Proactive IT security

Ways to use botnets

Introduction

A "bot" is an abbreviation for "robot". Bots are the many individual computers that participate in a "botnet". A botnet is controlled through a command and control center, by other bots and/or by an individual or organization. The bots in a botnet are usually "recruited" through infection techniques, and the computer owners are normally not aware that their computer participates in one or more botnets.

Botnets can be very sophisticated and complex, but obviously there is a person or an organization which ultimately controls the bots and the botnet.

Two common ways to use botnets are

There are, however, in principle no restrictions on how a botnet owner may use the bots under her command.

This article will not go in depth with regard to how the different botnets function technically. We shall rather examine some of the ways botnets may be used, study one successful method used for fighting this threat, and finally discuss the idea of botnets used for benign purposes.

Examples

DDoS attack as a service to be purchased

The security company Damballa has analyzed a botnet called IMDDOS. This is a relatively new botnet among the larger ones, and is estimated to have originated in March this year. At the time of Damballa's analysis, IMDDOS was calculated to be among the most widespread botnets.

The interesting thing about IMDDOS in our context is that it is marketed as a commercial "service". It is possible to buy this service on a monthly, annual, or lifetime basis. Lifetime customers get 24x7 technical support. It is also possible to rent a part of the botnet; the price for this depends e.g. on the desired computing power. IMDDOS also recruits agents to promote its business and sell the service.

IMDDOS seems to be based in China. Infected computers that are part of the IMDDOS botnet are found all over the world.

This is another example of a type of malicious activity which has evolved into a business run in a similar way to ordinary, legitimate businesses. We refer to our article - Cyber crime imitates legitimate business - for another example.

DDoS attack as a method to prevent illegal copying

Several Internet news sites report that the Indian film industry in Bollywood uses DDoS attacks against web sites that host pirated movies.

According to Daily News and Analysis, the Indian company Aiplex Software has been hired to launch DDoS attacks on web sites hosting pirated movies that don't respond to copyright infringement notices sent to them by the film industry.

Managing director Girish Kumar was quoted:

When we detect a website offering a link or a download, we contact the server hosts and intimate them about the illegal activity. They issue a notice to the site owner. If the site owner does not comply, the site is either suspended or dismissed. (...)
The problem is with torrent sites, which usually do not oblige. In such cases, we flood the website with lakhs of requests, which results in database error, causing denial of service as each server has a fixed bandwidth capacity. At times, we have to go an extra mile and attack the site and destroy the data to stop the movie from circulating further.

Taking such drastic actions, in this case to protect against illegal use of copyrighted material, has been coined e-vigilantism. Although it is admittedly not an ideal or recommended solution, it shows how far someone is willing to go when they feel that their business model is threatened.

Terminating botnets

One of the problems with botnets is that they are so difficult to take down. Antimalware companies, like Norman, continuously detect new files that infect computers (turning them into bots). However, it is a known fact that not everyone uses updated antimalware products, which makes it almost impossible to completely wipe out a botnet this way. Modern botnets also often use techniques to update themselves with new modules, which may not (yet) be detected by antimalware products.

Terminating botnets by focusing only on the bots is therefore not seen as a viable technique.

In our security article from late 2008 - Combattere i malware su due fronti (Fighting malware on two fronts) - we discussed two successful examples of how to stop malicious or unwanted activities. Both targeted the problem at a higher level than the end users.

Microsoft's takedown of Waledac botnet

Another example is the Waledac botnet.

Earlier this year, Microsoft, in cooperation with other security experts, was able to take down the huge Waledac botnet. This was accomplished by cutting off traffic to Waledac at the domain level, which severed the connection between the botnet's command and control centers and the many bot computers around the world. A federal judge in the U.S. District Court of Eastern Virginia, USA, granted a temporary restraining order which cut off almost 300 Internet domains used by the Waledac botnet.

In early September the U.S. District Court of Eastern Virginia granted a motion which aims to give Microsoft permanent ownership of the Waledac domains. The domain owners have 14 days to object and, if they do not (which seems unlikely in this case), the ruling will be final.

This example shows how an initiative from private organizations (Microsoft and others) resulted in legal action which effectively crippled a huge botnet setup.
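Cutting off the domains severs the bots from their controllers, but the bots themselves remain infected and keep trying to resolve the seized names. The script below, an added example and not Microsoft's or Norman's tooling, shows how a network defender can mine resolver logs for such attempts to locate still-infected machines. The domain list and the log lines are constructed placeholders; the log format (timestamp, client IP, queried name) is an assumption.

```python
"""Spot hosts that still try to reach sinkholed command-and-control domains.

Added example, not tooling from the original article. Assumes a constructed
list of seized domains and constructed DNS resolver log lines in the simple
format '<timestamp> <client-ip> <queried-name>'.
"""
from collections import defaultdict

# Constructed placeholders standing in for domains seized under a court order.
SINKHOLED_DOMAINS = {"c2-example-1.invalid", "c2-example-2.invalid"}

# Constructed resolver log; names may carry a trailing dot and mixed case.
SAMPLE_LOG = """\
2010-09-14T08:00:01 10.0.0.5 www.example.com.
2010-09-14T08:00:02 10.0.0.7 update.C2-Example-1.invalid.
2010-09-14T08:00:03 10.0.0.5 c2-example-2.invalid
2010-09-14T08:00:04 10.0.0.9 mail.example.org.
malformed line
2010-09-14T08:00:05 10.0.0.7 c2-example-1.invalid.
"""


def normalise(name):
    """Lower-case and strip the trailing dot so 'A.B.' and 'a.b' compare equal."""
    return name.lower().rstrip(".")


def matches_sinkhole(name, sinkholed=SINKHOLED_DOMAINS):
    """True if name equals a seized domain or is a subdomain of one."""
    name = normalise(name)
    return any(name == d or name.endswith("." + d) for d in sinkholed)


def find_infected_hosts(log_text, sinkholed=SINKHOLED_DOMAINS):
    """Map each client IP to the set of seized names it asked the resolver for."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records instead of crashing on them
        _ts, client, qname = parts
        if matches_sinkhole(qname, sinkholed):
            hits[client].add(normalise(qname))
    return dict(hits)


if __name__ == "__main__":
    for client, names in sorted(find_infected_hosts(SAMPLE_LOG).items()):
        print(client, sorted(names))
```

Hosts returned by find_infected_hosts are candidates for cleanup; a single query can also come from a researcher or a security scanner, so confirm before acting.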

It seems safe to assume that similar initiatives will be taken against malicious botnets which turn out to be difficult to stop by other means. Microsoft comments on its official blog:

(...), the courts and the security community have paved the way for future takedowns in cases where criminals are abusing anonymity to victimize computer users around the world.

Benign botnets?

One possible idea based on our discussion above, might be:

  • How about setting up a benign botnet based on the presupposition that most individuals and organizations are interested in combating cyber crime?
  • The botnet's only purpose would be to attack Internet sites and domains that engage in criminal activity.
  • Participation in the botnet would be on a voluntary basis.

One may imagine a setup which slightly resembles the seti@home system where volunteers install a client and contribute computer resources to Search for Extra-Terrestrial Intelligence (SETI). Instead of searching "outer space", the computers participating in such a network could be used to attack Internet resources that are used for malicious purposes.

Even though such a setup might seem like a captivating idea, there are certainly serious counter-arguments, for example:

  • do we want an organization (or whatever entity has the role) to take on a role normally carried out by bodies under national or supranational control (police, court systems etc.)?
  • who identifies the offending Internet resources?
  • what is defined as malicious and should therefore be taken down?
  • who should be in charge of such a network and issue commands to the "bots" to attack an offender?
  • what if someone is able to take over the network?
  • how can a user know whether an invitation to join a benign botnet is legitimate (and not an attempt to lure him into joining a malicious botnet)?

Our skepticism about such a system outweighs the beguiling first impression. E-vigilantism in any form should not be encouraged.
