• View
• Edit
• History
• Print

back to the article index Page feed

Botnets

Menu

• Nature
  • Spreading mechanisms
  • Hiding/Resistance mechanisms
  • Analysis/Counter measures
  • Motives/Context
  • Evolution
  • Observations/General description
  • Other
• Sources for news
• Potential studies
• Schemas
• How I (probably) got there

Nature

Spreading mechanisms

• Cracking down on Conficker: Kaspersky, OpenDNS join forces by Ars Technica, February 2009
  • spreading via
    • USB stick
    • crack the passwords of other local systems
    • network shared folders
  • new variant B++ to infect executables and provide backdoor
• automated exploit mining (already implemented?)
  • Metasploit provides useful information to people who perform penetration testing, IDS signature development, and exploit research
  • OSVDB The Open Source Vulnerability Database, independent and open source database created by and for the community.
  • Automatic Patch-Based Exploit Generation for CMU
  • Hackers Develop Automated Exploits by Stefanie Hoffman, ChannelWeb, April 2008
  • National Vulnerability Database, the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP)

Hiding/Resistance mechanisms

• Les Fast-Flux Networks : comment remonter à la source des attaques ? by Adrien Guinault for Xmco, 2008
• A twist in fluxnet operations. Enter Hydraflux by William Salusky for SANS Internet Storm Center, 2008
• As the Net Churns: Fast-Flux Botnet Observations by Jose Nazario (Arbor Networks), Thorsten Holz (University of Mannheim), 2008
• Know Your Enemy: Fast-Flux Service Networks (print version) by jamie.riden for The Honeynet Project, 2007
• Botnets: Reasons It's Getting Harder to Find and Fight Them by Bill Brenner for Network World, April 2009

Analysis/Counter measures

• Detection
  • Computer Virus Epidemiology by Hao Hu, Steven Myers, Vittoria Colizza, and Alessandro Vespignani
    • also check Parasites and Infectious Disease: Discovery by Serendipity and Otherwise (ISBN: 0521858828) Cambridge University Press 2007
    • Lessons for the Internet from Swine Flu: Bear with me! by Jose Nazario, Arbor Networks Security, April 2009
  • RUBotted by Trend Micro
  • Howto Track a botnet by snmpwalking by dni for destr0y, 2007
  • BotHunter, a passive network monitoring tool designed to recognize the communication patterns of malware-infected computers within your network perimeter
  • Botnet Detection Countering the Largest Security Threat, Advances in Information Security Vol. 36, Springer 2008
    • including A Taxonomy of Botnet Structures presented at ACSAC'07 as chapter 8
  • Botnet Population and Intelligence Gathering Techniques by David Dagon and Christopher Davis, Black Hat DC 2008, 2008
• Analysis
  • Dissecting the Kraken : An Analysis of the Kraken Botnet's Obfuscation Techniques, Joel Lathrop, Secure Science Research Division, September 2008
  • How I learned Reverse Engineering With Storm by Pierre-Marc Bureau at Recon 2008
  • Protocols and Encryption of The Storm Botnet by Joe Stewart, BlackHat USA 2008
  • An Analysis of Conficker's Logic and Rendezvous Points by SRI, 21 February 2009
• Counter-measures
  • 23C3: Automated Botnet Detection and Mitigation by Georg 'oxff' Wicherski, 23rd Chaos Communication Congress, 2006
  • query for DDoS mitigation provider (countering the classical botnet attack)
  • Phalanx: Withstanding Multimillion-Node Botnets, University of Washington, 2008
  • ITU Botnet Mitigation Toolkit (still under development as of March 2009, waiting for email reply)
• Take-over
  • Your Botnet is My Botnet: Analysis of a Botnet Takeover, UCSB Technical Report, April 2009
    • Targetting the Torpig botnet (which according to Wikipedia appeared around May 2007 and was already targeting financial information, see further for Business motives)
  • 25C3: Stormfucker: Owning the Storm Botnet, 25th Chaos Communication Congress, 2008
  • An Analysis of Botnet Vulnerabilities by Sean W. Hudson, Air Force Institute of Technology, 2007

