Botnets
From CastleCopsWiki
Caution: The article below is currently in beta and has not been reviewed for factual errors.
Introduction
Botnets are extremely powerful and can do a great deal of harm, which is why we need to know what they are and how we can protect our PCs from becoming part of one. What is a botnet? Exactly what it sounds like: several types of bots, all having the same controller(s), that can be used, for example, to flood (i.e. DDoS) a certain server, send spam, act as proxy name servers, proxy web servers or proxy image servers, perform email directory harvesting, and so on.
A collection of bots forms a botnet. But what is a bot? A bot is a compromised machine that waits for commands from a certain controller. Bots are remotely controlled from a Command and Control (C&C) machine, which is itself a compromised machine used to protect the real IP of the controller. Most often, controllers connect the compromised machines to IRC for easier control.
On IRC, bots originally acted just like computer robots. They were (and still are) used to automate some tasks in the IRC environment (like banning flooders). This was their original purpose: to run as a daemon process on legitimate machines (leased shell accounts) and help chatroom owners keep their channel nice and tidy. One of these "friendly bots" is the well-known Eggdrop. These bots could communicate between themselves (for example, to synchronize in case of a large flood), thus forming what is called a botnet. Notice that originally botnets weren't used for nefarious purposes.
However, like many things, the two notions have degenerated. So a bot in the "degenerated" sense could be defined as a computer program installed without the owner's knowledge, running hidden on a Windows or UNIX platform, that connects to a pre-defined server and chat room and waits for commands from a master. These are the compromised machines we mentioned earlier.
Conceptually, friendly and darkside botnets are similar, but they have quite distinct composition and application. Here are some key differences:
- Friendly bots are installed on bought or owned systems, while drones (one of the names we use for bad bots) are installed on hacked machines.
- Friendly channel bots are used for channel administrative tasks while drones are used to flood, DDoS, send spam and other bad deeds.
One note: the IRC protocol was not designed for this sort of activity! It was a place for people to come and chat long before any instant messaging client existed, and some folks still find a certain appeal in chatting on IRC. However, it is an unmoderated medium, due to the large number of users and also because private messages (messages between two chatters) and chatroom talk are not logged on the server side. Sadly, because of that, it has become one of the fastest means of spreading malware, and slowly but surely the first darkside botnets were created.
IRC Basics
IRC is a text-based chat protocol, created by Jarkko Oikarinen back in 1988. As you can probably figure out, it was one of the first means of communicating instantly with another person over the Internet. Its principle is very simple: clients connect to a server running an IRCd (Internet Relay Chat Daemon) that accepts connections on a certain port range (generally 6667-6669). They connect using a dedicated client, the most popular being mIRC. Once connected to the server, they can join chat rooms. Chat rooms are generally split by subject of interest (#politics) or country (#USA). Anyone can start their own chat room using whatever name they wish, provided it is not already taken.
Users in chat rooms are split into 3 categories: Operators (the equivalent of moderators in forums), Voice (recognized channel members, friends of operators) and regular members. You can recognize them by the symbol in front of the nick in the nicklist (operators have @, voices have + and regular users don't have any sign).
For an extensive introduction to IRC, please read the IRC Primer.
Infection Cycle
This article concentrates on IRC botnets because they are the original incarnation of botnets and they laid down the basic principle. In a nutshell, the cycle is simple: the botnet controller exploits a vulnerability on the victim machine, or the user clicks on an infected web page, which installs a small program that creates a new connection to a pre-defined IRC server and chatroom. While in that channel, the zombie connection (or drone, as it is sometimes called) waits for commands from a pre-defined host.
Now some detail on the infection "methods". Firstly, by far the most prevalent method of spreading infections is having victims visit an infected web page. Such a web page usually contains a self-extracting archive that, when run, extracts to a specified location and auto-runs the main executable file. That creates the IRC connection, allowing the bot to attempt a connection to the given IRC server. Frequently, the bot relies on only one file (SDbots, Litmus etc.). Here is how such spam looks on IRC, except that the actual web page address is blued out:
In the past, mIRC (the IRC client mentioned earlier) was the target of many exploits; however, they have been going out of fashion as they had limited impact on the infected system and could easily be removed.
A different type of bot, the type that exists on UNIX-based operating systems, is installed after getting access to the system via one of the known exploits or by brute-forcing a password. A very common exploit used by script kiddies (another name for bot creators) is the awstats exploit, the statistics module of the Apache Webserver. Just as a curiosity, UNIX-platform bots are usually written in PERL.
Bot Controllers
You might ask yourself, who in their right mind would do this? The answer is quite simple: kids - teenagers, maybe 14 or 15. As for "why do they do this?", the answers vary.
Some script kiddies flood and take down IRC networks just because someone is using their online nickname and they want it back (DDoS from these script kiddies can be directed at any host, so even your site can be a target). Some want to prove to their friends that they have the most bots.
There have been cases in which a botnet controller sold access to the infected machines. Basically, they want to show off; they need a feeling of power and authority. Of course, the next question that springs to mind is how a 14-year-old can control thousands of servers. Because it is very simple to modify an already existing bot so that it connects where you want it to and listens to whom you want it to. It is open source taken to the extreme. This also explains why there are so many botnets.
How does a drone know who its controller is? The host or IP of the controller is coded into the bot file(s). So when the bot controller connects and joins the channel, the drones recognize him. Lately, controllers do not rely solely on hosts; they also use passwords and a customized login syntax. They have evolved even further, using encryption and creating customized algorithms for encrypting their passwords.
Bot Channels
A chatroom containing bots looks like any other chatroom. The difference? The nicknames seen there are not actual users; they are the zombie connections mentioned above, created by the bot. As seen in the screenshot below, on the right is the user list of that channel. In this case, the operators of the channel, who are the bot controllers, have voiced (+) the bots. A very small channel has been chosen as an example in order to avoid the risk of publishing a big botnet; that would alert the controllers, and that's not good. Notice that the bots have extremely random nicknames; this is not always the case.
Most bots have a very long list of nicknames and real names from which they can pick. Additionally, some kiddies even "teach" their bots to reply when they are messaged, and some bots that recognize given phrases and reply have even been encountered.
The goal here is to make these bots look as human-like as possible so that they don't get banned from the network by the server operators. Of course, almost all bots have the ability to spam a given web page (one that generally leads to the infected source).
To see a list of the IPs on the channel, request a WHO on the channel. A full list of the channel users will be shown. Personal details have been blanked. Notice that some users listed have the host .users.undernet.org. That is because they are registered users on the network and can hide their IP; only server operators can see their real host.
Of course, the bot controllers are not stupid enough to connect directly from their home IP. They use Internet hotspots in cafes or generally connect through several proxies to obscure their original IP. Bot channels range from 10-15 bots to 10,000, even 15,000 bots. Now, one need only imagine what 15,000 bots requesting the main page of a website every two seconds could do.
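The nicklist prefixes from the IRC Basics section (@ operator, + voice, nothing for regular members) and the WHO listing described just above both arrive at the client as raw server replies: numeric 353 (NAMES) carries the prefixed nicks, numeric 352 (WHO) carries each user's host. The following Python script is an added example, not part of the original article, that parses a constructed set of such replies into a channel roster, groups users by role, and flags hosts masked in the .users.undernet.org form mentioned in the text. The channel name, nicks, hosts and server name in the sample are invented; the format of the 352 and 353 replies follows the IRC protocol as commonly implemented.

```python
from dataclasses import dataclass

# Constructed sample of raw server replies an IRC client receives after
# joining a channel and sending NAMES and WHO. Channel, nicks and hosts are
# invented for this example; they are not taken from any real network.
SAMPLE_REPLIES = [
    ":irc.example.net 353 me = #example :@ctrl1 +xk39ab +qpz01 joe",
    ":irc.example.net 366 me #example :End of /NAMES list.",
    ":irc.example.net 352 me #example ~ctrl ctrl1.users.undernet.org irc.example.net ctrl1 H@ :0 ctrl",
    ":irc.example.net 352 me #example ~x 203.0.113.45 irc.example.net xk39ab H+ :0 x",
    ":irc.example.net 352 me #example ~q 203.0.113.46 irc.example.net qpz01 H+ :0 q",
    ":irc.example.net 352 me #example ~joe 198.51.100.7 irc.example.net joe H :0 joe",
    ":irc.example.net 315 me #example :End of /WHO list.",
]

# Nicklist prefixes described in the article: @ operator, + voice, none regular.
ROLE_BY_PREFIX = {"@": "operator", "+": "voice"}


@dataclass
class ChannelUser:
    nick: str
    role: str = "regular"
    host: str = ""
    hidden_host: bool = False   # registered user whose real host is masked


def parse_line(line):
    """Split one raw IRC line into (prefix, command, params).

    Wire format: [:prefix] COMMAND param1 param2 ... [:trailing, may contain spaces]
    """
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    return prefix, params[0], params[1:]


def build_userlist(lines):
    """Merge 353 (NAMES) and 352 (WHO) replies into one nick -> ChannelUser map."""
    users = {}
    for line in lines:
        _, command, params = parse_line(line)
        if command == "353":
            # RPL_NAMREPLY: <me> <=|*|@> <channel> :<prefixed nick> ...
            for entry in params[-1].split():
                role = ROLE_BY_PREFIX.get(entry[0], "regular")
                nick = entry.lstrip("@+")
                users[nick] = ChannelUser(nick=nick, role=role)
        elif command == "352":
            # RPL_WHOREPLY: <me> <channel> <user> <host> <server> <nick> <flags> :<hops> <realname>
            host, nick = params[3], params[5]
            user = users.setdefault(nick, ChannelUser(nick=nick))
            user.host = host
            # Masked host of a registered Undernet user, as described in the text.
            user.hidden_host = host.endswith(".users.undernet.org")
    return users


def by_role(users):
    """Group nicks by role so the @ / + / regular split is visible at a glance."""
    groups = {"operator": [], "voice": [], "regular": []}
    for user in users.values():
        groups[user.role].append(user.nick)
    return groups


if __name__ == "__main__":
    roster = build_userlist(SAMPLE_REPLIES)
    for nick, u in roster.items():
        masked = "(masked)" if u.hidden_host else ""
        print(f"{nick:10} {u.role:9} {u.host:28} {masked}")
    print(by_role(roster))
```

Run against the sample, the roster shows exactly the pattern the article describes: one operator whose real host is hidden behind a registered-user mask, and the remaining nicks voiced (+) with plain IP hosts. Feeding the script real replies captured from your own client session lets you review a channel's composition without relying on a screenshot.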
Bot Types
The 2 main types depend on the operating system they run on: obviously we have the bots that run on Windows and the ones that run on UNIX platforms. There are many differences between these 2, but the basics stay the same: each connects a zombie client to a designated server and chat room and waits for commands. Windows-based bots you have probably heard of already: SDbots, GTbots, GAObots, Litmus, Optix and quite a few other names and variations.
They are basically easy to remove from the infected machine and generally don't install more than one or two loading points and sometimes an NT service. However, people who do not have a good security policy are a very easy target. A very useful and popular tool for IRC-related infections is Andy Manchesta's SDFix, and another, more specific tool for bots found on the Undernet IRC network, which uses Merijn's BFU script, is Cwean (beta).
UNIX-platform bots are only in part bots made especially for evil purposes (as I mentioned earlier, mostly coded in PERL). Others are bots that run on UNIX platforms but are intended for channel management tasks, like keeping operator status or protecting channels from text floods.
These bots are modified and installed on hacked machines, sometimes under cover of a rootkit that masks the presence of the bot files and the IRC connection they create. Anti-rootkit applications exist for UNIX as well, which makes detection easier, for example Rootkit Hunter and chkrootkit.
Depending on where they connect, we can split botnets into those formed on public networks and those on rogue, private IRC servers. The ones created on public networks (like Quakenet, Dalnet or Undernet) have the advantage of being relatively hard to detect, because of the large number of real users connecting; however, the server operators will terminate any botnet activity. There is one aspect to keep in mind here. IRC servers use a lot of bandwidth and generally need to be hosted by an ISP, which, as you might figure out, would be very expensive. So, thanks to large ISP companies, IRC servers are generally sponsored. The catch is that ISPs will not tolerate DDoS coming from what is already a big bandwidth consumer, and server operators are often afraid of banning bots from their servers, fearing retaliation from the bot controller that may lead to the server losing its sponsorship.
Privately hosted botnets have the extremely big advantage that the network administrators are one and the same as the bot controllers. This means that no one besides them has any network-wide privileges. In terms of disadvantages, to get private hosting you would need to host your IRC daemon on a server; that involves IPs, billing etc. that could provide (or not) some indication of the identity of the bot controller.
Future of botnets
Since connecting the infected PC to IRC creates some evidence that might alert the PC owner, script kiddies have tried to find a way that leaves no trace (or a harder to detect one). First, they tried creating an application that hides the actual bot window (on Windows systems); it is known as the HideWindow trojan and is now widely detected by most antivirus software. Rootkit technology was a step up the ladder for the script kiddies, who found an even harder to remove way of hiding their code. However, connecting the compromised machine to IRC is the biggest mistake the drone controllers make.
Sadly, even they have realized that, and have created a new type of botnet, the peer-to-peer botnet. This is, in the opinion of many, myself included, a great threat. Why is that, you might ask? Well, it's pretty simple. We all know how popular P2P programs are and how fast malware travels across P2P networks. What the controller does is share his bot source as a file with a very appealing name (pictures of a celebrity, a recently released movie etc.) and the bot spreads like wildfire. A simple double-click is enough to get infected, and the infected machine also shares the bot source, and so on. The bottom line is it gets pretty big pretty fast. Another advantage of peer-to-peer botnets is the lack of a centralized system; the compromised machines are not all in one place (like on IRC) and you cannot pinpoint the controller, as he joins the P2P network just like any other peer. For more information on the subject, please refer to this report.
How do I know I have been infected?
You need to focus on the third column. You will see the remote hosts your computer has an active connection to and the remote port. You will notice I have an ESTABLISHED connection with an Undernet server on port 6667; that is a very common port for IRC, however you can find any port in the range 6667-7000.
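The check described above can be automated. The following Python script is an added example, not part of the original article: it reads the text of an active-connections listing (assumed here to be the output of netstat, in the Windows `netstat -an` layout shown as a constructed sample; the Linux `netstat -ant` layout, which has two extra queue columns, is handled as well) and reports every ESTABLISHED connection whose remote port falls in the 6667-7000 range the text mentions. The addresses in the sample come from documentation ranges and are not real IRC servers; the 6667-7000 range is the one given in the article, not a complete list of ports IRC daemons may use.

```python
import re

# Constructed sample of "netstat -an" output from a Windows machine.
# Addresses are RFC 5737 documentation ranges, not real IRC servers.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.10:1056      203.0.113.45:6667      ESTABLISHED
  TCP    192.168.1.10:1057      198.51.100.9:6969      TIME_WAIT
  TCP    192.168.1.10:1060      198.51.100.12:7000     ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# The port range the article names as typical for IRC.
IRC_PORTS = range(6667, 7001)

# Matches an "address:port" token; the greedy \S+ also copes with
# bracketed IPv6 forms such as [::1]:445.
ADDR_RE = re.compile(r"(\S+):(\d+)$")


def parse_connections(text):
    """Return (proto, local, remote_host, remote_port, state) for each TCP row.

    Works for both the Windows layout (Proto Local Foreign State) and the
    Linux "netstat -ant" layout (Proto Recv-Q Send-Q Local Foreign State):
    in both, the two address:port tokens are local then foreign, and the
    state is the last token on the line.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].lower().startswith("tcp"):
            continue
        addrs = [m for m in (ADDR_RE.match(p) for p in parts) if m]
        if len(addrs) < 2:
            continue
        local = addrs[0].group(0)
        remote_host, remote_port = addrs[1].group(1), int(addrs[1].group(2))
        rows.append((parts[0].upper(), local, remote_host, remote_port, parts[-1]))
    return rows


def suspicious_irc_connections(text):
    """List (remote_host, remote_port) for established connections to IRC-range ports.

    Only ESTABLISHED rows count: a TIME_WAIT row is a finished connection,
    and LISTENING rows have no remote endpoint to speak of.
    """
    return [
        (host, port)
        for _, _, host, port, state in parse_connections(text)
        if state == "ESTABLISHED" and port in IRC_PORTS
    ]


if __name__ == "__main__":
    hits = suspicious_irc_connections(SAMPLE_NETSTAT)
    if hits:
        print("Established connections to IRC-range ports:")
        for host, port in hits:
            print(f"  {host}:{port}")
    else:
        print("No established connections to ports 6667-7000.")
```

A hit is not proof of infection; it is the same observation the paragraph above makes by eye, and a deliberate mIRC session will show up the same way. What matters is a connection you did not open yourself, which is why the next step is to find the process that owns it and check it with the tools listed in the Bot Types section.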
What can I do to help?
Thought you'd never ask! You have just a few precautions to follow; they may seem very easy, but they go a long way:
- Practice a good security policy. Use an antivirus and a firewall. Scan your computer regularly.
- For IRC users, the rule that has been repeated for eons: DO NOT CLICK ON URLS and DO NOT ACCEPT FILES FROM ANYONE.
Sounds easy? It is! YOUR computer could be used to flood other servers if you do not follow those 2 simple rules. This is very real and you can do something about it!
If you think you have been infected, there are places to get help. On IRC, you can find help on whatever network you are on by joining #help. Undernet has a specialized channel that deals with malware called #dmsetup, and Dalnet has its own called #nohack. Join and ask for help.
On the web you can get help right here on Castlecops.com, by following the steps in our Malware Removal and Prevention procedure.

