The Genesis of a Botnet
30 July 2008
Modern botnets use social engineering tactics to trick users into unwittingly installing malicious code on their computers.
For instance, a botnet can distribute infected e-mail messages carrying malware, or just links to compromised websites, where systems are infected on the fly. The social engineering techniques rely on apparently harmless messages accompanied by an infected attachment that looks like a simple .jpeg image. Botnets can also expand on their own by identifying and infecting other vulnerable computers.
However, contrary to the popular belief that malicious bots usually “travel” by e-mail, this is not an effective way to carry out a successful infection. It is true that some e-mail messages come bundled with malware, but the number of such messages is dramatically limited. On the other hand, while visiting a popular IRC server you will surely be sent plenty of DCC file transfer offers, as well as ads leading to compromised websites that host malware. Users can get infected either by downloading and running malicious software, or simply by visiting the website, through miscellaneous ActiveX exploits for Internet Explorer. For instance, if the user is running an unpatched version of the browser, the site would attempt to drop a small Trojan onto the machine. There is a catch, though: the exploit can only drop files smaller than 34 KB, but malware authors have worked around this “glitch” by using compressed pieces of malware (the fearful EvilBot, for instance, takes up only 7 KB when compressed with the UPX utility).
Most of these security threats are Web Download Trojans, which, once executed, fetch a file from a different location on the web and install it onto the vulnerable computer. This way, malware can be dropped without the user noticing anything suspicious.
Some IRC bots are able to scan for computers that have already been infected with other Trojans. This extra ability allows malware authors to place their own bots onto computers that have been proven vulnerable to at least one Trojan. Moreover, the lifespan of the IRC bot is dramatically improved, since the presence of another Trojan shows that the user is not concerned with data security, and might not even have installed an antivirus utility.
After the bot has been successfully installed, it creates a registry key that allows it to start with the operating system. After all, bots can be contacted by the botmaster only if they are already running on the machine.
Next, the bot attempts to connect to the Internet using a hardcoded port. Most IRC bots prefer port 6667, but such bots are also able to “listen” on ports 6660, 6661, 6662, 6663, 6664, 6665, 6666, 6668, 6669 and 7000. However, since these other ports are usually taken by other applications, port 6667 is the first choice. Once they have successfully joined a specific IRC channel, the bots await further commands from the botmaster.
On the other side of the connection, there is always a botmaster. Masters log into the bots using an encrypted access password that is usually hardcoded into the bot. The encrypted password ensures that bots can only be controlled by their owner, and prevents the entire network from being hijacked by third parties, such as rival botmasters. Once the login completes successfully, the zombie army awaits its master’s commands.
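The connection pattern described above (outbound sessions to port 6667 or one of the alternate IRC ports, followed by an IRC login and channel join) is something a network defender can look for in connection logs. The following is an added example, not code from the original article or from BitDefender: it parses a constructed, made-up log format, and because the article itself notes that the alternate ports are often used by legitimate applications, it treats the port alone as weak evidence and only raises a stronger verdict when the first payload line looks like an IRC client command.

```python
import re
from collections import defaultdict

# Ports the article lists for IRC bots: 6667 is the first choice,
# 6660-6666, 6668, 6669 and 7000 are the fallbacks.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}

# Commands an IRC client sends when logging in and joining a channel.
IRC_CMD = re.compile(r"^(PASS|NICK|USER|JOIN|PRIVMSG|PONG)\b", re.IGNORECASE)

# Constructed log format (hypothetical, not any real product's):
# <time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes> "<first payload line>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) '
    r'(?P<bytes>\d+) "(?P<payload>[^"]*)"$'
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def classify(rec):
    """Return 'irc-bot', 'irc-port-only' or None for one connection record."""
    if rec["dport"] not in IRC_PORTS:
        return None
    # The port alone is weak evidence, so require an IRC-looking payload
    # before calling it a bot check-in.
    if IRC_CMD.match(rec["payload"]):
        return "irc-bot"
    return "irc-port-only"

def find_suspects(lines):
    """Map each source host to the set of verdicts observed for it."""
    verdicts = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and (v := classify(rec)):
            verdicts[rec["src"]].add(v)
    return dict(verdicts)

# Constructed sample log; addresses are documentation/private ranges.
SAMPLE_LOG = [
    '2008-07-30T10:00:01 10.0.0.5:49152 -> 203.0.113.7:6667 42 "NICK [00|USA|12345]"',
    '2008-07-30T10:00:02 10.0.0.5:49152 -> 203.0.113.7:6667 18 "JOIN #bots"',
    '2008-07-30T10:00:05 10.0.0.9:50001 -> 198.51.100.2:7000 60 "GET / HTTP/1.1"',
    '2008-07-30T10:00:07 10.0.0.12:50010 -> 198.51.100.40:443 0 ""',
    '2008-07-30T10:00:09 10.0.0.3:51000 -> 203.0.113.7:6669 30 "USER x 0 * :x"',
]

if __name__ == "__main__":
    for host, seen in sorted(find_suspects(SAMPLE_LOG).items()):
        print(host, sorted(seen))
```

A host flagged `irc-port-only` deserves a second look (the article says other applications commonly use those ports), while `irc-bot` on a machine that should not be running an IRC client is a good candidate for checking the autorun registry keys mentioned earlier.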
Copyright 2010. Site powered by BitDefender