Robot Wars - How Botnets Work
Robot Wars - How Botnets Work
Massimiliano Romano, Simone Rosignoli, Ennio Giannini
What you will learn...
- what are bots, botnets, and how they work,
- what features most popular bots offer,
- how a host is infected and controlled,
- what preventive measures are available and how to respond to bot infestation.
What you should know...
- how malware works (trojans and worms in particular),
- mechanisms used in DDoS attacks,
- basics of TCP/IP, DNS and IRC.
The late nineties and the beginning of a new millennium brought a new strategy of attack against network systems. The notorious Distributed Denial of Services (DDoS) was born. Many important dotcoms felt the rage. The reason why such attacks are so widespread is mainly their simplicity and difficulties in tracking down the parties involved. This type of attacks, despite our vast experience and knowledge, still represent a severe threat today, and still give an attacker the edge. Let's see what these attacks are all about and let's look into the product of their evolution: botnet attacks.
Introduction to Bots and Botnets
The word bot is an abbreviation of the word robot. Robots (automatized programs, not robots like Marvin the Paranoid Android) are frequently used in the Internet world. Spiders used by search engines to map websites and software responding to requests on IRC (such as eggdrop) are robots. Programs which respond autonomously to particular external events are robots, too. This article will describe a special kind of a robot, or bot (as we will call them from now on) - an IRC bot. It uses IRC networks as a communication channel in order to receive commands from a remote user. In this particular case the user is an attacker and the bot is a trojan horse. A good programmer can easily create his own bot, or customize an existing one. This will help hide the bot from basic security systems, and let it easily spread.
IRC stands for Internet Relay Chat. It is a protocol designed for real time chat communication (reference to RFC 1459, update RFC 2810, 2811, 2812, 2813), based on client-server architecture. Most IRC servers allow free access for everyone. IRC is an open network protocol based on TCP (Transmission Control Protocol), sometimes enhanced with SSL (Secure Sockets Layer).
An IRC server connects to other IRC servers within the same network. IRC users can communicate both in public (on so-called channels) or in private (one to one). There are two basic levels of access to IRC channels: users and operators. A user who creates a channel becomes its operator. An operator has more priviledges (dependent on modes set by the initial operator) than a regular user.
IRC bots are treated no different than regular users (or operators). They are daemon processes, which can run a number of automated operations. Control over these bots is usually based on sending commands to a channel set-up by the attacker, infested with bots. Of course, bot administration requires authentication and authorisation, so that only the owner can use them.
An important feature of such bots is the fact that they are able to spread rapidly to other computers. Careful planning of the infection process helps achieve better results in shorter time (more compromised hosts). A number of n bots connected to a single channel and waiting for commands is called a botnet.
In recent past zombie (another name for bot-infected computers) networks were controlled with the use of proprietary tools, developed intentionally by crackers themselves. Experience has lead to experiments with new remote control methods. IRC is considered the best way to launch attacks, because it is flexible, easy to use and especially because public servers can be used as a communication medium (see Inset IRC). IRC offers a simple method to control hundreds or even thousands of bots at once in a flexible manner. It also allows attackers to cover their identity with the use of simple tricks such as anonymous proxies or simple IP address spoofing. Thanks to this, server administrators have little chance to find the origin of an attack controlled in such a manner.
In most cases bots infect single user PCs, university servers or small company networks. This is because such machines are not strictly monitored, and often left totally unprotected. The reason for this is partially the lack of a real security policy, but mostly the fact that most PC users with an ADSL connection are completely unaware of the risks involved, and do not use protective software such as antivirus tools or personal firewalls.
Bots and their Applications
The possible uses for compromised hosts depend only on the imagination and skills of an attacker. Let's look at the most common ones.
Botnets are frequently used for Distributed Denial of Service attacks. An attacker can control a large number of compromised hosts from a remote workstation, exploiting their bandwidth and sending connection requests to the target host. Many networks suffered from such attacks, and in some cases the culprits were found amongst competition (as in the case of dotcom wars).
Distributed DoS Attacks (DDoS)
A DDoS attack is a variation of a Flooding DoS attack; its aim is to saturate a target network, using all the available bandwidth. That being said, and presuming that an attacker should have huge total bandwidth available in order to saturate the targeted site, it is clear that the best way to launch this type of an attack is to have many different hosts under control. Each host introduces its own bandwidth (ex. PC ADSL users), and they are used all at once, thus distributing the attack on the target site. One of the most popular attacks performed with the use of the TCP protocol (a connection oriented protocol), is called TCP syn flooding. It works by sending a large number of TCP connection requests to the same web server (or to any other type of service), overloading the server's resources and leading to its saturation, preventing other users from opening their own connections. How simple and dangerously efficient! We can achieve the same by using the UDP protocol (a connectionless protocol).
