Robot Wars – How Botnets Work

by hakin9 [Published on 20 Oct. 2005 / Last Updated on 20 Oct. 2005]

One of the most common and efficient DDoS attack methods is based on using hundreds of zombie hosts. Zombies are usually controlled and managed via IRC networks, using so-called botnets. Let's take a look at the ways an attacker can use to infect and take control of a target computer, and let's see how we can apply effective countermeasures in order to defend our machines against this threat.

Robot Wars – How Botnets Work
by
Massimiliano Romano, Simone Rosignoli, Ennio Giannini
For hakin9

What you will learn...

  • what are bots, botnets, and how they work,
  • what features most popular bots offer,
  • how a host is infected and controlled,
  • what preventive measures are available and how to respond to bot infestation.

What you should know...

  • how malware works (trojans and worms in particular),
  • mechanisms used in DDoS attacks,
  • basics of TCP/IP, DNS and IRC.

The late nineties and the beginning of a new millennium brought a new strategy of attack against network systems. The notorious Distributed Denial of Services (DDoS) was born. Many important dotcoms felt the rage. The reason why such attacks are so widespread is mainly their simplicity and difficulties in tracking down the parties involved. This type of attacks, despite our vast experience and knowledge, still represent a severe threat today, and still give an attacker the edge. Let's see what these attacks are all about and let's look into the product of their evolution: botnet attacks.

Introduction to Bots and Botnets

The word bot is an abbreviation of the word robot. Robots (automatized programs, not robots like Marvin the Paranoid Android) are frequently used in the Internet world. Spiders used by search engines to map websites and software responding to requests on IRC (such as eggdrop) are robots. Programs which respond autonomously to particular external events are robots, too. This article will describe a special kind of a robot, or bot (as we will call them from now on) – an IRC bot. It uses IRC networks as a communication channel in order to receive commands from a remote user. In this particular case the user is an attacker and the bot is a trojan horse. A good programmer can easily create his own bot, or customize an existing one. This will help hide the bot from basic security systems, and let it easily spread.

IRC

IRC stands for Internet Relay Chat. It is a protocol designed for real time chat communication (reference to RFC 1459, update RFC 2810, 2811, 2812, 2813), based on client-server architecture. Most IRC servers allow free access for everyone. IRC is an open network protocol based on TCP (Transmission Control Protocol), sometimes enhanced with SSL (Secure Sockets Layer).

An IRC server connects to other IRC servers within the same network. IRC users can communicate both in public (on so-called channels) or in private (one to one). There are two basic levels of access to IRC channels: users and operators. A user who creates a channel becomes its operator. An operator has more priviledges (dependent on modes set by the initial operator) than a regular user.

IRC bots are treated no different than regular users (or operators). They are daemon processes, which can run a number of automated operations. Control over these bots is usually based on sending commands to a channel set-up by the attacker, infested with bots. Of course, bot administration requires authentication and authorisation, so that only the owner can use them.

An important feature of such bots is the fact that they are able to spread rapidly to other computers. Careful planning of the infection process helps achieve better results in shorter time (more compromised hosts). A number of n bots connected to a single channel and waiting for commands is called a botnet.

In recent past zombie (another name for bot–infected computers) networks were controlled with the use of proprietary tools, developed intentionally by crackers themselves. Experience has lead to experiments with new remote control methods. IRC is considered the best way to launch attacks, because it is flexible, easy to use and especially because public servers can be used as a communication medium (see Inset IRC). IRC offers a simple method to control hundreds or even thousands of bots at once in a flexible manner. It also allows attackers to cover their identity with the use of simple tricks such as anonymous proxies or simple IP address spoofing. Thanks to this, server administrators have little chance to find the origin of an attack controlled in such a manner.

In most cases bots infect single user PCs, university servers or small company networks. This is because such machines are not strictly monitored, and often left totally unprotected. The reason for this is partially the lack of a real security policy, but mostly the fact that most PC users with an ADSL connection are completely unaware of the risks involved, and do not use protective software such as antivirus tools or personal firewalls.

Bots and their Applications

The possible uses for compromised hosts depend only on the imagination and skills of an attacker. Let's look at the most common ones.

DDoS

Botnets are frequently used for Distributed Denial of Service attacks. An attacker can control a large number of compromised hosts from a remote workstation, exploiting their bandwidth and sending connection requests to the target host. Many networks suffered from such attacks, and in some cases the culprits were found amongst competition (as in the case of dotcom wars).

