Botnets: A Hacker's Version of Grid Computing

Hackers once were looking to create chaos–now money is the root of the evil.

Zombie Function: noun Etymology: Louisiana Creole or Haitian Creole z?bi, of Bantu origin; akin to Kimbundu nz?mbe ghost

1 usually zombi a: the supernatural power that according to voodoo belief may enter into and reanimate a dead body b: a will-less and speechless human in the West Indies capable only of automatic movement who is held to have died and been supernaturally reanimated

2 a: a person held to resemble the so-called walking dead; especially : AUTOMATON b : a person markedly strange in appearance or behavior

3: a mixed drink made of several kinds of rum, liqueur, and fruit juice

4: all 252 workstations in your claims office in Des Moines

(Thanks to Merriam-Webster online for most of the above. http://www.m-w.com/home.htm)

Nonsense, you say? No one in the Des Moines office has reported any unusual happenings or behavior. You would know about it if your network were compromised. Right?

Yes, you probably would know about it, and you probably already have safeguards in place to protect your systems from becoming part of a botnet. But that doesn't make this threat any less real or potentially damaging to your or someone else's business. Insurance companies are built on data, and much of that data needs to be kept safe and secure. There are far too many ways in which businesses are being tricked into giving away confidential data–don't forget and overlook the easy ones.

What the Heck Is a Botnet?

Botnet is a term for a collection of software robots (bots) controlled by a common entity (the BotMaster or Zombie Master). Individual computers or workstations configured to be part of a botnet are known as zombies–and these “walking dead” computers silently are waiting to be awakened by the BotMaster and perform some nefarious task. Very simply, individual computers are compromised via a virus or Trojan horse that opens up a communication channel so the infected computer can be manipulated and controlled remotely.

Most users will never know their machine has become part of a “zombie army” and may be responsible for sending pornographic e-mails or bringing down a major site such as Yahoo through a DDoS (Distributed Denial of Service) attack. By the way, this is all accomplished through the use of malware (malicious software). I had to add new words to my spell checker five times in this paragraph. These things have become the new bad boys of the Internet. Kasperky Labs and Symantec have stated independently bots and Trojans are on the rise and mass-mailer viruses are on the decline. A report issued by the Honeynet Project in March 2005 indicated more than a million hosts are compromised and can be controlled by malicious attackers.

How Do I Become a Zombie?

It is very easy. Take an unpatched computer running Windows 2000 or XP and connect it to the Internet. Chances are, it will become infected immediately. Unpatched, unfirewalled machines are vulnerable to a port probe that will find an open port (say, TCP port 135) and install a bot or Trojan. Four ports–445/TCP, 139/TCP, 137/UDP, and 135/TCP–account for 80 percent of botnet traffic. More typically machines are first infected with a virus (such as SoBig or MyDoom) that exploit vulnerabilities in the operating system or Internet Explorer.

There seems to be a never-ending list of buffer overflow exploits that eventually allow unauthorized code execution. After a machine is compromised, a bot may use a variety of available tools (trivial FTP, FTP, HTTP, CSend) to transfer code to the compromised box. The executable is run and connects to an IRC (Internet Relay Chat) server, where it may receive instructions. It is not necessary to use IRC, but it provides a ready-made, time-tested communications channel a user can hide behind.

So What?

PC viruses have been around since the first PCs. Viruses are annoying but rarely do any “real” damage. Right? Wrong. The hacking world is evolving. Most people “writing” and distributing malicious code still are disaffected young men who are copying someone else's code, making minor modifications, and unleashing it on the Internet. Most of these guys can create havoc only by accident. And that does happen. But there is a new breed of hacker lurking about. It used to be the real genius hackers who actually wrote the original code to exploit vulnerabilities just did it as an intellectual exercise or, at worst, as a kind of modern-day anarchist statement. The new generation, though, has figured out it can make money writing malicious code.

You have written your bot code; you have distributed it to 20,000 PCs connected to the Internet. Those 20,000 zombies are sitting there, waiting for your command–your command to do what? There was a time when having the Tricolor pop up on the screen and play “La Marseillaise” on July 14 was cool enough in itself. Not anymore. How about if you could have your zombies all attempt to download a file from www.BigTargetCompany.com at the same time? Twenty thousand requests for a 500K PDF just might bring that site to its knees. Even better: What if BigTargetCompany's biggest competitor offered to pay you $5,000 to take www.BigTargetCompany.com offline for an hour. This is starting to sound pretty attractive. Getting paid to do what you love best–wreaking havoc on the Internet.

This is not supposition but fact (well, almost–names and quantities have been changed). There are recorded cases of individuals paying for a botnet to run a DDoS against specific targets.

From Where Spam Spawns

Do you really think the 35 e-mails you got last night advising you to invest in vending machines came from a legitimate mail server sitting in a legitimate hosting facility? The truth is they probably came from 35 unwitting zombies scattered across the Internet. Keep in mind once you have compromised a computer, you can download just about any kind of software you want. Many bots will open a SOCKS proxy (the SOCKS protocol is an Internet protocol that allows a host behind a firewall to access resources outside the firewall). They then can set up the machine to send spam or phishing e-mails. The bot also could grab all available e-mail addresses on the machine and spam them as well as the initial list. Again, this is a for-profit operation. The spammer is paying the botmaster to deliver all that C*I*A*L*I*S mail to your desktop.

At National Underwriter (parent company of Tech Decisions), we use Google AdSense on some of our Web pages. We get paid a fee for so many click-throughs per ad per month. Google is smart enough to filter out obvious abuse. If I sit at my screen all weekend and click an ad 25,000 times, we are not going to get a big, fat check next month. In fact, we probably would be asked to leave the program. But what if I paid a bot-meister to have his 25K slaves each click through those ads a single time next week? The clicks all would come from different IPs and from different geographic regions (presumably). Google may suspect something's up, but it would have a hard time proving it.

There are lots of things that can be manipulated this way. Online games and polls can be manipulated using a bot grid. There are reports of online game “tokens” offered for sale on eBay. Presumably these valuable tokens were obtained by botnets playing certain parts of the games relentlessly. None of this is really new–computers by their very nature are tools capable of being programmed to perform repetitious mundane tasks. (If an electronic slot machine can be programmed to pay a jackpot every 1.35 x 106 pull, then a computer can be trained to pull it 1.35 x 106 times.) The difference is this is not permission-based computing. This is the bad guy taking all those wasted CPU cycles and using them while hiding behind enough layers of obfuscation to escape detection.

Don't Forget Des Moines

What about those 252 workstations in the claims center. What if they were compromised? The malware could be capturing keystrokes (and thus passwords or credit card information). It could be sniffing packets on the internal network. If the traffic is not encrypted (which it probably isn't internally), then any piece of information in that data center is vulnerable. Just how valuable is that data?

In fact, most companies with a responsible IT department probably will be free of bot software and other Trojans. Firewalls can monitor and control IRC traffic (on any port). Chances are your workers won't become part of a zombie network. But that does not obviate the risk or potential for damage. You still could be the victim of a DDoS attack from a botnet–or spam or phishing e-mails. The ad click scenario is real and scary for advertising-supported Web sites. Plus, there is the risk of the compromised and infected laptop coming in the door and jumping on your WiFi network. Your entire network could be in trouble in minutes. Never assume just because you are safe today, you will be safe tomorrow. Bringing money into the hacking game has changed the playing field. They are no longer playing for fun–they are playing for real.

For more information on botnets, I suggest you check out the Honeynet Project at http://www.honeynet.org.

Special Reports /

Botnets: A Hacker's Version of Grid Computing

Related Stories

Recommended For You