Executive Overview: With the survival time of a fresh Windows install sometimes measured in seconds, knowing a little about some of the more pervasive bits of malware out there and how to ferret them out on your network can't hurt.
Sometimes it's satisfying to leave the
confines of the NOC and take a stroll through the cube farm, secure in
the knowledge that the machines on your network are secure and in hand.
Except, perhaps, when they're not.
A "botnet" is a collection of computers that have been infected with
remote-control software. An IRC "bot" is the software that gets
installed by a virus, which in turn connects to an IRC (Internet Relay
Chat) server — the control plane for sending commands to the
A typical botnet scenario involves thousands of compromised Windows
machines and a single "attack" command issued by the owner of the
botnet, resulting in once innocent computers executing an attack on an
unsuspecting Web site. This article will explore common methods of
infection and the capabilities the bots have, for the sake of better
understanding these perils.
When an unpatched Windows computer connects to the Internet,
survival is an unlikely prospect. Within minutes, the computer can
become infected with a trojan or virus that installs an IRC bot. The
bot will immediately "phone home" by connecting to an IRC server then
stand by, awaiting commands. SANS has cited 24 minutes as the average
amount of time a freshly installed Windows XP computer can last on the
Internet before infection. If you're running a fresh install of MS-SQL
server, the time is considerably shorter. Some have cited sub-minute
survival times for new, unpatched SQL servers.
What Can They Do?
Botnets have various capabilities, including denial of service attacks,
spam relays, theft of personal information, and they even start web
servers on infected computers to aid in phishing attacks. These are all
illegal activities, and definitely not something you want coming from
your computer. There's nothing worse than receiving e-mail from a
different company's security officer with evidence you've been
attacking them or sending spam.
Reading the source code for one specific IRC bot leads to
much enlightenment, and fright. The repertoire of tasks a bot can carry
out on its owner's behalf is truly astounding. Here's a brief list of
a few of the more interesting things bots can do:
- Run their own IRC server, becoming a master for other bots to
- Capture or "harvest": CD Keys from the Windows registry, AOL
traffic including passwords, and the entire Windows registry
- Start flooding a specific IP or network using TCP, UDP, or
- Add/delete Windows services from the registry
- Test the Internet connection speed of the infected
- Start the following services: http proxy, TCP port redirector,
and various socks proxies
- Scan and infect other computers on the local network
- Send spam
- Download and execute a file from a given FTP site
And if that wasn't horrific enough for you, consider the following:
all of the IRC bots (that I've seen) also have modular capabilities. So
if someone programs a new module to extend the bots' capabilities, the
owner of the botnet simply runs a single command to install and use the
new module on every bot. The capabilities listed above were taken from
the agobot source code, but other popular ones probably have similar,
if not better, functionality.
What Can You Do?
IRC bots are normally installed via known vulnerabilities, so
preventing your computer from being taken over should be as easy as
keeping up to date on Windows Updates and virus definitions. Windows
file sharing (ports 135-139 and 445) and MS-SQL (1433, 1434) should
never be allowed in from the Internet. In a case where a new computer
is being installed, it is common for an infection to take place before
Windows update has a chance to complete. Installing in a secure area
with the appropriate ports blocked should allow for a safe installation
and update, assuming no internal computers are infected and trying to
fan out. NAT is
the obvious solution for this, but doesn't always work in enterprise
environments doing unattended installations of Windows.
Tracking IRC bots has become quite a hobby for some people. From a
network perspective, most anomalous traffic these days is turning out
to be IRC bot related. IRC bots will respond to an "infect" command,
and start scanning the local network and infecting others. This type of
activity (scanning) normally raises a few eyebrows on carefully managed
networks. Intrusion detection systems, like Snort, also have signatures
for some of the more common IRC bots.
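The fan-out behaviour described above is detectable from plain connection records. The following is an added example, not code from the article or from any IDS product: it flags any source that touches many distinct hosts on the Windows file-sharing and MS-SQL ports within a short window. The threshold, window and flow records are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the article says bots use to fan out across the local network
# (Windows file sharing and MS-SQL). Threshold and window are assumptions
# picked for this example; tune them to your own network's baseline.
FANOUT_PORTS = {135, 137, 138, 139, 445, 1433, 1434}
DISTINCT_HOST_THRESHOLD = 20
WINDOW = timedelta(seconds=60)

def parse_flow(line):
    """Parse a constructed 'timestamp src dst dport' record."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_fanout(lines, ports=FANOUT_PORTS, threshold=DISTINCT_HOST_THRESHOLD, window=WINDOW):
    """Return {src: peak distinct-host count} for every source that touched at
    least `threshold` distinct hosts on `ports` inside one sliding `window`."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if dport in ports:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits

# Constructed flow records: 10.0.0.7 sweeps 25 hosts on 445 in 25 seconds
# (bot-like fan-out), 10.0.0.8 makes three normal SMB connections, and
# 10.0.0.9 browses 30 web servers on port 80, which is not a fan-out port.
SAMPLE_FLOWS = (
    [f"2005-03-01T09:00:{i:02d} 10.0.0.7 10.0.0.{100 + i} 445" for i in range(25)]
    + ["2005-03-01T09:00:05 10.0.0.8 10.0.0.50 445",
       "2005-03-01T09:00:06 10.0.0.8 10.0.0.51 139",
       "2005-03-01T09:00:07 10.0.0.8 10.0.0.52 445"]
    + [f"2005-03-01T09:00:{i:02d} 10.0.0.9 10.0.0.{200 + i} 80" for i in range(30)]
)

if __name__ == "__main__":
    for src, count in find_fanout(SAMPLE_FLOWS).items():
        print(f"possible bot fan-out from {src}: {count} hosts on SMB/MS-SQL ports")
```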
For example, if the string "Exploiting IP" is seen in an IRC
message, chances are very high that this is an IRC bot reporting home.
They don't attempt to conceal what they are doing most of the time, as
can be seen by running ngrep "#exploit" on a network monitoring host
(#exploit is the IRC channel name). Even though you will be able to see
the IRC traffic once you have identified which host is possibly
infected, detecting infected computers on your network is not always a
simple task. Snort does a fair job, if you've updated the signatures to
tell it what to look for.
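The two indicators the article names, the "#exploit" channel and the "Exploiting IP" string, can be applied to captured IRC lines directly. This is an added example, not the article's or any tool's code; the IRC line format is the standard one, while the indicator lists and the sample capture are constructed for the example.

```python
import re

# Indicators taken from the article: bots report into a channel named
# "#exploit" and their status messages contain "Exploiting IP". The line
# format is standard IRC; the sample traffic below is constructed.
SUSPECT_CHANNELS = {"#exploit"}
SUSPECT_STRINGS = ("Exploiting IP",)

IRC_LINE = re.compile(
    r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+)\s+(?P<cmd>[A-Z]+)\s+(?P<params>.*)$"
)

def parse_irc(line):
    """Split one prefixed IRC line into host, command, target and text."""
    m = IRC_LINE.match(line)
    if not m:
        return None                      # server PINGs etc. carry no client prefix
    target, _, text = m.group("params").partition(" :")
    if target.startswith(":"):           # 'JOIN :#chan' form has no separate text
        target, text = target[1:], ""
    return {"host": m.group("host"), "cmd": m.group("cmd"),
            "target": target, "text": text}

def flag_irc(lines):
    """Return {client host: sorted reasons} for traffic matching an indicator."""
    hits = {}
    for line in lines:
        msg = parse_irc(line)
        if msg is None:
            continue
        reasons = set()
        if msg["target"].lower() in SUSPECT_CHANNELS:
            reasons.add(f"channel {msg['target']}")
        reasons.update(f"string {s!r}" for s in SUSPECT_STRINGS if s in msg["text"])
        if reasons:
            hits.setdefault(msg["host"], set()).update(reasons)
    return {host: sorted(r) for host, r in hits.items()}

# Constructed capture: an infected host joining and reporting into #exploit,
# ordinary chatter, and a human whose wording happens to contain the string.
SAMPLE_IRC = [
    ":[XP]-12345!bot@10.0.0.7 JOIN :#exploit",
    ":[XP]-12345!bot@10.0.0.7 PRIVMSG #exploit :Exploiting IP: 10.0.0.112",
    ":alice!alice@10.0.0.8 PRIVMSG #lunch :anyone want pizza?",
    "PING :irc.example.invalid",
    ":bob!bob@10.0.0.9 PRIVMSG #dev :Exploiting IP fragmentation for the lab writeup",
]

if __name__ == "__main__":
    for host, reasons in flag_irc(SAMPLE_IRC).items():
        print(host, "->", ", ".join(reasons))
```

The last sample line shows why a bare string indicator needs corroboration before anyone pulls a network cable; the channel match on the same host is what makes 10.0.0.7 the credible report.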
Owners of a botnet are always looking to expand operations. They are
in a constant struggle to own more and more slave computers. The more
high quality the botnet, the more revered the owner will be. Corporate
and educational owned computers are prime targets, since they are
normally well connected in terms of Internet bandwidth. The sad part
is, in general, infecting corporate and educational networks is just as
easy as infecting residential computers.
Sdbot, rxbot, and agobot are a few of the most common bots at the
moment. It doesn't really matter which bot is running on a computer,
since they all provide complete control to the new owner of the
compromised computer, resulting in a very bad day for the original
Antivirus software and the new Malicious Software Removal
Tool from Microsoft are both able to detect existing bots. Some bots
have been known to propagate via e-mail as well, making the infection a
bit harder to block.
Aside from user education, the best method to prevent previously
unseen infections from taking over a computer is to simply block the
above-mentioned ports. New Windows vulnerabilities may exist in the
future, but for the time being, you should be relatively safe.