The Zombie Army
Before discussing defensive measures, it’s first important to understand what bots are and how they are used to compromise computers. “Bots are agents that give an attacker control of a machine” by opening a door that a hacker—or anyone else given access privileges by the hacker—can then enter surreptitiously at will, explains Ed Skoudis, senior security consultant and cofounder of security firm Intelguardians.
But the bot does more than leave a door ajar. Once on an infected machine, a bot will connect back to a single point of control, typically a particular channel on an Internet Relay Chat (IRC) server.
Since bots provide a back door to an attacker, the attacker is free to come in and exploit the system’s vulnerabilities. And as new vulnerabilities are discovered, an attacker can put new worms on these infected machines and have them scan for more vulnerable machines.
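The single point of control described above is also what gives defenders a handle: many internal hosts reaching the same external IRC endpoint is a fan-in pattern that a normal user population rarely produces. The following is an added example, not from the article, that scans constructed firewall-style log lines for that pattern; the log format, the internal address range and the IRC port list are assumptions.

```python
# Added example (not from the article): flag external IRC endpoints that many
# internal hosts connect back to, the "single point of control" pattern.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log; hypothetical format: timestamp src dst dst_port action
SAMPLE_LOG = """\
2005-08-16T10:01:02 10.0.0.5 203.0.113.7 6667 ALLOW
2005-08-16T10:01:09 10.0.0.6 203.0.113.7 6667 ALLOW
2005-08-16T10:01:15 10.0.0.7 203.0.113.7 6667 ALLOW
2005-08-16T10:02:01 10.0.0.8 203.0.113.7 6667 ALLOW
2005-08-16T10:02:30 10.0.0.9 198.51.100.2 80 ALLOW
2005-08-16T10:03:12 10.0.0.5 198.51.100.9 443 ALLOW
2005-08-16T10:04:00 10.0.0.6 10.0.0.200 6667 ALLOW
"""

INTERNAL = ip_network("10.0.0.0/8")          # assumed corporate range
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}  # common IRC server ports (assumed list)

def parse_line(line):
    """Split one log line into a record; raises ValueError on a malformed line."""
    ts, src, dst, port, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "action": action}

def irc_fanin(log_text):
    """Map each external IRC endpoint (dst, port) to the internal hosts that reached it."""
    fanin = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] != "ALLOW" or rec["port"] not in IRC_PORTS:
            continue
        # Only outbound traffic counts: internal source, destination outside the range.
        if ip_address(rec["src"]) not in INTERNAL or ip_address(rec["dst"]) in INTERNAL:
            continue
        fanin[(rec["dst"], rec["port"])].add(rec["src"])
    return fanin

def suspected_c2(log_text, min_hosts=3):
    """Endpoints contacted by at least min_hosts distinct internal hosts, with those hosts."""
    return {ep: sorted(srcs) for ep, srcs in irc_fanin(log_text).items()
            if len(srcs) >= min_hosts}

if __name__ == "__main__":
    for (dst, port), hosts in suspected_c2(SAMPLE_LOG).items():
        print(f"{dst}:{port} contacted by {len(hosts)} internal hosts: {', '.join(hosts)}")
```

The threshold is the tuning knob: a legitimate internal IRC server is excluded by the range check, but a popular public IRC network would need whitelisting rather than a lower threshold.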
Like Trojan horse programs such as Back Orifice, bots allow complete remote control of a computer; but unlike Trojan horses, bots yield huge numbers of infected computers that are controlled at a single point. “It’s an army of zombies that are centrally controlled,” says Joe Stewart, senior security researcher with LURHQ’s Threat Intelligence Group. This army is often referred to as a botnet.
Bots began to appear in the payloads of worms such as Netsky that hit in 2004, but botnets have grown considerably. Going back five years, Skoudis says, botnets were generally 500 or 1,000 infected computers; on rare occasions they might have as many as 10,000 zombies. But Skoudis has seen a botnet that’s 171,000 bots strong. “I wouldn’t be surprised if, in the space of a couple of years, we’ll see botnets that get into the multihundreds of thousands, maybe even millions of bots, under single control,” he says.
Part of the reason for the growth is that recent computer worms use easily exchanged modules. This means that serious programming skills are no longer necessary to create bots; instead, even a novice can take an existing program from the Web and easily update it with, for example, a module containing an exploit against a newly discovered vulnerability. Bots can also be altered or updated with ease to do anything from logging keystrokes to sending spam (more on these capabilities below).
The author of Zotob used a worm called Mytob and added an exploit aimed at a newly discovered vulnerability in the Windows operating system. “They all work like that nowadays,” says Stewart. “They’re like huge open-source projects, and they’re very modular.”
Malicious bots began on IRC channels as weapons. “They started as denial-of-service [DOS] attack tools to knock somebody off a channel if they said something you didn’t like, or if they didn’t let you on their channel,” Stewart explains. Disgruntled users got the IP address of the person they wanted to attack and used simple programs that would flood that address with connection requests until the victim could no longer connect to the chat server.
As botnets grew ever larger, Stewart says, it didn’t take long for their masters to realize that there was money to be made simply by knocking someone off-line. For example, attackers would threaten an online gambling site just before big sporting events, such as college basketball’s March Madness tournament. To prove the threat was real, Stewart says, the attackers would actually flood the site for a short time. In exchange for a payment, the hackers would spare the site from an attack that would have prevented gamblers from laying bets on its Web site.
In a recent report on computer security trends, antivirus vendor Symantec estimated that more than 900 denial-of-service attacks occurred each day on average between January 1 and June 30 of this year, an increase of some 680 percent. Botnets have moved well beyond the simple job of DoS attacks, however. They are increasingly being used to hijack computers that can then be used as testing grounds to ensure that new vulnerabilities can be exploited, says Bruce Hughes, senior antivirus researcher at Trend Micro. Infected machines serve as “R&D testing grounds,” he says, so exploits can be tested repeatedly until they are deemed effective.
Spam
Hackers can also rent out the botnets that are under their control. Spammers are becoming favorite customers, says Stewart, as their old ways of sending their bulk e-mails are increasingly being shut off.
In the past, spam was sent via open relays, essentially unprotected mail servers that allowed spammers to send mass messages without leaving a trail. But eventually open relays were identified as the primary sources of spam, and the antispam community went to work to educate administrators on the importance of securing those mail servers, cutting down on the ability of spammers to use them to get their mass mailings out.
“People with botnets were the perfect solution for spammers,” Stewart says. Botnets could include thousands of computers, so enterprising botnet masters added a proxy-server module to the bots, which allowed spammers to use those zombies to send spam. Open relays are no longer needed, and since spam can now come from so many different sources, it’s impossible for companies to keep blacklists current enough to block these spammers.
Size of the Problem
Despite the growth of botnets, the threat that they pose to corporate and government networks has been held in check by progress being made on the other side.
“The fact is, we have gotten better in the defensive community,” says Skoudis. He compares the hundreds of thousands of machines that were quickly compromised by the Blaster worm in 2003 to the lesser number hit by Sasser in 2004. “Flash forward to August 2005,” he says, “and we did even better. We had less infection and less downtime and less problems.” And while Zotob received plenty of publicity, the fact that media outlets were infected is likely the reason, rather than the seriousness of the attack itself, Skoudis says.
Although large corporations are getting better at defending their networks, the threat remains serious. Even one infection can hurt a company’s bottom line and reputation. Security professionals need to understand how some companies are still getting infected so that they can protect their own organizations.