02:24
Lethal code
.::Introduction to Bots and Botnets::.
The word bot is an abbreviation of the word robot. Robots (automatized programs, not robots like Marvin the Paranoid Android) are frequently used in the Internet world. Spiders used by search engines to map websites and software responding to requests on IRC (such as eggdrop) are robots. Programs which respond autonomously to particular external events are robots, too. This article will describe a special kind of a robot, or bot (as we will call them from now on) – an IRC bot. It uses IRC networks as a communication channel in order to receive commands from a remote user. In this particular case the user is an attacker and the bot is a trojan horse. A good programmer can easily create his own bot, or customize an existing one. This will help hide the bot from basic security systems, and let it easily spread.
IRC
IRC stands for Internet Relay Chat. It is a protocol designed for real time chat communication , based on client-server architecture. Most IRC servers allow free access for everyone. IRC is an open network protocol based on TCP (Transmission Control Protocol), sometimes enhanced with SSL (Secure Sockets Layer).
An IRC server connects to other IRC servers within the same network. IRC users can communicate both in public (on so-called channels) or in private (one to one). There are two basic levels of access to IRC channels: users and operators. A user who creates a channel becomes its operator. An operator has more priviledges (dependent on modes set by the initial operator) than a regular user.
IRC bots are treated no different than regular users (or operators). They are daemon processes, which can run a number of automated operations. Control over these bots is usually based on sending commands to a channel set-up by the attacker, infested with bots. Of course, bot administration requires authentication and authorisation, so that only the owner can use them.
An important feature of such bots is the fact that they are able to spread rapidly to other computers. Careful planning of the infection process helps achieve better results in shorter time (more compromised hosts). A number of n bots connected to a single channel and waiting for commands is called a botnet.
In recent past zombie (another name for bot–infected computers) networks were controlled with the use of proprietary tools, developed intentionally by crackers themselves. Experience has lead to experiments with new remote control methods. IRC is considered the best way to launch attacks, because it is flexible, easy to use and especially because public servers can be used as a communication medium (see Inset IRC). IRC offers a simple method to control hundreds or even thousands of bots at once in a flexible manner. It also allows attackers to cover their identity with the use of simple tricks such as anonymous proxies or simple IP address spoofing. Thanks to this, server administrators have little chance to find the origin of an attack controlled in such a manner.
In most cases bots infect single user PCs, university servers or small company networks. This is because such machines are not strictly monitored, and often left totally unprotected. The reason for this is partially the lack of a real security policy, but mostly the fact that most PC users with an ADSL connection are completely unaware of the risks involved, and do not use protective software such as antivirus tools or personal firewalls.
.::Bots and their Applications::.
The possible uses for compromised hosts depend only on the imagination and skills of an attacker. Let's look at the most common ones.
DDoS
Botnets are frequently used for Distributed Denial of Service attacks. An attacker can control a large number of compromised hosts from a remote workstation, exploiting their bandwidth and sending connection requests to the target host. Many networks suffered from such attacks, and in some cases the culprits were found amongst competition (as in the case of dotcom wars).
Distributed DoS Attacks (DDoS)
A DDoS attack is a variation of a Flooding DoS attack; its aim is to saturate a target network, using all the available bandwidth. That being said, and presuming that an attacker should have huge total bandwidth available in order to saturate the targeted site, it is clear that the best way to launch this type of an attack is to have many different hosts under control. Each host introduces its own bandwidth (ex. PC ADSL users), and they are used all at once, thus distributing the attack on the target site. One of the most popular attacks performed with the use of the TCP protocol (a connection oriented protocol), is called TCP syn flooding. It works by sending a large number of TCP connection requests to the same web server (or to any other type of service), overloading the server's resources and leading to its saturation, preventing other users from opening their own connections. How simple and dangerously efficient! We can achieve the same by using the UDP protocol (a connectionless protocol).
Attackers have spent a lot of time and effort on improving such attacks. We are now facing even better techniques, which differ from traditional DDoS attacks. They let malicious users control a very large number of zombie hosts from a remote workstation, by using, for example, the IRC protocol.
Spamming
Botnets are an ideal medium for spammers. They could be used, and are used, both for exchanging collected e–mail addresses and for controlling spam streaks in the same way DDoS attacks are performed. Single spam message could be sent to the botnet and then distributed across bots, which send the spam. The spammer stays anonymous and all the blame goes to infected computers.
Sniffing & Keylogging
Bots can also be effectively used to enhance the ancient art of sniffing. Observing traffic data can lead to detection of an incredible amount of information. This includes user habits, TCP packet payload which could contain interesting information (such as passwords). The same applies to keylogging – capturing all the information typed in by the user (e–mails, passwords, home banking data, PayPal account info etc.).
Identity Theft
The abovementioned methods allow an attacker controlling a botnet to collect an incredible amount of personal information. Such data can then be used to build fake identities, which can in turn be used to obtain access to personal accounts or perform various operations (including other attacks) putting the blame on someone else.
