Look Ma, I created a botnet!

The abstract concepts of "botnet" and "Trojan" just became a lot more concrete for me.

In less than an hour on Thursday, I was able to use programs readily available on the Internet underground for as little as $300 to infect several Windows clients and take complete control of them in a test environment.

In contrast to the real world, the McAfee Malware Experience event, which was akin to a Malware 101 class (or, in my case, Malware for Dummies), served up printed step-by-step instructions for us nonhacker journalists. But McAfee researchers said the programs used--real samples of malicious code from the wild--were not particularly sophisticated and any script kiddie could manage them easily.

First, I used a tool to infect a PC with a Sub Seven Trojan. With a few clicks it was on the client and I had remote access to everything on that machine via a so-called "back door." A management console provided an easy-to-use interface, including drop down menus with names like "Fun Manager."

Feeling mischievous I used the "flip screen" feature so that everything on the victim's PC was upside down and I changed the colors for the desktop and background to Hello Kitty hues of pink and orange. If I wanted to be nastier I could have directed the victim's browser to a URL of my choosing, turned on the client's Web cam, taken control of a chat session, printed out obscenities on the networked printer, or hidden the desktop or mouse from sight.

McAfee didn't let us save screen shots so I found this one on the Internet. It shows the interface of the Sub Seven Trojan and the "fun" things that can be done to a victim's computer with it.

(Credit: All-Interenet-Security.com)

I tested out the keystroke logger and found it to be particularly empowering and scary. It was thrilling to have so much control at my fingertips. It felt a bit like the electronic equivalent to pranks we did as kids, such as shorting the sheets and drawing on someone while the victim was sleeping. But these digital shenanigans have much more dire consequences.

Next up was creating a botnet, which would give me control over multiple zombies to do things like shut Web sites down with a denial of service attack and blanket e-mail inboxes with spam. I infected the two clients with the bot software and then created a command-and-control center on an IRC room. I then ordered up the system information from the bots, scanned their ports, and downloaded a malicious file onto the computers, as well as a keystroke logger. As they say in hacker lingo, I "pwned" the machines.

Finally, I used a program called "Shark" (also known as "Backdoor-DKG") to create a Trojan and install it on the victim clients by sending it through a Microsoft Outlook e-mail. Using a spreadsheet interface, I was able to set the functions of the Trojan, activate a keystroke logger and could have disabled antivirus software or set it to shut the system down based on certain conditions.

Following the tutorial, McAfee provided some bleak statistics to put my actions into perspective. For instance, the company's Avert Labs sees more than 400,000 new zombies a day, 4,000 new pieces of malware a day and 1.5 million malicious sites a month. There were 1.5 million pieces of unique malware last year and McAfee predicts that number will rise to 2.4 million this year.

The numbers aren't all that surprising to me now that I've seen firsthand how easy the malware is to create and use. All in all, I'd say it was a very sobering experience.

[ruismorfy]

A botnet can be bought now in underground marketplaces, they can be FUD(fully undetected) which is very dangerous. A simple kid or person, who craves for quick cash, with no such skills can operate a botnet easily.

[Lerianis3]

Well, if people would upgrade to Widnows Vista..... BOOM! No botnets possible because of the sandboxing functions! That's why I am going to upgrade all my computers to Windows 7 as soon as it comes out.... it has even better (in most cases) security protection out of the box than Windows Vista.

[Zer0Wolf]

AFAIK it's pwned, not p0wned. On another note, it must have been a humbling experience to see all of it in one sitting.

[lyonzy90]

Another very good reason to keep your internet security well and truly up to date.

[ethana2]

Look Ma, I installed Ubuntu!

[kubes123]

Awesome.....So did I....No crashes..no anti viruses..(just install awesome firewall called 'Firestarter')
Very smooth...
Unfortunately i have to return to Widnows if i want to play my favourite games and fear those malicious things out there..

[gertruded]

Microsoft could fix this problem if they wanted too. The word Windows is not mentioned. These are Windows viruses and malware folks. These are sites infected for spreading Windows malware.

[monkeyfun14]

Actually OSX has a huge botnet as well.

But your a fanboy I forgot you don't acknowledge problems with your own OS or can ever post a constructive comment.

[Perry_Clease]

"by monkeyfun14 June 11, 2009 8:46 PM PDT
Actually OSX has a huge botnet as well."

Prove it kid!

[redwall_hp]

@monkeyfun14 But you forget that the OSX botnet is a trojan. You have to pirate software, run the fake installer, and give it your admin password. (And I would imagine the trojan is smaller in file size than a full copy of iWork...) That's hardly a security exploit, as you've just given the application permission to run wild on your system. I'd say that's a lot better than having a drive-by install via an XSS exploit or the like.

