This article covers sophisticated botnet attacks, whereby the attacked computer system becomes an attacker itself. Systems administrators and senior technology management staff that are aware of the modus operandi of botnets are best qualified to prevent their entry into a secured network. The article also discusses how FOSS systems ought to be protected from such attacks.
The word botnet is derived from a network of robots. It is essentially a widespread collection of a large number of infected computer systems. Each infected system runs a piece of software program called a bot. As shown in Figure 1, there is a bot-master system, which keeps track of the total number of machines infected and the tasks they should perform. For carefully choreographed attacks that need orchestration between millions of such systems, another layer of bot-managers is created too. These perform the tasks of accepting commands from the master, spreading those commands to the bots, and also reporting the number of infected systems under them. The manager botnets also send software patches to fix bugs or improve functionality, very similar to a security patch management system.
The bot-masters are controlled by the crackers who created this army. However, since the crackers are in hiding, the master system and software running on it are always operating in stealth mode. In a few recent botnet attacks, the bot-master had delegated and rotated the master’s role between its bot-managers, thus making it extremely tough to detect. These role changes were further rotated based on the country they were present in. Usually, botnets are designed for a specific OS, and if they have to spread wider, botnets prefer Web code or the Java language to infect all possible OS platforms.
Now, let’s look into the internal operations of a typical bot. As shown in Figure 2, there are four main modules of a botnet. The command module sends commands to the child botnets, whereas the control module controls the ownerships, to decide who should listen to whom. The infection module carries the important responsibility of finding non-patched servers in the network, and infecting those with the most updated copy. The stealth module is essentially a set of software programs, which does crucial jobs such as disabling anti-virus software, achieving root access or kernel access, etc. It also ensures that its own footprint on the infected machine is invisible in terms of running processes and disk space, and also keeps a watch on new anti-virus software being installed. In some cases, the stealth module and control module work together to fetch their most recent patch from the master or manager, and seamlessly upgrade themselves. Some stealth modules are also capable of erasing themselves with a self-destruct mechanism, or shutting down the system to thwart aggressive detection techniques.
The way botnets interact with the master or manager is very interesting too. All bots are given a unique identification number, which is usually a product of the infected system’s configuration and location, but not necessarily the IP address of the system. The master always has the most updated count of the identification numbers used, and is capable of limiting or expanding the spread. Bots use a specific range of TCP ports; however, the exact port being used is picked randomly. It is always the duty of the botnet to report to the master or manager the TCP port number it plans to use. This reporting occurs on every reboot of the infected system. In most cases, the inter-bot communications are Base-64 or MD5 encrypted, while in some cases a self-signed digital certificate is used too.
The main purpose behind injecting a botnet into a system is to create an army of infected systems, also called zombies. The table below explains various types of botnets and the purpose behind injecting them into a network. The overall purpose behind such an attack is, ultimately, to disrupt computer systems or to steal data. Since a whole army of computer zombies are in action, unfortunately, the crackers can easily and quickly succeed in their evil mission; this is because planting a botnet attack is always a low-risk, high-profit job.
Botnet type Purpose
DoSBot DoS and Distributed DoS attack using Layer 3 to 7 protocols
SpamBot Email spamming by collecting address books
BrowseBot Gather user’s browsing trends and feed into advertisement network
AdSenseBot Same as BrowseBot but targeted at Google AdSense
ChatBot Collect chat transcripts to find user’s chatting trends
idBot Collect user ID and password information
CCBot Collect credit-card information from e-commerce portal screens
PollBot Manipulate online polls meant for products and services
BruteForceBot Attack websites with TCP and application layer attacks
NetBot Attack networks using Layer 2 and 3 protocols
How botnets are injected
In the early days of the Internet, a botnet code piece was developed to programmatically traverse through multiple websites, and to further gather and collate the contents to create meaningful data. While this method forms the heart of today’s search engines, it was tweaked at some point in the past by crackers to serve their purposes. Before discussing how botnets are injected, let’s understand why it is done. To make a website famous in a search engine, it is imperative to get lots of Web requests. This is especially true for websites that run advertisements and earn money for every click on a published advertisement. It is now possible to spread botnets across the networks, to access the page and programmatically click one or more advertisements on it. If such a campaign is carefully orchestrated, it is tough to figure out which click is legitimately initiated by a human being, and which one originates from botnet code. The website hosting firm, usually a cracker in such a case, can end up earning lots of money. In another type of attack called phishbots, an email campaign can be started to achieve similar results. This tells us that the effects of botnets go much beyond mere reputation or data loss.
