Zombie networks, called Bot-Nets, are a growing threat

http://www.homecomputingsecurity.com

What: Zombies..... BOT-NET Dangers

Why: Remote control of your computer used for malicious purposes without your knowledge or permission

How: Hacker activities and malicious code can compromise your system and stealthily take control

Detailed Information

A botnet (also known as a zombie army) is an assembled network of computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet. By turning your computer into a zombie and having their bulk mail originate from your DSL line, spammers bypass the filters of ISPs trying to thwart illegal bulk mail. Any such computer is referred to as a zombie - in effect, a computer "robot" or "bot" that serves the wishes of some master spam or virus originator. According to a report from Russian-based Kaspersky Labs, botnets -- not spam, viruses, or worms -- currently pose the biggest threat to the Internet. A report from Symantec came to a similar conclusion.

Computers that are co-opted to serve in this unaware army of the "walking dead" are often those whose owners fail to provide effective firewalls and other safeguards. A zombie or bot is often created through an Internet port that has been left open and through which a little Trojan horse program can be left for future activation. At a certain time, the zombie army "controller" can unleash the effects of the army by sending a single command, possibly from an Internet Relay Chat (IRC) site.

The computers that form a botnet can be programmed to redirect transmissions to a specific computer, such as a Web site that can be closed down by having to handle too much traffic - a distributed denial-of-service (DDoS) attack - or, in the case of spam distribution, to many computers. The motivation for a zombie master who creates a DDoS attack may be to cripple a competitor. The motivation for a zombie master sending spam is in the money to be made. Both of them rely on unprotected computers that can be turned into zombies.

A college student was complaining this fall about his computer at college grinding to a halt and useless at times. Got warnings that the C drive was full. Couldn't be! He has a 32GB partition for C drive! What filled it up?

I walked him through it over the phone, suggesting files he could remove, apps to uninstall, temp and log files to delete. We got it some more breathing room. But it soon filled up again. He brought it to me. I checked and even though the properties said C drive had 0 space free, I would check the individual folders and they surely did not add up even close to 32GB's worth.

Browsing the internet got painfully slow and halted at times. Other weird and odd behaviors he now recalls, often in browsing. Applications taking forever to start up.

Something was definitely not right....

I finally searched for all files >1mb in size on C drive, unhiding system files, etc. I deleted tons of unnecessary files. I was able to free up 27GB worth!!! Now, after reboot, the system seemed to be in normal operation, not halting.

After checking and editing some startup files, checking antivirus and antispyware configuration, etc., I rebooted again. Now the Antivirus and AntiSpyware shields and programs were up to date and working properly.

I rebooted again.

Right away, the system was taking too long to boot up. Finally, Webroot SpySweeper popped up a warning that it was blocking activity, a transmission attempt to a very weird internet address.

The destination URL was: 80gw6ry3i3x3qbrkwhxhw.032439.com

THANK YOU WEBROOT SPYSWEEPER for great detective work!

I entered the URL above into a Google search and lo and behold, the URL above is known to be a malicious web site connected with bot-network activity. Source. (Interesting read if you have time....how they are thinking to analyze and put into databases the internet traffic to identified bad sites, observing DNS domain name server traffic that is uncommon, anomalies....in a new approach to intrusion detection systems.)

Below is a screen shot of the section of the article which specifically describes what was happening to this computer:



Interesting, I recall seeing several dozen large video files, in some legit program directory, that I found I was unable to delete. I was baffled. I now suspect maybe the bot-network had installed these *.avi files...maybe changed to read-only, maybe renamed them to AVI and they maybe were being used in some way? Or maybe this bot-network had hidden other files somehow. But because I was able to see and delete many files to recover 27gb, I don't think they were hidden. I am guessing that many files were renamed and placed within legit folders to keep them low key, under the radar.

Some bot-networks use your computer as a transfer station, maybe they are into trafficking video or music files and need a storage server and use your machine for that purpose.

In doing cleanup, file deletions, disabling some startup file activities....I apparently deleted or interrupted the trojan or rootkit long enough on this student's PC so that Webroot Spysweeper was again active, and at the next reboot, the net-bot activity was finally uncovered. CAUGHT YA!

Looking at the SpySweeper activity logs...it recorded events in August...then nothing appeared until last night! So it seems that SpySweeper was brought down the whole semester. 

Of course, I cannot trust this computer system.....I now need to do the routine again....reformat hard drive, reinstall everything. 


Here are other recent news items offering insights into the new and growing threat of the Zombie Bot-Nets:

Botnet Stalkers Share Takedown Tactics at RSA
February 8, 2007 By Matt Hines  Source

SAN FRANCISCO—A pair of security researchers speaking here at the ongoing RSA Conference Feb. 7 demonstrated their techniques for catching botnet operators who use secret legions of infected computers to distribute malware programs and violent political propaganda. 

The botnet experts, both of whom are employed by anti-malware software maker FaceTime Communications, based in Foster City, Calif., detailed how they identified and pursued individuals believed to be responsible for running a pair of sophisticated botnet schemes, which have been subsequently shut down or significantly scaled back. 

Addressing a packed room of conference attendees, Chris Boyd, director of malware research at FaceTime Security Labs, and Wayne Porter, director of special research for the company, detailed their efforts to infiltrate the botnet community and find the people responsible for running underground networks believed to have harbored as many as 150,000 compromised computers. 

One of the botnets uncovered by the researchers was based in the United States and was used to deliver malware code including spyware that stole credit card data from e-commerce systems for the purpose of committing fraud. The other crimeware distribution campaign appears to have been used by radical Middle Eastern ideologists to espouse violent messages of world domination and steal money to buy satellites, radios and computer equipment. 

Porter and Boyd offered a rare inside glimpse into the world of botnet herders, which the researchers entered by hanging out on the shady online bulletin boards and chat relays where the schemers meet to share the tricks of the trade and their malware programs. By luring the prolific fraudsters to offer details about their work, and spying on the criminals, the researchers claim to have pieced together the identities of several of the unsavory individuals and helped take down their networks of subverted machines. 

In the case of the U.S.-based botnet, which was actually made up of two zombie networks, the operators secretly distributed a commercially available remote computer management application made by Famatech to unsuspecting end users via instant messaging systems and hid the program on their devices. Once the software was installed, the devious parties used it to load malware onto the machines, including a Perl script dubbed "Carder," which takes advantage of holes in several e-commerce shopping cart applications to steal people's usernames, passwords, credit card numbers and PayPal account information. 

Starting with a tip from another malware researcher identified only by the screen name "Rince" about the people believed to be responsible for running the zombie network, FaceTime's Boyd—who is often identified by his own online alter-identity, "Paper Ghost"—said the sophisticated con game began to unravel. 

After laying out so-called honey pots in hopes of finding the signature work of two of the suspected botnet purveyors, known by the comic booklike villain monikers MC-Zero and Ink, Boyd said the researchers found their quarry and began examining posts the individuals made to shadowy sites in which they bragged about elements of their attacks. 

"You have to be careful that people aren't just yanking your chain, but we tried to use social engineering to get as much information as possible about these botnets," Boyd said. "You have to get information from nontraditional channels, and working with Rince we were soon looking at live feeds of their IRC chats." 

By taking the information the scammers unknowingly handed over to the researchers—which included pictures of their homes and cars—and determining where the individuals lived and carried out their work, the security experts were able to partner with ISPs to get the criminals' respective botnets shut down. 

In the case of the other zombie net, run by a group identifying itself as the Q8Army, individuals used IM-borne adware programs to deliver malware rootkits that stole credit card information for the purpose of committing fraud. The programs also served up pop-ups that carried URLs of militant Arabic Web sites that endorse violent means for achieving "world domination," the researchers said. 

Using a paper trail left by some of the URLs and related fraudulent transactions, the researchers traced the group's origin to unidentified positions in the Middle East and observed that some of the stolen funds were being used to buy mobile communications gear and used PCs. 

After discovering the Q8Army's homepage, which carried custom hacking tools, programs for generating Trojan viruses and other malware applications, the researchers were able to have a set of U.S.-based servers used by the group taken offline, although the individuals remain active on systems located in Germany and the Middle East, according to Boyd. 

The researchers said there will need to be even more widespread cooperation on the part of security experts, law enforcement officials and government regulators if more of the zombie computer networks are to be shuttered in the future. However, Boyd said it is smarter to take a slow approach that yields detailed information and more powerful results in identifying the scams, versus merely attacking the hijacked computers from which their work is being delivered. 

"There are an awful lot of botnets out there, which encourages a whack-a-mole approach to shutting them down," said the researcher. "By following the people who are actually responsible and building a case behind the scenes, we can actually do a lot more damage to them." 

FaceTime's Porter warned that the groups of criminals funding many of the zombie networks have amassed significant resources via their work and are increasingly luring unemployed programmers in countries including Russia to create new malware exploits that will help them continue to steal with success. 

While many botnets last for only days and do relatively little damage, based on the shoddy nature of their execution, the most sophisticated operators will continue to find new ways to stay one step ahead of their pursuers, according to the expert. 

"These groups now have significant research and development budgets, and we've literally seen billions of dollars flowing through these networks," said Porter. "Even more scary—these botnet operators are mastering the art of contextual marketing and may become even more successful at delivering their attacks." 

'Pump-and-Dump' Spam Surge Linked to Russian Bot Herders
November 16, 2006 By Ryan Naraine   Source

The recent surge in e-mail spam hawking penny stocks and penis enlargement pills is the handiwork of Russian hackers running a botnet powered by tens of thousands of hijacked computers.

Internet security researchers and law enforcement authorities have traced the operation to a well-organized hacking gang controlling a 70,000-strong peer-to-peer botnet seeded with the SpamThru Trojan.

According to Joe Stewart, senior security researcher at SecureWorks, in Atlanta, the gang functions with a level of sophistication rarely seen in the hacking underworld.

For starters, the Trojan comes with its own anti-virus scanner—a pirated copy of Kaspersky's security software—that removes competing malware files from the hijacked machine. Once a Windows machine is infected, it becomes a peer in a peer-to-peer botnet controlled by a central server. If the control server is disabled by botnet hunters, the spammer simply has to control a single peer to retain control of all the bots and send instructions on the location of a new control server.

The bots are segmented into different server ports, determined by the variant of the Trojan installed, and further segmented into peer groups of no more than 512 bots. This allows the hackers to keep the overhead involved in exchanging information about other peers to a minimum, Stewart explained.

Stewart, a reverse engineering expert with expertise in deconstructing malware samples, gained access to files from a SpamThru control server and found evidence that the attackers are meticulous about keeping statistics on bot infections around the world.

For example, the SpamThru controller keeps statistics on the country of origin of all bots in the botnet. In all, computers in 166 countries are part of the botnet, with the United States accounting for more than half of the infections.

The botnet stats tracker even logs the version of Windows the infected client is running, down to the service pack level. One chart commandeered by Stewart showed that Windows XP SP2 (Service Pack 2) machines dominate the makeup of the botnet, a clear sign that the latest version of Microsoft's operating system is falling prey to attacks.

Another sign of the complexity of the operation, Stewart found, was a database hacking component that signaled the ability of the spammers to target its pump-and-dump scams to victims most likely to be associated with stock trading.

Stewart said about 20 small investment and financial news sites have been breached for the express purpose of downloading user databases with e-mail addresses matched to names and other site registration data. On the bot herder's control server, Stewart found a MySQL database dump of e-mail addresses associated with an online shop.

"They're breaking into sites that are somewhat related to the stock market and stealing e-mail address from those databases. The thinking is, if they get an e-mail address for someone reading stock market and investment news, that's a perfect target for these penny stock scams," Stewart said in an interview with eWEEK.

The SpamThru spammer also controls lists of millions of e-mail addresses harvested from the hard drives of computers already in the botnet. "This gives the spammer the ability to reach individuals who have never published their e-mail address online or given it to anyone other than personal contacts," Stewart explained.

"It's a very enterprising operation and it's interesting that they're only doing pump-and-dump and penis enlargement spam. That's probably because those are the most lucrative," he added.

Even the spam messages come with a unique component. The messages are both text- and image-based and a lot of effort has been put into evading spam filters. For example, each SpamThru client works as its own spam engine, downloading a template containing the spam and random phrases to use as hash-busters, random "from" names, and a list of several hundred e-mail addresses to send to.

Stewart discovered that the image files in the templates are modified with every e-mail message sent, allowing the spammer to change the width and height. The image-based spam also includes random pixels at the bottom, specifically to defeat anti-spam technologies that reject mail based on a static image.

All SpamThru bots—the botnet controls about 73,000 infected clients—are also capable of using a list of proxy servers maintained by the controller to evade blacklisting of the bot IP addresses by anti-spam services. Stewart said this allows the Trojan to act as a "massive distributed engine for sending spam," without the cost of maintaining static servers.

With a botnet of this size, the group is theoretically capable of sending a billion spam e-mails in a single day. "This number assumes one recipient per message, [but] in reality, most spams are delivered in a single message with multiple recipients at the same domain, so the actual number of separate spams landing in different inboxes could be even higher," Stewart said.

According to data from Barracuda Networks, an enterprise security appliance vendor in Mountain View, Calif., there has been a 67 percent increase in overall spam volume and a 500 percent increase in image spam since Aug. 2006.

Stephen Pao, vice president of product management at Barracuda Networks, echoed Stewart's findings, noting that the bulk of the spam is linked to the trading of penny stocks. "Across the board, we are observing more spam and more sophistication in sending the spam," Pao said.


Spyware Researchers Discover Massive ID Theft Ring
By Ryan Naraine August 8, 2005   Source

Spyware researchers picking apart one of the more notorious spyware programs have stumbled upon what appears to be a massive identity theft ring hijacking confidential data from millions of infected computers.

Sunbelt Software Inc., makers of the enterprise-grade CounterSpy spyware protection product, made the discovery during an audit of "CoolWebSearch," a program that routinely hijacks Web searchers, browser home pages and other Internet Explorer settings.

During the research, Sunbelt researcher Patrick Jordan deliberately installed the "CoolWebSearch" application on a machine and immediately noticed that the infected system became a spam zombie that was placing callbacks to a remote server.

When Jordan visited the remote server, he was shocked to find that it was being used to distribute sensitive personal information from millions of PC users infected by the spyware application.

"We found the keylogger transcript files that are being uploaded to the servers. We're talking real spyware stuff…chat sessions, usernames, passwords, bank account information, full names, addresses," said Sunbelt president Alex Eckelberry.

In an interview with Ziff Davis Internet News, Eckelberry said the sophistication of the operation suggests it's the work of a "massive identity theft ring" that used keystroke loggers to grab confidential information that could be used to create fake online identities.

"I'm not being dramatic. This is the most repulsive thing I've ever seen. It's very painful to see what's in these log files that are being uploaded in real time. We're seeing a lot of bank information and usernames and passwords to get in," Eckelberry said.

He said the log files included logins to one business bank account with more than $350,000 and another small company in California with over $11,000, readily accessible.

"There are lots of eBay account information and names and addresses of the people owning those accounts. Names, passwords, all matched up," Eckelberry added.

He said the server, which is hosted out of a data center in Texas, was effectively a "massive repository of stolen data" that was being replenished in real time.

"As the [log] file gets to a certain size, it gets taken down and a new file starts generating. This goes on nonstop. We've been watching it for a few days while trying to get to the FBI, and it just keeps growing and growing."

While the site is being hosted in the United States, Eckelberry said the domain name is registered to an offshore company.

Eckelberry said the huge size of the log files is a clear indication that thousands of machines are pinging back daily.

In some cases, where users appeared to be at immediate risk of losing a considerable amount of money, Sunbelt has contacted the affected individuals.

Eckelberry said the "CoolWebSearch" payload included a typical adware download that immediately scanned the infected machine for e-mails to use for spam runs. It then sets up a "very intelligent keylogger" that looks for very specific information.

"This won't get caught by a typical anti-spyware application," he said, noting that the keystroke logger was able to pick up identity-related data for delivery to the remote server.

Anti-virus vendor Trend Micro Inc. provides a free online scanning tool that detects and deletes the "CoolWebSearch" application. The tool is available for the Microsoft Windows XP, Windows 2000, Windows Millennium Edition and Windows 98 operating systems.

A huge IRC "botnet" controlling more than 10,000 machines has been shut down by the security staff of Norwegian provider Telenor, according to the Internet Storm Center. Source

The discovery confirms beliefs about the growth of botnets, which were cited in the recent distributed denial of service (DDoS) attack upon Akamai and DoubleClick that sparked broader web site outages.

Bot networks aggregate computers that have been compromised with trojans, allowing them to be remotely controlled by hackers. In the past year, the proliferation of e-mail borne viruses and auto-downloading trojans has dramatically increased the number and size of botnets, which now have economic value as Spam engines and tools in DDoS blackmail schemes. Compromised "zombie" machines were recently found on the networks of the U.S. Defense Department and Senate.

IRC (Internet Relay Chat) is a live chat system that allows users to create private discussion rooms. While IRC has a lengthy history of legitimate use, it is also a medium for discreet communication between hackers. In February the FBI shut down a large IRC provider, Ohio-based CIT/Foonet, saying it was operating a DDoS-for-hire scam. CIT operator Jay Echouafni is now a fugitive, charged with paying hackers to use botnets of between 5,000 and 10,000 hosts to launch crippling digital attacks on the websites of business rivals.

The CIT case demonstrates the difficulty of defending against DDoS attacks from huge botnets. One of the victims, WeaKnees.com, shifted its hosting to Rackspace, which has touted its ability to defend against DDoS attacks. The attackers subsequently changed tactics and launched an attack that kept WeaKnees offline for two weeks, according to affidavits filed with the court case.

"There are enormous bot networks out there that can do a lot of damage," Akamai chief scientist Tom Leighton said after the attacks on his company. "It's a tremendous problem, and presents a threat to the Internet."

Hacker arrested for breaching DOD systems with ‘botnets’   

by Rob Thormeyer GCN 11/4/05   Source

A California man will be arraigned Monday on federal charges that he breached computer security at Defense Department installations and profited by creating a so-called “botnet”—a network of computers used to launch viruses or send out huge amounts of junk e-mail, federal prosecutors said.

The arrest Thursday of 20-year-old Jeanson James Ancheta of Downey, Calif., is the first of its kind and a stark reminder that even the most secure computer system is vulnerable, according to the U.S. Attorney’s Office in the Central District of California.

“The good news is he did not breach the network for obtaining proprietary information,” said James Aquilina, assistant U.S. attorney for Cyber and Intellectual Property Crimes. “The concern is that he would be able to do it” if he wanted to, Aquilina added. “That’s the scary part.”

According to the 17-count indictment, Ancheta wrote malicious computer code that was spread to armies of infected computers. Access to this “botnet” was then sold to others for the purpose of distributing denial-of-service attacks and sending junk e-mails.

Ancheta’s desire to profit from the botnets makes the case unique, a spokesman for the U.S. Attorney’s Office said.

The indictment alleges Ancheta tapped into computer systems at the Weapons Division of the U.S. Naval Air Warfare Center in China Lake, Calif., as well as computers owned by the Defense Information Systems Agency.

Ancheta allegedly modified a known code for the botnet that, once past the systems’ firewalls, got stronger and affected other computers, Aquilina said.

Aquilina could not disclose the level of damage to the federal systems, and added that the Defense Department was “instrumental in helping to identify the breach.”

DOD’s networks “are very strong,” he said, but “no system is impervious [to attack].”

Viruses 'a thing of the past'

By Shawna McAlearney, News Editor 25 Apr 2005   Source

No longer are antivirus experts as concerned with attention-grabbing viruses and worms causing mass destruction. Instead, they're hot for the bot.

A quarterly report released today by California-based McAfee Corp. says the "steady increase in Trojans and bots continues to grow while mass-mailer viruses taper off." It confirms similar findings reported last week by Russia-based Kaspersky Labs and in March by Cupertino, Calif-based Symantec Corp.

"Botnets are the greatest threat to the Internet as we know it," according to Kaspersky's report. "They stimulate the creation of new malicious programs as they require constant refreshment, both in terms of new malware and new zombie machines to extend the network. Detection and prevention of botnets should be a priority for both the IT industry and end users, since the future of the Internet depends on coordinated action now."

Experts say millions of bots have been secretly installed on PCs, creating multitudes of malicious programs awaiting commands from a herdmaster. Vinny Gullotto, vice president of McAfee's Oregon-based Antivirus and Vulnerability Emergency Response Team, said the creation of botnets is motivated by money. "Attacks will become more subversive to steal data or use your machine for adware," he said. "Forget virus attacks -- they're a thing of the past. Bots, rootkits, Trojans and other surreptitious methods will rise. "

All of these infected machines are being actively used by cybercriminals as spamming platforms to make money, Kaspersky said in the report. "Botnets can also be used in DoS attacks and to spread new malware -- such threats often lead site owners to pay cybercriminals not to attack their sites. Botnets are also used to mail out more and more new Trojans that harvest and send banking information to the controller."

Alexandr Gostev, Kaspersky's senior virus analyst, said the virus industry is more concerned with botnets than just about any other type of malware. "Any fresh new exploit for Microsoft Windows is used first of all for attacks on vulnerable systems [which are then infected] with bots and not with viruses, adware and worms."

The Kaspersky report said the RPC DCOM and LSASS vulnerabilities are most frequently targeted by bots, but several Windows flaws reported last year could be viable targets in the future. Kaspersky researchers estimate the number of bots increases by 50,000 every month, and pegs the total number of zombies at several million.

Mobile viruses, phishing, social engineering, identity theft and exploited vulnerabilities were cited as other major concerns. But the heavy emphasis in all three reports on botnets reflects a subtle yet significant change in malware over the past year.

How zombie networks fuel cybercrime
November 03, 2004  Source

Technology Trends report from New Scientist Print Edition by Celeste Biever

In June, the websites of Google, Yahoo and Microsoft disappeared for hours when their servers were swamped with hundreds of thousands of simultaneous webpage requests that they could not possibly service. It sounds a tough attack to orchestrate, but executing it could not have been simpler.

A hacker kicked off the assault by typing a simple command into an internet chat room. That command awakened dormant software “bots” that had been planted in tens of thousands of PCs around the world with the help of computer viruses.

When the bots read the command in an internet chat room they were monitoring, they began firing a blizzard of page requests at the servers hosting the company sites. Result: the servers effectively got tongue-tied trying to service the requests, and had to go offline until the attack ceased.

This modus operandi is fuelling a growing crime wave against e-commerce in which these networks of bots, dubbed botnets, are increasingly being offered for hire by hacking groups.

Want to take down a commercial rival’s website? Or how about spamming, perhaps sending out letters “phishing” for people’s passwords and bank account details? And gambling sites that need a continuous web presence to make money are a favorite target for botnet-based blackmail.

Disorganized crime
The distributed denial of service (DDOS) attack on Yahoo, Microsoft and Google was especially effective because it targeted one of their web-hosting companies, Akamai Technologies in Cambridge, Massachusetts. But Akamai is far from alone in falling prey to botnet sabotage.

For instance, just last week, UK online betting firm Blue Square fell victim to a botnet-based blackmail attempt. And an executive at a satellite TV firm in Massachusetts has been charged with hiring several botnets to disrupt the websites of three rivals, costing one of their web-hosting firms $1 million.

The case marks a watershed: “It’s the first time we have prosecuted individuals for the mercenary use of botnets,” says Frank Harrill of the FBI’s cybercrime squad in Los Angeles. “But it won’t be the last.”

While DDOS attacks are nothing new, they used to have a limited impact. A group of hackers would agree on a time to simultaneously contact the target web server manually, but they could rarely conscript enough attacking PCs to overwhelm every channel of a major-league website. But botnets make it a piece of cake to orchestrate distributed attacks from a vast ad hoc network. You could call it disorganized crime.

Zombie PCs
So how does an innocent PC become part of a botnet? First, a computer virus installs a “back door” program that leaves an internet port on a PC open. Both SoBig and MyDoom employed this tactic.

The hacker then probes PCs connected to the net to look for open ports and, when they find one, they install a bot on its hard drive. Security experts call these bot-loaded PCs “zombies”, since the hacker can wake them from the dead on command.

Because bots can be placed on any number of PCs, and chat rooms provide a useful central location from which to control them, there is no technical limit to the size of a botnet, says Viki Navratilova, a systems administrator at the University of Chicago.

And the Internet Relay Chat protocol that chat rooms run is a very convenient means of command and control, says David Dittrich, a systems administrator at the University of Washington in Seattle, because it allows the person who runs the chat room to communicate with all members (or bots) simultaneously.

In January, attacking botnets typically comprised around 2000 innocent computers. But by May that had risen to more than 60,000, according to the latest research from e-security firm Symantec Antivirus. Fuelling this is the increase in always-on broadband connections, which makes it much more likely that a large number of zombies will be logged onto a chat room at any one time.

Reliable income
The botnet controllers are cashing in. Eavesdropped chat-room exchanges reveal that a DDOS attack appears to cost between $500 and $1500, with smaller botnet attacks priced between $1 and $40 per zombie harnessed. “It’s such a reliable way to make money that hackers don’t need day jobs,” says Navratilova.

To detect zombies active in their networks, systems administrators check for telltale “master-slave” traffic. “If you see 10 of your computers receiving the same data from a computer in Romania, and then rapidly trying to contact a large site, like a government one, you know your computers have become zombies,” says Dittrich.

Once a zombie is found, the bot inside can be dissected to find the address of the controlling chat room so it can be taken down and the controller traced.

But hackers are now covering their tracks by encrypting the chat-room address or by making the bots corrupt their own program code when extracted.

“It’s kind of like cockroaches. You spray in the kitchen behind the wall but they find other ways to survive. You only get rid of some,” says Navratilova.
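The "master-slave" check Dittrich describes above, worked through as an added example written for this page (not code from the New Scientist article or from any vendor): it reads a constructed flow log, looks for an outside host pushing identical-size data to several inside machines within a short window, and only alerts when those same machines then turn around and contact one outside target. The 10.0.0.0/8 range, the window sizes and every address in the sample log are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumption: the monitored network is 10.0.0.0/8; everything else is "outside".
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow log (not real traffic): time src dst dport bytes.
# 192.0.2.10 plays the controller, 203.0.113.50 the site the bots are aimed at.
# 198.51.100.80 plays a software-update server: it also fans out same-size data,
# but the receivers never converge on one target, so it must NOT be flagged.
SAMPLE_FLOWS = """\
2004-11-03T10:00:01 192.0.2.10 10.1.1.5 6667 212
2004-11-03T10:00:01 192.0.2.10 10.1.1.9 6667 212
2004-11-03T10:00:03 192.0.2.10 10.1.2.17 6667 212
2004-11-03T10:00:04 192.0.2.10 10.1.3.4 6667 212
2004-11-03T10:00:20 10.1.1.5 203.0.113.50 80 64
2004-11-03T10:00:21 10.1.1.9 203.0.113.50 80 64
2004-11-03T10:00:21 10.1.2.17 203.0.113.50 80 64
2004-11-03T10:00:22 10.1.3.4 203.0.113.50 80 64
2004-11-03T10:00:40 10.1.1.5 203.0.113.50 80 64
2004-11-03T10:05:00 198.51.100.80 10.1.1.5 443 4096
2004-11-03T10:05:01 198.51.100.80 10.1.1.9 443 4096
2004-11-03T10:05:02 198.51.100.80 10.1.2.17 443 4096
2004-11-03T10:05:30 10.1.1.5 198.51.100.7 443 1320
"""


def parse_flows(text):
    """Parse 'time src dst dport bytes' lines into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def find_zombies(flows, min_hosts=3, fanout_window=timedelta(seconds=30),
                 reaction_window=timedelta(minutes=2)):
    """Return one finding per (controller, target) pair that matches both steps."""
    # Step 1: an outside host sends the same-size payload to several inside hosts.
    inbound = defaultdict(list)
    for f in flows:
        if f["src"] not in INTERNAL_NET and f["dst"] in INTERNAL_NET:
            inbound[(f["src"], f["bytes"])].append(f)

    findings, seen = [], set()
    for (controller, _size), group in inbound.items():
        group.sort(key=lambda f: f["ts"])
        for anchor in group:
            burst = [g for g in group
                     if anchor["ts"] <= g["ts"] <= anchor["ts"] + fanout_window]
            receivers = {g["dst"] for g in burst}
            if len(receivers) < min_hosts:
                continue
            command_time = max(g["ts"] for g in burst)

            # Step 2: those same receivers rapidly open connections to one outside target.
            contacted = defaultdict(set)
            for f in flows:
                if (f["src"] in receivers and f["dst"] not in INTERNAL_NET
                        and f["dst"] != controller
                        and command_time <= f["ts"] <= command_time + reaction_window):
                    contacted[f["dst"]].add(f["src"])
            for target, zombies in contacted.items():
                if len(zombies) >= min_hosts and (controller, target) not in seen:
                    seen.add((controller, target))
                    findings.append({
                        "controller": str(controller),
                        "target": str(target),
                        "zombies": [str(z) for z in sorted(zombies)],
                    })
    return findings


if __name__ == "__main__":
    for hit in find_zombies(parse_flows(SAMPLE_FLOWS)):
        print(f"controller {hit['controller']} -> target {hit['target']}: "
              f"{', '.join(hit['zombies'])}")
```

The update-server lines show why both halves of the heuristic are needed: fan-out alone is also what legitimate distribution looks like, and only the shared outbound target afterwards separates a herded machine from a patched one.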

Contact me at NofinerWeb.com