Distributed DoS Attacks (DDoS)

A DDoS attack is a variation of a Flooding DoS attack; its aim is to saturate a target network, using all the available bandwidth. That being said, and presuming that an attacker should have huge total bandwidth available in order to saturate the targeted site, it is clear that the best way to launch this type of an attack is to have many different hosts under control. Each host introduces its own bandwidth (ex. PC ADSL users), and they are used all at once, thus distributing the attack on the target site. One of the most popular attacks performed with the use of the TCP protocol (a connection oriented protocol), is called TCP syn flooding. It works by sending a large number of TCP connection requests to the same web server (or to any other type of service), overloading the server's resources and leading to its saturation, preventing other users from opening their own connections. How simple and dangerously efficient! We can achieve the same by using the UDP protocol (a connectionless protocol).

Attackers have spent a lot of time and effort on improving such attacks. We are now facing even better techniques, which differ from traditional DDoS attacks. They let malicious users control a very large number of zombie hosts from a remote workstation, by using, for example, the IRC protocol.

Spamming

Botnets are an ideal medium for spammers. They could be used, and are used, both for exchanging collected e–mail addresses and for controlling spam streaks in the same way DDoS attacks are performed. Single spam message could be sent to the botnet and then distributed across bots, which send the spam. The spammer stays anonymous and all the blame goes to infected computers.

Sniffing & Keylogging

Bots can also be effectively used to enhance the ancient art of sniffing. Observing traffic data can lead to detection of an incredible amount of information. This includes user habits, TCP packet payload which could contain interesting information (such as passwords). The same applies to keylogging – capturing all the information typed in by the user (e–mails, passwords, home banking data, PayPal account info etc.).

Identity Theft

The abovementioned methods allow an attacker controlling a botnet to collect an incredible amount of personal information. Such data can then be used to build fake identities, which can in turn be used to obtain access to personal accounts or perform various operations (including other attacks) putting the blame on someone else.

Hosting of Illegal Software

Last, but not least, bot–compromised computers can be used as a dynamic repository of illegal material (pirated software, pornography, etc.). The data is stored on the disk of an unaware ADSL user.

Hours could be spent talking about the possible applications of botnets (for example pay per click abuse, phishing, hijacking HTTP/HTTPS connections etc.). Bots alone are only tools, which can easily be adapted to every task which requires a great number of hosts under single control.

Different Types of Bots

Many types of ready–made bots are available for download from the Internet. Each of them has its own special features. Let's have a look at the most popular bots, outlining common features and distinctive elements.

GT–Bot

All the GT (Global Threat) bots are based on a popular IRC client for Windows called mIRC. The core of these bots is made up of a set of mIRC scripts, which are used to control the activity of the remote system. This type of bot launches an instance of the client enhanced with control scripts and uses a second application, usually HideWindow, to make mIRC invisible to the user of the host computer. An additional DLL file adds new features to mIRC in order for scripts to be able to influence various aspects of the controlled host.

Agobot

Agobot is probably one of the most popular bots used by crackers. It is written in C++ and released on a GPL licence. What is interesting about Agobot is its source code. Highly modular, it makes it simple to add new functions. Agobot provides many mechanisms to hide its presence on the host computer. They include: NTFS Alternate Data Stream, Antivirus Killer and the Polymorphic Encryptor Engine. Agobot offers traffic sniffing and sorting functionality. Protocols other than IRC can also be used to control this bot.

DSNX

The Dataspy Network X bot is also written in C++ and its source code is also available on a GPL licence. Adding new functionality to this bot is very easy thanks to its simple plug–in architecture.

SDBot

SDBot is written in C and also available on a GPL licence. Unlike Agobot, its code is not very clear and the software itself comes with a limited set of features. Nevertheless, it is still very popular and available in different variants.

The Elements of an Attack

Figure 1 shows a structure of a typical botnet:


 Figure 1: Structure of a typical botnet

  • An attacker first spreads a trojan horse, which infects various hosts. These hosts become zombies and connect to the IRC server in order to listen to further commands.
  • The IRC server can either be a public machine in one of the IRC networks or a dedicated server installed by the attacker on one of the compromised hosts.
  • Bots run on compromised computers, forming a botnet.

A Practical Example

The activity of the attacker can be split into four different stages:

  • creation
  • configuration
  • infection
  • control

The creation stage is largely dependent on attacker skills and requirements. A cracker can decide whether to write their own bot code or simply extend or customise an existing one. A wide range of ready–made bots are available and highly configurable. This is made even easier via a graphical interface. No wonder this is the option most often used by script kiddies.

The configuration stage involves supplying IRC server and channel information. Once installed on the compromised machine, the bot will connect to the selected host. An attacker first enters data necessary to restrict access to the bots, secures the channel and finally provides a list of authorised users (who will be able to control the bots). In this stage the bot can be further customised, for example by defining the target and attack method.

