Sign In

Communications of the ACM

News

The War Against Botnets


botnet illustration

Credit: Hyperakt

At this moment, millions of people around the world are happily using their computers without realizing their system has been hijacked. While they are answering email or browsing Web sites, cybercriminals are surreptitiously using their computer to wreak havoc across the Internet—and beyond. The computer may be unleashing a torrent of spam, inflicting denial-of-service (DoS) attacks, or engaging in other malicious acts, such as stealing passwords, trade secrets, and personal information.

Welcome to the nefarious world of botnets. "The sophistication level is getting ratcheted up," states Merrick Furst, Distinguished Professor at Georgia Tech's College of Computing. Botnet code, which usually ranges from a few hundred to a few thousand bytes, infiltrates computer systems and provides a means of hijacking or controlling those machines to perform illegal tasks. Between 5%–10% of all Internet Protocol addresses have devices infected with some form of malware. Bots generate the vast majority of the spam that clogs computers and networks, Furst says.


Last June, TDL4—the fourth generation of a Windows PC botnet that first appeared in 2008—surfaced. It is difficult to detect and, so far, impossible to stop.


But the stakes have suddenly grown. Last June, TDL4—the fourth generation of a Windows PC botnet that first appeared in 2008—surfaced. Researchers noticed immediately that the TDL4 botnet, also referred to as TDL-4 and TDSS (a string of characters that the malware generated when it dropped component files and registry entries in earlier versions), is difficult to detect and, so far, impossible to stop. The code hijacks a personal computer, eludes anti-malware applications, and uses custom encryption to control computers. Antivirus company Kaspersky Lab has described TDL4 as the "most sophisticated threat today." It is believed to have infected five million or more computers.

Back to Top

Under Attack

Although viruses, worms, Trojan horses, and rootkits have all made their mark over the last decade, security analysts are increasingly concerned about the impact of botnets. Many use social engineering techniques—including promises of photos of naked celebrities or free movies or music—that trick individuals into clicking a link or downloading a file. Furst says botmasters also use Google AdWords and banner ads to entice surfers to follow links or visit URLs that download bot code to their computer. As quickly as organizations like Google snuff out the fake ads, new ones appear.

Roel Schouwenberg, a senior researcher at Kaspersky Lab, says that while there is no way to know the exact scope of the problem, it is likely that hundreds of millions of computers worldwide belong to botnets. Making matters worse is that the perpetrators are not just hackers looking to take over computers and generate spam. "The bots are created and spread by criminals looking to monetize machines," says Schouwenberg. "They're increasingly looking to steal identities, credit card numbers, and trade secrets."

These computers—referred to as zombie systems—lie in a dormant state until the perpetrator of the attacks—a.k.a. the "botmaster"—decides to unleash them. Then, with stealth abandon, they pursue their mission without users of infected computers knowing. "These types of programs surreptitiously spread themselves and create networks that are far more powerful than groups of independently infected systems," observes Ira Winkler, a computer consultant and former U.S. National Security Agency analyst who is author of Spies Among Us: How to Stop the Spies, Terrorists, Hackers, and Criminals You Don't Even Know You Encounter Every Day.

But TDL4 is raising the stakes and ushering in a new era of complexity and risk. "TDL4 is an evolution in the design of botnets," says A.L. Narasimha Reddy, J.W. Runyon Professor in the Department of Electrical and Computer Engineering at Texas A&M University. "It combines rootkit and botnet features. TDL4 seems to communicate directly with command and control servers [that crooks use to manage the bot network], but it also communicates through a peer-to-peer network."

TDL4 relies on an array of methods to evade the signature, heuristic, and proactive detection that antivirus programs typically use. It loads before the operating system starts. Communication between the command center and the bots is encrypted, and when TDL4 detects that a command and control server has been taken out, it automatically locates another server. In addition, a rootkit hides the presence of other types of malware in the code. Kaspersky Lab security analysts Sergey Golovanov and Igor Soumenkov say they have found evidence of a malicious SHIZ program embedded in the TDL4 code. It causes search engine redirects to sites that download malware and infect other systems.


"The bots are created and spread by criminals looking to monetize machines," says Roel Schouwenberg. "They're increasingly looking to steal identities, credit card numbers, and trade secrets."


In fact, Kaspersky Lab describes TDL4 as an attempt to design indestructible malware. Although the antivirus company offers an anti-rootkit utility named TDSSKiller that cleans an infected system, eliminating TDL4 is almost impossible. "The botnet uses a hybrid approach that makes it next to impossible to take down," Schouwenberg says. "It is extremely stealthy—you don't see any of its files on a system—and you don't see any [typical] traffic on an infected system. This, combined with peer-to-peer capabilities, changes the stakes."

The TDL4 plague appears to be growing worse. In October, researchers discovered the malware was being rewritten and modified to make it more resilient to antivirus detection and removal. Some components, including its kernel-mode driver and user-mode payload, had changed. Moreover, the rootkit now creates a rogue partition on a computer to ensure its components are intact.

"The damage TDL4 can do is the same as what other botnets could do in the past," says Leyla Bilge, a researcher at International Secure System Lab. "They could steal information, they could attack another system, and they could send spam." The difference, she says, is that it is becoming more difficult to protect systems against botnets and put malware out of operation using conventional detection and mitigation tools. "We are engaged in an arms race," she concludes.

