Cyber Crime: Case Study: Emerging threat of Internet Bots

From CyberSecurity
Jump to: navigation, search


Network intrusions, data theft using Trojan horses, viruses and worms are among the threats security experts worry about on a regular basis. However, something more dangerous is emerging. Botnets, which with their proliferation, sophistication and criminal use is emerging as number one security threat. The recent arrest of 20-year old Californian man who made $60,000 by selling access to botnets to spammers and hackers is evidence of the growing menace.

A bot is a malicious software program that invades computer so that it can covertly be controlled by a remote attacker. A bot is seeded by attackers through worms, viruses or other means to exploit desktop and server vulnerabilities. They are then herded into botnets that can force zombie machines to work together to perform any task.

In addition, botnets are evolving and getting nastier. Previously, they were controlled exclusively through Internet Relay Chat (IRC) channels, but are now increasing being manipulated through other means, such as Web, instant messaging or peer-to-peer. Moreover, bots are incorporating encryption, shape-shifting polymorphism to evade detection, and using rootkits, code that allows a permanent and undetectable presence in order to conceal itself from the user of the machine. "Kernel level rootkits are extremely dangerous as they conceal their malicious code and cannot be removed by most anti-virus or anti-spyware programs," says Martin Overton, security specialist at IBM Global Service.

“The state of bot technology has reached the point that the state of Web technology has,” says Peter Tipett, CTO at Cybertrust, whose security experts found more than 12,000 people contributing to bots or renting out botnets. “Instead of fighting with each other, these guys are working together and posting their code. It’s evil open source. We are getting a rich set of commands and capabilities used by the bad guys.”

Apart from evolving as sophisticated security threats, their presence is growing exponentially. Network-security experts identify and shut down botnets with 10 to 100 compromised hosts several times a day. Crackdowns on large botnets with 10,000 or more hosts are rarer, but they still occur weekly, said Johannes Ullrich, chief technology officer for the Internet Storm Center, which detects, analyzes, and disseminates information about Internet-related security problems. “Security investigators have even found one botnet of 100,000 computers,” Ulrich noted. Research conducted by Symantec found that on average more than 60,000 botnets gets active each day in first half of this year. They also noted this is an increase of more than 140% from the previous year's semi-annual count. “Botnets have been one of the big underreported problems in the security,” says Bruce Hughes, director of malicious-code research for security consultancy Cybertrust.

--Hema 13:32, 5 December 2005 (PST) I hope u have endnotes/reference in the word doc for the number quoted above.

Valuable Victims and Targets:

High Bandwidth: One of the most desired hosts are the machines connected to the Internet using high-bandwidth broadband. This can provide an attacker with an enormous cumulative bandwidth to carry out large scale DDoS attacks on target severs.

Availability: The one of the most sort out hosts that are always connected to internet i.e they are always on. This ensures hackers can carry out attacks round the clock without depending on whims of the users which may connect to internet at irregular intervals.

Low user Awareness and monitoring capability: Attackers prefer hosts where users have low security awareness and do not have access to control devices like firewalls installed on their computers. The absence of these access control devices with un-patched operating systems are ideal victims for hackers to break into the system, install and maintain bots over a long period of time without being identified or traced.

Location: One of the prime goals of these cyber-criminals is to avoid detection after they committ crimes. They achieve this by selecting hosts that are geographically far away from their location. This makes very difficult for law enforcement officers to detect bots back to hackers. Also international prosecution being time consuming, expensive and non-standardized process that varies for each country, unfortunately ends up helping these cyber-criminals to go Scot-free.

The typical profile that fits the above criteria is that of residential broadband connection that has low or no access control devices or university subnets connected to Internet with minimal monitoring, high bandwidth and most of time availability.

Attack Techniques:

Bots generally employ one of the several attack methods, but sometimes use multiple techniques to create a network of compromised computers. Some of these approaches are quite sophisticated, such as Phatbot, which can generate a new encryption for itself each time it infects a new system. This makes it difficult for the software to find a common code signature for and thus recognize Phatbot. According to Ken Dunham, director of malicious code for Security Consultancy iDefense, Phatbot has successfully evaded detection by mutating itself from spyware to launch vitriolic DDoS attacks on compromised networks. The following are some of the ways that attackers use to create networks of bots for themselves.


