Is Your Computer a Zombie or Part of a Botnet?

Published: November 3, 2011

Edited: November 5, 2011

Botnets burst into notoriety through the mainstream media in the year 2007 with the discovery of a Trojan named Peacomm and nicknamed Storm by the research community. The Trojan was nicknamed Storm because of a common theme of the subject header contained in the e-mail that delivers the Trojan: “230 dead as storm batters Europe ” (Hidalgo, 2007). Why is there so much concern over a simple e-mail?

The e-mail is not the concern but the delivery mechanism of the threat, which is a Trojan that delivers a rootkit with the end goal of joining the computer to a botnet. Botnets, however, exist in relative obscurity because the vast majority of computer users do not know what botnets are or the threat they pose. The threat of botnets recently resurfaced with renewed media attention attributed to the proliferation of the Stuxnet worm, which took out a nuclear processing plant in Iran and the Dunadup worm, which has infiltrated over 20 million computers by some estimates.

The Stuxnet worm targeted a specific type of Programmable Logic Controller (PLC) and Dunadup affects Windows systems with unpatched vulnerabilities. Does this mean that you are vulnerable to these threats if you do not use PLCs and your Windows systems are up to date? Of course not but there are other vulnerabilities and threats that should raise your state of concern. The first of these threats is that of rootkit download.

The term rootkit is derived from the UNIX operating system, in which root is either the highest access privilege or directory level, depending on the context. When used in the context of a rootkit, root refers to the highest level of access to the system.

Dowada (2006) reported that a rootkit is used to conceal the presence of the intruder by concealing system data, files, and processes. With the intruder's presence hidden, that intruder may then perform system-level, administrative, or root functions on the host computer without the fear of detection. The user has no idea that a hacker has taken control of the system. Operating systems vulnerable to rootkit infection include Windows, Linux, and Solaris.

In layman’s terms, a rootkit is a module injected into an operating system by a third party to take over specific tasks of the operating system and is not necessarily malicious in nature. Many rootkits were originally designed as aids for developers in Unix environments. Therefore, there are some valid uses for a limited number of rootkits.

The threat that rootkits pose is determined by the intentions of the hackers who use them. There are two basic types of rootkits: persistent and non-persistent rootkits. The difference between the two is that persistent rootkits have the ability to load and run following a system reboot whereas non-persistent rootkits do not. For the discussion of the threat of botnets, rootkits are assumed to be of the persistent type.

Some well-known rootkits frequently turn up on infected machines. As stated earlier, rootkits do not gain entry to a system but permit re-entry to an infected system. Examining the functions of some of the well-known rootkits sheds light on how they help the intruder accomplish the notorious purpose for the intrusion. These rootkits are listed here along with brief descriptions of their functions:

• Hidden32 hides applications (Schiller, 2007)
• HideUserv2 adds an invisible user to the administrative group (Schiller, 2007)
• HideWindow hides instances of the Microsoft IRC client (Bacher, Holz, Ketter, and Wichershi, 2005)
• FU hides processes (Dawada, 2006)
• Hacker defender in some newer versions will render some anti-virus and rootkit applications ineffective (Dawada, 2006)
• Sony BMG DRM introduced by Sony corporation as a form of copy-protection for CDs (Dawada, 2006)
• Apropos Spyware prevents un-installation or removal of payload packages (Dawada, 2006)

Rootkits are used by hackers to mask the presence of payload modules they install, add invisible users with root or administrative privileges, and disable the effectiveness of antivirus and rootkit detection tools. This kind of power enables the hacker to regain access to an infected system and perform any desired actions, which leads to the next section.

Once a system is compromised and a number of rootkits installed, the hacker is then free to download payload applications to perform the hackers will without the knowledge or permission of the legal user. A system that has been compromised in this way becomes a zombie computer because the computer is no longer under the control of the rightful user but rather the hacker, and the user may have absolutely no idea what the computer is in fact doing. Zombie is a term that refers to the infected computer, the more common reference in the security industry is to the programs that perform the hacker’s purpose. These zombie programs are known as bots.

“In its most basic form, a bot is simply an automated computer program, or robot. In the context of botnets, bots refer to computers that are able to be controlled by one, or many, outside sources” (McDowell, 2006). Valid uses for bots include web-crawlers that search the web for new sites to index so not all bots are bad. Botnet refers to grouping a collection of zombie computers into a network of directed bots. Botnets are a major threat to individual users and organizations alike and their malicious functions can have far reaching effects.

Attackers can use rootkits and botnets to access and modify personal information, attack other computers, and commit other crimes, all while remaining undetected. By using multiple computers, attackers increase the range and impact of their crimes. Because each computer in a botnet can be programmed to execute the same command, an attacker can have each of them scanning multiple computers for vulnerabilities, monitoring online activity, or collecting the information entered in online forms. (McDowell, 2006).

Actively seeking out vulnerable systems is not a typical method that hackers use to develop botnets. Many of the vulnerabilities that enabled hackers to actively seek out the targets for their exploits have been patched in the targeted applications and operating systems. This state of technology and the availability of exploit kits to deliver Trojans led to a method using social-engineering techniques to infect computers. Refer to McDowell, (2004) for methods to avoid social engineering attacks. Hackers entice users to download Trojans using spam containing links to malware or by enticing users to visit malicious web sites.

A hacker who controls a botnet is called a bot-herder. After successfully gaining control of a number of bots, the bot-herder needs a method to control the bots. The most common method, as illustrated by Schiller (2007), is to employ a Command and Control (C&C) system that communicates with the bots using Internet Relay Chat (IRC). A discussion of this C&C structure follows.

According to Schiller (2007), the first thing that a new bot does is to call home using a process known as rallying and designed to protect the bot herder by passing information through an IRC server. This provides the hacker or bot-herder a layer of protection by preventing the bot-herder from communicating directly with the bot. The bot may be discovered but not the bot-herder. When the rallying process is complete the bot takes up station to monitor the C&C channel for commands.

According to Gu, Zang, and Lee (n.d.), the C&C channel for IRC-based bots conforms to one of two styles, which are the push or pull botnet IRC command and control methods. Whichever style the particular botnet follows, the bot-herder loads the commands on the C&C server. The C&C server then pushes commands to the botnet and waits for responses from individual bots or the bots contact the server and requests commands depending on whether the push or pull style is used.

These commands are used to cause a bot client to update its software and initiate other activities, including the following:

• participate in a DDoS attack
• participate in various money-making schemes
• search for and infect other systems
• control other systems
• store and distribute stolen software, movies or music
• gather identification and authorization information
• retrieve new spam email templates
• update the list of future command and control servers

The list of commands is unique to each bot family, but all bots share some functionality related to things that most bots do. (Schiller, 2007).

The C&C structure of bots varies between the specific bot families but regardless of the type of bot, the bot herder leverages a great deal of control over the bot sometimes including the ability to command the bot to deactivate and cover the tracks left behind if the bot-herder believes that the bot has been discovered or has aged to the point where the bot’s usefulness is limited. The one good characteristic of bots is that they function for a limited amount of time.

What are your thoughts?

As always, the author appreciates all comments.