BOTNETs: What They Are and What You Can Do

Don’t be BOT and Sold –

Winning…DUH!

In malware-speak, a”botnet” is a collection of computers that are all infected with malware used to perform malicious tasks or functions. A computer becomes a bot when it downloads a file (e.g., an email attachment) that has bot software embedded in it. A botnet is considered a botnet if it is taking action on the client itself via IRC channels without the hackers having to log in to the client’s computer. A botnet consists of many threats contained in one. The typical botnet consists of a bot server (usually an IRC server) and one or more botclients.

Hello. My name is Inigo Montoya. You killed my father. Prepare to die.         
– – Inigo Montoya

 

SONY BOT & SOLD?

Recently, the Sony and PlayStation brands have taken a huge hit following last month’s attack on their PlayStation Network. Sony shut down the PlayStation Network on April 20 after discovering the breach and announced on April 26 that customer personal data had been compromised. The networks remain down; Sony spokesman Patrick Seybold says that the company is working to relaunch them “as soon as possible.”

Vizzini: Finish him. Finish him, your way.

Fezzik: Oh good, my way. Thank you Vizzini… what’s my way?

Vizzini: Pick up one of those rocks, get behind a boulder, in a few minutes the man in black will come running around the bend, the minute his head is in view, hit it with the rock.

Fezzik: My way’s not very sportsman-like. 

FATALITY?

Consequently, Sony’s shares have fallen more than 6 percent since the beginning of the two-week crisis. One of the big intangibles is the damage to Sony’s brand image. That could be immeasurable, but to get a flavor of what we are talking about.  Recently, 3 out of 10 respondents to a USA TODAY Game Hunters poll about the Sony network breaches say they don’t trust Sony to protect their personal data. Still, 54% of the more than 2,100 respondents said they will continue to use their PlayStation 3 or PlayStation Portable online. Naturally, since there are many unknowns, the estimates of possible losses are all over the place, from a mere $1.6 million to more than $1.25 billion.  Incidentally, this is going beyond the breach, whispers of SONYGATE and why it took so long to report the breach, and why there still not fessing up to the lost credit card information of millions of customers.

But that’s not what he said—he distinctly said “To blave” and as we all know, to blave means to bluff, heh? So you were probably playing cards, and he cheated         – Miracle Max

What Can I Do?

If you are diagnosing a single machine, there are several steps you can take to discover a possible bot infection. On the other hand, if you are investigating an entire network, you can uncover a slew of infected drones or a botnet command and control (C&C) itself.

Ha ha! You fool! You fell victim to one of the classic blunders – The most famous of which is “never get involved in a land war in Asia” – but only slightly less well-known is this: “Never go against a Sicilian when death is on the line”! Ha ha ha ha ha ha ha! Ha ha ha ha ha ha ha! Ha ha ha…

                                                                  – Vizzini

Just a single machine

1.      AntiVirus – I can’t quit you… Don’t even think the conventional anti-virus is sufficient, for many BOT infections will simply not be detected.

2.      Rootkit detection packages are a plus.

3.      Watch for modification of the windows hosts file

4. Random unexplained popups are likely an adware infection, however it this could be clickfraud or a little league version of a BOT.

5.      Machine slowness. Well this admittedly is a useless symptom, for who doesn’t experience this.  However in many situations it is massive spyware infections. Whether it is botnet related or not is another story. Scan your machine for spyware.

6. Check the machine’s default DNS resolution servers. Are they what you would expect to see (a company’s or ISP’s DNS servers, or that of your internal LAN’s router?) If not, malware may be redirecting DNS requests to a shady source. For extra precaution, you may want to investigate the DNS traffic on the network itself with a trusted clean host.

As you know, the concept of the suction pump is centuries old. Well, really that’s all this is except that instead of sucking water, I’m sucking life. I’ve just sucked one year of your life away. I might one day go as high as five, but I really don’t know what that would do to you, so let’s just start with what we have. What did this do to you? Tell me. And remember, this is for posterity, so be honest.  How do you feel?

                                                                                – Count Rugen

Monitoring a Network

1.   Since IRC is usually rare in a corporate network, seeing any IRC traffic, across typical IRC ports, may be worth looking into.

a. IRC traffic usually manifests itself in clear text, so sensors can be built to sniff particular IRC commands or other protocol keywords on a network gateway

b. Look for the most commonly used default irc port: 6667. The full port range specified by the RFC: 6660-6669,7000. Also, since many IRC services utilize ident, port 113 is a (less common) heads up parameter. However, well known or default ports are less likely to be used by the big boys, take a look at outbound connection attempts on any suspicious ports.

2. If you have access to a list of known botnet command and control (C&C) servers, you can simply look for outbound connection attempts to these services and/or ranges.  This is key, although there are signature designed for applications like snort IDS, this is predominately reactive, i.e., tell me about the ones that are so old, that companies have defined a well-known signature for them, the new one, I guess we’ll let by?  Try to find a tool that measures outbound traffic against bad destinations as well, this way, you don’t care if we thoroughly understand the malware enough to have it well known enough to have the commercial space evaluate, distill, and stamp out a unique signature.

3. If a large quantity of machines in your direct control are making the same DNS requests, or accessing the same server at once, you can rest assured you likely have a problem on your hands.

4. Similarly, check your DNS caches. Many BOT Command and Control (C & C) mechanisms will make use of a DNS domain that the BOT herder can easily change if he needs to relocate his C&C infrastructure.

5. Malware detection on your network:

a Installing a malware-base honeypot in your internal network will allow you to detect malware propagations from infected machines you may have control over. If your network is penetrated, so too eventually shall an appropriately placed honeypot.

b. Keep an eye on the ports of any typically vulnerable or exploited service. If you see a lot of traffic on 135,139,445 (windows file sharing), you may have a malware propagation scheme attempting to spread its payloads.

c. Portscan traffic is an obvious symptom of any infection. Again, use a proper IDS signature to find these, and then investigate the machine.

6. Keep an eye out for a massive amount of SMTP outbound traffic. Such patterns, especially coming from machines that are not supposed to be SMTP servers, will likely point to a malware spam bot that has implanted itself in your organization. e.g.SpamThru

7.    Does your organization make use of an HTTP proxy? If so, malware processes may reveal themselves by requesting http data external to the proxy, and you may catch binary download attempts in your firewall logs if you monitor outbound port 80.

Westley: Give us the gate key.

Yellin: I have no gate key.

Inigo Montoya: Fezzik, tear his arms off.

ellin: Oh, you mean *this* gate key.

In summary, there are many tools out there that address this type of detection; however, don’t discount the tools that simply look for outbound connection attempts to these services and/or ranges.  Not only does this do the trick, it does it fast and addresses the new BOTs out there that don’t have a signature yet, i.e., can be detected day 0 of origination, unless you’re willing to wait till a chosen manufacturer discovers, analyzes, authors, tests, and distributes a unique signature for the particular malware.  Frankly, by then… who cares – your data is long gone…

__________________________________________________________________

 About Affant Communication

Affant Communication is a leading provider of Network/Security Solutions and one of the nation’s premier infrastructure solution providers. Offerings include, but are not limited to Telco/Network & Security Solutions, Software Programming, 24 x 7 Network/Security Monitoring, and Wireless Broadband and Mobile Solutions.

 

About Rick Ricker

An IT professional with over 20 years experience in Information Security, wireless broadband, network and Infrastructure design, development, and support.

for more information, contact Rick at (714) 338-7137

Want more information on topics covered in this article? Contact us at sales@affant.com or check out our staff page for individual contact information.

Go to top