Malicious Bots: An Inside Look into the Cyber-Criminal Underground of the Internet
1 Introduction to Bots
2 Thr34t Security Krew and the TK Worm
2.1 The Investigation of the Thr34t Krew
2.1.1 First DYNDNS Account (BestIce)
2.1.2 Second DYNDNS Account (Phreeze)
2.1.3 Third DYNDNS Account (D00M)
2.1.4 Seth Fogie
2.1.5 Help with Additional Technical Details
2.1.6 A Trip Across the Pond
2.1.7 Sitexec
2.1.8 DiSice
2.1.9 XaNiTH
2.1.10 Sitexec
2.1.11 Second Search Warrant Sweep
2.1.12 Jadaka
2.1.13 Mr40
2.1.14 Thr34t Krew Investigation: Concluding Comments
3 Demonstration: How a Hacker Launches a Botnet Attack
3.1 Step 1: Find, Modify, and Build a Bot
3.2 Step 2: Customize the Binary for Attack
3.3 Step 3: Launch the Attack
3.4 Step 4: Managing the Botherd
3.5 Step 5: Payloads, with an Emphasis on “Pay”
4 Introduction to the Use of Botnets in Criminal Activity
4.1 Timeline
4.2 Bots: A Pathway to Criminalization of the Information Age
4.3 Bots: The Integrated Business Solution for Criminals
4.4 “Botmasters” Who Were Caught
4.4.1 International Botnet Task Force Conferences
4.4.2 Operation “Bot Roast” I and II
4.5 How Big Do Botnets Need to Be to Pose a Serious Threat?
4.6 Peering Inside the IRC Botnet
4.7 Post-IRC-Based Bots
4.7.1 Botnet Attack Statistics
4.8 Botnet Features and the Criminal Enterprise
4.8.1 A Modular Approach to Botnets: A Major Aid to Criminals
4.8.2 Granular Spreading Capabilities
4.8.3 A “Service Bot”
4.8.4 The Degradation Feature of Botnets and Its Impact on Criminal Activity
4.9 Botherds Through the Eyes of a Criminal Mind
4.10 Criminal Vectors Utilizing Bots
4.10.1 Theft of Sensitive Information
4.10.2 DDoS Attacks and Extortion
4.10.3 Bot for Rent or Hire
4.10.4 Spam
4.11 Spam Bots and Criminalization
4.11.1 Pump-and-Dump Fraud
4.11.2 Covert Communications
4.11.3 Click Fraud and Affiliate Abuse
4.11.4 Adware Abuse
4.11.5 Taking Out the Competition
5 Botnets and the eCrime Cycle: The iSIGHT Partners’ Approach
6 Technical Introduction to Bots
6.1 Common Ports
6.2 Command and Control Strategies
6.2.1 IRC C&C
6.2.2 Peer-to-Peer C&C
6.2.3 Web-Based C&C
6.2.4 Use of Encryption or Obfuscation
6.2.5 Types of Distributed Denial of Service (DDoS) Attacks
6.2.6 Introduction to Selected Bots
6.2.6.1 AgoBot
6.2.6.2 SDBot
6.2.6.3 PhatBot
6.2.6.4 The Infamous Hang-UP Team and IRC-Based Fraud Operations
6.2.6.5 Reptile
6.2.6.6 ZoTob
6.2.6.7 PBot
6.2.6.8 Tsunami
6.2.6.9 Kelvir
6.2.6.10 MetaFisher
6.2.6.11 Storm
7 Mitigation
8 Concluding Thoughts
USA Today: Botnets Used for Blackmail in Cyber Extortions
The Kraken Botnet
A Botnet That Targets .edu and .mil Servers
"Poisoning" the Storm Botnet
The Battle Is Joined!
The "Cyber Parasites" of the Internet
On the Edge of a Precipice
Glossary
Bibliography
The fascinating and never-before-revealed account of the Thr34t Security Krew investigation and arrests is presented here by Lance Mueller. Lance collaborated with the authors of this book during the active investigation and provided the account below as a contributor to this book. He provides this documentation as a former CATCH team member and criminal investigator in California.
A multitude of sources describe various types of bots and their features but fail to demonstrate how hackers actually perform bot attacks in the wild. This section introduces several subjects that can be quite complicated, such as how to modify source code and compile a binary (a bot executable). We have attempted to provide an overview that is technically compelling and thorough without losing less technical audiences. Some more advanced technical detail has been purposely omitted so that this information cannot easily be abused for illegal or immoral purposes; readers who want to go deeper into those technical topics can contact the authors for additional resources. Chapter 3 looks at how a would-be hacker might create, launch, and manage a botnet for criminal gain.
The main theme of this book is that cyber-criminals and nefarious actors of all stripes are using botnets as one of their primary tools to defraud innocent victims worldwide and to threaten others. Understanding how they do this, and what stolen credentials are worth in the underground marketplace, is crucial to knowing how to combat this growing and dangerous threat. A hacker can easily create, rent, or purchase what is required to launch a bot attack against many machines at once and thereby quickly assemble a botnet for financial gain. As stated at the beginning of this book, bots started out as something non-malicious but, over a ten-year period during the dawn of the World Wide Web, developed into a criminal tool of choice.
What used to be child’s play, Trojan “fun stuff,” petty theft, and denial of service attacks against rival hacker sites has turned into sophisticated organized crime and massive profits in the twenty-first century. Understanding how criminals actually make money from bots is critical context for understanding both the future of bots and other automated, saleable, financially motivated attacks.
The bots documented in this portion of the book have been selected for their historical importance, prevalence in the wild, involvement in notable incidents, or notable technical features. These case studies are not comprehensive by design. Our goal is to describe, in general terms, the relevant families of selected malicious code and the details pertinent to each investigation. Chapter 6 provides examples of how bots are installed on computers, whether through user interaction (tricking a victim into double-clicking a file) or through exploits and similar vectors.
This book does not emphasize bot code analysis or mitigation. However, in the interest of promoting best practices and giving readers a starting point for removing malicious bots, Chapter 7 provides some general guidelines for the mitigation of bots.
This book began with the assertion that bots, when they were first created, were neutral entities. It took some time before malicious actors began to harness the power they offered for all sorts of nefarious purposes. But harness them they did, and today, without question, malicious bots have impacted the entire cyber realm and significantly contributed to automated and highly scalable criminal operations. Or, to put it another way in the language of the underground, “Botnets Rule!” Bots have served their purpose well in the early portion of this new era of Internet fraud, helping the underground move beyond child’s play and one-off attacks into a mature criminal economy built on fraud operations. Bots will remain a constant threat for years to come, both through highly sophisticated financial fraud attacks and through opportunistic “death by a thousand cuts” on the Internet. More importantly, they will continue to affect many areas of technology as the Internet matures, exploiting new vectors such as VoIP and PDA/cell phone fraud opportunities. Botnets have become so important that, at the nation-state level, there has even been a recent call to create a “military botnet” that could be used for the online equivalent of “carpet bombing in cyberspace”!