IRC is the most common used technique, including those in the large Phatbot/Agobot and Sdbot/Robot families as a way to communicate and receive commands from hackers. IRC has a built in mechanism for multicast capabilities which let attackers quickly send commands to all parts of a botnet without writing new code for the bot.


Many bots take advantage of peer-to-peer communication to infect computers with vulnerabilities. They connect to open-source file sharing technology such as Gnutella and work with the WASTE file-sharing protocol. WASTE uses a distributed directory rather than a central server which lets bots easily find each other and communicate with one another. They can thus exchange hacker commands or other attack-related information among themselves. An attacker can initiate the process by serving as a peer in P2P network sending commands to one bot, which can then pass them onto the others. Thus, hackers don’t have to communicate to bots via IRC multicasting. Decenteralized-based bot systems are harder for security officials to trace or shutdown than systems using a single IRC source.

If security officials discover and disable some of the bots in a sophisticated system, Skoudis said, the bots can communicate to one another and the attacker and then start spreading again to compensate for losses. Each bot carries software necessary to create and spread more bots.

--Hema 13:32, 5 December 2005 (PST) Who is Skoudis ? I think u can leave out the above para.

Email Attachments/Worms:

Many hackers use methods such as email attachments or worms to infect computers. Bots don’t replicate or spread on their own, but they can use the worms’ functionality to do so. In fact, hackers can spread bots more quickly with worms than with other methods. In addition, Botnets can spread worms faster than worms can spread on their own. The Symantec Security Response team said 2004’s Witty worm, which infected and crashed tens of thousands of servers, was probably launched by a botnet. According to Huger, “we saw Witty break out more or less at the same time from a hundred or more machines. The machines were all over the world but they had something in common: they were on our bot list of compromised computers,” he noted.

--Hema 13:32, 5 December 2005 (PST) Sorry but I think we are quoting what others said too much..

Malicious use of Bots and Botnets:

Bots can serve several purposes both legitimate and illegitimate. One legitimate purpose is to support the operation of IRC channels by conferring special administrative privileges or designated users. However, most of the common uses are criminally motivated for monetary gains or for destructive purposes.

1. Distributed Denial-of-Service Attacks

A DDoS attack is an attack on a computer system that causes a loss of service to users, typically the loss of network connectivity and services by consuming of the bandwidth of the victim network or overloading the computational resources of the victim’s system. Most commonly implemented and often used are TCP SYN and UDP flood attacks.

One of the most often uses of DDoS attacks is to wrest control of an IRC channel from its founder and founder’s delegates. To take over an IRC channel, attackers conduct a DoS attack against one or more of the network’s servers. If they can succeed in downing a server they can split the network into two or more disconnected segments. If in a given segment there are no users joined to a particular channel of interest, the attacker can join that channel and seize the founder’s privileges.

Apart from the role in taking over IRC channels, attackers can launch successful DDoS attack against Internet sites. Let us assume if a given botnet has around 15,000 compromised hosts and has an associated bandwidth of 5kbps, a simultaneous attack by the entire botnet would direct almost 850 Mbps at its target – enough to cripple almoat all e-commerce sites. These estimates are conservative because most of these compromised machines have cable modem and DSL hosts. Moreover, because bots are widely distributed within the IP address space, filtering or blocking such DDoS attacks is not easy. At best, it requires cooperation between the target and multiple service providers.

DDoS is not only limited to web servers, virtually any service available on the Internet can be a target of such an attack. Higher-level protocols can be used to increase the load even more effectively by using very specific attacks, such as running exhaustive search queries on the victim’s website. Recursive HTTP flooding means that the bots start from a given HTTP link and follow all links on the provided website in a recursive way. This is also called spidering.