Motives/Context

• The Scrap Value of a Hacked PC by Brian Krebs, Security Fix, May 2009
  • very complete overview including a mind-map to sum-up visually all the potential usages
• Direct business
  • Data harvesting, mainly financial data (credit card numbers, passwords, ...)
    • 25C3: Banking Malware 101 by Thorsten Holz, 25th Chaos Communication Congress, 2008
    • regarding financial data see also Your Botnet is My Botnet: Analysis of a Botnet Takeover on this same page
  • threats on service availability (extortion by stopping DDoS for money)
  • spam
    • Using Throttling and Traffic Shaping to Combat Botnet Spam (slides) by Ken Simpson, USENIX LISA '07, 2007
• Indirect business (Reselling, Renting)
  • Deux pirates vendent leur botnet 25.000 euros, Zataz, August 2008
  • The botnet business, by Vitaly Kamluk, Kapsersky Lab, May 13 2008
  • Mobile botnets and supporting business ~2007
  • Botnets as a Vehicle for Online Crime by Nicholas Ianelli and Aaron Hackworth, IJoFCS ~2005
• Warfare
  • Cyber Weaponization: Analysis of Internet Arms Development, Jason Gordon, infectionvectors.com, 2008
  • 25C3: Just Estonia and Georgia? by Gadi Evron, 25th Chaos Communication Congress, December 2008 and his older T242 - Estonia and Information Warfare, Defcon 15, 2007
  • Carpet bombing in cyberspace - Why America needs a military botnet, in Armed Forces Journal, May 2008
    • US Air Force Colonel Proposes Skynet, by Sean for F-Secure, May 2008
    • UNTAME (Ubiquitous Network Transient Autonomous Mission Entities) from the Oak Ridge National Laboratory (Contact: Ron Walli, no public webpage), February 2009
    • SILENT STORM – Distributed Active Response System for Cyber Defense fact sheet of 2008 from the same laboratory "SILENT STORM nodes are based upon leveraging the Ubiquitous Network Transient Autonomous Mission Entity (UNTAME) system developed at ORNL over the past 10 years."
      • Washington, DC - October 21-22, 2008 presentation covering usage and architecture
  • Kremlin-backed group behind Estonia cyber blitz by Charles Clover, FinancialTimes, March 2009
  • Information Warfare Monitor by The Secdev Group and the Citizen Lab
  • Analyst: cyberwarfare arms race with China imminent by Ryan Paul, Ars Technica, May 2009
    • based on a report by Technolytics which published work on Cyber Military Resources/Weapons Threat Matrix/Warfare Doctrine/...
• Political activism
  • Politically motivated Distributed Denial of Service attacks, Jose Nazario, Arbor Networks Security, 2008
  • DDoS applications becoming democratized, tools of protest by Adam O'Donnell for ZDnet, March 2009
  • End-Users Put Their Machines at the Disposal of Russian Hackers by Denisa Ilascu, August 2008
  • helpisraelwin.tk proposing to
    • "download and install the file from [their] site. The file is harmless to your computer and could be immediately removed. There is no need for identification of any kind - anonymity guaranteed!"

Evolution

• World's most powerful supercomputer goes online (fwd) by Jay Sulzberger, Full Disclosure 2007
• Timeline of computer viruses and worms from Wikipedia
  • annotate for each the novelty introduced
• First Came Geo-awareness, Then Came Geo-Aware Malware by Sarah Perez, RWW, March 2009
• new platforms
  • Mobile botnets: an economic and technological assessment, Maarten Vanhorenbeeck, 2007
• Malware Phylogenies, Software Research Laboratory (SRL) at the University of Louisiana at Lafayette
• Malware Phylogeny, DataRescue's IDA disassembler applied to computer virus phylogeny, Biowiki

