Searching for Botnet Command & Controls

Orange Eater writes "eWeek has a story about a group of high-profile security researchers intensifying the search for the command-and-control infrastructure used to power botnets for malicious use. The idea is to open up a new reporting mechanism for ISPs and IT administrators to report botnet activity." From the article: "Operating under the theory that if you kill the head, the body will follow, a group of high-profile security researchers is ramping up efforts to find and disable the command-and-control infrastructure that powers millions of zombie drone machines, or bots, hijacked by malicious hackers."

This'll surely stop them, or not.

[LordOfTheNoobs]

As soon as they start tracking down the web controlled and irc controlled nets, they'll move to gnutella style distributed control systems and i2p style networks of bots. Good luck tracking one of those to it's source. Onion routing anyone?

Query string

[Jordan+Catalano]

Just filter traffic looking for the string "Sarah Connor".

What I don't understand

Are all botnet operators dumb? There's a whole heap of things botnet operators could do to insulate themselves and their networks from attack. Examples:

• Make the zombies accept commands from messages using asymmetric encryption. Sign your commands and use stenography to hide them in spam/Usenet/websites/images.
• Make a P2P network divided into "cells". Have zombies only communicate with five other zombies, relaying commands amongst themselves. If one zombie goes quiet, the zombies talking to it transmit a "compromised" message to their other contacts and disable themselves, finally nuking the hard-drive.
• Listen to existing network chatter. Bots are harder to detect if they are hidden inside existing communication. Wait until the user sends an email before sending spam for the first time, so if they have a personal firewall installed, chances are, they'll approve your bot, at which point you can send with impunity. Furthermore, you'll have their smarthost address.

Those are just off the top of my head, I'm sure if it was my actual job to operate a botnet I could come up with something far more sophisticated. So why don't botnet operaters do this? Are they all dumb?

Re:What I don't understand

[Afecks]

Many of them lack the skills required to do this. Most botnet operators don't make their own bots. The ones that do are the ones you'll never hear about.

Re:What I don't understand

[MustardMan]

Zombies you say? Well, I suppose it depends on the type of zombie. If they are Night of the Living Dead style zombies, then removing the head will indeed kill them. However, if they are Return of the Living Dead type, clearly you need to burn the entire botnet. Of course, the ashy packets would then spread to neighboring datacenters and there'd be hell to pay.

Re:What I don't understand

[qwijibo]

They don't do it because they don't have to. The goal is to maintain control over a large number of machines. Currently, the barrier to entry in this market is pretty low. If many of the control nodes are taken out, the botnet operators will change their methods to be more resilient.

Botnets are about numbers of machines. Destroying a node (ie, formatting the hard drive) lowers the number of machines. As long as the rate of compromise is greater than the rate of attrition, the botnet will continue to grow and that is good. In this case, doing harm to users is bad business for the botnet operators. Anyway, setting up the botnet as a series of cells means that any cell being compromised has a limited impact.

I don't assume that computer criminals are dumb. A single felony conviction for youthful stupidity can prevent an otherwise talented technical person from getting any job in many large companies. Organized crime doesn't discriminate against these people and can pay pretty well. There are a lot of security experts who are in their roles today because they never got caught and prosecuted for some of the things they did in the past.

I first heard of the idea of using spam as a communication medium 3-4 years ago. I wouldn't be surprised if this is already being done. There's so much spam that finding a signal in all that noise would be difficult. Unless you knew exactly what you were looking for, you wouldn't be likely to find it.

Re:What I don't understand

[Alioth]

This is why when I hear about our various governments wanting to sniff everyone's email as a pointless waste of time. A spam run is even better than a numbers station (http://en.wikipedia.org/wiki/Numbers_station) because it's a lot more subtle (unlike a numbers station which you can tell where it is and when a new one pops up, it's obvious, and just like a numbers station there's no way to tell from a message hidden in spam who the intended recipient is).

Any terrorist worth his salt who wants to signal terror cells over the internet can easily just use a spam run to do the job, and have the message hidden in the spam's "hash busters" (which are routine these days) and a one time pad to decrypt the message at the other end.

Good luck

[dknj]

As someone who has intimate knowledge about hijacking computers (i have plenty of friends from my ..er.. darker days), a lot of these botnet creators employ "features" such as port knocking and stealth commands (may appear as a simple https response) which are usually encrypted. You may be able to stop the sloppy botnets, but I can tell you now that this is not an easy problem to stop nor a friendly society to penetrate. And as a previous poster foreshadowed, a lot of them are already distributed due to the ease of shutting down a headnode. Botnet creators constantly evolve, how do you think they became so elaborate today?