Further research also showed that botnets are used to run commercial DDoS attacks against competing corporations. Jay R. Echouafni and Joshua Schictel, alias EMP, ran botnets to send spam and carry out paid DDoS attacks to take a competitor’s website down. Echouafni was indicted on August 25, 2004 on multiple charges of conspiracy and causing damage to protected computers.

2. Spamming

Some bots enable SOCKS v4/v5 proxy – a generic proxy protocol for TCP/IP-based networking protocol on a compromised machine which allows them to launch spam attacks. Using bots and thousands of zombies (compromised machines) attackers can send massive amounts of bulk emails. These bots can also add special functionality to harvest email-addresses. Harvested email addresses help them to send phishing mail which appear to victims to come from legitimate sources.

3. Sniffing Traffic

Bots can be used a packet sniffer to watch for interesting clear-text data passing by compromised machine. The sniffers are mostly used to retrieve sensitive information like usernames and passwords. They can also provide information about other Internet bots if it has been compromised more than once. This allows one to “steal” another botnet.

4. Keylogging

If the compromised machine uses encrypted communication channels (e.g. HTTPS or POP3S), then just sniffing the network packets on the victim's computer is useless since the appropriate key to decrypt the packets is missing. But most bots also offer features to help in this situation. With the help of a keylogger it is very easy for an attacker to retrieve sensitive information. An implemented filtering mechanism (e.g. "I am only interested in key sequences near the keyword ''") further helps in stealing secret data. If the keylogger runs on thousands of compromised machines in parallel, it is easy to imagine how quickly PayPal accounts are harvested.

5. Spreading new malware

In most cases, botnets are used to spread new bots. This is very easy since all bots implement mechanisms to download and execute a file via HTTP or FTP. But spreading an email virus using a botnet is also attractive. A botnet with 10,000 hosts which acts as the start base for the mail virus allows very fast spreading and thus causes more harm. The Witty worm, which attacked the ICO protocol parsing implementation in Internet Security System (ISS) products is suspected to have been initially launched by a botnet due to the fact that the attacking hosts were not running any ISS services.

6. Installing Advertisement Add-ons and Browser Helper Objects (BHO)

Botnets can also be used to gain financial advantages. This works by setting up a fake website with some advertisements. The operator of this website negotiates a deal with a hosting company that pays for clicks on ads. With the help of a botnet, these clicks can be "automated" so that instantly a few thousand bots click on the pop-ups. This process can be further enhanced if the bot hijacks the start-page of a compromised machine so that the "clicks" are executed each time the victim uses the browser.

7. Google AdSense abuse

A similar abuse is also possible with Google’s AdSense program. AdSense offers companies the possibility to display Google advertisements on their own website and earn money this way. The company earns money due to clicks on these ads, for example per 10,000 clicks in a month. An attacker can abuse this program by leveraging his botnet to click on these advertisements in an automated fashion and thus artificially increment the click counter. This kind of usage for botnets is relatively uncommon so far.

8. Attacking IRC Chat Network

Botnets are also used for attacks against Internet Relay Chat (IRC) networks. Popular among attackers is especially the so called "clone attack." In this kind of attack, the controller orders each bot to connect a large number of clones to the victim IRC network. The victim is flooded by a service request from thousands of bots or thousands of channel-joins by these cloned bots. In this way, the victim IRC network is brought down - similar to a DDoS attack.

9. Manipulating online polls/games

Online polls/games are getting more and more attention and it is rather easy to manipulate them with botnets. Since every bot has a distinct IP address, every vote will have the same credibility as a vote cast by a real person. Online games can be manipulated in a similar way.

10. Mass identity theft

Often the combination of different functionality described above can be used for large scale identity theft, one of the fastest growing crimes on the Internet. Phishing emails that pretend to be legitimate (such as fake PayPal or banking emails) ask their intended victims to go online and submit their private information. These fake emails are generated and sent by bots via their spamming mechanism. These same bots can also host multiple fake websites pretending to be Ebay, PayPal, or a bank, and harvest personal information. Just as quickly as one of these fake sites is shut down, another one pops up. In addition, keylogging and sniffing of traffic can also be used for identity theft.