Back to Top

Defense Mechanisms

Battling botnets is an increasingly difficult proposition. As a result, researchers are attacking the problem from a number of different angles. At Texas A&M University, Reddy and a team of researchers have developed a technique that detects botnets—including more common varieties like Conficker, Kraken, and Torpig—that rely on so-called domain-fluxing or polymorphic Domain Name System (DNS) methods to evade detection. Domain-fluxing bots typically generate random domain names, but only one of them is real. For instance, Conficker-C generates up to 50,000 random domain names per hour. This makes it extraordinarily difficult to find, identify, and eradicate the bot.

Researchers typically reverse-engineer bot malware to understand the domain generation process and reach the command and control server. However, it is a slow and tedious task. Instead, Reddy's approach examines the pattern and distribution of alphabetic characters in a domain name to determine whether it is malicious or legitimate. The researchers analyze DNS traffic to spot domain names the bot generates through an algorithm. "It can detect previously unknown botnets by analyzing a small fraction of the network traffic," Reddy says. In fact, Carnegie Mellon University's CERT research lab plans to distribute a tool based on this approach.

Bilge and other researchers at International Secure System Lab are taking a different approach. They have developed a tool called Exposure that identifies malicious domains by analyzing traffic patterns and abnormalities within the DNS. Telltale signs include domains that suddenly appear and then disappear immediately following an attack and domains comprised of many numbers but few meaningful words. Exposure sorts through data from known malicious domains and, once trained, uses the patterns to recognize botnet sites. In a test with a French Internet service provider (ISP), it ferreted out more than 3,000 malicious domains.

Meanwhile, Zhi-Li Zhang, Quest Chair Professor in the Department of Computer Science and Engineering at the University of Minnesota, is focusing on alternating and changing domain names in a different way. In order to spot botnets, Zhang's research team examines failed DNS queries. When a large number of failures occur it is frequently a sign that a botnet exists. The challenge, he admits, is identifying which failures are caused by bots rather than other factors. Nevertheless, "the more we can disrupt the command and control channel, the more difficult it is for the bot to succeed," Zhang says.

Over the last few years, law enforcement agencies and a handful of companies, most notably Microsoft, have successfully taken down bots. In September, for example, Microsoft turned to the U.S. federal court system to shut down command and control servers running the Kelihos botnet. The company obtained a court order to pull the plug on 21 domains associated with the botnet, which is suspected of controlling 50,000 or more zombie machines. Microsoft was also instrumental in a takedown of the Rustock botnet earlier in 2011 and the Waledac botnet in 2010.

However, the botnet scourge is not going away anytime soon. Bilge believes future botnets will be even more sophisticated and problematic. Indeed, "the infection medium is likely to switch from computers to mobile phones. Malware authors are always attracted to the systems that are most widely used," she notes. Another potential problem is cloud computing environments, which, lacking adequate protection, have put powerful resources at the fingertips of cyber-crooks, enabling them to spread malware even more quickly.


In order to spot botnets, Zhi-Li Zhang's research team examines failed DNS queries. When a large number of failures occur, it is frequently a sign that a botnet exists.


Zhang says better DNS security is required, including name authentication. "It would make things easier if we could detect unsavory Web sites, or other domain names associated with command and control servers." In addition, "we have to figure out better ways to monitor and filter suspicious traffic," he says. "The difficult thing is that the Internet is diverse and traffic travels all over the world. Getting people to protect machines and ISPs to monitor sites is extraordinarily difficult." Unfortunately, in many cases, there is little or no economic incentive to protect these devices and sites.

In the end, a coordinated approach—using technology tools such as honeypots, traffic analysis, and binary analysis combined with increased law enforcement and user awareness—offers the best chance for success. Yet as long as humans can be duped into clicking a malicious link or opening an infected file, the problem will persist. Perhaps the most important question is how big will the problem become before governments, ISPs, and the computer science community takes the problem seriously.

Back to Top

Further Reading

Bhatia, J.S., Sehgal, R.K., and Kumar, S.
Honeynet based botnet detection using command signatures, Advances in Wireless, Mobile Networks and Applications, Al-Majeed, S.S., Hu, C.-L., and Nagamalai, D. (Eds.), Springer-Verlag, Berlin and Heidelberg, Germany, 2011.

Yadav, S., Reddy, A.K.K., Reddy, A.L.N., and Ranja, S.
Detecting algorithmically generated malicious domain names, 2010 Internet Measurement Conference, Melbourne, Australia, Nov. 1–3, 2010.

Yin, C.Y., Ghorbani, A.A., and Sun, R.X.
Research on new botnet detection strategy based on information materials, Advanced Materials Research 282–283, July 2011.

Zhang, J., Luo, X., Perdisci, R., Gu, G., Lee, W., and Feamster, N.
Boosting the scalability of botnet detection using adaptive traffic sampling, Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, Hong Kong, March 22–24, 2011.

Back to Top

Author

Samuel Greengard is an author and journalist based in West Linn, OR.

Back to Top

Figures

UF1Figure. Distribution of TDL4-infected computers by country.

Back to top


©2012 ACM  0001-0782/12/02  $10.00

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and full citation on the first page. Copyright for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or fee. Request permission to publish from [email protected] or fax (212) 869-0481.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2012 ACM, Inc.


 

No entries found