
2/21/2007
11:00 AM

Black Hat: Botnets Go One-on-One

Botnets are changing channels and fighting back at researchers

The most savvy and sophisticated botnet operators are bringing out the big guns now -- operating deeper underground and staging massive distributed denial-of-service attacks on their adversaries.

Jose Nazario, senior software and security engineer with Arbor Networks, will give an inside look at the latest botnet movements and strategies in a briefing at Black Hat DC next week. Nazario, who is among the researchers who track botnets, says big changes are now underway in the botnet world. (See Botnets Don Invisibility Cloaks.)

"The two biggest shifts we're seeing are HTTP for very specialized botnets and the successful deployment of peer-to-peer botnets," Nazario says. "That's pretty frightening, if you think about it."

There's been an especially dramatic jump in peer-to-peer botnets, he says. The peer-to-peer approach is tough to detect and take down because it has no central command server: any peer can pass commands along to the others, so there is no single host for defenders to find and cut off.

Nazario and fellow researchers at Arbor last year started noticing a few botnets chatting it up with their bots or zombies via the more inconspicuous Web-based connections, rather than through conventional Internet Relay Chat (IRC) channels. "Now we're seeing an even larger shift away from IRC for botnets," he says. "Botnet operators are realizing that most IRC botnets can be tracked and monitored quickly."

IRC is a client-server protocol for real-time text conversations, and its plaintext commands and well-known ports are easily detected by IDSes and IPSes. It has long been a favorite hacker hangout, as well as a botnet operator's conduit to the machines it has infected.
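To make concrete why IRC command-and-control is the easy case for an IDS, here is an added example that is not from the original article or from Arbor's tooling: a small Python content matcher that recognizes an IRC session by the shape of its messages (NICK, USER, JOIN, PRIVMSG, server numerics, PING/PONG) rather than by the destination port, pulls out the bot's nick and the channel it joins, and is then run against two constructed payloads. The first is a classic IRC bot check-in, the second is the same bot after its herder has moved to an HTTP poll, which is exactly the shift the article describes. Host names, nicks, channel names and the ".ddos.syn" command string are all invented for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Client-to-server and server-to-client message shapes from the IRC grammar
# (RFC 1459 / RFC 2812).  Matching on message structure rather than on the
# destination port is what lets an IDS flag a herder who runs ircd on 80 or 443.
CLIENT_CMD = re.compile(r"^(NICK|USER|PASS|JOIN|PART|PRIVMSG|NOTICE|MODE|PONG) ", re.I)
SERVER_MSG = re.compile(r"^:\S+ (\d{3}|PRIVMSG|NOTICE|JOIN|PART|MODE|KICK) ", re.I)
SERVER_PING = re.compile(r"^PING ", re.I)
JOIN_CHAN = re.compile(r"^(?::\S+ )?JOIN :?(#\S+)", re.I)
NICK_CMD = re.compile(r"^NICK (\S+)", re.I)

IRC_PORTS = {6666, 6667, 6697}   # what a port-only rule looks at
MIN_IRC_LINES = 2                # one stray "JOIN" in a web form is not a session


@dataclass
class Verdict:
    dport: int
    is_irc: bool
    irc_lines: int
    nick: Optional[str]
    channels: List[str] = field(default_factory=list)


def port_rule(dport: int) -> bool:
    """The naive rule: 'IRC is whatever talks to TCP/6667'."""
    return dport in IRC_PORTS


def classify_flow(dport: int, payload: bytes) -> Verdict:
    """Content rule: count IRC-shaped lines in the TCP payload, regardless of port."""
    irc_lines = 0
    nick: Optional[str] = None
    channels: List[str] = []
    for raw in payload.decode("latin-1").split("\n"):
        line = raw.rstrip("\r")
        if CLIENT_CMD.match(line) or SERVER_MSG.match(line) or SERVER_PING.match(line):
            irc_lines += 1
        m = NICK_CMD.match(line)
        if m and nick is None:
            nick = m.group(1)
        m = JOIN_CHAN.match(line)
        if m and m.group(1) not in channels:
            channels.append(m.group(1))
    return Verdict(dport, irc_lines >= MIN_IRC_LINES, irc_lines, nick, channels)


# Constructed sample payloads (not real captures).  The IRC session is the
# classic bot check-in: register a nick, join a keyed channel, receive a command.
IRC_SESSION = (
    b"NICK [USA|XP|SP2]-48213\r\n"
    b"USER xp2 0 0 :xp2\r\n"
    b":irc.example.net 001 [USA|XP|SP2]-48213 :Welcome\r\n"
    b"JOIN #bots k3y\r\n"
    b":[USA|XP|SP2]-48213!xp2@10.0.0.5 JOIN :#bots\r\n"
    b":herder!h@example.net PRIVMSG #bots :.ddos.syn 192.0.2.10 80 600\r\n"
    b"PING :irc.example.net\r\n"
    b"PONG :irc.example.net\r\n"
)
# The same bot after its herder moved command-and-control to an HTTP poll.
HTTP_BEACON = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"Host: update.example.com\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"id=48213&os=XP&ver=2&cmd=report"
)


def demo():
    """Run both rules over the three flows and return the content-rule verdicts."""
    results = {
        "irc_on_6667": classify_flow(6667, IRC_SESSION),
        "irc_on_80": classify_flow(80, IRC_SESSION),
        "http_on_80": classify_flow(80, HTTP_BEACON),
    }
    for name, v in results.items():
        print(f"{name:12} port_rule={port_rule(v.dport)!s:5} content_rule={v.is_irc!s:5} "
              f"irc_lines={v.irc_lines} nick={v.nick} channels={v.channels}")
    return results


if __name__ == "__main__":
    demo()
```

The port-only rule misses the IRC session the moment the herder moves the server to TCP/80, while the content rule still catches it and even hands the analyst the nick and channel needed to join and watch. Neither rule says anything about the HTTP beacon: its lines are ordinary HTTP, which is why the move to Web-based command channels costs the defender the cheap signature.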

There are some major botnets that still use IRC, but with a twist: They use counterintelligence, such as "anti-sandboxing" techniques, to throw researchers off their trail. Or in some cases, the operators simply ban researchers from the IRC channels once they realize they're being tracked.

It's not that IRC botnets are dead -- Nazario says IRC-based bots were responsible for a major distributed denial-of-service (DDoS) attack on the anti-phishing CastleCops site this month -- but botnet operators are looking for stealthier ways to stay alive and keep spamming or spreading viruses.

Sometimes, botnets even stage DDoS attacks on one another to hijack bots and add them to their own armies. "They were involved in fistfights and shouting matches before. But they're bringing the big guns now," Nazario says.

Researchers tracking botnets are scrambling just to keep up. Trouble is, the research community is still focused mostly on IRC-based botnets. "We know the code, we have the tools designed to let us take them apart and infiltrate them and look inside. The problem is the elite botnets aren't IRC anymore. They know they are being monitored," Nazario says.

The more sophisticated botnet herders are also conducting counterintelligence, by poisoning researchers' honeypots among other methods. "They inject a binary and see who shows up. They know that they are being tracked," he says. The botnet operators are tracking the good guys posing as bots or bad guys in IRC channels, and banning them when they find them out.

Nazario says a few botnets are also starting to encrypt their IRC communications as a way to elude researchers.

He and fellow researchers have been closely studying three large botnets: Nugache, Storm, and Stration. "We chose Storm and Stration because they appear to be at war with each other," he says. "They stage huge DDoS attacks back and forth to disrupt each other's network."

Nugache, which has somewhere between 20,000 and 100,000 hosts, is the most intriguing because it's a peer-to-peer botnet that also uses encryption, according to Nazario. "It's lurking quietly in the corner, which is why we chose them," he says. Even more unnerving, researchers don't know for sure what the botnet operators are using Nugache for, he says.

Storm, meanwhile, is a 100,000-node, peer-to-peer and HTTP botnet used to send spam. "They aren't using encryption, but their own communications vocabulary atop the eDonkey protocol," Nazario says. eDonkey is a peer-to-peer file-sharing network; riding on its protocol makes it easy for a client to join the botnet and for the botnet to stay up and running.

"But it obscures the traceback. It's making the job of finding out where and who is behind it -- and what they are doing at any one time -- a lot harder," he says.

"Nugache and Storm's resilience comes from the peer-to-peer" mode, he says. "You don't know who's injecting commands and updates."

Stration is an HTTP-based botnet used mainly for spam. "We found that the malware authors didn't change the initial code all that much," Nazario says. "They were very aggressive and took the world by storm. But it was easy to come up with generic filters to stop it."

It typically preys on machines whose owners don't practice good anti-malware hygiene, so they stay infected, he says.

But Nazario says it's Nugache that's most worrisome. "Nugache is a harbinger of things to come, [a botnet] for malicious purposes."

— Kelly Jackson Higgins, Senior Editor, Dark Reading