Attackers have spent a lot of time and effort on improving such attacks. We are now facing even better techniques, which differ from traditional DDoS attacks. They let malicious users control a very large number of zombie hosts from a remote workstation, by using, for example, the IRC protocol.
Botnets are an ideal medium for spammers. They could be used, and are used, both for exchanging collected e-mail addresses and for controlling spam streaks in the same way DDoS attacks are performed. Single spam message could be sent to the botnet and then distributed across bots, which send the spam. The spammer stays anonymous and all the blame goes to infected computers.
Sniffing & Keylogging
Bots can also be effectively used to enhance the ancient art of sniffing. Observing traffic data can lead to detection of an incredible amount of information. This includes user habits, TCP packet payload which could contain interesting information (such as passwords). The same applies to keylogging - capturing all the information typed in by the user (e-mails, passwords, home banking data, PayPal account info etc.).
The abovementioned methods allow an attacker controlling a botnet to collect an incredible amount of personal information. Such data can then be used to build fake identities, which can in turn be used to obtain access to personal accounts or perform various operations (including other attacks) putting the blame on someone else.
Hosting of Illegal Software
Last, but not least, bot-compromised computers can be used as a dynamic repository of illegal material (pirated software, pornography, etc.). The data is stored on the disk of an unaware ADSL user.
Hours could be spent talking about the possible applications of botnets (for example pay per click abuse, phishing, hijacking HTTP/HTTPS connections etc.). Bots alone are only tools, which can easily be adapted to every task which requires a great number of hosts under single control.
Different Types of Bots
Many types of ready-made bots are available for download from the Internet. Each of them has its own special features. Let's have a look at the most popular bots, outlining common features and distinctive elements.
All the GT (Global Threat) bots are based on a popular IRC client for Windows called mIRC. The core of these bots is made up of a set of mIRC scripts, which are used to control the activity of the remote system. This type of bot launches an instance of the client enhanced with control scripts and uses a second application, usually HideWindow, to make mIRC invisible to the user of the host computer. An additional DLL file adds new features to mIRC in order for scripts to be able to influence various aspects of the controlled host.
Agobot is probably one of the most popular bots used by crackers. It is written in C++ and released on a GPL licence. What is interesting about Agobot is its source code. Highly modular, it makes it simple to add new functions. Agobot provides many mechanisms to hide its presence on the host computer. They include: NTFS Alternate Data Stream, Antivirus Killer and the Polymorphic Encryptor Engine. Agobot offers traffic sniffing and sorting functionality. Protocols other than IRC can also be used to control this bot.
The Dataspy Network X bot is also written in C++ and its source code is also available on a GPL licence. Adding new functionality to this bot is very easy thanks to its simple plug-in architecture.
SDBot is written in C and also available on a GPL licence. Unlike Agobot, its code is not very clear and the software itself comes with a limited set of features. Nevertheless, it is still very popular and available in different variants.
The Elements of an Attack
Figure 1 shows a structure of a typical botnet:
Figure 1: Structure of a typical botnet
- An attacker first spreads a trojan horse, which infects various hosts. These hosts become zombies and connect to the IRC server in order to listen to further commands.
- The IRC server can either be a public machine in one of the IRC networks or a dedicated server installed by the attacker on one of the compromised hosts.
- Bots run on compromised computers, forming a botnet.
A Practical Example
The activity of the attacker can be split into four different stages:
The creation stage is largely dependent on attacker skills and requirements. A cracker can decide whether to write their own bot code or simply extend or customise an existing one. A wide range of ready-made bots are available and highly configurable. This is made even easier via a graphical interface. No wonder this is the option most often used by script kiddies.
The configuration stage involves supplying IRC server and channel information. Once installed on the compromised machine, the bot will connect to the selected host. An attacker first enters data necessary to restrict access to the bots, secures the channel and finally provides a list of authorised users (who will be able to control the bots). In this stage the bot can be further customised, for example by defining the target and attack method.
