Monday, June 8, 2009

Botnets: The Silent Threat - Part II

Protocols used by Botnet
+ IRC (Most prevalent)
+ HTTP (Increasingly prevalent)
+ P2P
+ IM (Instant Messenger)

Categories of Botnets
+ Centralized CnC
In Centralized CnC model, the bot herder controls his/her bots through a single Command n Control Server. All zombie computers reach out to this central server to report their status & fetch instructions. As only single server is responsible for managing & controlling bots, the bot herder has to take into account parameters such as available bandwidth, high processing capacity, ISP restriction(s) etc. in order to use this Command n Control model.

Since this model works on a single Command n Control server, it is acutely vulnerable to being identified & taken down. In case the Command n Control Server is hit, the bots in the botnet will not be able to communicate with the CnC & the botherder loses control over his/her botnet army. 

Hence, it becomes crucial for the botmasters to define a different architecture for their botnet(s) which can ensure availability of their bots even if a certain Command n Control server is no longer available.

+ Distributed CnC
The Distributed CnC model enables a bot master to define a botnet structure where the communication is not dependent upon any single Command n Control server. In this model, the bot herder creates botnet segments. Each segment has 1 or more Command n Control servers. The bots communicate with & fetch instructions from their respective Command n Control servers & not from any single CnC. The botmaster only communicates with the Command n Control servers of the defined segments & sends control instructions further to the zombie computers using these CnCs.

In case a CnC server of a segment is no longer in use - due to ISP restrictions or getting disinfected - the bots in this segment can continue to attack & root vulnerable systems. These bots can also communicate with the other Command n Control server(s) of other segments. A bot from this segment can also start acting as the new Command n Control server. So, the botmaster can continue to control the zombie computers using this new CnC.

This also provides the botherder a layer of protection. In the event of zombie computers being identified by the security researchers or law enforcement, this distributed structure will make the task of finding the CnCs or the real bot owner very difficult as well as time consuming. 

The distributed CnC provides the botherder/botmaster the ability to keep a low profile. Instead of the botnet controling hundreds of thousands of bots, creating a high traffic & visibility over the wire as in Centralized CnC model, the distributed segments control only a few hundreds or even lesser of bots. 
This allows the botherder to rent out or sale portions of his/her botnet. One portion can be used for Denial of Service attacks, one could be used for Spamming, or another could be used by the botherder himself to attack & recruit more bots.

Applications of an Attack
The primary use of botnet is to launch Distributed Denial of Service attacks. A Distributed Denial of Service attack is when multiple systems send continuous, huge number of connection requests with spoofed/real IP addresses to the victim. The victim server / device / application accepts the connection requests initially & waits for the response from the source(s). As the number of zombies increase, the available bandwidth to attack a target - web server, db server, ecommerce website, firewall, edge router(s), etc. - increases manifolds. Soon the maximum connection that the victim can handle is reached & it can no longer accept even the valid requests, hence resulting in a Denial of Service. Since the infected systems can be placed anywhere geographically, this attack allows an attacker to be almost invisible to the victim. 

Botnets are also used by spammers to send mass mailers / spams out to the world. Since the infected systems are under complete control of the botmaster, these zombies are used as mail relay servers.

+Click Fraud
Click Fraud is one of the rapidly increasing potential domains where botnets are being used. A site owner uses Advertising programs on his/her site & when a visitor clicks on the Ad or completes a transaction using an Ad, a certain amount of $$$ is earned by the site owner. The higher the number of clicks on Ads, the more $$$ the site owner can make. So, here comes our botnet army. As botnets usually constitutes of hosts distributed geographically, a botherder programs his bots to go to the site & click on the Ads. Clicking on Ads can be scheduled for a specific time of day/week or duration, making the bot traffic to appear to be normal visitor clicks.

This is a profitable avenue for both the site owner and the botherder.

