Intro to Today's Top Botnet Attacks
Nachreiner, CISSP, Network Security Analyst,
[Editor's Note: This
article supplements the list of attacks shown in Part 2
of the video series, Malware Analysis: Botnets.
"Malware Analysis: Botnets, Part 2" shows a small subset
of botnet attacks in action. This article fills out that
subset with more attacks commonly found in a bot
herder's arsenal. LiveSecurity subscribers can find the
videos, free of charge, on our Video
Tutorials page. --Scott]
You'll often hear botnets described as a "hacker's
Swiss army knife." Just as a Swiss army knife can come
with a crazy variety of blades, scissors, and
screwdrivers, bots come with numerous exploits and
commands that allow bot herders to launch many different
types of attacks.
Since coding up a bot client takes time and skill,
most attackers buy bot code in the online underground.
Popular malicious bots include Phatbot, Agobot, and the
one shown in our video, Rxbot. These bot clients use
modular code, so if a bot herder doesn't love the array
of commands his bot offers, he simply adds new ones. For
examples, read on.
What pairs better than zombies and spam?
Bot herders commonly leverage their bots as huge spam
relays. How huge? According to a recent study by
Commtouch, 87% of all email sent over the Internet
during 2006 was spam. This e-junk generated up to 1700
terabytes (1,700,000,000 megabytes) of Internet traffic
every day. Botnets generated 85% of that spam, a tidal
wave of unwanted mail.
Most bot code comes with at least a few commands to
make spamming easier. Some bots are even optimized
specifically for spamming. A bot herder using Phatbot
can issue the command harvest.emails to collect
every email address on a victim's computer. If a Phatbot
herder's botnet consists of thousands of victim
machines, he could quickly and easily create gi-normous
email lists to later spam.
Agobot is customized for spamming. It even includes
its own SMTP engine so that it can spam directly. Its
email spamming commands allow an Agobot herder to tell
each of his victims' computers to:
- Download a list of email addresses to spam
- Download a template email message to send out
- Start sending out messages using many different
email threads simultaneously
- Start and stop spamming when instructed to.
The bot in our video, Rxbot, is not considered a
spamming bot. However, even it contains an elementary
command that allows a bot herder to send an email from
all his zombie victims.
I'm hiding behind my SOCKS
Many bots include a SOCKS server. SOCKS
(an abbreviation for sockets) is a networking protocol
designed to pass TCP
traffic through a proxy
server. In other words, if a client wanted to visit
www.google.com using SOCKS, the client would send its
request to a SOCKS server instead of to Google directly.
The SOCKS server forwards that request to Google and
returns the response to the client. However, to Google
it looks as though the request came from the SOCKS
server, not the actual client.
Bot herders love to use the SOCKS proxy to spam. A
bot master simply enables the SOCKS proxy on one of his
bots, then redirects his SOCKS-compatible, mass emailing
program to the IP address of that bot. This causes the
email program to send email using that bot as a relay.
If an anti-spam program blacklists the bot's IP address,
the herder activates the SOCKS proxy on another bot, and
his spam seems to originate from a new, clean IP.
Furthermore, the bot herder can use a SOCKS proxy to
anonymize just about any network traffic. And in Rxbot,
for instance, activating the SOCKS proxy is simple: one
six-letter command initiates all those anonymizing
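A bot-hosted SOCKS relay only works if the herder's client speaks the SOCKS protocol to it, so the first bytes of an inbound TCP stream arriving at a workstation are a useful indicator. The classifier below is an added detection example, not code from the article or from any of the bots it names; it assumes per-flow first bytes have already been extracted (for example from a packet capture), and the flows it checks are constructed.

```python
"""Spot SOCKS4/SOCKS5 client handshakes in captured TCP payloads.

Added detection example, not from the article. Assumes per-flow first
bytes are already extracted (e.g. from a packet capture); the sample
flows below are constructed.
"""
import ipaddress
import struct

def classify_socks(payload):
    """Return a dict describing a SOCKS handshake, or None.

    SOCKS5 greeting: VER=0x05, NMETHODS, then NMETHODS method bytes.
    SOCKS4 CONNECT:  VN=0x04, CD=0x01, DSTPORT(2), DSTIP(4), USERID, NUL.
    """
    if len(payload) >= 2 and payload[0] == 0x05:
        nmethods = payload[1]
        # The greeting must carry exactly the advertised number of methods
        if nmethods and len(payload) == 2 + nmethods:
            return {"version": 5, "methods": list(payload[2:])}
    if len(payload) >= 9 and payload[0] == 0x04 and payload[1] == 0x01:
        port, = struct.unpack("!H", payload[2:4])
        dst_ip = str(ipaddress.IPv4Address(payload[4:8]))
        if b"\x00" in payload[8:]:  # USERID must be NUL-terminated
            return {"version": 4, "dst": dst_ip, "port": port}
    return None

def flag_unsanctioned_socks(flows, sanctioned_proxies):
    """Return (src, dst, dport, info) for SOCKS handshakes sent to hosts
    that are not approved proxies. flows: (src, dst, dport, first_bytes)."""
    hits = []
    for src, dst, dport, first_bytes in flows:
        info = classify_socks(first_bytes)
        if info and dst not in sanctioned_proxies:
            hits.append((src, dst, dport, info))
    return hits

# Constructed sample flows: an approved proxy, a workstation, plain HTTP
SAMPLE_FLOWS = [
    ("198.51.100.7", "10.0.0.5", 1080, b"\x05\x01\x00"),       # approved proxy
    ("198.51.100.7", "10.0.0.23", 3128, b"\x05\x02\x00\x02"),  # workstation!
    ("198.51.100.9", "10.0.0.23", 1080,
     b"\x04\x01\x00\x19\xc0\x00\x02\x01bot\x00"),              # SOCKS4 to port 25
    ("10.0.0.23", "10.0.0.40", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for hit in flag_unsanctioned_socks(SAMPLE_FLOWS, {"10.0.0.5"}):
        print("possible bot SOCKS relay:", hit)
```

A SOCKS4 request whose destination port is 25, as in the third constructed flow, is exactly the spam-relay pattern the article describes and deserves the highest priority in triage.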
Some bots have a Man-in-the-Middle
Bots also help herders launch Man-in-the-Middle
(MitM) attacks. Most bots come with commands that
allow their creators to redirect network traffic any way
they like. For instance, a bot herder could tell a bot
to redirect all its web traffic to his computer. Then,
every time the unwitting victim (whose machine is
hosting that bot) browses the Web, the attacker sees the
traffic before forwarding it to its intended
destination. This is one way bot masters capture
sensitive information or steal login credentials.
Rxbot comes with the .redirect command.
Herders can use this command to forward the network
traffic destined for any TCP port, to any IP address
they choose. Phatbot comes with additional redirect
commands that allow it to forward GRE
traffic, the special protocol used in establishing PPTP
VPN connections. These examples merely hint at what a
bot herder can accomplish with redirects.
Click Fraud and Poll Manipulation
Nowadays, the lure of illegal easy money motivates
most bot herders. Our video shows how crooks can force
their bots to click on revenue-generating Google
AdWords. As another example, Rxbot has a
simple-yet-effective .visit command. If you send
your bots this command, followed by a URL, they silently
visit that URL. Here, silently is a technical
term meaning the bot victim will not see her computer
visit the URL. The visit happens in the background,
without any web browser involvement. So, imagine you
have 100,000 bots. With one command you could easily
force all those bots to visit an online poll, vote, or
game. If you wanted ToneDeaf UglyDork to win American
Idol, you could command all your bots to visit the
American Idol voting page and submit a vote.
Since every vote would come from a different IP address,
the results would look legitimate. And if the flaws in
American e-voting aren't fixed before 2008, bots just
might elect ToneDeaf UglyDork as President, too.
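Because a .visit-style request happens "without any web browser involvement", it leaves a distinctive trace in the target site's logs: a client that casts a vote without ever loading the poll page, its assets, or sending a Referer. The parser below is an added detection example, not code from the article; the log lines are constructed in Apache combined format and /poll/vote is an assumed vote endpoint.

```python
"""Flag headless "bot visits" to a voting URL in web server logs.

Added detection example, not from the article. A browser that casts a
vote first loads the poll page and its assets and sends a Referer; a
bot that merely visits the vote URL does neither. Log lines below are
constructed (Apache combined format); /poll/vote is an assumed path.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
VOTE_PATH = "/poll/vote"  # assumption: the poll's vote endpoint

def parse_line(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_headless_voters(lines):
    """Return client IPs whose only activity is the vote URL with no
    Referer, i.e. they never loaded the poll page or any of its assets."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    suspicious = set()
    for ip, recs in by_ip.items():
        votes = [r for r in recs if r["path"].startswith(VOTE_PATH)]
        others = [r for r in recs if not r["path"].startswith(VOTE_PATH)]
        if votes and not others and all(r["referer"] == "-" for r in votes):
            suspicious.add(ip)
    return suspicious

SAMPLE_LOG = [
    # constructed: a real visitor loads the page, a stylesheet, then votes
    '203.0.113.5 - - [10/Oct/2007:12:00:01 -0400] "GET /poll HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2007:12:00:02 -0400] "GET /css/poll.css HTTP/1.1" 200 300 "http://example.test/poll" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2007:12:00:09 -0400] "GET /poll/vote?c=3 HTTP/1.1" 200 55 "http://example.test/poll" "Mozilla/5.0"',
    # constructed: three zombies hit the vote URL directly and nothing else
    '198.51.100.11 - - [10/Oct/2007:12:00:10 -0400] "GET /poll/vote?c=7 HTTP/1.1" 200 55 "-" "Mozilla/4.0"',
    '198.51.100.12 - - [10/Oct/2007:12:00:10 -0400] "GET /poll/vote?c=7 HTTP/1.1" 200 55 "-" "Mozilla/4.0"',
    '198.51.100.13 - - [10/Oct/2007:12:00:11 -0400] "GET /poll/vote?c=7 HTTP/1.1" 200 55 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    print("headless voters:", sorted(find_headless_voters(SAMPLE_LOG)))
```

The Referer and asset checks are heuristics a more careful bot can satisfy, so pair them with a per-minute rate threshold on the vote URL and with the fact that each flagged address casts exactly one vote for the same choice.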
Spam + IM = SPIM
Many IRC bots today have Instant
Messenger (IM) and Peer-to-Peer
(P2P) components in their attack arsenal. For
instance, some bots allow you to send spam to IM
channels (nicknamed SPIM). Attackers commonly
send malicious files or URLs to IM users, hoping to
infect them with malware. Some bots incorporate commands
that allow the bot herder to send these types of IM
messages to his bots' IM buddies. If those buddies then
visit the URL or execute an attached file, they get
infected with the herder's bot and become minions in his
Some bots offer similar commands that help them
spread via P2P applications. For instance, Agobot
spreads by placing copies of itself in the share
directories used by many popular P2P programs such as
Kazaa and Limewire. The bot gives its file an enticing
name, such as the title of a movie still in theaters.
When someone downloads and runs this malicious trojan,
their computer becomes another zombie.
Is it just me, or does it smell like bots in here?
In the video, we mentioned that many bots come with
packet sniffers. Packet sniffers allow a bot
master to see all of the network traffic that passes by
his bots, and sometimes all the traffic that passes
within the bot victim's network as well. Attackers can
learn a lot by sniffing a network. For instance, a bot
herder might capture cleartext logins or see web
cookies. They could even passively enumerate your
Agobot comes with some very advanced packet sniffing
capabilities. Rather than sniffing and reporting every
single packet, which creates volumes of junk for the
herder to parse, Agobot allows a herder to sniff for
specific strings or types of traffic. For example, you
can command Agobot to capture all the web cookies it
sees passing over a network. You can also specifically
tell it to sniff only FTP or IRC logins. In short, if
something passes over a network in clear text, Agobot's
sniffing can pinpoint it.
Stay as sharp as the crooks
In our video and this article, we've listed the most
common "Swiss Army blades" used in bots today. Since
botnets are evolving fast, bots could have all-new
blades tomorrow. For now, you can protect yourself best
by understanding the threat -- and following the defense
measures we outline in "Malware Analysis: Botnets, Part
3." Look for it on our Video
Tutorials page beginning 17 October, 2007.