The process mentioned above is only possible when enough security measures are not in place. For example, a machine not running anti-virus software, or running with old or dated anti-virus definitions can fall prey to this process easily. Similarly, an un-patched or improperly patched system or network can expose a lot of vulnerabilities that can be exploited. In case of the network perimeter defence, leaving security holes in a firewall configuration worsens the situation. As for servers, implementing insecure policies or measures that do not harden the server OS, or leaving application exploits unfixed, can cause damage. While dealing with Linux distros, exploits such as buffer overflows and remote command execution are usually used. Typical rudimentary methods such as sending phishing emails, spyware attachments, etc, are used to increase the spread. It is very important to remember that infecting one machine in a network is enough, because that machine, acting as a zombie, can easily replicate the botnet code to other machines in the same network.
At this point, it is important to mention a few notorious botnets that are still tough to detect.
Conficker: Originally thought to be a virus, Conficker had built-in software routines that could allow the infected machine to be controlled remotely, making it a bot threat. While it was written for Windows OS, a few variants were later created to infect UNIX and Linux systems too. It used the hidden file share vulnerability of Windows to get into the machine, and then turn it into a zombie to spread the infection further. With an infection count of over 10 million machines across the globe, Conficker is still found in systems that are improperly configured, or not protected by a strong perimeter defence system.
Mariposa: This botnet used spyware and malware as a vehicle to inject machines and install a payload of command and control centre modules. The purpose of Mariposa was to run in stealth mode, and keep an eye on passwords and credit card numbers being typed on the machine. It was also programmed to intercept browser requests and lure users to pages hosting updated copies of the botnet itself, as well as advertisement pages.
Srizbi: This botnet was specifically designed to create billions of spam email messages every day. It spread mainly via pirated and free software downloaded on the Net, turning multiple machines into zombies. It had a very small footprint, which made detection very difficult. It had a different control module by which an infected server would be the owner controlling the zombie army, while other infected servers simply kept a watch on it, and would take over if the controller server failed or shut down. Srizbi is known to have created massive email spam attacks, causing denial of service on mail servers.
BredoLab: This is the most recent botnet army, which infected over 20 million machines worldwide. While the main purpose was to create massive email spam, this botnet also incorporated spyware and viruses in its payload. It is known to infect various Linux distros, and deploy root-kits on those to run in stealth mode. It was dismantled by law authorities, but is believed to still exist in the form of variants.
Protecting FOSS systems
As we learnt, botnets exploit all possible vulnerabilities and create their own eco-system for malicious purposes. While botnets are difficult to detect and tackle, there are a few preventive mechanisms that all network administrators should adopt in their infrastructure. The first and foremost is the perimeter defence system. A properly configured router and firewall must be in place, and the firewall should be configured with auto-updating anti-spam filters. As for physical security, disabling USB and CD drives would help to a great extent. It is important for Linux administrators to know that Linux distros are not secure from botnets, though the percentage of infection is somewhat lower than Windows machines. For FOSS systems, performing a rigorous routine check for root kits and malware is a must. Linux systems, which typically host Web servers and FTP farms, are usually the first targets to deploy the payload. Strengthening and locking file systems is advised too.
Attackers who plan to inject a botnet can use simple methods of breaking into authentication systems, via SSH protocol or over the Web. Thus, using a strict and complex password scheme is very important. The common practice of running unnecessary services on a production Linux server should be discouraged, as it opens up stray ports that are left unmonitored and thus become a back-door for attackers. Just to summarise, cyber security is all about processes and practices, rather than just products. Hence, understanding how botnets attack is imperative for systems administrators to devise a security strategy based on their particular network scenarios.