Keylogging is extremely useful in targeted attacks. As the zombie is in complete control, the bot herder can chose to enable key logging on it. This would provide the bot herder or an attacker to get system login credentials, application login credentials, remote server login information, trusted system login details, critical mails etc. - practically Everything required for further penetration.

+Identity Theft
Identity theft is another critical avenue which gives an attacker increased scope of successful targeted attack. A bot herder / attacker can fetch the user details, system details, can turn on the webcam attached to the zombie, take the photograph of the end-user & can use it for social engineering, gather critical user information such as banking login ID & passwords & use these to leverage further attacks. Considering the new social networking sites such Facebook (, LinkedIn (, Twitter ( etc., Identity theft attacks can be used to target other users from the same organization neatly.

+Hosting warez/Illegal sites
The bot herder can also chose to host ftp / http servers on the zombie hosts. A FTP server or a web server can installed quietly which would run in the background, hidden from the task manager & can serve warez, porn, malware etc.

+CD Keys
Another useful area of botnet use is to gather licensed product details. The bot herder can instruct his/her bots to look into the zombie hosts' registry to locate the serial numbers & licensing details of prevelant, popular applications & products such as Microsoft, Oracle, IBM etc.

Elements of an Attack
A bot is spread using the traditional infection vectors - virus, trojans, worms etc. The attacker uses these vectors to drop the bot executable as the payload in the vulnerable systems.

+ An attacker first spreads a trojan horse, which infects various hosts. These hosts become zombies and connect to the Command n Control server in order to listen to further commands.
+ The Command n Control server can either be a public machine in one of the IRC networks or a dedicated server installed by the attacker on one of the compromised hosts.
+ Bots run on compromised computers, forming a botnet.

Stages of an Attack
1. Creation
+ Largely dependent on the skill & requirements of the attacker.
+ The attacker may chose to write a new bot code or may customize an existing one.
2. Configuration
+ Providing the IRC server & channel information.
+ Securing the communication::Bot Herder <-> CnC <-> Bots - passwords, encryption.
+ Securing botnets from other Bot Herders - Keys, allowed members.
3. Infection
+ Direct Techniques - Exploiting OS/Services vulnerabilities, using worms/virus.
+ Indirect Techniques - Web Attacks, Social Engineering, P2P, Trojans.
+ Each infected system continues the infection process.
4. Control
+ Involves actions after the bot is installed on the target host.
+ Windows registry key -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\.
+ Connects to the CnC & joins the control channel.
+ Bot is now ready to receive commands.

Detecting a Bot
+ A simple yet effective way to detect a bot is monitoring host traffic. This can be achieved using the 'netstat' utility:

netstat -an.

Netstat is a tool available both in Windows & *nix systems. The main function of this tool is provide information about active ports. Netstat examines listening TCP and UDP ports and provides detailed information on network activity. *nix system netstat displays all the open streams. 

Possible connection states are:
ESTABLISHED – both hosts are connected
CLOSING – the remote host is closing the connection
LISTENING – the host is listening for incoming connections
SYN_RCVD – a remote host has asked to start a connection
SYN_SENT – the host is starting a new connection
LAST_ACK – the host must send a report before closing the connection
TIMED_WAIT, CLOSE_WAIT – a remote host is terminating the connection
FIN_WAIT 1 – the client is terminating the connection
FIN_WAIT 2 – both hosts are closing the connection

Watch for 'Established' connection on TCP ports in 6000-7000 range (IRC port: 6667). In case the system is compromised, take it off the network & take the necessary actions - anti-virus scan, etc.

+ Use Host Intrusion Detection Systems
A HIDS monitors the traffic originating from the host & creates a baseline i.e. a normal usage statistics. In case of a bot infection, an HIDS can watch for any deviation in traffic patterns & will report anomalies which can be used to identify bot infestation.

+ Control outbound network connection from the host
Applications such as Cisco Security Agent control the network connections initiated by any software, process or application from the host outbound. Host systems should be setup with control measures to monitor & restrict unauthorized outbound network access. If the bot cannot communicate with the Command n Control, the damage it can do is reduced significantly.

