Botnet 101: Don't Get Own3d!
You wouldn't want to be at someone's beck and call, especially if they wanted you to perform illegal acts for them. What about your computer? It could easily be turned into a robot, or bot, and go over to the “Dark Side”, taking and giving away important information about you, and you might never have a clue that it is happening.
This short primer covers bots and botnets, and how you can protect yourself from them. The few minutes you take to review it could keep you and your computer out of someone's evil clutches. Read on.
What's a botnet?
A botnet is a network of compromised computers, each acting as a robot (or bot) under the control of a remote user. The botnet communicates with its owner via an external control mechanism, usually an Internet Relay Chat (IRC) channel [1]. Unfortunately, the people who build these botnets generally do so for disreputable but very lucrative reasons, such as identity theft.
Individual bots are often carefully hidden and run various programs in the background (trojans), scanning for information, vulnerabilities and the opportunity to propagate themselves. Hackers often seek out prime breeding grounds for their botnets, such as servers with high-speed connections, which can easily support a large group of bots. Using the computers of others helps hackers stay anonymous and harder to catch, plus they can use these systems for free!
Botnets with thousands of connected bots are no longer uncommon. The combined capacity of such a large number of bots makes it possible to disrupt networks through Distributed Denial of Service (DDoS) attacks [2] anywhere and anytime the hacker specifies. You could be a “member” of one of these botnets and not even know it!
Why are botnets such bad news?
Attackers can use botnets to carry out an assortment of nasty tasks, such as: keystroke logging [3], sniffing traffic, sharing pornography, spewing spam and launching phishing attacks, using your computer to infect other systems, installing just about anything available on the Internet onto your computer, stealing passwords, scanning local area networks for vulnerabilities, distributing pirated media, exploiting vulnerabilities including “backdoors” left open by other worms and Trojans, supporting extortion by threatening DDoS attacks, and encrypting and then holding your data hostage (called “ransomware”).
Law enforcement authorities have noted that the driving force behind the spread of botnets is pure and simple: money. There are now big bucks available for little work (most botnet scripts can be easily located and purchased on the Internet), attracting organized crime to the growing potential for profit. Whether collecting $1,000 an attack for temporary access to a botnet that could launch a DDoS, or extorting much larger sums from big businesses (such as online casinos) to cease an attack, easy money can be made sending spam or selling personal information. Here are a couple of figures from 2005 provided in Symantec's Internet Security Threat Report 8th Edition:
- In the first six months of 2005, Symantec observed an average of 10,352 active bot network computers per day
- During this period, the daily volume of phishing attacks was 5.70 million messages (up from an average of 2.99 million messages a day during the previous six-month period)
- Denial-of-service attacks grew from an average of 119 per day to 927 per day during the first half of 2005 - a 680 percent increase over the previous reporting period. The most frequently targeted industry was education, followed by small business and financial services.
Read more about hacker Jeanson Ancheta, who recently pled guilty to charges for crimes that included infecting machines at two U.S. military sites, earning him more than $61,000, and for infecting 400,000 computers with adware. Ancheta faces up to 6 years in prison and must pay the federal government restitution.
... or about recent Federal charges against Christopher Maxwell and two unidentified conspirators, who launched a botnet attack against Seattle's Northwest Hospital, shutting down the ICU and disabling doctors' pagers. If convicted, Maxwell could face up to 10 years in prison and a $250,000 fine.
How easy is it to get “Own3d” (i.e., assimilated into a botnet)?
The most common way to become the home of a bot—also known as being "own3d"—is being tricked into inviting it into your computer. The clever bot master lures you into clicking on a link in email or on the Internet, which then runs a script that will load the malicious software onto your computer, installing the bot or fetching it for installation. Once installed, the bot dutifully calls home for further instructions.
You can also become "0wn3d" by connecting to the Internet with an unpatched vulnerability on your computer or with a weak or non-existent password for your Administrator account. Eventually, some botnet will find its new candidate for assimilation.
View a short animated video that separates the bots from the worms and viruses, and find out how your computer might be letting trouble sneak in.
If it's so bad, what's Brown doing to protect us?
Botnets are very difficult to detect. We monitor network traffic and look for evidence of botnet activity; however, this method is not foolproof. Botnets have the ability to communicate in many different ways, and some even use encryption. We do detect the results of a botnet infection, such as a Denial of Service attack or spam being sent from a University-owned machine. The best defense is prevention: don't get infected with a bot in the first place. See the next section.
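The page does not describe Brown's own monitoring tools; as an added illustration (not the article's or the University's code) of the outcome-based detection just described, the Python screen below flags hosts that repeatedly check in to an IRC server, the control channel named earlier, or open mail connections to an unusual number of servers, the spam symptom. The log lines, hosts, ports and thresholds are all constructed for the demonstration.

```python
# Added example, not from the original Brown CIS article: a minimal screen
# over constructed connection logs for two botnet symptoms the text names,
# repeated check-ins to an IRC command channel and bulk outbound mail (spam).
# Hosts, ports, thresholds and log lines below are all assumed for the demo.
from collections import Counter, defaultdict

IRC_PORTS = {6667, 6668, 6669, 7000}   # ports classic IRC bots call home on
SMTP_PORT = 25
IRC_CHECKIN_MIN = 3                    # repeated check-ins, not a one-off visit
SPAM_DEST_MIN = 20                     # distinct mail servers from one host

# Constructed log: "unix_time src_ip dst_ip dst_port", one connection per line.
SAMPLE_LOG = """\
1139500000 10.1.2.3 198.51.100.7 6667
1139500060 10.1.2.3 198.51.100.7 6667
1139500120 10.1.2.3 198.51.100.7 6667
1139500005 10.1.2.9 203.0.113.10 443
1139500010 10.1.2.9 198.51.100.7 6667
""" + "\n".join(f"11395001{i:02d} 10.1.2.55 192.0.2.{i} 25" for i in range(1, 31))

def parse(log_text):
    """Yield (src, dst, dport) per line, skipping blank or malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        yield parts[1], parts[2], int(parts[3])

def find_suspects(log_text):
    """Return {src_ip: [reasons]} for hosts showing botnet-like behaviour."""
    irc_hits = Counter()                  # (src, irc_server) -> connections
    smtp_dests = defaultdict(set)         # src -> distinct mail servers
    for src, dst, dport in parse(log_text):
        if dport in IRC_PORTS:
            irc_hits[(src, dst)] += 1
        elif dport == SMTP_PORT:
            smtp_dests[src].add(dst)
    suspects = defaultdict(list)
    for (src, dst), n in irc_hits.items():
        if n >= IRC_CHECKIN_MIN:
            suspects[src].append(f"{n} check-ins to IRC server {dst}")
    for src, dests in smtp_dests.items():
        if len(dests) >= SPAM_DEST_MIN:
            suspects[src].append(f"outbound SMTP to {len(dests)} mail servers")
    return dict(suspects)

if __name__ == "__main__":
    for host, reasons in sorted(find_suspects(SAMPLE_LOG).items()):
        print(host, "->", "; ".join(reasons))
```

Because bots can talk on any port and, as the text notes, some encrypt their traffic, a port-based screen like this is a starting point for investigation rather than a complete detector.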
Can't I just let Brown take care of this for me?
Nope. There are some responsibilities you need to assume to complete the protection package. Here are the five most important things you can do:
- Keep your computer current and patch any vulnerabilities. Use the Automatic Update feature of your operating system. See “Auto Update On? Firewalled?” for instructions.
You should keep other software up-to-date too. There are tools such as versiontracker.com that can be helpful, even if you only check the site periodically for updates. Another tool is called “Belarc Advisor”, which provides a list of the patches and software installed on your system, including the latest versions.
- Don't open unexpected attachments.
- Look before you leap. Ignore enticements to click on strange links, whether in emails, chat rooms or unknown web sites. There could be a bot catcher waiting for you at the other end.
You may wish to try an alternate web browser such as Firefox for general web browsing. You can also run your browser in a lower privilege mode using a program like “Dropmyrights”.
- Set your web browser so it won't automatically run scripts. For Internet Explorer, click Tools > Internet Options, then click the Security tab. Select the Internet zone icon and click the "Default Level" button. Select the "High" security level for this zone and click OK.
- Keep your antivirus software up to date. If you don't have antivirus software, install it now. It's free and available for download.
What do I do if I'm Own3d?
If you suspect that your system has become part of a botnet, the best thing to do is contact the Help Desk (3-HELP or email@example.com). You can find information about the latest threats from the CIS home page.
- "Beware the Botnet: Swiss Army Knife of Chaos!!", University of Missouri-Rolla
- "The Evolution of Malicious IRC Bots", John Canavan, Symantec Security Response
- "It's All about the Botnets", Paul Asadoorian, SANS Advisor newsletter, August 2005, vol 1, no. 2
- "Botnet", Wikipedia
- "Bots, Drones, Zombies, Worms and other things that go bump in the night", SwatIT.org
Author: Pat Falcon
Contributor/Editor: Paul Asadoorian, GCIA, GCIH
Date: February 9, 2006
1 - In 1993, Robey Pointer created a bot, called Eggdrop, for a legitimate and useful purpose: to watch over a chat channel. In those days, Internet Relay Chat (IRC) was used to communicate with others in disparate locations having similar interests. Eventually, scripts were written to automate several tasks, such as handling access privileges, file distribution, log stats, or run games. It also allowed IRC operators to link many instances of the bot together and leverage their collective power.
Eventually, someone discovered other, less legitimate uses for this powerful mechanism. In June 1999, PrettyPark.Worm emerged as the first worm to make use of IRC as a means of remote retrieval of a variety of information about the compromised machines. By 2003, high profile worm outbreaks such as Blaster and Sasser resulted in publicized hunts for the perpetrators and increased cooperation between law enforcement organizations and software vendors such as Microsoft. For a complete history, see “The Evolution of Malicious IRC Bots” by John Canavan, Symantec Security Response, at http://securityresponse.symantec.com/avcenter/reference/the.evolution.of.malicious.irc.bots.pdf.
2 - For a complete definition of “DDoS”, see the WhatIs.com article at http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci557336,00.html
3 - A keystroke logger (or keylogger) is a program or device that, once installed, will collect the keystrokes of the computer's unaware user (such as user IDs and passwords). Keystroke loggers are often unknowingly downloaded as spyware.