
Anatomy of a Botnet

Date: 09/15/2008
Author: Bogdan Botezatu

Command and control are essential steps in maintaining an operational botnet, but at the same time they are the weakest link of the system.

Once communication is interrupted, the computer is out of the botnet's reach. Often something goes wrong with an important computer that is part of the botnet, and the botmaster risks losing the entire structure because of a single station. That is why botmasters have intensively researched different network architectures, to keep their networks working even when a significant part has been taken offline.

[Image 1: zombie-network]

Image 1: a centralized Command and Control architecture. Each compromised machine reports to a C&C server that is controlled by the botmaster. Once a C&C server is shut down, its bots are lost forever.

Attackers can control their botnets in a centralized manner, using peer-to-peer software, or at random. While the latter architecture is more of an experiment, and there is no evidence of random architectures in the wild, the other two types of botnet are extremely efficient.


Command and Control Models

A centralized control method consists of a single vulnerable computer that has all the necessary processing and communication resources, such as a high-capacity network link. It is designated as the command center that communicates with all the other zombie computers. Each newly infected system announces its availability to the command and control center and then awaits orders from it. Botmasters have to take multiple aspects into account before designating a server as a command center, such as the available bandwidth, the port restrictions imposed by the ISP, and the number of software updates performed by the system administrators.

More and more Internet service providers fight malware by limiting access to specific ports. To prevent e-mail abuse, some ISPs block port 25, as automated spamming software relies on it to send bulk messages. Other Internet service providers block all ports except port 80 (used for HTTP requests), port 21 (FTP) and a few others that play a key role in serving web pages and e-mail messages.

Distributed Command and Control is a term that covers all botnets that do not operate in a centralized manner. It is an evolutionary step taken by botmasters once they found out that directly controlling a large botnet might draw attention and could ultimately end badly for them as well as for their “business”. Running a huge, monolithic botnet is not a wise choice nowadays, as Internet service providers, law enforcement agencies and the media have joined forces to fight back against criminal organizations exploiting home computers.

[Image 2: p2p-botnet]

Image 2: Peer-to-Peer botnet. Once an infected computer is lost, the network re-creates itself using the remaining bots.

Peer-to-Peer botnets are the best-known example of distributed architectures. Once a computer goes offline for good (either because it has been disinfected by its user or because the ISP has banned it from the network on grounds of suspicious traffic), a centralized botnet would suffer severe functionality loss. Peer-to-peer networks, however, are able to regenerate quickly, as each bot looks for its siblings and then reconnects to the network. The most important drawback of Peer-to-Peer networks is that they are slower than the centralized model and can only accommodate between 10 and 50 zombie computers. In a decentralized environment, commands are transferred from bot to bot, as each compromised computer holds a list of adjacent drones. This way, commands are distributed across the entire network using the shortest path between bots. The botmaster can continue to control multiple computers by simply logging into a single compromised system.


Peer-to-peer networks have become increasingly popular during the last several years. Botnets created using Slapper, Sinit, Phatbot and Nugache are only a few known examples of decentralized architectures. However, despite the fact that P2P networks are more resistant to “extermination”, the architecture has many flaws that dramatically reduce its performance. For instance, Sinit wastes a lot of time and computing resources probing for other similar bots to communicate with. The botnet is therefore poorly connected and can be detected with ease, since the increased network traffic is likely to draw attention.
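The resilience argument above can be made concrete with a small graph simulation. This is an added example, not code from the original article: it models the centralized architecture as a star around one C&C node and the peer-to-peer architecture as a ring where each bot keeps a short list of adjacent drones (a simplification of real peer lists), then counts how many bots a command could still reach after a takedown removes some nodes. The adjacent-pair case also shows the "poorly connected" caveat: a sparse peer list can be partitioned.

```python
"""Takedown impact on a centralized vs. a peer-to-peer botnet, modelled as
graphs (constructed example; the topologies are deliberate simplifications)."""
from collections import deque


def centralized(n_bots):
    """Star topology: every bot talks only to the single C&C node 'cc'."""
    graph = {"cc": set()}
    for i in range(n_bots):
        graph[f"bot{i}"] = {"cc"}
        graph["cc"].add(f"bot{i}")
    return graph


def peer_to_peer(n_bots, degree):
    """Ring-with-chords topology: each bot keeps a peer list of 'degree'
    neighbours, mimicking the per-bot list of adjacent drones."""
    graph = {f"bot{i}": set() for i in range(n_bots)}
    for i in range(n_bots):
        for step in range(1, degree // 2 + 1):
            a, b = f"bot{i}", f"bot{(i + step) % n_bots}"
            graph[a].add(b)
            graph[b].add(a)
    return graph


def reachable_after_takedown(graph, entry, removed):
    """Breadth-first search from 'entry': how many other bots a command could
    still reach once the nodes in 'removed' are offline (cleaned, blocked, seized)."""
    if entry in removed or entry not in graph:
        return 0
    seen, queue = {entry}, deque([entry])
    while queue:
        node = queue.popleft()
        for peer in graph[node]:
            if peer not in removed and peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return len(seen) - 1


if __name__ == "__main__":
    star, mesh = centralized(20), peer_to_peer(20, 4)
    # Seizing the single C&C server orphans every bot in the star.
    print(reachable_after_takedown(star, "cc", set()))        # 20
    print(reachable_after_takedown(star, "bot3", {"cc"}))     # 0
    # Four scattered losses: the mesh re-routes around them.
    print(reachable_after_takedown(mesh, "bot0", {"bot5", "bot10", "bot15", "bot18"}))  # 15
    # Two adjacent pairs lost: a sparse peer list (degree 4) partitions the mesh.
    print(reachable_after_takedown(mesh, "bot0", {"bot5", "bot6", "bot12", "bot13"}))  # 10
```

For a defender, the same function answers the reverse question: which nodes, if taken offline, cut off the most bots.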


The random model of command and control is not yet used and exists only in theory. In order to launch new attacks, the botmaster scans the computers connected to the Internet to determine the currently active workstations. Put briefly, the infected hosts never attempt to connect to other computers or central servers; they merely listen to the traffic and wait for the proper commands from the botmaster.


However, this approach would force a botmaster to scan huge IP ranges on the Internet, as there would be no list of the existing and active bots. Although there are visible advantages in using random architectures (such as complete stealth, thanks to the minimal network traffic during the rallying process), the disadvantages simply make the approach impractical, because of latency and scalability issues. Scanning, finding and instructing individual bots is a painstaking process, especially because bots located behind NAT routers and firewalls could never be contacted.


Command and Control Protocols

In order to successfully receive commands from their botmaster, bots have to be connected to the Internet. Connectivity can be achieved using multiple protocols, depending on the bots’ complexity as well as on the environment the bot is running in.

Protocols are sets of standard rules for data representation, signaling, authentication and error detection required to send information over the Internet.

Undoubtedly, the most widespread network protocol when it comes to botnets is Internet Relay Chat (IRC). Because of the simplicity and low overhead of the IRC format, it is highly scalable and features extremely low latencies. There are accounts of botnets comprising about 1.5 million machines that were able to integrate flawlessly thanks to the IRC protocol. IRC servers are extremely popular on the net, but botmasters can also run IRC as a service or daemon on zombie machines. More than that, IRC is the perfect protocol for handling bots, since it supports passwords and private chats. However, IRC also has a major flaw: once the channel is detected, it can easily be taken down by the authorities. System administrators can also block the entire IRC port range directly at the corporate firewall, thus cutting off communication with the botmaster.
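The two detection angles mentioned above (IRC traffic, which a firewall can block by port range, and many hosts rallying to one server) can be turned into a simple log check. The following is an added example, not from the original article; the connection log is constructed, the record format `timestamp src_ip dst_ip dst_port payload_snippet` is an assumption, and the IRC port range 6660-6669/7000 is the commonly used one.

```python
import re
from collections import defaultdict

# Constructed sample (not from the article); record format:
# timestamp src_ip dst_ip dst_port payload_snippet
SAMPLE_LOG = """\
2008-09-15T10:00:01 10.0.0.5 203.0.113.7 6667 NICK [XP]-91234
2008-09-15T10:00:02 10.0.0.5 203.0.113.7 6667 JOIN #ch4nnel k3y
2008-09-15T10:00:03 10.0.0.8 203.0.113.7 6667 NICK [XP]-00417
2008-09-15T10:00:04 10.0.0.9 203.0.113.7 6667 NICK [2K]-55012
2008-09-15T10:00:05 10.0.0.12 198.51.100.20 80 GET /index.html
2008-09-15T10:00:06 10.0.0.13 198.51.100.9 443 (tls)
2008-09-15T10:00:07 10.0.0.14 203.0.113.40 8080 JOIN #ops
2008-09-15T10:00:08 10.0.0.5 198.51.100.20 80 GET /news
"""

IRC_PORTS = set(range(6660, 6670)) | {7000}   # the usual IRC port range
IRC_VERB = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PONG)\b")


def parse_record(line):
    ts, src, dst, dport, payload = line.split(" ", 4)
    return ts, src, dst, int(dport), payload


def find_rally_points(log_text, min_hosts=3):
    """Group flows by destination and report any destination that carries
    IRC commands (on the IRC ports or elsewhere) or that at least
    'min_hosts' internal hosts converge on, the signature of a rally."""
    by_dest = defaultdict(lambda: {"hosts": set(), "irc": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, dport, payload = parse_record(line)
        info = by_dest[(dst, dport)]
        info["hosts"].add(src)
        if IRC_VERB.match(payload):
            info["irc"] = True
    findings = []
    for (dst, dport), info in sorted(by_dest.items()):
        reasons = []
        if info["irc"]:
            reasons.append("irc-traffic" if dport in IRC_PORTS
                           else "irc-on-nonstandard-port")
        if len(info["hosts"]) >= min_hosts:
            reasons.append(f"{len(info['hosts'])}-hosts-converge")
        if reasons:
            findings.append((dst, dport, reasons))
    return findings
```

On the sample, `find_rally_points(SAMPLE_LOG)` flags 203.0.113.7:6667 (IRC verbs plus three hosts converging) and 203.0.113.40:8080 (IRC on a port a port-range block would miss), while the ordinary HTTP and TLS flows are left alone.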

HTTP is probably the most widespread protocol across the Internet, and many communications specialists call it the Universal Firewall Traversal, because traffic on port 80 is almost always permitted. Of course, compared to the IRC protocol, HTTP is less suitable for large botnets, but it ultimately assures botmasters that they can contact their bots. One of the bots that makes heavy use of the HTTP protocol is the Bobax bot, which can be controlled using HTTP variables and GET requests. There are multiple reports of Bobax botnets that count as many as 100,000 compromised computers, which means that large HTTP botnets can exist. However, since such botnets usually disturb the normal HTTP traffic pattern (bot packets differ from regular traffic), HTTP-based botnets can be easily identified and shut down.


Instant Messaging bots have started to appear as IM services gained ground among PC users. Botnets based on the IM protocol are less common than the IRC and HTTP architectures, although they rely on the same technology. IM botnets differ from IRC-based networks in that they use the communication channels provided by IM services such as AOL, MSN, ICQ and Yahoo. IM-based botnets are less appealing to botmasters because it is difficult to create an individual IM account for each and every bot on the network.


Apart from IRC, HTTP and IM, botnets can also use other protocols. Phatbot-based botnets are known to rely on peer-to-peer protocols, such as Gnutella and Waste, but the protocol limitation only allows botmasters to efficiently control as many as 50 clients.
