Blog‎ > ‎

Mitigating Botnet Information Security Risks through EA and the ITSA - Part 1 of 4

posted Apr 1, 2015, 1:35 PM by Christopher Furton   [ updated Dec 13, 2015, 10:37 AM ]

Written by: Christopher Furton

Abstract 


This paper investigates the threats of botnets to the enterprise environment. First, this paper looks at the history of botnets and the evolution of command and control topologies. Propagation techniques are reviewed as well as analysis of advanced botnets that target enterprise information systems. The use of botnets is analyzed resulting in a list of 19 botnet risk area topics that, if unmitigated, can be devastating to the organization’s business processes. Next, this paper examines mitigation activities, namely the Information Technology Security Architecture model (Bernard & Ho, 2008), that can help organizations reduce the possibility of botnet infection and reduce the impact if an infection occurs. Lastly, this paper presents a case study where a nation-state uses part of the business continuity planning process of the Information Technology Security Architecture to mitigate a distributed denial of service attack.

Mitigating Botnet Information Security Risks through Enterprise Architecture (EA) and the Information Technology Security Architecture (ITSA)

Part 1 of 4



Often referred to as zombies, malware compromised computers take part in criminal cyber activity without the knowledge of their owners. Zombies are members of large networks called Botnets. These networks range in size and complexity, but all have serious implications to enterprise security. As a tool for criminal activity, botnets can ‘earn’ criminals substantial revenue by engaging in spam mass emailing and information theft campaigns. Similarly, some criminals generate revenue by renting access to their botnets to other cyber criminals (Ferguson, The history of the botnet - Part II, 2010). Besides financial gain, botnets are a common tool for hacktivism where hackers use malicious attacks to further a political viewpoint (Schectman, 2012).


This paper explores the world of botnets. The paper is broken into four parts: 1) The Problem; 2) The Mitigation; 3) The Case Study; and 4) The Conclusion. In ‘Part 1- The Problem’, the goal is to explain the types of technologies utilized in botnets and identify the potential risks associated with them. In ‘Part II – The Mitigation’, the goal is to offer recommendations for combating botnet risks specifically through the use of proven methodologies such as the Bernard & Ho’s Information Technology Security Architecture (2008). In Part 3 – The Case Study, a real life look at a nation state that used business continuity planning to reduce the impact of a botnet distributed denial of service attack. In ‘Part 4 – The Conclusion’, the goal is to tie the main points of this paper together.

Part I – The Problem


This section of the paper provides background information on botnets and identifies the problems faced by internet users and the enterprise environment. The contents include: a brief technical overview, explanation of propagation techniques, topology differentiation for command and control, discussion on intended targets, typical use of botnets, and the history of botnets. The aim of Part I is to ensure an understanding of botnets and introduce the problems that they cause to the enterprise environment.

Botnet Technical Overview

To help understand the risks of botnets to the enterprise environment, a technical understanding of botnets is essential. “Botnets are proving to be the most recent and disastrous threat to the field of information technology” (Naseem, Shafqat, Sabir, & Shahzad, 2010). Botnets come in many different sizes and structures, but all of them have potential to cause significant damage to the enterprise environment. As shown in the history section, botnets have been around for a significant amount of time and are constantly evolving with technology.

The first step to understanding how to mitigate botnet risks involves learning and understanding the lifecycle of a botnet. As discussed by Naseem et al. (2010), a botnet attack begins by exploiting vulnerabilities in user computers. These vulnerabilities provide the attacker, referred to as the Botmaster or Botherder, with an entry point to a system to install malicious software. Once the botmaster has installed the software, the computer is now a ‘bot’ or ‘zombie’ which can be used to execute attacks or continue spreading (Naseem, Shafqat, Sabir, & Shahzad, 2010).
One unique aspect of botnets typically unseen by other forms of malware is the command and control (C&C) channel. The communication mechanism behind this channel varies depending on specifics of the botnet, however, all are used to control the activities of the bots, issue commands, and accomplish the botmaster’s agenda. Once this communication channel is detected, the whole botnet maybe exposed (Naseem, Shafqat, Sabir, & Shahzad, 2010). 

