New computer worms are carrying software agents called bots that can use your network to send spam, launch attacks, and infect other computers. Find out how these bots work and how to keep them out of your network.
In I, Robot, Isaac Asimov’s classic science-fiction novel, robots are hardwired with three rules: They cannot harm humans either through action or inaction; they must obey orders from their human masters; and they must preserve themselves, except if doing so would violate the first two rules.
In the real world, rule number one isn’t yet a prime directive. But software robots known as “bots” have been programmed to diligently adhere to the second two: They follow the orders of their human masters, and they are hard to kill. And while they can’t directly cause bodily harm to human beings, they can destroy the networks that modern economies and infrastructures are built on.
Bots are beginning to prove how efficient, and how dangerous, they can be. This past summer, for example, many large organizations, including media outlets such as The New York Times and CNN, were infected with a worm called Zotob. Zotob was one of a new generation of worms that carry bots in their payload, thus handing total control of the infected computer to the bot master. (Worms are pieces of self-replicating code that can spread across a network without help from humans.)
According to security experts, Zotob—and thus the bot carried in its payload—was spread in large measure by poorly protected laptop computers that became infected, then passed along the bots when plugged into their corporate networks. If companies are to prevent bots from usurping control of their computers, they must get better at preventing infection in the first place. That likely means they will have to find an automated way to interrogate and assess every computer connected to the network to ensure that it adheres to a strict security policy.
The Zombie Army
Before discussing defensive measures, it’s first important to understand what bots are and how they are used to compromise computers. “Bots are agents that give an attacker control of a machine” by opening a door that a hacker—or anyone else given access privileges by the hacker—can then enter surreptitiously at will, explains Ed Skoudis, senior security consultant and cofounder of security firm Intelguardians.
But the bot does more than leave a door ajar. Once on an infected machine, a bot will connect back to a single point of control, typically a particular channel on an Internet Relay Chat (IRC) server.
Since bots provide a back door to an attacker, the attacker is free to come in and exploit the system’s vulnerabilities. And as new vulnerabilities are discovered, an attacker can put new worms on these infected machines and have them scan for more vulnerable machines.
Like Trojan horse programs such as Back Orifice, bots allow complete remote control of a computer; but unlike Trojan horses, bots yield huge numbers of infected computers that are controlled at a single point. “It’s an army of zombies that are centrally controlled,” says Joe Stewart, senior security researcher with LURHQ’s Threat Intelligence Group. This army is often referred to as a botnet.
Bots began to appear in the payloads of worms such as Netsky that hit in 2004, but botnets have grown considerably. Going back five years, Skoudis says, botnets were generally 500 or 1,000 infected computers; on rare occasions they might have as many as 10,000 zombies. But Skoudis has seen a botnet that’s 171,000 bots strong. “I wouldn’t be surprised if, in the space of a couple of years, we’ll see botnets that get into the multihundreds of thousands, maybe even millions of bots, under single control,” he says.
Part of the reason for the growth is that recent computer worms use easily exchanged modules. This means that serious programming skills are no longer necessary to create bots; instead, even a novice can take an existing program from the Web and easily update it with, for example, a module containing an exploit against a newly discovered vulnerability. Bots can also be altered or updated with ease to do anything from logging keystrokes to sending spam (more on these capabilities below).
The author of Zotob used a worm called Mytob and added an exploit aimed at a newly discovered vulnerability in the Windows operating system. “They all work like that nowadays,” says Stewart. “They’re like huge open-source projects, and they’re very modular.”
Malicious bots began on Internet relay chat (IRC) channels as weapons. “They started as denial-of-service [DOS] attack tools to knock somebody off a channel if they said something you didn’t like, or if they didn’t let you on their channel,” Stewart explains. Disgruntled users got the IP address of the person they wanted to attack and used simple programs that would flood that address with requests for a connection until the victim could no longer connect to the chat server.
