Massimiliano Romano, Simone Rosignoli, Ennio Giannini
What you will learn...
• what are bots, botnets, and how they work,
• what features most popular bots offer,
• how a host is infected and controlled,
• what preventive measures are available and how to respond to bot infestation.
What you should know...
• how malware works (trojans and worms in particular),
• mechanisms used in DDoS attacks,
• basics of TCP/IP, DNS and IRC.
The late nineties and the beginning of the new millennium brought a new strategy of attack against network systems: the notorious Distributed Denial of Service (DDoS) attack was born. Many important dotcoms felt its rage. The reason such attacks are so widespread is mainly their simplicity and the difficulty of tracking down the parties involved. This type of attack, despite our vast experience and knowledge, still represents a severe threat today and still gives an attacker the edge. Let's see what these attacks are all about and look into the product of their evolution: botnet attacks.
Introduction to Bots and Botnets
The word bot is an abbreviation of the word robot. Robots (automated programs, not robots like Marvin the Paranoid Android) are frequently used in the Internet world. Spiders used by search engines to map websites and software responding to requests on IRC (such as eggdrop) are robots. Programs which respond autonomously to particular external events are robots, too. This article will describe a special kind of robot, or bot (as we will call them from now on): an IRC bot. It uses IRC networks as a communication channel in order to receive commands from a remote user. In this particular case the user is an attacker and the bot is a trojan horse. A good programmer can easily create his own bot, or customize an existing one. This helps hide the bot from basic security systems and lets it spread easily.
IRC
IRC stands for Internet Relay Chat. It is a protocol designed for real-time chat communication (defined in RFC 1459 and updated by RFCs 2810, 2811, 2812 and 2813), based on a client-server architecture. Most IRC servers allow free access for everyone. IRC is an open network protocol based on TCP (Transmission Control Protocol), sometimes enhanced with SSL (Secure Sockets Layer).
An IRC server connects to other IRC servers within the same network. IRC users can communicate both in public (on so-called channels) and in private (one to one). There are two basic levels of access to IRC channels: users and operators. A user who creates a channel becomes its operator. An operator has more privileges (dependent on the modes set by the initial operator) than a regular user.
IRC bots are treated no differently than regular users (or operators). They are daemon processes which can run a number of automated operations. Control over these bots is usually based on sending commands to a channel set up by the attacker and infested with bots. Of course, bot administration requires authentication and authorisation, so that only the owner can use them.
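As an added illustration of the channel-based control just described (example code written for this page, not from the article): a small RFC 1459 message parser and a defender-side check that flags a client which joins a channel, never speaks, and receives messages only from channel operators. The nicks, hostnames, channel name and the heuristic itself are constructed assumptions, not values from the article.

```python
import re
from collections import Counter
# RFC 1459 line: [":" prefix SPACE] command [params] [" :" trailing]
_MSG = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<rest>.*))?$")

def parse_irc_line(line):
    """Split one raw IRC line into (prefix, COMMAND, [params...])."""
    m = _MSG.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an IRC message: %r" % line)
    rest = m.group("rest") or ""
    if rest.startswith(":"):            # only a trailing parameter
        params = [rest[1:]]
    elif " :" in rest:                  # middle parameters plus trailing
        head, trailing = rest.split(" :", 1)
        params = head.split() + [trailing]
    else:
        params = rest.split()
    return m.group("prefix"), m.group("cmd").upper(), params

def nick_of(prefix):  # "nick!user@host" -> "nick"; a server prefix has no "!"
    return prefix.split("!", 1)[0] if prefix else None

def summarize_session(our_nick, received, sent):
    """Channels the client joined, who holds operator status, who messages it."""
    joined, operators, received_from = set(), set(), Counter()
    for line in received:
        prefix, cmd, params = parse_irc_line(line)
        if cmd == "JOIN" and nick_of(prefix) == our_nick:
            joined.add(params[0])
        elif cmd == "353":              # NAMES reply: "@" marks channel operators
            operators.update(n[1:] for n in params[-1].split() if n.startswith("@"))
        elif cmd == "PRIVMSG" and params[0] in joined:
            received_from[nick_of(prefix)] += 1
    sent_msgs = sum(1 for l in sent if parse_irc_line(l)[1] == "PRIVMSG")
    return {"joined": joined, "operators": operators,
            "received_from": received_from, "sent_msgs": sent_msgs}

def looks_automated(summary):
    """Assumed heuristic (ours, not the article's): a client that joined a channel,
    never spoke, and only hears from channel operators is taking commands, not chatting."""
    senders = set(summary["received_from"])
    return bool(senders) and summary["sent_msgs"] == 0 and senders <= summary["operators"]

# Constructed sample traffic for a client with nick "zx19" (not a real capture).
RECEIVED = [":zx19!u@10.0.0.5 JOIN :#ctrl",
            ":irc.example.net 353 zx19 = #ctrl :@master zx19 zx20",
            ":master!m@host.example PRIVMSG #ctrl :!ping",
            ":master!m@host.example PRIVMSG #ctrl :!version"]
SENT = ["NICK zx19", "USER zx19 0 * :zx19", "JOIN #ctrl"]
```

Running `looks_automated(summarize_session("zx19", RECEIVED, SENT))` on the constructed session returns True; adding a single PRIVMSG sent by the client flips it to False.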
An important feature of such bots is the fact that they are able to spread rapidly to other computers. Careful planning of the infection process helps achieve better results in a shorter time (more compromised hosts). A number of bots connected to a single channel and waiting for commands is called a botnet.
In the recent past, zombie (another name for bot-infected computers) networks were controlled with the use of proprietary tools, developed intentionally by crackers themselves. Experience has led to experiments with new remote control methods. IRC is considered the best way to launch attacks, because it is flexible, easy to use and especially because public servers can be used as a communication medium (see Inset IRC). IRC offers a simple method to control hundreds or even thousands of bots at once in a flexible manner. It also...