ethical.blue Magazine

// Cybersecurity clarified.

What Is a Botnet? Network of Zombie Machines

2022-05-26   Dawid Farbaniec
...

What Is a Botnet?

The term botnet can most simply be defined as a network of computers infected with malware that allows an evil hacker (there are good ethical hackers too - Mr. At) to control compromised machines.

It is worth noting that if someone has infected some computers with trojan horse, the word botnet is an oversize. A small botnet begins when several hundred to several thousand machines are infected. History says that the zombie computer army has grown to millions of bots. For example, the Bredolab botnet network comprised around 30 million machines. Following this, it can be concluded that the intentions of the evil hacker are different when the Remote Access Trojan is used and fewer computers are targeted than during a mass infection. If an evil hacker takes control of fewer machines, he can afford to browse files manually or other individual actions. However, the harmful effects change when it comes to tens of thousands of machines or more. It is then possible to efficiently execute a distributed denial of service attack, for example, causing a specific website to be disabled. The sales platform is the easiest example to imagine. Turning your site off equals stopping sales, which means no profit.

C&C (C2) Technology

The term Command&Control refers to sending commands to infected computers which allows them to be remotely controlled. This term can be found in various documents in abbreviated form as C&C or C2.

An evil hacker who programs a bot can employ various C&C topologies. The basic types of communication channels include:
- use of a central server (centralized topology),
- p2p direct communication (peer-to-peer),
- other unusual communication channel.

The use of a central server is distinguished by the fact that it is easy to design such an architecture. An evil hacker sets up a server/service and sends commands to the bot network. You can guess that if something has centralized control, then if the command place is detected, there is one object to seize.

Although not always.

A threat actor can program a behavior like:
- if this computer's IP address does not respond, use a different server address.
- if the prepared pool of IP addresses does not respond, then a file with a new communication channel will be under the specified domain.
- and so on...

Some may guess what steps should be taken to detect this type of behavior. The key is to get a malware sample - a bot here - and analyze its code.

The use of architecture based on a direct connection P2P (peer-to-peer) ensures decentralization. This means that seizing one or several bots may not be enough to break the entire botnet.

There are also other, less common C&C communication channels, such as the fact that one bot only "knows" about the existence of one, different bot. This can be compared to forwarding messages and forwarding them randomly until it comes across a bot. This is a decentralized solution and should ensure the botnet's longevity, but an attacker can expect missing commands or delays in their delivery.

DNS in Botnets

The use of the Dynamic DNS (DDNS) allows a threat actor to automatically change the IP address in DNS entries when the server's IP address changes.

Another solution used is multihoming. This increases the reliability of the connection through DNS type A entries.
botnet.example.ethical.blue A 127.0.0.1

botnet.example.ethical.blue A 127.0.0.2
botnet.example.ethical.blue A 127.0.0.3
botnet.example.ethical.blue A 127.0.0.4
botnet.example.ethical.blue A 127.0.0.5
(...)

Connect&Forget Botnet

The Connect&Forget method consists in the fact that individual bots connect to the control panel, leaving information about themselves needed to establish a connection.

File/URL-based Botnet

A file/url based botnet may work in such a way that a command file is left under a specific internet domain for bots to download. After the commands from the file are processed, the specified action is performed.

Methods of Collecting New Bots

What is causing the zombie computer army to grow?

The threat actor can run various campaigns to acquire new bots.

The bots can send spam containing malicious links or files which infect other computers. The term spam is used to describe unwanted and harmful messages sent via e-mail or instant messaging.

Exploit tools are also used, i.e. programs that use bugs in other software, for example, allowing for the unauthorized execution of malicious code.

What is The Botnet Used for?

A botnet network can be used for example to:
  • Sending unwanted messages (spam)
  • Distributed Denial of Service (DDoS) attacks
  • Using the computing power of infected computers to mine cryptocurrency
  • Installation of adware and spyware
  • Installation of ransomware
  • Data and intellectual property theft
  • ...and others.

Recommendations

Computer users can protect themselves from joining the botnet, e.g. by:
  • Using legal and updated software
  • Caution when opening links and attachments
  • Using multi-factor login (e.g. SMS code in addition to regular password)
  • Using up-to-date antivirus and firewall software
  • Maintaining general hygiene when using the computer

Security researchers can take more advanced actions such as botnet monitoring and bot code analysis. The methods of monitoring botnet networks include: launching a honeypot in order to catch a bot and analyze its code, monitoring network traffic or a rather unusual way of adding your program to a botnet.

Bibliography

Agencja Unii Europejskiej ds. Cyberbezpieczeństwa (ENISA), 2020 — Botnet. Krajobraz zagrożeń wg Agencji Unii Europejskiej ds. Cyberbezpieczeństwa (ENISA), ISBN: 9789292043544
Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross, 2007 — Botnets: The Killer Web App, ISBN: 9781597491358
Radware's DDoS Handbook, 2015 — The Ultimate Guide to Everything You Need to Know about DDoS Attacks
Michael Hale Ligh, Steven Adair, Blake Hartstein, Matthew Richard, 2011 — Malware Analyst’s Cookbook and DVD. Tools and Techniques for Fighting Malicious Code, ISBN: 9780470613030
https://web.archive.org/web/20120430215206/http://www.thetechherald.com/articles/Researchers-Bredolab-still-lurking-though-severely-injured-(Update-3)/11757/ [access: 2021-05-29]
https://news.microsoft.com/apac/2020/10/13/microsoft-takes-action-to-disrupt-botnet-and-combat-ransomware/ [access: 2021-05-29]
https://www.usenix.org/legacy/event/sruti05/tech/full_papers/cooke/cooke_html/ [access: 2021-05-29]