The Lifecycle of a BotnetWritten by Jeff on August 7, 2012
Over the past few years we have seen, and rejoiced, at the fact that some of the world’s largest botnets have been dismantled. Pushdo, Rustock and Grum are some of the names that have become familiar to even casual computer users; famous only because they were huge botnets that were taken offline.
When these botnets are taken down we are able to enjoy a significant drop in spam levels, if even only for a short amount of time. Unfortunately it is only a matter of time before a new army of zombie computers is built to deliver malware-ridden, spammy, phishy emails.
Explaining how botnets are built is pretty simple. The bad guy creates multiple command and control servers to act as the generals. Once these are up, they need to find the actual foot soldiers so they create, or buy, malware that will infect computers and report back to the command and control servers for instructions.
Once the malware is ready, they need to find their victims. This is usually done through phishing and spam; sending the victims a link to a malicious web site that infects their computer via drive by download or they simply send the malicious program as an attachment for the victim to install themselves.
These bots can then be used to send spam, to participate in click-fraud or even be used in distributed denial of service attacks. The botnet will then be used by the bad guys to carry out illegal activities, or even rented out to other criminals – that is until the botnet is shut down.
Taking down the botnet
Tech Crunch detailed how Grum, one of the largest botnets, was taken down by security experts and over 120,000 zombie computers, along with the command and control servers that directed, them were a thing of the past.
In the case of Grum, the botnet caught the eye of a researcher at Spamhaus and another security team in Russia.
And that is usually where the fight starts. Someone in the know realizes that small connection in the attacks carried out by a botnet. Just like a detective finds a pattern in a series of crimes, the security professional finds that one link that gets the ball rolling.
The next step is to analyze the instructions the zombies are being given. Since the zombie needs to communicate with the command and control servers, there has to be some reference to a domain name or the IP addresses of the servers. In the case of Grum, the IP addresses of the servers were hard coded into the program. This made it easier for the servers to be identified and shut down unlike a domain name that can more easily moved.
Once the security researchers are able to identify the servers, they work to shut them down. But this isn’t as easy as it sounds.
To shut the servers down, the hosting Internet Service Provider must be contacted and willing to cooperate with security experts, and these servers are usually located all over the world. In the case of Grum, the servers were located in The Netherlands, Russia, The Ukraine and Panama.
Convincing the ISPs that they need to shut down a client’s server isn’t always the easiest task either. Most ISPs are not willing to bring a client’s server down based on an accusation from a security researcher or firm. Some ISPs are better known for protecting their clients than others and these are generally the ones that botnets operate on.
Once the ISP can be convinced that a client of theirs is running a botnet that needs to be shut down, the process still can be a bit of hit or miss. If the team is able to shut down most servers, but not all of them, then the botnet can rebuild itself. It may suffer for a bit but it can come back.
In the case of Grum, the servers in the Netherlands were taken offline first. But as the operators struggled to bring new command and control servers online and update their zombies, security experts in Russia and Panama reached out to help bring down servers in their respective countries. The coordinated effort was what ensured the success of the operation. In the case of Rustock, Microsoft leveraged its weight to convince ISPs to shut down rogue servers.
Once all servers are down, the botnet withers and the good guys move on to the next target.