Command and control (C&C) infrastructure has been migrating to HTTP, and also uses UDP and peer-to-peer (P2P) protocols. A C&C server handles hundreds of thousands of connections from bots that log in and receive commands from the bot herder. A bot is programmed to connect automatically to one or more C&C servers located anywhere on the Internet. The result is an enormous network of compromised machines referred to as a 'botnet' (short for bot network). A botnet typically consists of tens of thousands of PCs, but can grow to several million infected computers.
Once the bots have logged in and received instructions from the bot herder (who also logs into the C&C server), they go off and carry out the commands issued. A command could be as mundane as downloading and installing SMTP software, configuring it, and then sending out vast volumes of spam, sold at rates around 1/1000 of a cent per message. More destructive commands direct the bots to attack a particular website or server by overwhelming it with HTTP requests, TCP connection attempts, or ICMP echo (ping) requests. When these requests arrive from thousands or millions of hosts at once, the result is a distributed denial of service (DDoS) attack: the server can no longer respond to legitimate users.
Organizations that own the infected computers are now unwitting participants in online crime. Their machines carry out the bot herder's attacks, so they are not only 'victims' but also, in effect, 'perpetrators.'
Botnets are built with a common goal: making money. As a result, they share a number of common characteristics.
Today, the primary command-and-control mechanism for most botnets is still IRC, largely because easily obtained bot source code was developed around IRC technology. However, the centralized nature of an IRC botnet, with every bot joining the same channel on the same server, makes it fairly easy to detect, trace, and shut down.
So, to counter bot hunters who seek to shut down IRC botnets, bot herders have co-opted peer-to-peer (P2P) technology for command and control. By borrowing the underlying technology of P2P file-sharing networks, bot herders can control large botnets with no centralized C&C server to find and take down, which makes disrupting a P2P botnet much more difficult. Early P2P botnets used protocols such as eDonkey and connected into the Overnet P2P network.
Another technique for preserving IRC botnets and evading bot hunters is "fast flux DNS". The domain name system (DNS) translates names like yahoo.com into numeric IP addresses, and each answer carries a TTL (time to live) that tells resolvers how long they may cache it. In fast flux, the domain's TTL is set very short (typically a few minutes or less), so cached answers expire almost immediately, and the set of IP addresses the name resolves to is changed constantly. This constantly changing list of destination IP addresses behind a single domain name is what is meant by 'fast flux DNS'. The list can run to hundreds or thousands of IP addresses per domain name.
Bot malware is programmed to call home to particular domain names, but at any given moment those names may resolve to any of hundreds or thousands of servers. This obscures the C&C servers and malware repositories from simple traceback and shutdown, and defeats local security measures such as IP-based ACLs: blocking the address seen today removes only one of many rotating front ends, while the domain name itself keeps working.
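The defensive counterpart to fast flux is to watch the DNS answers themselves rather than individual IP addresses. The following is an added example (not code from the original article) of a simple fast-flux heuristic run over a small, constructed log of A-record resolutions: it combines a short TTL with the number of distinct addresses, the number of distinct /16 prefixes (standing in for ASN diversity, which would normally come from a routing database), and how completely each answer churns relative to the previous one. The domain names, timestamps, thresholds, and IP addresses (drawn from the 100.64.0.0/10 shared address space and the RFC 5737 documentation ranges) are all made up for the example.

```python
"""Fast-flux DNS heuristic over a log of observed A-record answers.

Added example. All observations below are constructed sample data; the
thresholds are illustrative starting points, not calibrated values.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Resolution:
    """One observed answer to an A query for `domain` at time `ts` (seconds)."""
    domain: str
    ts: int
    ttl: int
    addrs: Tuple[str, ...]


# Constructed sample log (not a real capture). Three behaviours:
#  - flux.example : 300 s TTL, every answer is a fresh set of addresses
#                   spread across many /16s (fast-flux pattern)
#  - cdn.example  : 60 s TTL and rotating answers, but all within one /16
#                   (CDN-like; low TTL alone must not trigger an alert)
#  - www.example  : 1 h TTL, same two addresses every time (ordinary host)
SAMPLE: List[Resolution] = [
    Resolution("flux.example", 0,    300, ("100.64.12.7",  "100.70.3.99",  "100.81.200.4",  "100.99.17.23")),
    Resolution("flux.example", 300,  300, ("100.65.44.1",  "100.73.9.50",  "100.88.120.11", "100.101.6.6")),
    Resolution("flux.example", 600,  300, ("100.66.8.8",   "100.75.31.77", "100.90.2.250",  "100.104.88.3")),
    Resolution("flux.example", 900,  300, ("100.67.250.9", "100.77.61.5",  "100.92.14.140", "100.110.0.40")),
    Resolution("flux.example", 1200, 300, ("100.68.5.5",   "100.79.99.1",  "100.95.66.12",  "100.120.42.42")),
    Resolution("cdn.example",  0,    60,  ("198.51.100.1", "198.51.100.2")),
    Resolution("cdn.example",  60,   60,  ("198.51.100.3", "198.51.100.4")),
    Resolution("cdn.example",  120,  60,  ("198.51.100.5", "198.51.100.6")),
    Resolution("cdn.example",  180,  60,  ("198.51.100.1", "198.51.100.2")),
    Resolution("www.example",  0,    3600, ("203.0.113.10", "203.0.113.11")),
    Resolution("www.example",  3600, 3600, ("203.0.113.10", "203.0.113.11")),
    Resolution("www.example",  7200, 3600, ("203.0.113.10", "203.0.113.11")),
]


def summarize(observations: List[Resolution]) -> Dict[str, dict]:
    """Aggregate per-domain features from a list of observed resolutions."""
    per_domain: Dict[str, List[Resolution]] = defaultdict(list)
    for r in observations:
        per_domain[r.domain].append(r)

    out: Dict[str, dict] = {}
    for domain, rs in per_domain.items():
        rs.sort(key=lambda r: r.ts)
        addrs = {a for r in rs for a in r.addrs}
        # /16 prefixes as a cheap offline stand-in for ASN diversity.
        prefixes = {str(ipaddress.ip_network(a + "/16", strict=False)) for a in addrs}
        # Churn: fraction of consecutive answers that share no address at all.
        disjoint = sum(1 for a, b in zip(rs, rs[1:]) if not set(a.addrs) & set(b.addrs))
        out[domain] = {
            "answers": len(rs),
            "min_ttl": min(r.ttl for r in rs),
            "unique_addrs": len(addrs),
            "unique_16s": len(prefixes),
            "churn": disjoint / max(1, len(rs) - 1),
        }
    return out


def is_fast_flux(summary: dict, ttl_max: int = 600, min_addrs: int = 10,
                 min_prefixes: int = 5, min_churn: float = 0.5) -> bool:
    """Flag a domain only when a short TTL coincides with broad address diversity."""
    return (summary["min_ttl"] <= ttl_max
            and summary["unique_addrs"] >= min_addrs
            and summary["unique_16s"] >= min_prefixes
            and summary["churn"] >= min_churn)


def flag_domains(observations: List[Resolution]) -> List[str]:
    """Return the sorted list of domains whose resolution pattern looks like fast flux."""
    return sorted(d for d, s in summarize(observations).items() if is_fast_flux(s))


if __name__ == "__main__":
    for domain, s in summarize(SAMPLE).items():
        print(f"{domain:14} ttl={s['min_ttl']:5} addrs={s['unique_addrs']:3} "
              f"/16s={s['unique_16s']:3} churn={s['churn']:.2f} flux={is_fast_flux(s)}")
```

The point of combining several features is the caveat the TTL alone hides: content delivery networks also hand out short TTLs and rotating answers, so a rule of "TTL below N seconds" produces constant false positives. Address and prefix diversity is what separates a flux network of scattered compromised hosts from a CDN's tightly allocated ranges; in production, replacing the /16 proxy with a real ASN lookup and feeding the detector from passive DNS logs makes the signal considerably sharper.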