NEWS AT SEI
This article was originally published in News at SEI on: February 1, 2008
This column is based on a podcast recorded with Nick Ianelli and posted to CERT’s Podcast Series: Security for Business Leaders. Nick Ianelli is a member of the CERT Coordination Center, conducting artifact analysis on malicious code. Julia Allen, who interviewed him, manages CERT’s Podcast Series and conducts research in security governance and software assurance.
Part 1: The Threat
Julia Allen: Would you describe what botnets are (short for robot networks) and why they are on the rise?
Nick Ianelli: A botnet is made up of compromised hosts, which are commonly referred to as bots or zombies. Botnets are collections of compromised hosts, centrally managed, or managed from multiple points, but they’re logging into a location that’s easily manageable.
It’s hard to say with absolute certainty why these things are ongoing and rising. The simple fact is the code is out there, it’s very easy to use, and if anybody has any questions, there’s free support on the Internet to assist in trying to get these things to run, operate, or exploit vulnerable machines.
Julia Allen: When you say “compromised hosts,” and you talk about the code, what that means to me is that someone’s taken a piece of software, one of these bot software packages, and actually installed it on a whole bunch of computers. Do I have that right?
Nick Ianelli: Yes.
Julia Allen: And then they have an ability to control that in some fashion, upon request.
Nick Ianelli: The most popular command and control method that’s being used is what’s commonly referred to as IRC, Internet relay chat. It’s a text-based chatting program that’s been around for years. Botnet attackers can log into IRC servers, go into specific channels, and see all of the users within that channel by issuing a command in that channel. All the compromised hosts there will respond and do the action requested by the person issuing the command.
Julia Allen: So is that one of the things that makes botnets so dangerous, this command and control structure, and why attackers find them so appealing?
Nick Ianelli: Yes, it’s very easy for attackers to log into a central location, issue one command, and if they have a botnet of 1000 compromised hosts, have them all do the same thing at the same time.
Julia Allen: So how would attackers find a compromised host to install one of these bot software packages on?
Nick Ianelli: They could buy compromised hosts from other attackers. There’s an underground economy, where attackers have a smorgasbord of items for sale: compromised hosts, stolen accounts, malware, botnet source code—you name it, they have it for sale. Some of these guys even start with infecting their own machine, or infecting a friend’s machine, and then get that particular machine to start scanning the network for other vulnerable hosts. And once they have one, they just keep trying to look for others, and then once those get compromised, they’re instructed to look for others. It’s an ongoing repeatable process for them to add more hosts to their botnet.
Julia Allen: It sounds like there’s a fair amount of information sharing that goes on within the intruder community about many topics, but about this topic in particular. Is that correct?
Nick Ianelli: Yes, it’s amazing. These people have no qualms about sharing information with other people, whether they’re direct competitors, senior people, or newbies. If somebody knows the answer to the question, or if multiple people know the answer to a question, they don’t hesitate to assist, provide information, provide pointers, and to even provide code to do what the person’s asking to do.
Julia Allen: That’s remarkable. Well, without disclosing specific cases, could you describe some of the impacts of a successful botnet attack?
Nick Ianelli: One of the biggest impacts is data theft or data exfiltration. Once a bot gets on your machine, whatever you as the user have access to, or whatever your system has access to, the bot malicious code now has access to. And the people who are running these botnets understand that. So they’ve built in features that permit them to access all of the resources on the infected system. They put in key loggers, they look for specific files, they look for .doc (Microsoft Word) extensions, and spreadsheet .xls (Microsoft Excel) extensions. Once they find this information, they upload it to a specific location or they send the information to a central site where they can parse through it and decide what they want to do with the information.
Julia Allen: So pretty much anything that I would be doing on my laptop, be it at home or in the office, if there is bot code installed on my computer, an attacker can see or access everything I’m doing.
Nick Ianelli: That is correct. So if you have access to network shares for example, where other people store their backup files, the bot malicious code has the capability to potentially access that network share and have access to all of those files. All of your mail contacts, your address book—botnet malware has the ability to capture all of that. In addition, bots have the ability to send email from your machine as you to the people in your address book.
Julia Allen: Some pretty scary thoughts here, wouldn’t you say?
Nick Ianelli: I’ll say.
Part 2: How Do I Know If There’s a Botnet on My Computer?
Julia Allen: Why is the infiltration of botnet agents on our computers so hard to control? Couldn’t firewalls, anti-virus (AV), or intrusion-detection systems be used to find these agents on our computers and eradicate them?
Nick Ianelli: In most cases I would say yes, as long as everything is properly configured, and everything is patched, secured, hardened and up-to-date. But if you think about it, botnets tend to propagate in two ways.
The first way is vulnerability exploitation; attackers are looking for vulnerable hosts on the Internet. Once they find one, they try to exploit it. What we see in analyzing botnet malware is that the majority of vulnerabilities attackers attempt to exploit have had patches available for three, four, five years. Attackers are still attempting to exploit vulnerabilities that came out in 2003, 2004, 2005. If people were to patch their systems, these vulnerabilities would no longer work.
The other way we’re seeing is social engineering. As you may recall, I said I could send email, as you, to somebody within your address book. Sending email as you adds an extra layer of confidence in the person receiving that message. If I send email that says, “Hey, check out this attachment,” or “Check out this Word document,” and you double-click on it, there’s a chance that your computer is going to run a piece of code that could install bot malicious code on your machine, and now you’re infected and you’re owned (by the attacker).
Julia Allen: Right, because I’m assuming the email came from you, so I trust it.
Nick Ianelli: Correct.
Julia Allen: And then proceed from there without realizing that I’ve just done myself some serious damage.
Nick Ianelli: Right. You’re probably wondering, “Why didn’t my AV catch that? There was malicious code in that email.” You need to consider that attackers are in an arms race with the anti-virus community. Attackers will take a piece of code and they will try to obfuscate it so that anti-virus tools don’t detect it.
There are public and private websites where an attacker can upload his malicious code, get the AV results from 10, 20, 35 different AV engines. He may be only concerned with a couple of them, but as long as they pass those couple, he’ll try to exploit with that piece of malicious code. If the majority of the AV tools detect the attacker’s code, the attacker will attempt to obfuscate it in another manner so that those AV tools don’t detect it.
Julia Allen: Right, so effectively it flies under the radar screen and no one’s the wiser.
Nick Ianelli: Exactly, and that’s just trying to obfuscate it. Let’s say that this is a brand new piece of malware—the AV community has never seen it. First, they need to get a copy. If their existing signatures or heuristics don’t detect it, they need to get a copy, analyze it, and then they need to make a determination, “Do I adjust an existing signature? Do I create a new signature? Or do I adjust one of the heuristics to try to catch this?” Once they make these changes, then they need to push the updates out to all of their end users. All of this takes time but during this window, the botnet malware is propagating.
Julia Allen: Right, and that’s a reactive solution, because you’re analyzing the bot code after the fact, correct?
Nick Ianelli: That’s correct.
Julia Allen: How can business leaders determine if botnet agents are on their computers, or on their organization’s computers and networks, and if they do locate them, how can they get rid of them?
Nick Ianelli: They need to have logging on all their critical systems, including all of their systems that may touch the Internet. A primary example is if you have a router, you want to make sure that you’re logging net-flow data from that router. Then you want to see if you can correlate that data with any of your other logs, say for your mail server or your DNS (domain-name system) server.
See if you can correlate or even visualize that data. There’s a good chance that if there’s a botnet, an infected host, or one machine that’s in a botnet, and if you can quickly look at some net-flow data, you have the potential to see quickly that there’s an infection on your network. Generally what we see is once a computer’s infected, it will try to scan for other computers. You’ll be able to pick that out right away by looking at net-flow data visually.
Julia Allen: In other words, if there’s an infected computer in my network, and it’s trying to scan other computers, I’m going to see a real up-tick in the number of messages or the types of messages that computer is sending out, right?
Nick Ianelli: Yes. If your company has an authoritative DNS server—if your machines are configured to ask your company’s DNS server first how to resolve a DNS name or a host name—you can set up some type of logging there, where you’re looking for anomalies or odd-looking domain names, and you can alert on them. You don’t have to drop the DNS request, but you can alert on them and then just manually review them.
With botnets, their DNS requests—the DNS names and the host names—are quite odd and obvious. That’s a pretty good indicator of a potential infection.
Julia Allen: So taking that kind of preventive monitoring action before things get out of hand?
Nick Ianelli: Yes.
Part 3: And What Can I Do About It?
Julia Allen: Let’s say that I’ve found this kind of activity through my logging or using an authoritative DNS service. How can I get rid of these guys?
Nick Ianelli: Your best bet is going to be to try to locate all the critical files on the system, pull them off or back them up, and then scan the files that you want to keep to make sure they’re clean. The best way to ensure that your computer is clean is to just wipe it and start from scratch. Rebuild the operating system and then load all of your applications. Load all of your files back onto the system after you’ve ensured that they’re not infected. It’s really the only way you’re going to know that your machine is no longer infected.
Julia Allen: So basically doing a thorough house cleaning?
Nick Ianelli: Yes.
Julia Allen: Are there any actions that business leaders and other users can take to get in front of this, both to prevent and to detect further infection? You had mentioned having your patches be up to date as one step.
Nick Ianelli: If you take a defense-in-depth approach, that’s a great starting point. You want to raise awareness, both with your senior management and your employees. You want to make them aware that this type of activity is occurring, and when it occurs, what the potential losses are that both the organization and the individual can suffer. Not only can the organization suffer, but if individuals are going to a website, and a key logger is turned on, and that website just happens to be their personal bank account, that information can be exfiltrated, and attackers can get their hands on it.
Provide education and training classes. They don’t have to be anything in-depth, maybe a lunchtime session to continue to keep this fresh in people’s minds. If they’re doing the right thing at work, they’re generally going to do the right thing at home. That just makes the Internet a better place for people to surf and visit.
Make sure that all of your patches and your software are up-to-date. If you need to test before you apply a patch, just know that. Have a plan ready so you can secure the system. Lock it down as tight as possible, so that until you get it patched, your services aren’t down. Actively monitor this to make sure that nobody’s exploiting the unpatched vulnerability.
Julia Allen: It occurs to me, given that attackers are looking for vulnerable machines, if my machine is well-patched, up-to-date, and securely configured, they’re going to go somewhere else, right?
Nick Ianelli: Sure. A botnet logs into whatever command and control mechanism is in place (IRC or HTTP for example). These mechanisms use TCP port 80, so you’ve got to filter both inbound and outbound requests. You also have to watch the infamous peer-to-peer malware, such as the Storm worm, which operated on what appeared to be eDonkey peer-to-peer traffic.
So, yes, you need to watch this because when bot malware logs into its command and control server, if the command is to scan for a particular vulnerability, it will continue to scan for it as long as it’s programmed to, and that can mean hours, days, or weeks. So as soon as a machine is compromised, it logs into the IRC server. The next thing you know, the bot code on the compromised machine is scanning the entire Internet, starting with your network.
Julia Allen: Right, so one of the best preventive measures is to make sure that they don’t stop at my computer in the first place, right?
Nick Ianelli: Right. If you’re raising awareness and providing education to your employees, the chances that they’re going to get infected at work are slimmer and the chances they’re going to be infected at home are slimmer as well.
Julia Allen: If I do get in trouble, are there certain organizations I can contact and where are some good places to learn more about this?
Nick Ianelli: The first thing you want to make sure of is that you have contacted your upstream Internet service provider (ISP). You want to know who to call and when to call before you actually have a problem. When you have a problem, the last thing you want to do is fumble around and be saying, “Oh man, where is this number? Who do I call? What line?” The important thing is time. If a machine on your network has been instructed to perform a DDoS (distributed denial-of-service attack) against another company, you’re going to want to get that shut down. If there’s a DDoS attack being launched against you, you’re going to want to make sure you get that shut down. Your ISP is going to be your best friend in that case.
Know where to submit malicious code. Let’s say you found botnet malware on your machine. What do you do with it? Know what to do with that information. Again, it’s all about time. In a time of crisis, you want to make sure you’ve already defined a game plan.
Julia Allen: So another good preventive measure is to have incident response contacts and procedures in place, so that you can use them when you need them.
Nick Ianelli: Exactly. Being prepared ahead of time is going to save you in the long run.
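The two detection signals described in Part 2 (an infected host fanning out scans to many peers, visible in net-flow data, and odd-looking DNS names that are worth alerting on for manual review) can be turned into simple checks. The following is an added example, not code from CERT or the podcast; the net-flow records, DNS log lines, and the thresholds (20 distinct targets, 14-character labels, entropy 3.5) are constructed for illustration.

```python
"""Added example: two heuristics for the botnet signals discussed above,
run over constructed sample data (not real captures)."""
import math
from collections import defaultdict

# Constructed net-flow records: (src_ip, dst_ip, dst_port, packets).
# 10.0.0.5 touches 40 distinct hosts on one port with single-packet flows,
# the fan-out shape of a bot scanning for vulnerable neighbours.
FLOWS = [("10.0.0.5", "10.0.1.%d" % i, 445, 1) for i in range(1, 41)] + [
    ("10.0.0.7", "10.0.0.2", 53, 2),
    ("10.0.0.7", "93.184.216.34", 80, 30),
    ("10.0.0.9", "10.0.0.2", 53, 2),
]

# Constructed DNS query log from the authoritative resolver: (client, name).
DNS_LOG = [
    ("10.0.0.7", "www.example.com"),
    ("10.0.0.5", "x7k2q9d4mzp1vbt3.example.net"),
    ("10.0.0.9", "mail.example.com"),
]

def scanning_hosts(flows, min_targets=20, max_packets=2):
    """Return {src: (dport, distinct_targets)} for sources whose tiny flows
    reach at least min_targets distinct destinations on a single port."""
    fanout = defaultdict(set)
    for src, dst, dport, pkts in flows:
        if pkts <= max_packets:           # scans are short, one or two packets
            fanout[(src, dport)].add(dst)
    return {src: (dport, len(t))
            for (src, dport), t in fanout.items() if len(t) >= min_targets}

def shannon_entropy(label):
    """Bits of entropy per character of a DNS label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def odd_dns_names(log, min_len=14, min_entropy=3.5):
    """Flag queries whose leftmost label is long and high-entropy.
    This produces alerts for manual review; it does not drop the request."""
    hits = []
    for client, name in log:
        label = name.split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits.append((client, name))
    return hits
```

Both detectors point at the same constructed host, which is the kind of correlation between net-flow and DNS logs the interview recommends.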
Resource for More Information
CERT Podcast Series
Ianelli, Nicholas; Kinder, Ross; Roylo, Christian. “The Use of Malware Analysis in Support of Law Enforcement.” CERT Coordination Center, Carnegie Mellon University, July 11, 2007.
Ianelli, Nicholas & Hackworth, Alan. “Botnets as a Vehicle for Online Crime.” CERT Coordination Center, Carnegie Mellon University, December 1, 2005.
The views expressed in this article are the author's only and do not represent directly or imply any official position or view of the Software Engineering Institute or Carnegie Mellon University. This article is intended to stimulate further discussion about this topic.