You're the one who sounds like a "fanboy" to me, trashing a comment that did have a point with a cookie-cutter comment...

[pcdude2143]

Who said he was talking about OS X? And his response was nothing compared to yours.

All operating systems have flaws. And one has much more than all the others.

You don't seem to really know much about OS X or any form of Unix/Linux. Even if you are an admininistrative user, you run as a limited user (which cannot change ANY system folders) until you try to perform an administrative task (such as changing a system folder). Then it asks you for your password. Enter your password, and viola, that program, and ONLY that program has elevated privileges.

In Windows as administrator, try to delete files in the Windows folder, and it will happily delete almost everything.

[Vegaman_Dan]

Does it matter how the malware gets on the system if the system doesn't have security to prevent it?

You guys are too fixated on how it gets on the machine and forget that a machine that is fully patched and up to date isn't vulnerable to these situations.

As for the OS X botnet- it's a big one, but even as the article a couple of months ago stated here on CNET, the true size would not be known since the majority of people infected woudln't know it as they don't have any sort of security monitoring or precautions in the first place- the perfect sleeper botnet.

To all of this- I just say 'meh'

[ikramerica--2008]

Yes, it matters. You can't prevent a Trojan that requires active authorization if the person authorizes it. Because if you tried to, you'd also likely shut down hundreds or thousands of valid installer applications in the process. Every new installer would have to be submitted to some central authority and "cleared" or some such nonsense. Assuming that that authority knew what the heck it was doing, and knew how to detect a trojan.

Then, if a trojan was "approved" by mistake, it would be even worse than one that wasn't, because people would assume it's okay and not think twice...

[monkeyfun14]

@ikr

Vista has been pretty much immune to viruses as pretty much anything that runs on it requires authorization or another form of user interaction.

But I mean going around spreading misconceptions that Mac is invulnerable is a security risk in its self it causes users to go download happy because they think nothing can affect them it doesn't matter if the thing got on the in fact with the requires user interaction claims for viruses would mean a true virus doesn't exist. Since the user was required to goto the site and as far as I know Google removes listings to sites who attempt to autorun malware upon accessing it.

[lifecurbed]

so many of you are uninformed

OSX = huge huge java vulnerabilities that are going unchecked by apple right now with security issues going deep allowing for filesystem and shell level access.
on linux and unix if you are logged in as root, you have all privileges all the time.
windows will not delete almost everything as administrator. a majority of files necessary to keeping the OS running will be open, therefore "in use."
the article above mentions that the editor is creating trojans for windows, not new malware that is targeting specific security flaws. if the editor was doing that - she should probably be working for someone other than cnet.

RTFA, research your assumptions so that you have facts and can stop assuming so much and instead KNOW.

and for once try not to turn a simple security article into a flamewar - i have never seen, nor read of an OS without a security flaw.

[solitare_pax]

Agreed - anything can be hacked into if there is an idiot is behind the keyboard, ignoring adequate safety precautions.

Not just Windows - look back at how the Allies broke German codes because the operators of their super-duper Enigma machines were too lazy to follow proper operating instructions.

I expect we will now have an enlightened flame war on the superiority of the Enigma machine now...

[ExWinUser]

@ lifecurbed, you are the uninformed one clearly! The admin user can easily delete enough files to render the windows OS inoperable. The admin user just has to stop certain windows services and then can delete even more system files. I'm sure you know that, but I don't know why you windows users continue to post crazy comments.

[pcdude2143]

My previous post was @monkeyfun. Probably should have said that in the post.

[sTd01]

Back in my day we shared botnet's... It was like friends with benifits nerd style. Isn't sub7 over 10years old now? It's not a legacy trojan it's antiqueware. Things got better. No offence but i have a funny urge to sell you a shareware version of Quake for $500 and question the mental capacity of the person who employed you in such a position.

[Tobyyyyy]

I agree. And this writer seems to be writing articles mostly on tech/internet issues.
Definitely out of touch with internet culture on the deeper levels.
ummmmm??
Geez, hire me.

[SebDavies]

Yeah but not everyones know about this stuff, wether it be old or new.

[aMUSICsite]

Not a good advert for McAfee...

We keep you safe from 10 year old botnets...

[sTd01]

sub7 hello 1999!

[willbw]

Seb "Yeah but not everyones know about this stuff, wether it be old or new. "


Yea this is like 10 years out of date it def does matter is its old or new because this is a useless artcle if this effects you, then you shouldnt have a computer.

[elem3]

Sub7 is relatively harmless these days, but I have to disagree with the way McAfee went about this. Teaching about cyber crime and actually showing someone how to do it are two different things. The only thing that this accomplishes is creating more script kiddies by publicizing the exercise. Good job McAfee! This is exactly the opposite of where you should be focusing your resources.

