Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:00 AM
Connect Directly

Black Hat: Botnets Go One-on-One

Botnets are changing channels and fighting back at researchers

The most savvy and sophisticated botnet operators are bringing out the big guns now -- operating deeper underground and staging massive distributed denial-of-service attacks on their adversaries.

Jose Nazario, senior software and security engineer with Arbor Networks, will give an inside look at the latest botnet movements and strategies in a briefing at Black Hat DC next week. Nazario, who is among the researchers who track botnets, says big changes are now underway in the botnet world. (See Botnets Don Invisibility Cloaks.)

"The two biggest shifts we're seeing are HTTP for very specialized botnets and the successful deployment of peer-to-peer botnets," Nazario says. "That's pretty frightening, if you think about it."

There's been an especially dramatic jump in peer-to-peer botnets, he says. The peer-to-peer approach is tough to detect because it's not centralized, and each bot can send commands on its own.

Nazario and fellow researchers at Arbor last year started noticing a few botnets chatting it up with their bots or zombies via the more inconspicuous Web-based connections, rather than through conventional Internet Chat Relay (IRC) channels. "Now we're seeing an even larger shift away from IRC for botnets," he says. "Botnet operators are realizing that most IRC botnets can be tracked and monitored quickly."

IRC is basically a peer-to-peer system for real-time text conversations and is easily detected by IDSes and IPSes. It's long been a favorite hacker hangout, as well as a botnet operator's conduit to its victim machines.

There are some major botnets that still use IRC, but with a twist: They use counterintelligence, such as "anti-sandboxing" techniques, to throw researchers off their trail. Or in some cases, the botnets merely shut researchers out of IRC rooms when they realize they're being tracked.

It's not that IRC botnets are dead -- Nazario says IRC-based bots were responsible for a major distributed denial-of-service attack on the anti-phishing CastleCops site this month -- but botnet operators are looking for stealthier ways to stay alive and keep spamming or spreading viruses.

Sometimes, botnets even stage DDOS attacks on one another to kidnap bots to add to their armies. "They were involved in fistfights and shouting matches before. But they're bringing the big guns now," Nazario says.

Researchers tracking botnets are having to catch up -- fast -- just to keep up. Trouble is, the research community is still honed in mostly on IRC-based botnets. "We know the code, we have the tools designed to let us take them apart and infiltrate them and look inside. The problem is the elite botnets aren't IRC anymore. They know they are being monitored," Nazario says.

The more sophisticated botnet herders are also conducting counterintelligence, by poisoning researchers' honeypots and other methods. "They inject a binary and see who shows up. They know that they are being tracked," he says. The botnet operators are tracking the good guys posing as bots or bad guys in IRC channels, and banning them when they find them out.

Nazario says a few botnets are also starting to encrypt their IRC communications as a way to elude researchers.

He and fellow researchers have been closely studying three large botnets: Nugache, Storm, and Stration. "We chose Storm and Stration because they appear to be at war with each other," he says. "They stage huge DDOS attacks back and forth to disrupt each other's network."

Nugache, which has somewhere between 20,000 and 100,000 hosts, is the most intriguing because it's a peer-to-peer botnet that also uses encryption, according to Nazario. "It's lurking quietly in the corner, which is why we chose them," he says. Even more unnerving, researchers don't know for sure what the botnet operators are using Nugache for, he says.

Storm, meanwhile, is a 100,000 node, peer-to-peer and HTTP botnet used to send spam. "They aren't using encryption, but their own communications vocabulary atop the eDonkey protocol," Nazario says. That makes it easy for a client to join the botnet, and for the botnet to stay up and running. eDonkey is a peer-to-peer file-sharing network.

"But it obscures the traceback. It's making the job of finding out where and who is behind it -- and what they are doing at any one time -- a lot harder," he says.

"Nugache and Storm's resilience comes from the peer-to-peer" mode, he says. "You don't know who's injecting commands and updates."

Stration is an HTTP-based botnet used mainly for spam. "We found that the malware authors didn't change the initial code all that much," Nazario says. "They were very aggressive and took the world by storm. But it was easy to come up with generic filters to stop it."

It typically preys on machines that don’t practice good anti-malware hygiene and remain infected, he says.

But Nazario says it's Nugache that's most worrisome. "Nugache is a harbinger of things to come, [a botnet] for malicious purposes."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Arbor Networks Inc. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Recommended Reading:

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 8/3/2020
    Pen Testers Who Got Arrested Doing Their Jobs Tell All
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
    New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
    Nicole Ferraro, Contributing Writer,  8/3/2020
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    Special Report: Computing's New Normal, a Dark Reading Perspective
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    The Changing Face of Threat Intelligence
    The Changing Face of Threat Intelligence
    This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-08-08
    In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
    PUBLISHED: 2020-08-08
    In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
    PUBLISHED: 2020-08-08
    JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
    PUBLISHED: 2020-08-08
    In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
    PUBLISHED: 2020-08-08
    In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.