CHAPTER 3. A Framework for P2P Botnets
3.2.1 Botnet Overview
In the past several years, many different kinds of botnets have been designed and captured. Table 3.1 lists several examples of well-known botnets, ordered by their first appearance in the wild.
Table 3.1 An example of well-known botnet history (slightly updated from [97])

Date     Name     C&C protocol  Structure
2002/04  SDbot    IRC           Centralized
2002/10  Agobot   IRC           Centralized
2003/04  Spybot   IRC           Centralized
2004     Rbot     IRC           Centralized
2004/03  Phatbot  WASTE         P2P
2004/05  Bobax    HTTP          Centralized
2006/04  Nugache  Random        P2P
2008/03  Kraken   Self-defined  Centralized
2009/05  Torpig   HTTP          Centralized
According to [33], the damage caused by botnets can be classified as follows:
• Distributed Denial-of-Service (DDoS) Attacks: A botnet can be used to launch DDoS attacks against any Internet system, such as a web server. The purpose of a DDoS attack is to exhaust all system resources (e.g. bandwidth) so that the system can no longer serve normal users. According to our source code analysis of well-known botnets, the attacks can take the form of Ping flood, UDP flood, spoofed UDP flood, spoofed SYN flood, HTTP flood, etc. It is believed that all DDoS attacks are launched through botnets [97], and they are very hard to prevent and defend against because of the size, the accumulated bandwidth, and the distributed nature of the botnet.
• Spamming: Each day, spam accounts for several billion messages [97] in Internet traffic and is used to frustrate, confuse and annoy Internet users. According to [98], more than 95% of emails on the Internet are spam. Consequently, given the size and distributed nature of botnets, most of these spam messages are believed to be sent from botnets. In addition, some bots also implement a special function to harvest email addresses, and it is often the case that the spam you are receiving was sent from, e.g., grandma's old Windows computer sitting at home [33], or from your workmates or friends.
• Sniffing Traffic: The bot on a compromised machine can use a packet sniffer to watch for interesting clear-text data and gather sensitive information such as usernames and passwords. Other interesting information can also be gathered. For example, if the compromised machine belongs to two or more different botnets (i.e. it has been infected more than once), it is possible to gather the key information of the other botnet and steal it.
• Keylogging: When encrypted communications (e.g. HTTPS or POP3S) are used on compromised machines, sniffing alone is of little use, as no key is available to decrypt the packets. Keylogging is then used to retrieve sensitive information such as credit card numbers and passwords. For example, an implemented filtering mechanism (e.g. "I am only interested in key sequences near the keyword 'paypal.com'") further helps in stealing secret data [33].
• Spreading new malware: To avoid the slow-start phase, new malware is usually spread on top of an existing botnet. The absence of a slow-start phase makes the new malware spread much more easily and cause more harm. For example, the Witty worm, which attacked the ICQ protocol parsing implementation in Internet Security Systems (ISS) products, is suspected to have been initially launched by a botnet, since the attacking hosts were not running any ISS services [33].
• Clickfraud (installing advertisement add-ons, Browser Helper Objects and Google AdSense abuse): Given their large size and distributed nature, botnets can also help the botmaster make a profit easily by clicking online ads. These clicks are launched when the bots receive the corresponding command from the botmaster. Moreover, this process can be further enhanced if the bot hijacks the start page of a compromised machine, so that the "clicks" are executed each time the victim uses the browser [33].
• Attacking IRC Chat Networks: As most centralized botnets use IRC for C&C, they can also be used to attack IRC networks. This is similar to a DDoS attack, with the purpose of shutting down the victim IRC network through a massive number of service requests.
• Manipulating online polls/games: Bots can disguise themselves as different identities to win a game or poll. Since each bot has a distinct IP address, every vote has the same credibility as a vote cast by a real person [33]. Online games can be manipulated in a similar way.
• Phishing (mass identity theft): By sending spam emails that pretend to be legitimate (e.g. from PayPal or a bank), criminals trick normal users into visiting fake phishing sites (hosted by bots) so as to gather sensitive user information, such as the usernames/passwords and credit card numbers they use on the real websites. This is a combination of the different functionalities described above.
Traditionally, DDoS and spamming have been the main concerns. However, more and more applications, from clickfraud to phishing, are being used for profit. For example, according to ClickForensics (http://www.clickforensics.com), traffic from botnets was responsible for 31.4% of all click fraud traffic in Q4 2008. That is up from the 27.7% rate reported for Q3 2008 and the 22.0% rate reported for Q2 2008.
In addition, we have included our study of the SDbot and Agobot source code in Figs. B.1, B.2 and C.1 in Appendices 2 and 3. In brief, besides the damage mentioned above, our analysis of the Agobot and SDbot source code shows that the botmaster in SDbot (with NB spreader) is interested in CD keys such as the Half-Life CD key, CSKEY and the Neverwinter Nights CD key. In general, more than one botmaster controls a botnet; our analysis shows that one version of SDbot allows up to four botmasters to control the IRC channel simultaneously. This feature increases the usage of the botnet and makes traceback much harder. Other notable observations from the source code analysis include that Agobot uses up to four propagation methods (scan.netbios, scan.locator, scan.dcom and scan.dcom2), and that it finds and kills any antivirus process in its list every 10 seconds if it fails to join the IRC channel.
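The Agobot behaviour noted above (killing antivirus processes on a 10-second period after failing to join its IRC channel) suggests a host-level detection heuristic. The following Python is an added example, not code from this thesis or from either bot: it correlates failed connections to IRC ports with periodic process-kill events in a constructed host event log; the log format, the IRC port list and the antivirus process names are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample host event log (not real telemetry); line format is an
# assumption: <ISO timestamp> <host> <event> <detail>
SAMPLE_LOG = """\
2009-05-01T10:00:00 ws17 conn_fail irc.example.invalid:6667
2009-05-01T10:00:05 ws17 proc_kill avguard.exe
2009-05-01T10:00:15 ws17 proc_kill avguard.exe
2009-05-01T10:00:20 ws17 conn_fail irc.example.invalid:6667
2009-05-01T10:00:25 ws17 proc_kill avguard.exe
2009-05-01T10:00:35 ws17 proc_kill avguard.exe
2009-05-01T10:00:40 ws17 conn_fail irc.example.invalid:6667
2009-05-01T10:01:00 ws23 proc_kill notepad.exe
2009-05-01T10:02:00 ws23 conn_fail mail.example.invalid:25
"""

IRC_PORTS = {6667, 6668, 6669, 7000}  # common IRC ports; list is an assumption
# Placeholder names standing in for an organisation's own AV process list
AV_PROCESS_NAMES = {"avguard.exe", "mcshield.exe", "ccapp.exe"}

def parse(log):
    """Split each log line into (timestamp, host, event kind, detail)."""
    events = []
    for line in log.splitlines():
        ts, host, kind, detail = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return events

def flag_hosts(log, period=10, tolerance=2, min_kills=3, min_fails=2):
    """Return hosts with >= min_fails failed IRC connects and a run of
    >= min_kills AV process kills spaced period +/- tolerance seconds."""
    per_host = defaultdict(lambda: {"fails": 0, "kills": []})
    for ts, host, kind, detail in parse(log):
        if kind == "conn_fail":
            port = detail.rsplit(":", 1)[-1]
            if port.isdigit() and int(port) in IRC_PORTS:
                per_host[host]["fails"] += 1
        elif kind == "proc_kill" and detail.lower() in AV_PROCESS_NAMES:
            per_host[host]["kills"].append(ts)
    flagged = []
    for host, d in per_host.items():
        kills = sorted(d["kills"])
        gaps = [(b - a).total_seconds() for a, b in zip(kills, kills[1:])]
        periodic = sum(abs(g - period) <= tolerance for g in gaps)
        # periodic gaps + 1 = number of kills in the periodic run
        if d["fails"] >= min_fails and periodic + 1 >= min_kills:
            flagged.append(host)
    return sorted(flagged)
```

In the sample log only ws17 shows both signals; ws23 has an unrelated process kill and a failed SMTP connection, so it is not flagged.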