Botnet Hunters Search for Command and Control Servers

By Ryan Naraine  |  Posted 2005-06-17


Convinced that the recent upswing in virus and Trojan attacks is directly linked to the creation of botnets for nefarious purposes, a group of high-profile security researchers is fighting back, vigilante-style.

The objective of the group, which operates on closed, invite-only mailing lists, is to pinpoint and ultimately disable the C&C (command-and-control) infrastructure that sends instructions to millions of zombie drone machines hijacked by malicious hackers.

"The idea is to share information and figure out where the botnets are getting their instructions from. Once we can identify the command-and-control server, we can act quickly to get it disabled. Once the head goes, that botnet is largely useless," said Roger Thompson, director of malicious content research at Computer Associates International Inc.

Thompson, a veteran anti-virus researcher closely involved in the effort, said the group includes more than 100 computer experts (unofficially) representing anti-virus vendors, ISPs, educational institutions and dynamic DNS providers internationally.

"It's just a bunch of good guys that have an interest in shutting down these botnets. We are dealing here with some very skilled and sophisticated attackers who have proven they know how to get around the existing defense systems," Thompson said in an interview with Ziff Davis Internet News.

Thompson said the researchers combine IP flow data from routers with reverse-engineering tools that peek under the hood of new Trojans to work out how the botnet owner sends instructions to the compromised machines.

"Once we get our hands on the Trojan or we get one of our own machines compromised, we can easily observe what it's doing and which server it is talking to," he said.

"We started off trying to pinpoint the individual drones and getting those shut off, but that approach hasn't worked. As soon as you clean one up, it is replaced by another 20 or 100. We had to shift the focus toward the command-and-control."

The C&C infrastructure is most often an IRC (Internet Relay Chat) server installed illegally on a high-bandwidth educational or corporate network. As Thompson explained, the botnet (short for "robot network") is a collection of broadband-enabled computers infected with worms and Trojans that leave back doors open for communication with the C&C.


Earlier this month, anti-virus vendors spotted an alarming new virus attack that used three different Trojans—all communicating with each other—to disable anti-virus software and seed new botnets. Once a machine becomes infected, it automatically scans its own network to find other unpatched systems.

"It has reached a stage where we are sure we are dealing with very smart, very savvy people who know their way around anti-virus scanning engines. They have figured out that they can get in, quickly disable the armor, then go out and download instructions," Thompson said.

As the botnet grows, it becomes a lucrative asset to its owner, and Thompson said there is evidence that the compromised machines are being rented out for spam runs, distributed denial-of-service attacks linked to business blackmail and, more recently, for the distribution of adware/spyware programs.

Randal Vaughn, professor of computer information systems at Baylor University, is the man responsible for gathering data and compiling statistics for the drone armies research and mitigation mailing list, one of the more active vigilante efforts.


Bot Armies

In an interview, Vaughn said the group has noticed quite a range of botnets, with some C&C servers managing as many as 100,000 compromised machines.

"Some have just 1,000 drones but some are quite large, and there's also a lot of cross-infections where one machine is talking to multiple command-and-controls," he said. In those cases, Vaughn said it becomes even tougher for an ISP or autonomous system operator to shut down the command center.

"We've seen drones in multiple bot armies, and in some cases, they're even sold or traded from one owner to another."

A key part of the vigilante effort, Vaughn said, is to work closely with the network operators to quickly strangle the botnet once the C&C is pinpointed. The operators of ASNs (autonomous system numbers) have been largely reticent in the past, but Vaughn said the relationship has improved because network operators now see a business value in clamping down on botnets.

An ASN identifies an autonomous system: a group of network address blocks, managed by a particular network operator, that share a common routing policy. Most ISPs, large corporations and university networks have an ASN.

According to Vaughn's latest data, the ISPs that are most often plagued with botnet command-and-control include Yipes Communications Inc., Sago Networks, Inc., Staminus Communications and Korea Telecom.

Gadi Evron, the Israeli government's CERT manager who oversees the vigilante effort, said the ASN network operators are becoming more proactive. "This month we would especially like to commend Staminus, who contacted us and have since made incredible efforts to deal with the threat. Also, we'd like to mention Internap for their continuous efforts," he said in a recent public update on the group's work.

Evron reported that the Trojan horses used most in botnets include those recently spotted by anti-virus vendors—Korgobot, SpyBot, Optix Pro, Rbot, AgoBot, PhatBot.


"I think our efforts are working. It's not eliminating the botnets, but it's slowing them down," CA's Thompson said. "A lot of it has been cleaned up, but the trouble is that the bad guys are learning as well. It's the classic cat-and-mouse game to find the command-and-controls before they figure out we're on the tail and start moving them around."

Thompson, who is convinced that adware installation affiliate dollars are financing the growth of botnets, concedes that the war will never be won. "We've got to do something to mitigate it. Unless we get all the adware companies shut down and cut off the supply of money, it's always going to be there."

Baylor University's Vaughn agreed. "Just last night, I saw a 10 percent increase in command-and-control detections, so we know they're being replaced just as fast."

He declined to provide numbers on actual shutdowns but insisted that the group is seeing positive results. "We're breaking through the network operators and getting them to a level of awareness that is encouraging. Quite a few of the command-and-control centers are no longer showing up, so we know it's working," Vaughn added.

Because the botnet scourge is an international issue, Vaughn said the group's efforts are sometimes stymied by a communication gap. "The command-and-controls have a tendency to hop around a bit. They can hop from one autonomous system to another in a matter of days, especially the very active ones, so it's always tough to start talking about being successful."

Even when a C&C gets taken out, the drones within that botnet remain susceptible to reinfection, because they are usually still unpatched and vulnerable.

"We have the other issue of cross-infections, where you kill one command-and-control and the drone is still talking to another one. These are patterns we're trying to identify," Vaughn said.
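The two defender-side patterns the article describes, Thompson's use of router IP flow data to find the server many compromised hosts report to, and Vaughn's cross-infections where one drone talks to several command-and-controls, can be illustrated over flow records. The following is an added example, not code from the article, from Computer Associates, Baylor or the drone armies list. Everything in it is assumed: the one-record-per-line flow format (`timestamp src_ip dst_ip dst_port packets`), a monitored address space of 10.0.0.0/8, the conventional IRC ports 6660-6669 and 7000, the `min_drones` fan-in threshold, and the constructed sample flows, which use documentation address ranges rather than real hosts.

```python
"""Flow-based spotting of botnet command-and-control candidates.

Added illustration, not code from the article or the researchers it quotes.
Assumptions (all hypothetical): flows are one-per-line text records of
"timestamp src_ip dst_ip dst_port packets"; the defender's own address
space is 10.0.0.0/8; IRC traffic uses the conventional ports 6660-6669
and 7000. A real deployment would read exported NetFlow/sFlow instead.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")        # assumed monitored address space
IRC_PORTS = set(range(6660, 6670)) | {7000}    # conventional IRC listener ports

# Constructed sample flow records (documentation-range IPs, not real hosts):
# four internal hosts talk to 203.0.113.9:6667, three to 198.51.100.77:7000,
# two of them to both; one lone host uses a legitimate IRC server; one web flow.
SAMPLE_FLOWS = """\
2005-06-17T02:14:01 10.0.1.15 203.0.113.9 6667 42
2005-06-17T02:14:05 10.0.1.22 203.0.113.9 6667 37
2005-06-17T02:14:09 10.0.2.7 203.0.113.9 6667 51
2005-06-17T02:14:12 10.0.3.40 203.0.113.9 6667 44
2005-06-17T02:15:30 10.0.2.7 198.51.100.77 7000 63
2005-06-17T02:15:33 10.0.3.40 198.51.100.77 7000 58
2005-06-17T02:15:41 10.0.5.1 198.51.100.77 7000 60
2005-06-17T02:16:00 10.0.9.9 192.0.2.50 6667 12
2005-06-17T02:16:10 10.0.1.15 192.0.2.10 80 8
2005-06-17T02:16:20 10.0.1.15 203.0.113.9 6667 40
"""


def parse_flows(text):
    """Parse the assumed record format into dicts, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, pkts = parts
        try:
            flows.append({"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
                          "dport": int(port), "packets": int(pkts)})
        except ValueError:
            continue  # unparseable address or number: ignore the record
    return flows


def candidate_c2(flows, min_drones=3):
    """Return {"dst_ip:port": {internal source ips}} for external IRC endpoints
    that at least min_drones distinct internal hosts connect to.

    Many internal machines fanning in to one outside IRC server is the signal
    the researchers look for; min_drones is an assumed tuning knob, since a
    single user on a public IRC network should not trip the detector."""
    fan_in = defaultdict(set)
    for f in flows:
        if (f["dport"] in IRC_PORTS and f["src"] in INTERNAL_NET
                and f["dst"] not in INTERNAL_NET):
            fan_in[f"{f['dst']}:{f['dport']}"].add(str(f["src"]))
    return {c2: drones for c2, drones in fan_in.items() if len(drones) >= min_drones}


def cross_infected(candidates):
    """Invert the candidate map to find drones talking to more than one C&C.

    Shutting down one server leaves these hosts under the control of the
    others, so they are the ones to prioritise for cleanup."""
    by_drone = defaultdict(set)
    for c2, drones in candidates.items():
        for drone in drones:
            by_drone[drone].add(c2)
    return {d: sorted(c2s) for d, c2s in by_drone.items() if len(c2s) > 1}


if __name__ == "__main__":
    c2s = candidate_c2(parse_flows(SAMPLE_FLOWS))
    for c2, drones in sorted(c2s.items()):
        print(f"candidate C&C {c2}: {len(drones)} drones -> {sorted(drones)}")
    for drone, servers in sorted(cross_infected(c2s).items()):
        print(f"cross-infected drone {drone} talks to {servers}")
```

On the constructed data the two rogue servers surface as candidates while the single legitimate IRC user and the web flow are ignored, and the two hosts that appear under both servers are reported as cross-infected. In practice the candidate list is what a researcher would hand to the ASN operator, and the cross-infected list is why, as Vaughn notes, taking down one server is not the end of the job.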

Thor Larholm, senior security researcher at PivX Solutions LLC, said Vaughn's data is a good indication of the scale of the botnet problem. Larholm, who also participates in the vigilante initiative, said the detection of new infections and C&Cs is leading to "active cooperation" between researchers and ISPs.

"A key part is to work with the ISPs to shut down Internet access to these compromised machines. A lot of the problem-solving lies in the hands of ISPs, and sometimes they can be slow-moving."
