T 5.156 Bot networks

A bot is a program which is installed by an attacker on a user's computer without his/her knowledge, via corresponding malware for example, and which can remotely execute instructions from the attacker. By combining many bots, a bot network is formed.

Bot networks are used for a number of illegal activities. Fields of application of bot networks include sending masses of spam e-mails or e-mails with malicious attachments and links (e.g. for phishing) but also logging keyboard strokes (keylogging) and thus misappropriation or theft of personal information (such as passwords, PINs, etc.) or confidential business information (corporate espionage). Moreover, bots enable the misuse of infected computers by storing illegal software on them or even using the infected computers to make such software available, for example, by means of file sharing. A form of attack which is particularly serious for networks and services are so-called DDoS attacks (DDoS, Distributed Denial of Service). DDoS attacks are carried out for political, ideological, but mainly for financial reasons.

A simplified typical bot network structure is as follows:

• The bot master (also bot herder) develops a bot client. He/she infects the PC of an end user via the internet by exploiting an existing security gap.
• The bot client establishes a connection with the command and control server (C&C server).
• The bot master updates the bot client with new attacks and instructions.
• The bot scans a random IP address range for vulnerabilities and infects other computers.
• The infected computers establish a connection to the command and control server themselves and receive commands.

Mechanism for infection and distribution

In the past, infection of a PC with bots was mainly carried out by exploiting known security gaps in system services and applications. For example, the worms SDBot and Agobot were equipped with scan routines in order to detect security gaps in unprotected systems. SDBot is distributed by exploiting the following security gaps, among others: NetBIOS (port 139), NTPass (port 445), DCOM (ports 135 and 1025), and WebDav (port 80). Agobot has an exploit framework for exploiting vulnerabilities of remote services (e.g. ports 135 and 445). In addition, Agobot searches for backdoors left behind by other malicious programs, e.g. by Bagle on port 2745.

An effective infection method from the point of view of the attacker is the use of social engineering in order to entice users to perform a spontaneous thoughtless action such as clicking on manipulated links in e-mails or instant messaging messages or executing e-mail attachments. Many bugs are also distributed by means of file sharing (peer-to-peer networks). Recently, it is increasingly common for legitimate and highly frequented websites to be manipulated and misused as a distribution point for malware by inserting script code in the website in order to automatically install malware on the user's computer (drive by download or drive by infection).

Another important aspect when considering bot networks is their communication and control structure. In most cases, they are controlled via one or several command and control servers. Centrally controlled bot networks are easy to develop and administer. However, blocking of the few command and control servers results in the inability to use the bot network. To protect the bot networks from being discovered and deactivated, other communication models such as peer-to-peer protocols (due to their decentralised architecture) and HTTP as well as masking techniques such as compression, encryption, and fast fluxing are increasingly being used.

Examples:

• The Zeus bot network consisted of more than 100,000 hijacked computers, mainly in Spain and Poland, and was built using the low-cost bot network tool kit Zeus. The Zeus bot network primarily collected financial data such as account and credit card details and other confidential information. It was controlled centrally by a server. In April 2009, this server sent a "Kill Operating System" command which caused important entries in the Windows registry file of all computers connected to the bot network to be deleted and the virtual memory of Windows to be overwritten with zeros. As a consequence, the operating system could no longer be started and so the computers had to be reinstalled completely.
• Torpig is a Trojan horse which infects Windows operating systems and combines the corresponding computers into a bot network. In 2006, Torpig was sent as an executable file via e-mail; nowadays it is also distributed as script code on websites. The individual infected computers used random elements and search results from Twitter posts to generate their own domain names which were then used for reloading malicious code and updates. The task of the bot network was to spy out data for bank accounts, credit cards, and FTP accounts. The collected information was transmitted to a central server.
  
  In early 2009, scientists were able to record and examine the data traffic of the bot network for around 10 days. According to this, Torpig spied out data of more than 300,000 different accounts, including bank account details and credit card details of various financial institutions.