After Hours

10 answers to your questions about botnets

Michael Kassner recently asked TechRepublic members to submit questions about botnets, promising to forward them to the experts at Arbor Networks. Dr. Jose Nazario volunteered to provide the following informative answers.


#1: Could you define what a bot or zombie is and how they become part of a botnet?

A botnet is a collection of machines that have been compromised by software installed by the attacker so that they now respond to commands sent by the attacker. This malcode can be installed by exploits on the base OS (e.g., as in the Sasser worm), through browser exploits, or through Trojan horse activities such as fake games or pornography codecs.

#2: What are botnets used for -- are they profitable?

Botnets are used by the attackers for a wide variety of tactics: spamming, hosting phishing sites, harvesting information from the infected PCs for use or resale (such as credit card or banking information), denial of service for pay or extortion, adware installations, etc. The botnet is a platform for the criminal underground, providing unfettered access to the compromised PC and its resources -- disk, bandwidth, IP reputation, personal information, etc. -- for the attacker. It's a way to load arbitrary software onto the machine, as well as to pull arbitrary information off of the machine.

We see botnets used all over the world: the United States, Europe, Russia and the Ukraine, China, Korea, Japan, South America -- all over. The main motivations in the past few years have become monetary, as opposed to curiosity or joy riding.

#3: If I understand correctly, there are different command and control philosophies used by botnets. Could you explain how they work and their effectiveness?

The two main types of command and control structures used by botnets are a centralized mechanism and a decentralized, peer-to-peer mechanism. There is also a third, hybrid approach. Command and control refers to the server(s) that the infected hosts, the bots, contact to receive new commands from the attacker.

IRC botnets are the classic centralized structure, with one or more single IRC servers acting as the main hub. This is still the most popular way to run a botnet, using IRC, HTTP, or other protocols with a single hub. The Storm worm used a hybrid approach, where it would pass messages to other bots using P2P, but it would use a central set of servers for files and updates. Finally, the Nugache botnet is the biggest and most well known true P2P botnet.

Obviously, if you can take one server out and disrupt a botnet, that is the most desirable way to approach it. If we take out the hubs of the botnet, the bots are still infected but not acting on commands. P2P botnets are far harder to disrupt and shut down.
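The two signatures of the centralized model described above are visible from the network side: many distinct internal hosts contacting the same external endpoint, and each of them doing so on a fixed beat while they poll for commands. The following is an added example, not code from the article or from Arbor Networks; it runs over constructed connection records of the kind a NetFlow export or a firewall log would give you (timestamp, source, destination, port) and reports endpoints that several hosts poll periodically. The interval, thresholds and addresses are illustrative assumptions.

```python
"""Spotting a centralized command-and-control hub in flow records.

Added example for the C&C discussion; not part of the original article.
Bots polling one hub show two signatures: many distinct internal hosts
talking to the same external endpoint, and each host doing so at a
fixed interval (beaconing). The records below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (unix_time, src_ip, dst_ip, dst_port).
FLOWS = [
    # three internal hosts polling 203.0.113.7:6667 every 300 s (assumed bots)
    *[(1000 + 300 * i, "10.0.0.5", "203.0.113.7", 6667) for i in range(6)],
    *[(1010 + 300 * i, "10.0.0.9", "203.0.113.7", 6667) for i in range(6)],
    *[(1020 + 300 * i, "10.0.0.12", "203.0.113.7", 6667) for i in range(6)],
    # ordinary browsing from one host: irregular timing
    (1005, "10.0.0.5", "198.51.100.20", 443),
    (1090, "10.0.0.5", "198.51.100.20", 443),
    (1410, "10.0.0.5", "198.51.100.20", 443),
    (1430, "10.0.0.5", "198.51.100.20", 443),
    (2200, "10.0.0.5", "198.51.100.20", 443),
]


def beacon_score(timestamps):
    """Coefficient of variation of the inter-arrival gaps; near 0 means the
    connections are periodic. Returns None with fewer than 3 gaps, since a
    handful of connections cannot support a periodicity claim."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def find_hubs(flows, min_hosts=3, max_cv=0.2):
    """Return {(dst_ip, dst_port): [src_ips]} for endpoints that at least
    `min_hosts` internal sources contact on a regular beat (cv <= max_cv).
    The thresholds are assumptions to tune against your own baseline."""
    by_pair = defaultdict(list)
    for t, src, dst, port in flows:
        by_pair[(src, dst, port)].append(t)
    beaconing = defaultdict(list)
    for (src, dst, port), ts in by_pair.items():
        cv = beacon_score(ts)
        if cv is not None and cv <= max_cv:
            beaconing[(dst, port)].append(src)
    return {k: sorted(v) for k, v in beaconing.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    for (dst, port), hosts in find_hubs(FLOWS).items():
        print(f"possible C&C hub {dst}:{port} polled by {len(hosts)} hosts: {hosts}")
```

Two caveats a practitioner should keep in mind. Legitimate software beacons too (update checks, NTP, mail polling), so a hit points an analyst at an endpoint to investigate, it does not prove infection; whitelisting known update servers is the usual first tuning step. And the method only works against the centralized and hybrid designs: a true P2P botnet has no single hub for hosts to converge on, which is exactly why the answer above says those are far harder to disrupt.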

#4: Are all operating systems equally vulnerable to rootkits? Is there any advantage to using one operating system versus another?

Almost all commonly available operating systems -- Linux, BSD, Mac OS X, Windows -- are vulnerable to rootkits, either kernel-mode or user-land rootkits. These can be used to hide processes or files from the user. In the end, given that all systems have flaws and can be attacked, the only advantage one OS has over another is the research time devoted to it by an attacker.

#5: My computer's CPU usage is more than 50%, and outgoing network activity is far from normal, so I suspect my computer may be part of a botnet. How can I confirm this?

AV scans can be of some help, through a number of means, assuming it's up to date. First, if you can scan with multiple scanners, this can make a significant difference in the detection rates. This can be easily done with free online AV scanners, as every major AV vendor has them.

Second, scan with something like a rootkit detector to see if a rootkit has been installed; this is usually not a major source of traffic and CPU usage, but would indicate malware infections that may be hidden from AV or manual inspection.

Third, look at your external IP using a check my IP service and then query a tool to see if the IP address is blacklisted for spamming. This is another sign that your system is infected and is a spam bot. The tools at Robtex can be very helpful at this.

Finally, a tool like Trend Micro's RUBotted can help spot some signs of botnet participation. All of these tools can be used freely. But always be wary of software that claims to be free until it charges you a sum to clean up your system; that's usually a scam product.
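The blacklist check in the third step above can be scripted rather than done through a web form. What follows is an added example, not code from the article, Arbor Networks or Robtex. It implements the standard DNSBL query convention (reverse the IPv4 octets, look the name up under the list's zone, read the 127.x.x.x answer as a code) against Spamhaus ZEN, whose XBL component is the one that lists hosts observed emitting bot traffic. The return-code meanings in the table are those Spamhaus publishes for ZEN; confirm them against the current documentation before relying on them. The `resolve` parameter is there so the logic can be exercised offline with a stub; by default the system resolver is used.

```python
"""Checking whether a public IP is listed on a DNS blocklist (DNSBL).

Added example, not from the original article. Query convention: reverse
the IPv4 octets and resolve the name under the list's zone; NXDOMAIN
means "not listed", an A record in 127.0.0.0/8 carries a listing code.
"""
import ipaddress
import socket
import sys

ZONE = "zen.spamhaus.org"

# Listing codes Spamhaus publishes for ZEN (check the current docs).
ZEN_CODES = {
    "127.0.0.2": "SBL - verified spam source",
    "127.0.0.3": "SBL CSS - snowshoe spam source",
    "127.0.0.4": "XBL - exploited host (bot, open proxy, worm)",
    "127.0.0.5": "XBL - exploited host (reserved XBL code)",
    "127.0.0.6": "XBL - exploited host (reserved XBL code)",
    "127.0.0.7": "XBL - exploited host (reserved XBL code)",
    "127.0.0.9": "SBL DROP - hijacked or criminal netblock",
    "127.0.0.10": "PBL - ISP end-user range; policy listing, not an infection",
    "127.0.0.11": "PBL - Spamhaus-maintained end-user range; policy listing",
}


def dnsbl_name(ip, zone=ZONE):
    """Build the DNSBL query name: octets reversed, under the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything but IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def _system_resolve(name):
    """Default resolver: the A record as a string, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbl(ip, zone=ZONE, resolve=_system_resolve):
    """Return (listed, explanation). Answers outside 127.0.0.0/8, and the
    127.255.x.x values Spamhaus uses to reject a query, are never read as a
    listing; they are reported as inconclusive so a script does not raise a
    false alarm."""
    answer = resolve(dnsbl_name(ip, zone))
    if answer is None:
        return False, "not listed"
    if answer.startswith("127.255."):
        return False, f"query rejected by {zone} (code {answer}); retry via your own resolver"
    if answer.startswith("127."):
        return True, ZEN_CODES.get(answer, f"listed, unrecognised code {answer}")
    return False, f"unexpected answer {answer}; treat as inconclusive"


if __name__ == "__main__":
    # Usage: python dnsbl_check.py <your public IPv4 address>
    listed, why = check_dnsbl(sys.argv[1])
    print("LISTED" if listed else "not listed", "-", why)
```

Read the result with two qualifications. A PBL code is a policy statement that the address sits in a dynamic or residential range that should not be delivering mail directly; nearly every home connection gets one and it says nothing about infection. An XBL code does mean the address was seen emitting bot or proxy traffic, but behind carrier-grade NAT or a shared office gateway the offending machine may be someone else's, so treat the hit as a reason to scan every host behind that address, not as proof about the one you are sitting at.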

#6: I've heard that rootkit scanners aren't effective. Is that true? If scanners are effective only for certain types of rootkits, how do I know which ones to use? Which scanners would you recommend?

They're somewhat effective, but they're being defeated by newer rootkits. GMer is one of the better rootkit scanners. It is kept up to date with new techniques and appears to address almost all common rootkits.

#7: I thought my computer was protected by a firewall and antivirus program, yet the computer became infected with Rustock.B and ultimately a member of some botnet. I was told my only option was to completely rebuild the computer. I did, but what if anything can I do to prevent my computer from getting rooted again?

Keep up to date with AV software, keep updated on patches, don't run as Administrator (or with equivalent permissions), and run a personal firewall. If possible, if you're running Windows, run Vista, which does much of this for you. If not, use XP SP2. Make sure that your AV is enabled for e-mail and Web browsing.

#8: I'm a systems administrator for a typical company network. I assume that there's more risk, just from the sheer number of computers. Is there any information I can pass on to the users (especially mobile workers) that will minimize the risk?

Mobile workers are probably the most susceptible, as they enter hostile networks (e.g., the broadband networks they may use at home). They should be told to not ignore software updates, keep their AV updated, and not to cancel such updates or to disable such software. The benefits of these simple hygienic approaches can't be understated.

#9: Could you suggest any good sources of information related to rootkits and botnets (Web sites, forums, RSS feeds) that would allow me to stay current?

I maintain a website, InfosecDaily, that covers some of the better blogs and news sites. It's freely available. I also recommend a handful of major sites:

  • The F-Secure blog is very good and timely.
  • Obviously, I'm pleased with Arbor Networks' ASERT blog.
  • The filtered news stream from Team Cymru is also very good, selecting the best and most important stories of the day.

I use an RSS reader to fetch and maintain my news; RSS is vital to simplifying your daily news digestion in this business!

#10: From all that I've read, it appears as though there's very little I can do to prevent my computer from becoming a member of some botnet. Is that really the case?

I don't think so; I feel this is a winnable battle. The best things you can do are to keep your software updated; the base OS, your browser (most important), and any add-ons. Most bots and malcode get in by using well known vulnerabilities.

The next best thing to do is to keep your AV software updated; most people don't update their AV software -- hourly or even daily, in some cases -- and have no real benefit from it as a result. Finally, a good anti-spam filter can do wonders to prevent threats via e-mail.

Final thoughts

I'd like to thank Dr. Nazario of Arbor Networks for answering these questions and Jessica Sutera, also of Arbor Networks, for helping to make the question and answer session possible. I found the links to be especially illuminating. Oh, almost forgot GMer, which already has a special spot in my rootkit scanner toolbox.


Michael Kassner has been involved with communications for 40-plus years, starting with amateur radio (K0PBX). He now works as a network field engineer for Orange Business Services and as a consultant with MKassner Net. Current certifications include Cisco ESTQ Field Engineer, CWNA, and CWSP.

94 comments
Michael Kassner

Dr. Nazario took some of his valuable time to answer the members questions about botnets. Let me know what you think or if I missed any questions.

BALTHOR

Centralized is a rerouting of the phone company and decentralized is a laptop in the field. These observations are the most difficult to make. My computer is being terrorized. I see extortion as common. I expect to see many sites labeled as botnets by virus scanner software in the future to the point of shutting down the Internet. How are they doing this? The entire Internet has been rerouted and we are not seeing the real Internet. The attacks take place in the hacker's Internet system. Your site resides in the hacker network!

seanferd

I was surprised to read. This was interesting, and a bit contrary in the historical department. https://forums.symantec.com/syment/blog/article?message.uid=305374 And many current articles keep referring to Mebroot as "new", which it is not. edit: It's a virus. It's a trojan. It's a worm. It's a rootkit. So much for definition. It's a steampunk hypervisor.

Michael Kassner

I'm sorry I need to ask, do you consider Sinowal to be a rootkit? I never cease to be amazed at the ingenuity that is put into these applications regardless if they are considered rootkits or not.

JCitizen

Funny thing too; I kept getting hit with a UAC warning while reading this article. Something trying to install an IE7 addon. I canceled it of course. May be nothing but it has never happened to me this way before. I was not initiating any action whatsoever, just reading. Makes me paranoid just visiting TR these days! Michael, you're really hitting the home runs here lately, Thank You Very Much for all the hard work!

deepsand

No, the "entire Internet has" [b]not[/b] "been rerouted." And, there is no "hacker's Internet system." The "hackers" do not possess their own infrastructure, but merely use the same one as the rest of us. What is happening today with the 'net is in principle little different from its predecessor, telephone phreaking. The practical difference is that today's technology allows even the least skilled script-kiddies to play; phreaking required no small amount of technical knowledge & skill. Ironically, it is this same difference that actually makes it easier to detect & combat 'net hacking than 'phone phreaking. As for "sites" being "labeled as botnets," this view is based on a misconception. Botnets are comprised, [b]not[/b] of web [b]sites[/b], but of individual users' machines.

Michael Kassner

First, I'm honored to have you be the initial comment on one of my pieces, especially one that took a great deal of work. Second, you have expressed an opinion that's far-reaching in its scope and depth. I'm also concerned that the Internet as we know it will be changed due to circumstances beyond our control.

Michael Kassner

Good rootkits hang around and have all sorts of variants that aren't even known about. Srizbi is another one and has the honors of creating the largest current spam botnet. Deepsand, Thanks for that link, there is a wealth of knowledge there. I could spend months reading. Sean, You might be interested in the one about bootkits as it appears that is what Mebroot is.

deepsand

What with the press of time, I am only now learning of it. No matter what one calls it, though, it is most definitely highly sophisticated. I am particularly impressed by its avoiding heuristic detection by way of the noted installation delays. When I've the time for devoting my full attention, I'll be reading the cited material at http://web17.webbpro.de/index.php/analysis-of-sinowal .

Michael Kassner

Thanks, J. I appreciate your comments and help in making this article possible. I have one more coming next week about rootkit removal. That's been a hard one to get right. As for UAC, that's interesting. Was something trying to obtain admin rights and load an application? Was it when you were just on the page or when you were trying the links? I'll have to try this when my son gets home as he is the only one that has Vista.

Michael Kassner

Balthor has an "outside the box" viewpoint that looks at things differently. If one works hard enough it starts to make sense.

boxfiddler

(limited to the framework you employ here) appear to be in the works, for sure. It has likely been only a matter of time, from its inception, that yet another marvelous technology would be twisted into a tool highly useful in enlarging the divide between the 'haves' and 'have-nots'. As to the larger framework, circumstances have never been in our control, despite the minor influence we occasionally exercise upon them.

Michael Kassner

After reading this comment and your other one about comparing a computer and organic virus, I find it interesting that the success of a computer and organic virus are also similar.

Michael Kassner

Being an old fart, I see that concept in play all the time, actually in life in general as well. I find it fascinating for example that wide neck ties are back in style and my son hates the skinny ones that I have.

deepsand

Old techniques are constantly supplanted by new ones, and are eventually forgotten, until the day when someone re-discovers them and again puts them to use.

deepsand

1) Length of time deployed in the wild before detected. 2) Total no. of machines ever impacted. 3) Max. no. of machines impacted at a given point in time. 4) No. of variants spawned. 5) No. of times end goal(s) achieved. 6) Total dollar value of achieved end goal(s.) No doubt other measures might be applied as well; but, these should suffice to make the point that "success" is in the eye of the beholder.

Michael Kassner

I'm reading the polymorphic encryption paper or trying to. As you said there is a great deal of in-depth information there. I suspect some of the phrasing strangeness is due to English being a second language. It's still a very impressive site.

seanferd

I followed the reverse-engineering analysis up through the third article on the driver. The website (or collection of linked sites) is really cool, if somewhat strange to navigate, including some rather incomplete pages. I can see how that happened, though. It is rare, in my experience, to see such well-commented lines of assembly code. I can't read assembly language, but the explication and the code comments were quite clear, aside from the odd bits of rough translation when mixed with misspelling. Somewhere in the site I found reference to the very old boot sector virus stoned.angelina being shipped on Vista systems in Germany, with an AV already installed, which couldn't remove it. Funny how something from 1995 could affect the Vista boot sector.

seanferd

No, I haven't read the Vienna Computer projects page yet, just the Window Secrets articles. It will take me a while to parse, but it looks very interesting. I'm going to have to skip on out of here until later tonight or tomorrow. Second Thanksgiving with the other half of the family and all. Take care and have a good weekend.

Michael Kassner

Sean, as per your other comments. I'd like to ask if you went to the web site Deepsand suggested. I mentioned it with reference to bootkits. That web site has exactly what you referred to. The documents are very intense and have all sorts of good info.

seanferd

I did read the articles as well. FixMBR is so very handy a command. I was just surprised that Mebroot is still listed as the most successful, and also that it is still being referred to as "new", especially when considering the earlier variants from which it was built.

JCitizen

as injecting a small package is more advantageous; especially now that I have read Michael's article it makes even more sense. Of course just making hash of application vulnerabilities is no small feat, and a very practical programming tactic as well. The occasional "kill" would not be so bad if a percentage of successful exploitations were to be accomplished. Instability wouldn't be all that disadvantageous, but would make the victim very aware he'd been had, thank goodness.

Michael Kassner

That is a very interesting point, it seems to apply to a computer virus as well.

deepsand

quickly killed, do not live to reproduce. BTW, polymorphism is quite old; in fact, such viruses predate the 'net. In fact, self-altering code was in every competent programmer's bag of tricks as early as 2nd generation machines, along with the technique of using data as code, so as to be able to stuff 10 lbs. of code & data into a 5 lb. bag of memory.

Michael Kassner

In my research about polymorphic rootkits, the experts made mention on numerous occasions that the ability to morph leads to instability. Also I always think of how a natural virus has the ability to morph as well. Pretty amazing.

JCitizen

that information verified something I've suspected for some time; that malware borrows code from previous successful malware tools to complete its nefarious mission. Actually this rootkit like behavior fits the definition of virus to a tee. A natural virus borrows RNA code to replicate and continue. Today's digital mega-viruses borrow lines of code from previous successful malware, and modify the type, timing, and subroutines to complete a new variant that is highly likely to finish the job the taskmaster intended. Some of the peripheral information pointed to something you and seanferd related, on how unstable these "bootkits" can become if one iota of code is not properly written during the install phase. Good thing to see Vista is at least resistant to this particular family of threat.

JCitizen

I think I ducked a bullet on that one. This is why I can't understand why people think the UAC is such a nag; it is way more utilitarian than Comodo's Defense + . As far as character strings, Google has become amazingly accurate when such undecipherable phrases are entered. I've learned not to underestimate its usefulness.

deepsand

I've no knowledge re. timeouts under UAC. As for the string of odd characters, and assuming that such was the file name of an .EXE file whose installation was being attempted, then I hazard a guess that there is a high probability of its being malware. The use of random character strings as file names is an old trick; absent any pattern that is recognizable to and/or likely to be used by the user, the likelihood of its being remembered or discovered by the user is greatly reduced. And, in such case, it is quite probable that, had you managed to record the name, you still would not have found it via a search, owing to the app having changed its name upon installation and/or periodically thereafter. An old and common ploy is for such an app to: 1) Rename itself under a new randomly generated name upon installation; 2) Write a Start/Run Once entry to the Registry using the new name; and, 3) Repeat step 1 & 2 on each re-boot. Not too difficult to find & eradicate if one knows about this technique, and is willing and able to manually search & edit the Registry; otherwise, a most effective ploy.
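The manual Registry search deepsand describes can be turned into a repeatable check. The following is an added example, not code from any commenter or from the article. It assumes exactly the ploy above: an executable that takes a random name and re-registers itself under the Run or RunOnce keys at each boot. It enumerates those four keys with Python's standard `winreg` module when run on Windows, and scores every autorun value on two assumed heuristics, whether the value name or file name looks random (high character entropy, almost no vowels) and whether the program launches from a user-writable location such as Temp or AppData. The sample entries and the thresholds are constructed for illustration.

```python
"""Flagging random-named autorun entries in the Run / RunOnce keys.

Added example for the persistence trick described in the comment above;
not part of the article or the thread. Registry access is skipped on
non-Windows hosts so the scoring logic can be exercised anywhere.
"""
import math
import re
import sys
from collections import Counter

RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

# Directories an unprivileged user can write to (assumed list; extend it).
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads)\\", re.I)

# Constructed sample: (registry location, value name, command line).
SAMPLE = [
    (r"HKCU\...\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKLM\...\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    (r"HKCU\...\RunOnce", "xkq83zpwd",
     r"C:\Users\alice\AppData\Local\Temp\xkq83zpwd.exe"),
]


def shannon_entropy(text):
    """Bits of entropy per character of `text` (case-folded)."""
    if not text:
        return 0.0
    counts = Counter(text.lower())
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name):
    """True for names like 'xkq83zpwd': at least 6 characters after the
    extension is removed, high entropy, and under 25% vowels. Real product
    names with pronounceable stems fall below one of the two thresholds."""
    stem = re.sub(r"\.[a-z0-9]{1,4}$", "", name.lower())
    if len(stem) < 6:
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    return shannon_entropy(stem) >= 2.8 and vowels / len(stem) < 0.25


def exe_path(command):
    """Pull the executable path out of a Run value: a quoted path, or the
    first whitespace-delimited token when the path is not quoted."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def score_entry(name, command):
    """List the reasons an autorun entry deserves a look (may be empty)."""
    path = exe_path(command)
    reasons = []
    if looks_random(name):
        reasons.append("random-looking value name")
    if looks_random(path.rsplit("\\", 1)[-1]):
        reasons.append("random-looking file name")
    if USER_WRITABLE.search(path):
        reasons.append("runs from user-writable directory")
    return reasons


def suspicious_entries(entries, min_reasons=2):
    """Entries with at least `min_reasons` hits, as (location, name, command, reasons).
    Requiring two hits keeps legitimate AppData-installed software off the list."""
    out = []
    for location, name, command in entries:
        reasons = score_entry(name, command)
        if len(reasons) >= min_reasons:
            out.append((location, name, command, reasons))
    return out


def read_autoruns():
    """Enumerate the four Run/RunOnce keys; returns [] off Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    found = []
    for hive, sub in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], sub) as key:
                i = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, i)
                    except OSError:  # index past the last value
                        break
                    found.append((f"{hive}\\{sub}", name, str(value)))
                    i += 1
        except OSError:  # key absent or access denied
            continue
    return found


if __name__ == "__main__":
    entries = read_autoruns() or SAMPLE
    for location, name, command, reasons in suspicious_entries(entries):
        print(f"{location}\\{name}: {command}\n    {', '.join(reasons)}")
```

The name-randomness test is a heuristic and will occasionally flag a legitimate vendor utility with a terse name, which is why the report lists the reasons rather than deleting anything; the point is to surface entries worth pulling apart, and to re-run the check after a reboot, since the ploy above means the name you saw last time will not be the one you see now. Run and RunOnce are also only the simplest autostart locations; services, scheduled tasks and Winlogon entries deserve the same treatment.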

JCitizen

This wasn't one of those yellow bar requests by Internet Explorer for example a flash download. This must have been something that came in from a webpage I suspect, drive by, if you will? All of my previous UAC admin logon requests have been for named files, that were recognizable. I couldn't copy the ID so I was about to type it in notepad when it suddenly went away. I assume there is a timeout to the UAC? (edited) I had several pages open at the time besides the TR site, so there's no telling where it came from. I should have noted that for reference, just where I was visiting; but I didn't. I've since been getting flash errors, but this is unrelated I'm sure. Apparently Vista handles all IE addons totally separately by account/profile.

deepsand

download, install or execute? Was the referenced "string of letters" the name of the file in question?

Michael Kassner

It was trying to gain admin rights to execute? I really don't have much experience with Vista, can you tell? So can you help an old fart understand UAC?

JCitizen

wanted permission, just a string of letters. Now I'm getting Adobe flash download indicators; although that makes sense, I already have the latest flash player. I installed it yesterday!

Michael Kassner

In the general scheme of things for this and my other articles I was trying to simplify and make the connection between rootkits and botnets. In my research, I got the impression that if one would rate what rootkits were used for, a very high percentage would have to be given to creating bots.

deepsand

Many & various types of malware possess such capability; but, it is not an integral part of a root kit. The purpose of a root kit is simply to gain a level of system control so as to prevent another from using the system's own tools as a means of discovering its presence. A root kit is not an end unto itself, but rather one particular means of achieving an end.

deepsand

should serve to illustrate the absence of an accepted definition of a root kit in the Windows environment; and, that such phrase may need to suffice.

Michael Kassner

I wanted to make sure you saw my answer and I posted it in the wrong spot initially. I wish they would change the limits on comments. I don't quite understand the rationale behind the limits.

seanferd

I replied to your similar post above. This thread is getting ... spaghettified, as if it were falling into a black hole, which it isn't. I think it's heading back toward the light. :)

seanferd

I guess that the average reader doesn't much care about which bit of code serves what purpose, only that bad things can happen and that they may be hidden from the OS and AV. Specificity is important in order to provide clarity to those initiated into the world of malware sometimes. It is also a good CYA move in regards to potential reading by serious security experts or those of us who can be sometimes very picky (like me). :) Right now, I really would like a clear definition of "rootkit" arrived at by consensus of some respected experts - not from the AV industry, thank you very much, who cannot even issue standard names for malware. Hopefully, defining "rootkit" or types of rootkits, or malware which uses some type of rootkit-like behavior, would be easier than discerning whether Kraken is really just Bobax (which itself has, like, ten other names, y'know?).

Michael Kassner

I agree with your concepts, Sean. I think my mistake was that I didn't see the need to isolate rootkit from botware. In the general scheme of things, I still feel that way. If the discussion gets detailed as in this case, I should have defined in detail the individual components of the malware associated with botnets into dropper, loader, rootkit and botware.

seanferd

Yes, that is more like the way I understand it. I just don't know the current frequency with which bots present rootkit behavior. Considering I have found references to "application level rootkits", I am entirely unsure as to what rootkits are anymore. Is CSRF or XSS a "document level rootkit"? :D I think I'll need to get back to current primary sources in order to make any further assessments on this topic. I need to see dissection of real malware packages that are currently in the wild to know how these things are set up, both in particular cases, and on average. It is a bit mind boggling when I get into this in-depth, as I haven't really been keeping up with the internals of contemporary malware. It is all so very interesting, and also of great concern. Whatever label we use, I thank you, Michael, for blogging on these topics. Great discussions ensue. edit: Are you familiar with Dancho Danchev's blog? He's also on ZDNet with Ryan Naraine. http://ddanchev.blogspot.com/

seanferd

The only rootkit for which I can find a reference for phoning home is the Sony rootkit. The rootkit did not actually phone home, the DRM software it was hiding did that. AFAIK, communicating with C&C and lateral propagation is done by the bots, which may or may not have built-in rootkit tech. I suppose it all depends on the division of labor for the code. Some malware will use other parties' rootkits to hide (including Sony's), so they don't need their own at all. Then again, here http://netsecurity.about.com/od/frequentlyaskedquestions/qt/pr_bot.htm it is said that bots take complete control of a computer, which indeed would mean that it is a Windows rootkit. I'm still thinking, though, that all bots may be rootkits, but not all rootkits are bots (i.e., active on a network or phoning home, or taking orders). I have previously had the thought, now further reinforced, that type definitions of malware are nothing short of miasmic, especially in popular usage.

Michael Kassner

How about this. Most botware that I know of uses rootkit technology to install itself.

seanferd

Perhaps I've been missing things, but I've never associated network activity or phoning home with rootkits. Botware certainly phones home and probes the network neighborhood, and other malware may send data home, but I've associated rootkits with only one thing: subverting the OS to hide from the OS, anti-malware, and users/administrators. A lot of infections use discrete code to perform separate functions, and some may lump functions together in code (the botware may have rootkit behaviors), but I've never seen phoning home as being a qualification for, or as being integral to a piece of code being labeled as a rootkit. I do believe I need to do some further reading in regards to your angle on this.

Michael Kassner

I agree with your definition of malware/crimeware, Sean. The component that I don't see you referring to is the command and control or ability to phone home. In my definition of rootkits, that is always a key ingredient. As I stated earlier, my intent was to hopefully make the connection between rootkits and botnets. The very fact that everyone has a different idea is probably why there isn't a concerted effort to deal with them.

seanferd

Again, I suppose it partially depends on what one would consider a Windows rootkit. Is anything that hides itself a little bit a rootkit? Personally, I'll use the term rootkit to describe a piece of code if that is the popular characterization used by the anti-malware community, rightly or wrongly. I won't be too particular about it, for if a strict definition is used, there probably aren't too many out there that really subvert NTAUTHORITY/SYSTEM in a comprehensive way. Fooling AV doesn't always require rootkit type behavior. Fooling a user into installing malware with administrator rights does not require a rootkit, either, whether via "social engineering" or attacking a machine where the user is always running with admin privileges. The other part, and more to my original point, is that rootkits simply aren't required for crimeware to do its job. Crimeware users, unless doing targeted attacks, really don't care about attrition because expansion is on the flip-side. Crimeware is business, and it is probably easier to alter the code of payload software once it is recognized by AV and the security community than it is to redesign a rootkit once it becomes easily detectable. Again, they are also entirely unnecessary when the user has allowed installation. Crimeware is a serious business, it is quite organized, with marketing, competition, theft of IP, statistics and analysis tools, and a variety of services available. Economically, they have found, currently, that they just don't need to invest in rootkits to make their money. They certainly are in use, but they aren't a necessary element of every successful malware campaign. As an aside, I find that all malware is hard to remove, even when it is easy to remove, as I'll keep looking for that rootkit or regenerating executable or registry entry that will bring about re-infection, long after I've killed it all. :p I always expect there to be more.

boxfiddler

if you were truly (my apologies to those among us who don't like that word) a person of ruts, the word awesome would not have entered your mind. Boxes.

santeewelding

(We) shove your ass out the door first. That way, (we) get to see what happens first.

Michael Kassner

Deepsand and Santee, I have to make sure that I mention my appreciation of your forcing me to look elsewhere. I'm a person of ruts and moving out of my areas of limited expertise is scary. Yet both of you push me there and I appreciate that shove.

boxfiddler

falls on all if the GW folks are correct.

santeewelding

Not be carried away. Of first, second, and third-tier laws of thought, you tarry still with the particular and necessary, but lesser. On occasion, you brush the underside of more. I hold hope.

deepsand

That is high praise indeed!

deepsand

yet another mis-positioned post

deepsand

"... do their jobs economically." Because, under Windows, "Administrative" privileges are sufficient for the task. A true root kit, in the original sense, would have the equivalent of Windows "System" privileges. But, since "Admin." privileges will suffice & are easily had, and true "System" privileges much harder to come by without breaking anything, there is no economic advantage to putting effort into securing the latter. By way of analogy, consider the hunting of birds that flock; e.g., ducks, geese, quail, or doves. One uses a shotgun, rather than rifle. Not only is the shotgun a less expensive firearm, but, it is more readily obtainable, is more easily maintained, and the ammo is much cheaper. And, that most of the shot will hit nothing but air is of no import; enough will hit something. With bot-nets it does not matter if a few are detected and lost; there are plenty more to be had, with more becoming available even as we here speak.

santeewelding

Present such a blizzard of detail. Yes. I suppose you must. Thanks.

santeewelding

So long as they know to decry one head up one ass at a time, in spite of the bottom line. At least you didn't spell it, "defiantly".

deepsand

You are quite right to believe that that traffic will be light, as such is only required in order for a bot to get its next marching order. The extent to which such traffic is detectable depends on how many C&C servers are used, whether they are at a fixed or variable location, and whether they are addressed via IP Address or URL, with the 1st of each choice being the more vulnerable to detection. The most secure C&C centers are those which have the zombie randomly generate a URL, one which the bot master may or may not have registered, until it receives an HTTP "200" status code. In this manner, the bot master can shift the URL to any IP Address available to him, at any time he chooses, thus presenting no observable traffic pattern to a local external observer such as an ISP. Additionally, such serves to provide for a fall-back position should a server for any reason become unavailable.

Michael Kassner

You have been bewildering me for longer than I care to remember. You definitely know what I was referring to. Oh, must I remind you that welders like yourself build and make our world a better place.

santeewelding

Do it without "symbiosis" and them other big words. For us welders, you understand.

Michael Kassner

HP did pretty much the same this last August for the ProLiant server. http://news.cnet.com/HP-ships-USB-sticks-with-malware/2100-7349_3-6236976.html Also, I guess I should have been more descriptive in my definitions. One of my major goals in doing the series on rootkits and botnets was to point out their symbiotic relationship. Which is to say, I'm only really concerned with rootkits that install phone home capabilities to garner access to a botnet. I understood that I might get some positive fallout from my articles. If you can remove a rootkit with the applications I mentioned, there is a better than average chance that other malware will be found and for the most part removed as well. Well, at least the logic sounded good internally, along with all the voices. I believe now that I should have been more specific. Actually, it sounds like there's enough interest to tackle that as a series of its own.

JCitizen

here in the hinterlands, has been similar to elsewhere, I'm sure. I must admit cable users were more prevalent, but I've had a few on highspeed DSL. Out of these clients only one did not keep the machine logged on and running 24/7/365 days a year. That client had a LimeWire install infected in the recovery FAT32 section of the HP computer, and was reinfecting the OS image even on recovery wipe. It wasn't all that sophisticated, however, as an old obsolete version of Spybot Search and Destroy was able to detect and defeat it. It did require a midscan reboot and follow up with restore turned off and system files unhidden, done in safe mode. If she hadn't been turning the machine off after each use and powering down her router, I suspect the bug may have updated itself into something more vicious. This client employed no AV/AS, as is typical. The rest of my forays into this subject were easier to fix, and the clients were totally clueless to computer security, and typically had some well known P2P bugs running as server, and only some of the bots bothered shutting down during user sessions to lower their detection signatures. I hardly considered them rootkits, especially when analyzing the LimeWire problem, because it came on the factory recovery CD as well as the recovery partition. Of course HP may have been clueless as well in those days. That incident was dated 2005 and things have changed a lot since then, but I still get clueless clients that refuse to maintain their computers even if they have AV/AS already previously installed. They just don't do their updating and scanning, and end up blaming the mess on the AV/AS utilities. The very thing that could save them. Ultimately they uninstall them and wonder why their computer doesn't work anymore. I tell them it is because they are not using their machine anymore; the bot is. When you look at the traffic on their modem it is obvious what is going on.

Michael Kassner

I've heard some good things about BotHunter. I like the fact that it emphasizes network activity (uses a Snort engine) and not installed files. The authors are claiming it will detect HTML C&C traffic and that is of significant interest to me. It's also available as a LiveCD, which adds capabilities. I'm researching the application now and would love to hear your thoughts on it. I was going to try and include it in the article, but I didn't feel that comfortable with it yet.

santeewelding

That it's shortly after 7 am my time on a quasi-holiday and I'm reading -- hanging on -- every word of all this. By the by, Michael, I downloaded BotHunter last night to play with. Means I have to play with ipconfig and nslookup and DNS server numbers for insertion.

Michael Kassner

I agree with both you and DeepSand, as I mentioned my intent was to elevate general knowledge as I do feel that rootkits are a significant issue. Just remember McColo. Also I don't quite understand what you meant here: "They just aren't necessary for botnets and other malware to do their jobs economically."

seanferd

Begging everyone's pardon, I do believe the discussion has sort of gone cross-purposes here, so I'm just going to inject my 2 cents. (Is 2 cents injection worse than SQL injection?) I hope this post isn't too meandering. Cable ISPs can identify botnet-infected computers by watching traffic patterns in the loops via logs. Patterns that have a very low likelihood of occurring in the absence of a botnet. They can also identify C&C if there is direct communication between the C&C server and bots, once they have identified infected computers, by looking at the common IP addresses with which they all communicate. Bots frequently communicate with each other and uninfected neighboring machines while looking to spread, looking for the C&C server if it moved, or because they don't necessarily communicate with C&C at all times for instruction in the first place (consider the possible mechanics of fast-fluxing domains). Windows rootkit malware is a different sort of animal than the true rootkits of unix, and is of a much broader stripe. Colloquial usage stretches the operant definition of rootkit even further in meatspace userland. Would one consider the Sony rootkit a rootkit? If a Windows rootkit isn't a rootkit, we need another term, or we need to specify Windows rootkit. Debating the relative merits of calling this sort of thing a rootkit in a Windows environment is probably best left to its own discussion, as the term is a) well established and, b) technically incorrect. Windows rootkits do not necessarily provide full root access (call it administrator or system-level access), but may gain some root-like access, or simply employ techniques which hide their attendant malware from systems and administrators. Hooking the kernel, employing null-terminated registry entries, or hiding in alternative data streams can define a piece of malware as a rootkit, rightly or wrongly. A rootkit may use some sort of virtualization technology without being a true hypervisor.
"Nebulous" is indeed a good way to characterize the concept of Windows rootkits. Of course, all malware that use some sort of "stealth" do not qualify for rootkit status, however loosely defined. Trojans, worms, droppers, or hybrids thereof have used stealth tactics for a long time without being considered rootkits, and different security vendors will label the same piece of malware code differently, not just in name, but in type. This continues to complicate discussions of the already ill-defined Windows rootkit. So mote it be. I don't think that rootkits are necessarily all that prevalent, and are probably in use less than they were in the recent past, but the real cause for concern with rootkits is that you may never know if there is one on a system unless you go looking. I have no idea how many rootkits would even stay resident once the actual first round of business-end malware is installed, but installed rootkits may also be a future vulnerability or liability. And when the next script kiddie or 1337 hAxOR wants to display his chops for kicks or to break into the crimeware business, there will be another rootkit to annoy us. They are a problem, just not as big a problem as was predicted in the past. They just aren't necessary for botnets and other malware to do their jobs economically.

Michael Kassner

You were referring to the one additional method that bots propagate by IM or peer to peer deception on the same subnet. I understand that now. As for the HTML traffic that goes out to a public IP address, that would in most cases be less than the number of hits Google gets on any given day. So it would be very difficult to isolate that particular stream. I guess my point is that the traffic to the C and C servers would be very light, usually just one HTML header.

deepsand

Propagation is effected, not by C&C, but to a very large extent by the zombies themselves. Once a machine on a particular sub-net has been compromised, it then seeks to recruit others within that sub-net. This is effected by way of brute force probing of all IP Addresses within that sub-net, probing that is done by way of absolute IP Address, rather than by requesting a resource via a URL/URI. This type of behavior is easily detected. Additionally, a zombie's communications with C&C are likewise done via absolute IP Address. Repeated calls to the same absolute IP Address are also easy to detect. It is this type of behavior that can & should be detected by ISPs, and acted on accordingly. Absent zombies, a C&C center is useless.

deepsand

If I gave that impression, such was unintentional and went undetected. Botnets are indeed a very large problem; however, root-kits are neither necessary nor widely employed for the building of such.

Michael Kassner

I do not understand why you always refer to the fact that the command and control server will be on the same subnet, where the ISP can then monitor the specific HTML traffic; that is almost never the case. McColo was the command and control center for bots all around the world and not even remotely on the same ISP's network. I also value your being precise about definitions. I guess my ultimate goal was to have a better informed public that will help eliminate the problem. I guess you don't feel that botnets are a problem, but it's hard to refute the effect of shutting McColo down and the immediate and significant drop in spam.

deepsand

There are here 2 fuzzy factors in play - 1) the origin of the word "root" as it here applies, and 2) the terminology used by the popular press. "Root" originated with UNIX, which has a "super-user," or "systems administrator" known as the "root user." As the "root," one has absolute control over the entire system, and is thus in position to not only install that which is desired, but to take any and all measures as might be needed to render any systems assets, files and processes invisible to other users. Windows clients lack such "super-user;" there can be any number of users with Administrative Privileges, none of which is superior to another. Absent such "root user," a Win based application which wishes to achieve the same degree of control as is obtainable by a "root" on a UNIX or UNIX-like platform must substantially modify the OS kernel itself, along with a host of DLLs and Drivers, in order to completely hide its presence. And, it must do so in a manner that leaves the platform sufficiently operable so as to not raise suspicions on the part of the user(s). Like a biological disease, it must allow the victim to survive at least long enough for its purpose to be realized. This is no mean task. Consequently, very few true "root-kits" for Windows based clients are developed. Instead, "root-like" techniques are employed to cloak the most important and/or most easily discovered components of the infectious application. Which brings us to the matter re. the popular press. Articles such as the cited work published in PC World are directed, not at the cognoscenti, but at the average reader. Accordingly, they make no effort at explaining such as is above set forth, but rather focus on what the reader might remember and understand from a quick read of a short work.
For example, with respect to "Rustock," the writer, assuming that he himself would understand the distinction, makes no effort to inform the reader that that application installs but a single driver that employs techniques common to true root-kits, but that these techniques are also used by applications other than root-kits, and these to only partially conceal its presence. And, it is perhaps the case that none of the "experts" interviewed themselves made an effort to explain the fine nuanced differences to the journalist, believing or knowing that, for whatever reason, such would in no way change that which was ultimately written and published.

deepsand

Just as heuristics can be used for identifying potentially undesirable activity by an internal application, so too can they be used to similarly evaluate external activity. The IP Addresses assigned to individual subscribers by their ISPs are not randomly chosen, but drawn from a pool of contiguous numbers belonging to a block assigned exclusively to that ISP. It is exceedingly rare that a subscriber would knowingly and with intent repeatedly 1) make a request for resources that would reside on a legitimate server residing within their IP Block, and/or 2) make such request by way of a direct call to a specific IP Address, rather than by URL [i]vis-a-vis[/i] the DNS system. However, this is precisely what a zombie machine does when seeking other machines to penetrate and subvert and/or communicate with its peers and/or handler. In short, such behavior is exceedingly suspicious; and, it is easily observed without the necessity of deep packet inspection. Having ISPs identify & take action against such machines can & should be a 1st line of defense. A neutralized zombie is of no more use to a bot-net than is a machine never compromised.

Michael Kassner

I'd love to know how one HTML command can be dropped over another. I may be missing something, probably am.

JCitizen

You say port 80 HTML packets cannot be analyzed; am I misunderstanding CheckPoint's claims that they can filter misbehaving port 80 traffic? Depending on what is temporarily infecting my honeypot, I get several port 80 outbound blocks on what is mostly worm traffic. They are obsolete mostly, but even the new ones are examples of malware that took advantage of vulnerabilities that have been recently patched (fortunately).

Michael Kassner

I guess like anything there will be various opinions about a semi-nebulous subject. The article stated that it took a while to find Rustock.C, a rootkit. What about the rootkits that they still haven't found? Also, all of your comments about ISPs being able to control this have not addressed rootkits that use HTML for command and control.

deepsand

Deep packet inspection is not needed for identifying misbehaving machines, those that repeatedly & persistently transmit packets to other machines within the same IP Address Block and/or repeatedly prematurely cancel their existing IP lease and request a new one (this in an attempt to mask their identity by frequently changing IP Addresses). Having identified such machines, Comcast, or any other cable ISP, can then contact the subscriber, and insist that their machine be scanned & cleansed, and that appropriate measures be taken to guard against future infestations.
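The flow-log heuristics deepsand describes in his posts above (a subscriber host sweeping other addresses inside its own IP block, and repeated call-backs to one fixed outside address by literal IP with no DNS lookup first), as an added example that is not part of the thread. The subscriber block, the hosts, the flow records and the thresholds are all constructed assumptions; only who-talked-to-whom is used, no packet payloads.

```python
"""Flow-log heuristics for spotting zombie machines on an access network.

Added example, not code from this thread or from any ISP. It implements the
two signals described above: (1) a subscriber host that contacts many other
addresses inside its own assigned IP block, and (2) a host that keeps calling
back to one fixed outside address by literal IP, with no DNS lookup preceding
the connection. Ordinary flow or firewall logs suffice; no DPI is required.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed subscriber block; a real one comes from the ISP's allocation.
SUBSCRIBER_BLOCK = ip_network("10.20.30.0/24")


def build_sample_flows():
    """Constructed flow records: (src_ip, dst_ip, dst_port, dns_resolved).

    dns_resolved is True when a resolver log shows the host looked up a name
    answering to dst_ip shortly before the flow, False for a literal-IP call.
    """
    flows = []
    # Zombie at .5: sweeps its neighbours on 445, then beacons to a fixed
    # external handler by bare IP, repeatedly, with no DNS activity.
    for last in range(7, 13):
        flows.append(("10.20.30.5", f"10.20.30.{last}", 445, False))
    for _ in range(6):
        flows.append(("10.20.30.5", "198.51.100.23", 80, False))
    # Ordinary user at .40: browses a resolved site, talks to the gateway once.
    for _ in range(3):
        flows.append(("10.20.30.40", "203.0.113.10", 80, True))
    flows.append(("10.20.30.40", "10.20.30.1", 53, False))
    # User at .77 who typed one address by hand: a single unresolved flow.
    flows.append(("10.20.30.77", "203.0.113.50", 443, False))
    flows.append(("10.20.30.77", "203.0.113.10", 80, True))
    return flows


def score_hosts(flows, block, probe_threshold=5, beacon_threshold=5):
    """Return {src_ip: [reasons]} for hosts in `block` that behave like zombies."""
    probed = defaultdict(set)                        # src -> distinct intra-block dsts
    beacons = defaultdict(lambda: defaultdict(int))  # src -> external dst -> count
    for src, dst, _port, resolved in flows:
        s, d = ip_address(src), ip_address(dst)
        if s not in block:
            continue                                 # only score our own subscribers
        if d in block:
            probed[src].add(dst)                     # signal 1: intra-block contact
        elif not resolved:
            beacons[src][dst] += 1                   # signal 2: literal-IP call-back
    findings = {}
    for src in set(probed) | set(beacons):
        reasons = []
        targets = probed.get(src, set())
        if len(targets) >= probe_threshold:
            reasons.append(f"contacted {len(targets)} distinct hosts inside {block}")
        for dst, count in beacons.get(src, {}).items():
            if count >= beacon_threshold:
                reasons.append(f"{count} unresolved call-backs to {dst}")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in score_hosts(build_sample_flows(), SUBSCRIBER_BLOCK).items():
        print(host, "->", "; ".join(reasons))
```

Only the .5 host crosses both thresholds; the gateway contact from .40 and the single hand-typed address from .77 stay below them, which is the point of counting rather than alerting on any one literal-IP flow.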

deepsand

"Storm" is a "Worm." It employs no root-kit techniques, and is very easily detected & removed. Symantec rates it as a "Level 1: Very Low" threat. "Rustock" is a "Backdoor Trojan Horse." Although it employs [i]some[/i] root-kit like techniques, techniques that are [u]not unique to root-kits[/u], it does not alter the OS itself so as to fully cloak itself, but simply installs a driver which hides its files and Registry entries from casual observation. Thus, it is easily detected; and, removed with moderate ease. Symantec rates it as a "Level 1: Very Low" threat as well. "Hacker Defender" is actually a tool used for [b]creating[/b] malware; specifically, it is a "Trojan Creation Tool." And, while it does indeed employ root-kit techniques, it itself is not the payload to be delivered to a target machine, but rather a tool for creating such. Since all Trojans created using "Hacker Defender" share common code & behavioral characteristics, they are frequently, though technically improperly, referred to as "Hacker Defender," "Backdoor:HacDef" or similar. And, even though it is readily available, both in source and binary form, it is its open source nature which makes it easily detected and removed. In fact, it is generally rated as a "Very Low" threat.

Michael Kassner

How is an ISP supposed to distinguish acceptable from covert HTML traffic, especially when it's instigated by the client? In reality, the simplistic beauty of this attack vector is quite amazing. I realize that you are referring to a different botnet command and control system, but HTML is the structure of choice, and drive-by droppers make it very simple. Just think about all of the Windows machines in existence that are not fully patched and vulnerable.

deepsand

If I can, simply by looking at firewall logs, determine which machines on Comcast's loops are attempting to penetrate other machines on the loop, why can Comcast not do likewise? And, by extension, determine which are attempting to jump the loop to other machines in the same IP Address Block? Is there any reason for them to assume that all, or even some small portion, of that intra-IP Address Block traffic is legitimate?

Michael Kassner

I see the same issue cropping up and that's why the botnets are growing. ISPs can't stop HTML traffic any more than a user can stop a drive-by dropper from infecting their computer that isn't patched. It's really that simple.

JCitizen

that the use of rootkits is exploding. And when you think of it, if an attacker is to gain control of a business for criminal activity, they would have to employ them as a minimum. I assume all businesses have more security than the average Joe/Jill. However, for botnet activity, this would be unnecessary as the clients I run into everyday refuse to practice even the least security measures. It just doesn't take any effort to own their machine. Deepsand's comments on efforts by ISPs to at least attempt to secure their clients will have the greatest impact on the problem, if they can make it usable to the client without a lot of fuss (IMO).

Michael Kassner

I'm curious to learn what you think about Hacker Defender, Storm, or the various versions of Rustock. I guess I'd consider them pretty successful rootkits. Knowing that between the three of them they have subverted over a million computers and that's using pessimistic estimates.

deepsand

From Wikipedia, "[i]The term rootkit or root kit originally referred to a maliciously modified set of administrative tools for a Unix-like operating system. ... Since then, similar software has been developed for other operating systems, and the term rootkit has been broadened to include any software that surreptitiously alters an operating system so that an unauthorized user can take arbitrary control of the system.[/i]" On Windows client platforms, there is no "root" user, no single "system administrator;" many users can have administrative privileges. Furthermore, it is not necessary to modify the OS, as a true root kit does, in order to achieve at will control of a machine; all that is needed is some well placed and properly crafted entries in the Registry Hive. The sole benefit of employing a root kit is that, by properly modifying the OS and its administrative tools, one cannot use such tools to in any way detect or access that which the root kit hides. Implementing a root kit installation is in fact no different than that of applying a series of legitimate OS patches; and, as is witnessed by the number of such patches that themselves create new problems, the design of a flawless root kit is no mean feat. Given the difficulties inherent in designing a well behaved root kit, and that effective control of a machine can be achieved by easier and more reliable means, it should come as no surprise that root kits are seldom deployed.

Michael Kassner

Rootkits are necessarily needed, but are now the preferred attack vector as they use a drive-by dropper, which makes it easier for the attacker. Then they hide the malware. Rudimentary AV applications with up-to-date signature files will catch normal malware, but not rootkits.

JCitizen

deepsand wrote: "Within the past year they have begun to provide their subscribers with McAfee countermeasures, with use being voluntary; to what extent such measures have been adopted I cannot say." AT&T has begun providing customers with a CA solution; their Symantec trial was a disaster. I've had to help a lot of clients remove any IE addons attendant to Norton and other registry entries so they could get functionality again. I agree with your assessment on the state of most bot-net victims. They have such poor security that their computers are owned without the need of root kits.

Michael Kassner

I'm curious to understand your comment about rootkits being quite rare. It's my understanding that they are actually quite prevalent, otherwise there wouldn't be millions of computers involved in botnets. I'm also concerned that the use of drive-by dropper applications will render firewall applications ineffective as the dropper uses port 80 and HTML to install the malware.

deepsand

As a general observation, I long ago noticed, by way of examining firewall traffic logs, that it is those who use cable who are most susceptible to having their machines turned into zombies. Given the physical connectivity of those on the local loops, along with the IP addressing schemes used by the providers, employing brute force techniques to locate possible targets is quite effective. While a relatively simple firewall was sufficient for combating such, for quite some time Comcast seemed to turn a blind eye toward such activities within their systems. Within the past year they have begun to provide their subscribers with McAfee countermeasures, with use being voluntary; to what extent such measures have been adopted I cannot say. In any event, the only infection that a client of mine who used cable experienced after I installed firewalls & an AV app owed to an infection internally introduced by a white box builder who, rather than install Spybot Search & Destroy, installed an imitation that was actually malware. With respect to machines using DSL or T1 connections, the observed rate of attempted penetrations is well below that for cable. Here, but 2 incidents were experienced. Both machines were very old boxes, running Win 95 (so as to support mission critical legacy apps), and without sufficient resources to continue to run current versions of anti-malware apps; their sole protection was the perimeter firewall for the LAN. A single user, one with very bad web surfing habits, was responsible for his machine being infected with Cydoor & Spyware Sheriff, which in turn invited a host of other undesirables to join them. After I'd rehabilitated his machine, he 2 days later did the same to another user's machine! In both cases, a manual examination of the Registry Hive, and no small amount of time, sufficed for identifying & removing all of the miscreants. None of these 3 incidents involved root-kits. 
From my readings it is my understanding that their use is in fact quite rare, owing to the facts that 1) their effective use requires more expertise than do other attack vectors, and 2) the latter are presently sufficiently effective for the needs of bot masters.

Michael Kassner

Thanks, I wasn't sure and hoped that I could be of some help. I'd appreciate hearing any experiences that you have with botnets and/or getting rid of rootkits.

deepsand

However, I also know that, in this case, making it "look" sensical will not make it so. And, I think it important that others who might pass this way also know this.