Observations/General description

• Botnets in 2010 by Thorsten Holz, SIGINT10
• Chapter 7 : Bot networks of Crimeware: Understanding New Attacks and Defenses by Addison-Wesley, 2008
• Security Now! Podcast #193 : Conficker, GRC, April 2009
• An Analysis of Conficker C, SRI International (Last Update: 4 April 2009)
• Network Bluepill - stealth router-based botnet has been DDoSing dronebl for the last couple of weeks by nenolod, DroneBL Blog, March 2009
  • example of hardware default Password List (updated only in 2008)
• Technical details of Srizbi's domain generation algorithm for FireEye Malware Intelligence Lab, November 2008
• Video Tutorials on Malware Analysis (botnets and rootkits) by WatchGuard
• Botnets according to Shadowserver Foundation, last modified on November 2007
• bots and botnet an overview by SANS, 2003
• Archived version of GRC report on bonet ~2001
• Build your own botnet with open source software, Enomaly, March 2008
• VX Chaos Bot and Botnets file server section, (2004-2008)
• How to Make a Botnet from Partyvan W/i/ki, started in October 2008, last update when checked in April 2009
• Visualizations
  • Visualization and annotations with What a Botnet Looks Like by David Vore and Scott Berinato, May 2008
  • Visualizing Waledac by jeremy, sudosecure.net, February 2009
• Botnets, Part 1: Why They Strike and How to Defend Against Them > The Botnet Threat by Carolyn Meinel, InformIT, December 2008
  • Botnets, Part 2: Emerging Threats, Tactics, and Defenses > Botnet Detection in the Core by Carolyn Meinel, InformIT, December 2008
• Botnets: The Killer Web App, Syngress, 2007
  • pretty good coverage but (logically) quickly outdated
• The Enemy Within by Mark Bowden, The Atlantic June 2010

Other

• cf ~/logs
• emails
  • http://www.honeynet.org/papers/bots/
    • http://www.honeynet.org/book/export/html/50
• subscribed blogs
  • delicious tag
• OpenFlow or the potential to directly hack from the hardware standpoint
  • subscribed to a dedicated RSS feed for the appearance of the keyword botnet on the website
• E. W. Fulp Publications on security including Trust Management in Swarm-Based Autonomic Computing System
• Inside Cyber Warfare - Mapping the Cyber Underworld by Jeffrey Carr, O'Reilly December 2009
• L’Internet est-il geopolitique ? (part 1 of 2, part 2 of 2), Le Dessous des Cartes, Arte April 2010
  • mainly part 2 on "Criminalité, terrorisme, guerre, censure... Internet semble devenir le lieu de tous les dangers. Les conflits actuels y sont amplifiés et ceux de demain y trouveront peut-être leur origine."
• Kingpin by Kevin Poulsen, February 2011

Sources for news

• Botnet Research by FireEye Malware Intelligence Lab, started in April 2008
• "Botnets" tagged articles from Arbor Networks Security, started in April 2006
• links tagged "botnet" on Delicious
• Publications from the Cooperative Cyber Defence Centre of Excellence (CCD COE) Tallinn, Estonia
  • created after the May 2007 incidents in Estonia (cf Warfare in the Motives/Context section)
• Cyber-warfare Archives from Defense Tech (by Military.com)
• FireEye Malware Intelligence Lab Threat research, analysis, and mitigation
• The Day Before Zero Damballa’s Ongoing Conversation About Targeted Attacks
• Andre M. DiMino on Twitter follows botnets and malware threats at Shadowserver

