Botnets are not a new threat, but they are a serious one. Amassing the resources of possibly millions of compromised PCs, attackers use that combined power for all sorts of nefarious activities.
Since their inception, botnets have been one of the more difficult threats to neutralize, and new and innovative techniques are making this malware even more difficult to stop.
Bots: the building blocks of botnets
Bots — shorthand for “robots” — are not inherently malicious and come in various forms, such as web crawlers, Internet bots, chat bots, IRC bots, and gaming bots. Search engines, for example, use bots as web crawlers — small apps that sweep up information about other websites. IT admins could use them to automate or remotely initiate specific tasks.
Bots can emulate human interactions on computers — though at much faster speeds than true human interactions. For purposes of this discussion, bots are applications installed on personal computers. They typically monitor a designated Internet Relay Chat (IRC; more info) channel for specified commands. They then act on those commands.
It didn’t take long for cyber criminals to see the potential power in bots. If a bot can perform remote tasks for admins, it can also execute malicious code on behalf of an attacker. They also discovered that their malicious bots could be easily scaled, quickly compromising and linking tens of thousands or even hundreds of thousands of PCs.
Once infected, those systems would join a botnet, quietly monitoring an IRC channel — and wait for instructions. (For Star Trek fans, the Borg will immediately come to mind.)
Taking control starts with phoning home
In most cases, when a botnet executable compromises a PC, its first action is to connect with an Internet-based command-and-control (C&C) server and request instructions. Usually, it’s directed to download additional malware components — code that will help the botnet remain hidden on the compromised system. It might also be instructed to download malicious code that a cyber criminal wants spread to other systems.
After that initial activity is completed, the bot typically lies dormant in the PC, quietly waiting for new commands from the C&C server. That reliance on Web-based servers makes a botnet relatively easy to disable. If you can locate the malicious server and either block it or take it offline, you effectively render the botnet useless — even if every bot-infected system is still technically compromised.
Effectively, cutting off the head kills the snake.
Due to their sheer numbers, it should be no surprise that Windows machines make up the bulk of botnet-compromised personal computers. In recent years, Microsoft has worked closely with the U.S. Federal Bureau of Investigation and Department of Justice to hunt down and close major botnets — by going after malicious C&C servers.
Distributing botnet command-and-control
Cyber criminals are nothing if not resourceful. Faced with a rising tide of C&C shutdowns, they simply came up with a more innovative approach.
“Over the past five years, more and more botnet operators mimicked Conficker [a type of digital worm; more info]; they moved to a peer-to-peer command-and-control infrastructure,” explains Sophos senior security advisor Chester Wisniewski. He added, “While [this technique is] more complicated to code, it makes dismantling botnets and identifying their operators significantly more difficult.”
All PCs in a botnet are part of a peer-to-peer, command-and-control structure. Like the Borg in Star Trek, if one member is eliminated, its duties are simply taken up by the next “Borg” in line — and the threat continues.
When a botnet no longer has a single point of failure, taking it down requires eradicating the bot malware from all compromised systems — a daunting task, compared to simply shutting down a few C&C servers.
To protect themselves further, attackers added an additional layer of complexity. Wisniewski states that cyber criminals are combining the peer-to-peer botnet approach with Tor.
Short for “The Onion Router,” Tor (more info) is an open-source project intended to help users remain anonymous online. Tor bounces traffic across multiple random points on the Internet to obfuscate its true source.
According to Wisniewski, “This doesn’t make detection any more difficult, but it does make takedowns and arrests significantly harder. If we had to identify one advancement that’s making it harder to put these guys in jail, it’s this.”
The best defense is an updated AV app
Two of the most prevalent botnet threats are Cutwail and Zeus. Cutwail is primarily a spam bot that uses compromised systems to distribute massive amounts of spam. But Cutwail is also used to deliver a Zeus payload.
Zeus is more nefarious; it’s a Trojan designed to capture sensitive financial information. Recently, Zeus has also been the source of a more insidious threat: CryptoLocker. CryptoLocker is a ransomware threat that encrypts your data and holds it hostage until you pay a ransom for the decryption key. (See Susan Bradley’s Oct. 24 Top Story, “CryptoLocker: A particularly pernicious virus.”)
Individuals should fight off bots with standard anti-malware practices. Keep Windows and your AV software fully updated with all security patches. Use strong passwords. Monitoring outbound traffic and checking open firewall ports can also help. (Some ISPs, such as Comcast, are now blocking port 25, commonly used for email.) Periodically check your firewall logs for traffic that seems anomalous or suspicious. You might catch bot-based malware attempting to phone home to its C&C servers.
Organizations might also look for suspicious traffic from the Internet — such as the use of Tor for no valid or authorized purpose. Security experts often recommend using a layered defense. In the Internal Auditor story, “Botnets could be invading your network,” the Fighting Botnets section lists steps businesses should take to fend off bots.
For more on bots and botnets, see:
Subscribe to our Windows Secrets Newsletter - It's Free!
Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!
Subscribe and get our monthly bonuses - free!
Want to hack the new Start screen and tiles for your Win8 Device, the new Lock screen, the new tile-based apps, or the automatic notification information? Yes, you can do that. How about running other operating systems inside Windows 8, running Windows 8 on a Mac, or hacking SkyDrive and social media? We'll show you how to do that as well. Get this excerpt and other 5 bonuses if you subscribe now!