Let’s kick some bot!

2007-06-01

Martin Overton

Independent researcher, UK
Editor: Helen Martin

Abstract

Martin Overton reviews Syngress's latest security title: 'Botnets - the killer web app'.


Introduction

Title: Botnets – The Killer Web App

Author: Craig A. Schiller, Jim Binkley et al.

Publisher: Syngress

ISBN: 1-59749-135-7

Cover price: $49.95

This book covers what has become a hot topic in the security community since the move by cybercriminals and spam gangs towards business models that involve building and exploiting vast numbers of ‘zombie’ machines scattered all over the globe. These machines are infected by bots and collected, used, rented and traded by cybercriminals.

So, what does the book cover, and more importantly, does it deliver on the promises it makes?

Cover story?

The book’s cover claims that it will provide:

  • Important information on botnets, zombie armies and bot herders.

  • Answers to your questions: What are botnets? How do they spread? How do they work? How can I detect them when they don’t want to be seen? What tools are available to fight this menace?

  • Complete coverage of ourmon and other open source tools.

Under the covers

The book contains 12 main chapters and a single appendix. Each chapter starts with what Syngress calls ‘Solutions in this chapter’ (even when the chapter is all about threats, not solutions), and concludes with a summary, FAQ and a ‘Solutions fast track’ section.

Chapter 1 discusses why the botnet is such a powerful tool (or toolkit). The authors state: ‘The software that creates and manages a botnet makes this threat much more than the previous generation of malicious code. It is not a virus; it is a virus of viruses.’ I beg to differ: most (if not all) bots are not viruses at all; most are remote access trojans (RATs) or worms.

The next section offers a concise look at ‘A conceptual history of botnets’, which starts with the birth of IRC itself and GM, the first IRC bot. Next stop is PrettyPark, which the chapter’s author claims is the prototype for today’s bots. SubSeven is also mentioned before we move to what I consider to be the real prototypes of modern bots: GTbot and the grand-daddy of most modern bots, SDbot (the first bot to be written in C/C++ and most importantly, its source code was made available). Other bots covered in this section are the usual suspects: Agobot, Spybot, Rbot, Polybot and finally Mytob.

Botnets for dummies

Moving on, we come to ‘Cases in the news’, which covers the stories of some of the cybercriminals who have successfully been prosecuted, such as: THr34t-Krew, Axel Gembe and Resili3nt (aka Jeanson James Ancheta) and Farid Essebar (the author of Zotob), amongst others.

Wrapping up Chapter 1 is ‘The industry responds’, a section covering a brainstorming session in August 2006 – almost a year after the VB2005 conference at which a number of papers on bots and botnets had been presented and a lot of brainstorming and discussion of the problem had taken place.

Chapter 2 continues with the same ‘botnets for dummies’ approach and covers: ‘What is a botnet?’, ‘The botnet life cycle’, ‘What does a botnet do?’ and ‘Botnet economics’. All in all, this is quite a good overview of bots and botnets for those who haven’t come across them before and need to know the fundamentals.

Chapter 3 introduces the reader to ‘Alternative botnet C&Cs’, starting with a look at the ‘Historical C&C technology as a road map’ and continuing this voyage of discovery with ‘DNS and C&C technology’ (which is more useful as it covers newer techniques that are increasingly being used in place of traditional IRC command and control infrastructures). These include web-based, command-based, P2P and IM command and control systems or infrastructures. It also includes some of the advanced DNS techniques, such as dynamic and fastflux DNS records which allow botnet C&Cs to be more resilient than previously when they tended to use hard-coded IP addresses in the bots’ bodies or configuration files.

Chapter 4 covers common botnets and includes a more in-depth look at Sdbot, Rbot, Agobot, Spybot and Mytob, detailing known aliases, infection, signs of compromise such as common registry keys, filenames, ports and propagation techniques used.

Chapter 5, ‘Botnet detection: tools and techniques’, opens with ‘Abuse’, or to put it another way, emails to your ‘[email protected]’ address complaining that your domain is doing something bad, such as spamming, phishing, DDoSing or hosting malware/spyware or other bad stuff. For many, this will be the first clue that part of their network is under someone else’s control.

The next section, ‘Network infrastructure: tools and techniques’, covers the likes of SNMP, netflow, firewalls, switches, hubs, routers and the use of ACLs and logs from these types of devices/services.

Intrusion detection is the next area to be discussed, including some coverage of anti-virus, with information on signatures and heuristics. Snort is covered in some detail as an example IDS, along with a number of example signatures which are dissected and explained well. Integrity management systems are also covered.

Some material on darknets, honeypots and ‘other snares’ is then given, before the rest of the chapter covers in more detail how you can use the tools/techniques mentioned in the first half of the chapter to fight back.

Botnets for techies

Chapter 6 offers an overview of ourmon, starting with some case studies and then explaining how it works and how it is installed. In a nutshell, ourmon is a network-monitoring tool that the author claims can be used for ‘low-level anomaly detection and higher-level detection of botnets’.