As technologies evolve, botnets have also evolved communication methods. As mentioned in the History section, early botnets often used IRC channels for command and control. Further evolution developed into peer-to-peer and web traffic (hypertext transfer protocol) command and control channels (Naseem, Shafqat, Sabir, & Shahzad, 2010). In today’s Internet, other communication mechanisms are becoming common. Botnets have been detected that utilize the popular Twitter social networking website for C&C activities (The H Security, 2011). Furthermore, researchers have developed a theoretical covert social network botnet that embeds C&C messages into images uploaded to the Facebook website. This proposed botnet “use[s] image steganography to hide the presence of communication within [an] image” (Nagaraja, Houmansadr, Piyawongwisal, Singh, Agarwal, & Borisov). A more detailed discussion on botnet topologies can be found in the subsequent section on ‘topology.’

At face value, a botnet sounds similar to a virus or worm. However, one significant difference that puts botnets into a category of their own is the botmaster’s ability to control compromised computers (Naseem, Shafqat, Sabir, & Shahzad, 2010). Traditional malware may perform similar functions as a botnet, however, the propagation is not controlled in the same way that botnets are. By design, botnets are stealthy and covert malware with potential to cause substantial damage to an organization’s enterprise environment. Preventing infection and reducing the propagation of botnet malware is key to protecting the infrastructure. 

Propagation Techniques

In order to discuss propagation techniques, it is first important to clarify that botnets are a network of compromised hosts. Developing a botnet occurs by infecting vulnerable computers with command and control malware giving the botmaster control of the newly created bot. When discussing propagation techniques, this paper focuses on activities used by botmasters to initially infect vulnerable computers.

In the beginning stages of propagation, botnets look for vulnerable hosts that have unpatched operating systems or software applications. The methods used to exploit these vulnerabilities are often controlled by the botmaster during propagation. Successful botnet propagation relies on a controlled rate of infection that doesn’t interfere with network stability. Too rapid of propagation can result in network instability and reduce the overall effectiveness of the botnet (Xin-liang, Lu-Ying, Fang, & Zhen-ming, 2010).

In contrast to the preferred controlled propagation, some botnets spread similar to malware worms. In these instances, an already compromised host finds other vulnerable hosts and exploits them without influence from the botmaster. This form of propagation is wild and uncontrollable.

The propagation methods discussed above do not require user interaction. However, many botnets propagate in a matter that requires a user to perform a task. The first and most common method (Dagon, 2005) of propagation is by email. As seen in mid-2011, the ZeuS botnet used email to spread in the form of a fake IRS spam email. In this example, the emails appear to originate from the irs.gov domain where the subject reads “Your IRS payment rejected” or “Federal Tax payment rejected.” The body of the email refers the victim to an attached PDF file containing the ZeuS malware (MXPolice, 2011). Using social engineering tactics (the fear of IRS audit), the ZeuS botnet leveraged email as a method for propagation.

Another propagation method is through instant messaging. In this method, botmasters attempt various forms of attack through instant messaging including social engineering attacks attempting to lure the victim into clicking a malicious link. Additionally, the botmaster can send a malicious file to the victim and entice him/her into opening it (Dagon, 2005). As seen in the Mariposa botnet, which was shutdown in March of 2010, the instant messaging software MSN Messenger was used by threat actors to spread malicious code to unsuspecting victims (Kolakowski, 2010).

Web pages are also often used to spread malicious code that enables botmasters to increase the size of their botnets. In this method, webpages host content that installs malicious code on visitors computers permitting botmasters to gain control. As identified by WebSense (2008),
  • 75 percent of websites with malicious code are legitimate sites that have been compromised. This represents an almost 50 percent increase over the previous six-month period.
  • 60 percent of the top 100 most popular web sites have either hosted or been involved in malicious activity in the first half of 2008.
  • 12 percent of web sites infected with malicious code were created using Web malware exploitation kits, a decrease of 33 percent since December 2007. Websense researches believe this decrease may be attributed to attackers launching more customized attacks to avoid signature detection by security measure.
  • 29 percent of malicious web attacks include data-stealing code
  • 46 percent of data-stealing attacks are conducted over the web.
These figures show a potential change in threat climate pointing to internet web browsing as being a significant contributor to botnet propagation.

Lastly, botnets can exploit vulnerabilities in other malware already running on the host. For example, the Bagel and MyDoom worms contained backdoors that were exploited by botnets in April of 2004 (Cooke, Jahanian, & McPherson, 2005).

