An Army of Bots

Jason Suplita

The information contained in or accompanying this document is intended only for the use of the stated recipient and may contain
information that is confidential and/or privileged. If the reader is not the intended recipient or the agent thereof, you are hereby
notified that any dissemination, distribution or copying of this document is strictly prohibited and may constitute a breach of
confidence and/or privilege. If you have received this document in error, please notify us immediately. Any views or opinions
presented are solely those of the author and do not necessarily represent those of SecureState, LLC.

This white paper delineates the threats that botnets pose and goes over the history and proliferation of
botnets. In addition, it outlines security controls that can mitigate the risk.
Name: Jason Suplita
Revision: 1.0
Date: October 29, 2010
Table of Contents

Introduction
What Is A Botnet
Types of Botnets
     Centralized Command and Control
     Peer-2-Peer Command and Control
Threat Mitigation
     Protection
     Detection and Attack Mitigation
Conclusion

Introduction

How long can your business operations be down before irreparable damage occurs? At what point does
company survivability become a concern? How much is it worth to you that your external Internet presence
stays operational? While merely asking these questions may incite fear, answering them is pertinent to your
company’s viability when facing an attack. Companies are facing unprecedented threats with steep
consequences, and these risks are prevalent in today’s always-on, always-connected Internet.

With the proliferation of the Internet, businesses began to tap into markets never heard of before,
including online retailing, social media sites driven by corporate advertising, and online banking. Companies
maximized this opportunity by building consumer and business awareness while generating large sums of
revenue, all the while becoming ever more dependent on this network. Yet every yin has a yang: the Internet
also has a dark side. While organizations have been focusing on the newest economic and consumer trends,
cybercriminals have been scanning the competitive landscape for new opportunities to exploit companies.
Just like businesses, cybercriminals are in it for the money. They found an unserviced market and moved in
to fill the need by amassing their own networks, called “botnets.” These networks prey on the weak, and in
contrast to the weakest-link theory, the weak make them strong.

Botnets are patient and subtle, but carry a big stick. The recent news headlines speak to their trophies:
Hackers Take Down the Most Wired Country in Europe; DDOS Attacks Crush Twitter, Hobble Facebook; How a
basic attack crippled Yahoo; DDoS attack strikes UltraDNS, affects Amazon, Wal-Mart. For those who wonder
what long-term effects a botnet can have on business operations, consider this: in 2006, cybercriminals
proved that David does not always defeat Goliath. In an attack that marked a turning point, Blue Security
permanently shut down operations due to extortion from a botnet. In one of Blue Security’s last public
statements, CEO Eran Reshef stated, “It’s clear to us that [quitting] would be the only thing to prevent a full-
scale cyber-war that we just don’t have the authority to start”.

What Is A Botnet?

To understand the concepts outlined in this paper, it is important to understand certain terminology and
definitions. A botnet is a conglomeration of systems infected with a backdoor application called a “bot” in
order to manipulate the system into being their slave. In addition to a “bot” being referred to as a backdoor
application, it is also another name for the infected machine. The cybercriminals who infect and manage the
botnet are referred to as botmasters.


Botnets have evolved immensely over time. Quickly realizing that they must adapt to the fitness landscape,
botmasters are constantly improving their software through encrypting communications and preventing
modification or probing into their source code. One of the first examples of this behavior is the Storm botnet.
Created in 2007, the Storm botnet infected computers by enticing users to open up email attachments. Once
anti-virus vendors identified the infection, they noticed that the bot mutated its code at alarming rates,
sometimes hourly. This measure is now consistently taken by newer botnets in order to prevent anti-virus
vendors from creating signatures that match the bot and remove the infection. In addition, Storm encrypted
its communication streams to prevent analysts from recovering the commands sent to the bots. Furthermore,
it was one of the first bots to alarm security researchers because of its anti-tampering features. It was
common to hear of Distributed Denial of Service attacks directed at security research organizations because an analyst was
attempting to debug the code and probe into the inner workings of the bot software. Once the bot detected
this investigation, a command was sent out for the botnet to attack the IP address of the researcher.
According to Joshua Corman, an IBM security researcher, “This is the first time that I can remember ever
seeing researchers who were actually afraid of investigating an exploit. Every time I hear of an investigator
trying to investigate, they’re automatically punished. It knows it’s being investigated, and it punishes them. It
fights back.”

Since the advent of these powerful networks, their size has proliferated. Once small, some of these botnets
have grown in numbers greater than any company ever in existence. At one point, the Zeus botnet had an
upper range estimate of 50 million computers. An army of bots that large wields an enormous amount of
power. To put it into perspective, Google’s cloud computing facility has one million CPUs that can handle up
to 1,500 Gbps of traffic; Conficker, at over an estimated 18 million computers strong, can transmit 28,000
Gbps, easily dwarfing Google’s cloud computing farm. This ominous potential has the security industry
extremely concerned. If leased to a vicious criminal or a group of people, the results could be apocalyptic in
today’s digital age. The loss incurred in such an attack could have vast economic implications to not only
companies, but also nations.


Types of Botnets
Botnets can be classified into two major groups: Centralized Command and Control and Peer-2-Peer (P2P).
Each offers its own set of advantages and disadvantages.

Centralized Command and Control

The Centralized Command and Control model is the most widely adopted design. Many well-known botnets
have used this setup, such as AgoBot, RGbot and Conficker. In a Centralized Command and Control model,
botmasters use a centralized control point for registration, updates and control. When newly infected
machines become active, the first thing they do is contact the centralized server. These instructions are built
into the malicious code. Upon initiation of the connection, the bot registers to the centralized server and
awaits orders.

Cybercriminals choose this design primarily for the following benefits. First, there is an abundant set of tools
that enable centralized server/client communication; historically the preferred methods have been IRC and
HTTP. Web servers are plentiful, and IRC servers are easy to set up and can be driven with nothing more than a
telnet client, which is built into most operating systems, so both cost and required sophistication are low.
Secondly, a botmaster is able to control thousands to millions of hosts efficiently from a centralized server.
Finally, cybercriminals can identify how many infected computers are under their control, and can guarantee
command propagation and low message latency.

While this model is easy to implement and maintain, it has one significant drawback. Because there is a stark
reliance on the centralized control server, that server is the weakest link. The ability to take down this server
can cause all communication to halt, which in turn causes the cybercriminal to lose control of the botnet. This
threat has compelled many botmasters to either switch their communication model or improve on the
traditional centralized command and control model.

One recent example that exposed the weakness in the command and control model was the takedown of the
Mariposa botnet. The Mariposa Working Group, a joint effort between Defence Intelligence, Panda
Security and the Georgia Tech Information Security Center, uncovered the Mariposa botnet, which consisted of
over 11 million unique IPs. After identifying the command and control server, the Mariposa Working Group
was able to gain control of the server. After a struggle against the botmaster, they lost control. However, they
were able to alter the DNS records in order to divert the command of the botnet. This effort proved
successful and resulted in the arrest of the botmaster. However, while this example reveals the inherent
weakness in the traditional command and control model, botnets like Conficker have reconciled this issue.
With the latest iteration of code, Conficker generates a list of 50,000 domains per day, with the worm
choosing only 500 of those domains in an attempt to contact the control server. In addition, it tries to resolve
each of those domains only once per day. These measures were put into place in an effort to ensure
survivability of the botnet. This rapid evolution indicates that botnets will do whatever it takes to endure.


Peer-2-Peer Command and Control

In opposition to the Centralized Command and Control model, Peer-2-Peer botnets follow a decentralized
form of communication. Therefore, instead of contacting a centralized server, P2P botnets relay
communications directly to other infected bots. This creates small communities in which each infected
machine forms neighbor relationships with other bots. However, this imposes a number of constraints on the
botnet. In order to avoid detection and keep CPU utilization within normal limits, each bot can communicate
only with a small number of systems. In addition, message delivery to the entire botnet is not guaranteed,
because a breakdown in communication at one bot may affect multiple systems. Another disadvantage is the
latency involved in command propagation. Plotting the number of hosts that have received a command against
time yields a curve resembling a negatively skewed distribution. Figure 1 depicts the rate of propagation from
the botmaster sending the initial command to when the last bot receives it. At the beginning, propagation
starts off slowly, because the structure of the P2P network relies on small groups of systems to pass on the
information. Over time the rate increases, reaching exponential rates of transmission near the end. This
latency increases in proportion to the size of the botnet, potentially causing scalability
issues. Finally, the development costs of a P2P botnet are significantly higher than those of the Centralized
Command and Control model.

Figure 1: command propagation over time

While P2P botnets are still far outnumbered by Centralized Command and Control botnets, the growing
trend is for new botnets to follow the P2P model. The rationale for this is twofold. First, the ability for
authorities to eradicate the botnet becomes severely impaired. These botnets are highly resilient and do not
depend on a limited number of command and control servers to function. As such, they can withstand the
disruption of a number of bots with minimal effects overall. Because each bot has a trust relationship with the
other, the botmaster requires access only to one infected machine in order to control the botnet. The ability
to choose any system to control the botnet makes it harder for authorities to identify the botmaster, because
authorities cannot monitor every infected machine waiting for the botmaster to connect in an attempt to
identify their location.

Botnets are highly lucrative businesses. They have virtually no fixed costs since there is no need to purchase
hardware, office buildings or property. In addition, there is plenty of demand from criminals or even
businesses looking for a competitive edge. While there are a multitude of services they provide, the following
are the most prevalent: theft of confidential data, selling or leasing the botnet and Distributed Denial of
Service (DDoS) attacks.

Few attacks elicit as much fear as DDoS attacks. They are the effort of multiple systems working in
conjunction to flood a dedicated target with traffic. The intention is to halt operations or effectively take
down the target. The target typically is a business or governmental agency. Cybercriminals lease their
networks to nefarious users on a daily basis, ranging in costs as low as $30 to a few thousand, with the price
tag depending on the target and the size of the botnet needed. If the goal is to take down a small business
with relatively few security controls in place, $30 per day may fit the bill. However, attacking an enterprise
with a large supply of bandwidth and advanced security controls in place to mitigate attacks is going to cost
considerably more. The reason is two-fold. The first pertains to the number of bots needed to carry out the
attack: the greater the numbers, the greater the cost. Secondly, the cost centers on the amount of attention
attracted from the attack. The operator of the botnet has to weigh the risks of leasing out their network. An
attack on small to medium size businesses probably will warrant minimal investigation from authorities, but
enterprise scale attacks will generate much more attention. If authorities launch a massive investigation and
assemble teams to eliminate the botnet, the survivability of the botnet will be at risk, thus increasing the
operator’s costs.

How much is your identity worth to you? How much do you stand to lose? Think about all of the steps and
the time involved: canceling all credit cards, debit cards and constantly monitoring your credit report. In case
you are wondering how real the threat is, in terms of cost and time lost, here are some statistics [1]:

      There are over 10 million identity theft victims each year
      On average, it costs $8,000 for a person to recover from identity theft
      Victims spend an average of 600 hours in paper work and other activities to clear their name

And the frustration does not end there. “Thirty-seven percent of victims reported experiencing problems
other than out-of-pocket expenses or the expenditure of time resolving issues as a result of having their
personal information misused. The problems victims report include, among other things, being harassed by
collections agents, being denied new credit, being unable to use existing credit cards, being unable to obtain
loans, having their utilities cut off, being subject to a criminal investigation or civil suit, being arrested, and
having difficulties obtaining or accessing bank accounts.” [2] While the cost to the victim is high, the purchase
price to buy your identity is not. “Credit cards are some of the cheapest commodities sold on the Internet
Black Market, averaging about 98 cents each when sold in bulk. A full identity goes for just $10.” [3] The price, in
this case, is dictated by the overabundance of supply. Cybercriminals compromise data on a mass scale. In
2009, researchers at the University of California, Santa Barbara, hijacked the Torpig botnet and uncovered
70GB of financial data, including bank accounts and credit card numbers. Even more astonishing, the Torpig
botnet accumulated the 70GB of data in only 10 days.

Threat Mitigation
Mitigating the effects of botnets falls into three categories: protection from infection, detection, and
reducing the impact of an attack. The controls needed to alleviate the threat depend on which category is
the focus.

Protection

To protect against being infected by a bot, organizations need to incorporate a Defense-in-Depth stance. The
Defense-in-Depth principle outlines that security controls should follow a layered approach. The idea is that a
corporation that follows this approach will be capable of stopping a threat through multiple control points
within the network. In doing so, there is no reliance on a single security control to provide all of the
protection. This is critical since security controls can themselves introduce vulnerabilities. For example, many
organizations have anti-virus software installed on corporate systems. This software protects the systems
from malware; however, there are times when the anti-virus software itself has a vulnerability. A virus or worm
can take advantage of this weakness and potentially compromise the system. It is ironic that software
specifically designed to protect against malware can be exploited because of that protection. In contrast, a
layered security design would also have a firewall that inspects packets for malicious content and removes it,
or a web proxy server with reputation-based filtering that determines a site poses a high risk and blocks
access to it. In that scenario, the system would still have been adequately protected.

A number of technical controls that can protect against bot infection are:

      Reputation based web proxies
      Intrusion Prevention Sensors
      Anti-virus scanning engines
      Host Intrusion Prevention Software (behavioral)
      Host anti-virus software

Reputation filtering, Intrusion Prevention Sensors (IPS) and anti-virus scanning engines provide protection
before an attack reaches the host. Considering the total cost of recovering from an infection, these controls
can greatly reduce the impact. For example, if company policy requires that any system infected by malware
needs to be reimaged, the cost per infection is relatively high once you account for the revenue lost while the
employee cannot work and the hourly wages of both the IT resource and the affected employee. This does
not even account for any legal involvement, fines or reputational damage.
Now, how much would it be worth to you if that infection was blocked before it reached your employee’s
system? Begin to add up all the down time and the total cost per incident, and it becomes clear that
deploying layered security controls actually reduces operating costs.

As users of corporate assets, we pose the greatest security risk to the organization because we are
unaware of the impact and do not understand the threat. This problem stems from how recently computers
came into common use, only over the last 20 years. We can often judge the physical risks we are subject to,
since doing so is built into our instincts. However, assessing the threat to intangible data that sits on our hard
drive is far more difficult to comprehend. In addition, our own security controls have desensitized us to
exposure. Anti-virus software is one of the culprits that give us a false sense of security, because we feel
confident that when we click the “clean infection” button that the risk has been averted, even if the payload
has metastasized.

There is a security adage, which states that security is 20% technology and 80% people. In today’s modern
society, this is more relevant than ever before. While cybercriminals have always focused on exploiting
vulnerabilities, the target has shifted to the individual. Historically cybercriminals compromised systems by
researching code, looking for vulnerabilities then creating a package that would exploit it; however, over the
last few years there has been a rise in social engineering including the creation of phishing sites and infected
email attachments. By appealing to people’s emotions or by deceiving them, cybercriminals ensure that they
are compromising the most abundant vulnerability available. Instead of spending hours identifying a technical
weakness that is specific to an application or operating system, social engineering allows them to span across
platforms to steal information.

Even though the human component poses the greatest security risk, many organizations do not have a
formalized security awareness program implemented. Technical changes are easy to make, but changing the
way people interact with others and how they use the Internet is challenging. However, it is important, since
many of our societal norms create security vulnerabilities. For example, how often were you told
as a child to hold the door open for people? How about when entering your company building, even when
you are required to swipe your access control card? Many of us have done it without ever thinking if the
person belongs there. With the abundant information available on the Internet, even criminals can seem like
they belong. Let’s play out a scenario:

       Employee: “Oh hi, we have never met. I’m Jason.”

       Criminal: “Hi, I’m John. I work with Jennifer Arthur in Accounting.”

       Employee: “That reminds me. I was going to drop something off for her today.”

       Criminal: “Just so you know, she is not in the office today.”

       Employee: “Thanks. It was nice meeting you John.”

       Criminal: “You too Jason.”

What the employee did not know is that the criminal had been gathering information for quite some time. He
had impersonated another user and befriended Jennifer on Facebook. Jennifer happened to post a
message that day, and because of the new “location” feature, John noticed that she was away from the
office. Armed with this information, John has gained Jason’s trust, knows enough to convince people and
has a cubicle to use for the day.

With a security awareness program, companies are able to increase their security, while not even needing
additional technical controls to do so. By educating your workforce, employees become cognizant of
information and physical security issues. This will minimize the organization’s risk since users will be more
cautious of how they use the Internet, what emails they open, who they let into the building and what
information they post. If more people were knowledgeable of the risks, there would be fewer infections and

Detection and Attack Mitigation

The security controls that prevent infection overlap with those that detect and mitigate the impact of an
attack. Often, only minor adjustments to the controls are required. For instance, once a computer is
infected, we must rely on a number of network-based and host-based controls in order to identify the threat.
A network-based IPS can be tuned to look for consistent patterns in traffic, such as DNS requests from a host
at constant time intervals. This type of traffic would generally raise alarms, especially if it were
occurring during off hours. Another appliance that is beneficial in detection is the reputation-based
proxy server. When pulling reports, if certain hosts are constantly connecting to sites that
have a low reputation, or making a high number of connections to non-standard websites, it can be an
indication of bot traffic. There are additional services and software provided by third-party vendors that offer
bot detection. While most of the devices mentioned are network-based, there are a number of host security
products able to detect malicious activity. These include anti-virus software, Host Intrusion Prevention
Software (HIPS) and file integrity monitoring. While the first two controls attempt to prevent the
infection, they also provide detection capabilities. From a protection standpoint, one of the best controls to
have is behavioral HIPS. In addition, it provides a wealth of information to determine if something suspicious
is happening. Most often, HIPS provides file integrity monitoring. This allows an administrator to view any
changes to critical files. If system files or application attributes are seen being modified, a security
analyst can infer that a breach is probable. Once again, when there is a layered security approach,
information can be gathered from multiple points to be correlated. This can provide a company with both
protection and detection capabilities.
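The two detection cues described above, DNS requests from one host at constant intervals and Conficker-style one-shot lookups of many candidate domains that mostly do not exist, as an added example that is not part of the paper: a small analyser run over constructed resolver log lines. The log format, client addresses, domain names and all thresholds are assumptions for the illustration.

```python
"""Flag beaconing and DGA-like lookups in DNS resolver logs.

Added example, not from the paper: it applies two detection cues the paper
gives, DNS requests at constant intervals (worse when off hours) and many
distinct names each resolved exactly once, mostly failing (Conficker style).
Log format, hosts and thresholds are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log, one "<ISO time> <client> <qname> <rcode>" per line.
SAMPLE_LOG = """\
2010-10-29T02:00:00 10.1.5.23 update.corp-sync.example NOERROR
2010-10-29T02:05:01 10.1.5.23 update.corp-sync.example NOERROR
2010-10-29T02:10:00 10.1.5.23 update.corp-sync.example NOERROR
2010-10-29T02:14:59 10.1.5.23 update.corp-sync.example NOERROR
2010-10-29T02:20:00 10.1.5.23 update.corp-sync.example NOERROR
2010-10-29T02:25:00 10.1.5.23 update.corp-sync.example NOERROR
2010-10-29T09:12:03 10.1.5.40 xkqzmvb.example NXDOMAIN
2010-10-29T09:12:04 10.1.5.40 ptrwlqa.example NXDOMAIN
2010-10-29T09:12:06 10.1.5.40 mnbvcxz.example NXDOMAIN
2010-10-29T09:12:09 10.1.5.40 qwertzu.example NOERROR
2010-10-29T09:12:11 10.1.5.40 hgfdsaw.example NXDOMAIN
2010-10-29T09:12:15 10.1.5.40 lkjhgfd.example NXDOMAIN
2010-10-29T09:12:18 10.1.5.40 zxcvbnm.example NXDOMAIN
2010-10-29T09:12:22 10.1.5.40 uiopasd.example NXDOMAIN
2010-10-29T09:03:12 10.1.5.77 www.news-site.example NOERROR
2010-10-29T09:04:40 10.1.5.77 cdn.news-site.example NOERROR
2010-10-29T09:31:05 10.1.5.77 www.news-site.example NOERROR
2010-10-29T11:45:09 10.1.5.77 mail.corp.example NOERROR
2010-10-29T13:02:51 10.1.5.77 www.news-site.example NOERROR
"""


def parse_log(text):
    """Parse log lines into (client, time, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            records.append((client, datetime.fromisoformat(ts), qname.lower(), rcode))
    return records


def beacon_score(times, min_requests=5):
    """Return (mean gap in seconds, coefficient of variation) or None.

    A low coefficient of variation means the gaps between requests are
    nearly constant: the "constant time intervals" the paper describes.
    """
    if len(times) < min_requests:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return (avg, pstdev(gaps) / avg) if avg > 0 else None


def off_hours_fraction(times, start=22, end=6):
    """Fraction of requests made between `start` and `end` o'clock (assumed window)."""
    night = [t for t in times if t.hour >= start or t.hour < end]
    return len(night) / len(times)


def analyze(records, cv_max=0.05, min_names=5, single_min=0.8, nx_min=0.5):
    """Per client, report beacon and DGA-like findings (thresholds are assumed)."""
    by_client = defaultdict(list)
    for client, ts, qname, rcode in records:
        by_client[client].append((ts, qname, rcode))
    findings = {}
    for client, rows in by_client.items():
        flags = []
        # Beacon check: one name queried at nearly constant intervals.
        by_name = defaultdict(list)
        for ts, qname, _ in rows:
            by_name[qname].append(ts)
        for qname, times in by_name.items():
            score = beacon_score(times)
            if score and score[1] < cv_max:
                flags.append(f"beacon {qname} every {score[0]:.0f}s "
                             f"(off-hours {off_hours_fraction(times):.0%})")
        # DGA check: many names, each resolved once, mostly non-existent.
        counts = Counter(qname for _, qname, _ in rows)
        single = sum(1 for n in counts.values() if n == 1) / len(counts)
        nx = sum(1 for _, _, rcode in rows if rcode == "NXDOMAIN") / len(rows)
        if len(counts) >= min_names and single >= single_min and nx >= nx_min:
            flags.append(f"dga-like {len(counts)} names, {nx:.0%} NXDOMAIN")
        if flags:
            findings[client] = flags
    return findings
```

Run against the sample, the beaconing host and the DGA-like host are reported while the ordinary browsing host is not; on real resolver logs the thresholds would be tuned against the site's own baseline.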

Mitigating the impact of a botnet attack can take every security resource a company has, both technical
controls and staff. Botnet attacks are not something to take lightly. They strike with little warning,
because a DDoS attack is not trying to gather or steal information from the network: it is simply flooding
the network with traffic. In addition, botmasters have been known to contact the organization and extort
money from it in exchange for stopping the attack. One subtle difference in the attack can determine how a
company recovers. Is the attack consuming all of your Internet bandwidth? If not, then appliances such as
firewalls, IPS and anomaly detectors may be able to stem the attack. Firewalls typically have anti-DoS
capabilities that many organizations simply do not use. Typically, DoS attacks involve flooding either a network
or servers with massive volumes of “SYN” packets in order to exhaust the system’s resources, with no
intention of establishing a connection. Firewalls have features that can take advantage of this. Usually you can
set a threshold such that, after a certain number of half-open “SYN” connections (known as “embryonic”
connections on some firewalls), the firewall proxies new connections and sends the acknowledgement reply
back itself. If the other end completes the connection, the firewall passes it through to the server.
However, if no reply is received, the firewall drops the connection and the server’s resources are never
consumed. This can be very effective against DoS attacks, because the firewall is capable of handling considerably
more traffic than a server. Furthermore, IPS and anomaly detectors can provide protection, since they can
look deep into the packet, identify inconsistencies and provide remediation. However, if all of the bandwidth
is consumed, many of these controls will provide minimal support, since there is no bandwidth to permit
legitimate traffic through. If this is the case, the company’s Internet Service Provider (ISP) must participate in
the recovery. It is difficult for many organizations to accept this, since they view themselves as being
completely autonomous, able to determine their own outcomes. That stance is detrimental when dealing
with this threat. ISPs alone are able to triage the tasks among multiple entities, including other ISPs, to stop
the attack. It is a collective effort since many of the attacking systems will be in a number of countries. The
primary tool in their arsenal is Remotely-Triggered Black Hole (RTBH) routing. This involves blackholing the
traffic at the edge of the ISP’s network. In doing so, they are able to determine how much traffic is coming off
that connection with the destination of the target company. If minimal traffic is coming off of the connection,
the ISP can be reasonably assured that the attackers are not on that connection. However, if there are
massive amounts of traffic, the ISP can contact the connecting ISP to follow the same process in blocking the
attackers. Once this has gone through a number of iterations, the ISPs are able to determine which links the
offenders are on and block the traffic. This relieves the resources of the targeted company and allows them to
resume services.
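The embryonic-connection threshold described above, modelled as an added example that is neither the paper's nor any vendor's code: a server with a bounded half-open backlog, and a firewall that passes SYNs through until the half-open count reaches a threshold and then answers the SYN-ACK itself, opening a server connection only for clients that complete the handshake. The backlog size, timeout, flood rate and threshold are constructed assumptions.

```python
"""Model of the firewall SYN-proxy ("embryonic connection") defence.

Added example, not from the paper or any vendor. Below a threshold of
half-open connections the firewall passes SYNs through; above it, it sends
the SYN-ACK itself and opens a server connection only once the client ACKs.
Backlog, timeout, tick counts and rates are constructed assumptions.
"""


class Server:
    """Server whose half-open (SYN-received) backlog is bounded."""

    def __init__(self, backlog, timeout):
        self.backlog, self.timeout = backlog, timeout
        self.half_open = {}  # client -> tick at which the entry times out
        self.established = self.refused = self.peak = 0

    def _expire(self, now):
        self.half_open = {c: e for c, e in self.half_open.items() if e > now}

    def syn(self, client, now):
        """Queue a SYN in the backlog, or refuse it when the backlog is full."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.refused += 1
            return False
        self.half_open[client] = now + self.timeout
        self.peak = max(self.peak, len(self.half_open))
        return True

    def ack(self, client, now):
        """Complete the handshake for a client that is in the backlog."""
        if self.half_open.pop(client, None) is None:
            return False
        self.established += 1
        return True


class Firewall:
    """Proxies SYNs once the embryonic count reaches the threshold."""

    def __init__(self, server, threshold, timeout):
        self.server, self.threshold, self.timeout = server, threshold, timeout
        self.embryonic = {}  # client -> (expiry tick, proxied?)
        self.proxied = self.dropped = 0

    def _expire(self, now):
        for client, (expiry, proxied) in list(self.embryonic.items()):
            if expiry <= now:
                del self.embryonic[client]
                if proxied:
                    self.dropped += 1  # timed out at the firewall; server never saw it

    def syn(self, client, now):
        self._expire(now)
        proxied = len(self.embryonic) >= self.threshold
        self.embryonic[client] = (now + self.timeout, proxied)
        if proxied:
            self.proxied += 1  # firewall answers the SYN-ACK itself
            return True
        return self.server.syn(client, now)

    def ack(self, client, now):
        entry = self.embryonic.pop(client, None)
        if entry is None:
            return False
        # A proxied client has completed the handshake: open it to the server now.
        if entry[1] and not self.server.syn(client, now):
            return False
        return self.server.ack(client, now)


def simulate(threshold=None, ticks=200, spoof_rate=10, backlog=128, timeout=30):
    """Constructed flood: spoof_rate SYNs per tick that never ACK, plus one
    legitimate client every 20 ticks that ACKs one tick later. threshold=None
    disables the proxy. Returns the counters a defender would compare."""
    server = Server(backlog, timeout)
    front = Firewall(server, threshold, timeout) if threshold is not None else server
    for t in range(ticks):
        for i in range(spoof_rate):
            front.syn(f"spoof-{t}-{i}", t)
        if t % 20 == 15:
            front.syn(f"legit-{t}", t)
        elif t % 20 == 16:
            front.ack(f"legit-{t - 1}", t)
    return {
        "legit_established": server.established,
        "server_refused": server.refused,
        "server_peak_half_open": server.peak,
        "dropped_at_firewall": front.dropped if front is not server else 0,
    }
```

Comparing `simulate()` with `simulate(threshold=64)` shows the point of the paragraph: without the proxy the backlog fills with spoofed half-open connections and every legitimate client is refused, while with it the server never holds more than the threshold plus the one client being admitted, and all legitimate connections succeed.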

Conclusion

Botnets have become one of the most predominant threats on the Internet. While they have built their
networks from corporate assets, botmasters have treated these networks as a separate entity of their own,
unwilling to give up control. Botnets are extremely capable of defending themselves from eradication and have proven to be
resilient. Over time, we will see these botnets evolve. There is a lot of money to be made and where there is
a market, someone will always step in to fill the void, even through illicit means.

If botnets have proven anything so far, it is that they adapt to their environment and that any simplicity in their
design is by choice, not necessity. While this paper outlines the designs these networks currently use,
researchers are finding adaptations every day. It is only a matter of time before they become even
more entrenched in our networks, with little ability to be removed.

Unfortunately, dealing with cybercriminals has become an expense of doing business on the Internet. While
the risks are considerable, organizations can make headway in minimizing the threat. Organizations have the
ability and the responsibility to exercise due care. This has to be the way of the future. Anything less will
result in criminal networks so menacing and large that it may be impossible to stop them without
massive economic impact. It is time for companies to take back the ownership of their equipment. No one
outside the company has the right to information developed by said organization. The greatest security
control that companies have is their employees. Educate them and make them aware of the risks and the
threats. In doing so, your company will be better off both financially and operationally.


References and Related Links

Federal Trade Commission – 2006 Identity Theft Survey Report