Botnets Case Study
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View Botnets Case Study as PDF for free.
More details
- Words: 3,817
- Pages: 16
Torbec k
Botnets Computers have been a part of my life for around 30 years now, going all the way back to the late 1970s when very few people had access to them. As such I have had to deal with a lot of computer problems over the years from hardware and software issues to the occasional stupid user. For the most part my focus has always been on computer support doing everything working with home users and small business to setting up large business networks. However, a few years ago shortly before I started my undergrad program at DeVry University my focus switch to computer security. It seemed like the natural thing for me to do. Computer Security has become a major focus in the industry and I have always enjoyed tracking down and solving problems. Plus I had already spent a lot of time dealing with virus, worms, and the occasional hacker getting in to a system so how hard could it be. Heck, I even wrote a Trojan of my very own designed to destroy the work I did for a past employer who refuse to pay me for my work. By the way it worked. However, for the first time after making this switch and maybe even the first time in my 30 years of using computer I have come across something that really scares me. In fact working on group project on the subject, I realized that it scared me so much that I tossed aside the case study I had already
1
Torbec k
started because I needed to write more on the subject than I was going to be able to cover in the group project. So what is it that scares me so much? BOTNETS. The goal of this paper is to try and educate the reader not only on what Botnets are, but what they are used for, how they work, and how you can protect yourself from them. After all the only pay to break yourself from the fear of something is to really understand it.
So what is a botnet? A Botnet is a Robotic Network of computers controlled from single command and control system by a few or even just a single user. While there are legitimate uses for BOTNETs like distributed computing project (SETI@HOME) and creation of the databases used by search engines like Google and Microsoft Bing. The term today is mostly used to describe a network of compromised computers being used without the knowledge of the computers owner. As I will explain in more detail later in this paper, this network of compromised computers can consist of a few or even millions of computers, each of which is known as a Zombie or a node1.Together the Botnet is normally used for illegal purposes by the Botnets creator known as a “Bot Herder” or “Bot Master”. The Bot Herder uses a form of Malware known as a BOT Client to take control of vulnerable computers normally by taking advantage of a known 1
The term node can also referee to a group of Zombies.
2
Torbec k
vulnerability that has a patch available, but the patch has not yet been installed on the vulnerable computers. This Bot Client is not a Virus, Trojan, or a Worm, but a hybrid of all three. After he has control the Bot Herder use a Command and Control Center (C&C), normally another infected computer, to send orders to the other zombie computers. This C&C can use one of many or even multiple forms of communication to relay orders or retrieve information from each of the Zombies. I go in more detail on the types of C & C systems later in this paper.
What are Botnets Used For? In the past the creators of Botnets (Bot Herders) created the network to gain headlines and to prove to others that they could do it. It was more about bragging rights than anything else. However, today the Botnets are created for financial gain for both the Bot Herder and for the people they rent or sell the access to the network of Zombies (Dunham & Melnick, 2008). A Botnet can be used to do almost anything that requires a large amount of computing power or Internet bandwidth. In many ways its use only depends on the skills and motivation of the Bot Herder. However, based on research done by Universities and Computer Security companies the most common uses are list below (Schiller & Binkley, 2007). Distributed Denial-of-Service Attacks (DDoS) A Denial of Service Attack (DoS) is an attack on a computer system or network with the goal of denying the use of or access to a specific services or system. While this can be done with a single computer if it has enough
3
Torbec k
bandwidth, the system administrators can easy stop the attack because it is coming from a single source. However, using a Botnet an attacker can perform a Distributed Denial-of-Service Attack (DDoS) in which the Botnets Zombies are ordered to attack the target at a set date and time. Because the Zombies can be located all over the world this form of attack is very difficult to stop. Sending Spam SPAM is Unsolicited Commercial Email. We all get it and if you are like me you have noticed that your getting a great deal more SPAM now than ever before. In fact according to Symantec SPAM now accounts for 90.4 percent of all email (Whitney, 2009). This is an increase of almost 60% in a year. Botnets are major factor in this increase. Over the last few years SPAM had actually gone down. This was because new filtering technologies had been developed and Internet Service Providers (ISP) no longer would tolerate spammers user their (the ISP) networks to send the SPAM. However, with the growth of BOTNET the spammers don’t need to deal with the ISPs. In many ways BOTNETs are an ideal medium for spammers. Similar to with a DDoS Attack they offer a larger target that is hard to block. Because the
4
Torbec k
spammer is using the bandwidth of the Zombies they not only don’t have an ISP complaints to deal with, but they don’t have a large bandwidth bill either. In fact BOTNETs can not only be used to send SPAM, but they can also be used to collect email address from all the infected computers. Phishing Scams Phishing is the act of tricking someone into giving up confidential information or tricking them into doing something that they normally wouldn't do or shouldn't do. For example: sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. Phishing is many ways is related to SPAM, because the user normally receives an email asking them to do something, but in the case of Phishing this email is disguised to look like it is coming from a legitimate source like the users bank. This Phishing email normally informs the user that there is a problem that they need to take care of right away and if they click on the links in the email it will take them where they need to go to fix the problem. While the links may look like they are going to a legitimate source they are actually going to a Phishing Website that like the email is made to look like a legitimate source. Botnets are used in Phishing Scams in multiple ways. The first is for the sending of the Phishing emails, just like the way they are used for Spamming. The second is that one or more of the Zombies are turned in to web servers to host the Phishing Website.
