Made to Measure Botnets
I’m currently writing a paper for the Virus Bulletin conference, to be held during October in the fair city of Dublin, Ireland; the paper is about bots and botnets*. So, when I saw this news item yesterday I decided it was time to post a blog entry on the subject of bots and botnets, especially as bots are very widespread now.
So, what is a bot?
‘Bot’ is a contracted (truncated or short) name for a software robot. A bot is a piece of software that allows a system to be remotely controlled without the owner’s knowledge; it can also be used to automate common tasks. Systems infected by a bot are often referred to as ‘Zombies’ or ‘Drones’.
And, what is a botnet?
A group [‘Herd’ or ‘Network’] of Zombie systems controlled by the ‘Bot Master’ [sometimes called a ‘Bot-Herder’]. These botnets are told what to do by the botnet owner. This can be anything that the bot has been programmed to do, including updating itself or installing new malicious software.
If you saw the film ‘I, Robot’, this is similar to the way the C-5 robots are controlled when commanded to carry out tasks that are in breach of the ‘Three Laws of Robotics’.
Why you should be interested…
Well, would you be interested if your door exploded at 3 A.M. and police poured into your house and arrested you? You would? Well, that’s a surprise!
So, why might this happen to you?
Let me describe a scenario which will help to explain why this could happen to you, even if you have done nothing wrong, illegal or immoral, and all that you need to be able to see yourself in this scenario is a PC and an Internet connection.
How to become a Zombie or Drone…

Your computer is connected to the Internet and, unknown to you, it becomes infected by a bot; this particular bot uses a known vulnerability in Windows to get in without your knowledge or permission. The bot adds itself to the registry to ensure that it always gets loaded when Windows starts. Once loaded, the bot connects out to the Internet and logs in to a dedicated IRC [Internet Relay Chat] channel for the botnet it belongs to, effectively signing in for duty.
Now, the botnet owner decides to carry out a DDoS [Distributed Denial of Service] attack on a major company. His botnet is 1,000 strong [a small botnet; they can be 100,000+ in size], so he tells his Zombies [including your PC] to attack the site. At this point your PC is firing off thousands of requests to the site, and so are all the other Zombie PCs [all DSL connected at speeds from 128Kbps to 2048Kbps].
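The “signing in for duty” step above is also the point where a defender can spot the infection from the outside: a workstation that keeps opening outbound connections to IRC ports has no business doing so on most networks. The script below is an added example, not part of the original post; it scans a constructed firewall log (the format, addresses and the 192.168.1.0/24 LAN range are all assumptions for the example) and lists internal hosts that repeatedly connected to the common IRC ports.

```python
"""Flag internal hosts that repeatedly open outbound connections to IRC
ports, i.e. a zombie joining (and re-joining) its command channel.
Log format and all addresses below are constructed for this example."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 7000}   # commonly used IRC ports
INTERNAL = ip_network("192.168.1.0/24")            # assumed LAN range

# Constructed firewall log: time src dst dport proto action
SAMPLE_LOG = """\
2005-08-10T03:01:07 192.168.1.10 198.51.100.7 80 tcp allow
2005-08-10T03:01:09 192.168.1.22 203.0.113.5 6667 tcp allow
2005-08-10T03:02:11 192.168.1.22 203.0.113.5 6667 tcp allow
2005-08-10T03:02:40 192.168.1.10 198.51.100.9 443 tcp allow
2005-08-10T03:03:12 192.168.1.22 203.0.113.5 6667 tcp allow
2005-08-10T03:04:13 192.168.1.22 203.0.113.5 6667 tcp allow
2005-08-10T03:05:00 192.168.1.31 203.0.113.8 6667 tcp allow
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+) (\w+)$")

def parse_line(line):
    """Split one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, proto, action = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "action": action}

def find_irc_beacons(log_text, min_connections=3):
    """Return {src: {dst: count}} for internal hosts that connected to an
    IRC port at least `min_connections` times.  A single connection may be
    a human IRC user; repeated reconnects to the same server look like a
    bot re-joining its channel after each dropped session."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if ip_address(rec["src"]) in INTERNAL and rec["dport"] in IRC_PORTS:
            counts[rec["src"]][rec["dst"]] += 1
    return {src: {dst: n for dst, n in dsts.items() if n >= min_connections}
            for src, dsts in counts.items()
            if any(n >= min_connections for n in dsts.values())}

if __name__ == "__main__":
    for src, dsts in find_irc_beacons(SAMPLE_LOG).items():
        for dst, n in dsts.items():
            print(f"{src} -> {dst} (IRC) {n} connections: possible bot C&C")
```

On the sample log only 192.168.1.22 is reported; the single connection from 192.168.1.31 stays below the threshold unless it is lowered.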
Now, let us switch to the victim’s view.
The victim’s IT staff notice that their IDS/router/firewall has lit up like a Christmas tree; incoming e-mail has almost stopped, all the web servers are crashing under the load, and nobody from the company can browse the web. Oh dear!
So, the IT staff quickly scribble down some of the source IP addresses that the attacks are coming from and inform their IT Director, who tells them to contact their ISP and the Police and supply the IP addresses that they have managed to record.
The ISP staff trace one of the IP addresses back to your PC and pass the details to the police.
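Rather than scribbling source addresses by hand, the victim’s IT staff would pull them from the web server’s own access log. The script below is an added example, not from the original post: it reads a constructed Common Log Format excerpt (addresses and timestamps are invented for the example), counts requests per source address per one-minute window, and returns the addresses whose rate in any single window crossed a threshold, which is the list that goes to the ISP and the Police.

```python
"""Triage for the DDoS victim: find the source addresses flooding the web
server from its access log.  Log lines below are constructed for this
example in Common Log Format; they are not real traffic."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed access-log excerpt: two zombies plus one normal visitor.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [10/Aug/2005:03:15:01 +0100] "GET / HTTP/1.1" 200 1234
203.0.113.10 - - [10/Aug/2005:03:15:01 +0100] "GET / HTTP/1.1" 200 1234
203.0.113.10 - - [10/Aug/2005:03:15:02 +0100] "GET / HTTP/1.1" 200 1234
198.51.100.5 - - [10/Aug/2005:03:15:02 +0100] "GET /about HTTP/1.1" 200 987
203.0.113.11 - - [10/Aug/2005:03:15:02 +0100] "GET / HTTP/1.1" 503 0
203.0.113.11 - - [10/Aug/2005:03:15:03 +0100] "GET / HTTP/1.1" 503 0
203.0.113.11 - - [10/Aug/2005:03:15:03 +0100] "GET / HTTP/1.1" 503 0
203.0.113.10 - - [10/Aug/2005:03:16:30 +0100] "GET / HTTP/1.1" 503 0
"""

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')

def parse_clf(line):
    """Parse one Common Log Format line; return None for lines that do not match."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    ip, ts, request, status, size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "when": when, "request": request, "status": int(status)}

def flood_sources(log_text, window_seconds=60, threshold=3):
    """Return {ip: peak requests in one window} for every source address
    whose request count inside a single window reached `threshold`.
    Bucketing per window keeps a busy but legitimate all-day client from
    being confused with a host firing bursts of requests."""
    per_window = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        bucket = int(rec["when"].timestamp()) // window_seconds
        per_window[rec["ip"]][bucket] += 1
    return {ip: max(c.values()) for ip, c in per_window.items()
            if max(c.values()) >= threshold}

if __name__ == "__main__":
    for ip, peak in sorted(flood_sources(SAMPLE_ACCESS_LOG).items()):
        print(f"{ip}: {peak} requests in one minute -> report to ISP")
```

The threshold of three is only sensible for this eight-line sample; on a real server it would be set well above the rate of the busiest legitimate client.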
Your system is repeatedly used to attack others, and is reported again and again to the authorities.
Now, let me add several other things to the mix. Your system is now also being used to send SPAM, Phishing scams and new malware. Not only that, but someone has found out that you are infected by a bot, and has decided to use the built-in backdoor to upload stolen software and credit card details onto your system.

Q. What may happen when this information is also given to the authorities?
A. Exploding front door early in the morning!
Now, what are the authorities going to find when they examine your computer, and who is going to be in trouble, you or the miscreants that have been using your system?
Well, in the short to medium term, you will be the one who appears to be guilty, and how will this affect you personally? How long will it take for the authorities to realise that you are innocent? Weeks? Months?
OK, back to the article I linked to in the first paragraph. Malware authors are working very closely with organised crime to create new bots, which they use to build botnets which they can rent out, not only to cyber-extortionists, spammers and scammers but also to those who wish to store stolen data, software and other illegal material without having to worry about being caught in possession of it.
Oh, and by the way, this bot has also been commanded to download and install a keylogger, so now all your credit-card and other personal details are being harvested too. I bet you can’t wait until you get your next bank/credit-card statement!
These botnets, which are increasingly built to order, are usually between 100 and 5,000 members [Zombies] in size.
FAQs:
Q. But I run Anti-Virus software so the bots can’t infect me.
A. The source code for most of the major bot families is constantly being updated to create new variants [strains]. These new variants may not be detectable by AV software at the time you get infected. Remember this mantra: “Anti-virus is only as good as its last update”, and this one too, for that matter: “If the malware isn’t in the AV product’s database of known malware, chances are it won’t be detected”**. Anti-virus is for the most part a ‘reactive’ technology, never forget that!
Q. My system is fully patched, so I can’t get infected in the way you describe.
A. Bots can get onto your system in many ways: dropped by a worm coming in via e-mail or Instant Messaging, hidden inside a Trojan program, put there by someone else, and so on.
Q. I use a software firewall, so that will stop the bot connecting to the Internet to get its orders.
A. Many bots now either disable personal firewalls, anti-virus and anti-spyware tools, or they use rootkit techniques to get access before these tools are running, thereby making the bot invisible to them.
Q. But I only connect to the Internet for 15-60 minutes at a time, so I can’t get infected, can I?
A. I personally know of a system that was infected by 6 malware strains in under 10 minutes of connecting to the Internet. Two of those were bots.
Please don’t take this short article as a full explanation of bots, botnets and how they work or are used [misused?], all feedback and comments are most welcome.
To use a well-known quote from Star Trek - “Resistance is futile, you will be assimilated!” No, resistance is not futile! Using up-to-date anti-virus, a good personal firewall, anti-spyware software, a rootkit detector and some common sense will help to minimise the chance of you becoming part of the Bot collective.

Links:
Stealth virus warning sounded again [ZDNet]
Experts: Zombies ousting viruses as malware of choice [C|Net]
* The paper will be available on my personal website after the conference.
** Yes I haven’t forgotten about heuristics, but these usually only detect a small number of new strains.
Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.
All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

