Botnet: 10 Years of Security Threats

14 October 2008

Compared to PC viruses and worms, botnets are relatively new threats to the IT landscape.

Their history dates back to the late 1990s, when the infamous NetBus and BackOrifice2000 backdoor Trojans started to wreak havoc among computer users. NetBus and BackOrifice2000 were more than simple Trojans with new features: they were a completely distinct breed of malware that integrated new technologies and functions. For instance, these two Trojans were the first pieces of malware to allow remote administration of the infected computer.

The real danger posed by these Trojans was amplified by the fact that only a few technical specialists fully understood the phenomenon, while the rest of the PC users were simply panicked. After all, software applications that would open or close without any user interaction were a little more than the average PC consumer could understand. However, such Trojans were not able to team up in an independent network, which meant that both NetBus and BackOrifice 2000 were rather proof-of-concept pieces of malware, designed for fun and not for profit.

One year later, in 2000, remote administration applications gained the ability to control multiple machines at the same time. New features were subsequently added to the existing backdoor programs to make them automatically connect to a defined rally point. The new generation of security threats was built on a tool that hackers had previously used: IRC channels. Upgrading regular IRC bots to perform malicious tasks was a piece of cake, since the vast majority of bots were available as open-source software. More than that, the IRC protocol has a simple syntax, which means that any person with average programming skills could turn a regular bot into a weapon of mass destruction.

The new challenge as far as botnets were concerned was to simultaneously control as many computers as possible. While controlling a single computer was a piece of cake, controlling thousands of systems at once proved to be more difficult than it looked on paper. This is why more and more bots were equipped with a "call home" feature: each time a bot infected a system, it would immediately call home and report for duty. This means that it would log onto a pre-defined IRC channel and send a private message to a logged-on user (usually the bot controller). The message could look like this:

"Hi, I am ready to start. My IP is 127.0.0.1 and I take commands on port 1222."
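Seen from the defender's side, the "call home" step above leaves a recognisable trace in IRC server logs. The following is an added example (not code from the original article): it parses IRC PRIVMSG lines in RFC 1459 wire format, picks out messages matching the registration pattern quoted above, and flags any nick that receives such reports from several distinct hosts. The log lines, nick names and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed IRC server log lines (RFC 1459 wire format), not real traffic.
SAMPLE_IRC_LINES = [
    ":bot8812!u@198.51.100.17 JOIN #rally",
    ":bot8812!u@198.51.100.17 PRIVMSG ctrl :Hi, I am ready to start. My IP is 198.51.100.17 and I take commands on port 1222.",
    ":bot0431!u@203.0.113.5 PRIVMSG ctrl :Hi, I am ready to start. My IP is 203.0.113.5 and I take commands on port 1222.",
    ":alice!a@192.0.2.10 PRIVMSG #rally :anyone around?",
    ":bot7720!u@198.51.100.88 PRIVMSG ctrl :Hi, I am ready to start. My IP is 198.51.100.88 and I take commands on port 1222.",
    ":bob!b@192.0.2.11 PRIVMSG alice :my ip is dynamic, port forwarding is a pain",
]

# ":nick!user@host PRIVMSG target :text" -- the prefix carries the sender's host.
IRC_PRIVMSG = re.compile(
    r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+) PRIVMSG (?P<target>\S+) :(?P<text>.*)$"
)
# The registration message quoted in the article: a dotted-quad IP followed by a port.
CALL_HOME = re.compile(
    r"my ip is (?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?port (?P<port>\d{1,5})", re.IGNORECASE
)

def parse_privmsg(line):
    """Return the PRIVMSG fields as a dict, or None for any other IRC line."""
    m = IRC_PRIVMSG.match(line)
    return m.groupdict() if m else None

def find_call_home_reports(lines):
    """(sender_host, target_nick, reported_ip, reported_port) for each private
    message that looks like a bot registering with its controller."""
    reports = []
    for line in lines:
        msg = parse_privmsg(line)
        if not msg or msg["target"].startswith(("#", "&")):
            continue  # channel chatter; the report goes to a user, not a channel
        m = CALL_HOME.search(msg["text"])
        if m:
            reports.append((msg["host"], msg["target"], m.group("ip"), int(m.group("port"))))
    return reports

def suspected_controllers(lines, min_reporters=2):
    """Nicks receiving call-home reports from at least min_reporters distinct hosts."""
    by_target = defaultdict(set)
    for host, target, _ip, _port in find_call_home_reports(lines):
        by_target[target].add(host)
    return {t: sorted(h) for t, h in by_target.items() if len(h) >= min_reporters}
```

Human chatter that happens to mention "my ip" (the last sample line) is not matched because no dotted-quad address follows the phrase; the threshold on distinct reporting hosts is what separates a controller from an ordinary user.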

Things got serious in 2003, when the SoBig email worm struck millions of computer users. The attack was alleged to be the first organized attempt to add an incredible number of computers to the same botnet. It was also the first time that an e-mail worm came with a bot as payload.

The media played a crucial role in promoting botnets as one of the most important security threats ever. As information about IRC-based botnets spread among hackers and malware authors, they quickly rallied to improve and strengthen botnets. Of course, other malware authors decided that they would rather hijack existing botnets than build their own from scratch. IRC channels with huge numbers of visitors became the main targets of hijackers. After successfully bypassing authentication, hijackers would simply redirect the "confiscated" bots to another IRC channel, thus seizing control over someone else's botnet.

However, as IRC botnets gained ground, more and more Internet service providers imposed strict firewall restrictions on IRC ports, and many botnets found themselves irreversibly cut off from their command centers. The botnet industry was expected to migrate to a different protocol that would be harder to block.

Hackers worldwide started working on fully-fledged HTTP servers able to remotely control compromised systems located behind a corporate firewall or NAT server. More and more whitepapers and how-tos were published on specialized hacking forums. HTTP proved to be extremely convenient, given the fact that port 80 was never blocked by the corporate firewall. However, any experienced system administrator could easily detect abnormal traffic on port 80, thus endangering the botnet itself.

Malware authors also attempted to create botnets using instant messaging services, but they gave up shortly thereafter, as each bot would need its own username and password, a painstaking task that takes time and effort. Some botmasters shifted their attention to implementing new network architectures. New botnets came with multiple command and control centers, since a single C&C center could easily be hijacked, taken down or otherwise destroyed. Multiple C&C nodes bring extra efficiency, but at the same time, they are much harder to maintain.

Next on the evolutionary roadmap were peer-to-peer networks. The new infrastructures enjoyed increased efficiency over the traditional C&C botnets, but at the same time, they were heavily constrained by the total number of bots they could control at once. Some botmasters experimented with P2P architectures as early as 2004, but it was only in 2007 that the first large P2P botnet was discovered.

Called the Storm botnet, the new P2P network was built using the fearsome Storm Worm. (Storm Worm is a mixed-type piece of malware that combines worm features with backdoor and Trojan capabilities. Initially spotted in the wild on 17 January 2007, the worm tries to infect computers and then add them to the Storm botnet. The worm disguises itself as a newsletter containing a film about forged news stories, especially weather cataclysms.) The Storm Worm was extremely prolific and, in order to bypass antivirus detection, its author(s) came up with new and updated variants of the code. It is alleged that the worm came in five different flavors that basically unleashed the same malicious payload. (The Storm Worm was very similar to a polymorphic virus, but unlike conventional polymorphism, mutation took place on an Internet server rather than locally, on the infected machine.)

Larger botnets were immediately labeled as threats to national security, the national information infrastructure and the economy, so multiple government institutions took a stand against the attackers. The Federal Bureau of Investigation started a new national initiative called Operation Bot Roast. They identified over one million compromised machines that had been used to relay spam and perform other types of attacks in the US alone. A couple of botmasters located in the US received home visits from the agency, and three persons were tried and convicted of computer fraud and abuse in violation of Title 18 USC 1030.

James C. Brewer, a computer programmer living in Arlington, Texas, was sentenced to imprisonment for having operated a botnet inside Chicago-area hospitals. It is alleged that Brewer managed to infect tens of thousands of computers worldwide. Jason Michael Downey of Covington, Kentucky was also charged with computer fraud, as his botnet would send huge amounts of traffic to intended recipients to cause damage by impairing the availability of PC systems (Distributed Denial of Service). Last, but not least, Robert Alan Soloway of Seattle, Washington was charged with computer fraud and abuse, as his botnet was used to spam "tens of millions of unsolicited email messages to advertise his website from which he offered services and products". (All the arrests were announced by FBI spokespersons on 13 June 2007. The suspects are still in jail for computer abuse and fraud.)

The United States was only the starting point for a new series of arrests and convictions. Other botmasters that operated in different geographic areas were also jailed for abuse. One of the largest botnets known to the authorities was operated by 18-year-old Owen Thor Walker from New Zealand, who "enslaved" no less than 1.3 million computers in order to steal users' credit card credentials.


Bogdan never trusts anything until it is disassembled into small pieces and carefully inspected. The passion for writing and the almost obsessive attention to details are some of his greatest qualities and, at the same time, some of his greatest flaws.

Comments:

abhijeet said on Apr-6-2011 07:49

This article is really helpful to me!
