Hostile Code: Worms and Bots
Malware is a general term for malicious code that attempts to disrupt the normal function of computer networks. Two of the most popular types of malware today are worms and bots. This white paper will explain what worms and bots are, how they work, and how to protect yourself and your network against them.
Worms and bots are increasingly the tools of professional criminals. Internet users need to know what the threats are, and how to protect themselves from them.
Worm Overview
Worms are pieces of code, generally small, that can spin off copies of themselves. They usually spread very quickly, with little or no help from the users on the affected systems. Some worms can be embedded in other file types. For example, a worm could send emails containing more worms to users, who would have to activate the code with their mail reader. Or the worm could begin scanning the network for vulnerable hosts, and attack them with an automated exploit that requires no human intervention.
One problem defenders face is that worms mutate and evolve very quickly. The attacker community shares code, and a successful worm will be imitated and improved upon. Worm writers use both technical means to defeat operating system controls and old-fashioned trickery to get users to manually execute their program. The situation can be compared to an arms race: both sides are constantly improving their technique.
Antivirus systems (AV) and intrusion detection systems (IDS) exist to detect worm code. The initial response of worm writers was to encrypt the code, but the AV and IDS systems then scanned for the encryption code. The response to this was polymorphic code: code that is continually modified, then encrypted, with the decryptors hidden. Sophisticated application of polymorphic techniques makes worm detection difficult: the appearance of the code changes, but the functionality does not.
The Structure of Worms
The code in a worm can be broken into several distinct pieces. There is a target selector, which is usually a host scanner, a network scanner, or both. This piece picks out new targets to try to exploit. A host-based example of this is a bot going through all the Outlook contacts on a host. Network-based target selectors may scan all the computers on the local network, or scan computers at random on the Internet. The scans can be for specific network resources, such as a file share, that can be exploited, or for other computers that can be targeted. More sophisticated systems may do operating system identification of hosts, and then attack with exploits for several specific vulnerabilities.
Every worm must contain an exploit, or infection mechanism. This is the "trick" the worm contains that allows it to infect more computers. Researcher Ed Skoudis has called this the "warhead", since it is the piece of code that makes the worm or bot dangerous. Some worms use more than a single exploit. Typical exploits include buffer overflows, using default passwords and accounts, sending mass emails, and exploiting vulnerabilities in available peer-to-peer networking programs.
Worms usually have some sort of communications module, so that the infected computer can "call home." This may be as simple as keeping a count of the number of systems infected, or it may be more nefarious, such as downloading programs from the attacker's systems. The array of tools available to hackers is diverse and powerful. The simplest approach is to put a backdoor listener on the infected host, so that the attacker can reconnect to a shell on the host at will (if the infected hosts are behind a firewall, that may defeat this tactic). Some bots come with their own mail server (SMTP engine), so that they can bypass controls in place on the local host's mail client. Further, most networks allow outgoing SMTP traffic, so this method is likely to be allowed through the firewall. Another approach is to connect the infected computer to a peer-to-peer network or an Internet Relay Chat (IRC) server, and use this to communicate with the attacker.
The most dangerous part of a worm is the payload. Not all worms have payloads. A worm without a payload may be a nuisance, and may even do damage by consuming all available bandwidth, but its potential for mischief beyond denial of service is limited. SQL Slammer is a good example of this. It was so aggressive that it spread across the Internet in a couple of hours, and clogged bandwidth everywhere it went, but it did not delete, alter, or disclose files. The dangerous worms can do all these things.
Payloads can perform all sorts of mischief. They can install a variety of applications on the infected host, and the applications an attacker will install aren't usually welcome. A common install is a distributed denial of service engine (DDOS engine). This application can cause the host to spew packets at a designated host with all the bandwidth available, which reduces what is available to legitimate users. Hackers use networks of thousands of these clients to attack large sites, and consume all their available bandwidth. This can be used for extortion, or to disrupt a rival site for a competitive advantage.
Another unwelcome payload is a spam engine. An infected host can be used to send out spam. The spam is usually for commercial gain, although some cases of political spam have been seen. Having an infected host running a spam engine not only reduces the bandwidth available to your network, but it could also create legal problems.
Many worms leave a backdoor as a part of the payload. This is a listener running on the host that allows the attacker to reconnect at will, and run any program they wish. Some worms, such as Bagle, have password-protected backdoors. Given the advent of techniques such as port knocking, backdoors can be stealthed, so that a routine network scan will not expose the listening ports.
Some payloads actually apply patches to the infected system to prevent another attacker from using the same exploit to control the system. This is NOT the recommended way to protect your systems! The Welchia worm attempted to download the patch for the specific vulnerability it used, and even attempted to remove infections from the Blaster worm.
Some malware writers will include timers and trackers in their work, although these components aren't necessary for the program to function. Timers can disable the program after a certain date, or cause it to perform certain actions at a specific time. Trackers send information about the infected host to some location that the attacker can monitor.
Worm researchers have speculated on the development of a "superworm," which would be able to infect multiple types of hosts (Windows and Linux, perhaps), contain multiple exploit methods, alter its appearance while spreading, and use effective distribution techniques. There is a sophisticated and experienced community developing these programs, and this is their objective.
Bots
A bot (the term is derived from the word robot) is a simple program that runs automatically. A malicious bot is self-propagating malware that infects a host and connects back to a central controller. The controller acts as command and control for entire networks of infected devices. These networks are known as botnets. Bots are often installed on a host by some other malware, such as a worm or virus. When the bot is activated, it tries to establish a connection with a controller, from which it receives instructions.
Botnet controllers are usually compromised systems, which do not actually belong to the attackers. The controllers are often systems located in Europe or the Pacific Rim. The advantage to the attacker is that locating controllers there hampers investigations due to differences in language, time zones, laws, and other factors. The controllers usually talk with bots by HTTP or IRC. The attackers manage the controller, and thus the botnet, from another computer under their control.
Like worms, bots mutate rapidly to achieve greater levels of functionality. There are a handful of major bot families. The newest variants can sniff traffic, including usernames and passwords. The latest generation of bots is picking up many of the characteristics of a rootkit, such as hiding files and processes. They can use peer-to-peer (P2P) networks for communication.
The most common control mechanism for today's botnets is IRC. Internet Relay Chat is a simple protocol for real-time, client-server based chat on the Internet. It is simple, freely available, and lightweight. It allows both public and private channels. IRC lets attackers execute simple commands on multiple systems at a time. It also provides the advantage of allowing attackers to hide their identities by connecting to controllers through anonymous proxies. IRC is rarely controlled at the borders of university environments, although corporate networks have begun limiting it.
Botnets often use a specific channel on an IRC server, sending and receiving commands like any other client. The attacker sends the commands to the selected channel, where the bots listen for instructions. A single command to the IRC server can launch a horde of waiting bots.
The newest approach to controlling botnets is to use peer-to-peer networks. The bots pretend to be Gnutella clients, and connect to the Gnutella cache servers, where they distribute software to infect new hosts. Because the software is distributed through the network, there is no central controller, which makes it harder to detect and eliminate the clients.
Bots can open backdoors on the infected host. This is often a simple web server using either HTTP or HTTPS. The attacker can then reach the host through a browser, accessing any files or shares on the system. The bot can also use HTTP or HTTPS to update itself. Once established, the bots try to download more software to exploit the system more fully (such as a keystroke logger), or to spread and attack more systems. HTTP is preferred for this work, because it is allowed through most firewalls, and because it makes it harder to detect that a bot is on the system. Bots may also install FTP or TFTP servers for file transfer.
A bot is born when a system is exploited, and the bot code is transferred to the local system, usually by HTTP, TFTP, or FTP. A Windows service is installed, one or more Run keys are modified, and the system is forced to reboot. The new bot is started up on the reboot, and it connects to the IRC server identified in the exploit code, often by dynamic DNS (dynamic DNS can be used to change the location of the controller). The bot generates a nickname, and tries to join the IRC channel. The IRC server replies to the bot with the message of the day, and the bot interprets the data on the IRC channel as commands.
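Two of the behaviours described above leave a footprint in ordinary firewall logs: the network target selector sweeping many hosts on one port, and a bot opening outbound connections to an IRC server. The following script, an added illustration that is not part of this white paper, flags both in a constructed log; the log format, the port list, the thresholds and the sample lines are all assumptions chosen for the example.

```python
# Added illustration, not part of the white paper: log format, ports,
# thresholds and sample lines are constructed assumptions.
from collections import defaultdict

# Constructed firewall log: "<epoch> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = (
    [f"{1000 + i} 10.0.0.5 203.0.113.{i} 445 DENY" for i in range(25)]  # one host sweeping port 445
    + ["1030 10.0.0.9 198.51.100.7 443 ALLOW",   # ordinary web traffic
       "1031 10.0.0.9 198.51.100.7 443 ALLOW",
       "1040 10.0.0.7 192.0.2.33 6667 ALLOW",    # bot joining its IRC controller
       "1340 10.0.0.7 192.0.2.33 6667 ALLOW"]    # and calling home again later
)
IRC_PORTS = {6667, 6668, 6669, 7000}  # common IRC ports; adjust to local policy
SCAN_WINDOW = 60     # seconds
SCAN_THRESHOLD = 20  # distinct destinations on one port inside the window

def parse_line(line):
    ts, src, dst, port, action = line.split()
    return int(ts), src, dst, int(port), action

def find_scanners(events, window=SCAN_WINDOW, threshold=SCAN_THRESHOLD):
    """Hosts hitting `threshold` distinct destinations on one port within `window` s (worm target selector)."""
    by_key = defaultdict(list)
    for ts, src, dst, port, _ in events:
        by_key[(src, port)].append((ts, dst))
    scanners = {}
    for (src, port), hits in by_key.items():
        hits.sort()
        in_window, left = defaultdict(int), 0   # dst -> hits inside the sliding window
        for ts, dst in hits:
            in_window[dst] += 1
            while hits[left][0] < ts - window:   # drop events older than the window
                old = hits[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                scanners[src] = (port, len(in_window))
                break
    return scanners

def find_irc_beacons(events, irc_ports=IRC_PORTS):
    """Internal hosts allowed out to IRC ports: candidate bot command channels."""
    beacons = defaultdict(set)
    for _, src, dst, port, action in events:
        if port in irc_ports and action == "ALLOW":
            beacons[src].add(f"{dst}:{port}")
    return dict(beacons)

EVENTS = [parse_line(line) for line in SAMPLE_LOG]
if __name__ == "__main__":
    print("scanners:", find_scanners(EVENTS))
    print("IRC beacons:", find_irc_beacons(EVENTS))
```

A real deployment would read the log stream instead of the constructed list and tune the window and threshold to the site's normal traffic, since a legitimate vulnerability scanner or patch server will trip the same scan rule.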
The dangerous thing about having a bot on your system is that it is open ended. A bot can be instructed to download a new application that watches for online banking traffic, for example, and reports URLs, usernames, and passwords back to the attacker. It can be used for spam one day, distributed denial of service another, and to delete local files another.
There are two primary motivations for gathering bots. The most obvious is economic. Botnets have been used to generate spam for profit. Botnets have been found that were used in click fraud, that is, to generate HTTP requests that look as if a user clicked on a link, which results in advertising revenue, or costs competitors advertising money even though no real customers have clicked on the advertising link. Botnets have been used in criminal activity such as online banking fraud and identity theft. Distributed denial of service for extortion is another economic use of botnets.
Another motivation for gathering bots is simply file space. Bots allow attackers to fill the disk space of infected computers with movies, and software. There are legal liabilities associated with storing pirated content on your network, just one more good reason to be diligent about keeping malware out.
Defending Against Worms and Bots
How do you defend against clever malware like this? Here are three general approaches a network administrator or home user can use to protect their computers.
Limit your exposure. There are two parts to this. First, keep your systems and antivirus software up to date. An ounce of prevention is worth a pound of cure. Worms and bots usually exploit known vulnerabilities that have not been addressed. Second, deny all traffic that originates on the Internet unless you have a good reason to accept it. In the corporate world, this is the job of firewalls and DMZs. But even home users behind a simple router are protected against most Internet-based attacks.
Avoid peer-to-peer networks. Peer-to-peer networks are currently riddled with malware. Unless you have a good reason to do so, it is best to avoid public P2P networks. If you do need to access these networks, take steps to protect the hosts involved, and to isolate these hosts from the rest of your network.
Restrict outbound traffic. If a bot does land on one of your computers, and it is unable to connect to a controller, it is much less likely to cause harm to your network. Limiting access to IRC and P2P networks is another key way to defend yourself from bots.
Conclusion
The threat from malware is real, and growing. Worms and bots are increasingly being used in professional criminal activity. It is worth time and effort to protect your network from these threats. The current defensive technology is good, but it must be in place and configured correctly to protect you.
If you have questions about this or other security issues, please feel free to contact us at Sage Information Security.