March 19, 2010
Hot Topics :

Botnets: Who Really "0wns" Your Computers?

Sometimes it's satisfying to leave the confines of the NOC and take a stroll through the cube farm, secure in the knowledge that the machines on your network are secure and in hand. Except, perhaps, when they're not.

A "botnet" is a collection of computers that have been infected with remote-control software. An IRC "bot" is the software that gets installed by a virus, which in turn connects to an IRC (Internet Relay Chat) server — the control plane for sending commands to the bots.

A typical botnet scenario involves thousands of compromised Windows machines and a single "attack" command issued by the owner of the botnet, resulting in once innocent computers executing an attack on an unsuspecting Web site. This article will explore common methods of infection and the capabilities the bots have, for the sake of better understanding these perils.

When an unpatched Windows computer connects to the Internet, survival is an unlikely prospect. Within minutes, the computer can become infected with a trojan or virus that installs an IRC bot. The bot will immediately "phone home" by connecting to an IRC server then stand by, awaiting commands. SANS has cited 24 minutes as the average amount of time a freshly installed Windows XP computer can last on the internet before infection. If you're running a fresh install of MS-SQL server, the time is considerably shorter. Some have cited sub-minute survival times for new, unpatched SQL servers.

What Can They Do?
Botnets have various capabilities, including denial of service attacks, spam relays, theft of personal information, and they even start web servers on infected computers to aid in phishing attacks. These are all illegal activities, and definitely not something you want coming from your computer. There's nothing worse than receiving e-mail from a different company's security officer with evidence you've been attacking them or sending spam.

Also on Network Security at ENP

  • Spy on the Spyware with tcpdump
  • Mind Your Packets with Ethereal
  • Audit Your LAN Before the Bad Guys Do with nmap
  • Bait Crackers With A Honeypot
  • Spy on Yourself with tcpdump
    • Reading the source code for one specific IRC bot leads to much enlightenment, and fright. The repertoire of tasks a bot can carry out on its owner's behalf is truly astounding. Here's a brief list of a few of the more interesting things bots can do:

    • Run their own IRC server, becoming a master for other bots to connect to
    • Capture or "harvest": CD Keys from the Windows registry, AOL traffic including passwords, and the entire Windows registry itself
    • Start flooding a specific IP or network using TCP, UDP, or ICMP
    • Add/delete Windows services from the registry
    • Test the Internet connection speed of the infected computer
    • Start the following services: http proxy, TCP port redirector, and various socks proxies
    • Scan and infect other computers on the local network
    • Send spam
    • Download and execute a file from a given FTP site

    And if that wasn't horrific enough for you, consider the following: all of the IRC bots (that I've seen) also have modular capabilities. So if someone programs a new module to extend the bots' capabilities, the owner of the botnet simply runs a single command to install and use the new module on every bot. The capabilities listed above were taken from the agobot source code, but other popular ones probably have similar, if not better, functionality.

    Continued on page 2: What Can You Do?

    12

    Networking Solutions





    Partners


















    The Network for Technology Professionals

    Search:

    About Internet.com

    Legal Notices, Licensing, Permissions, Privacy Policy.
    Advertise | Newsletters | E-mail Offers

    Solutions

    Whitepapers and eBooks

    Intel Whitepaper: 2010 Intel Core vPro Processors Overview
    Article: Adobe Helps PHP Developers Create Rich Internet Applications
    Case Study: Microsoft IT Strengthens Security with Data Loss Prevention Solution
    Article: Reduce Your Infrastructure Costs with Microsoft System Center
    Intel Brief: Five-Star IT Support--Intel Core 2 processor with vPro Delivers ROI of 524 Percent
    Article: Security Enhancements Abound in Windows Server 2008
    Article: Enterprise Social Computing with Microsoft SharePoint 2010
    Intel Whitepaper: Implementing Intel vPro Technology to Drive Down Client Management Costs
    		 Microsoft Whitepaper: Improve Communications and Collaboration
    Intel Article: Intel Core i5 vPro Brings Intelligence to the Processor
    Microsoft Personalized Whitepapers and Resources for You
    Microsoft Articles: Visual Studio 2010
    Adobe Article: Java Developers Finding a Home at Adobe Flex
    Microsoft Whitepaper: Make Better Decisions - SQL Server 2008 Business Intelligence.
    MORE WHITEPAPERS, EBOOKS, AND ARTICLES

    Webcasts

    Video: How System Center Helps Reduce IT Costs
    IBM Cloud Computing for Developers Virtual Event, April 6-8
    Intel Video: 2010 Intel Core Processor Technologies
    		 Microsoft Video: OCS and Exchange: Platform Futures
    MORE WEBCASTS, PODCASTS, AND VIDEOS

    Downloads and eKits

    Adobe Download: Tour de Flex Application and Explore Flex
    HP PartnerONE | SolutionsINFINITE Visit us at hp.com/partners/us
    		 Iron Speed Designer Application Generator
    MORE DOWNLOADS, EKITS, AND FREE TRIALS

    Tutorials and Demos

    Free Adobe Online Flex Training: Check Out this Video Training Course Here
    Learn Unified Communications
    Learn SQL Server 2008
    Learn Windows Server 2008 R2
    Internet.com Hot List: Get the Inside Scoop on IT and Developer Products
    		 Learn Forefront
    Learn System Center
    All About Botnets
    Learn SharePoint
    MORE TUTORIALS, DEMOS AND STEP-BY-STEP GUIDES