--Hema 13:32, 5 December 2005 (PST) Not convinced if we need an elaborate defending Against Bots and Botnet section....

Defending Against Bots and Botnet

Defense against botnet infection and attack can be classified in three stages: prevention, detection and response. All of which needs to treated differently from home and system administrator perspective.

Home User Prevention

The most common way for bots to compromise hosts is by exploiting the known vulnerabilities in OS or installed applications. Users should follow guidelines regarding safe use, patch and updates for the installed OS and application to defend their computers from being infected from attackers. They should activate the auto-patch update facility with popular OS and applications. Users should always install latest version of anti-virus software and practice safe handling of common web application such as web browser, email, and instant messaging.

Home User Detection

Users should regularly monitor their TCP ports (expecially 6667 which is used fro IRC chat relay) which can be easily done with tools such as netstat. Slow network response, unexpectedly high volumes of traffic, traffic on unusual ports, and unusual system behavior indicate the presence of malicious software including bots. Antivirus is able to detect and respond to known type of bots but not effective for any new bots. Online resource for scanning your system may be employed like Symantec online security checker – will scan the system for open common Trojan ports.

Home User Responses

As soon as the user realizes that his/her computer has been compromised, the computer should be physically disconnected from the network. This denies access to the attackers. This help limits the potential damage both to user’s own system and to other systems on the Internet. They should immediately update anti-virus software and check OS and application vendor sites for latest patches. If the user stores bank or credit card information on PC, the user should assume them compromised and contact the appropriate organization. Any passwords or secure data should be no more be used and changed at once.

System Administrator Prevention

System administrators should follow all the best practices recommended for home users in previous section. In addition to this, every system administrator should be given training on online security and privacy issues. High level of awareness on these issues is the best course in preventing malicious bots from infecting computers. They should remain well informed of the latest vulnerabilities by referring to web resources like and, by subscribing to bugtraq mailing list. They should implement access control measures and regularly monitor the generated logs.

System Administrator Detection

In addition to detection techniques used by home users, system administrators can employ network based tools to monitor perimeter defense devices to detect anomalies in Internet traffic. The tools like network packet sniffer can be used not only to identify but also to isolate the subnet/machine which is generating malicious traffic. The windows command line utility like netstat or fport can be used to monitor/verify the activity on tcp ports and map tcp connection established on system to program making that connection. Analysis of the log generated by network sniffer can also be used for finding the IRC server used, name of the attacker’s private channel and authentication key.

System Administrator Responses

In addition to response measures suggested by home user, system administrators should isolate infected subnets to prevent the spread of bots. They can asses the damage with the help of a network packet sniffer by identifying the number of machines infected by bots within a subnet. They can assist the incident response team by preserving data on the affected system and relevant system logs like firewalls, mail servers, IDS, DHCP server, proxy.

Advancement of network model like IRC and easily available tools to edit bots has provided attackers, with very limited knowledge of underlying technology, to create large botnets that are scalable and automated to easily launch various attacks as enumerated in this paper. Sophisticated Bots are incorporating encryption and shape-shifting polymorphism, and using rootkits – code that allows a permanent and undetectable presence of computer- to conceal itself from the user of the machine creating nightmarish scenarios for security experts.

Bots are creating difficult challenges; nevertheless, users can fight them back by proactively following best practices as recommended by the operating system and application vendors to prevent their machines from getting compromised in the first instance. Some of the reactive methodologies outlined include using packet sniffer, monitoring firewall and preserving critical logs to help incident response team to track down the attackers. However, none of these, in isolation are effective. The high level security awareness among users and diligent monitoring of the systems are the most and real defense against the growing menace of bots.

Further, lot of research is being done at universities and institutions using honeynets to learn about attacker’s tools, tactics, and motives and developing ways to track these criminals down. Government should encourage these research efforts as they may provide effective arsenal to law enforcement agencies against bots – the fastest emerging threat, if unchecked may jeopardize the safety of cyber-world in coming years.