5
Torbec k
Identity Theft Phishing Scams are not the only way that BOTNETs are used for identity Theft. They are also used to collect personal information from the victim’s computers. This can be done in multiple ways. The Bot Herder can simple order the Botnet Client to send back files retrieved from the victim’s computer or they can have the client itself monitor all traffic going in and out of the computer and send back that data. Many clients even have built in Keylogging software. Some of the newer Botnet Clients being used can not only make a screen capture (picture or video) of the victims computer, but the can turn on a users webcam and send back pictures of the victims home or office. In many ways Identity Theft is what scares me the most about Botnets. A great example of why it scares me is the resent story (May 2009) in which the University of California Santa Barbara Hijacked the “Torpig” Botnet. In the ten days the school had control of this relatively small Botnet (around 180,000 Zombies) they collected 70GB of data, including 10,000 bank accounts and credit card numbers. Pay-Per-Click Abuse Many internet sites including Google provide away for other websites to make money using advertisements or Affiliate programs. Google AdSense, which is the largest of such programs, reportedly pays out hundreds of millions every year to companies who have placed advertisements sold by Google on their own websites.
6
Torbec k
Google and its Affiliates make money based on the number of times that the advertisement is clicked on by a user. This can easily be taken advantage of by BOTNETs. To do so the Bot Herder, or someone they have rented the Botnet to, sets up a fake website. They then join the affiliate program like AdSense and place ads on the fake website and order the Zombies to start clicking on the advertisements. Some Zombies will even intercept the web code that identifies the affiliate from every site a user visits and replace it with their own affiliate id. While this is one of the newest forms of BOTNET attacks Google claims it is growing and they expect to lose millions to this form of attack over the next few years. Remote Login to Networks (Rlogin) Originally designed for Unix/Linux systems Remote Login (Rlogin) is the ability to connect to a network from a remote location and interact with the network as if the remote computer is the host computer. Many of the Botnet Clients have Rlogin built in to them giving the Bot Herder the ability bypass much of the victim’s network security and gain access to the network undetected. Attacking Other Botnets Competition can be both a good thing right? Not in the world of Bot Herders. According to the FBI there is currently a major turf war going on between the major botnet. Using their Zombies the Bot Herders are not only performing
7
Torbec k
DDoS attacks on each other’s Command & Control computers, but they are attempting to hijack large chunks of each other’s Zombies. Manipulating Online Polls/Voting Online polls are getting more and more attention now days. In fact many of the most popular reality shows use them as an option for users who don’t want to make repeated attempts to phone over the phone to vote for their favorite signer or dancer. To prevent manipulation of the voting most polling systems are designed to let votes only vote a set number of times. This is normally done by monitoring the IP address of the computer the vote is coming from. BOTNETS make it rather easy to beat this because they can send votes in from tens of thousands, hundreds of thousands, or even millions of computers. While it is still unconfirmed, several different security groups believe this happened in the most recent running of the reality show Dances with Stars. Reports are that one of the contestants, Steve Wozniak Cofounder of Apple Computer Corp, received a much larger percentage of web votes than he did phone votes. In fact report millions more making him and his partner the receiver of the most votes in total. This continued for several weeks until the producers of the show reduce the value of the points that could be earned from internet voting. Stealing Software Not only can many of the Botnet Clients download files from a victim’s computer, they can also retrieve serial numbers and activations codes for
8
Torbec k
the applications found on the victim’s computer. Botnets are also used in the trading of pirated software by using the infected computer as a host for downloading the software. Infecting More Zombies The final common use for BOTNETs is to infect more Zombies. This normally starts right from the start after a Zombie is under the control of the Bot Herder orders it to search for and infect more vulnerable computers. I will go in more deals on that later in this paper.
