Botnets: Who Really "0wns" Your Computers?
Sometimes it's satisfying to leave the confines of the NOC and take a stroll through the cube farm, secure in the knowledge that the machines on your network are secure and in hand. Except, perhaps, when they're not.
A "botnet" is a collection of computers that have been infected with remote-control software. An IRC "bot" is the software that gets installed by a virus, which in turn connects to an IRC (Internet Relay Chat) server — the control plane for sending commands to the bots.
A typical botnet scenario involves thousands of compromised Windows machines and a single "attack" command issued by the owner of the botnet, resulting in once innocent computers executing an attack on an unsuspecting Web site. This article will explore common methods of infection and the capabilities the bots have, for the sake of better understanding these perils.
When an unpatched Windows computer connects to the Internet, survival is an unlikely prospect. Within minutes, the computer can become infected with a trojan or worm that installs an IRC bot. The bot immediately "phones home" by connecting to an IRC server and then stands by, awaiting commands. SANS has cited 24 minutes as the average time a freshly installed Windows XP computer lasts on the Internet before infection. If you're running a fresh install of MS-SQL Server, the time is considerably shorter: some have cited sub-minute survival times for new, unpatched SQL servers.
What Can They Do?
Botnets have various capabilities, including denial of service attacks, spam relaying, theft of personal information, and even running web servers on infected computers to host phishing pages. These are all illegal activities, and definitely not something you want coming from your computer. There's nothing worse than receiving e-mail from another company's security officer with evidence that you've been attacking them or sending them spam.
Reading the source code for one specific IRC bot leads to much enlightenment, and fright. The repertoire of tasks a bot can carry out on its owner's behalf is truly astounding. Here's a brief list of a few of the more interesting things bots can do:
- Run their own IRC server, becoming a master for other bots to connect to
- Capture or "harvest": CD Keys from the Windows registry, AOL traffic including passwords, and the entire Windows registry itself
- Start flooding a specific IP or network using TCP, UDP, or ICMP
- Add/delete Windows services from the registry
- Test the Internet connection speed of the infected computer
- Start the following services: an HTTP proxy, a TCP port redirector, and various SOCKS proxies
- Scan and infect other computers on the local network
- Send spam
- Download and execute a file from a given FTP site
And if that wasn't horrific enough for you, consider the following: all of the IRC bots (that I've seen) also have modular capabilities. So if someone programs a new module to extend the bots' capabilities, the owner of the botnet simply runs a single command to install and use the new module on every bot. The capabilities listed above were taken from the agobot source code, but other popular ones probably have similar, if not better, functionality.
What Can You Do?
IRC bots are normally installed through known, already patched vulnerabilities, so keeping up to date on Windows Update and antivirus definitions prevents most takeovers. Windows RPC and file sharing (ports 135-139 and 445) and MS-SQL Server (TCP 1433 and UDP 1434) should never be reachable from the Internet. When a new computer is being built, it is common for infection to occur before Windows Update has a chance to complete. Building it on an isolated network segment with those ports blocked allows a safe installation and update, assuming no internal computer is already infected and trying to fan out. NAT, which keeps unsolicited inbound connections from reaching the host, is the obvious solution, but it doesn't always work in enterprise environments doing unattended installations of Windows.
Tracking IRC bots has become quite a hobby for some people. From a network perspective, most anomalous traffic these days is turning out to be IRC bot related. IRC bots respond to an "infect" command by scanning the local network and infecting other hosts, and that scanning normally raises a few eyebrows on carefully managed networks. Intrusion detection systems such as Snort also carry signatures for some of the more common IRC bots.
For example, if the string "Exploiting IP" appears in an IRC message, chances are very high that it is an IRC bot reporting its activity home. Most of the time the bots don't attempt to conceal what they're doing, as you can see by running ngrep '#exploit' on a network monitoring host (#exploit being the IRC channel name); the traffic is in the clear. Still, although you can watch the IRC traffic once you have identified a possibly infected host, finding the infected hosts in the first place is not always simple. Snort does a fair job, provided you've updated its signatures to tell it what to look for.
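The two indicators described above (the "Exploiting IP" string and the #exploit channel) are easy to turn into a small detector, and the same pass over the traffic can also catch the general pattern the article gets at: several internal hosts rallying in one channel on one IRC server, whatever that channel is called. The following is an added example, not code from the original article or from any IDS. It runs over constructed records shaped like ngrep output (source host, destination host, destination port, payload); the nicknames, channel key, addresses and the "three internal hosts" threshold are assumptions made for the example.

```python
"""Detect IRC-bot "phone home" traffic in a batch of captured IRC messages.

Added example (not from the original article). Input records resemble what
ngrep prints per packet: (src_host, dst_host, dst_port, payload). The two
signatures come from the article; the sample nick, channel key, addresses
and the threshold of 3 hosts per channel are assumptions for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample records (not real captures): (src_host, dst_host, dst_port, payload).
SAMPLE_TRAFFIC = [
    ("10.0.5.17", "198.51.100.9", 6667, "NICK bot8821"),
    ("10.0.5.17", "198.51.100.9", 6667, "JOIN #exploit k3y"),
    ("10.0.5.17", "198.51.100.9", 6667, "PRIVMSG #exploit :Exploiting IP: 10.0.5.44"),
    ("10.0.5.23", "198.51.100.9", 6667, "JOIN #exploit k3y"),
    ("10.0.5.44", "198.51.100.9", 6667, "JOIN #exploit k3y"),
    ("10.0.7.2", "192.0.2.40", 6667, "JOIN #linux"),
    ("10.0.7.2", "192.0.2.40", 6667, "PRIVMSG #linux :anyone tried the new kernel?"),
]

# Payload signatures named in the article: bots report "Exploiting IP" and
# gather in the #exploit channel. Extend these as you learn new strings.
PAYLOAD_SIGNATURES = [re.compile(r"Exploiting IP")]
SUSPECT_CHANNELS = {"#exploit"}


def parse_irc(payload):
    """Split an IRC line into (COMMAND, params). Drops the optional ':prefix'
    and keeps the trailing ':long text' as one parameter. Junk -> (None, [])."""
    line = payload.strip()
    if line.startswith(":"):            # ":nick!user@host CMD ..." -> drop the prefix
        _, _, line = line.partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return None, []
    params = parts[1:] + ([trailing] if sep else [])
    return parts[0].upper(), params


def is_internal(host):
    """True for RFC 1918 and other non-routable addresses, i.e. 'our' side."""
    return ipaddress.ip_address(host).is_private


def signature_hits(traffic):
    """Per-packet indicators: (src_host, reason) for every internal host whose
    IRC traffic matches a known bot string or targets a known bot channel."""
    hits = []
    for src, dst, port, payload in traffic:
        if not is_internal(src):
            continue
        command, params = parse_irc(payload)
        for sig in PAYLOAD_SIGNATURES:
            if sig.search(payload):
                hits.append((src, f"payload matches {sig.pattern!r}"))
        if command in ("JOIN", "PRIVMSG") and params and params[0] in SUSPECT_CHANNELS:
            hits.append((src, f"{command} to channel {params[0]}"))
    return hits


def crowded_channels(traffic, threshold=3):
    """Cross-host correlation: many internal machines joining the same channel
    on the same server look like a botnet rallying, whatever the channel name.
    The default threshold of 3 is an assumption for this example; tune it."""
    members = defaultdict(set)
    for src, dst, port, payload in traffic:
        command, params = parse_irc(payload)
        if command == "JOIN" and params and is_internal(src):
            members[(dst, port, params[0])].add(src)
    return {key: hosts for key, hosts in members.items() if len(hosts) >= threshold}


def suspect_hosts(traffic, threshold=3):
    """Union of both methods: sorted list of internal hosts worth inspecting."""
    hosts = {src for src, _ in signature_hits(traffic)}
    for members in crowded_channels(traffic, threshold).values():
        hosts.update(members)
    return sorted(hosts, key=ipaddress.ip_address)


if __name__ == "__main__":
    for src, reason in signature_hits(SAMPLE_TRAFFIC):
        print(f"{src}: {reason}")
    for (server, port, channel), hosts in crowded_channels(SAMPLE_TRAFFIC).items():
        print(f"{len(hosts)} internal hosts in {channel} on {server}:{port}: {sorted(hosts)}")
    print("inspect:", suspect_hosts(SAMPLE_TRAFFIC))
```

The signature pass is exactly what a Snort rule or an ngrep filter does, and it fails the moment the bot author changes a string. The channel-crowding pass costs nothing extra and keys on behaviour instead: a dozen desktops in the same IRC channel on an outside server is worth a look no matter what the channel is called. Feed it real ngrep or sniffer output by building the same four-field records from each packet.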
Owners of a botnet are always looking to expand operations; they are in a constant struggle to own more and more slave computers, and the larger and better connected the botnet, the more revered its owner. Computers owned by corporations and educational institutions are prime targets, since they normally sit on high-bandwidth Internet connections. The sad part is that, in general, infecting corporate and educational networks is just as easy as infecting residential computers.
Sdbot, rxbot, and agobot are a few of the most common bots at the moment. It doesn't really matter which bot is running on a computer, since they all provide complete control to the new owner of the compromised computer, resulting in a very bad day for the original owner.
Antivirus software and Microsoft's new Malicious Software Removal Tool are both able to detect existing bots. Some bots have been known to propagate via e-mail as well, which makes the infection harder to block with port filtering alone.
Aside from user education, the best way to keep previously unseen infections from taking over a computer is simply to block the above-mentioned ports at the perimeter. New Windows vulnerabilities will appear in the future, but for the time being, you should be relatively safe.