As botnets grew ever larger, Stewart says, it didn’t take long for their masters to realize that there was money to be made simply by knocking someone offline. For example, attackers would threaten an online gambling site just before big sporting events, such as college basketball’s March Madness tournament. To prove the threat was real, Stewart says, the attackers would actually flood the site for a short time. In exchange for a payment, the hackers would spare the site from an attack that would have prevented gamblers from laying bets on its Web site.
In a recent report on computer security trends, antivirus vendor Symantec estimated that more than 900 denial-of-service attacks occurred each day on average between January 1 and June 30 of this year, an increase of some 680 percent.
Botnets have moved well beyond the simple job of DOS attacks, however. They are increasingly being used to hijack computers that can then be used as testing grounds to ensure that new vulnerabilities can be exploited, says Bruce Hughes, senior antivirus researcher at Trend Micro. Infected machines serve as “R&D testing grounds,” he says, so exploits can be tested repeatedly until they are deemed effective.
Spam. Hackers can also rent out the botnets that are under their control. Spammers are becoming favorite customers, says Stewart, as their old ways of sending their bulk e-mails are increasingly being shut off.
In the past, spam was sent via open relays, essentially unprotected mail servers that allowed spammers to send mass messages without leaving a trail. But eventually open relays were identified as the primary sources of spam, and the antispam community went to work to educate administrators on the importance of securing those mail servers, cutting down on the ability of spammers to use them to get their mass mailings out.
“People with botnets were the perfect solution for spammers,” Stewart says. Botnets could include thousands of computers, so enterprising botnet masters added a proxy-server module to the bots which allowed spammers to use those zombies to send spam. Open relays are no longer needed, and since spam can now come from so many different sources, it’s impossible for companies to keep blacklists current to block these spammers.
Size of the Problem
Despite the growth of botnets, the threat that they pose to corporate and government networks has been held in check by progress being made on the other side.
“The fact is, we have gotten better in the defensive community,” says Skoudis. He compares the hundreds of thousands of machines that were quickly compromised by the Blaster worm in 2003 to the lesser number hit by Sasser in 2004.
“Flash forward to August 2005,” he says, “and we did even better. We had less infection and less downtime and less problems.” And while Zotob received plenty of publicity, the fact that media outlets were infected is likely the reason, rather than the seriousness of the attack itself, Skoudis says.
Although large corporations are getting better at defending their networks, the threat remains serious. Even one infection can hurt a company’s bottom line and reputation. Security professionals need to understand how some companies are still getting infected so that they can protect their own organizations
Laptops may be the primary culprits, because they are often less protected than hardened corporate networks, are typically on broadband connections, and are used in an environment where safe security practices are easily neglected. Other risks arise when patching problems leave vulnerabilities to be exploited.
Laptops. David Kennedy, senior risk analyst for the Cybertrust Corporation hears of many bot incidents from colleagues who are involved in remediation efforts and directly from the companies whose systems are infected. What he finds is that most of the companies had many of the proper defenses—such as patches and up-to-date antivirus signatures—in place on their networks. That raises the question: How did the bot enter the network?
Kennedy says the most frequent method of infection was from someone who took a notebook home, hooked it up to a cable modem or DSL connection, became infected, and then brought the notebook back to work. Once the employee connected the laptop directly to the corporate network, it bypassed the firewalls and antivirus scans that might have detected and blocked a bot. That allowed the bot to spread via internal networks, despite the outer defenses of the corporation.
Trend Micro’s Hughes agrees that if you attached a laptop to a home network that was inadequately protected and then became infected, as soon as you connected that laptop to the company’s network, it could start spreading an infection if the proper procedures were not in place at the company (more on solutions below).
Perhaps the greatest threat to network security is the so-called “zero-day” attack, in which a worm exploits a previously unknown software flaw before anyone can create a patch. Precisely this scenario occurred in December, when attackers found a new way to exploit a hole in certain graphics files; it took Microsoft more than a week to release a patch.