Why use a Botnet and not some other technology? So why would someone use a Botnet compared to other technologies? For the most part the answer to this question is for financial gain for both the Bot Herders and the Botnet Renters. Together BOTNET have enormous amounts of both computing power and bandwidth. In fact the larger networks can have as much computing power as a supercomputer and more bandwidth than many small countries. Another reason for using a BOTNET is that they make it very difficult to track the users of the BOTNET. This is because not only are the attacks coming from multiple locations around the world; it is a moving target because the BOTNET is expanding.
Building and Using a Botnet. Before going in to details on how to build and use a BOTNET I need to spend a little time introducing the cast of characters involved. Each of which plays a very important part in the BOTNET.
9
Torbec k
○ BOT HERDER: Sometimes also known as a “Bot Master”, the “Bot Herder” is the person responsible creating and managing the Botnet. ○ BOTNET CLIENT: Malware (Virus/Trojan/Worm) used to infect vulnerable computers and turning computer in to Zombie. ○ Zombie: Infected Computer now under control of “Bot Herder” ○ C&C: Command and Control Center used for two way communication with Zombies ○ Renter: Rents use of Botnet to send SPAM or for another use. Building the Botnet: Setup Stage
The first stage in building a BOTNET is the setup stage. During this stage the BOT Herder needs to both setup the Command and Control Center (C&C) and create the Malware “Bot Client” that is going to be used to infect vulnerable computers turning them in to Zombies. The C&C is the Bot Herders way of communicating with the Zombies. Not only is it used to send commands to the Zombies, put it also receives responses back from them. The responses can be everything from “Hello I infected a new computer”, to files and data retrieved from the infected computers. Sometimes the Herder will setup the C&C on a rented server at an internet host, but this is a little dangerous so normally the C&C is just another Zombie with a high speed internet connection. There are a lot of options in how C&C will communicate with the Zombies. Below is a list of the most common.
10
Torbec k
○ Direct Connection: With this form of C&C communicate directly with each other using and available TCP/IP port. Direct Connection was used a lot with early Botnets, but today it is easily detected. ○ Internet Relay Chat (IRC): IRC is a chat protocol which allows servers worldwide to link and allow for users to access them with special software and chat (via text) in real time. This is the most common way of handling the communication between the Zombies and the C&C because it is both easy to setup and allows for real time communications. However, the increasing use of Firewalls and advanced network monitoring by business and ISPs has force Herders to start looking for other options. ○ EMAIL: With this options all communications is handled using emails. When the Herder wants to send a command to a Zombie he simple instructs the Herder to send an email. That email goes to only a few of the Zombies who in turn forward the email to more of the Zombies. While this option may sound a little strange it kind of makes sense. After all many of the Zombies are already setup mail servers so they can send SPAM. However, the biggest problem with this option is that it is a lot slower. ○ WEB/FTP Retrieval: With WEB/FTP retrieval the commands are uploaded to a WEB or FTP Server that has been pre programmed in to the Zombies. At a set time and day the Zombie checks the server for it orders. While two way communication is possible it is as detectable as Direct Connection so this form of communication is normally used only for DDoS Attacks.
