Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:00 AM
Connect Directly

Black Hat: Botnets Go One-on-One

Botnets are changing channels and fighting back at researchers

The most savvy and sophisticated botnet operators are bringing out the big guns now -- operating deeper underground and staging massive distributed denial-of-service attacks on their adversaries.

Jose Nazario, senior software and security engineer with Arbor Networks, will give an inside look at the latest botnet movements and strategies in a briefing at Black Hat DC next week. Nazario, who is among the researchers who track botnets, says big changes are now underway in the botnet world. (See Botnets Don Invisibility Cloaks.)

"The two biggest shifts we're seeing are HTTP for very specialized botnets and the successful deployment of peer-to-peer botnets," Nazario says. "That's pretty frightening, if you think about it."

There's been an especially dramatic jump in peer-to-peer botnets, he says. The peer-to-peer approach is tough to detect because it's not centralized, and each bot can send commands on its own.

Nazario and fellow researchers at Arbor last year started noticing a few botnets chatting it up with their bots or zombies via the more inconspicuous Web-based connections, rather than through conventional Internet Chat Relay (IRC) channels. "Now we're seeing an even larger shift away from IRC for botnets," he says. "Botnet operators are realizing that most IRC botnets can be tracked and monitored quickly."

IRC is basically a peer-to-peer system for real-time text conversations and is easily detected by IDSes and IPSes. It's long been a favorite hacker hangout, as well as a botnet operator's conduit to its victim machines.

There are some major botnets that still use IRC, but with a twist: They use counterintelligence, such as "anti-sandboxing" techniques, to throw researchers off their trail. Or in some cases, the botnets merely shut researchers out of IRC rooms when they realize they're being tracked.

It's not that IRC botnets are dead -- Nazario says IRC-based bots were responsible for a major distributed denial-of-service attack on the anti-phishing CastleCops site this month -- but botnet operators are looking for stealthier ways to stay alive and keep spamming or spreading viruses.

Sometimes, botnets even stage DDOS attacks on one another to kidnap bots to add to their armies. "They were involved in fistfights and shouting matches before. But they're bringing the big guns now," Nazario says.

Researchers tracking botnets are having to catch up -- fast -- just to keep up. Trouble is, the research community is still honed in mostly on IRC-based botnets. "We know the code, we have the tools designed to let us take them apart and infiltrate them and look inside. The problem is the elite botnets aren't IRC anymore. They know they are being monitored," Nazario says.

The more sophisticated botnet herders are also conducting counterintelligence, by poisoning researchers' honeypots and other methods. "They inject a binary and see who shows up. They know that they are being tracked," he says. The botnet operators are tracking the good guys posing as bots or bad guys in IRC channels, and banning them when they find them out.

Nazario says a few botnets are also starting to encrypt their IRC communications as a way to elude researchers.

He and fellow researchers have been closely studying three large botnets: Nugache, Storm, and Stration. "We chose Storm and Stration because they appear to be at war with each other," he says. "They stage huge DDOS attacks back and forth to disrupt each other's network."

Nugache, which has somewhere between 20,000 and 100,000 hosts, is the most intriguing because it's a peer-to-peer botnet that also uses encryption, according to Nazario. "It's lurking quietly in the corner, which is why we chose them," he says. Even more unnerving, researchers don't know for sure what the botnet operators are using Nugache for, he says.

Storm, meanwhile, is a 100,000 node, peer-to-peer and HTTP botnet used to send spam. "They aren't using encryption, but their own communications vocabulary atop the eDonkey protocol," Nazario says. That makes it easy for a client to join the botnet, and for the botnet to stay up and running. eDonkey is a peer-to-peer file-sharing network.

"But it obscures the traceback. It's making the job of finding out where and who is behind it -- and what they are doing at any one time -- a lot harder," he says.

"Nugache and Storm's resilience comes from the peer-to-peer" mode, he says. "You don't know who's injecting commands and updates."

Stration is an HTTP-based botnet used mainly for spam. "We found that the malware authors didn't change the initial code all that much," Nazario says. "They were very aggressive and took the world by storm. But it was easy to come up with generic filters to stop it."

It typically preys on machines that don’t practice good anti-malware hygiene and remain infected, he says.

But Nazario says it's Nugache that's most worrisome. "Nugache is a harbinger of things to come, [a botnet] for malicious purposes."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Arbor Networks Inc. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Inside the Ransomware Campaigns Targeting Exchange Servers
    Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
    Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
    Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    2021 Top Enterprise IT Trends
    We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
    Flash Poll
    How Enterprises are Developing Secure Applications
    How Enterprises are Developing Secure Applications
    Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2021-04-15
    Exposure of Sensitive Information in the web interface in McAfee Advanced Threat Defense (ATD) prior to 4.12.2 allows remote authenticated users to view sensitive unencrypted information via a carefully crafted HTTP request parameter. The risk is partially mitigated if your ATD instances are deploye...
    PUBLISHED: 2021-04-15
    Cleartext Transmission of Sensitive Information between McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2021 Update and McAfee Global Threat Intelligence (GTI) servers using DNS allows a remote attacker to view the requests from ENS and responses from GTI over DNS. By gaining con...
    PUBLISHED: 2021-04-15
    Cleartext Transmission of Sensitive Information vulnerability in the ePO Extension of McAfee Content Security Reporter (CSR) prior to 2.8.0 allows an ePO administrator to view the unencrypted password of the McAfee Web Gateway (MWG) or the password of the McAfee Web Gateway Cloud Server (MWGCS) read...
    PUBLISHED: 2021-04-15
    Denial of Service vulnerability in McAfee Data Loss Prevention (DLP) Endpoint for Windows prior to 11.6.100 allows a local, low privileged, attacker to cause a BSoD through suspending a process, modifying the processes memory and restarting it. This is triggered by the hdlphook driver reading invali...
    PUBLISHED: 2021-04-15
    Privilege Escalation vulnerability in McAfee Data Loss Prevention (DLP) Endpoint for Windows prior to 11.6.100 allows a local, low privileged, attacker to write to arbitrary controlled kernel addresses. This is achieved by launching applications, suspending them, modifying the memory and restarting ...