In the case of Zotob, within two days after Microsoft announced the discovery of a new critical vulnerability and patch, exploits had already appeared that targeted that vulnerability, and two days later, a worm was born. Since exploits come out so quickly, “it’s really important to keep up-to-date with patches for the operating system,” says Hughes.
But with a large system, patching takes time. Sources at Finland-based antivirus company F-Secure, which saw the worm first and called it Zotob, tell the story of how one company, with more than 20,000 workstations and some 1,500 servers, was infected despite its efforts to patch all its machines quickly.
The day after Zotob appeared, the company had already installed the patch that Microsoft had created when it announced the vulnerability, but one critical server could not be rebooted during business hours, and the patch could not take effect until that was done. The reboot was scheduled for after-office hours.
However, by 4:30 p.m., the company saw the first signs of infection, when unusual traffic was noticed by automated sensors on the network. Company administrators later discovered that a laptop connected to the network had carried the infection from the user’s home network. By 9:00 p.m., more than 500 of the company’s computers were infected.
Since mobile users plugging laptops into corporate networks can be a major cause of bot infections, companies need to better protect those machines. In addition, in the event that a laptop does get infected, companies must have ways of preventing that malicious code from spreading from the laptop to the corporate network. Experts say there are several strategies that will help.
Protecting laptops. Companies should make sure that any laptops that are to be connected to the network have properly configured firewalls as well as current antivirus signatures. In addition, mobile users need to be taught the importance of safe-computing measures (such as not opening file attachments in emails). By following safe-computing policies, users can cut off the main entry point of bot infections.
Shutting doors. In addition to educating users and strengthening laptop protections, the company must fortify the network internally. Shutting doors to the network is an effective first step toward blocking attacks. For example, many worms take advantage of the specialized rules, known as protocols, standard to all computers that define the ways in which computers transmit data. One example of a protocol is NetBIOS, which allows applications to communicate across computers, Skoudis says.
Not all of these protocols need to be in place, however, meaning that certain kinds of communications need not be allowed between computers. Skoudis notes that many organizations have finally begun to block these oft-unneeded protocols at the perimeter of their networks, and even within the network whenever possible. The more that organizations block unnecessary protocols, the less vulnerable they will be to getting hit by the most common worms—and that will reduce the opportunity for the accompanying bots as well.
A company can only go so far in curtailing the functionality of its network, however. For example, Zotob, like many other worms, spread via port 445, which is used for a file-sharing protocol. Blocking access to this port via a firewall can reduce the risk of infection by many worms. Unfortunately, experts say, that’s not always practical, because keeping port 445 open is sometimes a business necessity.
IPS. Where ports cannot be shut off, intrusion prevention systems can be useful in keeping bots out. LURHQ’s Stewart says that organizations that cannot turn off unneeded protocols because their functionality is important to business operations absolutely need to use IPS on
“You might not be able to live without Windows networking, for example, and that port is a primary vector,” Stewart says, “so in those cases you’re going to have to deploy things like intrusion prevention devices so that you can still allow the good traffic through and then log any worm attempts.”
IDS. Despite the technologies and tools available to lock down networks, in the arms race against bots and viruses, network administrators are always on the defensive—and even the best measures may not keep out every infection. Therefore, experts say, networks need intrusion detection systems (IDSs) in place to prevent bots and worms from functioning and spreading.
IDSs are extremely effective at detecting bot-related traffic, says Trend Micro’s Hughes. That’s because bot masters typically send a message to their botnets to find another vulnerable host so that they can increase the size of the botnets they command.
“They don’t do this once every minute; it’s usually hundreds every second, so you see a large amount of traffic,” he says, enough to suddenly and completely clog even the fastest Internet connection. With IDS in place, this traffic can be immediately noticed and terminated.
Outbound access. Bots similarly need to communicate with their masters, so blocking outbound avenues of communication can prevent bots from contacting IRC channels or sending out sensitive information such as passwords. Firewalls can block outbound access from unknown programs or unusual ports, says Hughes.
