Tuesday, June 28, 2016
Botnets are networks created by cybercriminals with the help of standalone and remotely controlled malicious programs. Programs that receive commands from remote command and control (C&C) servers are called “bots”, an abbreviation for “robots”. Granted, far from all botnets have C&C servers—there exist several types of networks in which bots are able to transmit information directly.
Fraudsters who create botnets have a variety of goals, all of which in one way or another are illegal. Typically, cybercriminals organise so-called DDoS attacks, i.e., Distributed Denial of Service attacks: tens of thousands of computers simultaneously send requests to a website, making it unavailable to users because it cannot cope with the deluge of information.
Cybercriminals also use botnets to send spam, steal confidential information from users, and download other malicious applications on computers that have been compromised.
Many bots are used as a cross-functional tool to commit crimes on the Internet—these bots are able to simultaneously perform several functions.
Often botnet owners and organisers offer their services on underground hacker forums, thus profiting from the exploitation of botnets.
It is commonly thought that the first mass botnet was a network created in 2004 by cybercriminals using a mail worm called Beagle. This malicious program infected approximately 230,000 Windows-running computers all over the world. Beagle sent copies of itself via e-mail, and thanks to its built-in rootkit module, it could hide itself in infected systems and terminate the processes of some anti-viruses, making it very difficult for anti-viruses to detect and remove it.
The Rustock botnet, which was detected in 2006 and was designed to send out spam messages, is rightfully considered one of the largest botnets ever. It encompassed compromised computers that could send up to 25,000 advertising emails per hour. And 2008 saw the peak of the distribution of another worm called Conficker. It infected more than 10 million computers in 200 countries worldwide.
Initially botnets had a simple structure: infected computers got their instructions from a C&C server whose address was hard-coded into the body of the malware. Such networks were rather unstable: if a botnet’s control center became non-operational, the botnet virtually ceased to exist. For this reason fraudsters began using the DGA mechanism (Domain Generation Algorithm). These bots do not contain C&C addresses, but generate them on the fly according to a specific scheme. If one of the C&C servers becomes non-operational, the Trojans running on compromised computers generate another server address and try to connect to it. This is what sinkholing, the botnet interception technique used by anti-virus companies, is based on. If these companies manage to figure out what algorithm is being used to generate control server domain names, they can register one or more of the domains it will produce. Once the existing control server is neutralised, it does not take much effort to gain absolute control over the whole botnet.
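The following is an added illustration, not code from the article or from any real bot family: a constructed toy DGA that derives a handful of domain names from a hard-coded seed and the current date, together with the two things a defender does with it once the scheme and seed are recovered, namely computing the domains for the coming days (the set that would be registered as a sinkhole) and matching DNS query logs against that set to find infected hosts. The seed, the date-hashing scheme, the `.example` TLD and the log format are all assumptions made for the example; real DGAs differ in their seeds, character sets and update intervals, and sinkholing the real domains requires registrar cooperation.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical seed embedded in the bot, chosen for this example.
SEED = "constructed-demo-seed"


def toy_dga(seed, day, count=5, length=12, tld="example"):
    """Constructed toy DGA: derive `count` domain names for a given day.

    Each label is SHA-256(seed:date:index) mapped onto lowercase letters.
    This illustrates the mechanism only; it is not any real family's scheme.
    """
    domains = []
    for index in range(count):
        material = f"{seed}:{day.isoformat()}:{index}".encode()
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
        domains.append(f"{label}.{tld}")
    return domains


def predict_domains(seed, start, days):
    """Defender view: with the algorithm and seed known, the domains for the
    next `days` days can be computed ahead of time and registered (sinkholed)
    before the bots try to rendezvous with them."""
    predicted = set()
    for offset in range(days):
        predicted.update(toy_dga(seed, start + timedelta(days=offset)))
    return predicted


def find_dga_queries(log_lines, predicted):
    """Scan DNS query log lines in the constructed format
    '<time> <client> query <name>' and return (client, name) pairs whose
    name is in the predicted set, i.e. hosts likely running the bot."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            name = parts[3].rstrip(".").lower()  # normalise trailing dot / case
            if name in predicted:
                hits.append((parts[1], name))
    return hits


def sample_log(day):
    """Constructed sample DNS log: two benign lookups and one query for the
    first domain the toy DGA generates on `day`."""
    dga_name = toy_dga(SEED, day)[0]
    stamp = day.isoformat()
    return [
        f"{stamp}T09:00:01 10.0.0.5 query www.example.com.",
        f"{stamp}T09:00:02 10.0.0.7 query {dga_name}.",
        f"{stamp}T09:00:03 10.0.0.5 query updates.example.net.",
    ]


def demo(day=date(2016, 6, 28)):
    """Predict a week of domains and check the sample log against them."""
    predicted = predict_domains(SEED, day, days=7)
    return find_dga_queries(sample_log(day), predicted)


if __name__ == "__main__":
    for client, name in demo():
        print(f"{client} queried predicted DGA domain {name}")
```

The same predicted set serves both purposes: registering its members ahead of time diverts the bots to a sinkhole, and matching it against resolver logs tells you which internal hosts are trying to reach the control server even before any connection succeeds. A real deployment would also key the prediction on whatever clock the bot uses, since a DGA seeded with the wrong day produces the wrong domains.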
To withstand this, cybercriminals create P2P (peer-to-peer) botnets that do not have C&C servers. In networks like these, bots communicate with each other on equal terms and relay commands in a chain from one infected computer to another. Because such systems are decentralised, it is very hard to neutralise or paralyse them. To improve the longevity of today’s botnets, cybercriminals are making heavy use of digital signatures, traffic encryption, tunneling when transmitting data, and other tricks designed to make life difficult for anti-virus researchers.
Users of Windows-running computers aren’t the only ones threatened by botnets. In 2012 Doctor Web analysts discovered the largest-ever botnet consisting of Apple computers, which in that instance had been compromised by BackDoor.Flashback.39. Botnets also exist for Android mobile devices.