BOTNET - A Network of Compromised Systems

Dr. Sanjeev Sofat,Prof. Divya Bansal Mayur Gupta

Department of Computer Science
Punjab Engineering College, Chandigarh
mayurgupta73@gmail.com

I. INTRODUCTION II. BACKGROUND

A collection of bots form up a botnet. The term bot is A. Elements of Botnet

derived from “ro-bot “.Bot is used to describe a script or set
of scripts designed to perform predefined functions in
automated fashion like computer robots.
A bot is the compromised machine that waits for commands
from a certain controller, Several compromised machines
form up a botnet. They are remotely controller from a
Command and Control (C&C) machine that is also a
compromised machine used to protect the real IP of the
controller. Initially bots were used to automate some tasks
in the server environment i.e.to run as a daemon process on
legit machines and to help the chat room owners in keeping
their channel nice and tidy. One of these bot is the Eggdrop.
These bots could communicate between themselves to form
a botnet. Thus originally botnets were used for creative
purposes.
Like many other things these botnet also possess the two
notions promotion and degradation.. So, a bot in the
"degredation" notion could be defined as a computer
program installed without user's knowledge; running
hidden, on a Windows or UNIX platform that connects to a
pre-defined server and chat room and awaits for commands
from a master. These are the compromised machines also
known as “zombies”.
• Bot: is typically an executable file, capable of
performing a set of functions, each of which could
be triggered by a specific command. A bot when
installed on victim machine copies itself into a
configurable install directory & changes system
configuration to start each time system boots. An
off-the-shelf bot generally used by less
sophisticated attacker can be downloaded from
warez site on internet & edited to include, desired
server to connect, remote TCP port to use for this
connection, channel to join on that server and
authentication password referred to as ‘key’ to gain
access to attackers private channel.
A more sophisticated attacker can even manipulate the bot
characteristics like files created after installation and install
directory where the bot files reside after installation. Bots
are not the exploits for OS or application, they are the
payload carried by worms or means used to install backdoor
once a machine has been comprised [1].

Now the days Botnets are used for various purposes,

mostely for illegitimate activity. Some of their uses includes
launching distributed denial-of-service (DDoS) attacks,
sending spam, trojan and phishing email, illegally
distributing pirated media, serving phishing sites,
performing click fraud, and stealing personal information,
among others. They are also the sources of massive exploit
activity as they recruit new vulnerable systems to expand
their reach.

Botnets have developed several techniques in their malware

and infrastructure that make them robust to typical
mitigation techniques. Due to their large volume, various
capabilities, and robustness they pose a significant and
growing threat to the Internet as well as enterprise networks.
Due to the threats to the reliability and utility of the Internet
for different applications, a much better understanding of Fig 1: Elements of typical bot Attack
the individual botnets is needed to formulate appropriate
mitigation strategies.

