Bots, Botnets and Botmaster
A malicious bot (short for "robot"), also called a zombie, is a computer that someone other than its actual owner can control completely. The attacker takes control of the target computer by infecting it with malicious code written for that purpose. A virtual network of such compromised machines, controlled by one or more outside sources, is known as a botnet. Botnets can consist of a few hundred to several thousand compromised machines. The person who remotely controls a botnet is called a botmaster.
Most security experts consider botnets the number one security threat on the Internet today. It has become easier to recruit botmasters for sophisticated botnet attack services. Botnets are very dynamic in nature and very difficult to detect, as they adapt their behavior to get around common security perimeters.
How Are Botnets Created?
Botnet creation begins with the download of a software program called a “bot” (for example, IRCBot, SGBot, or AgoBot) along with an embedded exploit (or payload) by an unsuspecting user, who might click an infected e-mail attachment or download infected files or freeware from peer-to-peer (P2P) networks or malicious Websites.
Once the bot and exploit combination is installed, the infected machine contacts a public server that the botmaster has set up as a control plane to issue commands to the botnet. A common technique is to use public Internet Relay Chat (IRC) servers, but hijacked servers can also issue instructions using Secure HTTP (HTTPS), Simple Mail Transfer Protocol (SMTP), Transmission Control Protocol (TCP), and User Datagram Protocol (UDP) strings. Control planes are not static and are frequently moved to evade detection; they run on machines (and by proxies) that are never owned by the botmaster.
Using the control plane, the botmaster can periodically push out new exploit code to the bots. It can also be used to modify the bot code itself in order to evade signature-based detection or to accommodate new commands and attack vectors.
Initially, however, the botmaster’s primary purpose is to recruit additional machines into the botnet. Each zombie machine is instructed to scan for other vulnerable hosts. Each new infected machine joins the botnet and then scans for potential recruits. In a matter of hours, the size of a botnet can grow very large, sometimes comprising millions of PCs on diverse networks around the world.
Armed with this zombie army, the botmaster is now ready to launch the first major attack. Practically anyone with a computer is an attack target, whether a small business, a home user, a corporate office, or a retail point-of-sale terminal. Locating the botmaster is an extremely tricky task. The botmaster typically proxies the control commands through several compromised machines on diverse networks. Proxy connections, as well as the control plane, are changed often to make it nearly impossible to track down the botmaster.
(Source: Botnets: The New Threat Landscape, White Paper [Threat Control], Cisco Systems)
Undetected unless one is looking for certain symptoms, bots are often used in various Internet-based criminal activities, including DDoS (Distributed Denial of Service) attacks and the distribution of malware and spam.
The three most common bot variants used are:
- mIRC-based Bots
The possible uses of a botnet are criminal in nature and limited only by the imagination of the botmaster. Some of the common activities perpetrated are:
- Infecting and adding other systems to the botnet
- Distributed Denial-of-Service Attacks
- Keylogging
- Spreading new malware
- Installing Adware
- Committing click fraud
- Manipulation of online polls/games
- Distributing Warez and other illegal downloads
Symptoms of Bot(net) Malware – Are you Infected?
Basically, your computer is made part of a botnet by infecting it with a worm that exploits system vulnerabilities. This malware is unlikely to disable the host computer, because the bot computer must stay connected to the Internet for the botnet to survive. However, it might cause your computer to slow down, crash or display unexpected messages. The symptoms are mostly similar to those of other malware infections. Refer to our Symptoms of Malware Infection.
Botnets congest network connections. Investigate your system if the Internet connection appears to be slow, or when you notice anomalous network activity while you are not using the Internet: your system may be being used by the botnet agent to send and receive data.
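The command-and-control dialog and recruitment scanning described earlier, and the anomalous idle-time traffic this section tells you to look for, leave recognizable shapes in outbound connection logs. The following Python script is an added example, not part of the original article or of any tool it names; it runs two simple heuristics over a constructed connection log (timestamp, source, destination, port): regular-interval beaconing from one host to one external host:port, and fan-out from one host to many destinations on one port within a short window. The log format, the thresholds, the IRC port and all addresses are assumptions made for the demonstration.

```python
"""Flag botnet-like behaviour in outbound connection records (added example).

Input lines (assumed, constructed format): "<epoch_seconds> <src_ip> <dst_ip> <dst_port>"
Heuristics:
  1. beaconing - a host talks to the same external host:port at nearly
                 constant intervals, the shape of command-and-control check-ins;
  2. fan-out   - a host contacts many distinct destinations on one port
                 within a short window, the shape of recruitment scanning.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

Record = Tuple[int, str, str, int]  # (timestamp, src, dst, port)


def build_sample_log() -> List[str]:
    """Constructed sample traffic, not a real capture."""
    lines = []
    # 10.0.0.5 checks in with an IRC port (6667) every 60 seconds...
    for t in range(0, 300, 60):
        lines.append(f"{t} 10.0.0.5 198.51.100.9 6667")
    # ...then sweeps 40 hosts in 203.0.113.0/24 on port 445, one per second
    for i in range(1, 41):
        lines.append(f"{299 + i} 10.0.0.5 203.0.113.{i} 445")
    # 10.0.0.7 browses one site at irregular intervals (benign)
    for t in (5, 47, 200, 230):
        lines.append(f"{t} 10.0.0.7 93.184.216.34 443")
    return lines


SAMPLE_LOG = build_sample_log()


def parse_log(lines: List[str]) -> List[Record]:
    records: List[Record] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed lines rather than abort the whole run
        ts, src, dst, port = parts
        records.append((int(ts), src, dst, int(port)))
    return records


def find_beacons(records: List[Record], min_count: int = 4, max_jitter: float = 0.2
                 ) -> Dict[str, List[Tuple[str, int, float]]]:
    """Return {src: [(dst, port, mean_gap_seconds), ...]} for flows whose
    gaps between connections are nearly constant (std dev / mean <= max_jitter)."""
    flows: Dict[Tuple[str, str, int], List[int]] = defaultdict(list)
    for ts, src, dst, port in records:
        flows[(src, dst, port)].append(ts)
    beacons: Dict[str, List[Tuple[str, int, float]]] = defaultdict(list)
    for (src, dst, port), stamps in flows.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[src].append((dst, port, float(avg)))
    return dict(beacons)


def find_scanners(records: List[Record], min_targets: int = 20, window: int = 60
                  ) -> Dict[str, Set[int]]:
    """Return {src: {port, ...}} for sources reaching at least min_targets
    distinct destinations on one port inside any window-second span."""
    by_src_port: Dict[Tuple[str, int], List[Tuple[int, str]]] = defaultdict(list)
    for ts, src, dst, port in records:
        by_src_port[(src, port)].append((ts, dst))
    scanners: Dict[str, Set[int]] = defaultdict(set)
    for (src, port), events in by_src_port.items():
        events.sort()
        live: Dict[str, int] = defaultdict(int)  # dst -> connections inside window
        left = 0
        for ts, dst in events:
            live[dst] += 1
            while ts - events[left][0] > window:  # slide the window forward
                old = events[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            if len(live) >= min_targets:
                scanners[src].add(port)
                break
    return dict(scanners)


def suspicious_hosts(lines: List[str]) -> Set[str]:
    """Hosts flagged by either heuristic; the starting point for investigation."""
    records = parse_log(lines)
    return set(find_beacons(records)) | set(find_scanners(records))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("beacons :", find_beacons(recs))
    print("scanners:", find_scanners(recs))
```

On the constructed log, 10.0.0.5 is flagged by both heuristics and 10.0.0.7 by neither; on real data the thresholds need tuning, since software updaters and monitoring agents also beacon at fixed intervals, so a beacon hit is a reason to look at the destination, not proof of infection.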
Check your email “outbox” and “sent items” folder for unrecognized messages.
Query the anti-spam databases to see if your IP address is listed. If it is listed as a source of spam or other abuse in multiple blacklists, it might be an indication of a botnet infection. Robtex provides a free service to check an IP against multiple blacklists.
Substitute xxx with your IP in the following URL to check whether it is on the blacklists.
BotHunter and Trend Micro RUBotted are two free specialized tools that help in discovering real-time stealth botnet activity on the system.
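Behind web-based blacklist checkers like the one mentioned above is a DNS lookup: the octets of the IPv4 address are reversed and prefixed to the blacklist's zone name, and an answer inside 127.0.0.0/8 means the address is listed (the convention documented in RFC 5782). The following Python code is an added example, not the article's or Robtex's; the zone names and canned answers are constructed so the demo runs offline, and `system_resolve` shows how the same check would be made against real DNS.

```python
"""DNS-blacklist (DNSBL) lookup for an IPv4 address (added example).

Query name = reversed octets + "." + zone; an A-record answer inside
127.0.0.0/8 means "listed" (RFC 5782). The zones and answers below are
constructed for an offline demo; system_resolve() does the real lookup.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """'192.0.2.1' + 'bl.example' -> '1.2.0.192.bl.example'."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input with ValueError
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolve(name: str) -> Optional[str]:
    """Resolve through the OS resolver; NXDOMAIN (not listed) becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_blacklists(ip: str, zones: List[str],
                     resolve: Callable[[str], Optional[str]] = system_resolve
                     ) -> Dict[str, Optional[str]]:
    """Return {zone: answer or None}. Only answers in 127.0.0.0/8 count as a
    listing, so a zone that wildcards to a public address is not misread as a hit."""
    results: Dict[str, Optional[str]] = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        listed = False
        if answer is not None:
            try:
                listed = ipaddress.IPv4Address(answer) in LISTED_RANGE
            except ValueError:
                listed = False  # non-IPv4 garbage in the answer: treat as not listed
        results[zone] = answer if listed else None
    return results


def listing_count(results: Dict[str, Optional[str]]) -> int:
    """How many zones list the address; several hits is the signal the text describes."""
    return sum(1 for answer in results.values() if answer is not None)


# --- constructed offline data: hypothetical zones, not real blacklists ---
DEMO_ZONES = ["bl.first-dnsbl.example", "bl.second-dnsbl.example", "bl.third-dnsbl.example"]
DEMO_ANSWERS = {
    # RFC 5782 test address 127.0.0.2 must be listed by every DNSBL (self-test)
    "2.0.0.127.bl.first-dnsbl.example": "127.0.0.2",
    "2.0.0.127.bl.second-dnsbl.example": "127.0.0.2",
    "2.0.0.127.bl.third-dnsbl.example": "127.0.0.2",
    # a constructed spam source listed by two of the three zones
    "1.2.0.192.bl.first-dnsbl.example": "127.0.0.2",
    "1.2.0.192.bl.second-dnsbl.example": "127.0.0.4",
    # a misbehaving zone answering with a public address: must NOT count as listed
    "7.100.51.198.bl.third-dnsbl.example": "203.0.113.1",
}


def demo_resolve(name: str) -> Optional[str]:
    """Offline stand-in for DNS."""
    return DEMO_ANSWERS.get(name)


if __name__ == "__main__":
    for ip in ("127.0.0.2", "192.0.2.1", "198.51.100.7"):
        hits = check_blacklists(ip, DEMO_ZONES, demo_resolve)
        print(f"{ip}: listed in {listing_count(hits)} of {len(DEMO_ZONES)} zones {hits}")
```

To use it for real, pass the zones of the blacklists you rely on and leave `resolve` at its default; remember that most home users sit behind NAT or a dynamic address, so a listing may reflect a previous holder of the address rather than your own machine.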
BotHunter is “designed to track the two-way communication flows between internal assets and external entities, developing an evidence trail of data exchanges that match a state-based infection sequence model. BotHunter consists of a correlation engine that is driven by a customized and augmented release of Snort version 2, which tracks the underlying actions that occur during the malware infection process: inbound scanning, exploit usage, egg downloading, outbound bot coordination dialog, outbound attack propagation, and malware P2P communication.
The BotHunter correlator then ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of successful local host infection. When a sequence of evidence is found to match BotHunter’s infection dialog model, a consolidated report is produced to capture all the relevant events and event sources that played a role during the infection process.”
RUBotted – Trend Micro – “RUBotted monitors your computer for suspicious activities and regularly checks with an online service to identify behavior associated with Bots. Upon discovering a potential infection, RUBotted prompts you to scan and clean your computer.”
How to remove a Botnet infection
An effective antivirus and an antispyware program with updated signatures should be able to scan and clean your system of the bot agents.
- Download, install, update, scan and remove any malware found with any one of the recommended free antivirus software;
Avira AntiVir Personal – FREE Antivirus
AVG Anti-Virus Free Edition or
avast! antivirus Home Edition.
- Download, install, update, scan and remove any malware found with any one of the recommended free antimalware software;
Malwarebytes’ Anti-Malware or
Microsoft® Windows® Malicious Software Removal Tool focuses on the detection and removal of active malicious software.
How to prevent Botnet infections
Secure software and smart security practices are the keys to protecting your system from becoming a zombie computer in a faceless bot network.
- Run antivirus and antispyware software – Always run antivirus and antispyware software. It is important to keep them regularly updated.
- Windows Update – Enable automatic updates to keep the operating system patched against known vulnerabilities.
- Patch software applications – In addition to the operating system, it is essential to keep the software installed on your system patched against known vulnerabilities. Security patches are usually free and can be downloaded from the software vendors. Secunia Personal Software Inspector (PSI), free for home use, supplements Windows Update well, as it reports missing patches for thousands of third-party programs.
- Use a Personal Firewall – A full-fledged personal firewall can protect your computer from unauthorized access when configured correctly.
- Follow good security practices – There is no substitute for common sense when you are on the world wide web.
- Disconnect your computer from the Internet, when you are not using it.
- Exercise caution when opening attachments or following links in emails and on Websites.
- Research before downloading new, unknown software, especially if it is a security or registry related software.
- Never reveal your passwords over phone or via email.
Acknowledgement: Know your Enemy: Tracking Botnets | The Honeynet Project