Botnets: Who Really "0wns" Your Computers?
Executive Overview: With the survival time of a fresh Windows install sometimes measured in seconds, knowing a little about some of the more pervasive bits of malware out there and how to ferret them out on your network can't hurt.
Sometimes it's satisfying to leave the confines of the NOC and take a stroll through the cube farm, secure in the knowledge that the machines on your network are secure and in hand. Except, perhaps, when they're not.
A "botnet" is a collection of computers that have been infected with remote-control software. An IRC "bot" is the remote-control software installed by such a virus; once running, it connects to an IRC (Internet Relay Chat) server — the control plane for sending commands to the bots.
A typical botnet scenario involves thousands of compromised Windows machines and a single "attack" command issued by the owner of the botnet, resulting in once innocent computers executing an attack on an unsuspecting Web site. This article will explore common methods of infection and the capabilities the bots have, for the sake of better understanding these perils.
When an unpatched Windows computer connects to the Internet, survival is an unlikely prospect. Within minutes, the computer can become infected with a trojan or virus that installs an IRC bot. The bot will immediately "phone home" by connecting to an IRC server and then stand by, awaiting commands. SANS has cited 24 minutes as the average amount of time a freshly installed Windows XP computer can last on the Internet before infection. If you're running a fresh install of MS-SQL server, the time is considerably shorter. Some have cited sub-minute survival times for new, unpatched SQL servers.
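The "phone home" behaviour above is also the easiest thing to spot from the network side: a bot sits idle on its IRC channel for hours, and many infected hosts on one network tend to park on the same server. The following is an added example (not code from the article) that scans constructed firewall-style flow records for exactly that shape; the port list, the 10.0.0.0/8 internal range and the thresholds are assumptions to adjust for your own site.

```python
"""Flag likely IRC bot "phone home" traffic in connection logs.

Added, hypothetical example (not from the article): reads constructed
firewall-style flow records and reports external IRC-port endpoints that
several internal hosts hold long-lived connections to.
"""
from collections import defaultdict
import ipaddress

# Conventional IRC service ports (assumption: site policy does not permit IRC).
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed sample flows: "src_ip dst_ip dst_port duration_seconds"
SAMPLE_LOG = """\
10.0.1.15 198.51.100.7 6667 5400
10.0.1.22 198.51.100.7 6667 5122
10.0.2.9 198.51.100.7 6667 4980
10.0.1.15 203.0.113.4 443 3
10.0.3.40 203.0.113.9 6667 2
10.0.3.41 198.51.100.7 80 14
"""

def parse_flows(text):
    """Parse one flow per line into (src, dst, port, duration) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, dur = line.split()
        flows.append((src, dst, int(port), int(dur)))
    return flows

def find_irc_c2(flows, min_hosts=2, min_duration=600):
    """Return {(dst, port): sorted internal hosts} for suspected C2 endpoints.

    A bot idles on its IRC channel waiting for commands, so the signal is
    several internal hosts holding long-lived sessions to the same external
    IRC-port endpoint, not one brief connection (which is filtered out).
    """
    hosts_by_endpoint = defaultdict(set)
    for src, dst, port, dur in flows:
        if port not in IRC_PORTS or dur < min_duration:
            continue
        if ipaddress.ip_address(src) not in INTERNAL:
            continue
        hosts_by_endpoint[(dst, port)].add(src)
    return {ep: sorted(h) for ep, h in hosts_by_endpoint.items()
            if len(h) >= min_hosts}

if __name__ == "__main__":
    for (dst, port), hosts in find_irc_c2(parse_flows(SAMPLE_LOG)).items():
        print(f"suspected IRC C2 {dst}:{port} <- {', '.join(hosts)}")
```

On the sample data the short 6667 connection from 10.0.3.40 and the port-80 flow are ignored, and 198.51.100.7:6667 is reported with its three internal clients.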
What Can They Do?
Botnets have various capabilities, including denial of service attacks, spam relaying, theft of personal information, and even starting web servers on infected computers to aid in phishing attacks. These are all illegal activities, and definitely not something you want coming from your computer. There's nothing worse than receiving e-mail from another company's security officer with evidence that you've been attacking them or sending spam.
Reading the source code for one specific IRC bot leads to much enlightenment, and fright. The repertoire of tasks a bot can carry out on its owner's behalf is truly astounding. Here's a brief list of a few of the more interesting things bots can do:
- Run their own IRC server, becoming a master for other bots to connect to
- Capture or "harvest": CD Keys from the Windows registry, AOL traffic including passwords, and the entire Windows registry itself
- Start flooding a specific IP or network using TCP, UDP, or ICMP
- Add/delete Windows services from the registry
- Test the Internet connection speed of the infected computer
- Start the following services: http proxy, TCP port redirector, and various socks proxies
- Scan and infect other computers on the local network
- Send spam
- Download and execute a file from a given FTP site
And if that wasn't horrific enough for you, consider the following: all of the IRC bots (that I've seen) also have modular capabilities. So if someone programs a new module to extend the bots' capabilities, the owner of the botnet simply runs a single command to install and use the new module on every bot. The capabilities listed above were taken from the agobot source code, but other popular ones probably have similar, if not better, functionality.