Defending against Botnets
+ Educate End-users: Do not click links in email or IM. Verify the pictures & videos sent in IM, verify the sender first & then only proceed. If the email/IM contains a URL, copy n paste the URL to access the URL.
+ Do not download untrusted software: Verify the source of the download. Use only reliable site(s) for download. Ensure that the software MD5 shown on the site & the one you download match.
+ Do not use Administrator account: Ensure least privilege for daily operations. 
+ Ensure HTTPS:// in the URL while doing any electronic transactions.
+ Disable Scripts by default: There is a firefox plugin - NoScript ( which ensures all scripts are disabled on all sites. Enable the scripts only for sites which are really needed.
+ Use Host-based firewall(s) & host-based IDS.
+ Use Anti-Virus software & keep the definitions updated.
+ Ensure regular timely patches for your OS.
+ Use sandbox environment(s) such as Sandboxie ( Sandboxing ensures an isolated space which prevents the programs (browsers, IM clients, email clients, any applications that access internet) from making permanent changes to other programs and data in your computer.
+ Shut down your system when not in use.
+ Report suspected botnet activity & spam.

Botnets are an interesting subject considering their utilization & the role they can play in a cyber war and / or controlling critical servers such as those of nucleus power plants, electric power stations, airlines, banks etc. of a nation. 

This brings us to the completion of this article on Botnets.

I hope you found the information useful. Please feel free to share your inputs/feedback.

Thank you for reading.

Thursday, June 4, 2009

Botnets - The Silent Threat

I had been planning for delivering a training. And I had to decide on a subject. So, here it is - Botnets.

Topics I will cover here:

+ What is a Botnet
+ Top Botnets
+ Why Botnet?
+ Elements
+ Features
+ Protocols used
+ Categories
+ Applications of an Attack
+ Elements of an Attack
+ Stages of an Attack
+ Detecting a Bot
+ Defending against Botnets

What is a Botnet
Botnet - bot-net - is a network of bots. A bot is a program which can perform autonomous actions in response to instructions. The bots reside on the systems which have certain vulnerabilities that are successfully exploited by an attacker. The objective of the bot is primarily to report to a central server controlled by the attacker & wait for further instructions.

The infected system is also known as a zombie. Why? Because these exploited systems work normally & the users / owners do not see any changes in the activity or performance of the systems. The Zombie rises only when commanded by its Control server. As soon as it receives the command(s), it springs into action & starts serving his master dutifully.

Top Botnets
With every passing year, there have been several botnets that were identified as the Top contenders of their times. The severity & efficiency of these botnets is usually measured by the bot's defending controls against reverse-engineering and/or prevention & the rate of increase of their bot network.

These are only a few botnets that have shown the power of the human mind & the efficiency of a smart botnet:
Sl. No. Name Botnet Size Spam Capacity
1. Conficker 10,000,000+ 10 billion/day
2. Kraken 495,000 9 billion/day
3. Srizbi 450,000 60 billion/day
4. Bobax 185,000 9 billion/day
5. Rustock 150,000 30 billion/day
It would be interesting to realize that these are just a very, very small tip of the iceberg. Conficker had been on hunting spree for so long even after it was identified. There are many which haven't even yet been found, and remember with each passing moment that a system is on the Internet, the possibility of it being successfully hit increases.

Why Botnet?
So why would someone use a Botnet if systems can be exploited remotely, with new & old attack vectors improving with technology - viruses, worms, trojans, client-side exploitation, web attacks and what not?

True, the attack vectors are present & they can do their job neatly. But in order to fully utilize the individual systems exploited via these vectors, these systems must be under some sort of centralized or intelligent control. The botnet is a consistenly increasing network of infected systems that is under direct control of the attacker. With one command from anywhere in the world, for example, an enterprise can be brought down to its knees.

