Botnets Behind Most Modern Malware Infections

Command-and-control conduit in most malware makes infected machines bots
Turns out most modern malware attacks have one thing in common: a botnet communication channel between the attacker and the infected machine.

It used to be that botnets were mainly for spewing benign, but annoying, spam. Many of today's largest botnets still do just that, but they are also now being deployed for more nefarious missions, such as banking fraud via sophisticated Trojans and targeted attacks on businesses. And many of the botnets that go after a business are unknown and small -- a handful to a few hundred bots versus their massive predecessor armies of tens of thousands, or even millions, of bots.

Botnets are networks of infected machines controlled through an attacker's command-and-control (C&C) channel, which carries the attack orders and serves as a conduit for updating the malware on a victim's machine. This attack model has become a handy way for the bad guys to prevent their attacks from being detected or blocked, as well as to keep themselves hidden behind the bot army.

So does that mean most attacks are now generated via botnets? If the malware in an attack has a centralized C&C function, then the victim's machine is technically a member of a botnet, security experts say.

"A botnet will have a command and control of some sort -- whether it has an actual server that it connects to in order to receive commands, or a peer-to-peer mechanism where they can send updates or cryptographically signed commands," says Joe Stewart, a researcher with SecureWorks' Counter Threat Unit. "The end goal of many malware attacks is so that bots can be installed, which then can be directed by some command and controller."

This phenomenon of C&C malware is basically modern malware, and that's a botnet, says Ashar Aziz, CEO of FireEye. "I'm very comfortable calling it a botnet," Aziz says.

That doesn't mean every malware attack comes from a botnet or that every victimized machine is automatically a bot. "There's a lot of classic malware still out there," says Gunter Ollmann, vice president of research for Damballa. "The issuing of commands is what distinguishes a botnet [from a traditional malware infection]."

Ollmann doesn't think most malware attacks are executed by botnets. "Drive-by-download attacks are the most frequently encountered sources of malware today -- having overtaken malware attached to spam a couple of years ago -- and many of the techniques used for serial variant production of malware have been refined by the cybercriminals behind these drive-by attacks," he says. "That said, botnets do feature extensively in the drive-by business."

Most malware can be remotely controlled, but turning all of the infected machines into a functional botnet requires centralized C&C management, Ollmann says. Meanwhile, if a C&C channel exists on an infected enterprise machine, then it's more than just an infection, he says. "Then you're talking about a breach: You've been hacked," Ollmann says. There's a "different contextual relationship" with the enterprise when a C&C channel has been established on the victim's machine, he says.
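Since the presence of a C&C channel is what turns an infection into a breach, the defender's check is to look for the traffic shape a centralized check-in produces: repeated connections from one host to one destination at a near-constant interval. The detector below is an added example, not code from the article or from any vendor quoted in it; the flow records, host names, addresses and thresholds are all constructed.

```python
"""Beaconing detector: flags hosts whose outbound connections to a single
destination recur at regular intervals, the pattern a bot's periodic
C&C check-in leaves in flow or proxy logs. Constructed sample data."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log: epoch seconds, source host, destination, bytes out.
# ws-17 checks in with 203.0.113.9 every 60 s; ws-22 browses normally.
FLOWS = """\
1000 ws-17 203.0.113.9 512
1001 ws-17 198.51.100.20 4096
1060 ws-17 203.0.113.9 510
1120 ws-17 203.0.113.9 515
1180 ws-17 203.0.113.9 511
1240 ws-17 203.0.113.9 509
1300 ws-17 203.0.113.9 514
1005 ws-22 198.51.100.20 2048
1090 ws-22 198.51.100.20 120000
1400 ws-22 198.51.100.20 3000
1410 ws-22 198.51.100.20 99
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into (ts, src, dst, bytes)."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        flows.append((int(ts), src, dst, int(nbytes)))
    return flows

def find_beacons(flows, min_conns=5, max_jitter=0.2):
    """Return {(src, dst): period_seconds} for pairs whose gaps between
    connections are regular (stddev/mean <= max_jitter) over at least
    min_conns connections. Thresholds are assumed, tune per environment."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons[pair] = round(period, 1)
    return beacons

if __name__ == "__main__":
    for (src, dst), period in find_beacons(parse_flows(FLOWS)).items():
        print(f"{src} -> {dst}: check-in every ~{period}s, investigate host")
```

Real bots add random jitter to their check-in interval, so in practice max_jitter is raised and the result is triaged against destination reputation rather than treated as proof on its own.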

The botnet model lets an attacker avoid getting shut down via IP address filtering, for instance, and basically gives the attacker a more sustainable model for his attack.

Rohyt Belani, managing partner and co-founder of The Intrepidus Group, says using a botnet helps an attacker evade detection and lets him subtly spread his attack vector across multiple machines in a distributed environment. "Now you have multiple drones all over as bots, conducting activities for you, and you get anonymization," Belani says. "This is a more viable model."

The recently revealed hack of German banks with the sophisticated URLZone Trojan used a botnet for the attack, which pilfered online bank accounts around the world by avoiding any behavior that would trigger a fraud alert and forging the victim's bank statement to cover its tracks. "It's a botnet architecture specifically for bank operations," says Yuval Ben-Itzhak, CTO of Finjan, which discovered the attack. "The main goal of the Trojan is command and wakes up the machine when the user goes to the bank."

And a large number of phishing attacks use botnets. Intrepidus Group's Belani says once a phisher infects a machine with a zero-day vulnerability in an application, for instance, he can easily automate the phishing process. "He can have phishing emails sent out and sit there, and as people fall victim, collect the shells in an automated manner," Belani says.

The botnet gives the attacker a foothold into a corporate network in a targeted attack. The attacker can have the bots grab files from folders and upload them to his own server, where he can view them offline. "They troll around on their own servers instead of connecting into the [enterprise's] machine. They have a piece of malware designed to suck [the data] and upload it," FireEye's Aziz says.

Some mini-botnets also rely on hands-on C&C. Damballa's Ollmann says some of these botnets infiltrating enterprises rely on the attacker remotely controlling four or five machines via C&C and issuing commands to navigate network shares, retrieve files, or access databases.

"One interesting thing about small botnets is they are very strongly associated with a lot of insider knowledge," Ollmann says.