Skoudis says that putting up this kind of roadblock is common sense, and he suggests an additional method. Computers on an internal network should not be allowed to send packets directly to the Internet, he says, but rather should go through some centralized proxy servers because these are easier to monitor and protect, and create chokepoints for inappropriate traffic as well.
Better patching. Thom Bailey, director of product management with Symantec, says that given the importance of keeping systems patched, many companies are looking for an automated approach—what Bailey calls the “thermostat approach.”
“The problem with that approach is that it misses a very critical piece in any patch-management discipline, and that is testing,” he says. Testing, Bailey says, can take as long as 60 days in a large network.
“We’ve had a lot of customers who have had a bad experience because they’re looking for that thermostat approach” but have done more harm than good when an untested patch damaged a system, he says.
Virtualization. There are no easy answers to this dilemma. But Symantec and other companies are looking at innovative techniques to streamline the process. One of these techniques is virtualization, in which specialized software replicates a network environment. Patches can be tested against this virtual environment without having to worry about crashing the real network, Bailey explains. This means the patch can be tested and rolled out to the network in a much shorter time than before.
Replication. Some well-heeled companies set up identical sets of servers that are synchronized with the working, production-environment servers. These, Bailey says, can be patched so that the systems can be switched at the flip of a switch. However, the obvious costs of such a plan include not only the price of duplicate servers, but also the technology needed to ensure that data on the two sets of servers is replicated in real time and consistently.
Access control. Networks need to segregate “clean” from “dirty” computers; that is, those that are known to be infection-free from those that are coming in from outside and are potentially contaminated. Hughes reiterates that laptops are often implicated here.
“If you were to get infected and then come inside, as soon as you started up your computer, it would start spreading inside your organization,” he says. Vetting computers before they are allowed onto corporate networks can prevent that harmful scenario from occurring.
Many companies have technologies that can do this vetting. “Cisco and other vendors are pushing network access control,” or NAC, says Hughes. “Companies that have that were ahead of the game on this, because a good NAC function will check a system for infections before it allows access to a network.” Microsoft is building a type of NAC called network access protection (NAP) into Vista, the newest release of the Windows operating system, as well as Longhorn, its updated Windows Server software.
These types of solutions validate that any computers that connect to a network meet a set of minimum requirements. “Network access control will make sure machines can’t connect to the network until patch levels are where they’re supposed to be and virus scanning is up to date,” says Stewart.
Symantec’s Bailey says that his company recently acquired Sygate, an acquisition which brought technology for interrogating and quarantining computers that plug into a network. In explaining how this kind of technology works, he gives the example of a sales rep who has been out of the office for a long time, and whose laptop may harbor a worm or bot. When the laptop is plugged in, it is immediately interrogated by a machine on the main network before it is allowed to fully connect, he explains.
“There’s a set security policy which indicates that in order to get onto this production environment, I need to have the following things done. That could be I need to have the latest antivirus definitions, I need to have file and print sharing turned off, I need to have certain parameters in Symantec or the Windows XP firewall enabled here or there, or I need to ensure I have the following software installed for any type of compliance with HIPAA or Sarbanes-Oxley,” he says, referring to regulations that affect the way that healthcare and financial organizations protect data.
If the laptop is found to be out of step with a given security policy, it’s pulled off the network and put into quarantine, and then is provisioned accordingly. Then, the machine is reinterrogated and, if it is it fully in compliance, can safely connect to the network.
Asimov’s three rules for robots were meant to ensure that any automated assistants remain in our service, incapable of doing us harm. Today that concern is as much science as fiction.
For us to stay ahead of the bad guys, we need to understand how bots work and what their limitations are. Then we can take steps to ensure that bots are blocked where they are not wanted or needed, and maintain our position as their masters and not their victims.
Peter Piazza is associate editor at Security Management.