Botnet Survivor: Outwit, Outplay, Outlast Bot Herders at Their Own Game
Apr 2, 2008 4:00 AM PT
Early adopters are typically characterized as progressive risk-takers who have little to lose and much to gain. Following this logic, it makes perfect sense that within this crowd we find bot herders -- hackers who control a large number of compromised PCs (or bots) for malicious purposes.
Yet it's unsettling that these unsavory characters are using some of the industry's most promising technologies to further their criminal agendas. Whether we like it or not, the fact of the matter is today's bot herders employ strategies and tactics that look more like a set of IT best practices than a conspirator's playbook.
Take peer-to-peer (P2P) technology as an example. P2P has evolved from enabling communications applications to powering vast file distribution networks. From Yahoo Messenger and Skype to BitTorrent and eDonkey, P2P connectivity has proven extremely popular within enterprise, small- and medium-sized businesses, and consumer environments alike. While legitimate users have been basking in its accessibility, convenience and reliability, illegitimate users have emerged to exploit this technology for criminal gains.
However, P2P isn't the only accomplice. Other technologies like fast flux Domain Name System (DNS) also help cyber criminals construct highly complex failover capabilities, elude botnet hunters and protect their bots from competing bot herders.
The Botnet Pandemic
By infiltrating PCs belonging to others, bot herders seize tremendous computing power that is routinely bought and sold in a complex black market economy fueled by organized crime. Bot herders create and manage networks of these compromised and remotely controlled computers that can span thousands to hundreds of thousands of bots, tied together in a complex, high availability infrastructure.
Bots create active data leakage by providing a nearly undetectable conduit for data mining within an organization, leading to identity theft, credit card fraud, stock pump-and-dump scams and other money-making schemes. The problem is so pervasive that experts estimate one quarter of all online PCs are infiltrated by bots.
Fast Flux DNS
Traditional botnet configurations use a Command and Control (C&C) infrastructure based on Internet Relay Chat (IRC) servers installed illegally on high-bandwidth networks. These chat servers act as a central point for all bots to check in and receive instructions from the bot herder(s).
However, the typical botnet IRC tree structure is problematic because shutting down the IRC servers can cause major outages in the bot network. This is good news for botnet hunters. If a botnet relies on IRC, it can be shut down with only one discovered bot. Communications from that one bot can be traced back to the IRC C&C server, and shutting it down effectively shuts down the entire botnet. For bot herders, this is bad news, so they have turned to new techniques like P2P and fast flux DNS to evade detection and increase redundancy.
DNS is an Internet service that translates alphabetic domain names into IP addresses. Usually the IP address associated with the domain does not change often. However, it is possible to update the IP address associated with the domain name. So the concept of "fast flux" DNS is to update the IP address of a domain name frequently.
Bot herders program bots with a predefined list of C&Cs identified by domain name. By exploiting fast flux DNS, they also change the underlying IP addresses of the domains continuously. Now bot hunters (the good guys) cannot track down the locations of C&C servers fast enough before they change. Fast flux DNS allows bot herders to use a multitude of servers to create a highly evasive control network.
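The properties described above (short TTLs, a large set of addresses that changes from one lookup to the next, servers scattered across unrelated networks) are exactly what a defender can score for. The following is an added example, not code from the article or from FireEye: a small Python heuristic that scores a series of DNS answers for one domain. Each indicator on its own is innocent (content delivery networks also use short TTLs), so the detector only flags a domain when several fire together. All DNS answers below are constructed sample data using documentation address ranges, and the /16-prefix spread is a stand-in for the ASN lookup real tooling would use.

```python
"""Heuristic fast-flux DNS detector (added example; not code from the article or FireEye).

Fast-flux domains typically answer with very short TTLs, return a set of A
records that changes from query to query, and scatter those addresses across
unrelated networks. Each property alone is innocent (CDNs also use short TTLs),
so the detector scores them together. All answers below are constructed sample
data using documentation address ranges.
"""
from collections import namedtuple
import ipaddress

# One observed DNS answer: query time, TTL returned, and the A records returned.
DnsAnswer = namedtuple("DnsAnswer", "ts ttl addresses")


def distinct_ips(answers):
    """All distinct A records seen across the answers."""
    seen = set()
    for answer in answers:
        seen.update(answer.addresses)
    return seen


def distinct_prefixes(ips, prefix_len=16):
    """Crude 'different network' measure: count distinct /16 prefixes.
    Real tooling would map each address to its ASN instead (assumption here)."""
    return {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in ips}


def address_churn(answers):
    """Fraction of consecutive queries whose address set differed from the previous one."""
    if len(answers) < 2:
        return 0.0
    changes = sum(
        1 for prev, cur in zip(answers, answers[1:])
        if set(prev.addresses) != set(cur.addresses)
    )
    return changes / (len(answers) - 1)


def fast_flux_score(answers, low_ttl=300, min_ips=5, min_churn=0.5, min_prefixes=3):
    """Score a series of answers for one domain; one point per fast-flux indicator.
    Thresholds are illustrative assumptions, not published cut-offs."""
    ips = distinct_ips(answers)
    indicators = {
        "low_ttl": max(a.ttl for a in answers) < low_ttl,
        "many_ips": len(ips) >= min_ips,
        "high_churn": address_churn(answers) >= min_churn,
        "spread_out": len(distinct_prefixes(ips)) >= min_prefixes,
    }
    score = sum(indicators.values())
    return {"score": score, "is_fast_flux": score >= 3,
            "indicators": indicators, "distinct_ips": len(ips)}


# Constructed answers for a suspected flux domain: low TTL, new addresses on
# nearly every query, spread across three unrelated ranges.
FLUX_ANSWERS = [
    DnsAnswer(0,   180, ["192.0.2.5",   "198.51.100.22",  "203.0.113.10"]),
    DnsAnswer(300, 180, ["192.0.2.44",  "198.51.100.7",   "203.0.113.99"]),
    DnsAnswer(600, 180, ["192.0.2.130", "198.51.100.200", "203.0.113.3"]),
    DnsAnswer(900, 180, ["192.0.2.5",   "198.51.100.61",  "203.0.113.150"]),
]

# Constructed answers for a CDN-style domain: low TTL, but a stable pair of
# addresses in one network. Only the TTL indicator fires, so it is not flagged.
CDN_ANSWERS = [
    DnsAnswer(t, 60, ["198.51.100.10", "198.51.100.11"]) for t in (0, 300, 600, 900)
]

if __name__ == "__main__":
    for name, answers in (("flux", FLUX_ANSWERS), ("cdn", CDN_ANSWERS)):
        print(name, fast_flux_score(answers))
```

Run against a passive DNS log or a resolver's query history, the same scorer separates the flux domain (all four indicators, score 4) from the CDN domain (only the low TTL, score 1); the multi-indicator requirement is what keeps legitimate short-TTL domains from being blocked.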
Bot Herders and P2P
Considering the scale to which botnets have escalated -- the number of infected PCs is estimated at over 150 million -- management and scalability are critical. Even today's largest global enterprises have room for improvement when it comes to network management, yet bot herders have a particular knack for controlling their pawns.
Bot herders typically maintain a botnet composed of active and inactive bots. Inactive bots at the ready can be called into action if active bots are taken down or if additional resources are needed for a particular scam or attack. High-level P2P technologies help bot herders achieve the flexibility and scalability needed for their extremely dynamic resource requirements.
Just as BitTorrent and Skype utilize peer-to-peer configurations to ensure users reach their targets, bot herders utilize P2P technology to maintain connectivity to their vast bot army with no single point of failure. With P2P, there is no longer the risk of losing control over the entire botnet if one central command and control server is taken down.
Protecting Critical Assets
How can today's IT and security professionals regain control of resources consumed by bot activity and protect against infiltration? Traditional security practices are no more than blunt instruments compared with the surgical precision employed by bot herders.
However, by understanding how bot herders utilize P2P, fast flux DNS and other advanced methods to construct and manage their networks, law enforcement as well as IT and security professionals gain deeper insight into how to fight back and secure their networks.
Leading-edge technologies greatly aid in this process. Lit IP space analysis and botnet intelligence harvesting are two promising techniques gaining momentum among security practitioners.
Lit IP Space Analysis
The use of honeypots and honeynets, or dummy computers and dummy networks set up to trap bot herders, was formerly effective for detecting malicious network traffic. In their traditional deployments, honeypots or honeynets were connected to isolated network darkspace, utilizing IP addresses unused by legitimate networks.
With the rise in Web- and browser-based computing, bot herders are increasingly hiding their stealth malware in Web traffic to evade techniques such as darkspace honeypots, IPS signatures and spam analysis. To counteract this trend, instrumented virtual machines within the local enterprise network can perform lit IP space analysis, examining active IP traffic to discover and track botnets in real time.
Using lit IP space network analysis and forensics, it is possible to detect the new generation of Web-based malware as well as preserve critical and contextual data surrounding a particular incident for forensic follow-up.
Beyond local network analysis using lit IP space analysis, global network intelligence is increasingly important to fight botnets within enterprise networks. There are many security tools and devices already deployed in today's complex IT infrastructures that can help with enforcing and blocking botnets. However, they can only make a difference in the war against botnets if they are adequately equipped with actionable and timely botnet intelligence.
The latest in anti-botnet technologies can extract information that can enable security devices to take better action against the most sinister botnet threats. These tools gather critical information such as C&C IP addresses, exploit signatures for the bot malware, and the bot commands that trigger criminal activity. Quality of botnet intelligence can also be measured based upon availability, timeliness and accuracy.
Tools available today enable IT to learn and identify how bots talk to one another, communicate with their command and control servers, and alter the operating systems of their hosts, so they can best fortify their defenses against botnet attack.
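The intelligence the article describes (C&C addresses, the channels bots use to check in) is only useful once it is applied to what the local network actually sees. The block below is an added example, not code from the article or from FireEye, showing two complementary checks over flow records: matching destinations against a constructed C&C address feed, and looking for the regular check-in rhythm a bot exhibits toward its controller, which surfaces candidates the feed has not caught up with yet. The feed entries, flow records, and the regularity threshold are all constructed assumptions; the addresses come from documentation ranges.

```python
"""Applying botnet intelligence to network flow records (added example; not the
article's or FireEye's code). The C&C feed and flow records are constructed."""
from collections import defaultdict
import statistics

# Constructed intelligence feed: the kind of C&C address list the article says
# anti-botnet tools gather. Documentation-range addresses, not real indicators.
C2_IPS = {"203.0.113.50", "198.51.100.77"}

# Constructed flow records: "epoch_seconds src_ip dst_ip dst_port".
# 10.0.0.5 checks in to a known C&C every 60 s; 10.0.0.20 shows the same
# rhythm toward a destination not (yet) in the feed; 10.0.0.9 is ordinary
# irregular web traffic; 10.0.0.12 touched a feed address once.
FLOW_LOG = """\
1207123200 10.0.0.5 203.0.113.50 6667
1207123260 10.0.0.5 203.0.113.50 6667
1207123320 10.0.0.5 203.0.113.50 6667
1207123380 10.0.0.5 203.0.113.50 6667
1207123215 10.0.0.9 192.0.2.80 443
1207123601 10.0.0.9 192.0.2.80 443
1207124010 10.0.0.9 192.0.2.80 443
1207123300 10.0.0.12 198.51.100.77 80
1207123210 10.0.0.20 192.0.2.44 8080
1207123270 10.0.0.20 192.0.2.44 8080
1207123330 10.0.0.20 192.0.2.44 8080
1207123390 10.0.0.20 192.0.2.44 8080
"""


def parse_flows(text):
    """Parse the constructed flow format into (ts, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((int(ts), src, dst, int(port)))
    return flows


def match_intel(flows, c2_ips=C2_IPS):
    """Internal hosts that contacted an address on the C&C feed."""
    return sorted({src for _, src, dst, _ in flows if dst in c2_ips})


def beacon_candidates(flows, min_events=4, max_cv=0.1):
    """(src, dst, port) pairs whose connection intervals are suspiciously regular.
    Regularity is measured as the coefficient of variation of the gaps between
    connections; the 0.1 cut-off is an illustrative assumption."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    found = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            found.append((pair, round(mean)))
    return sorted(found)


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("hosts contacting feed C&C addresses:", match_intel(flows))
    print("regular check-in candidates:", beacon_candidates(flows))
```

The feed match is only as good as the feed's timeliness (the article's own point); the regularity check is what lets a defender notice 10.0.0.20 talking to 192.0.2.44, a destination that would otherwise wait for the next feed update, and investigate it before adding it to the block list.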
The botnet pandemic continues to grow at an alarming rate, compromising privacy and resources and undermining the very foundation of the Internet economy: trust.
Fueling the pandemic are profit-hungry bot herders, a new breed of hackers using infiltration as a highly lucrative endeavor. They exploit P2P and fast flux DNS to architect and manage some of the industry's most resilient, flexible and high-availability networks.
Companies must utilize the latest security technologies to protect their critical people and resources. Lit IP space analysis and actionable botnet intelligence are two examples of tools available to IT security professionals to win the war against botnets.
Ashar Aziz is founder and chief executive officer of FireEye, a provider of anti-botnet protection systems.