The Life-cycle of Botnets

Saturday, June 23rd, 2012

The term ‘botnet’ refers to a collection of bots. A bot is a computer that has been infected with malicious software that makes it part of a network of other bots, the botnet. Computers infected with bot malware are known as ‘zombies’, as they are effectively dead, or dormant, until they are given a task by a ‘command and control’ server.

How machines become bots

The lifecycle of a botnet begins with a bot-herder trying to recruit vulnerable computers. Initially this is done by tricking the user of a potential bot-client into installing malware. Malicious software, or ‘malware’, is a general term for any software designed to gain access to or damage a computer system, whether a single desktop PC, a server or a whole computer network.

The user can be tricked into downloading malware through social engineering methods such as phishing, spoofed websites and spam emails. Phishing is a form of social engineering that relies on the victim clicking a link, usually in an email, and it can have several consequences: it may attempt to trick the victim into parting with valuable information such as passwords and bank account details, or it may lead the victim into downloading malware that infects their computer.

Once the malware is on the victim’s machine it searches for any available vulnerabilities on that machine and attempts to hide its presence. The bot malware can then look for open ports and search for other machines to infect, spreading the botnet.

The bot can attempt to hide its presence by targeting the antivirus software that would normally detect and remove the infection. It can attack the antivirus software in various ways, including stopping it from updating automatically or killing its processes.

Recent evidence shows that advanced botnets can spoof the scans performed by antivirus software by presenting a false image of memory or of the hard disk for the antivirus software to scan; alternatively, the malware can disrupt vulnerability scans by dropping packets, spoofing the network response or redirecting traffic. In addition to attacking the antivirus software, the malware can also change frequently, making it difficult for antivirus software to detect it.

The malware can also be hidden by a technique known as ‘rootkitting’. Some rootkits actively hide specific files, as well as registry and port data, while other rootkits disable the tools meant to identify malware, such as antivirus software and Task Manager. Because rootkits are activated before the operating system has booted up, they are difficult to detect.

How botnets are controlled and utilised

The next stage in the lifecycle involves the bot-herder gaining control over the bot. The bot-client contacts the botnet Command and Control (C&C) server, commonly using the Internet Relay Chat (IRC) protocol or, as in the case of the Storm botnet, an encrypted P2P protocol.

When the bot communicates with the C&C server it needs to open a communication channel, and to avoid detection it will use a proxy such as those provided by IRC chat networks. Due to the large number of IRC networks and the ease of maintaining anonymity on them, the bot has a widely available method of communicating with the C&C server. A more sophisticated approach is for the botnet to use a P2P protocol for communication. This takes more effort to set up but makes the botnet harder to detect and more robust, because the detection of one bot does not result in the loss of the whole botnet. Another method uses a blind drop on a site such as a forum where anonymous messages can be left: bot-clients leave messages on the site and the bot-herder then anonymously checks for them.
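From the defender's side, the IRC-based C&C contact described above tends to show up in flow logs as regular, low-jitter connections from one internal host to the same destination on an IRC port. The following is an added example, not code from the original post; the flow records, the IRC port list and the jitter threshold are constructed assumptions for illustration.

```python
"""Added example (not from the original post): flag hosts whose outbound
connections look like bot-to-C&C beaconing over IRC. Flow records,
port list and thresholds are constructed/assumed for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# Assumption: plaintext and TLS IRC ports are treated as suspicious egress
IRC_PORTS = {6667, 6697}

# Constructed flow log: (epoch seconds, source host, destination, destination port)
FLOWS = [
    (1000, "10.0.0.5", "203.0.113.7", 6667),
    (1300, "10.0.0.5", "203.0.113.7", 6667),
    (1600, "10.0.0.5", "203.0.113.7", 6667),
    (1900, "10.0.0.5", "203.0.113.7", 6667),
    (1010, "10.0.0.8", "198.51.100.3", 443),    # ordinary HTTPS browsing
    (1020, "10.0.0.8", "198.51.100.3", 443),
    (1700, "10.0.0.8", "198.51.100.3", 443),
    (1100, "10.0.0.9", "203.0.113.7", 6667),   # one IRC connection, no beacon pattern
]


def beacon_score(timestamps):
    """Return (mean interval, jitter ratio) for sorted timestamps; None if too few samples."""
    if len(timestamps) < 3:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else 0.0)


def find_suspects(flows, max_jitter=0.2, min_flows=3):
    """Group flows by (src, dst, port) and report IRC peers contacted at regular intervals."""
    by_peer = defaultdict(list)
    for ts, src, dst, port in flows:
        by_peer[(src, dst, port)].append(ts)
    suspects = {}
    for (src, dst, port), stamps in by_peer.items():
        if port not in IRC_PORTS or len(stamps) < min_flows:
            continue
        score = beacon_score(sorted(stamps))
        if score and score[1] <= max_jitter:
            suspects[src] = {"dst": dst, "port": port, "interval": score[0]}
    return suspects


if __name__ == "__main__":
    print(find_suspects(FLOWS))
```

A P2P or blind-drop channel will not match this rule, which is exactly why the post calls those harder to detect; the same interval analysis can still be applied to any destination, not only IRC ports.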

Once the bot is under the control of the C&C server, it can be used to perform attacks.

Botnets are used for a wide variety of attacks, and perhaps the most common use is for spam, which everyone with email must have seen at some time. In this case botnets are often rented out to spammers, who then use the services the botnet provides. The spam is also often used to increase the size of the botnet, as the email itself may carry the malware that propagates the botnet.

However, botnets are increasingly being used for criminal purposes rather than for annoying advertising. As criminal organisations realise the value of botnets, they are used to obtain personal information, which is in turn used for online fraud. Botnets can be used to install keyloggers, which capture personal information such as account numbers and passwords.

Botnets can also be used for profit by automating clicks in a pay-per-click system. Individual bots can be made to automatically click on selected sites when a browser is started. By this method botnets can earn money from Google’s AdSense, for example, by using zombies to artificially inflate the click count of an advertisement.

Most infamously, botnets can be used for Distributed Denial of Service (DDoS) attacks, in which the intention is to stop the target website from functioning correctly. Targets are often large institutions such as banks, so that the attackers gain more credibility by successfully bringing a large company to a standstill. The botnet is usually used to starve the target of resources by flooding it with more requests than it has the capacity to handle. The motives for DDoS attacks vary: revenge, ruining a business competitor, political motivation or simply seeing whether it can be done.
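The practical consequence of the flood being distributed across many zombies is that a per-client rate limit never triggers, because each bot sends only a handful of requests. The example below, added here and not part of the original post, tells that case apart from a single noisy client in constructed web-server log lines; the capacity figure and the per-source limit are assumed values.

```python
"""Added example (not from the original post): distinguish a botnet-style
distributed flood from a single-source flood in constructed access-log lines.
Capacity and per-source thresholds are assumed values for illustration."""
import re
from collections import Counter

# Common log format: ip - - [timestamp offset] "request" status
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\s\]]+)[^\]]*\] "[^"]*" \d{3}')


def parse(lines):
    """Yield (client_ip, per-second timestamp) from log lines; skip malformed ones."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield m.group(1), m.group(2)


def analyse(lines, capacity_per_sec=50, per_source_limit=10):
    """Classify each second as normal, single-source flood or distributed flood.

    A second that exceeds capacity while no single source exceeds the
    per-source limit is the botnet case a per-IP rate limiter would miss.
    """
    per_sec = {}
    for ip, ts in parse(lines):
        per_sec.setdefault(ts, Counter())[ip] += 1
    verdicts = {}
    for ts, counts in per_sec.items():
        total = sum(counts.values())
        _top_ip, top_n = counts.most_common(1)[0]
        if total <= capacity_per_sec:
            verdicts[ts] = "normal"
        elif top_n > per_source_limit:
            verdicts[ts] = "single-source flood"
        else:
            verdicts[ts] = "distributed flood"
    return verdicts


def constructed_log():
    """Three seconds of constructed traffic: quiet, 60 zombies x 2 requests, one client x 80."""
    fmt = '{ip} - - [23/Jun/2012:10:00:0{s} +0000] "GET / HTTP/1.1" 200'
    lines = [fmt.format(ip="198.51.100.1", s=1) for _ in range(5)]
    lines += [fmt.format(ip=f"203.0.113.{i}", s=2) for i in range(1, 61) for _ in range(2)]
    lines += [fmt.format(ip="192.0.2.9", s=3) for _ in range(80)]
    return lines


if __name__ == "__main__":
    print(analyse(constructed_log()))
```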