Topology based on Command and Control method

IRC botnets

The first topology seen within botnets relied heavily on Internet Relay Chat for command and control. As the birthplace of botnets, IRC channels were used for running games, file distribution, and for user misbehavior. “Early bots were not always malicious” (Bu, Bueno, Kashyap, & Wosotowsky, 2010). In IRC botnets, the IRC channel acted as the command and control server for the compromised zombies. IRC traffic typically occurred over a particular port number from zombie client to IRC server (Bailey, Cooke, Jahanian, Xu, & Karir, 2009).
Peer-to-Peer botnets

The next topology seen within botnets relies on peer-to-peer (P2P) communication for command and control. Instead of using a centralized architecture as seen in IRC botnets, P2P botnets allowed peers to connect to other peers as long as their IP address is known within the botnet database. The botmaster can inject commands to any peer within the botnet and the command is then relayed to other peers (Bailey, Cooke, Jahanian, Xu, & Karir, 2009). This type of botnet has many variations and has evolved to keep up with security researcher’s attempts to track down known peers. “In the last several years, botnets such as Slapper, Sinit, Phatbot, and Nugache have implemented different kinds of P2P control architectures” (Wang, Sparks, & Zou, 2010). Some have implemented cryptography for update identification and encrypted or obfuscated control channels. Although the botmasters have evolved the malware to defeat inherent weaknesses in P2P botnets, these modifications often open up new methods for detecting and compromising the botnet’s anonymity (Wang, Sparks, & Zou, 2010).

HTTP Botnets

In this topology, botnets use standard web requests that operate over port 80 to facilitate command and control. This topology uses a webserver as the centralized command and control channel similar to how IRC botnets used IRC channels. However, the web server C&C channel stays always connected with eliminates the fundamental problem of connection loss to IRC channels. In HTTP botnets, the traffic flows with regular web browsing traffic. However, the HTTP botnet traffic is structured different than normal traffic making it easier to detect (Bailey, Cooke, Jahanian, Xu, & Karir, 2009).

One of the most popular HTTP botnets found in the wild today is the ZeuS botnet. ZeuS consists of both a client and a server component where anyone with little computer expertise can create a custom version of the malware. Ironically, the current version of ZeuS uses a strict commercial software license which links directly to the buyer’s physical hardware. “The creation and distribution channel of this malware displays a strong business sensibility” (Bu, Bueno, Kashyap, & Wosotowsky, 2010).

Web 2.0 Botnets

The last topology discussed is the newest growing for botnets. These botnets leverage Web 2.0 technologies often seen within social networking websites. Similar to HTTP botnets, Web 2.0 botnets utilize web applications such as Facebook, MySpace, RSS, and Blogging for command and control purposes. Although the concept of social network C&C dates back in academic work as early as 2007, the first reported botnet – named Naz – was found on Twitter.com and Jaiku.com (Kartaltepe, Morales, Xu, & Sandhu, 2010). The Naz command and control attack flow and control flow is diagrammed in figure 1 below. This type of botnet exhibits the increased complexity and innovativeness of botmasters.
BotNet Figure 1

Intended Targets

In research conducted by Damballa (Ollmann, 2009), a distinguishing factor identified directly relates to what type of victim is targeted by a botnet: broad-spectrum internet user or the enterprise asset. In this research, 50 percent of botnets identified in the enterprise environment were Internet Targeted botnets. These broad-spectrum attacks are aimed at any Internet user but often enter enterprise environments due to relaxed security or usage of personally owned computing equipment in the workplace. These botnets often have readily available fixes but require enterprise security teams to patch software properly and keep anti-virus signatures up to date (Ollmann, 2009).

The next target group identified is called the Enterprise Targeted botnets. In this case, botnets found within the enterprise are hardly ever found circulating the Internet. These botnets are designed to penetrate and propagate within enterprise networks and are a blend of sophisticated remote access Trojans with worm propagation functions. These botnets are often targeted at specific industries such as online retail companies or specific people within the organization such as the Chief Financial Officer. These botnets are typically more advanced than Internet Targeted botnets. Around 35 percent of botnets encountered within the enterprise are of this type (Ollmann, 2009).

