Next Generation Viruses
Sándor GYÁNYI
Óbuda University
Kandó Kálmán VK, HTI
H-1084 Budapest, Tavaszmező u. 15.-17.
gyanyi.sandor@kvk.uni-obuda.hu
Abstract - Computer networks are playing a more and more important role in our everyday life. As the popularity of the Internet (the global computer network) increases, our dependence on it increases too. New groups of criminals and terrorists are appearing and trying to use the power of the Internet for their own goals. Besides the classic malware (malicious computer programs like viruses, worms, and trojan horses) a new threat has appeared. Many computers in the world are infected with next generation viruses which combine classic malware functions. They infect PCs like a virus, open a backdoor like a trojan horse and provide control to the attacker. These PCs (called "zombies" or "bots") can connect with each other and act as a single entity. This presentation will show how dangerous a botnet is and how criminals can use it against the entire Internet.
Figure 1. Centralized botnet architecture
I. Cyber criminals, hacktivists, and cyber terrorists
People who commit crimes on the Internet have different motivations: money, fame in the hacker community, or protest against certain organizations (hacktivism¹). These actions need tools. Earlier, these were individual actions (cracking into computer networks, defacing web sites, etc.), but a few years ago a new, powerful threat appeared: the so-called botnet.
A botnet is a network made of infected computers (so-called zombie PCs or bots) that can run coordinated, distributed functions and share resources under the same commands. The parts of a botnet are:
- Botmaster or herder: the owner of the botnet, who assigns jobs and gathers the information provided by the "herd".
- C2 server: bots need a Command & Control channel. All of the bots connect to the C2 server and wait for commands (this is the centralized model; several newer botnets can operate in a peer-to-peer, P2P, model instead). The C2 server receives commands from the botherder and distributes them to the botnet. In the past, the most popular C2 technology was IRC (Internet Relay Chat).
- Drop server: stores data gathered by the botnet.
- Botnet (herd): the infected computers, the workers.
¹ The act of "black hat" hacking that is not specifically motivated by malice, curiosity or criminal intent, but for political purposes. This may include altering the content of a website (defacement), or preventing or inhibiting communication (such as through a denial of service attack). This term describes motive only, as the techniques employed are similar or identical to those of crackers. – Definition of "Hacktivism" by the Parliament of Victoria, Australia
A botnet consisting of many computers gives the botmaster control of its members' resources. These resources can be applied for many purposes:
- Information theft;
- Abuse of advertising systems, click fraud;
- SPAM sending;
- Coordinated attacks, a.k.a. Distributed Denial of Service (DDoS).
Information theft
The botmaster installs an application on the infected
computers which can steal the owner’s personal data, and
send it to the drop server. Authentication data, electronic
banking codes, and credit card information can be
acquired this way, which can be used directly (selling on
the black market) or indirectly (attempting other actions
in the name of the user).
Click fraud
Certain advertisers (for example Google AdSense) do not pay for ad viewing, only for click-through traffic (for example, clicking on a banner). A large botnet capable of generating a significant amount of click-throughs can provide a large income to media owners.
Spam sending
Botnets can use the bandwidth of bots for sending unsolicited bulk emails (SPAM²). These emails aren't efficient in general, but a very large amount of emails can generate significant turnover, so there are advertisers who pay for it. There are many products (fake Rolex watches, fake diplomas, and drugs) which cannot be advertised legally. These junk emails consume a lot of resources, and everyone pays for it (Internet Service Providers include the price of bandwidth in their monthly bills). Botnets can also "recruit" new members by junk emails.
² The term SPAM refers to a Monty Python's Flying Circus scene, where the waitress offers only spam to everyone.
DDoS
The target (a network or a single computer or server)
can be overloaded by a Denial of Service (DoS) attack,
rendering normal operation impossible. Distributed
Denial of Service (DDoS) is similar, but in this case
many computers are involved in the attack, making
defense harder.
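The sentence above says that spreading the same load over many hosts makes defense harder. The following added example (not part of the original paper; the log lines, addresses and thresholds are constructed for illustration) shows why: a per-source request-rate rule catches one host sending 50 requests in a second, but fifty bots sending one request each in the same second stay under any per-source threshold, and only an aggregate-rate check notices them.

```python
"""Per-source versus aggregate request-rate checks over constructed
web-server access-log lines. Added illustration for the paper's DDoS
section; the IPs, timestamps and limits are made up for the example."""
import re
from collections import Counter

# Matches the start of a Common Log Format line: ip ident user [timestamp] "request"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def parse_log(lines):
    """Yield (ip, second) pairs; 'second' is the timestamp without its zone offset."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            # '01/Jan/2010:12:00:00 +0000' -> '01/Jan/2010:12:00:00'
            yield m.group("ip"), m.group("ts").split(" ")[0]


def rates_per_second(lines):
    """Count requests keyed by (ip, second) and by second alone."""
    per_ip = Counter()
    total = Counter()
    for ip, sec in parse_log(lines):
        per_ip[(ip, sec)] += 1
        total[sec] += 1
    return per_ip, total


def flag_sources(per_ip, per_ip_limit):
    """IPs that exceed per_ip_limit requests within any single second."""
    return sorted({ip for (ip, _sec), n in per_ip.items() if n > per_ip_limit})


def flag_seconds(total, aggregate_limit):
    """Seconds in which the total request volume exceeds aggregate_limit."""
    return sorted(sec for sec, n in total.items() if n > aggregate_limit)


def make_lines(ips, sec, count_per_ip):
    """Construct count_per_ip access-log lines per IP, all within second `sec`."""
    return [f'{ip} - - [{sec} +0000] "GET /search?q=x HTTP/1.1" 200 512'
            for ip in ips for _ in range(count_per_ip)]


# Scenario 1 (constructed): one source sends 50 requests in a second.
SINGLE = make_lines(["198.51.100.7"], "01/Jan/2010:12:00:00", 50)
# Scenario 2 (constructed): 50 bots send one request each; the same total load.
DISTRIBUTED = make_lines([f"203.0.113.{i}" for i in range(1, 51)],
                         "01/Jan/2010:12:00:01", 1)


def analyse(lines, per_ip_limit=20, aggregate_limit=40):
    """Apply both rules and report what each one flags."""
    per_ip, total = rates_per_second(lines)
    return {"sources": flag_sources(per_ip, per_ip_limit),
            "seconds": flag_seconds(total, aggregate_limit)}


if __name__ == "__main__":
    print(analyse(SINGLE))       # the per-source rule names 198.51.100.7
    print(analyse(DISTRIBUTED))  # no source is flagged; only the aggregate rule fires
```

The aggregate rule tells the defender that an attack is under way but not whom to block, which is exactly the asymmetry the paper describes: the defender has to distinguish many low-rate bots from many low-rate legitimate visitors.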
II. DDoS attacks
There are several ways to commit a Denial of Service attack, but some categories can be distinguished based on the network layer where the attacker launches their actions.
Network flooding:
Flooding is a successful computer network attack method in the third or fourth layer of the ISO OSI³ model. Several flooding technologies are known; they can be divided into the following categories:
- Bandwidth Consumption – Attackers try to flood the target's Internet connection. The attacking hosts generate very heavy network traffic from and to the target's network service, so none of the legitimate traffic can reach the target (or the target's response time increases beyond the clients' patience).
- Malicious Packet Flood – The attacker sends specially constructed network packets to the target, causing failure in the target's systems. If the target's operating system is vulnerable, fewer packets are enough for a successful attack.
Application flooding:
In this case, the attacker sends multiple normal or special requests to the target, increasing the server load. If the server gets too many requests, the response time increases to an unacceptable value (when most visitors have to wait more than 7 seconds for a single web page to load, they do not wait and move on instead). These kinds of attacks are launched in the application layer of the ISO OSI model. Practically every application connected to the Internet can be flooded; here are a few types:
- Web site Denial of Service – Web servers, like all computers, have limited resources (bandwidth, CPU speed, memory, etc.). Because of these limitations, most administrators use safe settings in web server configurations and limit the number of server processes working at the same time. If an attacker's requests reach this limit, the web server can't accept new connections, so the service is no longer available. Since the World Wide Web protocol is asymmetric, a request is significantly smaller than a response, which means the attacker needs less bandwidth than the target. A typical request to a web search engine can fit in a packet of a few hundred bytes, but the server must examine many large databases to serve a response. Today's typical end user Internet connection has a few hundred kilobit/s upload bandwidth. Any average bot can generate hundreds of requests per second. When this is multiplied by 1000s of bots (the size of an average botnet), the danger becomes very significant.
- Mail bomb – Electronic mail (e-mail) is a very useful information service. The Simple Mail Transfer Protocol (SMTP) is very simple, so a mail sender program can be written in a few kilobytes. Almost every bot client program includes an SMTP engine, which is very useful for sending spam or sending infected emails. The classic mail bomb has a compressed attachment (such as a ZIP archive). This attachment is generally very large (more than 2 gigabytes in size) but contains only zeros, which can be compressed very efficiently, so the compressed attachment is only a few kilobytes in size. When the target mail server receives this mail and the built-in content filter (if it has one) tries to examine the attachment, it needs to decompress the ZIP file. The decompression needs 2 GB of memory, so if the attacker sends many mail bombs to the target, the target's memory becomes full and its response time increases. If an attacker has a large botnet, it is possible to send so many emails that the target's filesystem overflows very quickly.
³ OSI is an acronym for Open System Interconnection; it has seven layers.
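The mail bomb described in the list above works because the content filter decompresses an attachment whose inflated size it never checked. The following added example (not from the paper; the archive is built in memory and the size limits are made-up policy values) shows the two checks a defender's filter needs: reading the declared sizes from the ZIP central directory before inflating anything, and then, because those declared sizes are attacker-supplied and may be forged, enforcing a hard byte cap while actually inflating.

```python
"""Guarding a content filter against decompression bombs.
Added illustration for the paper's mail-bomb discussion; the archives
are constructed in memory and the limits are example policy values."""
import io
import zipfile


def inspect_zip(data, max_total_bytes=16 * 1024 * 1024, max_ratio=100):
    """Return a verdict from the central directory without inflating any member.

    Each ZipInfo carries the declared uncompressed (file_size) and
    compressed (compress_size) sizes, so the expansion cost is known up front.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
    total_uncompressed = sum(m.file_size for m in members)
    total_compressed = sum(m.compress_size for m in members)
    ratio = total_uncompressed / max(total_compressed, 1)
    reasons = []
    if total_uncompressed > max_total_bytes:
        reasons.append("declared size exceeds limit")
    if ratio > max_ratio:
        reasons.append("compression ratio exceeds limit")
    return {"members": len(members), "uncompressed": total_uncompressed,
            "compressed": total_compressed, "ratio": ratio,
            "accept": not reasons, "reasons": reasons}


def bounded_read(data, name, cap):
    """Inflate one member in chunks and abort once `cap` bytes are exceeded.

    This is the second line of defence: the sizes in the central directory
    are written by the sender, so the filter must also limit what actually
    comes out of the decompressor.
    """
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        while True:
            chunk = fh.read(64 * 1024)
            if not chunk:
                return bytes(out)
            out.extend(chunk)
            if len(out) > cap:
                raise ValueError(f"{name}: exceeded {cap} bytes during inflation")


def build_zip(payloads):
    """Construct an in-memory ZIP from {name: bytes} (example data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, content in payloads.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed benign attachment: a short text file.
REPORT_TEXT = b"quarterly figures attached\n" * 40
NORMAL = build_zip({"report.txt": REPORT_TEXT})
# Constructed bomb in miniature: 32 MiB of zeros, which DEFLATE shrinks to a few tens of KiB.
BOMB = build_zip({"big.bin": bytes(32 * 1024 * 1024)})

if __name__ == "__main__":
    print(inspect_zip(NORMAL))   # accepted
    print(inspect_zip(BOMB))     # rejected on both size and ratio
```

A filter that only applies the first check can still be fooled by an archive whose headers under-report its size; a filter that only applies the second still spends CPU and memory before giving up. Both together keep the cost of a bad attachment bounded by the cap, not by the sender.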
III. History of botnets
The evolution of malware⁴ started with computer viruses. Running an infected program starts the virus code, which makes itself resident in the computer's memory. Once the virus is active, it can infect other programs in the main file system and on portable devices, so the user can carry the infection to other computers. Since the Internet era began, next generation viruses have quickly appeared that can infect computers via email attachments or operating system vulnerabilities. This malware (called worms) can infect a very large number of computers in a few days. At the same time a new kind of malware arrived, called "the remote administration tool" by its authors. These applications open a backdoor to the Internet, and anyone can grab control of the computer. A bot client program is basically a combination of two kinds of malware: it infects like a virus and hijacks the computer like a backdoor (sometimes called a "trojan horse").
The first bot was created in 1989 by an IRC server
administrator. It wasn’t a malicious application, just a
simple game using connected computers.
The first malicious botnet client was PrettyPark, discovered in 1999. It was a real quantum leap in botnet technology: the client application was able to steal users' personal information, launch Denial of Service attacks, and make file transfers to external servers. In addition, the client program was able to update itself automatically.
The next notable application was SubSeven. It had all of the features of PrettyPark but also included a keylogger (an application that saves user keystrokes) and remote access capability. The author advertised SubSeven as a remote administration tool; this was the first trojan horse.
⁴ Acronym of MALicious softWARE.
The next generation botnet started in 2002, when a Russian programmer made SDBot. It was capable of infecting Windows machines automatically, using backdoors made by SubSeven and other trojan horses; it was also open source, which meant that anyone with some level of computer programming skill could modify the source code and make a new bot client.
Nowadays, many modular bot client applications are available; the wannabe botmaster can select the necessary modules and start making a botnet.
IV. Infection methods
There are two different approaches to making an infection:
- Automatic infection, without the user's cooperation;
- Infection with the user's cooperation.
Flawless software cannot be compromised from an outside network, but flawless software doesn't exist. Every program – including operating systems – has program errors and security glitches, making it possible for an intruder to install malicious code in the computer's memory. These holes are usually exploitable only within a certain period of time, because most software manufacturers provide security patches for known vulnerabilities.
Based on these vulnerabilities, a bot client can scan the network and infect exploitable computers.
Some notable infection types:
Conficker/Downadup worm infection.
Vulnerability in a Microsoft Windows Server service
may allow the remote attacker to execute code. [2] This
code may be a botnet client. The Conficker worm made a
very large botnet (more than 10 million Windows
machines) but fortunately, botmasters wanted money
only, so the Conficker botnet sends SPAM mails. [3]
JavaScript trojan downloaders.
JavaScript is a programming language executed by a web browser (such as Microsoft Internet Explorer or Mozilla Firefox). Some JavaScript implementations have security holes. Prepared web pages contain malicious code, and when an unsuspecting visitor visits an infected web site and the browser executes the JavaScript, an infection occurs. In the past only untrusted web sites (mostly pornographic websites and websites for obtaining illegal software) were infected, but nowadays attackers hack into trusted websites (like blogs, small portals, and corporate websites) and, instead of defacing them, install malicious JavaScript code at the end of the HTML files⁵. Fortunately, some search engines can detect malicious code and maintain a blacklist, so popular web browsers can check the URL before downloading the content.
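The passage above notes that attackers append the malicious script to the end of a trusted site's HTML files rather than defacing them, which is a pattern the site owner can look for. The following added example (not part of the paper; the sample pages are constructed and the appended block is an inert placeholder) audits a set of pages for two signs of that tampering: script content after the closing </html> tag, and any deviation from a known-good SHA-256 baseline of each file.

```python
"""Audit web pages for script appended after </html> and for drift from a
known-good hash. Added illustration for the paper's JavaScript-downloader
section; the pages and baselines are constructed for the example."""
import hashlib
import re

SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)
END_RE = re.compile(r"</html\s*>", re.IGNORECASE)


def trailing_script(html):
    """True when a <script> tag occurs after the document's last </html>."""
    ends = list(END_RE.finditer(html))
    if not ends:
        return False  # no closing tag at all: nothing to anchor the check on
    return SCRIPT_RE.search(html, ends[-1].end()) is not None


def sha256_hex(html):
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def audit(pages, baselines):
    """pages: {path: html}; baselines: {path: known-good sha256 hex}.

    Returns {path: [reasons]} for every page that looks tampered with.
    """
    findings = {}
    for path, html in pages.items():
        reasons = []
        if trailing_script(html):
            reasons.append("script after </html>")
        if path in baselines and sha256_hex(html) != baselines[path]:
            reasons.append("content differs from baseline")
        if reasons:
            findings[path] = reasons
    return findings


# Constructed sample site: one untouched page and one with an appended block.
CLEAN = "<html><head><title>t</title></head><body><p>hello</p></body></html>\n"
INJECTED = CLEAN + "<script>/* placeholder for an appended block */</script>\n"
BASELINES = {"index.html": sha256_hex(CLEAN), "about.html": sha256_hex(CLEAN)}
PAGES = {"index.html": CLEAN, "about.html": INJECTED}

if __name__ == "__main__":
    for path, reasons in audit(PAGES, BASELINES).items():
        print(path, "->", ", ".join(reasons))
```

The hash comparison is the stronger of the two checks, since it catches any modification regardless of where the attacker put it; the trailing-script heuristic is useful for pages that have no baseline yet.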
⁵ Most documents on the Web are written in HTML (Hypertext Markup Language), which is a simple text format and editable with any word processor.
Figure 2. Malicious Javascript code (source:
http://www.rohitab.com/discuss/index.php?showtopic=21954)
Psyb0t.
This bot client is a new threat, because it doesn't infect computers but routers (which are basically computers too). Some ADSL⁶ modems and routers with MIPS⁷ processors have a vulnerability which allows the attacker to execute special code in the device's memory. This code is stored in RAM, and a restart deletes it from memory, but routers typically run in 24/7 mode. This means that every infected router can send SPAM and other junk non-stop, day and night. The first affected modem was the Netcomm NB5. [4]
Chuck Norris botnet.
Similar to its predecessor, Psyb0t, this worm can infect
some MIPS-based routers and ADSL modems, including
some D-Link devices. The malware got its name from a
comment in its source code: "in nome di Chuck Norris”
which means "in the name of Chuck Norris” in Italian.
[5]
V. Notable incidents involving botnets
Strano Network
In December of 1995 the "Strano Network” group
attacked various French government Web sites protesting
against nuclear and social policies. These attackers were
real people who repeatedly reloaded Web pages in their
Web browsers, causing a service slow down. In this case
activists (hacktivists) acted like a botnet and made a
successful DDoS attack. [6]
DNS root servers
In February of 2007 a coordinated attack hit some DNS root server instances. DNS is a service which translates domain names (e.g. www.example.com) to IP addresses, so if someone can stop this service, practically the whole Internet stops too. The analysis of this attack proves that an HTTP-based botnet controlled the action. [7]
⁶ ADSL: Asymmetric Digital Subscriber Line, a popular access method which provides continuous Internet access.
⁷ MIPS: a microprocessor architecture, originally an acronym for Microprocessor without Interlocked Pipeline Stages.
Estonian cyber war
2007 Estonia DDoS attacks. In April of 2007, the Estonian government moved a Soviet World War II memorial from Tallinn. The Russian minority started protesting. After some bloody incidents, the Estonian government Web sites came under attack, which lasted almost a month. Estonian network security experts claimed that some of the attacks originated from Russian government IP addresses, but probably these were infected PCs, members of a botnet. Some sources called this incident "Cyber War I". [8]
Georgian cyber war
2008 Georgia DDoS attacks. When Russia started
military actions against Georgia, cyber attacks started as
well. These cyber actions included the defacement of
Web sites and DDoS attacks – like the attacks against
Estonia just a year before. Web sites of President Mikheil
Saakashvili, Georgian Ministry of Foreign Affairs and the
National Bank of Georgia were defaced.
Figure 3. Picture of a defaced Georgian Web site (source:
http://i.zdnet.com/blogs/georgia_ddos3.JPG)
References
[1] Matthew Boyd, "Botnets", http://iboyd.net/wp-content/uploads/2008/05/ist-451-final.pdf
[2] "Vulnerability Note VU#827267", http://www.kb.cert.org/vuls/id/827267
[3] "Kaspersky impressed with Conficker botnet's slickness", http://www.zdnet.com/news/kaspersky-impressed-withconficker-botnets-slickness/303959
[4] Terry Baume, "Netcomm NB5 Botnet – PSYB0T 2.5L"
[5] Robert McMillan (IDG News Service), "Chuck Norris botnet karate-chops routers hard", http://www.goodgearguide.com.au/article/336938/chuck_norris_botnet_karate-chops_routers_hard/
[6] Gunter Ollmann, VP of Research, Damballa, "The Opt-In Botnet Generation"
[7] John Kristoff, Rodney Joffee, "Botnets and Packet Flooding DDoS Attacks on the Domain Name System", May 29, 2007
[8] Kertu Ruus, "Cyber War I: Estonia attacked from Russia", http://www.highbeam.com/doc/1G1-182202616.html