Monday, June 8, 2009

Botnets: The Silent Threat - Part II

Protocols used by Botnets
+ IRC (Most prevalent)
+ HTTP (Increasingly prevalent)
+ P2P
+ IM (Instant Messenger)

Categories of Botnets
+ Centralized CnC
In the Centralized CnC model, the bot herder controls his/her bots through a single Command n Control server. All zombie computers reach out to this central server to report their status & fetch instructions. As a single server is responsible for managing & controlling the bots, the bot herder has to take into account parameters such as available bandwidth, processing capacity, ISP restriction(s) etc. in order to use this Command n Control model.

Since this model depends on a single Command n Control server, it is acutely vulnerable to being identified & taken down. If the Command n Control server is hit, the bots in the botnet can no longer communicate with the CnC & the botherder loses control over his/her botnet army.

Hence, it becomes crucial for botmasters to define a different architecture for their botnet(s), one which ensures the availability of their bots even if a particular Command n Control server is no longer available.

+ Distributed CnC
The Distributed CnC model enables a bot master to define a botnet structure in which communication does not depend on any single Command n Control server. In this model, the bot herder divides the botnet into segments. Each segment has one or more Command n Control servers. The bots communicate with & fetch instructions from their respective segment's Command n Control servers & not from any single CnC. The botmaster communicates only with the Command n Control servers of the defined segments & relays control instructions to the zombie computers through these CnCs.

If the CnC server of a segment is no longer available - due to ISP restrictions or because it has been disinfected - the bots in that segment can continue to attack & root vulnerable systems. These bots can also communicate with the Command n Control server(s) of other segments, and a bot from the affected segment can start acting as the new Command n Control server. So the botmaster can continue to control the zombie computers using this new CnC.

This also gives the botherder a layer of protection. If zombie computers are identified by security researchers or law enforcement, the distributed structure makes the task of finding the CnCs or the real bot owner very difficult as well as time consuming.

The distributed CnC also lets the botherder/botmaster keep a low profile. Instead of one botnet controlling hundreds of thousands of bots and creating high traffic & visibility over the wire, as in the Centralized CnC model, each distributed segment controls only a few hundred bots or fewer.
This allows the botherder to rent out or sell portions of his/her botnet: one portion can be used for Denial of Service attacks, another for spamming, and another by the botherder himself to attack & recruit more bots.

Applications of an Attack
+ Distributed Denial of Service
The primary use of a botnet is to launch Distributed Denial of Service (DDoS) attacks. In a Distributed Denial of Service attack, multiple systems send a continuous, huge number of connection requests with spoofed or real source IP addresses to the victim. The victim server / device / application initially accepts the connection requests & waits for a response from the source(s). As the number of zombies increases, the bandwidth available to attack a target - web server, DB server, e-commerce website, firewall, edge router(s), etc. - increases manifold. Soon the maximum number of connections the victim can handle is reached & it can no longer accept even valid requests, resulting in a Denial of Service. Since the infected systems can be located anywhere geographically, this attack allows an attacker to remain almost invisible to the victim.

+ Spamming
Botnets are also used by spammers to send mass mailers / spam out to the world. Since the infected systems are under the complete control of the botmaster, these zombies are used as mail relay servers.

+Click Fraud
Click Fraud is one of the most rapidly growing areas where botnets are being used. A site owner runs an advertising program on his/her site & when a visitor clicks on an Ad or completes a transaction through an Ad, the site owner earns a certain amount of $$$. The higher the number of clicks on Ads, the more $$$ the site owner makes. So, here comes our botnet army. As botnets usually consist of hosts distributed geographically, a botherder programs his bots to visit the site & click on the Ads. The clicking can be scheduled for a specific time of day/week or duration, making the bot traffic appear to be normal visitor clicks.

This is a profitable avenue for both the site owner and the botherder.

+ Keylogging
Keylogging is extremely useful in targeted attacks. As the zombie is under complete control, the bot herder can choose to enable key logging on it. This allows the bot herder or an attacker to obtain system login credentials, application login credentials, remote server login information, trusted system login details, critical mails etc. - practically everything required for further penetration.

+Identity Theft
Identity theft is another critical avenue which gives an attacker increased scope for a successful targeted attack. A bot herder / attacker can fetch user details & system details, turn on the webcam attached to the zombie, take a photograph of the end-user & use it for social engineering, and gather critical user information such as banking login IDs & passwords to leverage further attacks. Considering the newer social networking sites such as Facebook, LinkedIn, Twitter etc., identity theft can be used to target other users from the same organization very effectively.

+Hosting warez/Illegal sites
The bot herder can also choose to host FTP / HTTP servers on the zombie hosts. An FTP server or a web server can be installed quietly to run in the background, hidden from the task manager, & serve warez, porn, malware etc.

+CD Keys
Another area of botnet use is gathering licensed product details. The bot herder can instruct his/her bots to look through the zombie hosts' registry to locate the serial numbers & licensing details of prevalent, popular applications & products, such as those from Microsoft, Oracle, IBM etc.

Elements of an Attack
A bot is spread using the traditional infection vectors - viruses, trojans, worms etc. The attacker uses these vectors to drop the bot executable as the payload onto vulnerable systems.

+ An attacker first spreads a trojan horse, which infects various hosts. These hosts become zombies and connect to the Command n Control server in order to listen to further commands.
+ The Command n Control server can either be a public machine in one of the IRC networks or a dedicated server installed by the attacker on one of the compromised hosts.
+ Bots run on compromised computers, forming a botnet.

Stages of an Attack
1. Creation
+ Largely dependent on the skill & requirements of the attacker.
+ The attacker may choose to write new bot code or customize an existing one.
2. Configuration
+ Providing the IRC server & channel information.
+ Securing the communication (Bot Herder <-> CnC <-> Bots) - passwords, encryption.
+ Securing botnets from other Bot Herders - Keys, allowed members.
3. Infection
+ Direct Techniques - Exploiting OS/Services vulnerabilities, using worms/virus.
+ Indirect Techniques - Web Attacks, Social Engineering, P2P, Trojans.
+ Each infected system continues the infection process.
4. Control
+ Involves actions after the bot is installed on the target host.
+ Persists across reboots via the Windows registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.
+ Connects to the CnC & joins the control channel.
+ Bot is now ready to receive commands.

Detecting a Bot
+ A simple yet effective way to detect a bot is monitoring host traffic. This can be achieved using the 'netstat' utility:

netstat -an

Netstat is a tool available on both Windows & *nix systems. Its main function is to provide information about active ports: netstat examines listening TCP and UDP ports and provides detailed information on network activity. On *nix systems netstat also displays all open streams.

Possible connection states are:
ESTABLISHED – both hosts are connected
CLOSING – the remote host is closing the connection
LISTENING – the host is listening for incoming connections
SYN_RCVD – a remote host has asked to start a connection
SYN_SENT – the host is starting a new connection
LAST_ACK – the host must send a report before closing the connection
TIME_WAIT, CLOSE_WAIT – a remote host is terminating the connection
FIN_WAIT_1 – the client is terminating the connection
FIN_WAIT_2 – both hosts are closing the connection

Watch for ESTABLISHED connections to TCP ports in the 6000-7000 range (the default IRC port is 6667). If the system turns out to be compromised, take it off the network & take the necessary actions - anti-virus scan, etc.
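As an added example (not part of the original post), the following Python applies the check above to netstat -an output in both the Windows and Linux layouts, flagging ESTABLISHED TCP connections whose remote port falls in the 6000-7000 range. The sample output and all addresses in it are constructed for illustration.

```python
import re

# Constructed sample of `netstat -an` output, mixing the Windows layout
# (Proto/Local/Foreign/State) and the Linux layout (with Recv-Q/Send-Q).
# Addresses are documentation ranges; nothing here is real captured data.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:49152     203.0.113.10:6667      ESTABLISHED
  TCP    192.168.1.20:49153     198.51.100.7:443       ESTABLISHED
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49160     203.0.113.22:6697      SYN_SENT
tcp        0      0 192.168.1.20:50012      203.0.113.15:6660       ESTABLISHED
tcp        0      0 192.168.1.20:50020      198.51.100.9:80         TIME_WAIT
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# A host:port token; the host part may be IPv4 or (bracketed) IPv6.
ADDR_RE = re.compile(r"^(?P<host>.+):(?P<port>\d+)$")

def parse_netstat(text):
    """Yield (proto, local, remote, state) for each socket line.

    Windows and Linux differ in column count, so instead of fixed
    positions we locate the two tokens that end in ':<port>' and treat
    the final token as the state when it is not one of them."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].lower() not in ("tcp", "tcp6", "udp", "udp6"):
            continue                # header line or unrelated output
        addrs = [f for f in fields if ADDR_RE.match(f)]
        if len(addrs) < 2:          # e.g. UDP sockets with a '*:*' or ':*' peer
            continue
        state = fields[-1] if fields[-1] not in addrs else ""
        yield fields[0].upper(), addrs[0], addrs[1], state

def suspicious_irc_connections(text, low=6000, high=7000):
    """Return (local, remote) pairs for ESTABLISHED TCP connections whose
    remote port lies in the IRC range the article says to watch."""
    hits = []
    for proto, local, remote, state in parse_netstat(text):
        port = int(ADDR_RE.match(remote).group("port"))
        if proto.startswith("TCP") and state == "ESTABLISHED" and low <= port <= high:
            hits.append((local, remote))
    return hits

if __name__ == "__main__":
    for local, remote in suspicious_irc_connections(SAMPLE_NETSTAT):
        print(f"possible IRC CnC traffic: {local} -> {remote}")
```

A hit on this range is only a trigger for a closer look; legitimate IRC and other services also use these ports, so confirm by identifying the owning process before pulling the host off the network.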

+ Use Host Intrusion Detection Systems
A HIDS monitors the traffic originating from the host & creates a baseline, i.e. normal usage statistics. In case of a bot infection, the HIDS watches for deviations from this traffic pattern & reports anomalies, which can be used to identify a bot infestation.

+ Control outbound network connection from the host
Applications such as Cisco Security Agent control the outbound network connections initiated by any software, process or application on the host. Host systems should be set up with controls that monitor & restrict unauthorized outbound network access. If the bot cannot communicate with its Command n Control, the damage it can do is reduced significantly.

Defending against Botnets
+ Educate end-users: Do not click links in email or IM. Verify pictures & videos sent over IM; verify the sender first & only then proceed. If the email/IM contains a URL, copy n paste the URL into the browser rather than clicking it.
+ Do not download untrusted software: Verify the source of the download. Use only reliable site(s) for downloads. Ensure that the MD5 shown on the site & the MD5 of the file you downloaded match.
+ Do not use Administrator account: Ensure least privilege for daily operations. 
+ Ensure HTTPS:// in the URL while doing any electronic transactions.
+ Disable scripts by default: There is a Firefox plugin, NoScript, which disables all scripts on all sites. Enable scripts only for sites where they are really needed.
+ Use Host-based firewall(s) & host-based IDS.
+ Use Anti-Virus software & keep the definitions updated.
+ Ensure regular timely patches for your OS.
+ Use sandbox environment(s) such as Sandboxie. Sandboxing provides an isolated space which prevents programs (browsers, IM clients, email clients, any application that accesses the internet) from making permanent changes to other programs and data on your computer.
+ Shut down your system when not in use.
+ Report suspected botnet activity & spam.

Botnets are an interesting subject considering their utilization & the role they can play in a cyber war and / or in controlling critical servers such as those of a nation's nuclear power plants, electric power stations, airlines, banks etc.

This brings us to the completion of this article on Botnets.

I hope you found the information useful. Please feel free to share your inputs/feedback.

Thank you for reading.


  1. Unbelievable. How can you talk to the topic of malware, and botnets in particular, without addressing mechanisms for the bot to survive on a system? (rootkits, etc).

  2. Thanks for your feedback.

    You are correct. Survival mechanisms play a crucial role in the botnet life cycle.

    However, the scope of botnet hardening, bot security vis-a-vis anti-malware controls on the host / rival bots & ensuring anonymity / survival via root-kits is a related but distinct phase of botnet operation which is an extensive, separate subject altogether.

    The objective of this article has been to discuss the fundamental concepts of a botnet operation & I've covered the details from this aspect.

    Best Regards.



The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.