[mkuk71]

Ummmm... actually, isn't this EXACTLY where they need to be focusing their resources at the moment?

If OS's all get better at protecting users against attacks, what need is there for overpriced, bloated security software? By showing Script Kiddies how it's done, they're guaranteeing themselves a few more years business surely ;o)

LOL

[macewan_]

Lame publicity stun my McAfee. These days there is no excuse for Windows use. OS X and Ubuntu will do just fine.

[fmcentire]

Until I want to game or do anything that requires compatibility with Windows. Or I could use OS X or Ubuntu and hope they give me a watered down compatible version. No thanks.

[fungie5]

@fmcentire -

I use Ubuntu as my primary OS on my five PCs, but I have Windows (XP, Vista & 7) installed in dual boot configuration on three of them to run specific windows-only software. Most of my daily PC use is focused on using the Internet, which, thanks to Ubuntu, I can now do without worrying about viruses, spyware, botnets etc. I also no longer need to schedule regular security scans for Windows (it's now just every 6 weeks), because my copies of Windows don't see much of the Internet these days - they just run locally installed apps and games. I don't know why everyone's so caught up with this 'either/or' argument. Just use both - Install Linux inside Windows or dual-boot. Linux is the ultimate antivirus and anti-spyware and anti-botnet because those who use it get to be the spectators to all those issues.

[pcdude2143]

@fmcentire I play Age of Empires III (a MICROSOFT game) on Ubuntu and it runs 100% with full hardware graphics support WITHOUT Windows (no hardware emulation like VMWare). Sure, it's not the latest and greatest (2006), but it's still better than your preconceived notion of no compatibility whatsoever.

[shellcodes_coder]

Am sure hackers will find it much easy to create botnets for crap os x since security holes in crap os x are damn easy to exploit

[monkeycdotnet]

Typical McAfee FUD - none of these machines was running an AV client and I bet none of them was a Vista machine either and they provided step by step instructions on how to use software that is years old... Wow I am so impressed. Yawn.

Meanwhile those of us in the enterprise space remember when Melissa went straight through out expensive McAfee AV systems and tore us a new one.

McAfee and Symantec are the worlds experts at spreading FUD (thats Fear Uncertainty and Doubt) about this stuff and its all aimed at marketing and has nothing to do with real world experiences - And the Avert Labs is proof because no where are they providing their raw statistics to back up their claims and "Labs" is a misnomer as they're nothing more than an in house marketing term.

A few times a year either Symantec or McAfee or one of the upstarts will rush out a press release about the end of the world is nigh virus of the week and they will get some TV air time and all of us working in IT turn off our phones to avoid the calls from people who watch newscasts.

Want to avoid a bot net? Simple. Run an AV (Avast is free), use a firewall (in XP since SP2), only open files from trusted sources, never open an EXE in an email EVER and stay away from Internet Explorer or if you must use it avoid crack, porn and other dodgy sites. In 20 years of IT experience Ive never had a virus on any of my machines, its not through luck thats for sure. Mind you these days I do run a mac but I also make a living architecting windows solutions and none of my clients has ever had anything more than a single machine infection either (from that stupid christmas game..)

Common sense trumps all. Even journalists attending free marketing events - I hope the tshirt was a nice one this time around, the one from the last experience was cool :)

Especially stay away from McAfee's site - they will scare the pants off you !

[fmcentire]

Agreed.

[jake3373]

McAfee says there is an "elevated" virus level. I have never gotten a virus in my life (even back in my days of running limewire on windows ME). The elevated level was just because MS had recently patched security updates.

[rcardona2k]

I think Elinor Mills should get out more. And I don't mean running AirSnort at her favorite hotspot coffee place. =)

[gertruded]

Microsoft could fix this problem if they wanted too. The word Windows is not mentioned. These are Windows viruses and malware folks. These are sites infected for spreading Windows malware.

If it is even half true that fully patched Windows machines do not get viruses, then all Microsoft has to do is allow all Windows machines to get all the patches. Could it be that the whole world's internet botnet problem is due to WGA? That would mean that MS is purposely allowing the botnets to maximize their profits.

[DrtyDogg]

WGA doesn't stop non-genuine copies of windows from getting security updates, just OS updates(ie8, wmp etc.)

[gertruded]

@drtydogg, WGA does prevent security updates. If you have a problem with WGA you do not contact Microsoft. for updates. Millions of computers around the world are running without updates because of Microsoft's WGA policy. That is just the fact.

XP is not even being sold anymore, why not release the updates?