Chapter 7 covers ourmon’s web interface as well as using it to detect TCP, UDP and email anomalies. In my opinion, chapters 6 and 7 are not suitable for those with little or no computer security/network experience.

Chapter 8 discusses the IRC protocol, then moves swiftly on to ‘Ourmon’s RRDTOOL statistics and IRC reports’. The chapter is wrapped up with ‘Detecting an IRC botnet’ and ‘Detecting an IRC botnet server’. Chapter 9 is also dedicated to what seems to be the authors’ favourite tool. This time it covers advanced ourmon techniques. As with the previous ourmon chapters, this would not be suitable for non-techies.

Chapter 10 covers the use of sandbox tools. It starts by explaining what a sandbox is and mentions not only a number of well-known sandboxes, but also ‘real’ systems and virtual machines used for the same purpose, rather than the emulated ones that sandboxes usually use. The rest of the chapter focuses on one of the better-known sandboxes, CWSandbox, which is described as ‘an application for the automatic behaviour analysis of malware’ – a good description of what it does. Yet again, though, this is not suitable for non-techies.

Chapter 11 is entitled ‘Intelligence resources’, and identifies the information that an organisation should try to gather. It also covers disassemblers (although why this is included here rather than in chapter 5 or 10 is beyond me). Next, a list of places/organizations that provide information about botnets is provided. The short list includes anti-virus and anti-spyware sites as well as Microsoft’s security site. A list of ‘Professional and volunteer organizations’ includes a number of mailing lists as well as groups such as NANOG, APWG and UNISOG. Interestingly, there is no mention of AVIEN or AVIEWS.

Finally, chapter 12 is entitled ‘Responding to botnets’. Here, the authors state that ‘giving up is not an option’, which seems to be at odds with the data on the front and back covers and in the book’s own introduction. Another section asks ‘Why do we have this problem?’, which may have been more useful at the start of chapter 1. The usual suspects are named: phishing, spam and money, as well as touching on policies and processes (or lack thereof) within organisations.

The final section asks ‘What is to be done?’, which is a good question, but it’s a shame they left it to the last chapter to try and answer it. The answers offered include effective practices for individual and enterprise computer users as well as reporting botnets to some or all of the groups mentioned in the previous chapter. The section is completed with ‘Fighting back’, which covers the saga of Blue Security, and ‘Law enforcement’, which details how to report a botnet (although no suggestions are given for those of us outside the US). It swiftly covers darknets, honeynets and botnet subversion in very little detail and finishes with ‘A call to arms’.

Conclusions

This book is very good in parts; chapters 5 and 10 are excellent. Chapters 1 to 4 are a good introduction to the subject and could easily have been extended into a ‘botnets for dummies’ type of book. However, chapters 6 to 9 are far too technical for a non-techie or a techie that doesn’t have lots of security and network knowledge/experience.

I’m left with a strong impression that this book was rushed to market, as it seems to be two books in one. The really technical stuff and the ourmon chapters belong in an advanced book, while the rest of the material could easily have been expanded and sold as an introductory or intermediate-level guide (in my opinion this would have been a significantly better move by the publishers).

As it stands, the book will be of no real use to those not already in IT or security with at least a year of real hands-on experience, and I suspect that the ‘propeller-heads’ won’t get much out of it either, apart from the material on ourmon. However, as a single reference tome, it will end up on many bookshelves in organisations worldwide.

Things may improve if and when the book is revised, or another publisher comes up with another book on botnets. Until then it will be a one-horse race, so for now this book is the de facto winner.

Found a useful infosecurity book? Why not tell us about it so we can let others know - email your suggestions to [email protected].

View Botnets: The Killer Web Applications on Amazon.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest articles:

Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

Aditya Sood & Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited to compromise the C&C panel in order to gather threat intelligence, and present a model of mobile AppInjects.

Cryptojacking on the fly: TeamTNT using NVIDIA drivers to mine cryptocurrency

TeamTNT is known for attacking insecure and vulnerable Kubernetes deployments in order to infiltrate organizations’ dedicated environments and transform them into attack launchpads. In this article Aditya Sood presents a new module introduced by…

Collector-stealer: a Russian origin credential and information extractor

Collector-stealer, a piece of malware of Russian origin, is heavily used on the Internet to exfiltrate sensitive data from end-user systems and store it in its C&C panels. In this article, researchers Aditya K Sood and Rohit Chaturvedi present a 360…

Fighting Fire with Fire

In 1989, Joe Wells encountered his first virus: Jerusalem. He disassembled the virus, and from that moment onward, was intrigued by the properties of these small pieces of self-replicating code. Joe Wells was an expert on computer viruses, was partly…

Run your malicious VBA macros anywhere!

Kurt Natvig wanted to understand whether it’s possible to recompile VBA macros to another language, which could then easily be ‘run’ on any gateway, thus revealing a sample’s true nature in a safe manner. In this article he explains how he recompiled…


Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.