That's the true power of botnet.

Elements of Botnet
+Bot herder
A bot herder is the creator of the botnet. The bot herder controls the bot remotely usually using IRC or HTTP. The bot herder ensures security over his bots, tracks progress & maintaines the CnC.

+Command n Control (CnC)
Command n Control usually runs on an IRC or HTTP server. This is primarily responsible for tracking & updating bots and sending attack launch instructions to bots.

A bot or a bot code is the program / malicious payload which resides on & controls the host and performs the instructions sent by the CnC.

Features of A Bot
Just like any other executable, a bot has a source code. The source code defines the structure & the function(s) that a bot can perform.

Some of the functions integrated in a bot are:

1. Hidden presence - hidden from task manager, process explorer, anti-virus, IDS, host firewalls.
2. Killing Anti-Virus processes.
3. Killing rival bots - yes, the war is all around!!
4. Covert communications - using http or irc or IM protocols to communicate with the CnC.
5. Auto Run
6. Automatic Update

The bot usually have a modular structure. It enabled the bot writer or the bot herder to dynamically add or update or remove the functions or exploit codes to the bot source code. After this modification, the bot source code is compiled & built to generate the new version. And with a single command through CnC, all the bots can update the changes immediately.

Part II: coming up...

CISSP: My Study Plan

I sat for the CISSP exam on May 16, 2009. The exam was not easy, but I was prepared. And had the positive energy to complete it successfully. It was a long exam - 6 hours. Equally mentally exhaustive as much as physically demanding. Add to that the constant slight buzzing sound (read noise!!) of something in the hall.

All these in place, I took the whole 6 hours & completed & checked, rechecked the question paper & checked, rechecked the bubbles in the answer sheet. Someone must be wondering why would I check & recheck the question paper.
Please read on to know why.

My Study Resources:

+ Clement's CISSP introductory video (
+ Shon Harris All-in-One (AIO) 4th Edition
+ ISC2 Official CBK Guide (
+ Shon Harris CISSP CBT/DVD (
+ CISSP forum
+ CISSP Quizzer
+ Notes/Aide Memoire available on CISSP forum
+ CISSP Gold Edition Questions & Answers
+ Shon Harris AIO Quiz (in the CD)

Time Duration for Preparation:

January last week - March end 2009 -> 3-5 hours after work. Weekends -> 5-6 hours - slowly tasting the subject matter & letting it seep in.
April 2009 - May 15, 2009 - > 7-9 hours every day - Time to pace up & complete the preparation.
During this time, I completed 2 other certifications & 1 training that definitely helped me be comfortable with the domain content.

My Study Plan (in that order):

+ Finished Shon Harris CBT/DVD
+ Completed one 100-question quiz for each domain as I completed the domain from SH CBT
+ Read Shon Harris AIO 4th edition
+ Complete Q&A at the end of each AIO Chapter.
+ Revise each domain through Notes/Aide Memoire available at CISSP forum.
+ Read forum posts, questions & responses, the reasoning behind the solution!
+ Complete Full Length quizzes for individual domain(s)
+ Read OIG
+ Complete Gold Edition Advanced Sample Q&A
+ Complete 10 Full Length quizzes (group of 3 & 4 domains)
+ Read my notes

Important points that will help you:


+ Be mentally prepared before you begin preparation.

+ Share your plan with your family or friends or both. At a point in time of preparation, you may find yourself face-to-face with high work load at office, unexpected but important official/unofficial events, & may lose focus/direction from the task. This is the time your family/friends will be of great help.

Remember, it is extremely important to keep yourself motivated to go on.

+ Book the exam after 2 weeks of preparation. This will help you understand what you have to complete & how long can it take for you to prepare.


+ Complete all domains. No matter how many years you have been in the industry, you should always complete all the domains.

+ Think from the Management perspective. Remember this is not a 100% technical exam. You need to know technical stuff but it tests your decision-making using your knowledge of technical concepts.

