What if you wanted to build your own botnet to act as a spam relay or to launch a denial-of-service attack against an organization or a country? "It's actually a lot of work," says Joe Stewart, director of malware research at SecureWorks.
I had a chance to talk with Stewart at this year's Black Hat security conference in Las Vegas where, in a talk, he provided insight into the inner workings of one botnet, the Storm worm botnet. Using unpackers, debuggers, and decompilers, Stewart was able to dissect the rogue network and learn how it works and why Storm remains so resilient when other botnets simply fail over time.
Joe Stewart of SecureWorks at Black Hat Las Vegas 2008 (Credit: Robert Vamosi / CNET)
Botnets, whose combined computing power can equal that of a large supercomputer, are organic, yet they only evolve when they need to, such as after they've been discovered and shut down, Stewart said. But he said anyone wanting to copy a successful botnet like Storm would simply be wasting their time. While all the coding tricks used to make Storm successful are available on the Internet, it's combining them that's the trick.
"How you are going to make all that work for your specific needs? It's pretty complex," he said. "The person who developed Storm did it over a long period of time. They didn't start out with the peer-to-peer program (as used today); they started out with something much simpler. They then made small modifications. A lot of hours have been put into it."
Storm's structure
A basic botnet would include a Command and Control (C&C) server connected to thousands of compromised desktop computers worldwide. Were that always the case, botnets could be taken down quickly by simply finding and shutting down the C&C server. Storm's approach is more nuanced and layered. At the top level is a Command & Control server running Apache (presumably somewhere in Russia). At the next level is a server running an Nginx 0.5.17 proxy; this server is designed to hide the Apache machine from view. At the third level are a couple more Nginx 0.5.17 proxies used to hide the master Nginx 0.5.17 proxy from view. Sitting at the fourth level are public nodes that act as reverse proxies leading back to the controller and perform as fast-flux name servers. Fast flux means that a hard-coded URL can be sent out with the bot code, but where that URL resolves changes.
The final level is composed of thousands of compromised computers worldwide. Stewart says that Storm starts out infecting a computer with a dropper. Right now the preferred infection process is via an e-mail link, but this might change to a peer-to-peer process. However infected, the initial click by the end user installs a rootkit which, in turn, reaches out to the EXE file from a fourth-level supernode. Once infected, the compromised computer and supernode trade the infected desktop's IP information. This information is sent to a third-level supernode proxy as part of its mapping operation. At the third level it is also compressed and encoded for obfuscation, then sent on to the second-level proxy, and finally to the top-level server.
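One way a defender can spot the fast-flux behaviour described above in passive-DNS data, as an added example that is not part of the original article or of Stewart's research: it flags names whose answers change often, span several networks and carry short TTLs. The thresholds, the /24 grouping and all sample names and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed passive-DNS answers: (seconds, name, A record, TTL). The names and
# addresses use reserved documentation ranges and are not real indicators.
OBSERVATIONS = [
    (0, "static.example.net", "192.0.2.10", 3600),      # stable host, long TTL
    (1800, "static.example.net", "192.0.2.10", 3600),
    (0, "cdn.example.com", "198.51.100.1", 60),         # short TTL, one network
    (300, "cdn.example.com", "198.51.100.2", 60),
    (600, "cdn.example.com", "198.51.100.3", 60),
    (900, "cdn.example.com", "198.51.100.4", 60),
    (0, "ecard.example.org", "192.0.2.77", 120),        # answers hop between networks
    (300, "ecard.example.org", "198.51.100.201", 120),
    (600, "ecard.example.org", "203.0.113.5", 120),
    (900, "ecard.example.org", "192.0.2.140", 120),
    (1200, "ecard.example.org", "203.0.113.88", 120),
]

def summarize(observations, window=3600):
    """Collect answers seen within `window` seconds of each name's first sighting."""
    first_seen = {}
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for ts, name, ip, ttl in sorted(observations):
        start = first_seen.setdefault(name, ts)
        if ts - start > window:
            continue
        entry = stats[name]
        entry["ips"].add(ip)
        # /24 stands in for "different network"; real tooling would map to ASNs.
        entry["nets"].add(ip_network(f"{ip}/24", strict=False))
        entry["ttls"].append(ttl)
    return stats

def fast_flux_candidates(observations, min_ips=4, min_nets=3, max_ttl=300):
    """Return names with many addresses, spread over several networks, all short-lived."""
    flagged = []
    for name, entry in summarize(observations).items():
        if (len(entry["ips"]) >= min_ips and len(entry["nets"]) >= min_nets
                and max(entry["ttls"]) <= max_ttl):
            flagged.append(name)
    return sorted(flagged)

if __name__ == "__main__":
    print(fast_flux_candidates(OBSERVATIONS))
```

The single-network name with short TTLs is deliberately not flagged: rotating addresses alone also describes ordinary load balancing, so the network spread is what separates the two in this sketch.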
Overnet/eDonkey
At the second and third levels, the Nginx proxies listen for Overnet/eDonkey peer-to-peer Internet traffic. Overnet/eDonkey was a popular peer-to-peer network application until it was shut down by the Recording Industry Association of America. While the service is gone, the code still exists. What botnet operators like most is Overnet/eDonkey's distributed nature; it lacks a central peer list. Thus, each of the nodes keeps only a small list of neighboring peers.
This decentralized network is what Stewart and many other experts say is the key to Storm's resilience.
And it almost proved to be Storm's undoing. Overnet/eDonkey is still used for file-sharing, so in Storm's view there is a lot of bogus traffic out there. To better distinguish its traffic from other traffic, Stewart says Storm uses the Kademlia distributed hash table (DHT) and its C&C servers listen only for predictable MD4 hashes. Those hashes are derived from a simple checksum algorithm that includes IP address and the port used. Authentication is accomplished through a 4-byte challenge and response.
The predictable hashes also have a positive effect for researchers, says Stewart: If a given peer doesn't know the location of the specific node you're searching for, the known peer will provide you with a list of peers closest to what you asked for. And, because the Overnet/eDonkey supernode peers all broadcast their presence, Stewart and other researchers can walk all the nodes in a network to get a fairly accurate count of the botnet's size.
Not perfect
Lately, though, Storm has been evolving yet again. This time it's isolating its network further from the general Internet traffic by encrypting packets using an embedded key and simple XOR. It also has been changing its initial infection packing or compression process. The outer layers change every 10 minutes, while the interior bot code changes packing more on the order of once a month. So far, neither the packing nor the encryption has defeated security researchers.
However, one downside to encryption is that Storm's handlers could now segment parts of their network--that is, they could rent or sell off pieces of the botnet to others. Although speculation around segmentation has been widespread, Stewart says he has not observed it.
In addition to Stewart's research, see Brandon Enright's report for another detailed look at the structure of this venerable botnet.
On Monday, SecureWorks released its analysis of the Coreflood Trojan, providing an inside look at a stealthy online predator.
According to a blog by Joe Stewart, director of malware research for SecureWorks, Coreflood started out as an IRC (Internet relay chat) botnet back in 2002. Coreflood--or AFcore, as the author refers to it within the code--is apparently viewed by its author as corporate software that can be tweaked as business needs change. For example, over the last six years, Coreflood has evolved from initiating distributed denial-of-service attacks to collecting IDs and passwords for bank fraud.
With the help of Spamhaus, an antispam organization, SecureWorks was able to gain cooperation from one of the command and control centers for Coreflood. What Stewart found was not only source code but 50 gigabytes of compressed data, searchable in a MySQL database.
Within were 378,758 unique bot IDs over a 16-month period. Logged was the time-stamped lifecycle--from infection to removal--of each compromised computer. Stewart found the average to be about 66 days.
The other find was that many computers within a single company would get infected. That is not surprising in and of itself; however, the time stamp provides an insight into the growth of bots within corporate networks and government agencies.
The graph shows how a state policy agency was infected with Coreflood from April 2007 through January 2008. (Credit: SecureWorks)
What Stewart found by looking at the log files is that Coreflood would enter a network via a drive-by browser exploit, download a copy of the installer, then run PsExec, a legitimate Windows administration tool available from Microsoft. If the infected machine had administrator rights, the malicious file ie1823en.exe would be executed on every computer within that domain.
"Mitigating the problem of malware using domain administrator credentials is harder," wrote Stewart. "It is not really possible to disable this feature without removing the ability of authorized users to remotely administer workstations entirely (including the ability to push needed updates to all computers in the domain)." SecureWorks is aware of one other bot that uses this technique, and expects other bots to use it in the future.
Stewart concludes: "It falls upon the domain administrator to be aware of this tactic and be increasingly aware of the security of not only his/her workstation, but any workstation accessed with administrator credentials."
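A detection sketch for the domain-wide PsExec spread described above, added here as an example and not taken from SecureWorks' analysis: it looks for one account installing the PsExec service (PSEXESVC, Service Control Manager event ID 7045) on many hosts within a short window. The record layout, account names, hosts, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalized service-install records (event ID 7045).
# Field names, hosts and accounts are hypothetical.
EVENTS = [
    {"time": f"2008-01-14T09:0{i}:00", "host": f"WS-00{i}", "event_id": 7045,
     "service": "PSEXESVC", "account": r"CORP\da-admin"} for i in range(1, 7)
] + [
    {"time": "2008-01-14T08:15:00", "host": "WS-020", "event_id": 7045,
     "service": "PSEXESVC", "account": r"CORP\helpdesk"},
    {"time": "2008-01-14T13:40:00", "host": "WS-031", "event_id": 7045,
     "service": "PSEXESVC", "account": r"CORP\helpdesk"},
    {"time": "2008-01-14T09:02:30", "host": "WS-002", "event_id": 7045,
     "service": "PrintSpoolerHelper", "account": r"CORP\da-admin"},
]

def psexec_fanout(events, window=timedelta(minutes=10), min_hosts=5):
    """Map each account to the largest set of hosts it pushed PSEXESVC to
    inside any single `window`, keeping only sets of at least `min_hosts`."""
    per_account = defaultdict(list)
    for e in events:
        if e["event_id"] == 7045 and e["service"].upper() == "PSEXESVC":
            per_account[e["account"]].append(
                (datetime.fromisoformat(e["time"]), e["host"]))
    alerts = {}
    for account, installs in per_account.items():
        installs.sort()
        left = 0
        for right in range(len(installs)):
            # Slide the left edge until the span fits inside the window.
            while installs[right][0] - installs[left][0] > window:
                left += 1
            hosts = {host for _, host in installs[left:right + 1]}
            if len(hosts) >= min_hosts and len(hosts) > len(alerts.get(account, ())):
                alerts[account] = sorted(hosts)
    return alerts

if __name__ == "__main__":
    for account, hosts in psexec_fanout(EVENTS).items():
        print(account, "->", ", ".join(hosts))
```

Routine one-off use by a helpdesk account stays below the threshold; the alert fires only on the many-hosts-in-minutes pattern, which is also where Stewart's advice about guarding administrator credentials applies.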
Microsoft today released its March 2008 security bulletin, which includes four bulletins, all deemed critical by Microsoft.
The most serious of these affects Microsoft Excel, which alone has six specific "Common Vulnerabilities and Exposures" vulnerabilities noted, one of which has been exploited in the wild. The next most serious affects Microsoft Outlook. In that one, a vulnerability in how the software parses "mailto" URIs could lead to remote code execution. A third bulletin affects how various Microsoft Office apps open maliciously crafted files. The final bulletin concerns how Office interfaces with the Web and includes one vulnerability that has been known but unpatched since September 2006. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.
Entitled "Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (949029)," this bulletin is critical for users of Microsoft Excel 2000 Service Pack 3, and important for users of Excel 2002 Service Pack 3, Excel 2003 Service Pack 2, Excel 2007, Microsoft Office Excel Viewer 2003, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Microsoft Office 2004 for Mac, and Microsoft Office 2008 for Mac. Not affected are Microsoft Works 8, 8.5, and 9, or Works suite 2005 and Works suite 2006. The update addresses vulnerabilities detailed in CVE-2008-0111, CVE-2008-0112, CVE-2008-0114, CVE-2008-0115, CVE-2008-0116, CVE-2008-0117, and CVE-2008-0081. Microsoft says, "an attacker who successfully exploited these vulnerabilities could take complete control of an affected system and could then install programs; view, change, or delete data; or create new accounts with full user rights."
Entitled "Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (949031)," this bulletin affects users of Microsoft Outlook 2000 Service Pack 3, Outlook 2002 Service Pack 3, Outlook 2003 Service Pack 2, Outlook 2003 Service Pack 3, and Outlook 2007. Not affected are users of Outlook 2007 Service Pack 1. The update addresses the vulnerability detailed in CVE-2008-0110. Microsoft says this vulnerability "could allow remote code execution if Outlook is passed a specially crafted mailto URI. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This vulnerability is not exploitable by simply viewing an e-mail through the Outlook preview pane."
Entitled "Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (949030)," this bulletin affects users of Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel Viewer 2003 Service Pack 3, and Microsoft Office 2004 for Mac. Not affected are users of Microsoft Office 2003 Service Pack 3, Microsoft PowerPoint Viewer 2003, Microsoft Visio 2002 Service Pack 2, Microsoft Visio 2003 Viewer, Microsoft Word Viewer 2003, Microsoft Project 2000 Service Pack 1, Microsoft Project 2002 Service Pack 2, 2007 Microsoft Office System, 2007 Microsoft Office System Service Pack 1, and Microsoft Office 2008 for Mac. The update addresses the vulnerabilities detailed in CVE-2008-0113 and CVE-2008-0118. Microsoft says, "an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
Entitled "Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (933103)," this bulletin affects users of Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Visual Studio .NET 2002 Service Pack 1, Visual Studio .NET 2003 Service Pack 1, Microsoft BizTalk Server 2000, Microsoft BizTalk Server 2002, Microsoft Commerce Server 2000, and Internet Security and Acceleration Server 2000 Service Pack 2. Not affected are users of Microsoft Works 8, Microsoft Works 9, Microsoft Works Suite 2005, Microsoft Works Suite 2006, Microsoft Office 2003 Service Pack 2, Microsoft Office 2003 Service Pack 3, 2007 Microsoft Office System, 2007 Microsoft Office System Service Pack 1, Microsoft BizTalk Server 2004, Microsoft BizTalk Server 2006, Microsoft Commerce Server 2000 Service Pack 1, Microsoft Commerce Server 2000 Service Pack 2, Microsoft Commerce Server 2000 Service Pack 3, Microsoft Commerce Server 2002, Microsoft Commerce Server 2007, Internet Security and Acceleration Server 2004, and Internet Security and Acceleration Server 2006. This update addresses the vulnerabilities detailed in CVE-2006-4695 and CVE-2007-1201. Microsoft says, "these vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."