The infection stage involves using various techniques to spread the bots – both direct and indirect. Direct techniques include exploiting vulnerabilities of the operating system or services. Indirect attacks employ other software for the dirty work – they include using malformed HTML files exploiting Internet Explorer vulnerabilities, or using other malware distributed through peer–to–peer networks or through DCC (Direct Client–to–Client) file exchange on IRC. Direct attacks are usually automated with the use of worms. All worms have to do is search the subnets for vulnerable systems and inject the bot code. Each infected system then continues the infection process, allowing the attacker to save precious resources and providing plenty of time to look for other victims.

The mechanisms used to distribute bots are one of the main reasons for so–called Internet background noise. The main ports involved are the ones used by Windows, in particular Windows 2000 and XP SP1 (see Table 1). They seem to be the attackers' favourite target, because it is easy to find unpatched Windows computers or ones without firewalls installed. It is often the case with home PC users and small businesses, which overlook security issues and have an always-on broadband Internet connection.

Port

Service

42

WINS (Host Name Server)

80

HTTP (IIS or Apache vulnerability)

135

RPC (Remote Procedure Call)

137

NetBIOS Name Service

139

NetBIOS Session Service

445

Microsoft–DS–Service

1025

Windows Messenger

1433

Microsoft–SQL–Server

2745

 Bagle worm backdoor

3127

 MyDoom worm backdoor

3306

MySQL UDF (User Definable Functions)

5000

UPnP (Universal Plug and Play)

Table 1: List of ports associated with vulnerable services

The control stage involves actions after the bot is installed on the target host in a selected directory. In order to start with Windows, it updates the Windows registry keys, usually HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. The first thing the bot does after it is successfully installed is connecting to an IRC server and joining the control channel with the use of a password. The nickname on IRC is randomly generated. The bot is then ready to accept commands from the master application. The attacker must also use a password to connect to the botnet. This is necessary, so that nobody else can use the supplied botnet.


Figure 2: Botnet hardening

IRC not only provides the means to control hundreds of bots, but also allows the attacker to use various techniques in order to hide his real identity. This makes it difficult to respond to attacks. Fortunately botnets, by their nature, generate suspected traffic, which is easily detectable due to known patterns. This helps IRC administrators in detection and intervention, allowing them to take the botnet down and report the abuse.

Attackers are forced to refine their C&C (Control and Command) techniques, which leads to botnet hardening. The bots are therefore often configured to connect to different servers using a dynamically mapped hostname. This way an attacker can easily move the bots to new servers, keeping them under control even after detection. Dynamic DNS services such as dyndns.com or no–ip.com are used for this task.

Dynamic DNS

A dynamic DNS (RFC 2136) is a system which links a domain name to a dynamic IP address. Users connecting to the Internet via modems, ADSL or cable usually don't have a fixed IP address. When such a user connects to the Internet, the ISP assigns an unused IP address chosen from a selected pool. This address is usually kept only for the duration of that specific connection.

This mechanism helps ISPs maximise the use of available IP pool, but penalises the users who need to make certain services available via the Internet on a permanent basis, but cannot afford a static IP. In order to solve this problem, dynamic DNS was created. Providers offering such a service use a dedicated program, which signals the DNS database every time the IP address of the user changes.

In order to hide the activity, the IRC channel is configured to limit access and hide activity. Typical IRC modes for botnet channels are: +k (a password is required to enter the channel), +s (the channel is not displayed on the list of public channels), +u (only operators are visible on the userlist), +m (only users with the +v voice status can send to the channel). Most expert attackers using personalised IRC servers encrypt all the communication with the channel. They also tend to use personalized variants of IRC server software, configured to listen on nonstandard ports and using a modified version of the protocol, so that a normal IRC client cannot connect to the network.

C&C in Practice – Agobot

Let's now have a look at a sample attack scenario, which will allow us to see the command and control process of a botnet clearly. Two computers were used for the task. The first one ran an IRC server based on UnrealIRCd 3.2.3 and two virtual Windows XP SP1 machines based on VMware Workstation (two potential infection targets). The second one was used by the master to control the botnet through Irssi, a text IRC client.

In order to make reverse engineering difficult, Agobot implements routines defending against the use of debuggers such as SoftICE or OllyDbg, and against the use of virtual machines such as VMware and Virtual PC. It was therefore necessary to hack the source code in order to bypass VMware protection, before the bot could be installed on our sample virtual systems.

Configuration

The first step was to configure the bot with the use of its simple graphical interface (see Figure 3). The information entered included name and port of the IRC server, name of the channel, a list of users with master passwords, and finally – filename and directory in which the bot is to be installed. Plugins have also been activated such as sniffing support and polymorphic engine. The result of this stage was a config.h file, fundamental for bot compilation.