+ Do quizzes from different sources. And know the reason why the correct answer is correct & the incorrect answer is incorrect.

+ Use google & wikipedia for reading on topics.

+ Use CISSP forum.

+++Day before the Exam+++

+ Organize all the documents required for the exam day & keep it in your bag - Admission Ticket, ID cards - Driving Licence / Passport, Company ID etc.

+ Ensure that you have 2 HB #2 pencils, 2 dust-free erasors, a sharpner, 2 pens (not required though) & a jacket / a light woolen-wear for the exam - temperature may be too cold or tool warm for you to feel comfortable.

+ Eat a healthy, heavy breakfast. Take at least 1 water bottle, some energy bars or preferably energy drinks with you. Believe me you will need these in the Exam and you will not like to move your a$ even a bit out of the hall after looking at the question paper!!

+ Do NOT Smoke before or during the exam. You must be relaxed all this while and smoking isn't going to help you.

+ The CISSP Exam is as mentally exhaustive as it is physically demanding. Therefore relax on the day before the exam.

+++Day of Exam+++

+ First Rule of tackling this Exam - Attempt All Questions.

+ Read through 25 questions first and then take the second round answering them.

+ Eliminate the choices & then apply the concepts on the final 2 choices - from the Management perspective.

+ Mark the 25 answers against the respective 25 questions - in the question sheet. Once you have completed 25 questions, start filling in the bubbles on the answer sheet.

+ Be very careful while filling in the answer sheet. You will agree it's been a long time when you last filled those bubbles with a pencil. Your fingers will start aching if you decide to fill in 50/100 questions in one go. So choose to complete 25/30 questions in one go.

+ Mark the questions you are unsure of, or finding tough to answer or taking too long to answer. Come back to them once you are done with all other questions.

+ Once you complete all questions, go to the first page & start reviewing the questions you marked above. You should be able to solve them now. If not, refer to the Ist rule of tackling this exam above.

+ After you have completed all questions including marked ones, it's time to review. Go to the first page of the question sheet & start reviewing each question one-by-one.

+ By this time, after review, you will have most certainly changed some of your answers. Do a review now of your answer sheet to make sure that you filled 'correct answers in the correct bubble.'

+ After you submit the Answer sheet, go & get fresh. Wash your face to get freshen up, & go eat something. I am sure you will be damn hungry by now.

+++Post Exam+++

+ Catch up with your family, friends.
+ Relax & enjoy coz you have done your part.
+ The most important of all: Think Positive.

Best Regards.

Congratulations!! You passed the CISSP examination.

Finally, the much-awaited mail arrived this early morning at 1:02 am. It went straight to the archive & got labeled to ISC2. I didn't noticed & had slept waiting for it yesterday. And as I opened my eyes & logged on, I hurried to check if there is any email there looking for me. Ah, there it was - 1 unread in ISC2.

Suddenly, the excitement turned to nervousness & the mouse pointer stopped before it could click on the label. It was there & I wouldn't click on it. I stopped there for a moment. Unsure if I must open it now that it's here. So I chanted on the higher energy & opened the email. Many successful candidates had shared that the Pass mail has a word 'Congratulations' in the subject line. Well, my mail didn't had one! So, a bit anguished, I decided to look for the 'Areas of Improvement' in the mail body. And what did I find:
Dear Karn Ganeshen:
Congratulations! We are pleased to inform you that you have passed the Certified Information Systems Security Professional (CISSP®) examination - the first step in becoming certified as a CISSP.


So there I sat on my bed, Joyous & all smiles. This has been THE most exhaustive preparation AND the most exhaustive exam I've taken till now. The 5 months preparation had been demanding, & took consistent efforts & hard work. And today, I love every moment of all the nights spent since January 2009.

I will be sharing my study plan & resources used for preparation in my next post. I hope it will be useful for you.

Best Regards.


The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.