2/21/2007 11:00 AM

Black Hat: Botnets Go One-on-One

Botnets are changing channels and fighting back at researchers

The most savvy and sophisticated botnet operators are bringing out the big guns now -- operating deeper underground and staging massive distributed denial-of-service attacks on their adversaries.

Jose Nazario, senior software and security engineer with Arbor Networks, will give an inside look at the latest botnet movements and strategies in a briefing at Black Hat DC next week. Nazario, who is among the researchers who track botnets, says big changes are now underway in the botnet world. (See Botnets Don Invisibility Cloaks.)

"The two biggest shifts we're seeing are HTTP for very specialized botnets and the successful deployment of peer-to-peer botnets," Nazario says. "That's pretty frightening, if you think about it."

There's been an especially dramatic jump in peer-to-peer botnets, he says. The peer-to-peer approach is tough to detect because it's not centralized, and each bot can send commands on its own.

Nazario and fellow researchers at Arbor last year started noticing a few botnets chatting it up with their bots or zombies via the more inconspicuous Web-based connections, rather than through conventional Internet Relay Chat (IRC) channels. "Now we're seeing an even larger shift away from IRC for botnets," he says. "Botnet operators are realizing that most IRC botnets can be tracked and monitored quickly."

IRC is basically a peer-to-peer system for real-time text conversations and is easily detected by IDSes and IPSes. It's long been a favorite hacker hangout, as well as a botnet operator's conduit to its victim machines.
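To make the detection point above concrete, here is an added Python example (not code from the article or from Arbor Networks) that classifies connection records the way a simple IDS rule would: it looks for IRC client commands in the first payload bytes regardless of port, recognises HTTP request lines, and only falls back to the conventional IRC ports when the payload is opaque. All hosts, ports and payloads are constructed sample values; the point it shows is that cleartext IRC stands out even on a non-standard port, while an HTTP-based check-in is labelled the same as ordinary browsing and encrypted IRC is only hinted at by its port.

```python
import re
from collections import Counter, defaultdict

# Constructed sample connection records (src, dst, dst_port, first payload bytes).
# These are invented for illustration, not captured traffic.
SAMPLE_FLOWS = [
    # Classic IRC bot check-in on the standard port: NICK/USER/JOIN in the clear.
    ("10.0.0.12", "203.0.113.5", 6667, b"NICK bot-7f3a\r\nUSER bot 0 * :bot\r\nJOIN #ops\r\n"),
    # Same protocol moved to a non-standard port; still recognisable by its commands.
    ("10.0.0.12", "203.0.113.5", 8080, b"NICK bot-7f3a\r\nJOIN #ops\r\n"),
    # Ordinary web browsing.
    ("10.0.0.15", "198.51.100.20", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"),
    # An HTTP-based check-in looks like any other web request to this check.
    ("10.0.0.18", "192.0.2.7", 80, b"GET /poll?id=7f3a HTTP/1.1\r\nHost: 192.0.2.7\r\n"),
    # TLS to an IRC-over-TLS port: content is opaque, only the port hints at IRC.
    ("10.0.0.20", "203.0.113.9", 6697, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"),
    # Plain HTTPS: opaque, and on a port that tells us nothing.
    ("10.0.0.15", "198.51.100.20", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"),
]

# IRC client commands are plain ASCII words at the start of a CRLF-terminated line.
IRC_COMMAND = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PING|PONG|MODE|QUIT)\b", re.MULTILINE)
# HTTP request line: method, request-target, version.
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT)\s\S+\sHTTP/1\.[01]\r?\n")
# Ports conventionally used for IRC and IRC-over-TLS.
IRC_PORTS = {6667, 6697}


def classify_flow(dst_port, payload):
    """Label a flow by what its first bytes say, and only then by port.

    Returns 'irc' (IRC commands visible), 'http' (an HTTP request line),
    'irc-port-only' (unreadable payload on a conventional IRC port, e.g. encrypted IRC)
    or 'other'.
    """
    if IRC_COMMAND.search(payload):
        return "irc"
    if HTTP_REQUEST.match(payload):
        return "http"
    if dst_port in IRC_PORTS:
        return "irc-port-only"
    return "other"


def summarize(flows):
    """Count flow labels per internal source host."""
    per_host = defaultdict(Counter)
    for src, _dst, dst_port, payload in flows:
        per_host[src][classify_flow(dst_port, payload)] += 1
    return per_host


def suspicious_hosts(flows):
    """Hosts with any IRC-looking traffic; HTTP-based channels do not show up here."""
    return sorted(src for src, counts in summarize(flows).items()
                  if counts["irc"] or counts["irc-port-only"])


if __name__ == "__main__":
    for src, counts in sorted(summarize(SAMPLE_FLOWS).items()):
        print(src, dict(counts))
    print("hosts to review:", suspicious_hosts(SAMPLE_FLOWS))
```

Running it flags 10.0.0.12 (cleartext IRC on both ports) and 10.0.0.20 (opaque traffic to an IRC-over-TLS port), while 10.0.0.18, whose request is constructed to resemble an HTTP check-in, is indistinguishable from 10.0.0.15's browsing. That gap is exactly why a move to HTTP or peer-to-peer channels forces defenders to rely on behavioural signals (beacon timing, destination reputation, request patterns) rather than protocol signatures.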

There are some major botnets that still use IRC, but with a twist: They use counterintelligence, such as "anti-sandboxing" techniques, to throw researchers off their trail. Or in some cases, the botnets merely shut researchers out of IRC rooms when they realize they're being tracked.

It's not that IRC botnets are dead -- Nazario says IRC-based bots were responsible for a major distributed denial-of-service attack on the anti-phishing CastleCops site this month -- but botnet operators are looking for stealthier ways to stay alive and keep spamming or spreading viruses.

Sometimes, botnets even stage DDoS attacks on one another to kidnap bots to add to their armies. "They were involved in fistfights and shouting matches before. But they're bringing the big guns now," Nazario says.

Researchers tracking botnets are having to catch up -- fast -- just to keep up. Trouble is, the research community is still homed in mostly on IRC-based botnets. "We know the code, we have the tools designed to let us take them apart and infiltrate them and look inside. The problem is the elite botnets aren't IRC anymore. They know they are being monitored," Nazario says.

The more sophisticated botnet herders are also conducting counterintelligence, by poisoning researchers' honeypots and other methods. "They inject a binary and see who shows up. They know that they are being tracked," he says. The botnet operators are tracking the good guys posing as bots or bad guys in IRC channels, and banning them when they find them out.

Nazario says a few botnets are also starting to encrypt their IRC communications as a way to elude researchers.

He and fellow researchers have been closely studying three large botnets: Nugache, Storm, and Stration. "We chose Storm and Stration because they appear to be at war with each other," he says. "They stage huge DDoS attacks back and forth to disrupt each other's network."

Nugache, which has somewhere between 20,000 and 100,000 hosts, is the most intriguing because it's a peer-to-peer botnet that also uses encryption, according to Nazario. "It's lurking quietly in the corner, which is why we chose them," he says. Even more unnerving, researchers don't know for sure what the botnet operators are using Nugache for, he says.

Storm, meanwhile, is a 100,000-node, peer-to-peer and HTTP botnet used to send spam. "They aren't using encryption, but their own communications vocabulary atop the eDonkey protocol," Nazario says. That makes it easy for a client to join the botnet, and for the botnet to stay up and running. eDonkey is a peer-to-peer file-sharing network.

"But it obscures the traceback. It's making the job of finding out where and who is behind it -- and what they are doing at any one time -- a lot harder," he says.

"Nugache and Storm's resilience comes from the peer-to-peer" mode, he says. "You don't know who's injecting commands and updates."

Stration is an HTTP-based botnet used mainly for spam. "We found that the malware authors didn't change the initial code all that much," Nazario says. "They were very aggressive and took the world by storm. But it was easy to come up with generic filters to stop it."

It typically preys on machines that don't practice good anti-malware hygiene and remain infected, he says.

But Nazario says it's Nugache that's most worrisome. "Nugache is a harbinger of things to come, [a botnet] for malicious purposes."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...