1
 ƒ Victim machine: is the compromised internet host
on which the malicious bot is installed after the
attacker has exploited an application or operating
system vulnerability or has duped the user into
executing a malicious program. Once infected the
target host are also referred to as Zombies.
ƒ Attacker: is the one that configures the bot, it
comprises a machine to install a malicious bot,
controls & directs the bots once it joins the
designated IRC channel.
ƒ Control channel: is a private (IRC /HTTP) channel
at server side created by the attacker as rendezvous
point for all the bots to join once they are installed
on infected machine & are online, it comprises of a
channel name & a password ‘key’ to authenticate.
ƒ Server: is a system which provides services to its
users or clients, this could be a legitimate public
service provider like DALNET etc. or another
attacker’s compromised machine.
ƒ Botnet: All the bots once connected to control
channel form a botnets i.e. network of bots,
awaiting the attacker command.
B. Botnet working:
Most modern bots are controlled via IRC. IRC servers by
default use Port 6667.IRC Servers also usually listen on
several other ports by default including 6660, 6661, 6662,
6663, 6664, 6665, 6666, 6668, 6669 and 7000. These other
ports are often used so that the more commonly known Port
6667 is not shown in Netstat as a remote port that the
computer is connected to. Many IRC servers used by
botherders are modified and may run on almost any port.[2]
The figure 2 shows a typical botnet and the steps a bot
infected system will go through.
Figure 2 – Botnet Overview
2
When a bot signs in for duty, it does so to an IRC server
which is running a specific channel [2] for the bots and bot
masters to log in to. Typically these ‘bot’ channels will
hidden as much as possible to stop the IRC server
owner/admin from finding the botnet channel and killing it.
To do this the bot master will almost use the following
modes for the channel at the very minimum:
ƒ +s (Mark the channel as secret so that it cannot be
seen in channels list)
ƒ +u (Hide the userlist)
ƒ +m (Make the channel moderated. So that a user
cannot send text to that channel unless they have
operator @ access or +v voice)
ƒ +k (Make the channel password protected).
Botnets usually use dynamic DNS names from any of the
providers that offer free dynamic DNS services. These when
configured are setup with a very short TTL (Time-to-live),
so if the botnet‘s current IRC server gets disconnected the
botnet is headless [command and control disabled] only for
a short while until a new IRC server is specified or the
original comes back on-line on a new IP address. Other IRC
commands may well, in the case of private IRC servers,
have been removed and discourage anyone who finds the
server, or to warn the botnet owner that their server has been
found.
So, once the ‘zombie’ system signs on for duty to the IRC
control channel, it will almost certainly receive some
instructions, these may well be to firstly try and find other
‘victims’ to press-gang into service as partof the botnet it
has joined.
Figure 4, shows number of ways that a bot can get installed
on a new victim system.
Figure 4 – Bot Spreading and Updating
Methods
 IRC networks or build their own. Private IRC servers can be
Other than scanning for new victims to infect, the zombie collocated at “bullet proof”[a] (BP) hosting providers that
may be requested to update the bot executable or install new guarantee uptime, or the software can be installed on one of
components.Any bot infected system can become the master the compromised systems.
command and control IRC server. This makes it quite
difficult to ‘behead’ a botnet, as in reality it can ‘re-grow’ a The IRC channel topic can instruct compromised systems
new head almost at will. within the botnet to perform a specified action. The channel
topic shown in Figure 6 directs the system to perform the
Prime Targets/Victims following functions:[5]
The most desired profile of victims by the botherders are the
one connected to internet, thereby most vulnerable to bots
infection are less monitored, high bandwidth, home
computers or university servers[4].

ƒ High bandwidth: one of the most sorts after
internet hosts by attackers are machines connected
to internet by broadband access, giving attackers
large cumulative attack bandwidth to target servers
for DDoS or host pirated files or software.

ƒ Availability: the attacker prefers machines that are

“always on”, highly available to carry out their
commands round the clock.

ƒ Low user awareness & monitoring capability:

Users with low internet security awareness & with
limited resources to invest in access control devices
are specially targeted for bots infection. Lack of
updated operating system and/or application in
addition to non-existence of access control devices
like firewall gives the attacker the opportunity to
break into system & maintain the bots over a long
period of time without being identified or traced. Fig 5 - IRC Command and Control.

ƒ Location: the attacker target machines, which are
geographically far away from their own location &
with relatively low probability of law enforcement
officers being able to trace the bots back to
attacker.
Thus the most likely profile of the victims is that of a
residential broadband connection or university servers those
are connected to internet via broadband connection & are
most of the time available i.e. ‘on’. The attackers generally
target residential broadband connectivity providing ISP
subnets or university subnets that have low or no access
control devices, with minimal monitoring of internet
connection.
III. COMMAND AND CONTROL TECHNOLOGIES
A. IRC servers for command and control
The most commonly used C&C server type is internet relay
chat (IRC). These servers are
favored because they require very minimal effort and
administration for use in C&C. Attackers can use public
• .advscan – botnet command to scan for
vulnerable systems
• lsass_445 – attempt to exploit vulnerable hosts
using VU#753212
• 150 – the number of concurrent threads
• 3 – the number of seconds to delay between
scans
• 9999 – specified amount of time to perform the
scanning activity
• -r – the IP addresses it attempts to scan should
be generated randomly
• -s – the scan should be silent and not report its
findings back in the channel
B. Web-based command and control
Another method attackers use to control a botnet is HTTP.
Attackers most commonly configure bot malware to instruct
the compromised system to access a PHP script on a web
site with its system-identifying information embedded in the
URL. A web interface can be created to track and control
the botnet.
[a] The term “bullet broof” hosting means that the services
offered can not be shutdown. These facilities tend to be