The next group identified is called the Deep Knowledge botnet. Although only making up 10 percent of the botnets identified in the enterprise, these botnets can be very sophisticated and very dangerous. The botmaster often has a high degree of knowledge about the infiltrated enterprise and the information architecture. It is believed that many of the Deep Knowledge botnets are created and installed by hand for legitimate remote administration by employees. The bigger problem is that many commercial do-it-yourself malware construction kits have backdoors to their creators or partners (Ollmann, 2009).

That last group identified by Damballa is a catch-all group referred to as Others. In this group, the remaining 5 percent of botnets encountered in the enterprise vary in sophistication and functionality and don’t fit neatly into any other group. These include small botnets targeted at a specific group for industrial espionage and competitive advantage or possibly state-sponsored botnets aimed at specific goals (Ollmann, 2009).

Use of Botnets


Because of the flexible nature of botnets, the use by cyber criminals is vast and evolving. One common use of botnets is the execution of Distribute Denial of Service (DDoS) attacks. In a DDoS, botnets are used to deplete the network bandwidth and other computational resources of target sits. Using a botnet for this type of attack magnifies the impact of the attack and eliminates the need to mask or spoofidentifying information (Choo, 2007). In the enterprise environment, botnet DDoS attacks may pose a substantial risk particularly for e-commerce lines of business. Also, DDoS attacks aimed at unique network resources such as the Dynamic Name Service (DNS) may prevent normal business operations within the enterprise environment. Similarly, ‘spidering’ attacks on a company’s website uses HTTP floods that recursively access resources causing denial of service conditions (Uses of botnets, 2008)

In addition to DDoS attacks, botnets are also used for spam dissemination. In April of 2005, Symantec spam statistical report indicated that 61 percent of global email was identified as spam (Choo, 2007). The financial gain achieved by botmasters through spamming encourages ever increasing vigilance. A spambot malware, known as SpamThru, included sophisticated features that used advanced encryption, installs its own antivirus scanner to eliminate competing malware, and even enacted functions to evade anti-spam measures (Choo, 2007). Enterprises inflicted with botnet malware may be producing spam inside the enterprise.

Information theft is a major concern for botnets in the enterprise environment as well as individual privacy for home users. Sniffing traffic and key-logging components are often found in botnet malware allowing botmasters to collect unencrypted traffic passing through the bot or log all keystrokes entered by a user (Uses of botnets, 2008). In the enterprise environment, there is a substantial risk of compromising critical sensitive information or business trade secrets. This information must then by ex-filtrated back to botmasters through covert channels.

Botnets have also been used to spread new malware. Newly created malware can obtain a substantial rapid existence by using computers under the control of a botmaster to launch the new malware. Many botnets include functionality to remotely download new files and execute them. The Witty worm was initially launched through the use of an existing botnet (Uses of botnets, 2008). Botnets existing in an enterprise environment pose a substantial risk as newly released malware may not have antivirus signatures available magnifying potential compromise.

Another substantial motivator for botnet use is for financial gain. Often referred to as “click fraud”, botnets are able to abuse ad programs like Google AdSense by using bots to ‘click’ on ads to artificially increase the click counter. The use of this type of financial gain is not common (Uses of botnets, 2008); however, a 2010 study indicated a growth in this activity with 42.6 percent of all click fraud originating from botnets (Singer, 2010). A similar type of financial gain was seen with a recent Twitter-based botnet that mines the online currency known as bitcoins. This type of botnet was aimed at stealing virtual currency by leveraging the massive distributed computing power of the botnet to solve complex mathematical tasks. Based off the bitcoin economy, the more computations a user accomplishes the more virtual currency can be created. That virtual currency has exchange rates for conventional currency (The H Security, 2011).

Of greater concern than bitcoin mining, botnets can be used for mass identity theft. Botnets can deploy phishing scams that lure victims into entering sensitive private information into compromised or bogus websites like PayPal or banking institutions (Uses of botnets, 2008). This tactic combined with packet sniffing and key logging introduces substantial risk to the enterprise and the organization’s employees.

History of botnets

The origins of botnets can be traced as far back as 1999 with the creation of the malware Sub7 and Pretty Park. Both of these offered a control method utilizing an IRC channel where the creator could send malicious commands to infected computers. A year later, the Global Threat bot, or GBOT for short, was introduced that included higher sophistication. Namely, the GBOT was able to access raw network level sockets (both connection-oriented TCP and connection-less UDP) allowing for Denial of Service attacks. Additionally, the GBOT had the ability to hijack Sub7 infected computers and “update” them to GTBots (Ferguson, The history of the botnet - Part I, 2010).

