Sep 30

Botnets – taking over the world even as you read these words.

Gone are the days of the lone teenage hacker breaking into computers for fun: Botnets are the only game worth their time now. Serious hackers with rent to pay have abandoned their anarchic principles to build vast global armies of home computers – perhaps even including yours, or that of someone you know.

Cloaked by increasingly sophisticated security, these so-called botmasters dodge justice to claim bragging rights from their peers – and, of course, to make a fortune by renting their creations to hardened criminals. Stealing your credit card and banking details, spamming, phishing, extorting money through DDoS (distributed denial-of-service) attacks and even hosting child pornography can all now be carried out with just a few mouse clicks. Depending on the payload that’s downloaded to each of the enslaved ‘zombie’ computers, these activities are only the tip of a growing iceberg.

While a botnet’s zombie software may take only tiny amounts of your CPU’s time, individual botnets are becoming so huge overall that some experts are starting to seriously worry about the sheer power that botmasters are making freely available for criminals to rent.

“In terms of power, the botnet utterly blows all of the supercomputers away,” says Matt Sergeant of MessageLabs.

What’s more, sophisticated construction kits are now being packaged into point-and-click products, ready for use by non-computer-literate criminals to build their own botnets. A growing market for add-on packages that can expand a botnet’s functionality is also developing, and botnet software that can even replace one infection with its own is already in the wild. The state of the art in malware design has never developed faster. And yet judging by infection rates and the sheer amount of stolen information available for sale online, home users are oblivious to the risks they run every time they use the internet. Most have never heard of botnets or botmasters, but with an average detection rate currently standing at around 47 per cent for the most widespread type of botnet software, your computer could be infected right now and you wouldn’t know it.

So just who is controlling our computers and how exactly are they making money out of doing so? To find out, we sought out the botnet hunters who fight back.

The scale of the problem

Sitting at his desk at Trend Micro, Rik Ferguson taps at his keyboard. “We’ve got one vendor here who has 8,000 UK cards in stock,” he says, “and they’re priced by BIN [bank identification number], and they’re priced at $10 per card. If you buy in bulk, if you buy 100 cards, you get them for $350. Bank accounts are normally priced at a percentage of the available balance in the account, rather than a fixed price.”

He then reels off a list of accounts at UK high street banks being openly advertised on the underground forum he’s infiltrated.

Calculating how many botnets and zombies there are is very difficult, as Luis Corrons, Technical Director of PandaLabs Security, explains. “Most of the time we cannot know the exact number of bots,” he says. “If you can gain access to the C&C [command and control] servers, you can see the stats; otherwise you can only guess.

“In the case of [the Mariposa botnet], we believed it was around 100,000 to 200,000 computers. However, once we had the ability to redirect the traffic from the C&C to our sinkhole, we found out that the amount of different IP addresses connecting there were in the millions.”
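Corrons’ sinkhole count is the standard way of sizing a botnet once its traffic can be redirected, and it is worth seeing why “millions of different IP addresses” is not the same as millions of bots. The script below is an added example, not code from the article or from PandaLabs: it assumes a sinkhole log of the form `<ISO timestamp> <client IP> <requested hostname>` (the lines are constructed) and reports both the headline total of distinct addresses and the peak number of distinct addresses seen in any single day.

```python
"""Estimate a botnet's population from sinkhole connection logs.

Added example, not from the article or any vendor it quotes. The log
format (timestamp, client IP, requested hostname) is an assumption and
the lines in SINKHOLE_LOG are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Constructed sinkhole log: "<ISO timestamp> <client ip> <hostname>".
# 203.0.113.10 and 198.51.100.7 check in on several days; the others churn.
SINKHOLE_LOG = """\
2010-03-01T00:05:12 203.0.113.10 cnc-example.invalid
2010-03-01T00:05:40 203.0.113.11 cnc-example.invalid
2010-03-01T06:12:03 198.51.100.7 cnc-example.invalid
2010-03-01T06:13:09 203.0.113.10 cnc-example.invalid
2010-03-02T01:00:00 203.0.113.12 cnc-example.invalid
2010-03-02T01:00:07 198.51.100.7 cnc-example.invalid
2010-03-02T09:45:51 192.0.2.200 other-example.invalid
2010-03-02T09:46:30 203.0.113.13 cnc-example.invalid
2010-03-03T03:33:33 203.0.113.10 cnc-example.invalid
2010-03-03T03:40:00 198.51.100.7 cnc-example.invalid
"""


def parse_sinkhole_log(text):
    """Yield (timestamp, ip, hostname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            ip = ip_address(parts[1])
        except ValueError:
            continue
        yield ts, ip, parts[2]


def population_estimate(text, hostname):
    """Return (total distinct IPs, peak distinct IPs in one day) for a hostname.

    The total over the whole window is the headline figure but is inflated
    by DHCP churn (one bot, many addresses over time). The single-day peak
    is a more honest lower bound on bots active at once, though NAT still
    hides several infected hosts behind one address, so it undercounts.
    """
    all_ips = set()
    per_day = defaultdict(set)
    for ts, ip, host in parse_sinkhole_log(text):
        if host != hostname:
            continue
        all_ips.add(ip)
        per_day[ts.date()].add(ip)
    peak = max((len(ips) for ips in per_day.values()), default=0)
    return len(all_ips), peak


if __name__ == "__main__":
    total, peak = population_estimate(SINKHOLE_LOG, "cnc-example.invalid")
    print(f"distinct IPs over window: {total}, peak in one day: {peak}")
```

Run against the constructed log this gives five distinct addresses in total but at most three on any one day, which is the gap between “different IP addresses connecting” and the number of infected machines that the quote is careful to separate.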

The Mariposa botnet is now known to contain 12.7 million infected computers, and this is just one botnet in a sea of many thousands of others. “Zeus Tracker right now is tracking 1,400 command and control servers of one particular Zeus botnet,” says Ferguson.

“There are somewhere over 1,000 different Zeus botnets out there, and that’s one piece of crimeware. The figures are scary. The number of spam bots – that is, compromised IP addresses that are sending spam which we track – we’re tracking about 23 million unique IP addresses. That’s just spam bots, so you could say that there’s probably a similar number of information-stealing bots out there as well.”

The total number of zombies Corrons and Ferguson alone track is near to 60 million, and the sizes of other botnets mean that they already outclass even huge computing facilities. The massive Conficker botnet easily dwarfs Google’s one-million-CPU cloud computing facility, with its mere 1,500 Gb/sec bandwidth. Conficker is thought to contain at least 18 million hijacked CPUs with a total bandwidth of 28 Tb/sec. What it does next depends entirely on who rents it, and renting is both very easy and very cheap.

According to iDefense, VeriSign’s security intelligence service, an average of $9 (roughly £6) currently buys an hour of botnet time to use as you wish. Just $67 (under £45) will buy you a full 24 hours, and brings the hourly rate down to just $2.79 (about £1.83).

The potential payback, however, is absolutely huge. “Mindboggling sums make their way into the pockets of people in the botnet business,” comments Yuri Namestnikov of Kaspersky Lab. “In [2008], spammers made about $780 million sending messages. An impressive result for adverts that nobody wants, isn’t it?”

“It’s now accepted by many that botnets can and do make serious money,” agrees Dale Pearson of Security Active. “There have been many under-20s who have set up botnets earning in excess of £30,000 per rental session. Obviously, the amount a botmaster earns is very dependent on the size and processing power of the army they control.”

The range of sophisticated uses for botnets makes them the Swiss Army Knife of online crime, as Catalin Cosoi, head of the BitDefender Online Threats Lab, explains. “Many botmasters now employ a ‘middleman’ approach – renting out their botnets for just a couple of dollars to launch large-scale spam campaigns, to automatically ping pay-per-click systems, or to use for several other features.

“These could include hosting phishing and pornographic websites on different infected computers, performing ‘brute force’ password attacks against different websites, using the networks as an anonymisation tool and so on.”

Growing threat

It’s not difficult to see the criminal appeal of botnets. Once the C&C servers (usually also hijacked) that each infected machine will contact to receive its orders are established, botmasters need to build, secure and maintain the biggest botnet possible in order to make money. The emergence of social networking has helped them immensely, aided by some specialised botnets.

“Some botnets have particular purposes,” says Ferguson. “Koobface is a great example of that. It’s designed to be spread through social networks and is aimed purely at stealing social networking credentials.”

Compromised social networking accounts are then made to post links to malicious websites. Each can result in hundreds of new infections as friends absent-mindedly take the bait. But creating a new botnet also attracts the attention of botnet hunters, and so the overall structure of botnets has also had to quickly evolve in an ongoing game of cyber cat and mouse.

“Conficker is a prime example of how botnets now use peer-to-peer communication channels to receive instructions, without requiring a communication channel that leads directly to the operators,” reveals Jeff Horne, Director of Threat Research at Webroot.

“Effective P2P botnet communication makes the operators more difficult to track, making it an obvious technique to be deployed in future botnets.”

Electronic techniques aren’t the only ones being employed, though. According to David Harley, Senior Research Fellow at ESET (www.eset.co.uk), techniques such as ‘cutouts’ (human go-betweens that break the electronic trail that links online criminals) betray the involvement of ex-spies. “There is some indication that organised crime … especially in Eastern Europe, has indeed provided an opportunity for dishonest toil for ex-spooks. In China, too, there are indications of links between hacker groups and the military.”

Botnets can also evolve at bewildering speed in order to take advantage of new online technologies. An example is the Twitter-based botnet discovered last year by Jose Nazario of Arbor Networks. “Basically, what it does is use [Twitter] status messages to send out new links to contact,” he says. “These contain new commands or executables to download and run.”

With a shift in computing towards becoming more mobile, will the botnet menace also evolve in the same direction? “I think so,” says David Emm of Kaspersky Lab. “We’re seeing the beginnings of that threat, but I think the thing that’s missing with mobiles is that people aren’t routinely using them in the same way they would a laptop.

“I do online computing, but I don’t use my smartphone to do it, so we’re not in a position where people are reliant on them for moving money around and making financial transactions. I think when they are, that’s when the floodgates will open.”

However, Emm also believes that diversity will help slow the spread of mobile botnets. “There are also some braking factors involved,” he says. “On the desktop and laptop platforms, Windows is king. Therefore, as a malware writer, I’d write for Windows and know I’d get a big hit. If I write something for Symbian, it won’t work on Mac OS. If I write something for Mac OS, it’s not going to affect Windows Mobile.”

Building new botnets has also become easy for non-computer-literate criminals. “Botnet creation kits and control consoles permit someone with little or no programming knowledge to create and control botnets,” says Horne.

So are these applications edging towards becoming products in their own right? Ferguson says: “They are products, but how big the market is, it’s difficult to say.”

An example of how easy it is to build a simple botnet is a new construction kit called TwitterNET Builder. “All in all, a very slick tool, and no doubt script kiddies everywhere are salivating over the prospect of hitting a website with a DDoS from their mobile phones,” says Christopher Boyd of Sunbelt Software in a blog entry about TwitterNET Builder’s existence.

With TwitterNET Builder, all the budding botmaster needs to do is enter the name of a Twitter account that infected machines must monitor for commands, and then press a button.

The software creates a custom executable, which the botmaster then distributes to victims, who infect themselves by running it. He then posts plain-text commands such as ‘Visit’ to the Twitter account to have the zombies repeatedly visit a page for the purposes of click fraud, or ‘Download’, which makes them download new payloads.

Criminals who don’t want to pay for state-of-the-art botnet software are increasingly pirating it. This has led to a curious situation, exemplified by the latest version of the Zeus botnet builder software.

“The author has gone to great lengths to protect this version,” say Kevin Stevens and Don Jackson, Security Researchers at SecureWorks Counter Threat Unit, in their online analysis. “The author of Zeus has created a hardware-based licensing system for the Zeus Builder kit that you can only run on one computer.

“Once you run it, you get a code from the specific computer, and then the author gives you a key just for that computer. This is the first time we have seen this level of control for malware.”

Botnet kit authors are also cashing in with secondary modules. For $1,500, you can add the Backconnect module to your growing Zeus botnet. This enables direct connection to an infected computer for the purpose of logging in, perhaps to empty stolen bank accounts. When the authorities raid the computer’s owner, they find nothing more than a hapless householder with an infected PC.

Money and motivation

According to BitDefender’s Catalin Cosoi, it’s not just money that motivates botmasters. “Although it is easy to view botmasters as purely motivated by criminal gain, the factors of competition, kudos and building reputation play a key role in motivating many.

“We can broadly split motivations into two classes: the cyber criminal motivated by money and looking to maximise financial gain from their activities; and secondly, communities where several botmasters co-exist, leading to a strong competitive element. For a botmaster, having hundreds to thousands of machines at their command provides a good sentiment of power and arrogance.”

Of course botnets are also about profit, as Trend Micro’s Ferguson explains. “Money is made by criminals selling access to infected machines. Money is made by criminals distributing other criminals’ software, and by using their botnets for that distribution. Money is made by renting out access to botnets for sending out spam, or carrying out distributed denial of service attacks.”

Not surprisingly, malware that exploits existing infections is also appearing. Earlier this year, researchers saw the first instances of a new botnet toolkit called SpyEye, containing functionality to spy on the data being captured by computers infected with the Zeus software. It can even kill and replace the existing infection with its own zombie code.

“There’s also a battle between the more advanced people who write their own code, as opposed to nicking code that’s freely available, or stealing other people’s botnets,” says Dale Pearson of Security Active. “Someone will try to uncover the botnets that other people have, then take control over them to build up their own net, as opposed to doing the hard work of phishing and spamming and getting people infected.”

Finding the botmasters

So where in the world are the botmasters? “It’s a good question; it’s an interesting question,” says Ferguson. “The straight, flat-out truth is that in terms of people who are running botnets, the phenomenon is truly global. I mean, if you take the example of Zeus, which is probably the most widespread crimeware kit, there’s a great website called Zeus Tracker, and they will show you a live map of where the command and control servers for the botnets are. Obviously there are geographical concentrations, but they exist pretty much globally.”

“Anyone from any country can be a botmaster,” says PandaLabs’ Corrons. “Your neighbour could be one, even if he’s not an expert computer user, as we see from those involved and arrested in connection with the Mariposa botnet.”

“Botnet herding seems to be an international pastime, like football,” agrees Aryeh Goretsky of ESET, where he has the title of Distinguished Researcher. “We have seen botmasters from all around the world with varying skills and knowledge, ranging from minors in America who did not understand what their botnet did because it was passed to them when their previous owners became liable for prosecution as adults, to sophisticated criminal organisations in Eastern Europe.”

“China is noted for its targeted malware,” says Goretsky’s colleague David Harley, “but it is also the second most prolific sender of spam (first is the USA) and has a flourishing DDoS industry. Brazil and Russia both have long track records in the development of banking trojans. Russia probably has the lead in developer resources, with such goodies as Zeus malware and innumerable exploit packs.”

Fighting back

The lifecycle of a botnet is now well understood, but how to beat them for good isn’t quite so well defined. “Once a botnet command and control server is created, botnet distributors just have to get their malicious code on a host,” says Webroot’s Jeff Horne. “They might infect victims’ computers with exploit kits on drive-by download sites, email attachments, or use social engineering techniques.

“Once infected, the victims’ computers register themselves with the C&C servers for constant communication, or check in to the server at regular intervals for new instructions, code, or to send information to the server, like keyboard logs, passwords, credit card information…”
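The “check in to the server at regular intervals” behaviour Horne describes is exactly what network defenders look for: a fixed timer produces connection gaps that are far more regular than human browsing. The following is an added example, not code from the article or from Webroot, showing a simple beacon detector over an outbound connection log. The log format (`<ISO timestamp> <source IP> <destination IP>`) is assumed and the lines are constructed; one host checks in roughly every five minutes, one browses irregularly and one connects only twice.

```python
"""Flag periodic command-and-control check-ins (beacons) in connection logs.

Added example, not from the article or from Webroot. The log format
(timestamp, source IP, destination IP) is an assumption and CONN_LOG is
constructed: 10.0.0.5 beacons every ~300 s, 10.0.0.7 browses in bursts,
10.0.0.9 connects only twice.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

CONN_LOG = """\
2010-03-01T00:00:00 10.0.0.5 203.0.113.50
2010-03-01T00:00:10 10.0.0.7 198.51.100.20
2010-03-01T00:00:20 10.0.0.7 198.51.100.20
2010-03-01T00:05:03 10.0.0.5 203.0.113.50
2010-03-01T00:07:00 10.0.0.7 198.51.100.20
2010-03-01T00:07:35 10.0.0.7 198.51.100.20
2010-03-01T00:09:58 10.0.0.5 203.0.113.50
2010-03-01T00:15:00 10.0.0.5 203.0.113.50
2010-03-01T00:20:00 10.0.0.5 203.0.113.50
2010-03-01T00:22:35 10.0.0.7 198.51.100.20
2010-03-01T00:22:40 10.0.0.7 198.51.100.20
2010-03-01T00:25:00 10.0.0.5 203.0.113.50
2010-03-01T00:30:00 10.0.0.9 192.0.2.30
2010-03-01T00:35:00 10.0.0.9 192.0.2.30
"""


def parse_conn_log(text):
    """Yield (timestamp, src, dst) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue


def beacon_candidates(text, min_connections=5, max_cv=0.1):
    """Return {(src, dst): mean interval in seconds} for near-constant timers.

    The coefficient of variation (stdev / mean) of the gaps between
    connections is close to zero for a fixed check-in timer and much higher
    for bursty human activity. Bots that add random jitter push the CV up,
    so max_cv is a tuning knob and the output is a list for analyst review,
    not a verdict. Pairs with too few connections are skipped because a
    handful of gaps cannot establish periodicity.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_conn_log(text):
        by_pair[(src, dst)].append(ts)
    found = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # duplicate timestamps, not a timer
        if pstdev(gaps) / avg <= max_cv:
            found[pair] = round(avg)
    return found


if __name__ == "__main__":
    for (src, dst), interval in beacon_candidates(CONN_LOG).items():
        print(f"{src} -> {dst}: check-in every ~{interval}s")
```

On the constructed log only the 10.0.0.5 to 203.0.113.50 pair is reported, with a 300-second interval; the irregular host has a CV above 1 and the two-connection host never reaches the minimum count.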

Once established, waves of spam sent out by the botmaster himself and pointing to specially infected websites recruit more zombies and so the botnet grows – but it also draws attention, and an arms race develops between the botnet’s writer and the antivirus companies.

Keeping the botnet’s malware up to date isn’t difficult, even for a non-coder, as BullGuard CTO Claus Villumsen explains: “The botnet master pays around $250 to have a new virus created, and an additional $25 a month to keep it upgraded, to try to avoid detection by virus scanners.”

With so many people still not running up-to-date antivirus software, the botnet keeps growing, and it becomes clear that the best thing to do is track down the botnet and disconnect its lines of command.

“[It’s done by] taking out the command and control elements of botnets by targeting their servers,” says Catalin Cosoi. “This is not an easy task since most botnets have several C&C servers and they all have the possibility to update their code, like any other software product. In order to be successful, you have to take down all the C&Cs at the same time.”

“Finding [the C&C servers] is the difficult thing,” agrees Security Active’s Dale Pearson. “They’re all in private communities, so part of the battle is getting yourself immersed in that scene.”

However, even if you can take all of a botnet’s C&C servers permanently offline, the army of zombies remains, regularly phoning home. “The Mariposa framework had infected nearly 13 million machines and that framework is still alive,” says Rik Ferguson. “The fact that the guys were arrested didn’t take the botnet out.”

The ISP issue

The one aspect of the botnet crisis we haven’t covered is the role the ISPs might play. Surely they can break botnets by simply denying them bandwidth?

“There’s a few things they could attempt to do,” says Pearson. “They can use packet filtering software to identify when a botnet is running across their network and locate the zombie computers. The way to kill a botnet is to disconnect the machines, but that’s going to annoy their customers. They can also throttle [outgoing mail] traffic if it’s being used for phishing and spam, but again that impacts on their own users.”
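Pearson’s point about throttling outgoing mail can be made concrete with the kind of heuristic an ISP can apply to its own flow records without inspecting content: a subscriber’s home PC that sends mail normally talks to one relay, whereas a spam bot opens connections to many different mail servers in quick succession. The script below is an added example, not code from the article or from any ISP it mentions; the flow record format (`<ISO timestamp> <subscriber IP> <destination IP> <destination port>`) is assumed and the records are constructed.

```python
"""Pick out likely spam bots from ISP flow records by outbound SMTP fan-out.

Added example, not from the article or any ISP it mentions. The record
format (timestamp, subscriber IP, destination IP, destination port) is an
assumption and FLOW_LOG is constructed: 100.64.0.5 hits eight different
mail servers in seven seconds, 100.64.0.8 talks to a single relay, and
100.64.0.9 only browses on port 443.
"""
from collections import defaultdict

FLOW_LOG = """\
2010-03-01T10:00:01 100.64.0.5 192.0.2.10 25
2010-03-01T10:00:02 100.64.0.5 192.0.2.11 25
2010-03-01T10:00:02 100.64.0.5 192.0.2.12 25
2010-03-01T10:00:03 100.64.0.5 192.0.2.13 25
2010-03-01T10:00:04 100.64.0.5 192.0.2.14 25
2010-03-01T10:00:05 100.64.0.5 192.0.2.15 25
2010-03-01T10:00:06 100.64.0.5 192.0.2.16 25
2010-03-01T10:00:07 100.64.0.5 192.0.2.17 25
2010-03-01T10:00:10 100.64.0.8 198.51.100.25 25
2010-03-01T10:00:11 100.64.0.8 198.51.100.25 25
2010-03-01T10:00:12 100.64.0.8 198.51.100.25 25
2010-03-01T10:00:12 100.64.0.9 203.0.113.80 443
2010-03-01T10:00:13 100.64.0.9 203.0.113.80 443
"""


def smtp_fanout(text, port=25):
    """Return {subscriber: (connection count, distinct destinations)} for one port.

    Only the destination port is examined, so this works on sampled flow
    data and never looks at message content.
    """
    counts = defaultdict(int)
    dests = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != str(port):
            continue
        _ts, src, dst, _port = parts
        counts[src] += 1
        dests[src].add(dst)
    return {src: (counts[src], len(dests[src])) for src in counts}


def throttle_candidates(text, max_connections=5, max_distinct_servers=3):
    """Subscribers exceeding both a volume and a fan-out threshold.

    Requiring both keeps a customer who legitimately sends a burst of mail
    through one relay out of the list; it is the combination of volume and
    many distinct mail servers that looks like direct-to-MX spamming. The
    thresholds are illustrative and would be tuned per network.
    """
    return sorted(
        src for src, (n, distinct) in smtp_fanout(text).items()
        if n > max_connections and distinct > max_distinct_servers
    )


if __name__ == "__main__":
    for src, (n, distinct) in sorted(smtp_fanout(FLOW_LOG).items()):
        print(f"{src}: {n} SMTP connections to {distinct} servers")
    print("throttle candidates:", throttle_candidates(FLOW_LOG))
```

The result for the constructed records is a single candidate, 100.64.0.5, which is the trade-off Pearson describes: the control is cheap to apply, but the thresholds decide how many ordinary customers get caught alongside the zombies.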

Another problem for ISPs is that botmasters don’t tend to rent out the full power of their creations all at once. Using their full power at one time draws too much attention from both the ISPs and the botnet hunters, as David Emm explains. “We’re beginning to see [botnets] used as a rapier, rather than a blunderbuss, for activity, so it makes it difficult for ISPs to see what activity there is without the help of the industry. There are industry initiatives that are trying to work on these issues. The Conficker working group is possibly the best known of these.”

ISPs, security companies, the authorities and perhaps even reformed hackers working together is the best way of fighting the botnet menace, but does this mean lazy home users can carry on without proper protection?

“In terms of countermeasures, detection of malware is a significant part of the process, but it’s just one layer,” says ESET’s David Harley. “We work with other groups such as law enforcement, coalitions like the Conficker Working Group, and some rather more shadowy groups that don’t appreciate the glare of publicity – we know the bad guys watch us as carefully as we watch them.”