3
located overseas or offshore where laws may not be present
or as strict.
Figures 6 and 7 present web-based C&C interface views.
Attackers use the interface to send commands to an
individual system or to the entire botnet via the HTTP
responses. A more covert way for the malware to receive its
commands is for it to query a web site under the attacker’s
control. The malware knows what information to expect and
how to interpret it into valid commands.
Fig 6 - Web-based Command and Control - Reporting
Interface.
Upon infection, the compromised system attempts to contact
the web-based C&C server and notify it of the machine’s IP
address, what port its proxy is running on and its machine
identification string, which can be used to identify and
communicate with individual bots.
Figure 7 - Web -based Command and Control - Command
Interface
4
The cmd.php page shown in Figure 7 is an example of a
web page used by bot herders to
send commands to compromised systems within the botnet.
These commands are entered into the page and, upon
submission, a command file is created(cmd.txt).The
compromised systems query for the cmd.txt file every 5
seconds and then perform any of the commands issued to
them. Some of these commands direct bots to
• download and execute files from a URL execute shell
commands
• adjust the storage location of screen captures and URL
logs
• adjust the hosts file on the compromised system
C. P2P command and control
Peer-to-peer (P2P) is another C&C architecture used by the
attacker community to control botnets. The key feature of
P2P as a command and control structure is that it has no real
central server that can be shutdown to disable the botnet.
Two of the more established pieces of botnet malware that
have implemented this C&C structure include
Phatbot[6a,6b] and Sinit.[7].
Phatbot utilizes the Gnutella cache servers to establish its
list of seed peers. The P2P protocol used on the
compromised systems is a modified version of the
WASTE[8] protocol. Sinit establishes its list of peers by
randomly sending out packets and utilizes digitally signed
code to ensure only specified files are executed.
D. DNS command and control
The attacker community will continue to adapt and look for
new botnet communication channels. Now the days
botherders uses a piece of malware that constructed a DNS-
style name using a hard-coded domain name, which it then
attempted to resolve using the gethostbyname() API. The
DNS server authoritative for the queried domain responded
with an answer that contained encoded information for the
system. This made the C&C traffic look like legitimate DNS
resolution traffic. The biggest advantage to using DNS as a
C&C mechanism is that DNS is used by everyone and is
permitted through the majority of firewalls. Even when a
localized DNS server is used and DNS queries are blocked
by the firewall, the local DNS sever could still forward
queries to the authoritative server and the C&C traffic
would still pass through the firewall.
IV. THE BOTNET LIFE CYCLE
Botnets follow a similar set of steps throughout their
existence. The set of steps can be termed as life cycle.
Figure 10 illustrates the common life cycle of a botnet
client.[9]
A. Exploitation
The life of a botnet client, or botclient, begins from its
exploitation. This exploitation to botclient can be done in
different ways. Some of methods are as follows
Malicious Code
Exploitation through malicious code may cause various
types of vulnerabilities including:
■ Phishing e-mails, which lure the user to a Web site that
installs malicious code in the background,
■ Enticing Web sites with Trojan code (“Click here to see
the Dancing Monkeys!”).
■ E-mail attachments that when opened, execute malicious
code. www.syngress.com
■ Spam in instant messaging (SPIM). An instant message is
sent to someone by some know person with a message like
“You got to see this!” followed by a link to a Web site that
downloads and executes malicious code on victims
computer.
Fig 8: Botnet Life Cycle
Attacks against Unpatched Vulnerabilities:
To support spreading via an attack against unpatched
vulnerabilities, most botnet clients include a scanning
capability so that each client can expand the botnet. These
5
scanning tools first check for open ports. Then they take the
list of systems with open ports and use vulnerability-specific
scanning tools to scan those systems with open ports
associated with known vulnerabilities. Botnets scan for host
systems that have one of a set of vulnerabilities that, when
compromised, permit remote control of the vulnerable host.
A fairly new development is the use of Google to search for
vulnerable systems
The hacker community is counting on millions of users that
do not update their computers promptly. Modular botnets
are able to incorporate new exploits in their scanning tools
almost overnight. Diligent patching is the best prevention
against this type of attack. If it involves a network protocol
that one don’t normally use, a host-based firewall can
protect against this attack vector.
However, if it is a protocol that one must keep open it will
need intrusion detection/protection capabilities.
Unfortunately there is usually a lag of some time from when
the patch comes out until the intrusion detection/protection
updates are released. Sometime antivirus software may be
able to detect the exploit after it happens, if it detects the
code before the code hides from the A/V tool or worse,