[Lerianis3]

Again, WGA DOES NOT PREVENT SECURITY UPDATES! Shut the hell up, gertruded, because you are simply LYING about that.

As DrtyDogg said: it only prevents things like IE8, WMP updates, etc. being downloaded on your system. Not security updates, not critical security updates, just optional updates.

[Luke86]

I think the article was good, it shows how easy it is to create a botnet and to be frank it is as easy as the article show. Even tho Sub7 is 10 years old, if anything the tools have gotten more advanced and easier to use.

I think all this bull about OS X & Linux is daft. Windows has millions and millions of users and it just doesn't make sense creating a virus specifically targeting OS X or Linux because using simple math it would be better targetting the OS with the most users. It not the fact that Linux is better or OS X is better, its just simple math that makes Windows the better OS to target.

Just to put this is even more simpler terms, its like comparing two cars,

Car A is sold to 10million people and 10% crash the car.
Car B is sold to 10 people and 10% crash the car.

You cannot compare safety stats and at every opportunity praise Car B for being the safest car. It just doesn't make sense.

I have toyed with botnets in the past and once had about 17,000 zombies. I was 15 and really didn't do much with it and eventually the box it was hosted on got removed, a great learning curve and I really do think that creating 100,000+ botnets is easy if the right amount of time is dedicated to it.

Things will get worse before they get better! That is for sure!

[gertruded]

A lot worse. This botnet problem will sink Microsoft, and it should. Too many Windows machines and too easy to do to Windows machines.

The Microsoft shill bull about OSX and Linux is not only daft, but calculated FUD, attempting to maintain profits as long as possible.

[Jim From Greece]

macos owns 10% of the market that is not a small percentage my friend. And really as you correctly put it , it all about the math.

For an OS that owns 10% of the market compared to Windoom which owns almost 90% with more than 20.000 malicious software , MAC OS has only 9-10 real threats. By math alone is a piece of cake to argue that not only mac os is light years better than windows but also that is a real operation system. While there is nothing operational in Windoom if you let it run by itself for a few month without any third party help (see antivirus , firewalls, spyware removal apps, blah blah blah).

And if we want to be sincere then we should argue that an OS that has one of the bigest security in the world will most likely be a target by any hacker that respect himself. Afterall every single malicious attack against MAC OS , is immediately HEADLINE news and we know that hackers love fame. While who cares for yet another virus in 20.000 of windows ?

Sorry but the whole "less market share equals less security threats " is old , ridiculous and stereotypical.

[fmcentire]

LOL, because these hackers and thieves are in it for respect and a good ol challenge? I bet they have a code of conduct and a mission statement as well. Windows is used way more than Mac OS, as you even said yourself. There are a lot of machines with Mac OS out there, but there are exponentially more with Windows. You would be inept if you focused an attack on Mac OS when there is so much more to be had from attacking Windows based software.

[Michichael]

I love getting script kiddies on my honeypots. Since they don't know what they're doing when they hit a real Infosec specialist. Hell, even a Sysadmin with a rudementary understanding of perl can counterhack them in seconds.

[willbw]

idiot lol @ counterhack

[lisa donaho]

I have got to laugh at this. Are the upper management guys worried about this? It is their choice what operating system/hardware is run. Cutting costs by going to the cheapest hardware/software gets you what you pay for.

[victor_sf]

hey, anybody try and hack Plan9 yet?

[narwhal2]

This article fails on so many levels it's priceless. What kind of noobs work at cnet anyway? Sub7? Really?

Welcome to 1998 enjoy your stay.

[Lerianis3]

We need to realize that this is a problem that is not going to go away.

People (idiots mainly) keep on bashing on Windows XP and lower being so 'insecure' when they fail to realize that the reason that Linux is so 'secure' is because you cannot do crap on it most times! I'm serious there: I tried Linux and gave up because of all the command line BS it wanted me to do.
OSX? Just as insecure as Windows XP and lower, it just doesn't have a lot of people bashing on it day in and day out trying to find vulnerabilities.

We need to stop blaming the OS companies and start putting the blame on these script kiddies, slamming them down HARD and teaching children from VERY YOUNG that you don't steal from people, you don't write viruses to damage computers (no matter what your 'goal'), etc.

[Motyoj]

We need to stop blaming the OS companies and start putting the blame on these script kiddies, slamming them down HARD and teaching children from VERY YOUNG that you don't steal from people, you don't write viruses to damage computers (no matter what your 'goal'), etc.

Good luck on that. Also, OS X is not nearly as flaky or insecure as Windows XP. The only bot net for OS X is one that had users download pirated software, type in the administrator's password and install the rogue software. Not nearly as easy to infect as a Windows box. Secondly, if you're stupid enough to download "warez", you deserve a lesson.