Wesley Cawman, Won Yi

Evolving Security: Botnet Integration

IT 4444: IT Capstone

April 27, 2011

Table of Contents

Abstract
Introduction
Body
  Expansion of Internet Users
  Botnets
  Future Trends
  Proposed Uses
Conclusion / Future Work
References

Evolving Security: Botnet Integration

Wesley Cawman, Won Yi

Computing & Technology Department, Cameron University, Lawton, Oklahoma, USA

Abstract—If we want our systems to remain secure today, we have to secure them the same way our attackers are penetrating them. In order to do this, security has to evolve beyond what it is today. Security has to step past the defensive realm and into the offensive domain, using bots and botnets to secure our systems beyond anything we have ever done before.

Keywords: Security, Bots, Botnets

Introduction

The main player in securing computer systems has, in the past, been humans aided by programs. This partnership has not been one where humans can simply set programs and forget them. The human factor in this partnership has always been the delegator as well as the main workforce, while the programs aiding us merely perform the commands we give them. Why does the act of securing our systems rely so much on the human factor, while those actively penetrating our systems rarely rely on the human factor to get their job done? The process of securing our systems against intruders can no longer be done the way it has always been done; this is no longer good enough. This paper seeks to persuade security professionals to secure their systems offensively with the aid of bots and botnets, and it also aims to persuade those actively defending our country through cyber warfare activities to add bots and botnets to their arsenal. Some of the latest sources on the inside suggest that those in charge of dictating what cyber warfare is exactly are having a hard time defining the term or their role in it. Cyber warfare stemmed from what was once called information warfare, in which electronic communications and the Internet were used to disrupt a country’s telecommunications, power supply, transport systems, and so on [21, 22, 23, 24]. Cyber warfare today can be defined as the use of computers and other devices to attack an enemy’s information systems, as opposed to an enemy’s armies or factories [5, 7, 8, 25]. These definitions are mostly vague, but they do suggest that these activities are conducted for the most part by humans against a nonhuman opponent. This would not be such a bad thing if we understood our role in cyber warfare, or if we were fighting human against human in cyberspace, but neither of these is true. We are currently fighting a battle in which we do not understand what we are supposed to do, and because of that we are fighting man against program and losing the battle.

General Keith Alexander of Cyber Command and others have noted that the United States significantly lacks the manpower to fend off any real cyber-attacks against our homeland or allies [11]. With that said, even with more and more young men and women signing up in the Armed Forces to aid in this battle, no amount of manpower will ever be enough if they keep fighting man against program. A program does not need to eat or sleep, and for this reason we need to begin fighting program against program, or in other words bot against bot.

The first section in the body of this document will look at a few statistics on the alarming growth in the number of Internet users today. Then we will look at a few statistics about botnets and discuss their explosive growth in the last part of 2010. The majority of this document will look at the different functions of bots and botnets, defining different types of bots and looking at which attributes made the better-known bots successful. The main body of this paper will end with a proposal for different botnet prototypes to implement on both the offensive security front and the cyber warfare front. This paper will conclude with a section suggesting future studies in “thinking outside of the box,” “other things botnets can do,” and “research for botnets on mobile devices.”

1. Expansion of Internet Users

79.66% of the total population of the United States accesses the Internet on a regular basis, which is around 247,890,434 out of 311,185,581 people [1, 2]. Looking at world statistics, 30.72% of the total population accesses the Internet on a regular basis, which is around 2,128,038,074 out of 6,928,189,253 people [2, 3]. Even though the U.S. has an Internet user percentage close to 80% in 2011, those users make up only about 12% of the total Internet users around the world [1, 2, 3, 17, 18, 19]. It is important to point out that regions with higher Internet user percentages tend to sponsor a larger percentage of attacks, threats and vulnerabilities than regions with fewer Internet users per capita. As such regions become more common, the total number of vulnerabilities cataloged will increase significantly [4, 10, 14].

Table: U.S. and world Internet users by year

Year  U.S. Pop.    U.S. Users   U.S. % Pop.  World Pop.     World Users    World % Pop.  U.S. Users / World Users
2000  281,421,960  124,000,000  44.06%       6,089,648,784  393,420,161    6.46%         31.52%
2001  285,317,559  142,823,008  50.06%       6,166,108,367  494,365,743    8.02%         28.90%
2002  288,368,698  167,196,688  58.19%       6,242,347,736  673,723,065    10.79%        24.82%
2003  290,809,777  172,250,000  59.23%       6,317,998,040  783,061,780    12.39%        22.00%
2004  293,271,500  201,661,159  68.76%       6,393,741,245  909,603,748    14.23%        22.17%
2005  296,507,061  203,824,428  68.74%       6,469,688,764  1,036,367,766  16.02%        19.67%
2006  299,398,484  207,970,356  69.46%       6,546,299,902  1,159,344,058  17.71%        17.94%
2007  301,967,681  212,080,135  70.23%       6,623,914,961  1,374,566,869  20.75%        15.43%
2008  303,824,646  220,141,969  72.46%       6,700,983,106  1,602,486,278  23.91%        13.74%
2009  307,232,863  227,719,000  74.12%       6,776,763,237  1,832,779,793  27.04%        12.42%
2010  310,232,863  239,810,003  77.30%       6,852,472,823  1,966,514,816  28.70%        12.19%
2011  311,185,581  247,890,434  79.66%       6,928,189,253  2,128,038,074  30.72%        11.65%

2. Botnets

The word bot originated from the word robot, which referred to an automated software program that performed specific tasks on a network with some degree of autonomy [9, 26]. Out of this basic design, bots can be crafted to perform beneficial and vital functions, or destructive ones. A positive example of bots is the spiderbots [12] that Google, most notably, and other search engines use to index web pages for searching and to keep the most up-to-date listings of those pages. The SETI@HOME program [13] is a positive example of botnet usage, where participants voluntarily install bots on their computers to take advantage of free resources when they become available, in an effort to analyze radio telescope data for evidence of intelligent extraterrestrial life. More recently, however, bots and botnets have been used for mostly malicious purposes. Bots are installed unwillingly and completely unknown to the average user and assembled into entire networks of compromised computers (botnets) that are then remotely and secretly controlled by one or more individuals, called bot-herders [9, 26]. It was estimated in 2008 that around one in four personal computers in the United States was infected by a botnet, which in turn could be used as a zombie computer to distribute further attacks, execute code to send spam, host and distribute malware or other illegal files, or steal the identities of its users [9, 15, 26]. Today the estimates are closer to one in three computers around the globe being infected with at least one botnet, and in 2010 alone there was a 654% growth in the total number of unique botnet victims towards the end of the year, as compared to the beginning of 2010 [6]. The popularity of always-on Internet services such as residential broadband has only assisted the spread of bots, creating larger botnets by the second. It also assures bot-herders that a large percentage of the computers in their botnet will remain accessible at any given time.

Botnets have become the perfect base of operations for computer criminals [9]. These bot programs are designed to operate under the radar, without any detectable evidence of their existence. Even the few paranoid security experts out there who notice when anything changes on their system, and always strive to have the most up-to-date and secure system, might not stand a chance against becoming another botnet victim. Depending on the nature of the bot, the attacker may have almost as much control over the victim’s computer as the victim has, or perhaps more [9]. Not only can bot-herders have administrative privileges on their victim’s computer, but with that they can remain in the background for years while keeping their bots up-to-date and operational against the latest security patches.

The botnets we experience today can trace their origins back to the creation of the first Internet Relay Chat (IRC) networks [9, 26]. IRC was designed as a real-time Internet chat protocol for many-to-many, group communication. The design of IRC was centered on channels, which users from around the world could access to communicate with others in a text-based discussion forum. Servers would host numerous channels in these IRC networks, and these servers would be located in various locations throughout the world for users to connect to and communicate. The channels would be administered by channel operators, and these operators held the ability to block or eject disorderly users from discussion forums. To expand beyond the basic functions of IRC, some channel operators developed automated scripts, or IRC bots, to assist in logging channel statistics, running games, and coordinating file transfers. As IRC networks became more popular, the number of users attending discussion forums increased, as did the number of conflicts between users. The growing conflict between users often led them into battling for operator status of popular channels. IRC networks were designed in a way that once every designated channel operator disconnected from a channel, another user on the channel would automatically be assigned as the operator and have full control of the channel. In an effort to gain control of popular channels, malicious users began creating scripts that would come to perform the first denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks on IRC servers. Malicious attackers would target specific servers used by channel operators and use their DoS or DDoS scripts to force an operator offline. Once an operator was forced offline, the malicious attacker or someone else could then gain operator status. In time, the same bots that once executed DoS or DDoS scripts against operators began to execute these same scripts against targeted individual users [9].

Once malicious attackers began targeting specific users, the IRC bots developed one step further into a class of bots that are considered Command and Control (C&C) bots today. These C&C bots are first implanted on a user’s system by means of malware [9, 26]. Once active on the user’s system, the C&C bot secretly connects to a remote IRC server using its integrated client program and waits for instructions. The malicious attacker serving as channel operator can then command the bots to collect information from their victims’ computers. This information can include operating system information and the latest patch versions, the computer’s name, the users’ sign-in names, email addresses, nicknames, and dial-up user names and passwords [9]. With time this C&C technology was enhanced by users and led to the development of more sophisticated bots with additional attack methods. The original IRC-based C&C functions are still seen in a majority of the current generation of IRC-based bots in operation today, and are still quite effective. Another reason botnets have become so attractive to cybercriminals is that they provide an effective mechanism for covering all traces of the bot-herder. Trying to trace the origin of an attack will, for the most part, just lead you right back to the compromised computer of an innocent user; this problem makes it hard for investigators to proceed any further. Organizations like Damballa Inc., however, are pioneers in the fight against cybercrime. Damballa currently develops and deploys new C&C detection technologies that increase its ability to detect additional categories of stealthy botnet deployments [6]. As referenced above, the second half of 2010 saw a rapid expansion in the overall number of unique botnet victims. This arose out of the rapid evolution of many popular botnet Do It Yourself (DIY) construction kits and the increased availability of feature-rich browser exploit packs, and cybercriminals providing specialized malware distribution services became more proficient at installing bot agents on behalf of their customers (i.e. botnet operators) [6].
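As an added example (written for this page, not taken from this paper or the sources it cites), the Python below looks at the IRC C&C pattern described above from the defender's side: given client-to-server IRC messages observed on a network, it flags channels where many hosts join and then sit silent while a single operator speaks, and where the members' nicks are stamped from one template. The thresholds, the function name and the sample traffic are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Client-to-server IRC commands of interest (RFC 1459 message syntax).
NICK_RE = re.compile(r"^NICK\s+:?(\S+)")
JOIN_RE = re.compile(r"^JOIN\s+:?(#\S+)")
PRIVMSG_RE = re.compile(r"^PRIVMSG\s+(#\S+)\s+:")

def analyse_irc(events, min_members=5, max_talker_ratio=0.2, min_template_share=0.8):
    """Flag channels that look like C&C fan-out: many members that never speak
    (they only sit and wait for instructions) and nicks stamped from one
    template. `events` holds (client_ip, raw_line) client->server messages."""
    members = defaultdict(set)   # channel -> client IPs that joined it
    talkers = defaultdict(set)   # channel -> client IPs that sent PRIVMSG to it
    nicks = {}                   # client IP -> last nick it registered
    for ip, line in events:
        if m := NICK_RE.match(line):
            nicks[ip] = m.group(1)
        elif m := JOIN_RE.match(line):
            members[m.group(1)].add(ip)
        elif m := PRIVMSG_RE.match(line):
            talkers[m.group(1)].add(ip)
    findings = []
    for chan, ips in members.items():
        if len(ips) < min_members:
            continue
        reasons = []
        speaking = len(talkers[chan] & ips)
        if speaking / len(ips) <= max_talker_ratio:
            reasons.append(f"{len(ips)} members but only {speaking} ever speak")
        # Nick template check: strip digits so 'USA|XP|4821' and 'USA|XP|0937' collide.
        stems = defaultdict(int)
        for ip in ips:
            stems[re.sub(r"\d+", "", nicks.get(ip, ""))] += 1
        stem, count = max(stems.items(), key=lambda kv: kv[1])
        if stem and count / len(ips) >= min_template_share:
            reasons.append(f"{count} nicks share the template '{stem}<digits>'")
        if reasons:
            findings.append((chan, reasons))
    return findings

# Constructed sample traffic (not a real capture): one suspected C&C channel
# with a single talking operator, and one ordinary chat channel.
SAMPLE_EVENTS = [
    ("10.0.0.1", "NICK herder"), ("10.0.0.1", "JOIN #upd8"),
    ("10.0.0.11", "NICK USA|XP|4821"), ("10.0.0.11", "JOIN #upd8"),
    ("10.0.0.12", "NICK USA|XP|0937"), ("10.0.0.12", "JOIN #upd8"),
    ("10.0.0.13", "NICK USA|XP|5510"), ("10.0.0.13", "JOIN #upd8"),
    ("10.0.0.14", "NICK USA|XP|7766"), ("10.0.0.14", "JOIN #upd8"),
    ("10.0.0.15", "NICK USA|XP|1208"), ("10.0.0.15", "JOIN #upd8"),
    ("10.0.0.1", "PRIVMSG #upd8 :.sysinfo"), ("10.0.0.1", "PRIVMSG #upd8 :.ver"),
    ("10.0.1.21", "NICK alice"), ("10.0.1.21", "JOIN #linux"),
    ("10.0.1.22", "NICK bob"), ("10.0.1.22", "JOIN #linux"),
    ("10.0.1.23", "NICK carol"), ("10.0.1.23", "JOIN #linux"),
    ("10.0.1.24", "NICK dave"), ("10.0.1.24", "JOIN #linux"),
    ("10.0.1.25", "NICK erin"), ("10.0.1.25", "JOIN #linux"),
    ("10.0.1.21", "PRIVMSG #linux :new kernel out"), ("10.0.1.22", "PRIVMSG #linux :works here"),
    ("10.0.1.23", "PRIVMSG #linux :same"), ("10.0.1.24", "PRIVMSG #linux :not yet"),
]
```

Running `analyse_irc(SAMPLE_EVENTS)` reports only `#upd8`, with both reasons; the ordinary channel, where most members talk and nicks are unrelated, is left alone. Both heuristics are coarse on their own (a quiet announcement channel can also be mostly silent), so they are best used as a triage signal to be confirmed against the hosts' other behaviour.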

Botnets around the world today are said to be divided between two families. The first family of bots is those that are closely controlled by individual groups of attackers. The second family of bots is produced by malware kits. These malware kits range from freely available open source kits to kits developed by individual groups and sold like legitimate commercial software products that even come with support agreements [9]. The existence of botnet kits makes it difficult for security researchers to estimate the exact number and size of botnets currently in operation. Because of these kits, one variant of botnet may not be controlled by one individual or group, but instead by an unidentified number of separate botnets controlled by different people altogether, some of which might encompass just a handful of computers. This makes it hard for security professionals to pinpoint the exact core of the problem and attempt to remove the operator from these IRC-based botnets [9, 26].

3. Future Trends

Tim Wilson of Information Week predicts the following trends for botnets in the near future. Concurring with the information developed by Damballa, overall botnet activity picked up in the latter part of 2010, and because of the recent surge in DIY botnet kits, botnets are predicted only to increase in size and severity. Large botnets will become more aggressive in their attempts to capture more computers to command at will, and because of this, Wilson predicts botnets will get to the point where they attempt to steal computers from competing botnets. In obtaining as many computers as possible, these larger botnets will continue to patch their controlled computers to defend them from being taken over by competitors. Because of the huge popularity of social networking sites, those sites will become the command points for botnets in the future. Programs similar to SETI@HOME will be developed where users can opt in personal computing resources to take part in politically based botnet activity. Even the smaller botnets will become more effective, as they will be harder to detect while users continue to improve upon current open source botnets [20].

4. Proposed Uses

In a paper presented at the most recent USENIX Symposium by several researchers at the University of Washington, a new proposed use for friendly botnets arose. Some could compare this idea to how the military operates detached from the Internet while still filtering sought-after intelligence moving across it. The idea proposed at this Symposium was to use friendly computers in a botnet structure to protect servers and websites from outside threats. This “phalanx,” as it is called, would place a swarm of friendly computing systems in front of web sites and servers [16]. All communications intended for these sites and servers would pass through this cluster of systems, and the data would only be passed on to the server at the server’s request.

With the phalanx in place, the idea is that the phalanx would stop most of the traffic from an attempted DoS or DDoS, and only a very small amount of traffic would reach the main server, leaving it capable of maintaining its operational status. The paper goes on to suggest that the computational power needed to fend off an attack would not have to originate from systems that the friendly server had to force into its own botnet, but instead from the vast computing resources at the disposal of the giant content delivery networks. Another avenue for obtaining the computational resources would be volunteers, much like those of the SETI@HOME program, or even networks like BitTorrent could be used to build good phalanx botnets to stop evil botnets.
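As an added illustration (example code written for this page, not from the USENIX paper or this document's authors), the Python model below captures the pull-based design described above: inbound traffic lands in a set of phalanx mailboxes of bounded capacity, and the protected server fetches only a fixed budget of packets per round, so a flood is shed at the mailboxes rather than at the server. The class and function names, the mailbox capacities and the traffic mix are assumptions.

```python
from collections import deque

class Mailbox:
    """One phalanx node (hypothetical model): buffers inbound packets until the
    protected server asks for them; anything beyond capacity is shed here."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.queue = deque()
        self.dropped = 0

    def receive(self, packet):
        if len(self.queue) >= self.capacity:
            self.dropped += 1          # flood absorbed at the phalanx, not the server
        else:
            self.queue.append(packet)

    def pull(self, budget):
        """Hand the server at most `budget` buffered packets, oldest first."""
        return [self.queue.popleft() for _ in range(min(budget, len(self.queue)))]

def direct_exposure(legit_per_round, attack_per_round):
    """Baseline with no phalanx: every inbound packet reaches the server."""
    return {"peak_server_load": legit_per_round + attack_per_round}

def phalanx_exposure(num_mailboxes, capacity, server_rate, rounds,
                     legit_per_round, attack_per_round):
    """Pull model: the server fetches at most `server_rate` packets per round,
    so its load stays bounded however large the flood grows."""
    mailboxes = [Mailbox(capacity) for _ in range(num_mailboxes)]
    served = {"legit": 0, "attack": 0}
    peak = 0
    n = 0                              # running packet index for round-robin placement
    for _ in range(rounds):
        # constructed traffic mix per round: a few legitimate packets, then the flood
        for pkt in ["legit"] * legit_per_round + ["attack"] * attack_per_round:
            mailboxes[n % num_mailboxes].receive(pkt)
            n += 1
        budget, pulled = server_rate, []
        for mb in mailboxes:           # the server decides what it takes and when
            if budget == 0:
                break
            got = mb.pull(budget)
            budget -= len(got)
            pulled.extend(got)
        peak = max(peak, len(pulled))
        for pkt in pulled:
            served[pkt] += 1
    return {"peak_server_load": peak, "served_legit": served["legit"],
            "served_attack": served["attack"],
            "dropped_at_phalanx": sum(mb.dropped for mb in mailboxes)}

if __name__ == "__main__":
    print("direct :", direct_exposure(5, 1000))
    print("phalanx:", phalanx_exposure(4, 10, 20, 5, 5, 1000))
```

With 1,005 packets per round arriving and a server that pulls 20, the server's peak load stays at 20 while the rest is dropped at the mailboxes; the same flood reaching the server directly would mean 1,005 packets per round. The round-robin placement here makes no distinction between legitimate and attack traffic, so legitimate requests are crowded out along with the flood; fair treatment of legitimate clients needs additional scheduling that this paper does not describe.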

When it comes to DDoS attacks, the best way to fend off the attack is to fight back with greater computational power. Several cybercriminal organizations today make vast sums of money from online gambling sites by holding them hostage under a DDoS botnet attack. There have been a few that have come to the aid of these victims and fought back victoriously, but without an integrated system of good botnet computing power, the evil botnet cybercriminals will just come back again for ransom at another time when you cannot obtain the leased computational power required to fend them off.

It would appear that the phalanx idea is exactly what the Armed Forces have been using for years to protect themselves from outside threats, but for how long will even the untouchable remain free from this rapid expansion of new botnets being developed? Good botnets can and should be used whenever possible to combat evil botnets, but that is just the start. Before our push to IPv6 there should be a complete reworking of certain protocols and features to prevent future IRC-like botnets and others from ever arising under this new protocol.

Conclusion / Future Work

Security in the future cannot be fought as it is today, man against programs; instead, security should be fought with the very programs that are used to compromise our systems. Familiarity with the programs and tools at the disposal of our enemies will only aid us in our future attempts to defend ourselves against them. But in the field of security, our stance should not always be one of defense; it should also be one of offense at times, when it is required. The task of taking back the cyberspace which is rightfully everyone’s may be a task too great for our Armed Forces, fought under current conditions. We must learn to multiply our forces with what little we have, and work together in this fight against evil. The day may come that we no longer have to worry about security because our enemies are so cutthroat with each other that they’ll implement every known strategy at their disposal to keep the bots in their botnets protected from competitors, but if that day actually comes, we should all be ashamed as professionals in the field of security. In our rapidly expanding cyberspace, if security is not demanded from everyone, then it is guaranteed to no one.