The infection stage involves using various techniques to spread the bots - both direct and indirect. Direct techniques include exploiting vulnerabilities of the operating system or services. Indirect attacks employ other software for the dirty work - they include using malformed HTML files exploiting Internet Explorer vulnerabilities, or using other malware distributed through peer-to-peer networks or through DCC (Direct Client-to-Client) file exchange on IRC. Direct attacks are usually automated with the use of worms. All worms have to do is search the subnets for vulnerable systems and inject the bot code. Each infected system then continues the infection process, allowing the attacker to save precious resources and providing plenty of time to look for other victims.
The mechanisms used to distribute bots are one of the main reasons for so-called Internet background noise. The main ports involved are the ones used by Windows, in particular Windows 2000 and XP SP1 (see Table 1). They seem to be the attackers' favourite target, because it is easy to find unpatched Windows computers or ones without firewalls installed. It is often the case with home PC users and small businesses, which overlook security issues and have an always-on broadband Internet connection.
Table 1: List of ports associated with vulnerable services
WINS (Host Name Server)
HTTP (IIS or Apache vulnerability)
RPC (Remote Procedure Call)
NetBIOS Name Service
NetBIOS Session Service
Bagle worm backdoor
MyDoom worm backdoor
MySQL UDF (User Definable Functions)
UPnP (Universal Plug and Play)
The control stage involves actions after the bot is installed on the target host in a selected directory. In order to start with Windows, it updates the Windows registry keys, usually HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. The first thing the bot does after it is successfully installed is connecting to an IRC server and joining the control channel with the use of a password. The nickname on IRC is randomly generated. The bot is then ready to accept commands from the master application. The attacker must also use a password to connect to the botnet. This is necessary, so that nobody else can use the supplied botnet.
Figure 2: Botnet hardening
IRC not only provides the means to control hundreds of bots, but also allows the attacker to use various techniques in order to hide his real identity. This makes it difficult to respond to attacks. Fortunately botnets, by their nature, generate suspected traffic, which is easily detectable due to known patterns. This helps IRC administrators in detection and intervention, allowing them to take the botnet down and report the abuse.
Attackers are forced to refine their C&C (Control and Command) techniques, which leads to botnet hardening. The bots are therefore often configured to connect to different servers using a dynamically mapped hostname. This way an attacker can easily move the bots to new servers, keeping them under control even after detection. Dynamic DNS services such as dyndns.com or no-ip.com are used for this task.
A dynamic DNS (RFC 2136) is a system which links a domain name to a dynamic IP address. Users connecting to the Internet via modems, ADSL or cable usually don't have a fixed IP address. When such a user connects to the Internet, the ISP assigns an unused IP address chosen from a selected pool. This address is usually kept only for the duration of that specific connection.
This mechanism helps ISPs maximise the use of available IP pool, but penalises the users who need to make certain services available via the Internet on a permanent basis, but cannot afford a static IP. In order to solve this problem, dynamic DNS was created. Providers offering such a service use a dedicated program, which signals the DNS database every time the IP address of the user changes.
In order to hide the activity, the IRC channel is configured to limit access and hide activity. Typical IRC modes for botnet channels are: +k (a password is required to enter the channel), +s (the channel is not displayed on the list of public channels), +u (only operators are visible on the userlist), +m (only users with the +v voice status can send to the channel). Most expert attackers using personalised IRC servers encrypt all the communication with the channel. They also tend to use personalized variants of IRC server software, configured to listen on nonstandard ports and using a modified version of the protocol, so that a normal IRC client cannot connect to the network.
C&C in Practice - Agobot
Let's now have a look at a sample attack scenario, which will allow us to see the command and control process of a botnet clearly. Two computers were used for the task. The first one ran an IRC server based on UnrealIRCd 3.2.3 and two virtual Windows XP SP1 machines based on VMware Workstation (two potential infection targets). The second one was used by the master to control the botnet through Irssi, a text IRC client.
In order to make reverse engineering difficult, Agobot implements routines defending against the use of debuggers such as SoftICE or OllyDbg, and against the use of virtual machines such as VMware and Virtual PC. It was therefore necessary to hack the source code in order to bypass VMware protection, before the bot could be installed on our sample virtual systems.
The first step was to configure the bot with the use of its simple graphical interface (see Figure 3). The information entered included name and port of the IRC server, name of the channel, a list of users with master passwords, and finally - filename and directory in which the bot is to be installed. Plugins have also been activated such as sniffing support and polymorphic engine. The result of this stage was a config.h file, fundamental for bot compilation.