Potential studies

• economy framework, value/utility of hosts
  • h0 : based on quantity anyway so +1 bad is still +1
  • but still server>cable>adsl>dialup (based on uptime+upload bandwidth)
    • specialization mechanisms?
• knowledge transfer between botnet/p2p with an evolutionary epistemologic framework (see our drive page)
  • its potential automation
    • see "automated/boosted evolutions" later on
  • evidences
    • emergence of functionnalities/behavior on the running software and correlation with the appearance time in the other community
    • studying social places (forum, chats, etc...) but that could be idealized so it shouldn't be limited to that
  • can one side use the anticipated arm-race to gain a decisive edge?
    • the risk of being in the public side and publishing the work ;)
  • To transfer or not to transfer, NIPS 2005 Workshop on Transfer Learning
• "phylogenetic-like" study of the botnets (eventually inspired by ALife studies)
  • what were the features kept over time
  • the share source codes
• automated/boosted evolutions
  • generic source code mining
    • The Sourcerer Project from UC Irvine
    • Automated Software Engineering Research Group from North Carolina State University
      • Improving Software Productivity and Quality via Mining Program Source Code
      • UnitPlus
  • SELF program from DARPA (see announce from The Register, June 2009)
    • presentation for the IPTO of SELF: Self-Explanation Learning Framework by Michael T. Cox, January 2009
  • that could eventually makes use of Self-Programming: Operationalizing Autonomy by Eric Nivel and Kristinn R. Thórisson presented during AGI'09
• biomimicry
  • Journal of Advances in Virus Research, Elsevier
• Exploiting virtualization
  • Malware type III by Joanna Rutkowska
    • later become Blue Pill Project from her new Invisible Things Lab
  • Vitriol rootkit presented during Hardware Virtualization Rootkits by his Dino A. Dai Zovi author during Black Hat 2006
  • SubVirt presented in IEEE Security and Privacy 2006
  • Taming Virtualization
• implementation of pattern of nodes as communication rather than message getting passed along or found in a central location (message = timing rather than content)
  • benefits : much harder to reverse engineer as multiple protocols can be used and content of the packet do not matter anymore (it is not steganography)
  • inspiration : video on reverse engineering in Recon'08 + brain neural network and absence (or at least not during the whole time) of symbols
  • see the related : [0905.0363] Hiding Information in Retransmissions, May 2009
    • RSTEG (Retransmission Steganography) to not acknowledge a successfully received packet in order to intentionally invoke retransmission. The retransmitted packet carries a steganogram instead of user data in the payload field.
      • comment on Steganography Using TCP Retransmission by Craig that is closer to my initial idea, Schneier on Security, May 2009
• inclusion of automated services based on human labor hired on the fly for small tasks (AmazonTurk, Decaptcher, ...) within a botnet
  • example : extracting financial data from a local node without having to centralize and involve the bot herder directly in "delicate" tasks
  • related resource : our article on Online outsourcing
  • inspiration : previous studies on AAI (Artificial Artificial Intelligence), AmazonTurk and finally the ractor network in The Diamond Age
• leveraging existing P2P networks
  • to fetch vast amount of new nodes very fast
  • A New Worm Propagation Threat in BitTorrent Modeling and Analysis by Sinan Hatahet, Abdelmadjid Bouabdallah, Yacine Challal, Proceedings of the II International Multiconference on Computer Science and Information Technology 2008
  • BitTorrent Worm Sensor Network : P2P Worms Detection and Containment by by Sinan Hatahet, Abdelmadjid Bouabdallah, Yacine Challal, International Conference on Parallel, Distributed, and network based Processing 2009
• social network mining
  • Honeybot, Your Man in the Middle for Automated Social Engineering by Tobias Lauinger, Veikko Pankakoski, Davide Balzarotti, Engin Kirda EURECOM Sophia-Antipolis, France
  • Researchers develop “HoneyBot”, Social Engineer IRC Users automatically, IRC-Junkie.org June 2010
    • http://seclab.tuwien.ac.at/papers/autosoc-leet2010.pdf
    • Home of the Worlds Best Chat Bot 2009 Loebner Prize

Schemas

(:pmgraphviz -- digraph { "drive" -> "writing"; "drive" -> "injection" [label="use of existing code"]; "writing" -> "injection"; "injection" -> "propagation"; "propagation" -> "propagation" [label=" +=1 machine"]; "propagation" -> "stagnation"; "stagnation" -> "stagnation" [label=" stealth wait for request"]; "stagnation" -> "propagation"; "stagnation" -> "synchronization" [style=dashed]; "stagnation" -> "action"; "synchronization" -> "action" [style=dashed]; "stagnation" -> "upgrade" [style=dashed]; "writing" -> "upgrade" [style=dashed]; "upgrade" -> "stagnation" [style=dashed]; "synchronization" -> "stagnation" [style=dashed]; "action" -> "stagnation"; } :)

See more detailed schemas to go further.

How I (probably) got there

1. security (virii/worms)
2. p2p
3. distributed computing (seti@home)
4. freenet
5. the "curious yellow" philosophical idea
   1. "implementation of in-the-cloud technology which is the final result of years of experience using this community database technology [...] has helped many people by intercepting and blocking new infections days, weeks, before they could have been manually analyzed and a signature would have been added manually by an analyst." from Real-World Example of In-the-Cloud Technology by Marco Giuliani, Prevx, Januart 2009
   2. The White Botnet by nikunj, Odyssey, April 2009 (few mails exchanged and even a post from the reply ;)
6. evolution of security?
   1. having a botnet tried to gather information on my newly bought server! /w00tw00t.at.ISC.SANS.DFind:)