turns it off.
Vulnerabilities Commonly Exploited by Bots:
Agobot spreads via several methods including:
■ Remote Procedure Call (RPC) Distributed Component
Object Model (DCOM) (TCP
ports 135, 139, 445, 593, and others) to XP systems
■ RPC Locator vulnerability
■ File shares on port 445
■ If the target is a Web server, the IIS5 WEBDAV (Port 80)
vulnerability
SDBot Spreads through the following exploits:
■ NetBios (port 139)
■ NTPass (port 445)
■ DCom (ports 135, 1025)
■ DCom2 (port 135)
■ MS RPC service and Windows Messenger port (TCP
1025)
■ UPNP (port 5000)
■ Server application vulnerabilities
■ WebDav (port 80)
■ MSSQL (port 1433)
■ Third-party application vulnerabilities such as DameWare
remote management software (port 6129) or Imail IMAPD
Login username vulnerability (port 143)
■ A CISCO router vulnerability such as CISCO IOS HTTP
authorization (Port 80) vulnerability
Backdoors Left by Trojan Worms or Remote Access
Trojans:
Some botnets look for backdoors left by other malicious
code like Remote Access Trojans. Remote Access Trojans
has the ability to control another computer without the
knowledge of the owner. They are easy to use because only
few skilled users deploy them in their default
configurations,which causes anyone, who knows the default
password can take over the Trojan’ed PC.
SDBot exploits the following backdoors:
■ Optix backdoor (port 3140)
■ Bagle backdoor (port 2745)
■ Kuang backdoor (port 17300)
■ Mydoom backdoor (port 3127)
■ NetDevil backdoor (port 903)
■ SubSeven backdoor (port 27347)
B. Rallying and Securing the Botnet Client
Rallying is the initial phase of the life of a new botnet
client.. Rallying is the term given for the first time a botnet
client logins into a C&C server. The login may use some
form of encryption or authentication to limit the ability of
others to eavesdrop on the communications. Some botnets
are beginning to encrypt the communicated data. At this
point the new botnet client may request updates. The
updates could be updated exploit software, an updated list of
C&C server names, IP addresses, and/or channel
names.This will assure that the botnet client can be
managed. The next task of Botherder is to secure the new
client from removal.The client can request location of the
latest anti-antivirus (Anti-A/V) tool from the C&C server.
The newly controlled botclient would download this
software and execute it to remove the A/V tool, hide from it,
or render it ineffective. The botnet also start its rootkit
detector and hide and launch the password collection
programs.[10]
C. Waiting for Orders and Retrieving the Payload
After securing the botnet client, it will listen to the C&C
communications channel. Now onwards it is the Botherder
who sends some commands to Botclients, in order to
perform some operation.
The botnet client will then request the task or functions to be
done. These function can change at any time through
modular design. Updates can be sent prior to the execution
of any assigned task.The function of the botnet client can be
changed simply by downloading new payload software,
designating the target(s), scheduling the execution, and the
desired duration of the action.
V. BOTNET MITIGATION TECHNOLOGIES
A. Perimeter and Network Firewalls
To help minimise the chances of infected systems ‘phoning-
home’ once successfully infected by a bot one should ensure
to ‘‘deny-all’ policy on firewalls; both at the perimeter and
also on other firewalls used to partition the network. The
same goes for all other network aware applications that need
[or want] to connect to the internet or across network, use a
6
denial all firewall setup. Only open up ports that need to be
open for internet access. This will help not just in tackling
bots but malicious software in general. Firewall logs [and
DNS, Proxy, SMTP, etc.] should be reviewed regularly to
ensure that any bot and botnet traffic can be analysed,
infected systems remediated and further defences can be
considered or existing ones fortified by tightening
configurations, etc.
B. Application Firewalls (Proxies)
Where possible proxy all traffic destined for the Internet,
this that can be setup to use a proxy server. All traffic for
these protocols including IRC, HTTP, FTP and any other
protocol or application that do not use the proxies should be
blocked. All application can run using proxy server like
Netcat, SocksCap, and HTTP-Tunnel so one should be
aware that proxy is secured and enable logging so that user
can review the logs to look for any IRC traffic which has
passed through the proxy server.
C. DNS
Setup local DNS records for known botnet control sites, so
that the command and control for these botnets are disabled.
This is commonly called "nullrouting" or a “sink hole”,
because the DNS entries direct the offending domain or
subdomains to an inaccessible IP address. Some examples
of IRC botnet names that can be neutralised in this way
includes:[12]
• bleh.darkacidonline.us
• blackcarder.net
• pod2004.dyndns.dk
• metalhead2005.info
• d66.myleftnut.info
• m3t4lh34d.info
D. SMTP
Only ‘official’ SMTP servers are allowed to route mail to
the internet, all other SMTP traffic that does not use the
‘official’ SMTP servers should be logged and/or dropped as
it is the result of malware, either trying to spread itself or
sending SPAM, Phishing or Scam emails. These include file
extension such as in table 1.There are almost certainly a
number of other extensions/file types that should be blocked
