Thursday, June 4, 2009

Botnets - The Silent Threat

I had been planning for delivering a training. And I had to decide on a subject. So, here it is - Botnets.

Topics I will cover here:

+ What is a Botnet
+ Top Botnets
+ Why Botnet?
+ Elements
+ Features
+ Protocols used
+ Categories
+ Applications of an Attack
+ Elements of an Attack
+ Stages of an Attack
+ Detecting a Bot
+ Defending against Botnets

What is a Botnet
Botnet - bot-net - is a network of bots. A bot is a program which can perform autonomous actions in response to instructions. The bots reside on the systems which have certain vulnerabilities that are successfully exploited by an attacker. The objective of the bot is primarily to report to a central server controlled by the attacker & wait for further instructions.

The infected system is also known as a zombie. Why? Because these exploited systems work normally & the users / owners do not see any changes in the activity or performance of the systems. The Zombie rises only when commanded by its Control server. As soon as it receives the command(s), it springs into action & starts serving his master dutifully.

Top Botnets
With every passing year, there have been several botnets that were identified as the Top contenders of their times. The severity & efficiency of these botnets is usually measured by the bot's defending controls against reverse-engineering and/or prevention & the rate of increase of their bot network.

These are only a few botnets that have shown the power of the human mind & the efficiency of a smart botnet:
Sl. No. Name Botnet Size Spam Capacity
1. Conficker 10,000,000+ 10 billion/day
2. Kraken 495,000 9 billion/day
3. Srizbi 450,000 60 billion/day
4. Bobax 185,000 9 billion/day
5. Rustock 150,000 30 billion/day
It would be interesting to realize that these are just a very, very small tip of the iceberg. Conficker had been on hunting spree for so long even after it was identified. There are many which haven't even yet been found, and remember with each passing moment that a system is on the Internet, the possibility of it being successfully hit increases.

Why Botnet?
So why would someone use a Botnet if systems can be exploited remotely, with new & old attack vectors improving with technology - viruses, worms, trojans, client-side exploitation, web attacks and what not?

True, the attack vectors are present & they can do their job neatly. But in order to fully utilize the individual systems exploited via these vectors, these systems must be under some sort of centralized or intelligent control. The botnet is a consistenly increasing network of infected systems that is under direct control of the attacker. With one command from anywhere in the world, for example, an enterprise can be brought down to its knees.

That's the true power of botnet.

Elements of Botnet
+Bot herder
A bot herder is the creator of the botnet. The bot herder controls the bot remotely usually using IRC or HTTP. The bot herder ensures security over his bots, tracks progress & maintaines the CnC.

+Command n Control (CnC)
Command n Control usually runs on an IRC or HTTP server. This is primarily responsible for tracking & updating bots and sending attack launch instructions to bots.

A bot or a bot code is the program / malicious payload which resides on & controls the host and performs the instructions sent by the CnC.

Features of A Bot
Just like any other executable, a bot has a source code. The source code defines the structure & the function(s) that a bot can perform.

Some of the functions integrated in a bot are:

1. Hidden presence - hidden from task manager, process explorer, anti-virus, IDS, host firewalls.
2. Killing Anti-Virus processes.
3. Killing rival bots - yes, the war is all around!!
4. Covert communications - using http or irc or IM protocols to communicate with the CnC.
5. Auto Run
6. Automatic Update

The bot usually have a modular structure. It enabled the bot writer or the bot herder to dynamically add or update or remove the functions or exploit codes to the bot source code. After this modification, the bot source code is compiled & built to generate the new version. And with a single command through CnC, all the bots can update the changes immediately.

Part II: coming up...

No comments:

Post a Comment


The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.