from rival botnets will fight for territory (a prime PC) and will scan nearby computers to establish new footholds. Finally, and perhaps most ominous, a botnet, once instructed by its herder to start on a mission, will carry it out without further human intervention.

I don’t think we’ve duplicated the Matrix yet (would I know if we have?). But when we do, I predict it will not come from a desire to improve mankind but rather from the already corrupt minds of cyber criminals, extending their reach into the personal computers the masses use on a daily basis.

Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security - from evaluation to web development and remediation.