Figure 3: Agobot configuration interface
Command and Control
Once the bot has been compiled, the two test systems have been infected manually. The master computer has connected to the IRC server and joined the channel in order to be able to control and command the bot (see Figure 4):
Figure 4: Master server and channel connection
In order to gain control over the bots, authentication was needed. This was done by simply sending a command to the channel (see Figure 5):
.login FaDe dune
Figure 5: Username and password authentication
Then the first bot was asked for a list of all the running processes on the infected computer (Figure 6):
/msg FakeBot-wszyzc .pctrl.list
Figure 6: Master request response from the first bot
Then the second bot was asked for system information and cdkeys of the applications installed (Figure 7):
/msg FakeBot2-emcdnj .bot.sysinfo
/msg FakeBot2-emcdnj .harvest.cdkeys
Figure 7: Master request response from the second bot
We used simple functions in this example, but Agobot provides a very rich set of commands and functions. Some of them are listed in Table 2.
Table 2: Some of Agobot commands
List of all the available commands
Resolves an IP/hostname
Runs an .exe file on a remote computer
Opens a file on a remote computer
Runs a command with system()
Connects to an IRC server
Enters a specific channel
Sends a private message to a user
Downloads and executes a file through HTTP
Downloads and executes a file through FTP
Starts a UDP flood
Starts a Syn flood
Starts a PHATicmp flood
Starts a HTTP proxy
Starts a SOCKS4 proxy
List of processes
Kills the process
How to Defend your Computers
Let's now take a look at methods of defence against infection and bot attack both from user's and administrator's point of view.
Defence Strategies for PC Users
The main signs of bot presence are connection and system slowdown. A simple and efficient way to check for suspicious connections is the netstat tool (see Figure 8):
Figure 8: Netstat on an infected system
Netstat is a very flexible tool available both for Windows and *NIX systems. Its main function is control of the active ports. Netstat examines listening TCP and UDP ports and provides detailed information on network activity. *NIX system netstat displays all the open streams. It also uses output selection filters.
Possible connection states contain:
- ESTABLISHED - both hosts are connected
- CLOSING - the remote host is closing the connection
- LISTENING - the host is listening for incoming connections
- SYN_RCVD - a remote host has asked to start a connection
- SYN_SENT - the host is starting a new connection
- LAST_ACK - the host must send a report before closing the connection
- TIMED_WAIT, CLOSE_WAIT - a remote host is terminating the connection
- FIN_WAIT 1 - the client is terminating the connection
- FIN_WAIT 2 - both hosts are closing the connection
Watch for ESTABLISHED connections to TCP ports in 6000-7000 range (usually 6667). If you find your computer compromised, disconnect from the Internet, clean the system, reboot and then check again.
Defence Strategies for Administrators
Administrators should always have up to date information on the latest vulnerabilities, and should read Internet security resources on a daily basis. A subscription to a mailing list such as Bugtraq is a good idea. Administrators should also attempt to educate their users and define security and privacy policies.
It is also necessary to study the logs generated by IDS and firewall systems, mail servers, DHCP and proxy servers. This can help spot any abnormal traffic, which could be a sign of bot presence in the network. Once such traffic is noticed, a sniffer comes in handy in order to identify the subnet and the computer generating it. All the above may seem obvious, but are often forgotten about.
It is also possible to use more sophisticated techniques to study and detect threats. One of these techniques is honeybots. Honeybots are machines built to become an easy target for attacks. Their role is to become infected and allow the administrator to pinpoint the source of the problem and study the attack method.
In conclusion, regardless of the tools at our disposal, the most efficient defence against botnet attacks lies in the user himself and in his awareness.
On the Net
- http://www.honeynet.org/papers/bots/ - use of honeybots to study bot activity,
- http://security.isu.edu/ppt/pdfppt/Core02.pdf - tools and strategies for attack response,
- http://www.securitydocs.com/library/3318 - introduction to Netstat,
- http://www.irchelp.org/irchelp/faq.html - introduction to IRC.
About the Authors
Massimiliano Romano's main interests are computer science and networks. He works as a freelancer in one of the largest Italian mobile telephony companies. He spends much of his spare time on Ham Radio, studying and decoding digital radio signals.
Simone Rosignoli is a student of the University La Sapienza in Rome. He is currently completing a degree in Computer Science Technologies (Systems and Security). His interests range from programming to computer security.
Ennio Giannini works as a system analyst. He spends his free time experimenting in GNU/Linux environments. He is a strong supporter and promoter of Open Source.