Botnets: A Hacker's Version of Grid Computing


Hackers once were looking to create chaos–now money is the root of the evil.

Zombie
Function: noun
Etymology: Louisiana Creole or Haitian Creole zonbi, of Bantu origin; akin to Kimbundu nzúmbe ghost

1 usually zombi a: the supernatural power that according to voodoo belief may enter into and reanimate a dead body b: a will-less and speechless human in the West Indies capable only of automatic movement who is held to have died and been supernaturally reanimated

2 a: a person held to resemble the so-called walking dead; especially: AUTOMATON b: a person markedly strange in appearance or behavior

3: a mixed drink made of several kinds of rum, liqueur, and fruit juice

4: all 252 workstations in your claims office in Des Moines

(Thanks to Merriam-Webster online for most of the above. http://www.m-w.com/home.htm)

Nonsense, you say? No one in the Des Moines office has reported any unusual happenings or behavior. You would know about it if your network were compromised. Right?

Yes, you probably would know about it, and you probably already have safeguards in place to protect your systems from becoming part of a botnet. But that doesn't make this threat any less real or potentially damaging to your or someone else's business. Insurance companies are built on data, and much of that data needs to be kept safe and secure. There are far too many ways in which businesses are being tricked into giving away confidential data–don't overlook the easy ones.

What the Heck Is a Botnet?


Botnet is a term for a collection of software robots (bots) controlled by a common entity (the BotMaster or Zombie Master). Individual computers or workstations configured to be part of a botnet are known as zombies–and these “walking dead” computers silently are waiting to be awakened by the BotMaster and perform some nefarious task. Very simply, individual computers are compromised via a virus or Trojan horse that opens up a communication channel so the infected computer can be manipulated and controlled remotely.

Most users will never know their machine has become part of a “zombie army” and may be responsible for sending pornographic e-mails or bringing down a major site such as Yahoo through a DDoS (Distributed Denial of Service) attack. By the way, this is all accomplished through the use of malware (malicious software). I had to add new words to my spellchecker five times in this paragraph. These things have become the new bad boys of the Internet. Kaspersky Labs and Symantec have stated independently that bots and Trojans are on the rise and mass-mailer viruses are on the decline. A report issued by the Honeynet Project in March 2005 indicated more than a million hosts are compromised and can be controlled by malicious attackers.

How Do I Become a Zombie?


It is very easy. Take an unpatched computer running Windows 2000 or XP and connect it to the Internet. Chances are, it will become infected immediately. Unpatched, unfirewalled machines are vulnerable to a port probe that will find an open port (say, TCP port 135) and install a bot or Trojan. Four ports–445/TCP, 139/TCP, 137/UDP, and 135/TCP–account for 80 percent of botnet traffic. More typically, machines are first infected with a virus (such as SoBig or MyDoom) that exploits vulnerabilities in the operating system or Internet Explorer.

There seems to be a never-ending list of buffer overflow exploits that eventually allow unauthorized code execution. After a machine is compromised, a bot may use a variety of available tools (trivial FTP, FTP, HTTP, CSend) to transfer code to the compromised box. The executable is run and connects to an IRC (Internet Relay Chat) server, where it may receive instructions. It is not necessary to use IRC, but it provides a ready-made, time-tested communications channel the botmaster can hide behind.

So What?


PC viruses have been around since the first PCs. Viruses are annoying but rarely do any “real” damage. Right? Wrong. The hacking world is evolving. Most people “writing” and distributing malicious code still are disaffected young men who are copying someone else's code, making minor modifications, and unleashing it on the Internet. Most of these guys can create havoc only by accident. And that does happen. But there is a new breed of hacker lurking about. It used to be that the real genius hackers who actually wrote the original code to exploit vulnerabilities did it as an intellectual exercise or, at worst, as a kind of modern-day anarchist statement. The new generation, though, has figured out it can make money writing malicious code.

You have written your bot code; you have distributed it to 20,000 PCs connected to the Internet. Those 20,000 zombies are sitting there, waiting for your command–your command to do what? There was a time when having the Tricolor pop up on the screen and play “La Marseillaise” on July 14 was cool enough in itself. Not anymore. How about if you could have your zombies all attempt to download a file from www.BigTargetCompany.com at the same time? Twenty thousand requests for a 500K PDF just might bring that site to its knees. Even better: What if BigTargetCompany's biggest competitor offered to pay you $5,000 to take www.BigTargetCompany.com offline for an hour? This is starting to sound pretty attractive. Getting paid to do what you love best–wreaking havoc on the Internet.

This is not supposition but fact (well, almost–names and quantities have been changed). There are recorded cases of individuals paying for a botnet to run a DDoS against specific targets.

From Where Spam Spawns


Do you really think the 35 e-mails you got last night advising you to invest in vending machines came from a legitimate mail server sitting in a legitimate hosting facility? The truth is they probably came from 35 unwitting zombies scattered across the Internet. Keep in mind once you have compromised a computer, you can download just about any kind of software you want. Many bots will open a SOCKS proxy (the SOCKS protocol is an Internet protocol that allows a host behind a firewall to access resources outside the firewall). They then can set up the machine to send spam or phishing e-mails. The bot also could grab all available e-mail addresses on the machine and spam them as well as the initial list. Again, this is a for-profit operation. The spammer is paying the botmaster to deliver all that C*I*A*L*I*S mail to your desktop.

At National Underwriter (parent company of Tech Decisions), we use Google AdSense on some of our Web pages. We get paid a fee for so many click-throughs per ad per month. Google is smart enough to filter out obvious abuse. If I sit at my screen all weekend and click an ad 25,000 times, we are not going to get a big, fat check next month. In fact, we probably would be asked to leave the program. But what if I paid a bot-meister to have his 25K slaves each click through those ads a single time next week? The clicks all would come from different IPs and from different geographic regions (presumably). Google may suspect something's up, but it would have a hard time proving it.
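
The distributed click scenario above, seen from the publisher's or ad network's side, as an added example that is not code from the column and not Google's own (unpublished) AdSense filtering. When every zombie clicks exactly once from its own IP, per-IP rate limits see nothing, so the script below compares each ad's hourly click count against that ad's own recent baseline and reports, without deciding on, the unique-IP ratio. The click log, the ad id "ad-42" and all IP addresses are constructed for the example.

```python
"""Click-burst detection for an ad-supported site.

Added example, not from the column and not Google's AdSense filtering
(which is not public). When a botnet delivers one click per zombie from
many unrelated IPs, per-IP rate limits see nothing, so this script
measures the one thing the publisher or network can still compare:
each ad's hourly click count against its own recent baseline.
The click log, ad id and IP addresses are constructed.
"""
from collections import defaultdict
from statistics import median


def hourly_counts(clicks):
    """clicks: iterable of (epoch_seconds, ad_id, client_ip).
    Returns {ad_id: {hour_index: (click_count, unique_ip_count)}}."""
    buckets = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for ts, ad_id, ip in clicks:
        bucket = buckets[ad_id][ts // 3600]
        bucket[0] += 1
        bucket[1].add(ip)
    return {ad: {hour: (count, len(ips)) for hour, (count, ips) in hours.items()}
            for ad, hours in buckets.items()}


def find_click_bursts(clicks, multiplier=10.0, min_history=3):
    """Return [(ad_id, hour, count, unique_ip_ratio, baseline)] for every hour
    whose click count exceeds multiplier x the median of that ad's earlier
    hours. The unique-IP ratio is reported, not used to decide: a ratio near
    1.0 is exactly what makes a distributed click attack hard to prove."""
    alerts = []
    for ad_id, hours in hourly_counts(clicks).items():
        history = []
        for hour in sorted(hours):
            count, unique_ips = hours[hour]
            if len(history) >= min_history:
                baseline = median(history)
                if count > multiplier * baseline:
                    alerts.append((ad_id, hour, count, unique_ips / count, baseline))
            history.append(count)
    return alerts


def constructed_click_log():
    """Five quiet hours (4 clicks each from a handful of repeat visitors),
    then one hour in which 100 distinct 'zombie' IPs click exactly once.
    Constructed data for the example."""
    base = 1_700_000_000 - (1_700_000_000 % 3600)   # aligned to an hour boundary
    clicks = []
    for hour in range(5):
        for i in range(4):
            clicks.append((base + hour * 3600 + i * 600, "ad-42", f"198.51.100.{i + 1}"))
    for i in range(100):
        clicks.append((base + 5 * 3600 + i * 30, "ad-42", f"203.0.113.{i + 1}"))
    return clicks


if __name__ == "__main__":
    for alert in find_click_bursts(constructed_click_log()):
        print("burst: ad=%s hour=%d clicks=%d unique_ratio=%.2f baseline=%.1f" % alert)
```

The burst alone is not proof: a legitimate ad that goes viral looks the same in this view. In practice the alert is the trigger for correlating the hour against conversions, referrers and geography before any payout decision, which is the "hard time proving it" the column describes.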

There are lots of things that can be manipulated this way. Online games and polls can be manipulated using a bot grid. There are reports of online game “tokens” offered for sale on eBay. Presumably these valuable tokens were obtained by botnets playing certain parts of the games relentlessly. None of this is really new–computers by their very nature are tools capable of being programmed to perform repetitious mundane tasks. (If an electronic slot machine can be programmed to pay a jackpot every 1.35 x 10^6 pulls, then a computer can be trained to pull it 1.35 x 10^6 times.) The difference is this is not permission-based computing. This is the bad guy taking all those wasted CPU cycles and using them while hiding behind enough layers of obfuscation to escape detection.

Don't Forget Des Moines


What about those 252 workstations in the claims center? What if they were compromised? The malware could be capturing keystrokes (and thus passwords or credit card information). It could be sniffing packets on the internal network. If the traffic is not encrypted (which it probably isn't internally), then any piece of information in that data center is vulnerable. Just how valuable is that data?

In fact, most companies with a responsible IT department probably will be free of bot software and other Trojans. Firewalls can monitor and control IRC traffic (on any port). Chances are your workers won't become part of a zombie network. But that does not obviate the risk or potential for damage. You still could be the victim of a DDoS attack from a botnet–or spam or phishing e-mails. The ad click scenario is real and scary for advertising-supported Web sites. Plus, there is the risk of the compromised and infected laptop coming in the door and jumping on your WiFi network. Your entire network could be in trouble in minutes. Never assume just because you are safe today, you will be safe tomorrow. Bringing money into the hacking game has changed the playing field. They are no longer playing for fun–they are playing for real.
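
Two of the defensive points made above, that IRC command-and-control can be watched on any port (not just the IRC default) and that a zombie relaying spam has a recognisable footprint, as an added example that is not code from the column or from the Honeynet Project. The script runs over constructed connection records in a made-up "src_ip src_port dst_ip dst_port proto first_payload" format; the 10.1.1.0/24 LAN, the 10.1.1.5 mail relay and every address and payload in it are assumptions for the example. The IRC check keys on protocol verbs in the first bytes of the session rather than on port 6667, which is what lets a firewall or sensor catch a bot whose server has moved to 8080.

```python
"""Two defender checks from the column, as a standalone log-analysis script.

Added example, not code from the original column or from the Honeynet
Project. It runs over constructed connection records in the made-up
format "src_ip src_port dst_ip dst_port proto first_payload_text" and
implements:
  1. IRC command-and-control spotted by protocol content on ANY port,
     so moving the IRC server off 6667 does not hide it.
  2. Workstations opening SMTP (TCP/25) sessions to many distinct
     servers, the footprint of a zombie relaying spam directly.
All IPs, hostnames and payloads below are constructed.
"""
from collections import defaultdict

# Constructed sample records. 10.1.1.0/24 is the assumed internal LAN and
# 10.1.1.5 the assumed legitimate mail relay.
SAMPLE_LOG = """\
10.1.1.25 1041 203.0.113.7 6667 tcp NICK [USA|XP]-21883
10.1.1.25 1042 203.0.113.7 6667 tcp JOIN #blackbox
10.1.1.31 1100 198.51.100.9 8080 tcp USER hgk 0 * :hgk
10.1.1.31 1101 198.51.100.9 8080 tcp PRIVMSG #blackbox :.status
10.1.1.40 1200 192.0.2.10 80 tcp GET /index.html HTTP/1.1
10.1.1.40 1201 192.0.2.11 21 tcp USER anonymous
10.1.1.5 2500 198.51.100.20 25 tcp EHLO mail.example.test
10.1.1.52 2001 198.51.100.20 25 tcp EHLO 10.1.1.52
10.1.1.52 2002 198.51.100.21 25 tcp EHLO 10.1.1.52
10.1.1.52 2003 198.51.100.22 25 tcp EHLO 10.1.1.52
10.1.1.52 2004 203.0.113.30 25 tcp EHLO 10.1.1.52
10.1.1.60 3000 198.51.100.20 25 tcp EHLO 10.1.1.60
"""

# IRC client verbs that rarely open any other protocol's first message.
# USER is handled separately because FTP also uses it.
IRC_VERBS = {"NICK", "JOIN", "PRIVMSG", "PING", "PONG", "MODE", "TOPIC", "PART"}


def parse_log(text):
    """Turn the constructed log format into a list of record dicts."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue                       # malformed line: skip, never crash
        src, sport, dst, dport, proto = parts[:5]
        payload = parts[5] if len(parts) > 5 else ""
        records.append({"src": src, "sport": int(sport), "dst": dst,
                        "dport": int(dport), "proto": proto.lower(),
                        "payload": payload})
    return records


def is_irc_payload(payload):
    """True when the first bytes of a session look like an IRC client command."""
    parts = payload.split()
    if not parts:
        return False
    verb = parts[0].upper()
    if verb in IRC_VERBS:
        return True
    # IRC's USER carries four arguments (USER <user> <mode> <unused> <realname>);
    # FTP's USER carries one, so require the longer form to avoid FTP false hits.
    return verb == "USER" and len(parts) >= 5


def find_irc_c2(records):
    """Sorted list of (src, dst, dport) for IRC-looking sessions on any port."""
    hits = {(r["src"], r["dst"], r["dport"])
            for r in records if r["proto"] == "tcp" and is_irc_payload(r["payload"])}
    return sorted(hits)


def find_spam_relays(records, mail_servers=frozenset(), threshold=3):
    """Map src -> number of distinct SMTP destinations, for hosts at or above
    threshold, excluding the organisation's own mail servers."""
    fanout = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == 25 and r["src"] not in mail_servers:
            fanout[r["src"]].add(r["dst"])
    return {src: len(dsts) for src, dsts in fanout.items() if len(dsts) >= threshold}


def analyze(text, mail_servers=frozenset({"10.1.1.5"})):
    """Run both checks over one log text and return their findings."""
    records = parse_log(text)
    return {"irc_c2": find_irc_c2(records),
            "spam_relays": find_spam_relays(records, mail_servers)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the sample, the host talking IRC on port 8080 is flagged alongside the one on 6667, the FTP login "USER anonymous" is not, and 10.1.1.52 stands out for opening SMTP sessions to four different servers while the real mail relay is exempt. A workstation has no business speaking SMTP to the outside world at all, so in production the threshold can be 1 for anything that is not a mail server.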

For more information on botnets, I suggest you check out the Honeynet Project at http://www.honeynet.org.

© 2024 ALM Global, LLC, All Rights Reserved.