Botnet around us, are we nodes of the Matrix?

Pierluigi Paganini August 17, 2012

Article published in The Hacker News Magazine – August edition, “Botnet”


The nightmare of millions of infected computers synchronized to attack a specific target materializes in the concept of the botnet.

In the classic architecture each machine, called a bot, executes orders sent by a master unit called the botmaster, which can instruct the components of the malicious network to perform an attack or to exchange messages. The botnet model can serve various purposes: as a cyber weapon in the military sphere, for cyber espionage in industry, and in cybercrime to steal sensitive information such as banking credentials.

As we will see in this article, other factors are helping this kind of cyber threat develop: the evolution of the mobile scenario and the diffusion of agents specialized for social network platforms. The botnet phenomenon is worrying because of its rapid growth, the evolution of the model and the continuous improvement we are witnessing.

But let’s start from the beginning, the infection phase, in which machines are recruited through the diffusion of different types of malware developed with specific and profoundly different characteristics. The most common way to build a botnet is to send the victims infected e-mails that contain a link to a compromised website or that carry the malware agent as an attachment; once executed on the machine, the agent turns it into a bot.

Usually the infected machines try to contact the C&C (Command & Control) server to receive operative instructions. Botnets are created for various purposes, such as denial-of-service attacks, the creation of SMTP mail relays for targeted spam campaigns and the implementation of various fraud schemes (e.g. gathering of banking information).

Botnets represent one of the most dangerous cyber threats because of their adaptive capabilities and massive diffusion, and recent events have demonstrated that every platform can be attacked. One of the most aggressive malware samples is the Flashback Trojan, created to conduct click-fraud scams by hijacking search engine results inside the victim’s web browser and to steal banking or login credentials. Of course, once the system is infected it can be used as part of a botnet, causing greater damage. The botnet related to the Flashback Trojan is called Flashfake, also designed by cybercriminals to conduct a click-fraud scam, taking advantage of the pay-per-click campaigns of advertising companies. Flashback appeared in September 2011 disguised as an Adobe Flash Player installer, imitating the Flash Player layout. Once installed, the malware searches for user names and passwords stored on the victim’s machine.

What is the status of botnet diffusion?

According to the data presented by McAfee Labs in its McAfee Threats Report – First Quarter 2012, the botnet threat is growing and causing great concern among security experts because of its diffusion: millions of compromised computers connected to the Internet are in fact used daily to carry out scams and cyber attacks. Observing the volume of messages exchanged between bots and command servers gives an indicator of the level of the threat and of its diffusion. Overall messaging botnet growth jumped up sharply from the previous quarter, mainly in Colombia, Japan, Poland, Spain and the United States.

Many of the leading messaging botnets (Bobax, Cutwail, Grum, Lethic and Maazben) showed minor growth or a decline, with the exception of Cutwail, which increased significantly.

Behind the principal botnets there is the cybercrime industry, which is pushing the diffusion of malware to infect an increasing number of machines but is also proposing new business models, such as botnet rental or the sale of the agents used to build botnets. The business is reaching significant figures in a short time, mainly thanks to the opportunities provided by the Deep Web.

Considerable is the discovery, made by a group of AlienVault experts led by Alberto Ortega, of a new service that offers cyber-attack tools and hosting as part of a malware-as-a-service offering.

Once again cybercrime operates as an enterprise: the products proposed are tools for organizing cyber attacks, such as malware spam, malware hosting and the building of a complete command and control (C&C) infrastructure for running botnets.

The service is called Capfire4 and it is a good example of C2C (Cybercrime to Cybercrime): it provides technological support to criminals who lack the knowledge needed to conduct a cyber attack or to arrange a cyber scam.

In the simplest case, users access a web portal that offers the possibility of creating customized versions of malware and a management console to control the bots of the infected networks.

A few steps for a criminal who needs to create a botnet without any particular knowledge.

The most popular malware on the portal are RATs (Remote Administration Tools), software created to let the attacker spy on the victims through keylogging, password stealing, command execution, remote access and control, and screen capturing.

These tools are continually updated and improved to meet customers’ requirements, an excellent job by specialists. The platform also offers a hosting service for the malware: once logged in, the client can choose the destination of the agent from a list of fake domains that look like legitimate ones.

Criminal models such as this one make the production of malware affordable and also contribute to the diversification of the agents, making their detection harder because of the continuous reprocessing and improvement. These groups are led by professionals who are familiar with the detection mechanisms of the antivirus vendors. Malware spread in this way could be used by terrorists or other groups wishing to conduct cyber attacks, providing new and powerful weapons at low cost and without the particular risks associated with their acquisition and possession.

Botnets and cyber warfare

The creation of botnets is also considered in the cyber warfare scenario as a military option for offensive purposes or cyber espionage.

Through a botnet it is possible to attack the nerve centers of a country; isolated attacks can target its critical infrastructures and create serious problems in areas like finance, communications and transport. That is cyber warfare: no matter whether behind the attack there is a foreign government or ruthless criminals, the risk is high and facing the threat is a high priority.

The US government is taking the botnet threat seriously: recently administration officials belonging to U.S. President Barack Obama’s team declared that the government had started the IBG (Industry Botnet Group), a coordinated project that involves private enterprises and trade associations.

One of the key features of the program is raising awareness of the botnet world through cooperation between government and the private sector.

White House Cybersecurity Coordinator Howard Schmidt has deep knowledge of the problem, and for this reason he is convening federal agencies, law enforcement and private companies to define a common strategy to deal with the threat.

The components of a botnet can be located anywhere in the world, involving several countries, different social contexts and different laws and regulations; for this reason it is quite difficult to arrange a united front against the threat.

During the McAfee Public Sector Summit in Arlington, Va., on April 11th, Schmidt declared:

“There’s been a lot of discussion about botnets…trying to identify how many are out there, what they’re doing, what they could do and what the impact could be. I’ve asked my office to engage in a private-public partnership to enhance the nation’s cyber security by fighting against bot networks,”

“We’re teaming U.S. internet service providers, search engines, internet vendors, privacy rights advocates and groups and trade associations to tackle this on all fronts. We’re working on developing best practices and an industry code of conduct within the next 90 days.”

The working group led by Schmidt is making a considerable effort in the battle, working to reach the following four main goals:

  1. Develop principles for addressing botnets.
  2. Establish high-level strategies to increase public awareness of botnets.
  3. Leverage available consumer-focused information tools and resources to prevent botnet infections from the beginning.
  4. Identify ways of measuring progress.

A fundamental aspect is a deep analysis of the current situation and the definition of methods to measure the extent of the threat’s spread, elaborating a globally recognized set of indicators that can provide a status on the evolution of the phenomenon. Another key to fighting the proliferation of botnets is raising the level of awareness of the threat in each sector while also providing the tools necessary to tackle the problem.

According to Schmidt it is necessary to act immediately, because the diffuse botnet offensive represents a serious threat to both the military and private sectors and threatens the security of nations. What most worries the U.S. government is the high rate of malware spread in the private sector, a phenomenon that is not easy to counter: it has been estimated that one in ten Americans has some kind of malicious software on their devices.

“We’re looking at what [botnets] might do to a business’s infrastructure, to personally identifiable information – identity theft, credit card fraud, et cetera – but it goes beyond that. What we’re beginning to see is about 4 million new botnet infections every month…it’s a moving target,”

 “One of the clear issues we won’t be doing anymore is to just sit back and admire the problem. We’ve done that for too long. We’ve written strategy after strategy…it’s time to move beyond the strategies and actually move into an environment where we’re executing on these strategies,”

Botnet, a model in continuous evolution

Meanwhile, while security experts worldwide are searching for a common strategy to decapitate botnets, the cybercrime industry is providing new and efficient solutions to avoid any type of detection and mitigation.

The real innovation of recent months is the creation of botnets based on P2P (peer-to-peer) communication that do not rely on command and control (C&C) servers to receive commands. The new variant is based on a new instance of Zeus, a malware used mainly to steal information, such as bank credentials, from infected PCs. At the end of 2011 a new Zeus variant was identified that uses P2P communication to transfer commands between compromised hosts in a botnet. Symantec experts discovered that its spreading mechanism is the distribution of fake antivirus programs.

The interesting feature is that P2P communication is used as a backup system in case the C&C servers are not reachable, creating an autonomous peer network in which each node can operate as a slave or as a master giving orders to other PCs, operating and exchanging information illegally acquired from the victims.

Symantec expert Andrea Lelli stated:

“Every peer in the botnet can act as a C&C server, while none of them really are one,”

“Bots are now capable of downloading commands, configuration files, and executables from other bots — every compromised computer is capable of providing data to the other bots,”


In such a botnet, each bot works as a web server thanks to the nginx instance bundled with the malware; communications between the nodes of the network are based on the HTTP protocol. The new type of botnet is really worrisome because it is hard to fight: the single point of failure represented in a classic botnet architecture by the C&C servers is absent, and distributed peer networks are very difficult to identify. Tracking systems such as ZeusTracker are not able to track this variant, because they list only the IP addresses of C&C servers and cannot enumerate the complete list of components of a P2P network.

To avoid tracking and traffic dumps, the communications mainly use the UDP protocol, since TCP sessions are easier to detect. The bot does not perform any authentication on the packets exchanged, so anyone can impersonate a bot and successfully communicate with other bots, downloading material such as configuration data; this feature could be used to exploit the network.

The handshake phase between bots takes place over a custom UDP protocol, and after a successful connection the nodes start to exchange data over TCP (e.g. configuration files, lists of other peers, etc.).
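The two points above, that a tracker needs the complete node list rather than a handful of C&C addresses, and that unauthenticated peer messages let anyone talk to a bot, can be shown in a small simulation. This is an added example, not code from Symantec, ZeusTracker or the malware itself: the message layout (type byte, sender id, peer count, IPv4+port entries), the node addresses and the peer tables are constructed for the example and are not the real Zeus wire format. Because no bot checks who is asking, a crawler can start from one seed address and walk the peer lists until it has enumerated every reachable node, which is exactly what a sinkhole operation needs.

```python
"""Crawling an unauthenticated P2P botnet by walking peer lists (added example).

Wire format, addresses and peer tables are constructed for illustration;
they are NOT the real Zeus/Flashback/Kelihos formats.
"""
import socket
import struct
from collections import deque

MSG_PEER_REQ = 0x01    # constructed: "send me your peer list"
MSG_PEER_REPLY = 0x02  # constructed: "here are my peers"


def build_peer_request(sender_id):
    """Request: 1-byte type + 4-byte sender id, network byte order."""
    return struct.pack("!BI", MSG_PEER_REQ, sender_id)


def build_peer_reply(sender_id, peers):
    """Reply: type, sender id, 2-byte count, then N x (IPv4 + 2-byte port)."""
    out = struct.pack("!BIH", MSG_PEER_REPLY, sender_id, len(peers))
    for ip, port in peers:
        out += socket.inet_aton(ip) + struct.pack("!H", port)
    return out


def parse_peer_reply(data):
    """Parse a reply; raise ValueError on truncated or wrong-type data."""
    if len(data) < 7:
        raise ValueError("short message")
    mtype, sender_id, count = struct.unpack("!BIH", data[:7])
    if mtype != MSG_PEER_REPLY:
        raise ValueError("not a peer reply")
    body = data[7:]
    if len(body) != count * 6:
        raise ValueError("peer list length mismatch")
    peers = []
    for i in range(count):
        chunk = body[i * 6:(i + 1) * 6]
        (port,) = struct.unpack("!H", chunk[4:])
        peers.append((socket.inet_ntoa(chunk[:4]), port))
    return sender_id, peers


def bot_handle(bot_id, peer_table, data):
    """A bot's request handler. No authentication: any well-formed request
    from any sender id gets the peer list back (the weakness noted above)."""
    if len(data) != 5:
        return None
    mtype, _sender = struct.unpack("!BI", data)
    if mtype != MSG_PEER_REQ:
        return None
    return build_peer_reply(bot_id, peer_table)


# Constructed network: address -> (bot id, peers that bot knows about).
# 10.0.0.9 is referenced by bot 4 but is offline (not in the table).
NETWORK = {
    ("10.0.0.1", 1111): (1, [("10.0.0.2", 2222), ("10.0.0.3", 3333)]),
    ("10.0.0.2", 2222): (2, [("10.0.0.1", 1111), ("10.0.0.4", 4444)]),
    ("10.0.0.3", 3333): (3, [("10.0.0.1", 1111)]),
    ("10.0.0.4", 4444): (4, [("10.0.0.2", 2222), ("10.0.0.5", 5555),
                             ("10.0.0.9", 9999)]),
    ("10.0.0.5", 5555): (5, []),  # leaf: knows nobody else
}


def send(network, addr, data):
    """Stand-in for the UDP exchange: deliver bytes to the bot at addr.
    Offline peers give no answer."""
    if addr not in network:
        return None
    bot_id, peers = network[addr]
    return bot_handle(bot_id, peers, data)


def crawl(network, seed, crawler_id=0xDEADBEEF):
    """Breadth-first walk of the peer graph from one seed. Returns every
    address that answered: the full node list a tracker or sinkhole needs,
    which a C&C IP blocklist cannot provide for a P2P botnet."""
    seen = {seed}
    queue = deque([seed])
    found = set()
    while queue:
        addr = queue.popleft()
        reply = send(network, addr, build_peer_request(crawler_id))
        if reply is None:
            continue
        found.add(addr)
        _bot, peers = parse_peer_reply(reply)
        for peer in peers:
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return found


if __name__ == "__main__":
    nodes = crawl(NETWORK, ("10.0.0.3", 3333))
    print("enumerated %d bots from one seed:" % len(nodes))
    for ip, port in sorted(nodes):
        print("  %s:%d" % (ip, port))
```

The crawler uses an arbitrary sender id and is still answered by every node, which is the impersonation problem the text describes; a botnet that signed or keyed its peer messages would force a tracker to join as a real bot instead. Replace `send` with a real UDP socket call and the rest of the logic is unchanged.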

What is still a mystery is how the information reaches the botmaster, which is why analysis is still ongoing. It has been hypothesized that specific conditions can trigger communication with a specific server, for example to transfer the stolen information. Preliminary research suggests that stolen information is still transmitted back to the botmasters using classic methods rather than relayed through the P2P network.

The Zeus case is not isolated: recently Kaspersky Lab, in collaboration with the CrowdStrike Intelligence Team, Dell SecureWorks and members of the Honeynet Project, dismantled the second Hlux botnet (aka Kelihos).

This botnet had a scary size: it has been estimated that it was three times larger than the first Hlux/Kelihos botnet dismantled in September 2011. Only five days after the operation, Kaspersky Lab had already neutralized more than 109,000 infected hosts. It is estimated that the first Hlux/Kelihos botnet had only 40,000 infected systems.

The event has demonstrated that it is becoming hard to tackle the new generation of botnets because of the peer-to-peer technology also implemented in Kelihos. The new variant of the malware incorporates P2P technology to eliminate the need for a C&C server, avoiding detection and the immunization campaigns aimed at decapitating the malicious networks.

To provide another example we can recall the Alureon/TDL4 botnet, which can survive indefinitely in the absence of its C&C servers, making its detection difficult. The new trend in botnet development is to give them the capability to be “independent” of control servers, surviving and remaining anonymous for long periods while infecting many machines.

The battle is difficult: the changes observed in the botnet scenario are the result of a malware development model that has nothing to envy in the product development of the legitimate industry.

The mobile scenario, business opportunity and related cyber threats

One of the IT sectors experiencing the greatest growth is without doubt mobile: an increasing number of platforms and related applications have been developed in recent months, consolidating the trend. Of course, alongside this growth a considerable increase in cyber attacks on the mobile sector has been observed, a sector that is still vulnerable from the security perspective. The impressive growth in demand has not been matched by awareness of the threat: most of the time the user ignores the potential of their smartphone and the threats to which it is exposed.

To stay on topic, a mobile botnet is a botnet that targets mobile devices such as smartphones, attempting to gain complete control of the device. Mobile botnets take advantage of unpatched vulnerabilities to give attackers root privileges over the compromised device, enabling them to send e-mail or text messages, make phone calls, spy on users, access contacts and photos, and more.
The main problem is that these botnets go undetected, and this makes them really difficult to tackle. The malware spreads by sending its agents to other devices via e-mail or text messages.

Examples of mobile botnets are DroidDream and TigerBot (SMS-controlled Android malware), which compromised Google Android devices, Zitmo (a Zeus variant) that targeted the BlackBerry platform, and CommWarrior, which affected Symbian devices. The latest in order of time is TigerBot, a new form of Android malware controlled via SMS messages that can record phone calls, upload the device’s GPS location and reboot the phone, among other operations, executing the command while preventing the message from being seen by the user. TigerBot tries to hide itself from the user by not showing any icon on the home screen and by using legitimate-sounding app names (like “System”) or by copying names from trusted vendors like Google or Adobe. TigerBot differs from “traditional” malware in that it is controlled via SMS rather than from a command & control (C&C) server on the Internet. The polymorphism of the threats and the genesis of new variants are the issues of most concern; these hacks and malware essentially turn the phones into “zombies” that respond to external orders.
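The traits just described for TigerBot (commands arriving as SMS that the user never sees, no home-screen icon, a name borrowed from the platform or a trusted vendor, and permissions to record calls and read location) are all visible in an app’s manifest before the code is ever run. The triage below is an added example and not a Trend Micro, Google or Symantec rule: the heuristics, the permission set, the impersonation word list, the priority threshold and both sample manifests are this example’s own assumptions, constructed to show how a reviewer could flag such an app statically.

```python
"""Static triage of an AndroidManifest.xml for SMS-controlled, icon-hiding apps.

Added example. The heuristics, thresholds and sample manifests are assumed
for illustration and are not any vendor's detection rule.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LAUNCHER = "android.intent.category.LAUNCHER"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Assumed set: together these let an app record, track and exfiltrate.
SPY_PERMS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.INTERNET",
}
# Assumed list of names that imitate the platform or a trusted vendor.
IMPERSONATION = ("system", "google", "adobe")
# Assumed threshold: an SMS receiver this high in the ordered broadcast can
# consume the message before the messaging app shows it to the user.
HIGH_PRIORITY = 1000


def attr(elem, name):
    """Read an android:-namespaced attribute from an element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return a list of (finding, detail) pairs for one manifest."""
    root = ET.fromstring(xml_text)
    findings = []

    perms = {attr(p, "name") for p in root.iter("uses-permission")}

    # Hidden icon: no activity registered in the launcher category.
    has_launcher = any(
        attr(c, "name") == LAUNCHER
        for act in root.iter("activity")
        for c in act.iter("category")
    )

    # SMS control channel: a receiver for incoming SMS, and its priority.
    for filt in root.iter("intent-filter"):
        actions = {attr(a, "name") for a in filt.iter("action")}
        if SMS_RECEIVED in actions:
            prio = int(attr(filt, "priority") or 0)
            if prio >= HIGH_PRIORITY:
                findings.append(("sms_receiver_high_priority", prio))
            else:
                findings.append(("sms_receiver", prio))

    if not has_launcher and "android.permission.RECEIVE_SMS" in perms:
        findings.append(("no_launcher_icon_with_sms", None))

    spy = perms & SPY_PERMS
    if len(spy) >= 3:
        findings.append(("spy_permission_set", sorted(spy)))

    # Name impersonation in the app label or package name.
    app = root.find("application")
    label = (attr(app, "label") or "") if app is not None else ""
    pkg = root.get("package") or ""
    for word in IMPERSONATION:
        if word in label.lower() or word in pkg.lower():
            findings.append(("impersonation", word))
            break
    return findings


def is_suspicious(findings):
    """Assumed decision rule: an SMS control channel plus any other trait."""
    names = {name for name, _ in findings}
    sms_control = bool(names & {"sms_receiver", "sms_receiver_high_priority"})
    return sms_control and len(names) >= 2


# Constructed manifest shaped like the TigerBot description: no launcher
# activity, top-priority SMS receiver, spy permissions, label "System".
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.google.update.system">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="System">
    <receiver android:name=".CmdReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary messaging app: it also receives SMS,
# but has a launcher icon, normal priority and no spy permission set.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.messenger">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Messenger">
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found = triage_manifest(xml)
        print(name, "->", "SUSPICIOUS" if is_suspicious(found) else "ok", found)
```

A legitimate SMS app also registers an SMS receiver, which is why the rule requires a second trait before flagging; on its own the receiver is just a feature. Run the script against a manifest extracted from an APK (for example with apktool) in place of the constructed strings.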

The rapid spread of botnets based on mobile devices is favored by the almost total absence of protection mechanisms, which makes them difficult to tackle, and by the difficulty of tracing the agents composing the network. This cyber threat must alert private industry but especially the institutional environment: the risk of data exposure is really high, and given the young age of the sector we are still too vulnerable. Cybercriminals and government agencies are aware of the importance of the information that can be gained from our mobiles and are therefore showing great interest in the field. In particular, an exponential growth of malware designed to attack mobile systems and steal sensitive information useful for committing fraud has been observed, hitting the banking sector particularly hard.

The scenario of a mobile attack is always the same: the app stores are the sites for software download, and the mobile apps are the programs users download onto their mobile devices. Users who download from app stores may download compromised apps infected by malware. The number of applications available on the stores increases day by day, especially for open platforms like Android. Consider also that there are third-party stores that provide alternative apps, but downloading from these unofficial channels is very dangerous for end users. The main problem with alternative app stores is that they are not sufficiently controlled or that they can be run by cybercriminals to provide fake copies of legitimate applications modified to carry out fraud. Given the different malware targeting the Android OS, several companies have tried to categorize it depending on the fraud and attack scheme implemented. Following is the categorization proposed by Trend Micro.

As previously mentioned, Android Market has fewer restrictions when it comes to registering as a developer. The strategy is meant to encourage app developers to adopt the platform, but of course it also makes it easier for cybercriminals to upload their malicious apps or Trojanized counterparts. Following are some noteworthy incidents, listed by Trend Micro, that leveraged this loophole:

We analyzed several Trojanized applications found in the Android Market detected as ANDROIDOS_LOTOOR.A. One of these apps is the game Falling Down, which renders similar to the clean version. Once installed, the Trojanized version asks for more access permissions. It also gathers device information like IMEI and IMSI numbers and roots affected devices.

One of the malware variants found in the Android Market is the notorious DroidDreamLight variant. Trend Micro researchers found an app that promotes itself as a .APK file management tool. However, instead of helping users, this app (detected as ANDROIDOS_DORDRAE.M) collects device-related information and uploads it to remote servers. It was immediately taken off the Android Market.

Google released the Android Market Security Tool in the Android Market. Cybercriminals, on the other hand, were not deterred by this tool and even released a Trojanized version. Detected as ANDROIDOS_BGSERV.A, it acts as a backdoor that gathers information from the device and sends these to a remote URL.

Cybercriminals have also created and distributed malware using the names of popular apps that are not yet available on the Android Market. Android users anticipating these games are the likely victims of this ruse. A recent example is a fake version of Temple Run we found in the Android Market.

The reports also alert mobile users to the extension to mobile environments of threats common elsewhere, such as advanced persistent threats (APTs). Because of the intrinsic nature of these attacks they are considered “campaigns” rather than singular “incidents”. The introduction of mobile devices has considerably increased the attack surface, making these attacks more frequent. Mobiles are simple to infect through any infected medium.

Present projects for future threats

The US government is financing several activities to investigate and hack into the technology that ordinarily surrounds us in every device. This is the next step of warfare: spying on and attacking foreign enemies simply by accessing the devices present in their offices, in their houses and in their cars.
Every device connected to the Internet could be the target of a possible attack; the intelligence it is fitted with can be used for numerous purposes, exploiting the lack of awareness of the cyber threat.

The U.S. government recently promoted a project to hack into video game consoles, issuing a request for the “Development of Tools for Extracting Information from Video Game Systems.”

The idea is as simple as it is efficient: today’s consoles are totally equivalent to a computer, they are connected to the Internet in the same way and they provide many services to the end customer. The latest generation of gaming consoles has pushed the communication aspect: using these devices, users are able to communicate with every other player connected to the gaming platform, and those communications, along with any other sensitive information stored on the console, are of interest to US intelligence agencies.

The U.S. Navy has reported that the scope of the project is to hack into used consoles to access any sensitive information exchanged through their messaging services; it has also guaranteed that the spying technology will be used only on nations overseas, because domestic legal restrictions do not allow this practice on US citizens.

But let’s think for a moment about the power of these networks and the possibility of creating a large botnet to attack every type of target. We are facing an incredible war machine that could destroy an enemy computer system by coordinating a cyber attack of unimaginable dimensions, or arrange a large-scale infiltration for cyber espionage purposes. Well, this is cyber war, and the implementation of botnets using gaming platforms is an option examined by the most advanced and technological countries.

Regarding the specific project, the official U.S. Navy statement is:

“This project involves furnishing video game systems, both new and used, and creating prototype rigs for capturing data from the video game systems.”

The description from the actual contract on the Federal Business Opportunities website, posted on March 26, is:

“R & D effort for the development and delivery of computer forensic tools for analyzing network traffic and stored data created during the use of video game systems.”

The project has been assigned to the California-based company Obscure Technologies, which signed a contract worth $177,237.50 for the job.

Will we see in the future botnets composed of gaming consoles?

Of course yes … but don’t ask me about the consequences!



The fight against the proliferation of botnets, in my judgment, depends on some key factors such as:

  • The promotion of joint operations that involve government agencies and the major private industry players. In this sense, some large companies have already embarked on close collaboration with governments, as in the case of Microsoft.
  • A timely and methodical study of the evolution of the technological solutions on which botnets are based is fundamental. It is important to define a universally recognized set of indicators to qualify the threat and its evolution deterministically.
  • Awareness of the cyber threats and dissemination of best practices for the containment of infections.
  • Approval of globally recognized regulations and penalties for those who develop or contribute to the spread of botnets. Unfortunately, today the differences between legislative frameworks represent an advantage for those who intend to commit a crime using these tools.

Despite the good intentions, we are still far from a global agreement on the proper action against botnet diffusion, from both the legislative and the operative perspectives.

We need to hurry!

Pierluigi Paganini

(Security Affairs – Botnet)