11
Torbec k
○ Peer-to-Peer Networks: Peer-to-Peer communications is very similar to WEB/FTP Retrieval except that the encrypted orders are placed on a Peerto-Peer Network (like Kazaa). The one advantage with this option over WEB/FTP Retrieval is that it offers two way communications. Peer-to-Peer is quickly on its way to catching up with IRC, but it is still not real time. ○ Preset (Time/Date): Preset is another older option and is really not a form of communication, because the orders are pre programmed in to the Bot Client which has the Zombie just sit and wait for a set time and date to activate the orders. Preset is normally only used for DDoS Attacks. ○ Social Networks: I could not find anything that directly talked about the use of Social Networks with BOTNETs. However, as someone who uses several different social networks including Facebook and Twitter it only make sense that this new form of Internet Communication is going to be used by BOTNETS in the future if it is not already being done. Now that the Bot Herder has the C&C online they need to turn their attention to the Bot Client. The Client is a form of Malware (kind of a Virus/Trojan/Worm hybrid) used to infect vulnerable computers and turning computer in to Zombie. The Bot Herder really has two options when it comes to the Client. The first is to write a Botnet Client from scratch. This option takes a real expert because they need to not only write the client to handle the control of the Zombie, but they need to understand and know how to take advantage of vulnerability. The second option is to customize one of the
12
Torbec k
many Bot Clients available on the internet. This option is really the better option for most Bot Herders because they are already designed to take advantage of known vulnerabilities (using plug-ins for each), and the Herder and had modules for the features they want to include. Infection Stage
Now that the Setup Stage is done it is time to start creating Zombies. The first thing the Bot Herder does is to create the first Zombie by infecting a single computer on the internet with the Botnet Client. Once infected the Zombie reports back to the C & C telling it that it has infected a computer and asks what it should do next. The Bot Herder monitors the C & C looking for the new Zombie to report back, once it has he orders the Zombie (using the C & C) to look for and infect additional computers. As each new Zombie reports back it receives the same order to search and infect additional vulnerable computers. After there are enough Zombies the Herder can start using the Botnet and making money from it. Using the Botnet: The first step in using the BOTNET is todivide it in to two groups. The details of how the divided up the network really depends on what they plan on doing with Botnet. Are they going to keep the network and us it themselves, rent out its use, or sell it outright? However, most of the time the network is broking up in to two groups, the Zombies with the fastest connections are reserved for attacks (sending SPAM, Phishing, etc) while the Zombies with
13
Torbec k
slower connections are used to continue to build the network or for DDoS Attacks. Once the BOTNET is divided it is time to start using the network. To do so the herder follows the following steps. 1. Herder sends orders to C & C. 2. C & C either forward orders to Zombies or waits for Zombies to pick up the orders. 3. Zombies receive orders and it goes to work.
How to Protect Yourself It is possible to protect yourself from a Botnet by following the same steps as you already should be following to protect yourself from Virus, Works, and Trojans and using a little Common Sense. Below is a list of steps that both home and business users should be doing. ○ Install a Firewall ○ Install an Antivirus and Keep Definitions up-to-date. ○ Install all Security Fixes and Updates. ○ Be careful when clicking on links in emails, Instant Messages, and on Social Networking Websites. ○ Only Install Software that is Absolutely Necessary ○ Avoid File Sharing Networks, such as Kazaa and Limewire. ○ Don’t Open Email Attachments. Business should also: ○ Install an Infusion Detection System
14
Torbec k
○ Educate Users on how to protect themselves and the network resources. ○ Block Email Attachments. ○ Block user Installation of Software.
Conclusion While I do fear them, I am not the type to sit back and hide from my fears. So I have decide to create a website to help educate people on the dangers of BOTNETs and I am even going to try to write my own so I can gain even more knowledge on how they work. I hope that by reading my paper you have gained a little insight on the danger of BOTNETS and maybe understand why I have a general fear of what they can do. It is not the DDoS attacks or even the SPAM that I fear, but the potential for BOTNETS to be used on a massive scale for Identity Theft.
