I'm fascinated by the phenomenon of botnets at the moment. So how do they work and how are they evolving? The basic picture:
This example illustrates how a botnet is created and used to send email spam.
- A botnet operator sends out viruses or worms whose payload is a trojan application, the bot, infecting ordinary users' computers.
- The bot on the infected PC logs into a particular IRC server (or in some cases a web server). That server is known as the command-and-control server (C&C).
- A spammer purchases access to the botnet from the operator.
- The spammer sends instructions via the IRC server to the infected PCs, causing them to send out spam messages to mail servers.
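The rendezvous pattern in the picture above (many infected PCs logging into one IRC server and channel) is also what a defender can look for. The following is an added example, not code from the original post: it runs a simple correlation over a constructed, simplified connection log (the log format, the internal address range, the server and channel names, and the thresholds are all assumptions) and flags a channel when several distinct internal hosts join it on the same external server within a short window.

```python
"""Flag clusters of internal hosts rendezvousing on one external IRC channel.

Added example, not from the original post. Assumes a constructed, simplified
connection log with one event per line:
    <timestamp> <src_ip> <dst_ip>:<dst_port> <irc_command> [<argument> ...]
Real sensor formats (Zeek irc.log, proxy logs) differ; only the parser changes.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: three internal hosts join the same channel on the same
# external server within a few seconds; one unrelated user joins a different
# server; a fourth host joins the suspicious channel much later.
SAMPLE_LOG = """\
2006-09-01T10:00:01 10.0.0.11 203.0.113.5:6667 JOIN #x9q
2006-09-01T10:00:04 10.0.0.12 203.0.113.5:6667 JOIN #x9q
2006-09-01T10:00:09 10.0.0.13 203.0.113.5:6667 JOIN #x9q
2006-09-01T10:00:30 10.0.0.12 203.0.113.5:6667 PRIVMSG #x9q :ok
2006-09-01T10:05:00 10.0.0.50 198.51.100.7:6667 JOIN #linux
2006-09-01T12:00:00 10.0.0.14 203.0.113.5:6667 JOIN #x9q
"""


def parse_events(text):
    """Turn the constructed log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, *cmd = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst_ip,
            "port": int(dst_port),
            "cmd": cmd[0],
            "arg": cmd[1] if len(cmd) > 1 else "",
        })
    return events


def find_rendezvous(events, min_hosts=3, window_seconds=60):
    """Return (server, channel, hosts) for every server/channel pair that at
    least min_hosts distinct internal hosts JOINed within window_seconds.
    Thresholds are assumptions; tune them to the environment."""
    joins = defaultdict(list)  # (server, channel) -> [(timestamp, src_ip)]
    for e in events:
        if e["cmd"] == "JOIN":
            joins[(e["dst"], e["arg"])].append((e["ts"], e["src"]))

    alerts = []
    for (server, channel), lst in joins.items():
        lst.sort()
        start = 0
        # Sliding window over the time-ordered joins for this channel.
        for end in range(len(lst)):
            while (lst[end][0] - lst[start][0]).total_seconds() > window_seconds:
                start += 1
            hosts = {src for _, src in lst[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append((server, channel, frozenset(hosts)))
                break  # one alert per (server, channel) is enough
    return alerts


if __name__ == "__main__":
    for server, channel, hosts in find_rendezvous(parse_events(SAMPLE_LOG)):
        print(f"possible C&C rendezvous: {channel} on {server} joined by {sorted(hosts)}")
```

The heuristic is deliberately narrow: ordinary users rarely join the same obscure channel on the same server within seconds of each other, whereas bots that start on a schedule or after a mass infection do exactly that. Legitimate communities (the `#linux` join above) are left alone because the window and host count are not met.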
One startling discovery is that after every "Patch Tuesday", hackers apparently start to reverse engineer the fixed problem and develop an exploit for it. It takes days or even weeks before most users actually have these patches installed, which gives the attackers ample time to infect users and increase the size of their botnets. This makes diligent patching important.
So these botnets are sold or rented out to:
- send spam emails: some botnets can send 1 billion mails per day, and by the way, this spamming economy has become a billion-dollar industry!
- send phishing emails (scams)
- steal cookies (cookies are often used as an authentication method for websites!)
- steal serial codes (of games)
- send spam by IM (spim)
- serve as storage or distribution for warez or music/videos
- encrypt and ask for ransom for user data (ransomware)
- install adware and run clicks4hire schemes
- harvest local e-mail addresses
Also, the use of DNS records with a low TTL (also called fast-flux DNS) keeps botnets alive longer. Botherders have also shifted to distributed C&C servers instead of a central one, because disabling the C&C server was the easiest way to disable an army of thousands of zombies. If you cut off the head, you killed the beast. So they became a hydra.
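Fast-flux leaves a footprint that is visible from the defender's side of the resolver: the same name answers with a churning set of addresses, carried by low TTLs and usually spread over unrelated networks. The following is an added example, not code from the original post: it scores domains from a constructed set of passive-DNS observations (domain, answer IP, TTL, ASN), with the record layout, the sample values and the thresholds all being assumptions.

```python
"""Score domains for fast-flux behaviour from passive-DNS observations.

Added example, not from the original post. Input is a constructed list of
(domain, answer_ip, ttl_seconds, asn) tuples such as a passive-DNS sensor
might log over a few hours. Thresholds are assumptions, not published values.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample: one name rotates through many IPs in many ASNs with tiny
# TTLs; a CDN-style name has a few IPs in a single ASN with a moderate TTL;
# a static site resolves to one address with a day-long TTL.
SAMPLE_PDNS = [
    ("flux.example", "198.51.100.10", 180, 64500),
    ("flux.example", "198.51.100.77", 180, 64500),
    ("flux.example", "203.0.113.9", 120, 64501),
    ("flux.example", "192.0.2.200", 60, 64502),
    ("flux.example", "192.0.2.33", 60, 64503),
    ("flux.example", "203.0.113.140", 180, 64504),
    ("cdn.example", "192.0.2.1", 300, 64510),
    ("cdn.example", "192.0.2.2", 300, 64510),
    ("cdn.example", "192.0.2.3", 300, 64510),
    ("static.example", "198.51.100.1", 86400, 64520),
]


def summarize(records):
    """Aggregate observations per domain: distinct IPs, distinct ASNs, TTLs."""
    per_domain = defaultdict(lambda: {"ips": set(), "asns": set(), "ttls": []})
    for domain, ip, ttl, asn in records:
        d = per_domain[domain]
        d["ips"].add(ip)
        d["asns"].add(asn)
        d["ttls"].append(ttl)
    return per_domain


def fast_flux_score(summary, ttl_threshold=300, ip_threshold=5, asn_threshold=3):
    """Return {domain: score}. Each heuristic contributes one point:
    low mean TTL, many distinct answers, answers spread across many ASNs.
    A CDN typically trips the TTL test alone; fast-flux trips all three."""
    scores = {}
    for domain, d in summary.items():
        score = 0
        if mean(d["ttls"]) <= ttl_threshold:
            score += 1
        if len(d["ips"]) >= ip_threshold:
            score += 1
        if len(d["asns"]) >= asn_threshold:
            score += 1
        scores[domain] = score
    return scores


def flag_fast_flux(records, min_score=3):
    """Return the sorted list of domains reaching min_score."""
    scores = fast_flux_score(summarize(records))
    return sorted(domain for domain, score in scores.items() if score >= min_score)


if __name__ == "__main__":
    for domain, score in sorted(fast_flux_score(summarize(SAMPLE_PDNS)).items()):
        print(f"{domain:16s} score={score}")
    print("fast-flux candidates:", flag_fast_flux(SAMPLE_PDNS))
```

The ASN-diversity test is what separates a legitimate content network from a flux network: a CDN rotates addresses inside its own infrastructure, while a botnet's proxy layer is made of infected home machines scattered across many ISPs. Candidates are meant for a blocklist review or sinkhole decision, not for automatic action on their own.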
According to Microsoft, their Malicious Software Removal Tool detected and removed about 16 million instances of trojans or bots between January 2005 and mid-2006. These figures do not include those of Symantec or other anti-malware vendors.
If botherders want to change the payload or the communication method, or add new features to their bots, they need to rewrite their code. How can this be avoided? Well, the next generation of bots will be modular in nature and will have multiple layers, such as:
- control layer
- communication layer
- feature layer
- infection layer
The communication layer seeks to be channel independent: P2P, SMB, Skype, SIP, IM and social forums (e.g. MySpace) can all be used. Skype in particular has several advantages: a popular client, support for encrypted traffic, NAT friendliness, an easy-to-use API and firewall circumvention capabilities.
For the infection layer, why not embed Metasploit? It already has lots of exploits, and it's easy to plug in new ones.
As for the feature layer, some new functionality besides spam or DDoS:
- steal user credentials for action/online banking (makes OTP less useful)
- packer/crypter to rebuild itself (an antivirus nightmare)
Some relevant articles:
The most recent Shadowserver Foundation graphs show an even higher rise since March. About 1.7 million for now. What can we do? Is the battle really lost? That's for my next post on botnets.