Black Hat: Botnets Go One-on-One

Botnets are changing channels and fighting back at researchers

FEBRUARY 22, 2007

The most savvy and sophisticated botnet operators are bringing out the big guns now -- operating deeper underground and staging massive distributed denial-of-service attacks on their adversaries.

Jose Nazario, senior software and security engineer with Arbor Networks, will give an inside look at the latest botnet movements and strategies in a briefing at Black Hat DC next week. Nazario, who is among the researchers who track botnets, says big changes are now underway in the botnet world. (See Botnets Don Invisibility Cloaks.)

"The two biggest shifts we're seeing are HTTP for very specialized botnets and the successful deployment of peer-to-peer botnets," Nazario says. "That's pretty frightening, if you think about it."

There's been an especially dramatic jump in peer-to-peer botnets, he says. The peer-to-peer approach is tough to detect and take down because there is no central server: any node can inject or relay commands to the others.

Nazario and fellow researchers at Arbor last year started noticing a few botnets talking to their bots, or zombies, via less conspicuous Web-based (HTTP) connections rather than through conventional Internet Relay Chat (IRC) channels. "Now we're seeing an even larger shift away from IRC for botnets," he says. "Botnet operators are realizing that most IRC botnets can be tracked and monitored quickly."

IRC is a client-server protocol for real-time text conversations: clients connect to a server and join named channels, and its plaintext commands are easily picked out by IDSes and IPSes. It's long been a favorite hacker hangout, as well as a botnet operator's conduit to its victim machines.
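To make the detection point concrete, here is an added example (not code from the article or from Arbor Networks) that runs three IRC command-and-control heuristics over a constructed connection log: IRC commands on a port other than the usual 6667/6697, many internal hosts joining the same channel within a short window (the "fan-in" an ordinary chat user never produces), and PRIVMSG text beginning with a dot- or bang-prefixed command, the syntax many IRC bot families use. The log format, the addresses, the channel name and the thresholds are all assumptions made for the example.

```python
"""Toy IRC C2 detector over constructed connection-log records.

Record format (assumed for this example):
    "<epoch> <src_ip> <dst_ip> <dst_port> <first payload line>"
"""
import re
from collections import defaultdict

# Constructed sample log for the example; not real captured traffic.
SAMPLE_LOG = """\
1172100001 10.0.0.11 203.0.113.9 8080 NICK [US|XP]-8821
1172100002 10.0.0.11 203.0.113.9 8080 JOIN #x.0 secretkey
1172100003 10.0.0.12 203.0.113.9 8080 NICK [US|XP]-1190
1172100004 10.0.0.12 203.0.113.9 8080 JOIN #x.0 secretkey
1172100005 10.0.0.13 203.0.113.9 8080 JOIN #x.0 secretkey
1172100006 10.0.0.14 203.0.113.9 8080 JOIN #x.0 secretkey
1172100007 10.0.0.15 203.0.113.9 8080 JOIN #x.0 secretkey
1172100008 10.0.0.20 198.51.100.7 6667 JOIN #linux
1172100009 10.0.0.21 192.0.2.5 80 GET /index.html HTTP/1.1
1172100010 10.0.0.15 203.0.113.9 8080 PRIVMSG #x.0 :.ddos.syn 192.0.2.50 80 600
"""

IRC_CMD = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PONG)\b")
JOIN_RE = re.compile(r"^JOIN\s+(#\S+)")
# PRIVMSG <target> :<text>; flag text that starts with a '.' or '!' command token
CMD_RE = re.compile(r"^PRIVMSG\s+\S+\s+:([.!]\S+)")
STANDARD_IRC_PORTS = {6667, 6697}
FANIN_THRESHOLD = 5   # distinct hosts joining one channel (assumed threshold)
FANIN_WINDOW = 60     # seconds (assumed window)


def parse(log_text):
    """Turn the log text into (ts, src, dst, port, payload) tuples."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, payload = line.split(" ", 4)
        records.append((int(ts), src, dst, int(port), payload))
    return records


def irc_on_nonstandard_port(records):
    """(src, dst, port) triples speaking IRC on a port other than 6667/6697.
    Real chat clients rarely do that; bot herders often hide C2 this way."""
    hits = set()
    for _ts, src, dst, port, payload in records:
        if IRC_CMD.match(payload) and port not in STANDARD_IRC_PORTS:
            hits.add((src, dst, port))
    return sorted(hits)


def channel_fan_in(records, threshold=FANIN_THRESHOLD, window=FANIN_WINDOW):
    """(server, channel, host_count) for channels that at least `threshold`
    distinct sources joined inside any `window`-second span."""
    joins = defaultdict(list)  # (server, channel) -> [(ts, src), ...]
    for ts, src, dst, _port, payload in records:
        m = JOIN_RE.match(payload)
        if m:
            joins[(dst, m.group(1))].append((ts, src))
    flagged = []
    for (server, chan), events in joins.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {s for t, s in events[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                flagged.append((server, chan, len(hosts)))
                break
    return sorted(flagged)


def bot_command_lines(records):
    """(src, command) pairs for PRIVMSG text that starts with a '.' or '!'
    command token. This is a heuristic, not proof of infection."""
    cmds = []
    for _ts, src, _dst, _port, payload in records:
        m = CMD_RE.match(payload)
        if m:
            cmds.append((src, m.group(1)))
    return cmds


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("IRC on odd ports:", irc_on_nonstandard_port(recs))
    print("channel fan-in:  ", channel_fan_in(recs))
    print("bot commands:    ", bot_command_lines(recs))
```

On the sample, the five hosts that join #x.0 on port 8080 within six seconds trip all three checks, while the single user joining #linux on 6667 trips none; that gap is exactly why operators moved to HTTP, where a bot's poll looks like any other web request, and to peer-to-peer, where there is no shared server and channel to count joins against.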

There are some major botnets that still use IRC, but with a twist: They use counterintelligence, such as "anti-sandboxing" techniques, to throw researchers off their trail. Or in some cases, the botnets merely shut researchers out of IRC rooms when they realize they're being tracked.

It's not that IRC botnets are dead -- Nazario says IRC-based bots were responsible for a major distributed denial-of-service attack on the anti-phishing CastleCops site this month -- but botnet operators are looking for stealthier ways to stay alive and keep spamming or spreading viruses.

Sometimes, botnets even stage DDOS attacks on one another to kidnap bots to add to their armies. "They were involved in fistfights and shouting matches before. But they're bringing the big guns now," Nazario says.

Researchers tracking botnets are having to move fast just to keep up. Trouble is, the research community is still homed in mostly on IRC-based botnets. "We know the code, we have the tools designed to let us take them apart and infiltrate them and look inside. The problem is the elite botnets aren't IRC anymore. They know they are being monitored," Nazario says.

The more sophisticated botnet herders are also conducting counterintelligence, by poisoning researchers' honeypots and other methods. "They inject a binary and see who shows up. They know that they are being tracked," he says. The botnet operators are tracking the good guys posing as bots or bad guys in IRC channels, and banning them when they find them out.

Nazario says a few botnets are also starting to encrypt their IRC communications as a way to elude researchers.

He and fellow researchers have been closely studying three large botnets: Nugache, Storm, and Stration. "We chose Storm and Stration because they appear to be at war with each other," he says. "They stage huge DDOS attacks back and forth to disrupt each other's network."

Nugache, which has somewhere between 20,000 and 100,000 hosts, is the most intriguing because it's a peer-to-peer botnet that also uses encryption, according to Nazario. "It's lurking quietly in the corner, which is why we chose them," he says. Even more unnerving, researchers don't know for sure what the botnet operators are using Nugache for, he says.

Storm, meanwhile, is a 100,000-node botnet that combines peer-to-peer and HTTP communication and is used to send spam. "They aren't using encryption, but their own communications vocabulary atop the eDonkey protocol," Nazario says. That makes it easy for a client to join the botnet, and for the botnet to stay up and running. eDonkey is a peer-to-peer file-sharing network.

"But it obscures the traceback. It's making the job of finding out where and who is behind it -- and what they are doing at any one time -- a lot harder," he says.

"Nugache and Storm's resilience comes from the peer-to-peer" mode, he says. "You don't know who's injecting commands and updates."

Stration is an HTTP-based botnet used mainly for spam. "We found that the malware authors didn't change the initial code all that much," Nazario says. "They were very aggressive and took the world by storm. But it was easy to come up with generic filters to stop it."

It typically persists on machines whose owners don't practice good anti-malware hygiene, so they remain infected, he says.

But Nazario says it's Nugache that's most worrisome. "Nugache is a harbinger of things to come, [a botnet] for malicious purposes."