15
Torbec k
Works Cited Botnets - Wikipedia. (n.d.). Retrieved June 15, 2009, from Wikipedia: http://en.wikipedia.org/wiki/Botnet Dunham, K., & Melnick, J. (2008). Malicious Bots: An Inside Look into the CyberCriminal Underground of the Internet. Auerbach Publications. Gage, D., & Nash, K. S. (2006, April 6). Security Alert: When Bots Attack. Baseline Magazine . Roddel, V. (2009, April 13). Computer Infectors and Spam. Retrieved June 14, 2009, from Bright Hub: http://www.brighthub.com/internet/securityprivacy/articles/4276.aspx Schiller, C., & Binkley, J. (2007). Botnets: The Killer Web App. Syngress. Whitney, L. (2009, May 26). Report: Spam now 90 percent of all e-mail. Retrieved June 14, 2009, from CNET: http://news.cnet.com/8301-1009_3-10249172-83.html
16
Botnets Computers have been a part of my life for around 30 years now, going all the way back to the late 1970s when very few people had access to them. As such I have had to deal with a lot of computer problems over the years from hardware and software issues to the occasional stupid user. For the most part my focus has always been on computer support doing everything working with home users and small business to setting up large business networks. However, a few years ago shortly before I started my undergrad program at DeVry University my focus switch to computer security. It seemed like the natural thing for me to do. Computer Security has become a major focus in the industry and I have always enjoyed tracking down and solving problems. Plus I had already spent a lot of time dealing with virus, worms, and the occasional hacker getting in to a system so how hard could it be. Heck, I even wrote a Trojan of my very own designed to destroy the work I did for a past employer who refuse to pay me for my work. By the way it worked. However, for the first time after making this switch and maybe even the first time in my 30 years of using computer I have come across something that really scares me. In fact working on group project on the subject, I realized that it scared me so much that I tossed aside the case study I had already
1
Torbec k
started because I needed to write more on the subject than I was going to be able to cover in the group project. So what is it that scares me so much? BOTNETS. The goal of this paper is to try and educate the reader not only on what Botnets are, but what they are used for, how they work, and how you can protect yourself from them. After all the only pay to break yourself from the fear of something is to really understand it.
So what is a botnet? A Botnet is a Robotic Network of computers controlled from single command and control system by a few or even just a single user. While there are legitimate uses for BOTNETs like distributed computing project (SETI@HOME) and creation of the databases used by search engines like Google and Microsoft Bing. The term today is mostly used to describe a network of compromised computers being used without the knowledge of the computers owner. As I will explain in more detail later in this paper, this network of compromised computers can consist of a few or even millions of computers, each of which is known as a Zombie or a node1.Together the Botnet is normally used for illegal purposes by the Botnets creator known as a “Bot Herder” or “Bot Master”. The Bot Herder uses a form of Malware known as a BOT Client to take control of vulnerable computers normally by taking advantage of a known 1
The term node can also referee to a group of Zombies.
2
Torbec k
vulnerability that has a patch available, but the patch has not yet been installed on the vulnerable computers. This Bot Client is not a Virus, Trojan, or a Worm, but a hybrid of all three. After he has control the Bot Herder use a Command and Control Center (C&C), normally another infected computer, to send orders to the other zombie computers. This C&C can use one of many or even multiple forms of communication to relay orders or retrieve information from each of the Zombies. I go in more detail on the types of C & C systems later in this paper.
What are Botnets Used For? In the past the creators of Botnets (Bot Herders) created the network to gain headlines and to prove to others that they could do it. It was more about bragging rights than anything else. However, today the Botnets are created for financial gain for both the Bot Herder and for the people they rent or sell the access to the network of Zombies (Dunham & Melnick, 2008). A Botnet can be used to do almost anything that requires a large amount of computing power or Internet bandwidth. In many ways its use only depends on the skills and motivation of the Bot Herder. However, based on research done by Universities and Computer Security companies the most common uses are list below (Schiller & Binkley, 2007). Distributed Denial-of-Service Attacks (DDoS) A Denial of Service Attack (DoS) is an attack on a computer system or network with the goal of denying the use of or access to a specific services or system. While this can be done with a single computer if it has enough
3
Torbec k
bandwidth, the system administrators can easy stop the attack because it is coming from a single source. However, using a Botnet an attacker can perform a Distributed Denial-of-Service Attack (DDoS) in which the Botnets Zombies are ordered to attack the target at a set date and time. Because the Zombies can be located all over the world this form of attack is very difficult to stop. Sending Spam SPAM is Unsolicited Commercial Email. We all get it and if you are like me you have noticed that your getting a great deal more SPAM now than ever before. In fact according to Symantec SPAM now accounts for 90.4 percent of all email (Whitney, 2009). This is an increase of almost 60% in a year. Botnets are major factor in this increase. Over the last few years SPAM had actually gone down. This was because new filtering technologies had been developed and Internet Service Providers (ISP) no longer would tolerate spammers user their (the ISP) networks to send the SPAM. However, with the growth of BOTNET the spammers don’t need to deal with the ISPs. In many ways BOTNETs are an ideal medium for spammers. Similar to with a DDoS Attack they offer a larger target that is hard to block. Because the
4
Torbec k
spammer is using the bandwidth of the Zombies they not only don’t have an ISP complaints to deal with, but they don’t have a large bandwidth bill either. In fact BOTNETs can not only be used to send SPAM, but they can also be used to collect email address from all the infected computers. Phishing Scams Phishing is the act of tricking someone into giving up confidential information or tricking them into doing something that they normally wouldn't do or shouldn't do. For example: sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. Phishing is many ways is related to SPAM, because the user normally receives an email asking them to do something, but in the case of Phishing this email is disguised to look like it is coming from a legitimate source like the users bank. This Phishing email normally informs the user that there is a problem that they need to take care of right away and if they click on the links in the email it will take them where they need to go to fix the problem. While the links may look like they are going to a legitimate source they are actually going to a Phishing Website that like the email is made to look like a legitimate source. Botnets are used in Phishing Scams in multiple ways. The first is for the sending of the Phishing emails, just like the way they are used for Spamming. The second is that one or more of the Zombies are turned in to web servers to host the Phishing Website.
