What Is a BotNet and How Does It Happen

Posted by Luciano on August 16, 2010 in Internetz

BotNet, a term I used two articles ago, is one that many of my friends are not familiar with. What is a BotNet, what dangers does it pose to you, the end user, where does it originate and how does it propagate?

Let's start from the beginning. BotNets are networks of bot-computers: robotized machines that can be given any set of instructions or code to evaluate and execute. Such robot-computers are actually end-user computers, just like yours, that have been compromised and infected with a mutant virus. Unlike a decade ago, viruses no longer have firm boundaries and classifications; the viruses of today and tomorrow are mutants that combine and incorporate many malicious behaviours.

OBSCURITY
Viruses and bots hide from anti-virus programs; the Mariposa bot virus was detected, or even flagged as suspicious, by only two out of forty-one anti-virus solutions at the time it appeared.
Such viruses rewrite their own code on the fly so as not to look suspicious and to avoid discovery by anti-virus or any other system-monitoring procedures.
Their code is also encrypted, and they set "hooks" or listeners into the operating system so that they detect debugging procedures and shut themselves down (the Mariposa bot had at least FOUR different procedures listening for system debugging tools, tasked with shutting down the bot and/or the debugger).

INFECTION SPREADING
Those viruses hijack all important processes and libraries on your Windows box, so your system's .dll and .exe files become their vaults, where they hide temporarily.
Bot viruses encrypt communications between the virus client and the virus servers, using uncommon ports and custom communication protocols, often higher UDP ports.
They also hijack your "higher level" applications, such as the browser, serving you ads you never subscribed to, or hijacking your Google session. The Mariposa bot is suspected to have implemented a Google hijacker that let the bot owner serve you Google Ads coming from his own account, generating profit for him and stealing legitimate profit from the websites you visit.
It is well known that bots and worms propagate via malicious websites or via MSN Messenger, but they also propagate by every other means known so far: the Mariposa bot had a built-in protocol switch to turn on MSN and/or USB contamination procedures, and other viruses propagate via local LANs (and Microsoft's NetBIOS protocol) or other ports and applications, such as ICQ, Adobe PDF, and many more.

CUSTOMIZATION AND COMMUNICATION
Such viruses are usually very customizable and try to communicate with several Internet domains, most of them with not-so-suspicious names: their domains look like valid websites, so your computer's activity can easily be mistaken for legitimate even if it is noticed. They also use custom communication protocols. Iserdo wrote ICP, the Iserdo Communication Protocol, which he claims (correctly) is optimized for communication via UDP; in other words, his bots communicate over the regular channels supported by your computer and teh Internetz, but in a custom-made language invented for their specific needs.
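The two observations above about bot traffic (uncommon high UDP ports, and a custom UDP protocol spoken to domains that look legitimate) point at what a defender can actually look for: not the content, which is encrypted, but the rhythm. The following is an added example, not code from the original post or from any bot mentioned here. It assumes a constructed connection-log format (timestamp, source, destination, protocol, destination port, bytes) and constructed sample lines, and treats repeated, evenly spaced UDP packets to one high, non-well-known destination port as a beacon candidate while leaving irregular traffic alone.

```python
"""Detect hosts beaconing over uncommon high UDP ports.

Added example, not code from the original post or from any named bot.
Assumptions not taken from the page: a constructed log format of
"<unix_ts> <src_ip> <dst_ip> <proto> <dst_port> <bytes>" per line, and that
bot-to-controller traffic shows up as repeated, evenly spaced UDP packets to
a single high destination port, while normal UDP (DNS, NTP) uses well-known ports.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: 10.0.0.12 beacons every ~60 s to UDP/41221,
# 10.0.0.7 does ordinary DNS/NTP lookups, and 10.0.0.20 sends a few
# irregularly spaced UDP datagrams to a high port (a game client, say).
SAMPLE_LOG = """\
1281945600 10.0.0.7 203.0.113.9 udp 53 80
1281945601 10.0.0.7 203.0.113.9 udp 123 76
1281945605 10.0.0.12 198.51.100.4 udp 41221 132
1281945610 10.0.0.20 198.51.100.8 udp 50000 512
1281945635 10.0.0.20 198.51.100.8 udp 50000 498
1281945660 10.0.0.7 203.0.113.9 udp 53 81
1281945665 10.0.0.12 198.51.100.4 udp 41221 130
1281945724 10.0.0.12 198.51.100.4 udp 41221 133
1281945786 10.0.0.12 198.51.100.4 udp 41221 131
1281945805 10.0.0.20 198.51.100.8 udp 50000 520
1281945815 10.0.0.20 198.51.100.8 udp 50000 505
1281945845 10.0.0.12 198.51.100.4 udp 41221 129
1281945900 10.0.0.7 203.0.113.9 udp 53 79
"""

# UDP ports ordinary hosts use all day; traffic to them is not suspicious on
# its own, so it is excluded before looking for regular intervals.
WELL_KNOWN_UDP = {53, 67, 68, 123, 137, 138, 161, 500, 1900, 4500}


def parse_log(text):
    """Yield (ts, src, dst, proto, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        ts, src, dst, proto, dport, _size = fields
        try:
            yield int(ts), src, dst, proto.lower(), int(dport)
        except ValueError:
            continue


def find_udp_beacons(text, min_hits=4, max_jitter=0.2, min_port=1024):
    """Return one finding per (src, dst, dport) flow that looks like a beacon.

    A beacon here means: UDP to a high, non-well-known port, seen at least
    min_hits times, with the coefficient of variation (stdev / mean) of the
    inter-packet gaps at or below max_jitter. Irregular traffic is not reported.
    """
    timestamps = defaultdict(list)
    for ts, src, dst, proto, dport in parse_log(text):
        if proto != "udp" or dport < min_port or dport in WELL_KNOWN_UDP:
            continue
        timestamps[(src, dst, dport)].append(ts)

    findings = []
    for (src, dst, dport), seen in timestamps.items():
        if len(seen) < min_hits:
            continue
        seen.sort()
        gaps = [b - a for a, b in zip(seen, seen[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # everything within one second: a burst, not a beacon
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "hits": len(seen), "mean_interval": avg,
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_udp_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['dport']}/udp every "
              f"~{f['mean_interval']:.0f}s ({f['hits']} hits, jitter {f['jitter']})")
```

On the constructed sample only 10.0.0.12 is reported: its gaps are 60, 59, 62 and 59 seconds, so the jitter is about 0.02, while 10.0.0.20's gaps of 25, 170 and 10 seconds give a jitter above 1.0 and are ignored. Raising `max_jitter` or lowering `min_hits` trades missed beacons for false positives, and a real deployment would also watch for the same flow re-appearing on a new destination after the controller's domain changes.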

REAL DAMAGES
Damages by such bot networks are tremendous; they involve not just the money needed to re-secure compromised systems, but beyond that the costs of compromised information, whether through industrial spying, blocked access, security breaches, and more. There is no password that cannot be attacked by brute force when the BotNet owner has 12 billion processors at their disposal; they can easily crack passwords that are 15 characters long and include every character set imaginable. There is no ISP or web server that can sustain hours and hours of Denial of Service (DoS) attacks. Such attacks are very simple to conduct: the Mariposa BotNet is known to have conducted DoS attacks with 5.5 thousand computers that simultaneously sent server requests without a proper return address, so the servers got congested with replies they could not deliver because of the bogus return address. 5.5 thousand computers is a small set compared to the 12 billion computers in 160+ countries at the BotNet owner's disposal, which means that there is NO WAY to identify the network of origin and shut it down temporarily, the common way of fighting DoS attacks. Imagine how much money gambling websites would pay in order to stay online. Threatening to shut down such high-traffic websites (usually porn and gambling) is a common form of blackmail conducted by BotNet owners.
Compiling the private and confidential information of the bot computers' real-life owners, such as Social Security numbers, bank account numbers, PIN numbers, and everything else, is also a real danger: the Mariposa owner had compiled information on more than 800,000 people, including everything needed to steal their money or their identity.
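The forged return address in the DoS description above is exactly what defeats the usual response of identifying and blocking the source network. The following added example (not from the original post) makes that concrete with a constructed TCP handshake event log and an assumed log format: it counts half-open connections both in aggregate and per source, so that a forged-source flood overflows the server's backlog while no single source ever crosses a per-source threshold, whereas a flood from one real address is trivially blockable.

```python
"""Half-open connection monitor showing why spoofed-source floods defeat
per-source blocking. Added example, not from the original post.

Assumptions not taken from the page: a constructed event log of handshake
steps as "<ts> <client_ip> <flag>", where SYN means a request arrived and
ACK means that client completed the handshake, and that the server's backlog
is exhausted once more than `backlog` requests are left half-open.
"""
from collections import Counter

# Constructed sample: three legitimate clients (192.0.2.x) complete their
# handshakes, while a burst of SYNs from never-repeated forged addresses
# (203.0.113.x) never does.
SAMPLE_EVENTS = """\
0 192.0.2.10 SYN
0 192.0.2.10 ACK
1 192.0.2.11 SYN
1 203.0.113.1 SYN
1 203.0.113.2 SYN
1 203.0.113.3 SYN
2 192.0.2.11 ACK
2 203.0.113.4 SYN
2 203.0.113.5 SYN
2 192.0.2.12 SYN
3 192.0.2.12 ACK
3 203.0.113.6 SYN
3 203.0.113.7 SYN
3 203.0.113.8 SYN
"""

# Constructed contrast: the same volume from one genuine address.
SINGLE_SOURCE_FLOOD = "\n".join(f"{i} 203.0.113.9 SYN" for i in range(6)) + "\n"


def parse_events(text):
    """Yield (ts, ip, flag) tuples from the constructed handshake log."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip, flag = parts
        yield int(ts), ip, flag.upper()


def half_open_by_source(text):
    """Count, per source address, SYNs never completed by a matching ACK."""
    pending = Counter()
    for _ts, ip, flag in parse_events(text):
        if flag == "SYN":
            pending[ip] += 1
        elif flag == "ACK" and pending[ip] > 0:
            pending[ip] -= 1
    return Counter({ip: n for ip, n in pending.items() if n > 0})


def flood_assessment(text, backlog=5, per_source_threshold=3):
    """Contrast the aggregate view (backlog exhaustion) with per-source blocking.

    Returns the total number of half-open connections, whether that exceeds
    the server's backlog, how many distinct sources are involved, and which
    sources a per-source rule would block. With forged return addresses each
    source appears once, so the blockable list stays empty even while the
    backlog overflows.
    """
    pending = half_open_by_source(text)
    total = sum(pending.values())
    return {
        "half_open_total": total,
        "backlog_exhausted": total > backlog,
        "distinct_sources": len(pending),
        "blockable_sources": sorted(ip for ip, n in pending.items()
                                    if n >= per_source_threshold),
    }


if __name__ == "__main__":
    print("forged sources :", flood_assessment(SAMPLE_EVENTS))
    print("single source  :", flood_assessment(SINGLE_SOURCE_FLOOD))
```

The forged-source sample leaves eight connections half-open across eight different addresses, so the backlog of five is exhausted yet `blockable_sources` is empty; the single-source sample reaches the same exhaustion with one address that a per-source rule catches immediately. That asymmetry is why defences against this kind of flood have to work on the aggregate (SYN cookies, upstream filtering of impossible source addresses) rather than on the apparent origin.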

HOW TO PROTECT YOURSELF
There are many more dangers lurking in the dark corners of illegal private cloud networks, or BotNets; the list above is just the tip of the iceberg. How does one protect oneself, when this sounds so dangerous? Well, there is no better protection than educating yourself: learning how your computer usually behaves and observing subtle or not-so-subtle signs that it is behaving differently may warn you of malicious behavior. Do not open unknown or suspicious attachments, do not download and install cracked applications, do not browse illegal or suspicious content on the web, do not use USB sticks with the "autostart" feature, and always scan them before viewing or using their content. Be alert, be paranoid, and guard your information; once you are compromised it is really, really, really hard to get your life back.

Copyright © 2009-2012 .play.open.minded. All rights reserved.