Botnet and Anti-Botnet
A botnet is a herd of Trojan horses - or a herd of malware-infected computers, all controlled by an attacker and used for multi-directional network attacks.
In the following article I will review the topic of botnets, explain what they are and how they work. Once we understand how this works, we can also understand how to defend against this threat.
What is a Botnet?
A bot is a term for a software component that operates according to a certain pattern - activated by a triggered command, or in response to some digital process. In our context - a bot is a computer infected with a Trojan horse, while a botnet is a group of computers infected with the same Trojan horse.
A Trojan horse can also be used for less malicious purposes - for example, learning the user's behavioral patterns for advertising targeting or marketing templates. But in many cases a Trojan horse is used to spy on passwords - the passwords for the user's financial tools - or to use the infected computer for attacking a third party.
Attack Configuration:
A third-party attack using a bot allows the attacker to maintain anonymity. An attacker who has successfully distributed his malware has infected many computers with the same Trojan horse, and can then leverage the power of the attack, or its profits, in several ways:
- Through a DDoS attack - an attack where the load on the target grows in proportion to the number of infected computers activated by the attacker’s command.
- By expanding the distribution circle of spam.
- Increasing the number of targets from which data can be stolen.
How Does It Work?
First, the intrusion into the computer itself.
Initial infection of a computer with a Trojan horse can occur in one of several ways:
- An innocent user clicks on a link on some website or in an email. Without realizing it, they approve the download of a software component to their computer.
- A user downloads free software from some download site. They don't know that something has been added to the software's installer - for example, malicious code or even a small separate program installed as an add-on to the original software.
- A direct breach of a computer, in which the attacker installs the Trojan horse on the target computer.
In most cases, the initial infection occurs in one of the first two ways. These allow the attacker to leverage the spread and range of damage relatively easily.
Because a direct attack is blocked by the firewall, attackers turn to phishing and Trojan horses instead.
Second, the bot’s operation.
In order to receive commands from the attacker or to send collected data to him, the bot must maintain some form of contact with the attacker. This can be a service that runs in the background waiting for instructions, or a dormant service that, on a timed schedule, wakes up briefly at set intervals to exchange a little traffic with the entity controlling it. This is why the bot earned the nickname "zombie."
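The timed check-in described above leaves a rhythm in outbound connection logs that a defender can look for. The following detector is an added example (not code from the original article): it groups a constructed connection log by source and destination and flags flows whose inter-connection gaps are almost perfectly regular. The log format, thresholds and addresses are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log, one "timestamp src dst:port" per line.
# 203.0.113.7:443 is contacted every ~5 minutes; the rest is ordinary browsing.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.7:443
2024-05-01T10:00:03 10.0.0.5 198.51.100.2:443
2024-05-01T10:05:01 10.0.0.5 203.0.113.7:443
2024-05-01T10:07:40 10.0.0.5 198.51.100.9:80
2024-05-01T10:10:00 10.0.0.5 203.0.113.7:443
2024-05-01T10:14:59 10.0.0.5 203.0.113.7:443
2024-05-01T10:20:01 10.0.0.5 203.0.113.7:443
2024-05-01T10:31:12 10.0.0.5 198.51.100.2:443
"""


def parse_log(text):
    """Group connection timestamps by (source, destination)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(flows, min_hits=4, max_jitter_ratio=0.05):
    """Flag flows whose inter-connection gaps are suspiciously regular.
    jitter ratio = stddev(gaps) / mean(gaps): a scheduled check-in has a
    tiny ratio, human-driven traffic a large one. Thresholds are assumed.
    """
    beacons = {}
    for key, stamps in flows.items():
        if len(stamps) < min_hits:          # too few samples to judge rhythm
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        ratio = pstdev(gaps) / avg if avg else 1.0
        if ratio <= max_jitter_ratio:
            beacons[key] = {"period_s": round(avg), "jitter": round(ratio, 3)}
    return beacons


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon {src} -> {dst}: every ~{info['period_s']}s")
```

Real bots add random jitter to their schedule, so in practice the threshold is tuned per environment and combined with other signals (destination reputation, byte counts).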
An attacker activates a bot component on a remote computer
In the case of a botnet, the attacker usually sets up a server that sends commands and collects information from all the bots. The larger the botnet, the more complex and distributed the hierarchy. One master server controls several proxies. Each serves as a relay station for more proxies, and each of those controls a number of bots… and so on.
An attacker creates a command-and-control system and from it distributes and activates bots
More sophisticated attackers prefer to use a more distributed rather than hierarchical network. A distributed network allows for redundancy and transmission of data and communication through other channels - allowing it to survive if key points in the command hierarchy are blocked or taken down.
For example - the difference between a hierarchical botnet and a distributed botnet:
A hierarchical botnet is controlled in a command chain by a single attacker from a single focused location
A distributed botnet is controlled simultaneously from many points on the network
The Botnet Gospel:
The bots earned the nickname “zombies” - not only because they operate automatically, or can remain dormant for a long time and then wake up and act on command.
Like any proper zombie loyal to their duty and faithful to their cause, some bots have an embedded feature that causes them to try and infect additional computers with the same Trojan horse, thus creating a zombie army.
Another very significant danger to a computer that has become part of a botnet goes beyond the direct damage the attacker causes through spam floods, spying, and theft of data and money. Such a computer can end up on various blacklists that block it and its network address - because the computer is now marked as an infected machine, an address used for attacks and spreading spam.
A computer or organization that ends up on these blacklists will find that communication options with various entities and websites across the network have been blocked for them.
Like other cyber threats, the forms and methods by which botnets arrive and operate are diverse and develop rapidly. They hide in many forms, software components, pass through different protocols and serve many purposes. Their code changes from one Trojan horse to another. Even the same botnet can change the addresses and servers it uses for command and communication, to make fighting it more difficult.
Therefore, the means of combating botnets must always be updated and alert to different addresses and new threats.
Anti-Botnet:
The fight against botnets must therefore be conducted on three fronts: prevention, containment and cleanup, and counterattack.
While the first two are the responsibility of every user in the digital space - certainly of organizations and large entities - the third and final effort belongs to the largest entities in the cyber industry, in cooperation with governmental bodies.
I will briefly review each of those fronts - how they operate and what is required to do the job.
Prevention:
Prevention and protection steps against bots
Above I reviewed the way attackers infect computers with Trojan horses. From that come the prevention methods, which we will divide into three according to the attack methods:
- Private or organizational users learn to be wary of suspicious emails - those containing demands to click on links for various reasons, phishing websites and the like.
- Software should only be installed from trusted sources - usually the manufacturer's website. Care should be taken with lesser-known software from lesser-known or unknown manufacturers: research the manufacturer and scan and check the installation files as much as possible, to verify that the installation contains no malicious components.
  One must be wary of various free software repositories. These intermediaries collect all kinds of software from various sources and store it on their servers. In many cases, download links on such websites redirect to spam or to the download of malicious software components.
- Protecting a device or network from all the common methods attackers use for direct intrusion:
  - Complex passwords
  - Closing unnecessary ports
  - Software and security system updates
  - Attention to security vulnerabilities in ports that must remain open
Prevention Requires Detection:
Because botnets are so easy to build, so widespread and so dangerous, they are one of the biggest headaches for large information security organizations. Their anti-botnet systems operate on these three fronts. In cooperation with large antivirus and information security databases, the data centers of large companies are updated very quickly. The lists are updated with new methods and types of Trojan horses that create zombies, and with IP addresses that spread malware and other attacks.
These blacklists are constantly being updated; the data is analyzed, processed and updated again as needed. Using this data, it is possible to block Trojan horses from the start and keep them outside the system - either by blocking the addresses they come from, or through deep packet inspection (DPI): analysis of the content of data packets passing through the firewall (network routers) and identification of suspicious character strings. In such a case, the router blocks the data (including the suspicious code) and does not forward it to the target device.
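The two blocking techniques described in this paragraph, address blacklists and DPI signature matching, can be modelled in a single filter decision. The following is an added example written for this article, not code from any vendor's product: the blocklist ranges, signatures and packets are all constructed, and the signature patterns are illustrative, not real threat-intelligence rules.

```python
import ipaddress
import re

# Constructed blocklist feed: addresses and ranges flagged as malware sources.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.77/32")]

# Constructed DPI signatures: byte patterns a feed might flag inside payloads.
SIGNATURES = {
    "double-extension-dropper": re.compile(rb"invoice_\d+\.pdf\.exe", re.IGNORECASE),
    "bot-checkin": re.compile(rb"^POST /checkin "),
}


def check_packet(src_ip, payload):
    """Return ("forward", None) or ("drop", reason) for one packet.

    Address blocking is tried first because it is cheap and works even when
    the payload is encrypted; DPI only helps when the payload is plaintext.
    """
    addr = ipaddress.ip_address(src_ip)
    for net in BLOCKLIST:
        if addr in net:
            return ("drop", f"source {src_ip} is in blocklist range {net}")
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            return ("drop", f"payload matched signature {name}")
    return ("forward", None)


# Constructed packets (source address, payload) exercising each decision path.
PACKETS = [
    ("203.0.113.9", b"GET /index.html HTTP/1.1"),
    ("192.0.2.10", b"POST /checkin HTTP/1.1\r\nHost: example.invalid"),
    ("192.0.2.11", b"attachment: Invoice_2024.pdf.exe"),
    ("192.0.2.12", b"GET /news HTTP/1.1"),
]

if __name__ == "__main__":
    for src, data in PACKETS:
        verdict, reason = check_packet(src, data)
        print(f"{src:<14} {verdict:<8} {reason or ''}")
```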
If a Trojan horse nevertheless managed to slip into the system, we move to the next stage - containment and cleanup.
An attacker introduces a bot as a Trojan horse into an organizational computer via phishing
Containment:
How, for example, do Fortinet or Check Point (among the largest information security companies in the world) stand in the second circle of defense?
If the system has identified an infected computer (or any other device), the system isolates the device from the network and blocks it until the system is cleaned. Without a network, the malware is useless, since its entire mode of operation depends on communication.
A zombie disconnected from the network cannot receive commands from the attacker or send him collected data. Nor can it attack other computers and spread - trying to infect them or send spam.
Antivirus and other less sophisticated systems do not isolate the entire device from the network. They present warnings to the user about malicious software components. Sometimes the warning concerns an ordinary program that a malicious parasite is working with and through (the case of those who were not careful about the second attack method above).
Botnet activity on a computer in an organizational network
It is important to pay attention to such warnings, and immediately neutralize the offending component. In such a case, it is also advisable to perform a more thorough re-scan of the computer - because it is essential to ensure that it is cleaned of all malicious code that may be operating within it.
Of course, for this purpose one needs to maintain antivirus and security systems that are constantly updated. Only constant updating provides the ability to identify every type of malicious code present on a device connected to the network.
And here we arrive at the third stage - the counterattack.
Counterattack:
Throughout all these processes, the various defense systems collect data - data that is concentrated, processed and passed on, then processed again, concentrated and passed on again. The key is worldwide information sharing between all kinds of systems: information security systems and the large organizations that provide or monitor various network services. The data is used to block attackers and attacks, including close to the point of origin, and thus prevents attacks and disables attackers before they gather momentum and manage to cause damage.
A counterattack against a botnet and its operators
A counterattack also takes place in three ways.
Blacklists:
- The simpler form of counterattack is blacklists. Anyone who has opened their inbox and thrown a suspicious email into the spam folder knows that the sender has been blocked. All mail that arrives thereafter from the same email address is automatically sent to the spam box.
Likewise:
- Addresses that have been flagged in various systems as addresses prone to attacks and spam distribution
- Websites that have been flagged as infected and dangerous to the user (containing suspicious links and infected programs)
All of these end up on the blacklists mentioned above.
Anyone who gets on one blacklist will quickly find themselves on almost every possible blacklist. Information security organizations learned long ago that their competition should be in product quality and features - not in the amount of data collected. All the data must be shared with everyone, or everyone will fall victim to attacks - because there are attacks that a competitor has detected but they themselves have not discovered yet.
Therefore, a blacklist of one information security organization generally synchronizes with many other blacklists around the world.
Those who are blocked cannot attack. Without communication, spam cannot be sent to computers. Bots cannot be activated on computers whose access is blocked. Data cannot be collected from computers whose access has been blocked.
Network Blocking:
- Blacklist blocking is also a type of counterattack, but more defensive. The next type is more active - blocking central nodes.
The big goal of the large organizations fighting botnets is not only to block a specific address from which some lonely bot tried to spread spam or infect other bots. That’s exactly why the concept of a botnet was created - every individual computer that is blocked doesn’t hurt the attacker, only the victim. The attacker can still take over other computers from addresses not yet blocked, and create new command servers.
Therefore, large organizations invest much effort in deep investigations aimed at identifying the sources of attacks. This way it’s possible to take down entire attack systems at once. Here sometimes cooperation is needed with internet providers and with organizations like Microsoft or Check Point. Sometimes these succeed through joint work in identifying the source of attacks - and can then deal a serious blow to large zombie networks in one stroke.
Those who manage to map a network of command servers and controlled computers, can at once block the central nodes and perhaps also clean them - if the botnet’s command servers are operating without the knowledge of the server owner, such as in cases where the attacker broke into it and established the command center on their server.
Detection, Cleanup, Enforcement:
- The third form stems from all the previous ones, but takes it one step further. The third form must add law enforcement agencies to the equation.
We learned that the first stage helps at a specific level, but in the bigger picture the attacker still has a chance - because a botnet that has had several computers and addresses blocked can still infect other computers and operate from other addresses. That is why the second stage tries to take down larger parts of the network, including the command servers.
But in the third stage the attempt is to uproot the attack from the source.
Not only the seizure and confiscation of the attacker’s servers and network connections by law enforcement. But finding the attackers themselves.
An attacker whose botnet was taken down can tomorrow think of new malicious code that the systems don’t recognize yet - then activate it from new servers on a completely different continent, ones not yet on the blacklist. Within a month they have a new functioning botnet, and they continue as before.
Therefore, information security organizations collaborate with various law enforcement agencies around the world. Part of this effort relates to identifying the attackers themselves and cleaning up every source through which they connected to the network.
It’s somewhat harder to program a prison mattress to spread spam and create a new botnet.
The following article describes how Microsoft operatives, accompanied by the US Marshals Service, raided command-and-control (C&C) servers that served the ZeuS botnet.
This is a small example of a large effort that achieved something - and it is still just a drop in the ocean.
Optimal cooperation minimizes bot activity on the network
In Summary:
At its core, the concept of a botnet is a single one, but it uses a great many tools, forms of code and sources of network access. Likewise, the number of people and devices connected to the network worldwide rises steeply every year - so the risk increases.
The fight against botnets is a continuous struggle that will not end. But through careful prevention and a stubborn, swift and updated counteroffensive, it is possible to maintain a generally safe level of network use.
The tools are education and awareness, configuration and maintenance, and cooperation.
The more awareness of the issue grows, the more the danger decreases. The more careful the user, the greater the effort that must be invested to harm them - and not every attacker can invest that effort, certainly not spread across a large number of users.
At the same time, the more cooperation between the various organizations grows, the safer the network environment will be: all organizations update to neutralize vulnerabilities and block attacks, and it becomes easier to locate the attackers themselves and neutralize them.