In 2002, the release of SDBot and Agobot fueled the growth of botnets and initiated the creation of variants. These two botnets introduced techniques such as creating backdoors, disabling anti-virus, and blocking access to security vendor websites. These early botnets were aimed at information theft and remote control. SDBot, due to the public release of its source code, became the standard for several variants including the Spybot botnet in 2003. With Spybot came new functionality such as key logging, data mining, and Instant Messaging Spam (SPIM) (Ferguson, The history of the botnet - Part I, 2010).

Also in 2003, two more significant functionalities were first seen in the wild. First, the Rbot botnet introduced proxying for relaying commands and the coordinated Distributed Denial of Service (DDoS) attack. Rbot also included information stealing tools as well as encryption techniques to try to evade detection. Second, the Sinit botnet introduced a new topology of peer-to-peer. This marked the evolution of botnets away from the IRC command and control channels due to easy detection and frequent blocking at enterprise boundary firewalls (Ferguson, The history of the botnet - Part I, 2010).

Criminal interests surfaced in 2003 with several botnets that facilitated spamming. The Beagle, Bobax, and Mytob botnets included mass-mailing functionalities enabling criminals to distribute their spam with agility, flexibility, and covertly to avoid ever increasing law enforcement efforts (Ferguson, The history of the botnet - Part II, 2010).

Throughout the next several years, many famous botnets were introduced. RuStock in 2006 and the infamous ZeuS crimeware family. As an information stealing tool, ZeuS has been updated to newer versions several times with increased functionality and lethality. The botnet interfaces have been designed to entice less technically savvy criminals by allowing for simple point and click controls. Subsequently, developers have included backdoors in the command and control software turning criminal controllers of botnets into victims as well (Ferguson, The history of the botnet - Part II, 2010).

Efforts to fight back have been launched by government and private companies. In 2008, two Internet Service Providers de-peered – or stopped routing traffic – the McColo hosting provider which routinely hosted command and control servers for botnets. This takedown resulted in a 75% reduction in spam Internet-wide (Security Focus, 2008). In June of 2009, the Federal Trade Commission closed down the Internet Service Provider ‘3FN’ which impacted some botnet command and control networks. Despite efforts to disrupt these botnets, the creators become more innovate and increase efforts at evading detection. One technique used by the Conflicker botnet was to generate 50,000 alternative hostnames daily making in near impossible for the security industry to block them all (Ferguson, The history of the botnet - Part II, 2010).

In the late 2007s, the landscape of botnets continued to evolve into the Web 2.0 technologies. Having left behind IRC and basic peer-to-peer command and control, alternate channels were embedded in blogs and Real Simple Syndication (RSS) feeds. Criminal innovation continues to evolve as seen by ZeuS bot storing configuration files in the compromised Amazon EC2 cloud service. With botmasters using Facebook, Twitter, and Google as command and control channels, detection has become more and more difficult as communication to these sites is very common and expected. Finding the hidden, covert channels is and will continue to be challenge for security specialists. Future expectations include use of highly effective encryption techniques such as Public Key Infrastructure (PKI) and advanced peer-to-peer cloud services. Already in use, the Koobface botnet uses social networking services for propagation of spam by sending messages, making posts, and even creating it’s own Facebook profile page (Ferguson, The history of the botnet - Part III, 2010) (Ferguson, 2010 - Year of the Zombie Cloud?, 2010).

 

 


About the Author

Christopher Furton author bio picture
Christopher Furton

is an Information Technology Professional with over 12 years in the industry.  He attended The University of Michigan earning a B.S. in Computer Science and recently completed a M.S. in Information Management from Syracuse University.  His career includes managing small to medium size IT infrastructures, service desks, and IT operations.  Over the years, Christopher has specialized in Cyber Security while working within the Department of the Defense and the United States Marine Corps. His research topics include vulnerability management, cyber security governance, privacy, and cyber risk management.  He holds active IT Certifications including the CISSP, CEH, ITIL Foundations, Security+CE and Network+CE.  He can be found on , , and .  

Additional information available on Christopher Furton's website at
Comments