2. Botnet Characterization
2.4 Maintenance and Availability
Like all software, bots must have their bugs fixed and their features upgraded in order to keep high availability as well as to improve attack vectors. This section presents bot and botnet features not related to C&C that contribute to higher botnet availability.
2.4.1 Updates and Upgrades
In a maintenance and availability context, bot updates mean improved skills to survive hostile environments. Survival is a constant struggle between bots and their hunters. On the other side of the bot’s barricades, security products evolve every day. Upgrades and updates (UU) are the only way a bot can keep up with the evolution of security products (as well as the other way around).
Updating and upgrading (UU) a bot are processes that can be triggered both by the bot and by the herder through its control servers. Bots can start the process every time they contact the control server, by checking for the availability of updates and then downloading them. This is usually what happens in pull-type bots such as those using HTTP topology architectures. Herders can also start the UU process in push-type topologies such as those of IRC botnets. To accomplish that, botmasters send commands to the desired bots instructing them to update and, at the same time, indicating how to perform the task (download server addresses, protocols, etc.). Updated binaries can be distributed using control servers, files shared in P2P networks, file-sharing websites, and other channels.
2.4.2 Deception
Longer malware lifecycles also rely on deception. By hiding their presence and activities in hosts and networks, bots improve their chances of survival. Besides hiding its presence, hiding its code and algorithms from researchers’ eyes is also an important deceptive behavior of a bot.
Data encryption helps bot communications remain anonymous. Messages exchanged between bots and herders in clear text can be used to create very simple signature-based Intrusion Detection Systems (IDSs). Beyond helping to evade signature-based IDSs, encryption hides bot commands from network sniffers.
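The point above can be seen in a minimal signature-based detector. The following is an added example, not code from the original text: it runs two hypothetical clear-text command signatures over a constructed sample of IRC-style traffic. The command syntax (“!update”, “!dl”), the channel name and the opaque third line are all invented for the illustration; the third line stands for a message whose payload the bot encrypted before sending, so the signature has nothing to match.

```python
import re
from typing import List, Tuple

# Constructed sample of captured IRC-style traffic (not real data).
# Lines 0 and 3 carry clear-text update/download commands; line 1 is benign
# chat; line 2 is the same kind of command after the bot encrypted the payload,
# so only opaque characters reach the wire.
SAMPLE_LINES = [
    "PRIVMSG #ch :!update http://example.invalid/bot.exe",
    "PRIVMSG #ch :hello everyone, anyone around?",
    "PRIVMSG #ch :q3Vb7+NcR1sZp0aY9kTf2w==",
    "PRIVMSG #ch :!dl http://example.invalid/plugin.bin",
]

# Hypothetical signatures modelled on clear-text bot commands. A real IDS
# loads rule files, but the matching principle is identical: a fixed pattern
# must appear literally in the payload.
SIGNATURES = [
    ("bot-update-command", re.compile(r"!update\s+https?://\S+")),
    ("bot-download-command", re.compile(r"!dl\s+https?://\S+")),
]


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_index, signature_name) for every line some signature matches."""
    hits = []
    for index, line in enumerate(lines):
        for name, pattern in SIGNATURES:
            if pattern.search(line):
                hits.append((index, name))
    return hits


def is_flagged(line: str) -> bool:
    """True when at least one signature matches the given line."""
    return any(pattern.search(line) for _, pattern in SIGNATURES)


if __name__ == "__main__":
    for index, name in scan(SAMPLE_LINES):
        print(f"line {index}: matched {name}")
    # The encrypted line (index 2) is never reported, which is exactly the gap
    # a signature-only IDS leaves once the bot starts encrypting its traffic.
```

Only the two clear-text lines are reported; the encrypted line passes untouched. This is why network-level detection of bots that encrypt their C&C traffic has to rely on traffic behavior (timing, destinations, volumes) rather than on payload signatures alone.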
Malware can also inject its code into system processes. Process injection is used by bots to elevate execution privileges on a host as well as to hide their presence from firewalls and antivirus software. Code injected into a system process is executed in that process’s own security context, thereby evading some firewall policies as well as antivirus detection.
Code obfuscation and compression work like data encryption but at the executable level. Obfuscation and compression make the bot’s code and algorithms harder to analyze. Rootkits3 are very often packed with bots. They hide the bot’s presence from the host’s users by hooking system functions and filtering the results of operating system queries in which the bot’s trace could appear. Some of the first rootkits that appeared on Unix systems substituted the system “ps” tool with an altered version. The rootkit’s “ps” tool simply returned all running processes in the system except those it was meant to hide.
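A trojanized “ps” of the kind described above can be detected by cross-view comparison: the process list obtained from a trusted source is diffed against the list the (possibly altered) tool reports, and any PID present in the first but missing from the second is suspicious. The following is an added example, not code from the original text. Both listings are constructed in place so the script runs offline; the helper `read_proc_view` shows how the trusted view would be gathered on a real Linux host by reading /proc directly, and the PIDs and process names are invented.

```python
import os
from typing import Dict

# Constructed listings (no real system was queried). TRUSTED_VIEW plays the
# role of a listing taken from /proc, a kernel module or a memory image;
# PS_VIEW plays the role of what an altered `ps` binary printed.
TRUSTED_VIEW: Dict[int, str] = {
    101: "sshd",
    202: "cron",
    303: "bash",
    404: "hidden_bot",     # invented name: the process the rootkit conceals
    505: "hidden_helper",  # invented name: a second concealed process
}
PS_VIEW: Dict[int, str] = {101: "sshd", 202: "cron", 303: "bash"}


def hidden_processes(trusted: Dict[int, str], reported: Dict[int, str]) -> Dict[int, str]:
    """PIDs present in the trusted view but absent from the reported view."""
    return {pid: name for pid, name in trusted.items() if pid not in reported}


def read_proc_view(proc_root: str = "/proc") -> Dict[int, str]:
    """Build the trusted view on a live Linux host by walking /proc.

    Reading /proc bypasses a userland `ps` replacement, but not a kernel-level
    rootkit that filters the /proc directory itself; for that case the trusted
    view must come from outside the running kernel (e.g. a memory image).
    """
    view: Dict[int, str] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "comm"), encoding="utf-8") as handle:
                view[int(entry)] = handle.read().strip()
        except OSError:
            # The process may have exited between listdir() and open().
            continue
    return view


if __name__ == "__main__":
    for pid, name in sorted(hidden_processes(TRUSTED_VIEW, PS_VIEW).items()):
        print(f"PID {pid} ({name}) exists but is not reported by ps")
```

On the constructed data the two concealed PIDs are returned. The docstring’s caveat matters in practice: the cross-view check is only as good as the trusted side, so a kernel rootkit that hooks the /proc listing defeats a /proc-based trusted view and an out-of-band source is required.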
Botnets can also be used as proxies in order to accomplish deception. Herders can use bot-based proxy networks in order to hide their activities and evade identification. [2]
3 The origin of the term rootkit dates back to the early days of the Unix operating system. It is a concatenation of the word
2.4.3 Malware wars
Besides antivirus software, firewalls, IDSs and other security software, bots need to be aware of another menace to their integrity: other malware. What happens when an already infected host is infected by other malware? Perhaps biomimetics can help to find an answer.
An infected host in computer science is like a host in biology: an organism that harbors a parasite. In biology, different parasites can coexist and even help each other but they can also be opponents.
In infected computers, malware can act the same way as parasites in biology. While occasionally certain malware even installs other “friendly” malicious programs, it can also happen that antagonistic malware ends up installed on the same host. Some bots are prepared to work as a real antivirus, detecting and removing rival malware. This is the case of the TDL bot, for example. [25]
Concerning maintenance and botnet availability, there are two very important statistics for the herders: the number of active bots and the bot lifetime.
2.4.4 Number of active bots
The number of installed bots is different from the number of available bots listening to commands in a state of readiness.
The number of available bots is related to host connectivity and time zones. Bots installed on laptops and other mobile equipment that are not always connected to the internet result in intermittent availability and readiness of the bot task force. On the other hand, bots installed in different time zones have different availability schedules, since many hosts are turned off during the night.
A very high number of active bots is the objective of every herder. For that matter, many botnet management consoles have features like IP geolocation and bot time-zone information. These features allow herders to evaluate and correctly forecast the readiness state of the entire botnet.
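The distinction between installed and active bots, and the way time zones shape it, is easiest to see on data. The following is an added example, not code from the original text, written from the perspective of a researcher analysing sinkhole check-in logs rather than of a herder: it takes constructed check-in records (bot identifier, UTC offset of the host, last check-in time), counts installed bots as distinct identifiers, counts active bots as those seen within a readiness window, and breaks both down per time zone together with the local hour. All identifiers, offsets and timestamps are invented.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed check-in records: (bot_id, utc_offset_hours, last_seen_utc).
# Not real data; b01 appears twice to show that installed bots are counted
# by distinct identifier, not by number of check-ins.
CHECKINS: List[Tuple[str, int, str]] = [
    ("b01", -5, "2024-05-01T13:58:00"),
    ("b02", -5, "2024-05-01T09:10:00"),
    ("b03", 1, "2024-05-01T13:50:00"),
    ("b04", 1, "2024-05-01T13:59:00"),
    ("b05", 9, "2024-05-01T03:30:00"),
    ("b06", 9, "2024-05-01T02:45:00"),
    ("b01", -5, "2024-05-01T11:00:00"),
]


def latest_checkins(records: List[Tuple[str, int, str]]) -> Dict[str, Tuple[int, datetime]]:
    """Reduce raw records to the most recent check-in per bot identifier."""
    latest: Dict[str, Tuple[int, datetime]] = {}
    for bot_id, offset, stamp in records:
        seen = datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)
        if bot_id not in latest or seen > latest[bot_id][1]:
            latest[bot_id] = (offset, seen)
    return latest


def local_hour(offset_hours: int, now_utc: datetime) -> int:
    """Wall-clock hour at a host with the given UTC offset."""
    return (now_utc.hour + offset_hours) % 24


def readiness(
    records: List[Tuple[str, int, str]], now_utc: datetime, window: timedelta
) -> Tuple[int, int, Dict[int, Tuple[int, int]]]:
    """Return (installed, active, per_zone) where per_zone maps a UTC offset
    to (installed_in_zone, active_in_zone). A bot is active when its last
    check-in falls within `window` of `now_utc`."""
    latest = latest_checkins(records)
    active = {bot for bot, (_, seen) in latest.items() if now_utc - seen <= window}
    per_zone: Dict[int, Tuple[int, int]] = {}
    for bot, (offset, _) in latest.items():
        installed, act = per_zone.get(offset, (0, 0))
        per_zone[offset] = (installed + 1, act + (1 if bot in active else 0))
    return len(latest), len(active), per_zone


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 14, 0, tzinfo=timezone.utc)
    installed, active, per_zone = readiness(CHECKINS, now, timedelta(minutes=15))
    print(f"installed={installed} active={active}")
    for offset, (inst, act) in sorted(per_zone.items()):
        print(f"UTC{offset:+d}: {act}/{inst} active, local hour {local_hour(offset, now):02d}:00")
```

With the constructed data and a 15-minute window at 14:00 UTC, six bots are installed but only three are active: both hosts at UTC+1 (15:00 local, office hours) are ready, one of two at UTC−5 (09:00 local) is, and neither host at UTC+9 (23:00 local) has checked in for hours. The same computation with a sliding `now_utc` is what lets an analyst (or a herder’s console) predict how the available force changes over a day.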
2.4.5 Bots lifetime
Another important piece of data for the herder is the malware lifetime. Host recruiting is a hard task and, as seen earlier in this section, good malware design is important in order to achieve longer malware lifecycles and to maximize the return on the infection effort.
Well-designed bots are like strong, well-prepared soldiers, who have a better chance of surviving in hostile environments.