5
Torbec k
Identity Theft Phishing Scams are not the only way that BOTNETs are used for identity Theft. They are also used to collect personal information from the victim’s computers. This can be done in multiple ways. The Bot Herder can simple order the Botnet Client to send back files retrieved from the victim’s computer or they can have the client itself monitor all traffic going in and out of the computer and send back that data. Many clients even have built in Keylogging software. Some of the newer Botnet Clients being used can not only make a screen capture (picture or video) of the victims computer, but the can turn on a users webcam and send back pictures of the victims home or office. In many ways Identity Theft is what scares me the most about Botnets. A great example of why it scares me is the resent story (May 2009) in which the University of California Santa Barbara Hijacked the “Torpig” Botnet. In the ten days the school had control of this relatively small Botnet (around 180,000 Zombies) they collected 70GB of data, including 10,000 bank accounts and credit card numbers. Pay-Per-Click Abuse Many internet sites including Google provide away for other websites to make money using advertisements or Affiliate programs. Google AdSense, which is the largest of such programs, reportedly pays out hundreds of millions every year to companies who have placed advertisements sold by Google on their own websites.
6
Torbec k
Google and its Affiliates make money based on the number of times that the advertisement is clicked on by a user. This can easily be taken advantage of by BOTNETs. To do so the Bot Herder, or someone they have rented the Botnet to, sets up a fake website. They then join the affiliate program like AdSense and place ads on the fake website and order the Zombies to start clicking on the advertisements. Some Zombies will even intercept the web code that identifies the affiliate from every site a user visits and replace it with their own affiliate id. While this is one of the newest forms of BOTNET attacks Google claims it is growing and they expect to lose millions to this form of attack over the next few years. Remote Login to Networks (Rlogin) Originally designed for Unix/Linux systems Remote Login (Rlogin) is the ability to connect to a network from a remote location and interact with the network as if the remote computer is the host computer. Many of the Botnet Clients have Rlogin built in to them giving the Bot Herder the ability bypass much of the victim’s network security and gain access to the network undetected. Attacking Other Botnets Competition can be both a good thing right? Not in the world of Bot Herders. According to the FBI there is currently a major turf war going on between the major botnet. Using their Zombies the Bot Herders are not only performing
7
Torbec k
DDoS attacks on each other’s Command & Control computers, but they are attempting to hijack large chunks of each other’s Zombies. Manipulating Online Polls/Voting Online polls are getting more and more attention now days. In fact many of the most popular reality shows use them as an option for users who don’t want to make repeated attempts to phone over the phone to vote for their favorite signer or dancer. To prevent manipulation of the voting most polling systems are designed to let votes only vote a set number of times. This is normally done by monitoring the IP address of the computer the vote is coming from. BOTNETS make it rather easy to beat this because they can send votes in from tens of thousands, hundreds of thousands, or even millions of computers. While it is still unconfirmed, several different security groups believe this happened in the most recent running of the reality show Dances with Stars. Reports are that one of the contestants, Steve Wozniak Cofounder of Apple Computer Corp, received a much larger percentage of web votes than he did phone votes. In fact report millions more making him and his partner the receiver of the most votes in total. This continued for several weeks until the producers of the show reduce the value of the points that could be earned from internet voting. Stealing Software Not only can many of the Botnet Clients download files from a victim’s computer, they can also retrieve serial numbers and activations codes for
8
Torbec k
the applications found on the victim’s computer. Botnets are also used in the trading of pirated software by using the infected computer as a host for downloading the software. Infecting More Zombies The final common use for BOTNETs is to infect more Zombies. This normally starts right from the start after a Zombie is under the control of the Bot Herder orders it to search for and infect more vulnerable computers. I will go in more deals on that later in this paper.