Figure 3: Agobot configuration interface

Command and Control

Once the bot has been compiled, the two test systems have been infected manually. The master computer has connected to the IRC server and joined the channel in order to be able to control and command the bot (see Figure 4):


Figure 4: Master server and channel connection

In order to gain control over the bots, authentication was needed. This was done by simply sending a command to the channel (see Figure 5):

.login FaDe dune


Figure 5: Username and password authentication

Then the first bot was asked for a list of all the running processes on the infected computer (Figure 6):

/msg FakeBot–wszyzc .pctrl.list


Figure 6: Master request response from the first bot

Then the second bot was asked for system information and cdkeys of the applications installed (Figure 7):

/msg FakeBot2–emcdnj .bot.sysinfo

/msg FakeBot2–emcdnj .harvest.cdkeys


Figure 7: Master request response from the second bot

We used simple functions in this example, but Agobot provides a very rich set of commands and functions. Some of them are listed in Table 2.

Command

Description

command.list

List of all the available commands

bot.dns

Resolves an IP/hostname

bot.execute

Runs an .exe file on a remote computer

bot.open

Opens a file on a remote computer

bot.command

Runs a command with system()

irc.server

Connects to an IRC server

irc.join

Enters a specific channel

irc.privmsg

Sends a private message to a user

http.execute

Downloads and executes a file through HTTP

ftp.execute

Downloads and executes a file through FTP

ddos.udpflood

Starts a UDP flood

ddos.synflood

Starts a Syn flood

ddos.phaticmp

Starts a PHATicmp flood

redirect.http

Starts a HTTP proxy

redirect.socks

Starts a SOCKS4 proxy

pctrl.list

List of processes

pctrl.kill

Kills the process

Table 2: Some of Agobot commands

How to Defend your Computers

Let's now take a look at methods of defence against infection and bot attack both from user's and administrator's point of view.

Defence Strategies for PC Users

As previously mentioned, bot infection is done mainly through worms, which browse the net looking for vulnerable machines. Therefore the first step is to keep your system updated, downloading patches and system updates for both the OS and all the applications accessing the Internet. Automatic updates are a good idea. Also, be careful with opening suspicious attachments in email. It's also wise to deactivate support for scripting languages such as ActiveX and JavaScript (or at least control their use). Finally, it is fundamental to use an antivirus/antitrojan and keep it updated. However, many bots are configured to evade antivirus controls, so a personal firewall is a valuable addition to security, especially if the computer is on 24 hours a day.

The main signs of bot presence are connection and system slowdown. A simple and efficient way to check for suspicious connections is the netstat tool (see Figure 8):

C:/>netstat –an


Figure 8: Netstat on an infected system

Netstat

Netstat is a very flexible tool available both for Windows and *NIX systems. Its main function is control of the active ports. Netstat examines listening TCP and UDP ports and provides detailed information on network activity. *NIX system netstat displays all the open streams. It also uses output selection filters.

Possible connection states contain:

  • ESTABLISHED – both hosts are connected
  • CLOSING – the remote host is closing the connection
  • LISTENING – the host is listening for incoming connections
  • SYN_RCVD – a remote host has asked to start a connection
  • SYN_SENT – the host is starting a new connection
  • LAST_ACK – the host must send a report before closing the connection
  • TIMED_WAIT, CLOSE_WAIT – a remote host is terminating the connection
  • FIN_WAIT 1 – the client is terminating the connection
  • FIN_WAIT 2 – both hosts are closing the connection

Watch for ESTABLISHED connections to TCP ports in 6000–7000 range (usually 6667). If you find your computer compromised, disconnect from the Internet, clean the system, reboot and then check again.

Defence Strategies for Administrators

Administrators should always have up to date information on the latest vulnerabilities, and should read Internet security resources on a daily basis. A subscription to a mailing list such as Bugtraq is a good idea. Administrators should also attempt to educate their users and define security and privacy policies.

It is also necessary to study the logs generated by IDS and firewall systems, mail servers, DHCP and proxy servers. This can help spot any abnormal traffic, which could be a sign of bot presence in the network. Once such traffic is noticed, a sniffer comes in handy in order to identify the subnet and the computer generating it. All the above may seem obvious, but are often forgotten about.

It is also possible to use more sophisticated techniques to study and detect threats. One of these techniques is honeybots. Honeybots are machines built to become an easy target for attacks. Their role is to become infected and allow the administrator to pinpoint the source of the problem and study the attack method.

In conclusion, regardless of the tools at our disposal, the most efficient defence against botnet attacks lies in the user himself and in his awareness.

On the Net



About the Authors

Massimiliano Romano's main interests are computer science and networks. He works as a freelancer in one of the largest Italian mobile telephony companies. He spends much of his spare time on Ham Radio, studying and decoding digital radio signals.

Simone Rosignoli is a student of the University La Sapienza in Rome. He is currently completing a degree in Computer Science Technologies (Systems and Security). His interests range from programming to computer security.

Ennio Giannini works as a system analyst. He spends his free time experimenting in GNU/Linux environments. He is a strong supporter and promoter of Open Source.

See Also

Featured Links