and a number of those on the list have caveats associated
with their use.
E. IDS and IPS
IDS is a system that tries to identify attempts to hack or
break into a computer system or to misuse it. IDSs may
monitor packets passing over the network, monitor system
files, monitor log files, or set up deception systems that
attempt to trap hackers”. IDS has two variants: [13]
(a) NIDS [Network based Intrusion Detection
Systems] and
(b) HIDS [Host based Intrusion Detection
Systems]
and they both use in the fight against bots and botnets.
Network based Intrusion Detection Systems:
NIDS monitors all network traffic passing on the segment
where the agent is installed, reacting to any anomaly or
signature based activity. Basically this is a packet sniffer
with attitude.They analyse every packet for suspected
nefarious activity, most will also look for anomalies within
the protocol.
There are many NIDS products on the market, probably the
best known are:
• Snort
• RealSecure
Host based Intrusion Detection Systems:
Most HIDS do one or more of the following to detect the
compromised systems
1. Integrity checking
2. System Log monitoring
3. Policy driven behaviour blocking
4. Kernel wrapping
5. Buffer overflow detection
Intrusion Prevention Systems:
IPS is an intrusion prevention system is any device which
exercises access control to protect computers from
exploitation. "Intrusion prevention" technology is
considered by some to be an extension of intrusion detection
(IDS) technology, but it is actually another form of access
control, like an application layer firewall. Intrusion
prevention systems were invented by vendors who decided
to make access control decisions based on application
content, rather than IP address or ports as traditional
firewalls had done.
Intrusion prevention systems may also act at the host level
to deny potentially malicious activity.According to some
researchers, IDS is dead and has been replaced by IPS
[Intrusion Prevention Systems]. Examples of IPS products
include: IntruShield from McAfee, Proventia from Internet
Security Systems and Attack Mitigator from Top Layer. Just
like with IDS there are both Network and Host based
solutions available. The IPS possesses the capabilities to
stop malicious traffic it recognises in its tracks, thereby
stopping an infected system infecting others on the
network.[14]
F. Anti-Virus
The use of anti-virus technologies as a detection method for
bot infected systems is most prominent, as many of the bots
are detected by anti-virus products. In some cases this
functionality may well be the first to be deployed, as a
dropper being spammed out. Once run the dropper lowers or
neutralises any local defences and then opens up the
backdoor, or just downloads more components as required
to complete the infiltration. The anti-virus tools can only
[normally] detect malware they know about. New malware
variants may well be detected by heuristics.
7
G. Anti-Rootkit Tools
Rootkit- A rootkit is a collection of tools an intruder brings
along to a victim computer after gaining initial access,
usually via hacking into the box manually or by getting a
user to execute a Trojan or Worm which will install a
backdoor for them to slither onto the system in the first
place. A rootkit generally contains network sniffers, log-
cleaning scripts, and trojaned replacements of core system
utilities.
There are a number of tools available to be able to detect
and remove rootkits, some of these includes:
• ChkRootkit
• Rootkit
• RootkitRevealer
• UnHackme
H. Personal Firewalls
These can be used to block unwanted applications from
being able to connect to the network, effectively. This
means that the bot can’t join the botnet, it won’t get the
orders that the bot-herder is issuing and therefore the risks
are reduced.
I. Anti-DDoS Products
Number of vendors offer products/services which can be
used to filter or drop DDoS traffic on network perimeter.
This is achieved by dropping traffic based on source IP
addresses and protocols. Many of these products/services
work by looking for anomalous traffic, they achieve this by
monitoring individual or aggregate traffic flows.
Network level defences (used to detect and filter/stop
floods)
• Arbor Networks [http://www.arbornetworks.com/]
• CS3 [http://www.cs3-inc.com/]
• Captus Networks
[http://www.captusnetworks.com/]
• Cisco Systems [http://www.cisco.com
• Lanscope [http://www.lancope.com/]
• Mazu Networks [http://www.mazunetworks.com/]
• Riverhead Networks [http://www.riverhead.com/]
• Reactive Network Solutions
[http://www.reactivenetwork.com/]
• Top Layer [http://www.toplayer.com/]
• IntruShield [http://www.mcafee.com/]
• Host level defences (detect, stop handler/agent
installation)
• Entercept [http://www.mcafee.com/]
• Tripwire [http://www.tripwire.com/]
• AIDE [http://sourceforge.net/projects/aide]
Dynamic middlebox invocation is critical for deployability
because it ensures that during peace time (i.e., when there is
no ongoing DDoS activity) customer traffic does not have to
pay the penalty of triangular routing through the
middleboxes. Dynamic middlebox invocation is also
important for the defense system itself because it focuses all
defense resources only on the connections whose
destinations are under attack, leaving other customers
unaffected. The defense system can thus benefit from
statistical multiplexing and potentially protect many more
customer networks with the same available resources.