Why use a Botnet and not some other technology? So why would someone use a Botnet compared to other technologies? For the most part the answer to this question is for financial gain for both the Bot Herders and the Botnet Renters. Together BOTNET have enormous amounts of both computing power and bandwidth. In fact the larger networks can have as much computing power as a supercomputer and more bandwidth than many small countries. Another reason for using a BOTNET is that they make it very difficult to track the users of the BOTNET. This is because not only are the attacks coming from multiple locations around the world; it is a moving target because the BOTNET is expanding.
Building and Using a Botnet. Before going in to details on how to build and use a BOTNET I need to spend a little time introducing the cast of characters involved. Each of which plays a very important part in the BOTNET.
9
Torbec k
○ BOT HERDER: Sometimes also known as a “Bot Master”, the “Bot Herder” is the person responsible creating and managing the Botnet. ○ BOTNET CLIENT: Malware (Virus/Trojan/Worm) used to infect vulnerable computers and turning computer in to Zombie. ○ Zombie: Infected Computer now under control of “Bot Herder” ○ C&C: Command and Control Center used for two way communication with Zombies ○ Renter: Rents use of Botnet to send SPAM or for another use. Building the Botnet: Setup Stage
The first stage in building a BOTNET is the setup stage. During this stage the BOT Herder needs to both setup the Command and Control Center (C&C) and create the Malware “Bot Client” that is going to be used to infect vulnerable computers turning them in to Zombies. The C&C is the Bot Herders way of communicating with the Zombies. Not only is it used to send commands to the Zombies, put it also receives responses back from them. The responses can be everything from “Hello I infected a new computer”, to files and data retrieved from the infected computers. Sometimes the Herder will setup the C&C on a rented server at an internet host, but this is a little dangerous so normally the C&C is just another Zombie with a high speed internet connection. There are a lot of options in how C&C will communicate with the Zombies. Below is a list of the most common.
10
Torbec k
○ Direct Connection: With this form of C&C communicate directly with each other using and available TCP/IP port. Direct Connection was used a lot with early Botnets, but today it is easily detected. ○ Internet Relay Chat (IRC): IRC is a chat protocol which allows servers worldwide to link and allow for users to access them with special software and chat (via text) in real time. This is the most common way of handling the communication between the Zombies and the C&C because it is both easy to setup and allows for real time communications. However, the increasing use of Firewalls and advanced network monitoring by business and ISPs has force Herders to start looking for other options. ○ EMAIL: With this options all communications is handled using emails. When the Herder wants to send a command to a Zombie he simple instructs the Herder to send an email. That email goes to only a few of the Zombies who in turn forward the email to more of the Zombies. While this option may sound a little strange it kind of makes sense. After all many of the Zombies are already setup mail servers so they can send SPAM. However, the biggest problem with this option is that it is a lot slower. ○ WEB/FTP Retrieval: With WEB/FTP retrieval the commands are uploaded to a WEB or FTP Server that has been pre programmed in to the Zombies. At a set time and day the Zombie checks the server for it orders. While two way communication is possible it is as detectable as Direct Connection so this form of communication is normally used only for DDoS Attacks.
