[ISN] Botnet Hunters Search for 'Command and Control' Servers

From: InfoSec News (isn@private)
Date: Sun Jun 19 2005 - 23:32:36 PDT


http://www.eweek.com/article2/0,1759,1829347,00.asp

By Ryan Naraine 
June 17, 2005 

Convinced that the recent upswing in virus and Trojan attacks is
directly linked to the creation of botnets for nefarious purposes, a
group of high-profile security researchers is fighting back,
vigilante-style.

The objective of the group, which operates on closed, invite-only
mailing lists, is to pinpoint and ultimately disable the C&C
(command-and-control) infrastructure that sends instructions to
millions of zombie drone machines hijacked by malicious hackers.

"The idea is to share information and figure out where the botnets are
getting their instructions from. Once we can identify the
command-and-control server, we can act quickly to get it disabled.  
Once the head goes, that botnet is largely useless," said Roger
Thompson, director of malicious content research at Computer
Associates International Inc.

Thompson, a veteran anti-virus researcher closely involved in the
effort, said the group includes more than 100 computer experts
(unofficially) representing anti-virus vendors, ISPs, educational
institutions and dynamic DNS providers internationally.

"It's just a bunch of good guys that have an interest in shutting down
these botnets. We are dealing here with some very skilled and
sophisticated attackers who have proven they know how to get around
the existing defense systems," Thompson said in an interview with Ziff
Davis Internet News.

Using data from IP flows passing through routers and
reverse-engineering tools to peek under the hood of new Trojans,
Thompson said the researchers are able to figure out how the botnet
owner sends instructions to the compromised machines.

"Once we get our hands on the Trojan or we get one of our own machines
compromised, we can easily observe what it's doing and which server it
is talking to," he said.

"We started off trying to pinpoint the individual drones and getting
those shut off, but that approach hasn't worked. As soon as you clean
one up, it is replaced by another 20 or 100. We had to shift the focus
toward the command-and-control."

The C&C infrastructure is most often an IRC (Inter Relay Chat) server
installed illegally on a high-bandwidth educational or corporate
network. As Thompson explained, the botnet (short for "robot network")  
is a collection of broadband-enabled computers infected with worms and
Trojans that leave back doors open for communication with the C&C.

Earlier this month, anti-virus vendors spotted an alarming new virus
attack that used three different Trojans— all communicating with each
other—to disable anti-virus software and seed new botnets. Once a
machine becomes infected, it automatically scans its own network to
find other unpatched systems.

"It has reached a stage where we are sure we are dealing with very
smart, very savvy people who know their way around anti-virus scanning
engines. They have figured out that they can get in, quickly disable
the armor, then go out and download instructions," Thompson said.

As the botnet grows, it becomes a lucrative asset to its owner, and
Thompson said there is evidence that the compromised machines are
being rented out for spam runs, distributed denial-of-service attacks
linked to business blackmail and, more recently, for the distribution
of adware/spyware programs.

Randal Vaughn, professor of computer information systems at Baylor
University, is the man responsible for gathering data and compiling
statistics for the drone armies research and mitigation mailing list,
one of the more active vigilante efforts.

In an interview, Vaughn said the group has noticed quite a range of
botnets, with some C&C servers managing as many as 100,000 compromised
machines.

"Some with have just 1,000 drones but some are quite large, and
there's also a lot of cross-infections where one machine is talking to
multiple command-and-controls," he said. In those cases, Vaughn said
it becomes even tougher for an ISP or autonomous system operator to
shut down the command center.

"We've seen drones in multiple bot armies, and in some cases, they're
even sold or traded from one owner to another."

A key part of the vigilante effort, Vaughn said, is to work closely
with the network operators to quickly strangle the botnet once the C&C
is pinpointed. The operators of ASNs (autonomous system numbers) have
been largely reticent in the past, but Vaughn said the relationship
has improved because network operators now see a business value in
clamping down on botnets.

An ASN is a number assigned to a group of network addresses, managed
by a particular network operator, sharing a common routing policy.  
Most ISPs, large corporations and university networks have an ASN.

According to Vaughn's latest data, the ISPs that are most often
plagued with botnet command-and-control include Yipes Communications
Inc., Sago Networks, Inc., Staminus Communications and Korea Telecom.

Gadi Evron, the Israeli government's CERT manager who oversees the
vigilante effort, said the ASN network operators are becoming more
proactive. "This month we would especially like to commend Staminus,
who contacted us and have since made incredible efforts to deal with
the threat. Also, we'd like to mention Internap for their continuous
efforts," he said in a recent public update on the group's work.

Evron reported that the Trojan horses used most in botnets include
those recently spotted by anti-virus vendors—Korgobot, SpyBot, Optix
Pro, Rbot, AgoBot, PhatBot.

"I think our efforts are working. It's not eliminating the botnets,
but it's slowing them down," CA's Thompson said. "A lot of it has been
cleaned up, but the trouble is that the bad guys are learning as well.  
It's the classic cat-and-mouse game to find the command-and-controls
before they figure out we're on the tail and start moving them
around."

Thompson, who is convinced that adware installation affiliate dollars
are financing the growth of botnets, concedes that the war will never
be won. "We've got to do something to mitigate it. Unless we get all
the adware companies shut down and cut off the supply of money, it's
always going to be there."

Baylor University's Vaughn agreed. "Just last night, I saw a 10
percent increase in command-and-control detections, so we know they're
being replaced just as fast."

He declined to provide numbers on actual shutdowns but insisted that
the group is seeing positive results. "We're breaking through the
network operators and getting them to a level of awareness that is
encouraging. Quite a few of the command-and-control centers are no
longer showing up, so we know it's working," Vaughn added.

Because the botnet scourge is an international issue, Vaughn said the
group's efforts are sometimes stymied by a communication gap. "The
command-and-controls have a tendency to hop around a bit. They can hop
from one autonomous system to another in a matter of days, especially
the very active ones, so it's always tough to start talking about
being successful."

Even when a C&C gets taken out, the drones within that botnet are
still susceptible to infection because they are usually unpatched and
vulnerable for future infection.

"We have the other issue of cross-infections, where you kill one
command-and-control and the drone is still talking to another one.  
These are patterns we're trying to identify," Vaughn said.

Thor Larholm, senior security researcher at PivX Solutions LLC, said
Vaughn's data is a good indication of the scale of the botnet problem.  
Larholm, who also participates in the vigilante initiative, said the
detection of new infections and C&Cs are leading to "active
cooperation" between researchers and ISPs.

"A key part is to work with the ISPs to shut down Internet access to
these compromised machines. A lot of the problem-solving lies in hands
of ISPs, and sometimes they can be slow-moving."



_________________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 - 
2,000+ international security experts, 
10 tracks, no vendor pitches.
www.blackhat.com 



This archive was generated by hypermail 2.1.3 : Sun Jun 19 2005 - 23:58:44 PDT