Re:Good luck

[asuffield]

a lot of these botnet creators employ "features" such as

Typical security theatre from people who just don't know much about security. None of those things will accomplish anything, because it's the same old DRM problem - if it has to run on the target host, then the person controlling that host can analyse it, reverse engineer it, and discover how it works. Having done that they can defeat it. It doesn't matter how much you encrypt or hide the communication between the loser running the botnet and the infected host - that host can be 'compromised' by a person with physical access.

Of course, if something like Palladium ever became a reality, this would no longer be the case, which would be the security disaster everybody has been warning about.

Also, anonymising systems like freenet are designed specifically to protect the identity of the person inserting information, so it's not necessarily possible to track down the one controlling the botnet.

But it is very easy to defeat security theatre like port knocking and 'stealth' commands. We are always going to know precisely what the infected host is doing in one of these things.

None of that matters though. While it could be effective in the short term to track these people back from the infected hosts, it's far more realistic to track them forwards from their clients. Money is much easier to follow.

Can't be bothered

[archeopterix]

Are all botnet operators dumb? There's a whole heap of things botnet operators could do to insulate themselves and their networks from attack. Examples: [snip]

Like they actually need to. If the effort described in the article takes off, then perhaps it will become necessary. For now, the botnets thrive without going to such great lengths.

I'd like to report a huge Botnet...

[Dareth]

It is run by this Taco guy...

He uses this website, slash something or other. All he has to do is put the url he wants attacked on its frontpage and all his loyal "bots" go right to work on a DDOS attack.

Most ingenious! And I bet he profits handsomely from it too!

Re:What?

[moro_666]

Sometimes when i open my older mailboxes (which sadly have no spamcheckers) and need a calculator to count the spam messages, i really feel like i'd rather disable the hacker himself, literally.

  I really don't need V!@gr@ nor do i want to buy any other drugs really cheap. And i really don't need the emails that advertise them. Reading e-mail is as private for me as sex is for some other people, if i don't advertise my software products next to your bed while you're having sex, i'd also expect you not to climb into my mailbox to advertise yours.

  Isn't it time to dump the current e-mail system as it is and move on to something else that's really private and personal ? Sure you can have zillion filters installed but sometimes the filters take out stuff that you need and sometimes they let in stuff that you don't need, they are not perfect. I do understand that by the time the e-mail protocol was invented, the inventors themselves couldn't imagine spamfarms all over the world sending fake emails but around 30-40 years have passed , maybe it's time to let it go ?

  Sure we can't dump the current e-mail mess in one day, but an alternative solution that would slowly take stuff over and be non-anonymous would make very many of us really really happy. If sending out mail would only be authorized to organizations and identified persons, it would make the network a lot cleaner.

  PS. I know it's just a dream and utterly non-realistic in the currect circumstances ... but it would still be nice :)

It's a development I can verify

[Opportunist]

When they came into fashion, botnets were mostly comprised of infected machines that got little to no updates. They existed, some bots were discovered and eventually it phased out, only to be replaced by others. The connection was made to a static IRC Server and/or channel, the commands were static, eventually they were discovered and cut off.

Then anti-virus and security companies got aware of the problem and started to counter it. The result were updating bots that reloaded part of their code, some configuration script or a completely new code from a static server. When we started to hunt down the update servers, update servers became dynamic as well.

Today, botnets have a faster and more reliable update mechanism than some commercial products. More fallback servers than most companies. And a faster response time to "blackouts" than anyone in the (legal) commercial 'net.

Another development such nets go through, right as we're talking, is that more and more of the bots get more and more features. Earlier, you had a bot that connects a spam net, another one with keylogging, another one that offers DDoS Sheep properties and so on. More and more, those features become incorporated in one bot. Instead of specialists, you get generalists.

Today you have trojans that create proxies, at the same time they harvest your passwords, especially interested in your server passwords (to turn your personal homepage server in an update box for them), log your input (especially when you're dealing with online services that require money transfer, like paypal or ebay) and use you to send sex-spam out to others.

Those sex-spam sites contain adware popups, those in turn are infected with 0day exploits like the WMF-exploit was. Those in turn contain more trojans.

This all is not necessarily done by one and the same attacker. You can buy and sell those "services". One person or group creating the adware dropper, selling its finding to another group who uses it to get a sheep onto the computer, those in turn sell them to someone who wants to conduct a DDoS attack. Or they sell it to a keylogger, who then uses this to harvest your login data to some pay services to transfer your money or buy stuff for your money.