Table 1. FTP file extensions

[7]. Technical analysis can be located at:

REFERENCES http://www.lurhq.com/sinit.html.

[1]. Bots & Botnet: An Overview published by Ramneek
Puri,August 08, 2003 GSEC Practical
Assignment Version 1.4b Option 1 – Research on Topics in
Information Security.
[2]. Know Your Enemy: Tracking Botnets –
http://www.honeynet.org/papers/bots/
[3].Source URL: http://swatit.org/bots/gallery.html.
[4]Source URL:
http://www.netsys.com/library/papers/DDoS-ircbot.txt
[5] Paper The Zombie Roundup: Understanding, Detecting,
and Disrupting Botnets By Evan Cooke, Farnam Jahanian,
Danny McPherson ,Electrical Engineering and Computer
Science Department
[6]. a Technical analysis can be located at:
http://www.lurhq.com/phatbot.html.
b. Leyden, John. Phatbot arrest throws open trade in
zombie PCs.
http://www.theregister.co.uk/2004/05/12/phatbot_zombie_tr
ade/
[8]. Additional information regarding WASTE can be
located at: http://waste.sourceforge.net/.
[9]. Book on Botnet :BOTNETs –The killer Web App by
Craig A.Schiller, Jim Binkley, David Harley, Gadi Evron,
Tony Bradly
[10] Source URL: www.syngress.com
[11]Source URL
www.usdoj.gov/criminal/cybercrime/parsonSent.htm
[12] “Botnets, detection and mitigation – DNS based
techniques”
Source URL: http://aharp.ittns.northwestern.edu
[13] Symantec security check
Source URL:
http://security.symantec.com/sscv6/home.asp?j=1&langid=i
e&venid=sym&plfid=23&pkj=BINJ
ESLHFEPGEVVSDUX.
[14] Paper “Killing Botnets - A view from the trenches” by
Ken Baylor, Ph.D. CISSP CISM Chris Brown, CISSP CISM