Botnets: How to get rooted in one easy lesson

In discussions about botnets, how and why a computer becomes part of a botnet are two questions that get asked quite often. Like most things in life, the answers aren’t simple. Michael Kassner sets out to provide some answers about the origins of botnets.

 

I noticed a trend in the comment section of my article "Botnets: Bigger Isn't Always Better." People wanted to know how a computer becomes a bot and why it's so hard to detect when it happens. Thinking about this must have put me in one of my moods (often mistaken for daydreaming), because my son asked me what was wrong. I explained my quandary, and in his infinite wisdom, he said, "Well, why don't you (looking at me with that dahh expression) write about it, and then everyone will know." Hmmm, I knew that.

Botnet or rootkit, which came first?

Becoming part of a botnet requires installing a remotely controllable command-and-control client (the bot) on the computer under attack. The tool of choice for keeping that client in place is the infamous rootkit, because it can hide the bot's files, processes and network connections from the user and from security software while letting them keep running. For more detail about the inner workings of rootkits, please refer to my article "10+ Things You Should Know about Rootkits."
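The hiding described above is also the rootkit's weak spot: a rootkit that filters the process list has to lie consistently to every interface that can reveal a PID, and most don't. The following is an added example, not code from the article or from any named tool, of the cross-view check that rootkit hunters such as unhide perform: list /proc, independently probe every PID with kill(pid, 0), and report anything the second view knows about that the first view omits. It assumes a Linux-style /proc; the thread-ID exclusion and the double listing are there to avoid the two common false positives (threads, and processes that start or exit between views).

```python
"""Cross-view detection of processes hidden from /proc (added example).

A rootkit that hooks directory listing of /proc hides a process from ps,
top and anything else that enumerates /proc.  It usually does not hide the
PID from the kernel's signal path, so probing PIDs with kill(pid, 0) gives
a second, independent view of which processes exist.  Disagreement between
the two views is what this script reports.
"""
import os


def pids_from_proc(proc="/proc"):
    """View 1: PIDs visible as numeric directories under /proc."""
    try:
        names = os.listdir(proc)
    except FileNotFoundError:
        return set()            # no /proc here (e.g. macOS), nothing to compare
    return {int(n) for n in names if n.isdigit()}


def thread_ids(listed, proc="/proc"):
    """Thread IDs of the listed processes.  kill(tid, 0) succeeds for a TID,
    but TIDs never appear as top-level /proc entries, so they must be
    excluded or every multi-threaded program looks 'hidden'."""
    tids = set()
    for pid in listed:
        try:
            tids |= {int(t) for t in os.listdir(f"{proc}/{pid}/task") if t.isdigit()}
        except OSError:
            continue            # process exited between views, or not readable
    return tids


def pids_from_probe(max_pid=None):
    """View 2: PIDs that answer a signal-0 probe, regardless of /proc.
    Walks 1..pid_max; on a modern kernel that can be 4194304 probes, which
    takes a few seconds in Python."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as f:
                max_pid = int(f.read())
        except OSError:
            max_pid = 32768
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)      # signal 0: existence check, nothing delivered
            alive.add(pid)
        except ProcessLookupError:
            continue             # ESRCH: no such process
        except PermissionError:
            alive.add(pid)       # EPERM: exists, owned by someone else
    return alive


def hidden_pids(listed, probed, threads=()):
    """PIDs the probe found that neither the listing nor its threads explain.
    Pure function so it can be checked on constructed inputs."""
    return sorted(set(probed) - set(listed) - set(threads))


if __name__ == "__main__":
    before = pids_from_proc()
    probed = pids_from_probe()
    after = pids_from_proc()          # second listing absorbs PIDs that appeared meanwhile
    listed = before | after
    for pid in hidden_pids(listed, probed, thread_ids(listed)):
        print(f"PID {pid} answers kill(pid, 0) but is missing from /proc: investigate")
```

Run it as root so PermissionError is rare and the probe is fast; a non-empty result is not proof of a rootkit on its own, but it is exactly the inconsistency that the hiding techniques in the rootkit article leave behind.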

In that article I didn't spend much time on the propagation process, and I'd like to correct that now. Malware that delivers the rootkit is called a blended threat because it consists of three parts: the dropper, the loader and the rootkit. I'd like to focus on the dropper, since that's where much of the confusion lies.

Dropper program

The dropper is a program whose sole purpose is to get its payload past security and antivirus applications. I liken droppers to the Transformer toys my son used to play with: a dropper makes itself and its payload (the loader and rootkit) look like benign code. It usually does this by encrypting, compressing or otherwise encoding the payload, so that a scanner sees an opaque blob rather than the malicious bytes it knows. A signature-based scanner can only catch it if it already has a signature for that particular packaging, which is why scanners fall back on heuristics: static clues such as a section with unusually high entropy, or watching what the program does once it runs.
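To make the signature-versus-heuristic point concrete, here is an added example (not code from the article, and the "payload" is a constructed placeholder string, not malware) of a toy dropper transformation: XOR with a fixed key followed by base64. A byte-pattern signature that matches the plain payload finds nothing in the packed form, while the classic packed-file heuristic, Shannon entropy per byte, still flags it. The key, marker string and 5.4-bit threshold are assumptions chosen for the demonstration.

```python
"""Why a dropper's transformation beats signature matching (added example).

PAYLOAD is a constructed stand-in for a loader/rootkit; the packer is a toy
(XOR + base64).  Real droppers use stronger encryption and custom packers,
but the effect on a byte-signature scanner is the same.
"""
import base64
import hashlib
import math
from collections import Counter

# Constructed placeholder payload.  The marker string plays the role of the
# byte pattern an antivirus signature would match.
PAYLOAD = (b"example bot loader placeholder, not real code: contact the controller "
           b"at an invalid example host, wait for orders, fetch the rootkit, keep it "
           b"resident across reboots, hide its files and processes from the user and "
           b"from any scanner that happens to be installed, and report back on the "
           b"same schedule every day until told otherwise by the operator. "
           b"EXAMPLE_BOT_MARKER_7F3A")

SIGNATURES = [b"EXAMPLE_BOT_MARKER_7F3A"]                   # what a signature scanner knows
KEY = hashlib.sha256(b"constructed dropper key").digest()   # 32-byte XOR key (assumption)


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: bytes, key: bytes = KEY) -> bytes:
    """The dropper's transformation: encrypt (toy XOR), then encode."""
    return base64.b64encode(xor(payload, key))


def unpack(blob: bytes, key: bytes = KEY) -> bytes:
    """What the dropper does at run time, in memory, to recover the payload."""
    return xor(base64.b64decode(blob), key)


def signature_match(blob: bytes, signatures=SIGNATURES) -> bool:
    """Static signature scan: does any known byte pattern appear verbatim?"""
    return any(sig in blob for sig in signatures)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0..8.  Text and code sit around 4-5;
    encrypted or compressed data approaches 8, and base64 of it approaches 6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def heuristic_verdict(blob: bytes, threshold: float = 5.4) -> str:
    """Packed-file heuristic: flag anything far above the entropy of normal
    text or code.  Legitimate compressed and encrypted files trip this too,
    which is why it is a heuristic rather than a signature."""
    return "suspicious" if shannon_entropy(blob) > threshold else "clean"


if __name__ == "__main__":
    packed = pack(PAYLOAD)
    assert unpack(packed) == PAYLOAD
    print("signature hits plain payload :", signature_match(PAYLOAD))
    print("signature hits packed payload:", signature_match(packed))
    print(f"entropy plain  = {shannon_entropy(PAYLOAD):.2f} bits/byte")
    print(f"entropy packed = {shannon_entropy(packed):.2f} bits/byte")
    print("heuristic on packed payload  :", heuristic_verdict(packed))
```

The scanner that wants to see the real payload has to either recognise this exact packaging (a signature on the packer) or let the program run and inspect memory after it unpacks, which is the behavioural side of heuristics.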

Dropper versus trojan

Many experts consider dropper programs to be reverse-connect trojans. Trojans typically consist of two parts, a client and a server. Originally the server (the listening half) was placed on the attacked computer and the client ran on the attacker's computer; the attacker then connected to the server through the client. All was good in the attacker's world.

Then NAT came into wide use. A NAT router does not forward unsolicited inbound connections to the machines behind it, so the client could no longer reach the listening server and the original style of trojan stopped working. Being clever, attackers reversed the direction: the infected machine now opens an outbound connection to the attacker, which NAT routers (and most firewalls) allow by default. Hence the name reverse-connect trojan. All is good in the attacker's world again.

The reason experts consider droppers to be trojans is their use of trickery. Simply stated, trojans and droppers are malware that appear to be something they're not, à la the original Trojan Horse. For example, one of the earliest methods used to get malware installed on computers was to offer free screensavers. The trouble was that the screensaver was a screensaver in name only; in reality it was a trojan, now installed on the computer with the user none the wiser.
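The reverse-connect design hands the defender one thing to look for: since the bot has to call out to pick up its orders, it contacts the same controller again and again, typically on a schedule. The following is an added example, not from the article, of flagging that pattern in an outbound-connection log. The log lines are constructed, and the assumption is a fixed check-in interval with slight jitter; real bots add more jitter or blend in with Web traffic, which the coefficient-of-variation tolerance absorbs only up to a point.

```python
"""Spotting a reverse-connect bot by its check-in rhythm (added example).

The same internal host opening connections to the same external host and
port at a nearly constant interval is the footprint a calling-home bot
leaves in firewall or NetFlow logs.  Human-driven traffic is bursty, so the
gaps between its connections vary widely.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log: timestamp, source host, destination, port.
# 10.0.0.23 calls 203.0.113.7:443 roughly every 60 s; 10.0.0.41 is browsing.
LOG = """\
2008-11-03T10:00:00 10.0.0.23 203.0.113.7 443
2008-11-03T10:00:00 10.0.0.41 198.51.100.10 80
2008-11-03T10:00:05 10.0.0.41 198.51.100.10 80
2008-11-03T10:00:07 10.0.0.41 198.51.100.11 80
2008-11-03T10:01:01 10.0.0.23 203.0.113.7 443
2008-11-03T10:01:59 10.0.0.23 203.0.113.7 443
2008-11-03T10:02:00 10.0.0.41 198.51.100.10 80
2008-11-03T10:02:10 10.0.0.41 198.51.100.10 80
2008-11-03T10:03:01 10.0.0.23 203.0.113.7 443
2008-11-03T10:04:00 10.0.0.23 203.0.113.7 443
2008-11-03T10:04:59 10.0.0.23 203.0.113.7 443
"""


def parse(log: str):
    """Yield (timestamp, src, dst, port) from the constructed log format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)


def find_beacons(log: str, min_count: int = 4, max_cv: float = 0.2):
    """Return {(src, dst, port): mean_gap_seconds} for flows that are both
    frequent (at least min_count connections) and regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between successive connections.  Browsing and mail score well above
    max_cv; a scheduled check-in with modest jitter scores far below it.
    """
    times = defaultdict(list)
    for ts, src, dst, port in parse(log):
        times[(src, dst, port)].append(ts)

    beacons = {}
    for flow, stamps in times.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            beacons[flow] = round(m, 1)
    return beacons


if __name__ == "__main__":
    for (src, dst, port), gap in find_beacons(LOG).items():
        print(f"{src} -> {dst}:{port} checks in every ~{gap:.0f} s; "
              f"possible reverse-connect bot")
```

Note that the beacon here uses port 443, which a port-based rule would wave through; the regularity, not the port, is the signal, and it is the same signal a NAT router or proxy log can give you without any agent on the suspect machine.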

Dropper's cat-and-mouse game

You can see how this has turned into a proverbial cat-and-mouse game between attackers and computer users. By design, this kind of game eventually leads to discovery of the scam, so instead of discussing specific examples that may already be out of date, I'd rather describe the generic approaches attackers use today, with a great deal of success I might add. Once the attack vectors are understood, it should become easier to spot specific examples of how a computer becomes a bot:

  • Drive-by download: This is the scary one. The attacker builds (or compromises) a Web site that exploits an unpatched vulnerability in the browser, a browser plug-in or the operating system. All the user has to do is visit the site, and the dropper is loaded onto the computer without any further action on their part.
  • User interaction: This covers a whole host of possible attack vectors, from simply opening a malicious attachment to clicking a link that sends the Web browser to a malicious Web site. A good example of a cutting-edge exploit that requires user interaction is clickjacking, as explained in my recent article "Clickjacking: Potentially Harmful Web Browser Exploit."

These are the two methods used by most dropper programs at present. Hopefully, knowing this will raise a red flag when something you're doing on your computer just doesn't feel right.

Exploit definitions

There are a few more terms that I'd like to look at. By doing so, I hope to dissipate some FUD and allow everyone to make educated judgments when deciding how seriously to take a malware warning. On many occasions security pundits get a bit overzealous, reasoning that it's better to err on that side. The only problem is that most users can't react that fast, so they ignore the warning; then, if nothing happens, they feel the expert was crying wolf yet again. So here they are:

  • Proof of Concept: A proof of concept (PoC) is a mechanism or application used to prove whether an idea is viable. A good example is the clickjacking exploit. Clickjacking was known to be an issue for a long time, but it had no clout until researchers released a PoC. What does this mean to users? There's some breathing room, but if the technique is interesting enough and easy to assemble, malware developers will be all over it in short order.
  • Zero-day exploit: Often confused with zero-day malware, but the two are different concepts. A zero-day exploit takes advantage of an application or operating system vulnerability that is unknown to, or undisclosed to, the vendor, so no patch exists yet. The name refers to the vendor having had zero days to fix it; from the user's side it means there is nothing to patch with while the exploit is already in play, so any protection has to come from elsewhere (disabling the affected component, filtering, or waiting for the vendor).
  • Zero-day malware: This refers to active malware strains so new that security and antivirus applications have no signatures for them. This is a real problem, especially since attackers like to keep zero-day malware quiet for as long as possible. You may remember my run-in with Rustock.B and my mentioning that experts are almost positive Rustock.D is out as well, yet no one knows anything about it. Rustock.D would therefore be considered zero-day malware, and there's precious little users can do about it.
  • In the wild: Self-explanatory to some extent, and the counterpart of a PoC. Malware said to be in the wild is being used by attackers against real computers, not just demonstrated in a lab. The following chart (courtesy of Viruslist.com) shows the growth in the number of rootkits seen in the wild:

[Figure: rootkit-graph.jpg, growth of rootkits in the wild, courtesy of Viruslist.com]

Final thoughts

I hope that I was able to provide some answers for those who were wondering how a computer gets rooted and why it's so hard to detect the process. Logically my next step is to provide solutions for detecting rootkits and removing them. I'd like everyone to stay tuned as it should get interesting.


About

Information is my field...Writing is my passion...Coupling the two is my mission.

57 comments
Craig_B

Watchguard is a security company that makes some appliance type boxes to help secure your network. They also offer free videos on security, including botnet and rootkit videos. I recommend that you check them out here: http://www.watchguard.com/education/videos.asp

andrewv

As an average Joe user, what's the best way to protect my PC?

Michael Kassner

I was so close to getting blacklisted due to an Exchange server being rooted. Are there any other similar circumstances? I ask this as there doesn't seem to be any checks and balances in place to fix or refute being placed on such a list.

Jaqui

I have made it habitual to install anti-rootkit software first thing when I install an OS. Since I'm strictly open source, that and a firewall are the only anti-malware defenses available. The antivirus and anti-adware software that runs on Linux doesn't look for malware that could potentially infest the host; they only look for malware for Windows systems. Rootkits are the most significant threat to a Unix or Unix-like operating system; since these operating systems use privilege escalation for administration, it makes them particularly vulnerable to botting from rootkit exploitation. Most distros have an anti-rootkit package available, but do not install it by default. [rkhunter being the current favorite to have in the repositories]

Michael Kassner

Becoming a member of a botnet keeps getting easier. The first line of defense is understanding the process of getting infected. I've had the experience and it was just that. Have any of the members experienced a rootkit infection leading to being botted? Has anyone had the opportunity to have several computers on one network be part of a botnet?

Retired007Geek

Andrew, I'd suggest the following: a router w/NAT, Comodo Pro Firewall (free for home use), AVG Anti-Virus (free for home use), Windows Defender (free), AdAware 2008 (free), Spybot Search & Destroy (free). Do we see a pattern here? Except for the router (hardware) it's all free and good. I've been installing this stuff on home users' machines for years with nary a security incident afterwards. You just have to invest a little time learning how to use them.

Michael Kassner

I've a few more articles coming out that will try and address the problem. Right now the only for sure method is to reformat and reload the operating system. Please stay tuned.

Michael Kassner

Thanks for the link. I've used LiveCDs with the appropriate applications and scanners on them to some success. There is that lingering doubt though, not sure how to get rid of that. I'll have to check into that Strider Ghostbuster.

rbees

I haven't really used Windows since I got my laptop, which I installed Debian Testing 64 on, and I have had no problems with bots or rootkits on any of my Linux boxes. I did have some problems back in the day with Windows on my wife's box and XP (viruses only, I think). Now I have a Linux router/firewall in the setup. I also insist that my users use some other browser than Internet Explorer, mostly Opera. And for critical I have installed Firefox with the NoScript add-on. Lately I have learned some things, thanks to Michael, and I am not so convinced that I am as safe as I used to think I was. Please keep up with the great info so I can continue to do a better job of securing my system. Thanks again.

Michael Kassner

Thank you for responding. I know your involvement with Linux, so I'm very curious to learn if you have any information as to any Linux equipment ever getting rooted, especially to become part of a botnet. It again is for my research.

ls_220

Recently, I was the entire IT staff of a small college. We had pretty good perimeter protection, NATed, IPDed, AVed, w. Barracuda firewall, PacketShaper and CISCO PIX and network analysis module on the Catalyst switch. I held very tightly to admin access on everything the college owned, but had to allow privately owned devices onto the network (student and faculty owned computers). Can anyone spot the hole here? While traffic levels were monitored, they tended to vary widely depending upon the vagaries of student interest in online gaming, etc. I spent less time monitoring traffic than instructing professors on proper use of mice and print servers. One day connection to the cloud just stopped. After rudimentary efforts on our end I called AT&T (our ISP) and was informed we had been forcibly cut off due to complaints from a Fortune 100 firm that had identified our outside IP as the source of a DDoS attack. It seems one of the college president's senior staff had downloaded a "screensaver" which had subsequently crawled around the campus infecting everything inside the perimeter. Although I never did get every machine cleaned (the college has since closed permanently) I was able to block enough outbound traffic to reduce the DDoS attack to manageable dimensions. AT&T placed a two-week block on our IP address, so I had to promote a second IP (previously held in reserve) to get back online. Older and much, much wider.

Timbo Zimbabwe

"Have any of the members experienced a rootkit infection leading to being botted?" Having had teenagers in the house and, like most of them, using Kazaa or some other pirating, er, uh, peer file sharing product, I think I did get infected once. After not finding the culprit of system slowdowns, high CPU cycles, etc, I decided to just re-image my PC. As you pointed out previously, it is difficult to tell if you've been infected. I decided from that point on that I would not have administrative access to my PC through my personal profile, but would instead use the "run as" to do any of the administrative tasks that were needed to be done. I realize that some exploits circumvent security altogether, but at this point, my account cannot be used to install any software and the administrator account has been renamed to make it less of a target. As usual, another great article from you, Michael. Keep up the good work, we appreciate it.

pgit

I usually see on average 2-3 a month. Usually XP but I had one Vista machine infected. Most of these people are pretty good about keeping up with AV and updates etc. It's just getting too dang easy for someone to push a script. I try to get everyone to use firefox and noscript. I tell them there's 80% of your protection from the current and growing variety of mayhem. Alas most people say noscript is a "pain in the a##" and don't use it. A few understand what's going on and do use it. I don't see those folks as often. But I do see a few folks repeatedly. Teenagers in the house... [EDIT]: great article as usual, informative.

tailee

Hello, I was wondering if you could provide me with the dummy version on how to tell if you're infected and how to fix it. Thanks so much, Tracey

Michael Kassner

I would still strongly suggest that the first thing any user does is to get imaging software and when they have their computer setup as they like it make an image. That still is the only for-sure method of eliminating any kind of polymorphic (the trend is towards that style) malware. For example, any HTML-based rootkit will side-step all of the applications you suggested.

pgit

I've looked at it experimentally a few times. I couldn't afford the brain sample needed to keep it straight. I ended up weighing "my eyes tell me I'm keeping things pretty secure here without it" against "how paranoid am I?" Thank God there's plenty of diversions for my paranoia outside IT. Might still look at it again someday, though. Meantime I keep imagining inotify might be something of value in the vein of a tripwire...

Jaqui

Looked at Tripwire. The idea is good, but I haven't looked at the product.

Michael Kassner

Your experiences are invaluable to me. I have been following this and it's starting to be the typical MS versus Linux debate. I appreciate that, yet my research gets skewed, since the mainstream press isn't reacting that way. Is it because of the number of existing units or the quality of the OS? I'd appreciate your thoughts on this.

Michael Kassner

That's great information, I'm not a Linux type yet, so I appreciate the comments about how this applies to Linux.

pgit

Been running Linux for 10 years, set up hundreds of systems including internet-facing servers of all varieties. I've never had a machine compromised, except for one Smoothwall that fell to an exploit that had been patched several months earlier. The operator forgot to check updates. =(

Jaqui

For the rootkit detection, chkrootkit and rkhunter are the two I work with. Firewalls, well, those options are much larger, at least as far as user interface goes. The least complex option is effectively the firewall included on consumer-level routers, just on your system instead. Unfortunately, because anti-rootkit tools are not installed by default, GNU/Linux systems are currently the fastest growing number of botted systems online. [I think it was Secunia or Qualisys that issued that report, though I'm not positive.] With more and more people running Linux in some fashion, it is becoming more of a target. With Ubuntu being so broadly used, the insecurity in its default configuration is a starting point for Linux infestation.

Michael Kassner

I sincerely appreciate your comments. Did you get to determine the dropper and rootkit? I'm sincerely sorry for what happened and I can empathize as I've been there too. I know what I'd do differently, but I and (I suspect) the members would humbly like to know what you'd change. How would you prevent the use of private devices on the college network?

Michael Kassner

Hello, Timbo I really appreciate that information, it aligns with my research. It's my hope that I can determine a different approach rather than re-imaging the computer. Or at least determine that there isn't a better approach and allow users to save time wasted on trying to remove the malware.

Michael Kassner

Sorry to bug you, but I'm very curious to learn if you are referring to generic malware or rootkits specifically. Knowing this makes significant difference in my research.

tailee

Thank you so much and I will definitely stay tuned.

Michael Kassner

Hello, Tracey I understand your questions as it's mine as well. Simply because what you are asking is a huge point of frustration with me as well. Please know that I'm working on it and hope to have some semblance of an answer for you and the members. Stay tuned, sorry for the cliche, but as of right now it's all I have.

Neon Samurai

You have to check your daily logs or admin emails and update the rule set once a week for regular changes. I've also read recommendations to write your Tripwire database to a CD or other read-only media so it can't be modified until the next week when you update it.

Michael Kassner

I think one point to consider is who's using the OS. A server is going to be maintained by a professional. A home user isn't as worried about OS health, they just want it to work. I suspect that has a great deal to do with the problem.

Neon Samurai

Servers hold more valuable information than client nodes. In the server market, the Unix-like OSes are the majority share: the big target, or popular kid. Unix-like OSes are still not being overrun and affected by known code the way the Windows genetic family is. I do think there would be an increase, but I don't think it would be anything close to the current malware library. I think that because identified flaws in the Windows family are left in place by choice for third-party AV companies to patch. "It's not a problem with 'our' Windows products, it's a problem with third-party program XYZ. They need to fix it." Of course, the reason program XYZ could be exploited is because of the flaw in the underlying Windows systems which remains unfixed and repeatedly exploited by variations on the same theme. In the Unix world, exploitable flaws left outstanding are rare. They do happen, but not nearly as frequently. I have to admit too, though, I am curious to see how it would really play out with a different OS in the majority market share.

Michael Kassner

I'm not sure if the security debate will ever be resolved. It seems to not be just in the IT world.

rbees

I am not sure that I am qualified to answer that question. But it seems to me that the mainstream press does not endorse Unix flavors because of the momentum that is Microsoft based. You know the whole "teach them when they are young and you will have them for life" thing. People in general are not turning to the nixes for that reason. They don't want to learn something new when what they have works OK. I don't think I have ever convinced anyone to take up Linux. Even my wife and kids. They just don't want to leave their entrenched MS software and games behind. As for your question, I think it is a combination of both. First, there are many more MS boxes in use, and people don't take security seriously. For instance, my wife's friend. She is on a cable modem and a couple of years ago she called me to clean out her box because it was running really slow. I ended up doing a complete reinstall and she lost a whole bunch of special pictures and whatnot. At the time I told her to get a little D-Link router or some other brand and put it between her modem and computer. Big surprise, she never did it. Last week she called me again with problems with her new Vista-powered box. Her user profile and all of her, this time business, files and data were gone, and she wanted me to get it back. I did not succeed, and the Geek Squad didn't either. As far as I know she still does not have any kind of firewall between her and the internet. My point: security is not taken seriously by the masses. The other aspect I see is that the nixes seem to be more secure, and generally I think they are. But would they be more susceptible if they held a larger market share? I ask this because then they would be more widely targeted. My understanding is that the code to rootkit or bot a Linux system is a lot harder to write and therefore weeds out the less able crackers. And so with the small share it has it is not as widely attacked.
Were it more mainstream, more crackers would make the effort to develop their skills and we would see more of these nix-based rootkits. To put a percentage on it, giving MS some benefit because of its market share and vice versa to the nixes, I would say 70-30. My 2 cents.

Michael Kassner

I wonder if attackers that focus on Linux rootkits are more savvy? I've been reading that may be the case, as Linux users are typically power users and more interested in all aspects of IT.

Jaqui

I have never had one infect a system. My understanding is they effectively go after the admin password. Once they have that, the system is completely exposed. Canonical's distros, Ubuntu, Kubuntu, ..., all use an END USER password for admin access. This even though they target the average end user of Windows for their user base. The lack of good habits fostered by Windows' "run as administrator" practice makes these distros ripe for rootkit exploitation. In Chad's security blog Chad and I detailed a best-case config for any Linux/Unix OS to help protect the system. This config actually only hurts usability when it comes to administration: user login, they have to su to a different user account, then sudo the admin tool, with a THIRD password to actually use the admin tool. A rootkit will catch the user password for the su, but it would have to start itself as a process as that user to catch the admin password. The tools to catch rootkits check for signals on specific files to see if there may be one infesting the system, then it also checks userspace executables to see if they are rootkits.

Jaqui

You now can point out that the privilege escalation model used in Unix and Unix-like operating systems makes them extremely vulnerable to exploit by rootkits. Each system needs to have some sort of anti-rootkit tool installed and being used regularly.

Michael Kassner

Oops, I also wanted to ask if the users have any leeway as to what's on the computers or are they locked down?

TBBrick

Use standard image based on ws model and to a lesser degree what the workstation is used for. No patient data is kept on workstation, [or should *not* be ;-) ]so it's just a matter of making sure the image has as much of the usual suspect programs on it.

Michael Kassner

You have an interesting situation dealing with HIPAA, does that require a standard image for every user or is there some latitude?

TBBrick

I'm at a medical group, 600+ employees, 90+ providers. It takes forty forevers to find the malware in the first place, and then one really never is certain that you got it completely. Add the HIPAA issues we have to deal with, better safe than to be sued.

Michael Kassner

I guess I'd look at what is the weakest link or simplest entity to subvert and that will be the next target.

Dumphrey

as it is now. Im thinking hypothetically down the road. A "what if" scenario. Its easy enough to imagine.

Michael Kassner

It is my understanding that mp3s can be malware. I don't think that malware can infect mp3s though.

Dumphrey

but at home I use them very rarely. It seems to me that soon enough someone will be using some type of steganography to embed the executable in an mp3 or .jpg.

Michael Kassner

PDF files are that way now. I think attackers are going to stick with web pages and web apps for the foreseeable future as they are so easy to subvert.

Dumphrey

when data files are no longer able to be trusted. bye bye iTunes library, time to fight with Apple to recover... And with the slow evolution to small, portable laptops and home server storage, it will become much more important to provide security in depth to protect your data. I would cry if I had 500GB of no longer trusted data :( I'm not sure how much longer we can really go on with home users being uneducated about security. They know to lock their doors and windows, not talk to strangers, and be alert in "bad areas". But apparently many people do not make the connection that the internet is an unsafe place with access to your "home/privacy."

Michael Kassner

I'm grudgingly agreeing with you. I suspect that dumb computers with simple images will become the norm. If there's some sort of a problem, just re-image. I guess my concern with that is it's not what I would consider an elegant solution. The good guys are losing and that's just sad.

Slamlander

ANY form of virus infection makes the entire system suspect, whether it's Windows or *nix. There are more ways to hide malware than there are bytes on a HDD and you can never be sure, short of re-imaging, that you've removed the bugger. There is no 100% reliable way to remove a virus, short of re-imaging.

pgit

I've tried a bunch, but haven't really been able to tell if one is better than the other. I started with P.H.L.A.K, then Helix, a custom Slax disk I made, onward to LinuxDefender, Ultimate Boot and others... Anyone have experience with one or two to the degree you prefer it/them, and/or can recommend it?

Michael Kassner

If you'd like to experiment, I'd try a LiveCD with several of the scanner apps on it. Even some AV scanners as well. With the OS dormant, you might be able to capture the malware files.

Dumphrey

problem is just that, confirming a rootkit. The older ones should be noticed by rootkit hunter, icesword, blacklight.... but the newer ones will still be invisible to these programs I think. But the behavior should be the same, high traffic, weird high use processes. Any thoughts on this Michael?

pgit

Good distinction, which I have rather neglected to keep count of. Most of course is basic malware, like your "Antivirus 2009" garbage. But there have been numerous machines that displayed rootkit behavior. Unfortunately, for the sake of time (and cost) I elect to back up and wipe these machines as soon as it's obvious we're not dealing with the typical junk. For instance, Friday, an XP machine with two symptoms: a slew of traffic originating from the machine going out over port 80, and one instance of "svchost" running that consumed at minimum 96% of system resources. On most machines, running Malwarebytes' "mbam" gets rid of near everything except perhaps a trojan or other virus. Then I uninstall whatever anti-virus app is on board, install AVG Free and run it, which usually finishes the job. Back in business in a couple of hours. But this machine, after doing this, still exhibited the same behavior. No software having found it, and only the underlying "svchost" instance showing that much activity, I assumed this machine had been rooted. Mbam and AVG said it was clean. I see similar on occasion, a couple a month it seems. What would you have me do to confirm, in such instances? Run rkhunter or the like? Have you had luck in removing/repairing such a system, rather than wiping and reinstalling? For the sake of research I'll take the extra step from here on out, to confirm the presence of any rootkits.