11
Torbec k
○ Peer-to-Peer Networks: Peer-to-Peer communications is very similar to WEB/FTP Retrieval except that the encrypted orders are placed on a Peerto-Peer Network (like Kazaa). The one advantage with this option over WEB/FTP Retrieval is that it offers two way communications. Peer-to-Peer is quickly on its way to catching up with IRC, but it is still not real time. ○ Preset (Time/Date): Preset is another older option and is really not a form of communication, because the orders are pre programmed in to the Bot Client which has the Zombie just sit and wait for a set time and date to activate the orders. Preset is normally only used for DDoS Attacks. ○ Social Networks: I could not find anything that directly talked about the use of Social Networks with BOTNETs. However, as someone who uses several different social networks including Facebook and Twitter it only make sense that this new form of Internet Communication is going to be used by BOTNETS in the future if it is not already being done. Now that the Bot Herder has the C&C online they need to turn their attention to the Bot Client. The Client is a form of Malware (kind of a Virus/Trojan/Worm hybrid) used to infect vulnerable computers and turning computer in to Zombie. The Bot Herder really has two options when it comes to the Client. The first is to write a Botnet Client from scratch. This option takes a real expert because they need to not only write the client to handle the control of the Zombie, but they need to understand and know how to take advantage of vulnerability. The second option is to customize one of the
12
Torbec k
many Bot Clients available on the internet. This option is really the better option for most Bot Herders because they are already designed to take advantage of known vulnerabilities (using plug-ins for each), and the Herder and had modules for the features they want to include. Infection Stage
Now that the Setup Stage is done it is time to start creating Zombies. The first thing the Bot Herder does is to create the first Zombie by infecting a single computer on the internet with the Botnet Client. Once infected the Zombie reports back to the C & C telling it that it has infected a computer and asks what it should do next. The Bot Herder monitors the C & C looking for the new Zombie to report back, once it has he orders the Zombie (using the C & C) to look for and infect additional computers. As each new Zombie reports back it receives the same order to search and infect additional vulnerable computers. After there are enough Zombies the Herder can start using the Botnet and making money from it. Using the Botnet: The first step in using the BOTNET is todivide it in to two groups. The details of how the divided up the network really depends on what they plan on doing with Botnet. Are they going to keep the network and us it themselves, rent out its use, or sell it outright? However, most of the time the network is broking up in to two groups, the Zombies with the fastest connections are reserved for attacks (sending SPAM, Phishing, etc) while the Zombies with
13
Torbec k
slower connections are used to continue to build the network or for DDoS Attacks. Once the BOTNET is divided it is time to start using the network. To do so the herder follows the following steps. 1. Herder sends orders to C & C. 2. C & C either forward orders to Zombies or waits for Zombies to pick up the orders. 3. Zombies receive orders and it goes to work.
How to Protect Yourself It is possible to protect yourself from a Botnet by following the same steps as you already should be following to protect yourself from Virus, Works, and Trojans and using a little Common Sense. Below is a list of steps that both home and business users should be doing. ○ Install a Firewall ○ Install an Antivirus and Keep Definitions up-to-date. ○ Install all Security Fixes and Updates. ○ Be careful when clicking on links in emails, Instant Messages, and on Social Networking Websites. ○ Only Install Software that is Absolutely Necessary ○ Avoid File Sharing Networks, such as Kazaa and Limewire. ○ Don’t Open Email Attachments. Business should also: ○ Install an Infusion Detection System
14
Torbec k
○ Educate Users on how to protect themselves and the network resources. ○ Block Email Attachments. ○ Block user Installation of Software.
Conclusion While I do fear them, I am not the type to sit back and hide from my fears. So I have decide to create a website to help educate people on the dangers of BOTNETs and I am even going to try to write my own so I can gain even more knowledge on how they work. I hope that by reading my paper you have gained a little insight on the danger of BOTNETS and maybe understand why I have a general fear of what they can do. It is not the DDoS attacks or even the SPAM that I fear, but the potential for BOTNETS to be used on a massive scale for Identity Theft.
15
Torbec k
Works Cited Botnets - Wikipedia. (n.d.). Retrieved June 15, 2009, from Wikipedia: http://en.wikipedia.org/wiki/Botnet Dunham, K., & Melnick, J. (2008). Malicious Bots: An Inside Look into the CyberCriminal Underground of the Internet. Auerbach Publications. Gage, D., & Nash, K. S. (2006, April 6). Security Alert: When Bots Attack. Baseline Magazine . Roddel, V. (2009, April 13). Computer Infectors and Spam. Retrieved June 14, 2009, from Bright Hub: http://www.brighthub.com/internet/securityprivacy/articles/4276.aspx Schiller, C., & Binkley, J. (2007). Botnets: The Killer Web App. Syngress. Whitney, L. (2009, May 26). Report: Spam now 90 percent of all e-mail. Retrieved June 14, 2009, from CNET: http://news.cnet.com/8301-1009_3-10249172-83.html
16
Related Documents
Botnets Case Study
May 2020 0
Botnets
November 2019 1
Case Study
April 2020 41
Case Study
May 2020 38
Case Study
June 2020 28