And this business is growing.

Re:What is ..?

[tomhudson]

It's a Perl script that says "Hello, World!"

... so it IS line noise :-)

FTFA:

Operating under the theory that if you kill the head, the body will follow ... find and disable the command-and-control infrastructure that powers millions of zombie drone machines

Here you go: One Microsoft Way Redmond, WA 98052 Phone: (425) 882-8080 Fax: (425) 706-7329.

P2P is no good way for trojans

[Opportunist]

For many reason

First, the attention it already has. Providers are aware of P2P traffic and how it clogs its cables.

Second, lack of control. You cannot control what gets where when with P2P. You cannot say NOW we start to distribute this version, NOW we stop distributing this version. This is essential. Without, you need more sophisticated ways and less reliable ways to tell your trojan if the item it just found is "better" than what it has now.

Third, the spread is too slow through P2P. The chance that an antivirus or security company has a copy of the virus and can work out an antivirus signature or removal kit (not to mention in depth analysis) BEFORE it has spread widely enough is simply too big.

Re:P2P is no good way for trojans

[99BottlesOfBeerInMyF]

I'm not sure you're understanding the previous poster. He/she is talking about control networks for botnets, not about distribution mechanisms. Bots and worms can be coded to look for particular filenames on P2P and get their commands from that source. Then they look for the next filename in their list. This is used to direct the bots, not to compromise them.

Worst, it wouldn't help a bit

[Opportunist]

So far, any reaction from the "good" guys of the net caused a reaction from the "bad" guys. You turn something off? Ok. Next!

Turn IRC off and they'll do it via usenet and have the bot read a certain (not too spammy) group religiously for his master's voice.

When you turn that off, they'll find another way. There are so many communication tools out there, so many protocols, from MSN to Skype, and they all can and will be abused to keep the botbrain in tough with his zombies.

Futile. The only chance is to cut the machines from the 'net that contain those trojans.

Enforcement? Hello?

[mabu]

The biggest problem with spam and viruses and worms is that the federal authorities, specifically those in the United States, don't seem to give a damn about going after these criminals. They don't need to pass any new laws. Computer tampering is computer tampering and the feds are either ignorant or scared, or being told to prioritize the prosecution of these cases as low priority. If you start nailing these people, things will dramatically slow down, but the real reason spam and other attacks are increasing is because enforcement hasn't gotten off its lazy ass and started to prosecute more of these criminals. The way I figure, when Wal-Mart is interrupted by some massive bot-net, then and only then will the government suddenly recognize this is a really bad thing that needs to be dealt with.

Honeyclients

[SparcPlug]

I think these folks are headedd in the right direction when it comes to destroying botnets.

From their page:
Kathy Wang ToorCon 2005
So, what's a honeyclient?
Honeyclients provide the capability to
proactively detect client-side exploits Drives client application to connect to servers
Any changes made to honeyclient system are unauthorized - no false positives!
We can detect exploits without prior signatures


What can honeyclients do for you?
Allows proactive monitoring of malicious servers
Allows discovery of client 0-day
This can be extended beyond just HTTP clients
Any other client-server based protocol will work

It's not that hard.

[TwistedSpring]

Netstat. Ooh I'm connected to some weird server. Ethereal, ooh I see a password being sent to join this IRC server/channel. Choose a suitable name with X-Chat or BitchX and join the channel, see the commands fly by. But don't say anything.

I've done it many times whenever I've managed to isolate one of these trojans in Virtual PC. I've also watched the commanders having a great big "LOL" in channel, and felt awful that if I said anything it'd blow my cover. Try it today.

It's a question of money

[Slayer]

People write bots and operate bot nets because there is money to be made from this kind of operation. Numerous stories have been posted here and elsewhere about botnets bringing down big companies' servers or being used to extort money. This means there is a lot of money to be earned (especially in countries with no decent judical system and/or high levels of corruption), so obviously it attracts talented folks.

What this whole story brings to us is not, that AV and security experts deal with botnets (they've been doing this for many years, this would not at all be news worthy in the year of 2006). It means that some higher level folks got pissed off by this situation and start pouring significant amounts of money into the anti-botnet effort.

Rest assured, that the people who are sent to hunt down botnets are not beginners who just know ROT13 and XOR, they know what they are doing and because they will be in high demand, they will get paid well, which brings more smart people into the field.

Don't forget, the italian mafia was able to operate for decades without significant interference from the FBI and the government. But when the mob got too obnoxious, RICO was passed and a number of these suckers went to prison for good.