Is your PC part of a Zombie Botnet? Check now!

September 3, 2009 by Shanmuga  
Filed under Botnets, Featured

Bots, Botnets and Botmaster

A malicious bot (short for robot), also called a zombie, is a computer that someone other than its actual owner can control completely. The attacker takes control of the target computer by infecting it with malicious code written for that purpose. A virtual network of such compromised machines, controlled by one or more outside sources, is known as a botnet. Botnets can consist of a few hundred to several thousand compromised machines. The person who remotely controls a botnet is called a botmaster.

Most security experts consider botnets the number one security threat on the Internet today. It has become easier to recruit botmasters for sophisticated botnet attack services. Botnets are very dynamic in nature and very difficult to detect, as they adapt their behavior to get around common security perimeter defenses.

Image courtesy intel.com

How Are Botnets Created?

Botnet creation begins with the download of a software program called a “bot” (for example, IRCBot, SGBot, or AgoBot) along with an embedded exploit (or payload) by an unsuspecting user, who might click an infected e-mail attachment or download infected files or freeware from peer-to-peer (P2P) networks or malicious Websites.

Once the bot and exploit combination is installed, the infected machine contacts a public server that the botmaster has set up as a control plane to issue commands to the botnet. A common technique is to use public Internet Relay Chat (IRC) servers, but hijacked servers can also issue instructions using Secure HTTP (HTTPS), Simple Mail Transfer Protocol (SMTP), Transmission Control Protocol (TCP), and User Datagram Protocol (UDP) strings. Control planes are not static and are frequently moved to evade detection; they run on machines (often reached through proxies) that are never owned by the botmaster.

Using the control plane, the botmaster can periodically push out new exploit code to the bots. It can also be used to modify the bot code itself in order to evade signature-based detection or to accommodate new commands and attack vectors.

Initially, however, the botmaster’s primary purpose is to recruit additional machines into the botnet. Each zombie machine is instructed to scan for other vulnerable hosts. Each new infected machine joins the botnet and then scans for potential recruits. In a matter of hours, the size of a botnet can grow very large, sometimes comprising millions of PC’s on diverse networks around the world.

Armed with this zombie army, the botmaster is now ready to launch the first major attack. Practically anyone with a computer is an attack target, whether a small business, a home user, a corporate office, or a retail point-of-sale terminal. Locating the botmaster is an extremely tricky task. The botmaster typically proxies the control commands through several compromised machines on diverse networks. Proxy connections, as well as the control plane, are changed often to make it nearly impossible to track down the botmaster.

Source: Botnets: The New Threat Landscape White Paper [Threat Control] – Cisco Systems

Undetected unless one is looking for certain symptoms, bots are often used in various Internet-based criminal activities, including DDoS (Distributed Denial of Service) attacks and the distribution of malware and spam.

The three most common bot variants used are:

  • Agobot/Phatbot/Forbot/XtremBot
  • SDBot/RBot/UrBot/UrXBot
  • mIRC-based Bots

Botnet Activities

The possible uses of a botnet are criminal in nature and limited only by the imagination of the botmaster. Some of the common activities perpetrated are:

  • Infecting and adding other systems to the botnet
  • Distributed Denial-of-Service Attacks
  • Spam
  • Key logging
  • Spreading new malware
  • Installing Adware
  • Committing click fraud
  • Manipulation of online polls/games
  • Phishing
  • Distributing Warez and other illegal downloads

Symptoms of Bot(net) Malware – Are you Infected?

  • Your computer is typically made part of a botnet by infecting it with a worm that exploits system vulnerabilities. This malware is unlikely to disable the host computer, because the bot must stay connected to the Internet for the botnet to survive. However, it might cause your computer to slow down, crash or display unexpected messages. The symptoms are mostly similar to those of other malware infections. Refer to our Symptoms of Malware Infection.

  • Botnets congest network connections. Investigate your system if the Internet connection appears slow, or if you notice anomalous network activity while you are not using the Internet; your system may be being used by the bot agent to send and receive data.

  • Check your email “outbox” and “sent items” folder for unrecognized messages.

  • Query the anti-spam databases and see if your IP address is listed. If it is listed as a source of spam or other abuse in multiple blacklists, it may be an indication of a bot infection. Robtex provides a free service to check an IP against multiple blacklists.

    Substitute the xxx with your IP address in the following URL to check whether it is on the blacklists.

    http://www.robtex.com/ip/xxx.xxx.xxx.xxx.html#blacklists
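The blacklist check above is a DNS-based lookup (DNSBL) under the hood; the following added example (not part of the original post or of Robtex) shows the mechanics: the IP's octets are reversed, the blacklist zone is appended, and an A record inside 127.0.0.0/8 means "listed". The zone names and the DNS answers in the block are constructed placeholders so it runs offline; `live_resolve` performs a real query if you substitute an actual blacklist zone.

```python
import socket

def dnsbl_name(ip, zone):
    """Build the lookup name a DNSBL expects: octets reversed, zone appended.
    192.0.2.10 checked against dnsbl-a.example becomes 10.2.0.192.dnsbl-a.example."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone

def listed(answer):
    """A DNSBL answers a listed IP with an A record inside 127.0.0.0/8 (the last
    octet usually encodes the listing reason); NXDOMAIN (None here) means not listed."""
    return answer is not None and answer.startswith("127.")

def live_resolve(name):
    """Real lookup through the system resolver; None on NXDOMAIN or resolver failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_ip(ip, zones, resolve=live_resolve):
    """Return {zone: listed?} for each DNSBL zone. `resolve` is injectable so the
    logic can be exercised without network access."""
    return {zone: listed(resolve(dnsbl_name(ip, zone))) for zone in zones}

# Constructed DNS answers standing in for the real blacklists (placeholder zones).
FAKE_DNS = {"10.2.0.192.dnsbl-a.example": "127.0.0.2"}  # listed in zone A only
ZONES = ["dnsbl-a.example", "dnsbl-b.example"]

def demo():
    """Check a documentation address (192.0.2.10) against the constructed zones."""
    return check_ip("192.0.2.10", ZONES, resolve=FAKE_DNS.get)
```

A listing in a single zone is weak evidence on its own; the post's point is that hits across several independent blacklists are what warrant a closer look.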

  • BotHunter and Trend Micro RUBotted are two free specialized tools that help in discovering real-time stealth botnet activity on the system.

BotHunter is “designed to track the two-way communication flows between internal assets and external entities, developing an evidence trail of data exchanges that match a state-based infection sequence model. BotHunter consists of a correlation engine that is driven by a customized and augmented release of Snort version 2, which tracks the underlying actions that occur during the malware infection process: inbound scanning, exploit usage, egg downloading, outbound bot coordination dialog, outbound attack propagation, and malware P2P communication.

The BotHunter correlator then ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of successful local host infection. When a sequence of evidence is found to match BotHunter’s infection dialog model, a consolidated report is produced to capture all the relevant events and event sources that played a role during the infection process.”
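To make the "infection dialog model" concrete, here is an added example (not BotHunter's own code) of a minimal dialog correlator over constructed sensor alerts: it groups alerts per local host, walks the time-ordered trail, and declares an infection only when inbound exploit evidence is followed by outbound behaviour, or when two distinct outbound stages appear within a window. The decision rule is a simplification of the one described in the BotHunter paper, and the alert format and timings are assumptions made for the example.

```python
from collections import defaultdict

# Dialog stages of the BotHunter infection sequence model named in the post:
# E1 inbound scan, E2 exploit, E3 egg download, E4 C&C dialog, E5 outbound scan.
EXPLOIT = "E2"
OUTBOUND = {"E3", "E4", "E5"}

# Constructed alert lines, not real sensor output: "<time> <stage> <local> <remote> <note>".
SAMPLE_ALERTS = [
    "1000 E1 10.0.0.5 198.51.100.7 inbound scan of 445/tcp",
    "1030 E2 10.0.0.5 198.51.100.7 exploit against 445/tcp",
    "1090 E3 10.0.0.5 203.0.113.9 egg download over http",
    "1200 E4 10.0.0.5 203.0.113.20 irc NICK/JOIN on 6667/tcp",
    "1500 E5 10.0.0.5 10.0.0.0/24 outbound scan of 445/tcp",
    "2000 E1 10.0.0.8 198.51.100.7 inbound scan of 445/tcp",
    "1000 E3 10.0.0.9 203.0.113.9 egg download over http",
    "9000 E4 10.0.0.9 203.0.113.20 irc JOIN on 6667/tcp",
]

def parse_alert(line):
    ts, stage, local, remote, *note = line.split()
    return {"ts": int(ts), "stage": stage, "local": local, "remote": remote, "note": " ".join(note)}

def trail_matches(span):
    """Decision rule, simplified from the BotHunter paper (an assumption here, not the
    tool's exact weights): an exploit (E2) followed by any outbound stage (E3-E5), or
    two distinct outbound stages. An inbound scan (E1) on its own never counts."""
    exploits = [a["ts"] for a in span if a["stage"] == EXPLOIT]
    outbound = [a for a in span if a["stage"] in OUTBOUND]
    if exploits and any(a["ts"] >= min(exploits) for a in outbound):
        return True
    return len({a["stage"] for a in outbound}) >= 2

def correlate(lines, window=3600):
    """Per local host, sort the dialog trail and test every slice that fits in
    `window` seconds; the first match becomes that host's consolidated report."""
    trails = defaultdict(list)
    for alert in map(parse_alert, lines):
        trails[alert["local"]].append(alert)
    report = {}
    for host, trail in sorted(trails.items()):
        trail.sort(key=lambda a: a["ts"])
        report[host] = {"infected": False, "stages": [], "evidence": []}
        for i, start in enumerate(trail):
            span = [a for a in trail[i:] if a["ts"] - start["ts"] <= window]
            if trail_matches(span):
                report[host] = {"infected": True, "stages": sorted({a["stage"] for a in span}),
                                "evidence": [f"{a['ts']} {a['stage']} {a['remote']} {a['note']}" for a in span]}
                break
    return report
```

In the sample, 10.0.0.5 is reported because its exploit is followed by egg download, C&C dialog and outbound scanning, 10.0.0.8 is not (a scan against it is not evidence it was infected), and 10.0.0.9's two outbound events are too far apart to be tied together at the default window.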

RUBotted (Trend Micro) – “RUBotted monitors your computer for suspicious activities and regularly checks with an online service to identify behavior associated with Bots. Upon discovering a potential infection, RUBotted prompts you to scan and clean your computer.”

How to remove a Botnet infection

An effective antivirus and an antispyware program with updated signatures should be able to scan and clean your system of the bot agents.

  1. Download, install, update, scan and remove any malware found with any one of the recommended free antivirus software;
    Avira AntiVir Personal – FREE Antivirus
    AVG Anti-Virus Free Edition or
    avast! antivirus Home Edition.

    Alternatively, an online malware scanner such as Trend Micro HouseCall or the Windows Live OneCare safety scanner may be used to scan your system for a bot infection.

  2. Download, install, update, scan and remove any malware found with any one of the recommended free antimalware software;
    Malwarebytes’ Anti-Malware or
    SuperAntiSpyware.

    Microsoft® Windows® Malicious Software Removal Tool focuses on the detection and removal of active malicious software.

How to prevent Botnet infections

Secure software and smart security practices are the keys to protecting your system from becoming a zombie computer in a faceless bot network.

  • Run antivirus and antispyware software – Always run antivirus and antispyware software. It is important to keep them regularly updated.
  • Windows Update – Enable automatic updates to keep the operating system patched against known vulnerabilities.
  • Patch software applications – In addition to the operating system, it is essential to keep the software installed on your system patched against known vulnerabilities. Security patches are usually free and can be downloaded from the software vendors. Secunia Personal Software Inspector (PSI), free for home use, is a good complement to Windows Update, as it reports missing patches for thousands of third-party programs.
  • Use a Personal Firewall – A full-fledged personal firewall, when configured correctly, can protect your computer from unauthorized access.
  • Follow good security practices – There is no substitute for common sense when you are on the world wide web.
  1. Disconnect your computer from the Internet, when you are not using it.
  2. Exercise caution when opening attachments or following links in emails and on Websites.
  3. Research before downloading new, unknown software, especially if it is security- or registry-related software.
  4. Never reveal your passwords over phone or via email.

Acknowledgement: Know your Enemy: Tracking Botnets | The Honeynet Project

Botnets: 4 Reasons It’s Getting Harder to Find and Fight Them

April 25, 2009 by Shanmuga  
Filed under Botnets, Recommended Reads

"The perpetual proliferation of botnets is hardly surprising when one considers just how easy it is for the bad guys to hijack computers without tipping off the users. Botnets have long used a variety of configurations, in part to disguise their control mechanisms.
Read more

Bots exploiting Microsoft’s latest RPC flaw

November 7, 2008 by Shanmuga  
Filed under Botnets, Recommended Reads

"Several antivirus vendors are reporting on Monday a new round of exploitation of Microsoft’s out-of-cycle security bulletin last month. The flaw in MS08-067, which affects how remote procedure calls (RPC) are handled in the Windows Server Service, has the potential to become a fast-spreading worm, according to Microsoft. But experts predict any exploitation will be bundled within an existing Trojan horse or botnet package because that’s where criminals can make the most money from the malware code.
Read more

Rustock and Srizbi botnets share a common trojan

August 22, 2008 by Shanmuga  
Filed under Botnets

"Two of the world’s largest and most prolific spamming botnets have been spotted sharing a common bot malware-delivery method. But whether that means that the operators of the rival Rustock and Srizbi botnets are actually in cahoots is unclear, security researchers say.
Read more

Security: New BotSniffer better able to detect foul stench of botnets

February 23, 2008 by Shanmuga  
Filed under Botnets, Malware

"Researchers at Georgia Tech have published a paper on BotSniffer—a program they’ve designed to detect and disable botnets. Botsniffer is not the only bot-detection program available, but the Georgia Tech research team believes that the program’s approach to the botnet issue results in a better correlation rate and a lower number of false positives.
Read more

Security: Limelight kills botnets better than cops do

February 23, 2008 by Shanmuga  
Filed under Botnets

"Botnet operators have become public enemy number-one as consumers, businesses and governments fall foul to identity theft, DDoS attacks and spam. Yet no one appears to be able to stop the spread of bots — except maybe the media.
Read more

Security: What IT can learn from botnets

February 23, 2008 by Shanmuga  
Filed under Botnets

"Josh Corman is the host protection architect for Internet Security Systems, Inc. (ISS), with more than eight years of experience in security and networking software. What was refreshing was Corman’s out-of-the-box thinking on the distributed networks currently being used by online criminals. Of the most popular of these networks, he said "Storm did a lot of things right; in some ironic sort of way, you could argue that Storm is itself a blueprint for fighting (botnets)."
Read more