Hosting of Illegal Software
Last, but not least, bot–compromised computers can be used as a dynamic repository of illegal material (pirated software, pornography, etc.). The data is stored on the disk of an unaware ADSL user.
Hours could be spent talking about the possible applications of botnets (for example pay per click abuse, phishing, hijacking HTTP/HTTPS connections etc.). Bots alone are only tools, which can easily be adapted to every task which requires a great number of hosts under single control.
.::Different Types of Bots::.
Many types of ready–made bots are available for download from the Internet. Each of them has its own special features. Let's have a look at the most popular bots, outlining common features and distinctive elements.
GT–Bot
All the GT (Global Threat) bots are based on a popular IRC client for Windows called mIRC. The core of these bots is made up of a set of mIRC scripts, which are used to control the activity of the remote system. This type of bot launches an instance of the client enhanced with control scripts and uses a second application, usually HideWindow, to make mIRC invisible to the user of the host computer. An additional DLL file adds new features to mIRC in order for scripts to be able to influence various aspects of the controlled host.
Agobot
Agobot is probably one of the most popular bots used by crackers. It is written in C++ and released on a GPL licence. What is interesting about Agobot is its source code. Highly modular, it makes it simple to add new functions. Agobot provides many mechanisms to hide its presence on the host computer. They include: NTFS Alternate Data Stream, Antivirus Killer and the Polymorphic Encryptor Engine. Agobot offers traffic sniffing and sorting functionality. Protocols other than IRC can also be used to control this bot.
DSNX
The Dataspy Network X bot is also written in C++ and its source code is also available on a GPL licence. Adding new functionality to this bot is very easy thanks to its simple plug–in architecture.
SDBot
SDBot is written in C and also available on a GPL licence. Unlike Agobot, its code is not very clear and the software itself comes with a limited set of features. Nevertheless, it is still very popular and available in different variants.
.::The Elements of an Attack::.
An attacker first spreads a trojan horse, which infects various hosts. These hosts become zombies and connect to the IRC server in order to listen to further commands.
The IRC server can either be a public machine in one of the IRC networks or a dedicated server installed by the attacker on one of the compromised hosts.
Bots run on compromised computers, forming a botnet.
.::A Practical Example::.
The activity of the attacker can be split into four different stages:
creation
configuration
infection
control
The creation stage is largely dependent on attacker skills and requirements. A cracker can decide whether to write their own bot code or simply extend or customise an existing one. A wide range of ready–made bots are available and highly configurable. This is made even easier via a graphical interface. No wonder this is the option most often used by script kiddies.
The configuration stage involves supplying IRC server and channel information. Once installed on the compromised machine, the bot will connect to the selected host. An attacker first enters data necessary to restrict access to the bots, secures the channel and finally provides a list of authorised users (who will be able to control the bots). In this stage the bot can be further customised, for example by defining the target and attack method.
The infection stage involves using various techniques to spread the bots – both direct and indirect. Direct techniques include exploiting vulnerabilities of the operating system or services. Indirect attacks employ other software for the dirty work – they include using malformed HTML files exploiting Internet Explorer vulnerabilities, or using other malware distributed through peer–to–peer networks or through DCC (Direct Client–to–Client) file exchange on IRC. Direct attacks are usually automated with the use of worms. All worms have to do is search the subnets for vulnerable systems and inject the bot code. Each infected system then continues the infection process, allowing the attacker to save precious resources and providing plenty of time to look for other victims.
The mechanisms used to distribute bots are one of the main reasons for so–called Internet background noise. The main ports involved are the ones used by Windows, in particular Windows 2000 and XP SP1 (see Table 1). They seem to be the attackers' favourite target, because it is easy to find unpatched Windows computers or ones without firewalls installed. It is often the case with home PC users and small businesses, which overlook security issues and have an always-on broadband Internet connection.
The control stage involves actions after the bot is installed on the target host in a selected directory. In order to start with Windows, it updates the Windows registry keys, usually HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. The first thing the bot does after it is successfully installed is connecting to an IRC server and joining the control channel with the use of a password. The nickname on IRC is randomly generated. The bot is then ready to accept commands from the master application. The attacker must also use a password to connect to the botnet. This is necessary, so that nobody else can use the supplied botnet.
IRC not only provides the means to control hundreds of bots, but also allows the attacker to use various techniques in order to hide his real identity. This makes it difficult to respond to attacks. Fortunately botnets, by their nature, generate suspected traffic, which is easily detectable due to known patterns. This helps IRC administrators in detection and intervention, allowing them to take the botnet down and report the abuse.
Attackers are forced to refine their C&C (Control and Command) techniques, which leads to botnet hardening. The bots are therefore often configured to connect to different servers using a dynamically mapped hostname. This way an attacker can easily move the bots to new servers, keeping them under control even after detection. Dynamic DNS services such as dyndns.com or no–ip.com are used for this task.
Posted in: 
0 comments:
Post a Comment