Chapter 17

Responding to cyber crime and cyber terrorism—botnets an insidious threat

Giovanni Bottazzi; Gianluigi Me

Abstract

One of the most insidious cyber threats facing the security community today is the diffusion of infected computers (bots or zombies) that form part of a completely managed network (botnet). Botnets are very frequently used for targeted attacks, such as DDoS or cyber-espionage campaigns, and their managers try to involve the largest number of machines while hiding the activities of the malicious architecture.

This chapter focuses on the implemented architecture, the network protocol used or the technology of the botnet, although multiple different classifications appear in the literature: these features enable the characterization of the criminal business model and, therefore, of the potential threats posed.

The effectiveness of current countermeasures is still an open challenge; hence, a plurality of stakeholders will be called on to cope with this problem through differently balanced, synergic countermeasures that mitigate the risk. The present chapter includes two use cases of real botnets.

Keywords

Botnet

Countermeasure

Topology

Eurograbber

Zeroaccess

Network

Attack

Zombie

Command and control

Introduction

One of the most insidious cyber threats for the IT community is currently represented by a diffusion of networks containing infected computers (called bots or zombies), which are managed by attackers and are called botnets.

The use of botnets is very common in various IT contexts, from cybercrime to cyber warfare. They are able to provide a very efficient distributed IT platform that could be used for several illegal activities, such as launching Distributed Denial of Service (DDoS) attacks against critical targets, starting with a “sample” attack followed up with an email or other communication threatening a larger DDoS attack if a certain amount of money is not paid (cyber extortion), malware dissemination, phishing and fraud (e.g., banking information gathering), or conducting cyber-espionage campaigns to steal sensitive information.

In these scenarios, the controller of a botnet, also known as botmaster, controls the activities of the entire structure giving orders to every single zombie through various communication channels.

The diffusion of a botnet is a measure of how dangerous it is, and it depends on the ability of its managers to involve the largest number of machines while also hiding the activities of the malicious architecture: a particular kind of “hide and seek” game.

A critical phase in the life of a botnet is its formation. Attackers can recruit bots by spreading malware, typically via phishing or by sending the malicious agent via email.

Infected machines receive commands from Command & Control (C&C) servers that instruct the overall architecture how to operate to achieve the purpose for which it has been composed.

The diffusion of botnets has recently increased due to various factors such as:

 increased availability of powerful internet connectivity and hosts (to be understood not only as personal computers, but also as everyday objects that are more and more interconnected and smart). Fifty to one hundred billion things are expected to be connected to the Internet by 2020. This paradigm is usually referred to as the “Internet of Things”;

 possibility of malware customization (introduced by Zeus botnet and its Software Development Kit);

 presence in the underground/black market of cyber criminals that rent services and structures that compose the malicious systems.

There are various classifications of botnets based on the overall topology and the command and control channels used, through which they can be updated and directed, the developing technology used and the scope of the services implemented.

Emerging trends show that newer architectures are migrating toward completely distributed topologies (P2P networks) instead of centralized structures, mobile implementations of malware, and the use of TOR networks and social platforms as C&C server hiding techniques. The high sophistication and spread of botnets has led to the emergence of a new criminal business model that can be summed up as “Cybercrime-as-a-Service” (CaaS). This chapter is an essay on botnets (with two use cases included) and the related countermeasures.

A Botnet Roadmap

The two pieces of malware that introduced the concept of a victim machine connected to a communication channel to listen for malicious commands, and so began the so-called botnet era, were “Sub7” and “Pretty Park”, a Trojan and a worm, respectively. Both first emerged in 1999, and botnet innovation has been steady since then (Ferguson, 2010).

During 2002, there were a couple of major developments in botnet technology with the release of both SDBot and Agobot. SDBot was a single small binary, written in C++, marketed by its creator, who also made the source code widely available. As a result, many later bots include code or ideas taken from SDBot. Agobot, instead, introduced the concept of a modular attack. The initial attack installed a “back door”, the second tried to disable the antivirus software and the third blocked access to the websites of security vendors. These two pieces of malware started the huge increase in variants and the expansion of functionality.

Malware authors gradually introduced encryption for Ransomware (hostage taking of encrypted files), HTTP and SOCKS proxies allowing them to use their victims for onward connection or FTP servers for storing illegal content.

Botnets steadily migrated away from the original IRC Command & Control channel (the protocol is easily identified in network traffic, and its TCP ports are seldom opened through firewalls) and began to communicate over HTTP, ICMP and SSL ports, often using custom protocols. They have also continued the adoption and refinement of peer-to-peer communications, as would be demonstrated 5 years later by another famous botnet known as Conficker.

It was around 2003 that the criminal interest in botnet capabilities began to become apparent. At the start of the decade, spamming was still a “home-work” occupation with large volumes of Spam sent from dedicated Server Farms, Open Relays or compromised servers.

Bagle and Bobax were the first spamming botnets and the malware Mytob was essentially a blend of earlier mass mailing worms MyDoom and SDbot. This enabled criminals to build large botnets and distribute their spamming activities across their entire victim PCs, giving them agility and flexibility and helping them to avoid the legal enforcement activity that was starting to be aggressively pursued.

In 2005, a Russian group of five developers known as UpLevel started developing Zeus, a “Point-and-Click” program for creating and controlling a network of compromised computer systems (Lemos, 2010). The following year they released the first version of the program, a basic Trojan designed to hide on an infected system and steal information. In 2007, the group came out with a more modular version, which allowed other underground developers to create plug-ins to add to its functionality. Five years of development later, the latest version of this software (which can be downloaded for free and requires little technical skill to operate) is one of the most popular botnet platforms for spammers, fraudsters, and people who deal in stolen personal information (note the increase in the range of actions that can be performed with a piece of malware). The latest Zeus platform allows users to build custom malicious software to infect target systems, manage a wide network of compromised machines, and use the resulting botnet for illegal gain. The construction kit contained a program for building the bot software and Web scripts for creating and hosting a central Command and Control server (Figure 17.1).

Figure 17.1 Botnets roadmap.

A survey conducted by a security firm—Atlanta-based Damballa—found Zeus-controlled programs to be the second most common inside corporate networks in 2009. Damballa tracked more than 200 Zeus-based botnets in enterprise networks. The largest single botnet controlled using the Zeus platform consisted of 600,000 compromised computers.

Consequently, independent developers have created compatible “exploit packs” capable of infecting victims’ systems using vulnerabilities in the operating system or browser. Other developers focus on creating plug-in software to help “wannabe” cybercriminals in making money from a Zeus botnet. For example some add-ons focus on phishing attacks, delivering images and Web pages needed to create fraudulent banking sites. With the mentioned features it is very hard for antivirus software to identify a Zeus payload (Binsalleeh et al., 2010; Falliere and Chien, 2009; Wyke, 2011).

Zeus is obviously not the only tool available for building a botnet, but its birth is a milestone for the entire cybercriminal sector, since it was designed with the “non-expert” user in mind and includes simple point-and-click interfaces for managing infected machines (for these reasons it is called the ZeuS Crimeware family). For example, the ZeroAccess botnet, specialized in click-fraud attacks and apparently disrupted in 2013, was probably wider than Zeus (millions of infections globally are estimated for 2012, with up to 140,000 unique IPs in the US and Europe).

Just as Zeus was the cornerstone of the next-generation botnets, Blackhole is definitely the cornerstone of the next-generation exploit kits. Since it emerged in late 2010, the Blackhole exploit kit has grown to become one of the most notorious exploit kits ever encountered (Howard, 2012).

Over the last few years the volume of malware seen in the field has grown dramatically, thanks mostly to the use of automation and kits to facilitate its creation and distribution. The term “crimeware,” already used for Zeus, was coined specifically to describe the process of “automating cybercrime.” Individuals no longer profit just from writing and distributing their malware. Today’s malware scene is highly organized, structured and professional in its approach, and individuals can choose the criminal role that fits them best.

Kits, as an intrinsic part of crimeware, provide the tools for criminals to create and distribute malware, but also the systems used to manage networks of infected machines. Some of these kits focus on creation and management of the malware payload—Zeus is perhaps the best example of this. Other kits are those that focus on infecting users through web attacks, specifically attacks known as drive-by downloads. It is this latter group of kits that are commonly referred to as exploit kits or exploit packs (the terms are used interchangeably).

There are several versions of Blackhole exploit kit, the first being v1.0.0 (released in late 2010). The kit consists of a series of PHP scripts designed to run on a web server (all protected with the commercial ionCube encoder). This is presumably to help prevent other miscreants stealing their code (there are many exploit kits which are little more than copies of others), and to hinder analysis.

The general characteristics of the Blackhole exploit kit are listed below:

 The kit is Russian in origin.

 Configuration options for all the usual parameters (querystring parameters, file paths for payloads or exploit components, redirect URLs, usernames, passwords, etc.).

 MySQL backend.

 Blacklisting/blocking (only hit any IP once, maintain IP blacklist, blacklist by referrer URL, import blacklisted ranges).

 Auto update (of course).

 Management console provides statistical summary, breaking down successful infections by exploit, OS, country, affiliate/partner (responsible for directing user traffic to the exploit kit) and by browser.

 Targets a variety of client vulnerabilities.

 Antivirus scanning add-ons.

However, there are some features that are (or were at first release) unique to Blackhole:

 “Rental” business model. Historically, exploit kits are goods (pay-per-use) that are sold to individuals and then used as they desire. Blackhole includes a rental strategy, where individuals pay for the use of the hosted exploit kit for some period of time. Figure 17.2 illustrates the pricing model (translated from Russian) for the first release of Blackhole.

Figure 17.2 Blackhole pricing model.

 Management console optimized for use with PDAs.

The whole purpose of Blackhole is to infect victims with some payload. The payloads are typically polymorphic, packed with custom encryption tools and designed to evade antivirus detection (a process which is helped with the built-in AV checking functionality of Blackhole). The most prevalent payloads installed in the past few years include fake AV, Zeus, ZeroAccess rootkit and Ransomware.

One of the most important new features of Blackhole is the automation through which servers and clients can be exploited via a large number of vulnerabilities (remember that both Zeus and Blackhole are networks constantly managed and updated remotely). Web servers with some vulnerability (compromised servers) may be used to host Blackhole directly or to redirect clients toward purpose-built Blackhole web sites.

An attacker can use a compromised server in order to steal information from all users of that server, a technique also known as a Watering Hole attack. The attackers study the behavior of people who work for a target organization to learn about their browsing habits. Then they compromise a web site that is frequently used by employees, preferably one hosted by a trusted organization which represents a valuable source of information. Ideally, they will use a zero-day exploit. So when an employee visits a web page on the site, they are infected; typically a backdoor Trojan is installed, allowing the attackers to access the company’s internal network. In effect, instead of chasing the victim, the cybercriminal sits in a location that the victim is highly likely to visit, hence the watering-hole analogy (Kaspersky, 2013; Symantec, 2013).

The other important aspect, from the criminal point of view, is the change of the criminal business model. Older versions of malware were offered for sale at very high prices. Today, early versions are distributed free of charge, and often these former versions have been “backdoored” by criminals, meaning that the novice thief (the so-called lamer) also becomes the victim.

In the recent past, instead, the glut of freely available criminal tools has lowered the cost barrier of entry into cybercrime and encouraged more wannabe cyber-gangsters (lamers) into online crime. As mentioned, today’s malware scene is highly organized, structured, and professional in its approach.

The spread of the Internet, especially for government and commercial purposes, has led to an evolution of the business model of the criminal market behind the modern threats. It is possible to imagine a layered reverse-pyramid structure (in terms of organizations involved, the size of these organizations, skills and goals) (Figure 17.3).

Figure 17.3 Criminal business model.

Organizations with more technical skills (probably the least numerous, and comparable to a kind of Cyber-Mercenaries) are those who design and distribute various types of crimeware (payloads and exploit kits) according to different modes of diffusion (spam, phishing, social engineering, drive-by or watering-hole), but do not take any particular action themselves. In many cases, instead of monetizing botnet activities by directly implementing fraud schemes, the cyber mercenaries rent a series of services to other criminals, a trend confirmed by the constant monitoring of underground market offers. The prepared infrastructure is ready to be “sold” or, better, “rented” to the highest bidder. The rental model showed better revenue than the sale one. In fact, many criminals made their money simply by renting access to their botnets rather than engaging in Spam, DDoS or information theft campaigns of their own devising (remember that the so-called Blackhole “landing page” could be the compromised server itself or a hosting server).

Those who pay to take criminal action do not need high technical skill, but their attacks are usually more motivated and more numerous. The two most common motivations are socio-political (Hacktivist) and economic (Cyber Criminal). Criminals pay per use (Pay-per-Use, PPU) for thousands of already compromised machines, or provide additional malware to these already infected computers.

Spam bots can provide secondary information, for example, via stealing malware, fake antivirus software and Ransomware, to increase the flexibility of the infected machines and to maximize the potential revenue of each infected computer.

To give an idea of the economic impact of botnets, the “F-Secure 2012 Threat Report” revealed that the ZeroAccess threat reportedly clicks 140 million ads a day. It has been estimated that the botnet is costing legitimate online advertisers up to USD 900,000 of daily revenue loss. Moreover, as we will see later in one of the two use cases, Eurograbber earned 36+ million euros.

The third level is obviously composed of Victims (owners of the infected machines) who, depending on the type of attack, may be generic Internet users (if the number of victims is the most important variable, e.g., in a DDoS campaign) or may belong to a particular category of people (if the quality of the information to be stolen is the most important variable).

Moreover, the users layer is not necessarily monolithic, but can be further divided into intermediate levels (e.g., the organizations most experienced in malware development may not be equally experienced in its distribution) and consists of various criminal figures in a kind of partnership program where the higher level guarantees a minimum number of “customers” to the lower one (see the ZeroAccess Pay-per-Install, PPI, business model).

The previous pyramid, as well as the criminal business model, is considered a measure of the real threat (the wider the victim layer, the more disruptive the threat).

The mentioned botnet monetization models (PPI and PPU) affect both the direction and the magnitude of the “criminal value flows.” Moreover, in the specific case of the PPU model, the size of a flow is proportional to the dangerousness of the threat.

In fact, while for a click-fraud-oriented botnet the money flows and their size are almost certain, for a general-purpose botnet a criminal (User) who wants to attack, for example, a bank might be willing to invest a larger amount of money to buy or rent (from Designers) a botnet sufficiently wide and sufficiently skilled for bank account exfiltration or DDoS campaigns.

So the botnet economic flows, in the two monetization models, can be represented as in Figure 17.4 (the thickness of the arrows is indicative of the amount of money).

Figure 17.4 Money flows.

A possible value chain for “Designers,” believed to be the most “e-structured,” can be represented by using models such as Porter’s model chart, which is very similar to what can be generated for a generic software house, with a prevalence of the trust element (for customers and suppliers) linked to the fact that the added value will be directly or indirectly related to criminal activities.

Based on Porter’s model we can identify two sets of activities:

Primary Activities:

 Inbound Logistics: all the needed logistical activities for the implementation of services for sale or rent. Hw & Sw logistics, bulletproof hosting services rental and anonymous connectivity.

 Operations: the core business. Develop payloads, customizable crimewares, exploit kits and back-end infrastructures for building, hiding and accessing C&C servers (maybe hosted on bulletproof domains), malware distribution methods/services, etc.

 Outbound Logistics: Hw & Sw for managing secure e-marketing, e-sales and e-money transfer infrastructures.

 Marketing and Sales: MARKETING: posts on forums and black markets, rate and target of success. SALES: sell/rent everything produced by Operations.

 Services: Botnet amplitude, steadily updated malware features (Spam, DDoS, Exfiltration, etc.).

Support Activities:

 Firm Infrastructure: Labs, C&C server owned, technologies for anonymous connectivity and/or VPNs with Countries with poor legislation on cybercrime.

 Human Resource Management: Employees skilled and trusted.

 Technological Development: Variants to Crimeware SDK or brand new payloads, exploit kits, bulletproof C&C host, secure e-payments, secure e-marketing.

 Procurement: Forecasting and planning of criminal market requests, secure payment systems, trusting and skill assessment procedures for providers and partners (PPI business model) (Figure 17.5).

Figure 17.5 The Porter's value chain.

Botnets: How Do They Work? Network Topologies and Protocols

As mentioned in the introduction, a botnet is a network of computers infected through the inoculation of malware (bots or zombies) and managed by attackers through one or more Command & Control servers. The controller of a botnet, also known as the Botmaster, controls the activities of the entire structure (from specific orders to software updates) through different communication channels.

The level of diffusion of the botnets depends on the capabilities of botmasters to involve the largest number of machines trying to hide both the activities of the malicious architecture and the location of the C&C servers.

We will not discuss infection or dissemination practices for the payload, because they were already mentioned in the introduction (e.g., Blackhole) and because they are intimately linked to the exploitation of the vulnerabilities of compromised systems (out of scope).

Trying to categorize the concept of botnet is not an easy task. There are many purposes for which these architectures are designed and created. They inevitably influence factors such as the malware used to compromise victims, rather than the technology involved (Balapure, 2013; Paganini, P., 2013a, 2013b, 2013c).

Botnets can be distinguished, for example, by their architecture. Some networks are based on one or more C&C servers, with every bot directly connected to them. The C&C manages a list of infected machines, monitors their status and gives them operative instructions.

This type of architecture is quite simple to organize and manage, but has the drawback of being very vulnerable, since turning off the C&C server(s) would cause the malfunction of the entire botnet. The server(s) in fact represent a single point of failure, since the operation of the whole botnet depends on the ability of its bots to reach the control systems.

Initially C&C IP addresses were hardcoded into each bot, which made their identification easier and resulted in their eventual disruption by researchers, but the “attackers” learn from their failures every time. For example, a natural evolution could be the use of a reverse proxy (in some environments called a rendez-vous point) to address a C&C server. In this way it is easier to hide the C&C IP addresses and the botmaster identities (but the single point of failure has simply moved from the C&C to the reverse proxy). This is the case of centralized architectures (Figure 17.6).

Figure 17.6 Botnet centralized architecture.

A more radical and increasingly popular way to increase botnet resilience is to organize the botnet in decentralized architectures as a Peer-to-Peer (P2P) network. In a P2P botnet, bots connect to other bots to exchange C&C traffic, eliminating the need for centralized servers. As a result, P2P botnets cannot be disrupted using the traditional approach of attacking centralized infrastructures.

So the bots are not necessarily connected to the C&C servers, but they compose a mesh structure where commands are also transmitted “zombie-to-zombie.” Each node of the network has a list of addresses of “neighbor” bots with which it exchanges commands. In such a structure each bot can send orders to the others, and attackers, to control the entire botnet, need access to at least one computer.

Tracking of P2P botnets requires the complete node enumeration, while in ordinary botnets it is necessary to find only the C&C servers. The security community has been trying to identify the infected machines in this way, collecting the IP addresses of the participating nodes. The collected items can be used by security defense systems to identify sources of infection, but it is very hard because in many cases, bots are behind firewalls or NAT devices (Figure 17.7).

Figure 17.7 From centralized botnet to hybrid peer-to-peer botnet.

Symantec security researchers detected a variant of the popular Zeus malware that relies on P2P communication as a backup system in case the C&C servers are not reachable. The variant isolated by Symantec does not use C&C servers, implementing an autonomous botnet.

This type of botnet is really concerning and is hard to fight due to the absence of a single point of failure as represented in classic botnet architecture. Despite the fact that destroying a decentralized botnet is more difficult (or maybe impossible?), this type of architecture presents a higher management complexity (Wang, 2013).

It should now be clear that C&C servers, which are generally hosted on hacked, bought or rented servers, play an essential role in botnet functionality. Moreover, regardless of the architecture used, a botnet needs to connect every single bot with one or more C&C servers in order to receive commands or to steal information, so the communication channel is another essential discriminator for botnets (Lanelli and Hackworth, 2005).

So botnets can also be classified on the basis of the network protocol used. An old botnet scheme was the classic IRC-oriented one, that is, based on Internet Relay Chat. Every bot receives commands via an IRC channel from an IRC bot. An IRC bot is composed of a set of scripts connecting to Internet Relay Chat as a client.

Since then there have been numerous developments, all geared to obfuscating and/or encrypting the communication channel. The most advanced botnets use their own protocols built on protocols such as TCP, ICMP or UDP. For example, before the Zeus P2P variant, the experts noted that its authors had implemented communication through the UDP protocol.

Historically, the UDP protocol has been used as a real data transmission channel (fake DNS A-queries carrying a payload), but it is the UDP protocol, or rather the DNS protocol, that has been heavily used by bots to identify the domain name of their own C&C servers. Botmasters have coded algorithms into their malware that automatically and dynamically generate a high number of Internet Fully Qualified Domain Names; such an algorithm is known as a Domain Generation Algorithm (DGA). In this way the authors, executing the same algorithms, can hide their C&C servers behind different and highly dynamic domain names. Obviously, all domains generated by a DGA have a short life span, since they are used only for a limited duration, and they generate a lot of NXDomain traffic. They also need some collaboration from a particular type of hosting provider that guarantees the operators that it will not respond to abuse complaints nor cooperate with takedown requests. These providers are commonly known as “bulletproof hosting” and are widely used in the cybercrime ecosystem (however, their services are typically more expensive and they might not be 100% reliable).
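The NXDomain traffic described above gives defenders a detection handle. The following Python is an added example, not code from the chapter or from any tool it cites: it profiles a resolver log per client and flags hosts whose failed lookups are numerous, distinct and random-looking. The log format, IP addresses, domain names and thresholds are all assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log for one observation window (not real traffic).
# Assumed line format: "<timestamp> <client_ip> <qname> <rcode>".
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 www.example.com NOERROR
2024-01-01T10:00:02Z 10.0.0.5 mail.example.org NOERROR
2024-01-01T10:00:03Z 10.0.0.5 exmaple.com NXDOMAIN
2024-01-01T10:00:04Z 10.0.0.5 intranet.example.net NOERROR
2024-01-01T10:00:05Z 10.0.0.5 www.example.org NOERROR
2024-01-01T10:00:06Z 10.0.0.9 wpad.corp.example NXDOMAIN
2024-01-01T10:00:07Z 10.0.0.9 wpad.corp.example NXDOMAIN
2024-01-01T10:00:08Z 10.0.0.9 wpad.corp.example NXDOMAIN
2024-01-01T10:00:09Z 10.0.0.9 wpad.corp.example NXDOMAIN
2024-01-01T10:00:10Z 10.0.0.9 wpad.corp.example NXDOMAIN
2024-01-01T10:00:11Z 10.0.0.9 wpad.corp.example NXDOMAIN
2024-01-01T10:00:12Z 10.0.0.23 qxvbnzkjhwtr.example NXDOMAIN
2024-01-01T10:00:13Z 10.0.0.23 mzpqlkxvtwhy.example NXDOMAIN
2024-01-01T10:00:14Z 10.0.0.23 hgtrwqpzxnbv.example NXDOMAIN
2024-01-01T10:00:15Z 10.0.0.23 kdjfwoqzmxnc.example NXDOMAIN
2024-01-01T10:00:16Z 10.0.0.23 ywutqzxvplkm.example NXDOMAIN
2024-01-01T10:00:17Z 10.0.0.23 r7tq2zk9xw4p.example NXDOMAIN
2024-01-01T10:00:18Z 10.0.0.23 bnvcxzlkjhgf.example NOERROR
2024-01-01T10:00:19Z 10.0.0.23 www.example.com NOERROR
"""


def shannon_entropy(text):
    """Bits per character; random-looking labels score higher than words."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def second_level_label(qname):
    """Label left of the TLD. Simplification: no public-suffix list is used."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def parse_log(log_text):
    """Yield (client, qname, rcode) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, rcode = parts
        yield client, qname.lower(), rcode.upper()


def profile_clients(log_text):
    """Per-client query count, NXDOMAIN ratio, distinct failed names, entropy."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "nx_names": set()})
    for client, qname, rcode in parse_log(log_text):
        entry = stats[client]
        entry["total"] += 1
        if rcode == "NXDOMAIN":
            entry["nx"] += 1
            entry["nx_names"].add(qname)
    profiles = {}
    for client, entry in stats.items():
        labels = [second_level_label(q) for q in entry["nx_names"]]
        mean_entropy = (
            sum(shannon_entropy(label) for label in labels) / len(labels)
            if labels else 0.0
        )
        profiles[client] = {
            "total": entry["total"],
            "nx_ratio": entry["nx"] / entry["total"],
            "distinct_nx": len(entry["nx_names"]),
            "mean_entropy": mean_entropy,
        }
    return profiles


def suspected_dga_clients(log_text, min_distinct_nx=5, min_nx_ratio=0.5,
                          min_entropy=3.0):
    """Clients whose failures are many, distinct and high-entropy.

    The three thresholds are illustrative assumptions, not tuned values.
    """
    flagged = []
    for client, p in profile_clients(log_text).items():
        if (p["distinct_nx"] >= min_distinct_nx
                and p["nx_ratio"] >= min_nx_ratio
                and p["mean_entropy"] >= min_entropy):
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    for client, profile in sorted(profile_clients(SAMPLE_LOG).items()):
        print(client, profile)
    print("suspected DGA activity:", suspected_dga_clients(SAMPLE_LOG))
```

The second client shows why distinct names are counted: a host retrying one missing name has a 100% NXDomain ratio but is not DGA-like. Dictionary-based DGAs produce low-entropy names, so the entropy threshold should be treated as one signal among several.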

Of course we must not forget web-based botnets, which are collections of infected machines controlled through the World Wide Web. HTTP bots connect to a specific web server, receiving commands and sending back data. This type of architecture is very easy to deploy and manage, and very hard to track if encryption (HTTPS) is added.

The Nugache botnet (Rossow, 2013), which appeared in early 2006, was one of the first to use strong encryption. Commands were signed with a 4096-bit RSA key in order to prevent unauthorized control, and the communication between peers was encrypted using session keys which were individually negotiated and derived from a particular RSA scheme.

The key value of botnets is the ability to provide anonymity through the use of both a multi-tier C&C architecture and different communication channels. The use of standard application protocols such as HTTPS can also facilitate the spread into corporate networks. The use of custom protocols (typical of P2P botnets), on the other hand, while providing greater flexibility, may be neutralized by firewall systems.

Finally, the individual bots may not be physically owned by the botmaster (criminal reverse-pyramid in previous paragraph), and may be located in several locations all around the globe. Differences in time zones, languages, and laws make it difficult to track malicious botnet activities across international boundaries.

Case Study—Eurograbber (2012)

This is a case study of a sophisticated, multi-dimensional and targeted attack which stole an estimated 36+ million euros from more than 30,000 bank customers of multiple banks across Europe. The attacks began in Italy, and soon after, tens of thousands of infected online bank customers were detected in Germany, Spain and Holland. The attack was entirely transparent: the online banking customers had no idea they were infected with Trojans, or that their online banking sessions were being compromised, or that funds were being stolen directly out of their accounts.

This attack campaign was discovered and named “Eurograbber” by Versafe and Check Point Software Technologies (Kalige and Burkley, 2012). The Eurograbber attack employs a new and very successful variation of the ZITMO, or Zeus-In-The-Mobile Trojan. To date, this exploit has only been detected in Euro Zone countries, but a variation of this attack could potentially affect banks in countries outside of the European Union as well.

The multi-staged attack infected the computers and mobile devices of online banking customers and once the Eurograbber Trojans were installed on both devices, the bank customer’s online banking sessions were completely monitored and manipulated by the attackers. Even the two-factor authentication mechanism used by the banks to ensure the security of online banking transactions was circumvented in the attack and used by the attackers to authenticate their illicit financial transfer. Further, the Trojan used to attack mobile devices was developed for both the Blackberry and Android platforms in order to facilitate a wide “target market” and as such was able to infect both corporate and private banking users and illicitly transfer funds out of customers’ accounts in amounts ranging from 500 to 250,000 euros each. This case study provides a step-by-step walkthrough of how the full attack transpired from the initial infection through to the illicit financial transfer.

To improve security for online transactions, the banks added a second authentication mechanism, different from account number and password that validates the identity of the customer and the integrity of the online transaction. Specifically, when the bank customer submits an online banking transaction, the bank sends a Transaction Authentication Number (TAN) via SMS to the customer’s mobile device. The customer then confirms and completes their banking transaction by entering the received TAN in the screen of their online banking session. Eurograbber is customized to specifically circumvent even this two-factor authentication.

Bank customer’s issues begin when they click on a “bad link” that downloads a customized Trojan onto their computer. This happens either during internet browsing or more likely from responding to a phishing email that entices a customer to click on the bogus link. This is the first step of the attack and the next time the customer logs into his or her bank account, the now installed Trojan (customized variants of the Zeus, SpyEye, and CarBerp Trojans) recognizes the login which triggers the next phase of the attack.

It is in this next phase that Eurograbber overcomes the bank’s two-factor authentication, and it is an excellent example of a sophisticated, targeted attack. During the customer’s first online banking session after their computer is infected, Eurograbber injects instructions into the session that prompt the customer to enter their mobile phone number. The customer is then told to complete the “banking software security upgrade” by following the instructions sent to their mobile device via SMS. The attacker’s SMS instructs a customer to click on a link to complete a “security upgrade” on their mobile phone; however, clicking on the link actually downloads a variant of the “Zeus in the mobile” (ZITMO) Trojan. The ZITMO variant is specifically designed to intercept the bank’s SMS containing the all-important “transaction authorization number” (TAN). The bank’s SMS containing the TAN is the key element of the bank’s two-factor authorization. The Eurograbber Trojan on the customer’s mobile device intercepts the SMS and uses the TAN to complete its own transaction to silently transfer money out of the bank customer’s account. The Eurograbber attack occurs entirely in the background. Once the “security upgrade” is completed, the bank customer is monitored and controlled by Eurograbber attackers and the customer’s online banking sessions give no evidence of the illicit activity.

In order to facilitate such a sophisticated, multi-stage attack, a Command & Control (C&C) server infrastructure had to be created. This infrastructure received, stored and managed the information sent by the Trojans and also orchestrated the attacks. The gathered information was stored in an SQL database for later use during an attack. In order to avoid detection, the attackers used several different domain names and servers, some of which were proxy servers to further complicate detection. If detected, the attackers could easily and quickly replace their infrastructure thus ensuring the integrity of their attack infrastructure, and ensuring the continuity of their operation and illicit money flow.

The Infection

Step 1: The customer’s desktop or laptop is infected.

Step 2: The Eurograbber Trojan intercepts the banking session and injects JavaScript into the customer’s banking page. This malicious JavaScript informs the customer of the “security upgrade” and instructs them on how to proceed.

Step 3: The Eurograbber Trojan then delivers the bank customer’s mobile information to the dropzone for storage and use on subsequent attacks.

Step 4: Receipt of the customer’s mobile information triggers the Eurograbber process to send an SMS to the customer’s mobile device. The SMS directs the customer to complete the security upgrade by clicking on the attached link. Doing so downloads a file onto the customer’s mobile device with the appropriate mobile version of the Eurograbber Trojan.

Step 5: Simultaneous with the SMS being sent to the bank customer’s mobile device, the following message appears on the customer’s desktop instructing them to follow the instructions in the SMS sent to their mobile device in order to upgrade the system software to improve security. Upon completion they are to enter the installation verification code in the box below to confirm that the mobile upgrade process is complete.

Step 6: Upon completing the installation this text box appears in the customer’s native language acknowledging the successful installation and displays the verification code the user is to enter in the prompt on their computer.

Step 7: Eurograbber completes the process by displaying messages on a customer’s desktop informing the user of successful completion of the “security” upgrade and that they can proceed with their online banking activities (Figure 17.8).

Figure 17.8 Anatomy of the attack.

The Money Theft

Step 1: A banking customer logs into their online bank account.

Step 2: Right after the bank customer’s login, the cybercriminal initiates Eurograbber’s computer Trojan to start its own transaction to transfer a predefined percentage of money out of the customer’s bank account to a “mule” account owned by the attackers.

Step 3: Upon submission of the illicit banking transaction, the bank sends a Transaction Authorization Number (TAN) via SMS to a user’s mobile device.

Step 4: However, the Eurograbber mobile Trojan intercepts the SMS containing the TAN, hides it from the customer and forwards it to one of many relay phone numbers set up by the attackers. The SMS is then forwarded from the relay phone number to the drop zone, where it is stored in the command and control database along with other user information. If the SMS were forwarded straight to the drop zone, it would be more easily detected.

Step 5: The TAN is then pulled from storage by the computer Trojan which in turn sends it to the bank to complete the illicit transfer of money out of a bank customer’s account and into the attacker’s “mule” account. The customer’s screen does not show any of this activity and they are completely unaware of the fraudulent action that just took place (Figure 17.9).

Figure 17.9 The money theft.

At this point, the victims’ bank account will have lost money without their knowledge. Cybercriminals are being paid off via mule accounts. This entire process occurs every time the bank customer logs into his or her bank account.

Case Study—ZeroAccess (2013)

The fastest growing botnet was surely ZeroAccess, which racked up millions of infections globally in 2012, with up to 140,000 unique IPs in the US and Europe (F-Secure 2012). The actual malware that turns users’ computers into bots is typically served by malicious sites which the user is tricked into visiting. The malicious site contains an exploit kit, usually Blackhole, which targets vulnerabilities on the user’s machine while they are visiting the site. Once the machine is compromised, the kit drops the malware, which then turns the computer into a ZeroAccess bot.

The bot then retrieves a new list of advertisements from ZeroAccess’s command and control (C&C) server every day. The ZeroAccess botnet reportedly clicks 140 million ads a day. As this is essentially click fraud, it has been estimated that the botnet is costing up to USD 900,000 of daily revenue loss to legitimate online advertisers. Click fraud has been on the rise as the online advertisement vendors realistically have no way to differentiate between a legitimate click and a fraudulent one.

ZeroAccess is one of today’s most notable botnets. It was first discovered by researchers back in 2010, when it drew a lot of attention for its capability for terminating all processes related to security tools, including those belonging to antivirus products. When too many researchers focused on this self-protection capability however, ZeroAccess’s authors decided to drop the feature and focus more on improving its custom peer-to-peer (P2P) network protocol, which is unique to ZeroAccess. Four distinct variants have been observed (Neville and Gibb, 2013) (Figure 17.10):

Figure 17.10 ZeroAccess variants roadmap.

After the change, ZeroAccess became easier to spot by antivirus products, yet it continued to spread like wildfire around the world due to the improved P2P technique. This success can be largely attributed to its affiliate program, a well-known marketing strategy widely used by many e-commerce websites. Essentially, a business owner with an e-commerce site can promote commissions to other site owners to help drive customers to it (and hopefully eventually make a purchase). The website owners are then compensated for providing these customer leads.

Adopting this concept, ZeroAccess’ author or operator(s) has managed to distribute the program to a large number of machines with the help of its enlisted partners. The ZeroAccess team advertises the malware installer in Russian underground forums, actively looking for distributor partners. Their objective was to seek other cybercriminals who are more capable in distributing the malware and do so more efficiently. The malware distributors generally consist of experienced affiliates, each of them employing their own methods of distributing the ZeroAccess installers, in order to fulfill the recruiter’s requirements.

The most popular distribution methods seen involve exploit kits, spam e-mails, trojan downloaders, and fake media files available on P2P file-sharing services and video sites, although the specific details depend on the distributor handling the operations. The variety of distribution schemes and methods used by the numerous affiliates has contributed to the volume of “Trojan dropper” variants detected by antivirus products every day.

They are all driven by the same motive which is to collect attractive revenue share from the gang. The partners are compensated based on a Pay-Per-Install (PPI) service scheme and the rate differs depending on the geographical location of the machine on which the malware was successfully installed. A successful installation in the United States will net the highest payout, with the gang willing to pay USD 500 per 1000 installations in that location.

Given the rate of pay, it is no surprise that ZeroAccess is widespread in the US alone. After the US, the commission rates, sorted from highest to lowest, are those for Australia, Canada, Great Britain, and others. Some distributors even post screenshots of the payment they have received in underground forums to show the reliability of their recruiter. The ZeroAccess team can afford to pay such high incentives to its recruits because the army of bots created by the affiliates’ efforts is able to generate even more revenue in return. Once the malware is successfully installed on the victim machines, ZeroAccess will begin downloading and installing additional malware onto the machines, which will generate profit for the botnet operators through click fraud operations.

The affiliate program, as an interesting criminal business model, encourages the spread of malware and attracts more cybercriminals due to the botnet operators’ established reputation for reliably paying its affiliates and adjusting commission rates to maintain their attractiveness. The criminal organizations behind the botnet have shown that they are willing to experiment and modify their “product” in order to increase their ability to make money.

Europol’s European Cybercrime Centre (EC3), supported by Microsoft Corporation’s Digital Crimes Unit and other industry partners, announced that it had successfully disrupted the ZeroAccess network in 2013, but, as we know, P2P networks are very resilient to disruption and some backfire is expected (EC3, 2013).

Countermeasures for Fighting Botnets or Mitigating Botnets Effects

Due to the high level of customization of malware, it is quite difficult to adopt an effective and efficient countermeasure through code analysis and fingerprint definition, which is what well-known antivirus systems practice. So we need methods that analyze malware behavior: regardless of the architectures and protocols used, bots need to contact their C&C (you can hide everything except the network traffic!).

Even behavioral analysis, however, is not easy to manage. A lot of work has already been done on the analysis of standard protocols (typically level 4 and 5 of the TCP/IP stack) in order to distinguish legitimate traffic from botnet traffic.

Unfortunately, the increasing use of strong encryption mechanisms and of traffic customization/obfuscation techniques (as we shall see in the next section) will make this work ineffective in the medium to long term, also because much of the work mentioned in this paragraph has shown good results only for specific botnet architectures.

First of all, from an operational standpoint, a necessary condition (probably not a sufficient one!) for being ready to deal with an in-progress botnet attack, considering for example the two cases par excellence, a spam campaign and a DDoS, is to verify that:

 the firewall facing the Internet has “Intrusion Detection/Prevention System” capability and a throughput greatly overestimated compared to normal working conditions and the available Internet bandwidth;

 the antispam system is configured as rigidly as possible (e.g., it only accepts messages from MTAs that have the common DNS MX, PTR and A records correctly configured);

 your Internet Service Provider is equipped with monitoring tools that promptly highlight surges of traffic to your Internet services and, in the worst cases, can quickly disable entire portions of the Internet (e.g., all international routes) to temporarily reduce the firepower of the botnet.

Regarding the goals to be achieved, we first need to distinguish two different approaches. Network and security administrators usually have an interest in detecting the presence of bots and C&C servers on their networks or in withstanding a botnet attack (mitigation), while researchers focus their attention on the direct identification of the botnet itself (payload, architectures, protocols, criminal capacity, etc.) in order to find its vulnerabilities and, consequently, disrupt it.

With regard to the methodology used, botnet hunting methods can be divided into two key categories:

 Passive: such capabilities are usually organized with network monitoring solutions within corporate LANs. These techniques are essentially based on statistical analysis of both TCP and UDP traffic, on specific application protocols analysis such as HTTP or DNS as well as on the pattern recognition of specific keywords or IP addresses to be put in the blacklist.

 Active: these techniques are usually based on scanning, crawling or sinkholing of IP address ranges, probing for the presence of bots and/or C&C peers by analyzing the answers to specific queries (usually via a honeynet). These practices also attempt to exploit any vulnerabilities in protocols or C&C servers.

As previously mentioned, we can assume that botnets are different from other forms of malware in that they use C&C channels which are the essential mechanism that allows a botmaster to direct the actions of bots in a botnet. As such, the C&C channel can be considered the weakest link of a centralized botnet. That is, if we can take down an active C&C or simply interrupt the communication to the C&C, the botmaster will not be able to control the botnet. Moreover, the detection of the C&C channel will reveal both the C&C servers and the bots in a monitored network. Therefore, understanding and detecting the C&Cs has great value in the battle against centralized botnets.

Botnet C&C traffic is difficult to detect because it follows normal protocol usage and is similar to normal traffic, the traffic volume is low, there may be very few bots in the monitored network, and the traffic may contain encrypted communication. However, the bots of a centralized botnet demonstrate spatial-temporal correlation and similarities due to the nature of their pre-programmed response activities to control commands. For instance, at a similar time, all the bots within the same botnet will execute the same command and report to the C&C server with the progress/result of the task (and these reports are likely to be similar in structure and content).

Regular network activities are unlikely to show such synchronized and correlated behavior and, even when the traffic is encrypted, it may be useful to investigate the traffic generated by groups of clients that have the same (IP, TCP port) destination pair (Gu et al., 2008).
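The group correlation described above can be sketched over flow metadata alone, so it works even when payloads are encrypted. The following is an added example, not code from the chapter or from Gu et al.; the record layout, thresholds and function name are assumptions, and the flows are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (epoch_seconds, src_ip, dst_ip, dst_port, bytes_sent).
# All addresses come from documentation ranges; none are real indicators.
FLOWS = [
    # Three clients contact the same (IP, port) within seconds of each other,
    # every ten minutes, with near-identical payload sizes.
    (1000, "10.0.0.11", "203.0.113.50", 443, 312),
    (1003, "10.0.0.12", "203.0.113.50", 443, 310),
    (1007, "10.0.0.13", "203.0.113.50", 443, 315),
    (1600, "10.0.0.11", "203.0.113.50", 443, 311),
    (1602, "10.0.0.12", "203.0.113.50", 443, 313),
    (1609, "10.0.0.13", "203.0.113.50", 443, 309),
    (2200, "10.0.0.11", "203.0.113.50", 443, 314),
    (2204, "10.0.0.12", "203.0.113.50", 443, 312),
    (2210, "10.0.0.13", "203.0.113.50", 443, 310),
    # Ordinary browsing: more clients, but unsynchronised and with varied sizes.
    (1050, "10.0.0.11", "198.51.100.7", 443, 2400),
    (1420, "10.0.0.12", "198.51.100.7", 443, 18000),
    (1900, "10.0.0.13", "198.51.100.7", 443, 650),
    (2500, "10.0.0.11", "198.51.100.7", 443, 9100),
    (2950, "10.0.0.14", "198.51.100.7", 443, 120),
    # Only two clients: synchronised, but below the group-size threshold.
    (1001, "10.0.0.11", "192.0.2.9", 8080, 200),
    (1002, "10.0.0.12", "192.0.2.9", 8080, 200),
]


def correlated_groups(flows, window=60, min_clients=3, min_rounds=3,
                      min_participation=0.8, max_size_cv=0.10):
    """Return destinations whose clients act in synchronised, similar rounds.

    All thresholds are illustrative assumptions and need tuning per network.
    """
    # Group every flow by its (destination IP, destination port) pair.
    by_dest = defaultdict(list)
    for ts, src, dst, port, size in flows:
        by_dest[(dst, port)].append((ts, src, size))

    findings = []
    for dest, records in by_dest.items():
        clients = sorted({src for _, src, _ in records})
        if len(clients) < min_clients:
            continue  # too few clients to speak of group behaviour

        # Temporal correlation: which clients were active in each fixed window.
        # Fixed windows can split a burst that straddles a boundary.
        active = defaultdict(set)
        for ts, src, _ in records:
            active[ts // window].add(src)
        rounds = [w for w, members in active.items()
                  if len(members) / len(clients) >= min_participation]

        # Similarity: coefficient of variation of the bytes sent per flow.
        sizes = [size for _, _, size in records]
        avg = mean(sizes)
        size_cv = pstdev(sizes) / avg if avg else float("inf")

        if len(rounds) >= min_rounds and size_cv <= max_size_cv:
            findings.append({"dest": dest, "clients": clients,
                             "rounds": len(rounds),
                             "size_cv": round(size_cv, 4)})
    return sorted(findings, key=lambda f: f["rounds"], reverse=True)


if __name__ == "__main__":
    for finding in correlated_groups(FLOWS):
        print(finding)
```

Scheduled legitimate traffic such as software update checks or time synchronisation shows the same pattern, so findings are candidates for review against an allow-list rather than verdicts.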

When botnets switch to a peer-to-peer (P2P) structure and utilize multiple protocols for C&C, the above assumptions no longer hold. Consequently, the detection of P2P botnets is more difficult.

One possible approach is to design a particular kind of “Network Traffic Data Warehouse.” By capturing enough network traffic data (training data), the proposed approach can profile (cluster) the behavior of normal application/user activities and separate it from other behavior. In fact, the action sequence differs greatly between the normal user and the botnet. Since the botnet is dynamic (peers in the botnet can be dynamically shut down or removed from the botnet at any time), a bot may first generate traffic to find the online peers on certain ports from its peer list, and then send a command to all the available peers. On the other hand, it is very unlikely that a normal user (or a majority of normal users) behaves in this way. Although normal users are capable of choosing arbitrary destinations, they usually associate themselves with a small range of destinations of different popularity. The peers chosen in P2P botnets, by contrast, are random regardless of the destination popularity.

In this way we can compute some statistical measures (e.g., Behavior Proportion based Test or Behavior Mean Distance based Test) in order to identify new samples of network traffic data (Chang and Daniels, 2009).

If the C&C server cannot be taken down, another option is to redirect malicious traffic to sinkholes, a strategy that found its way into recent mitigation techniques, either locally or globally. The sinkholes record malicious traffic, analyze it and drop it afterwards such that it cannot reach the original target it is meant for. One example of sinkholing is DDoS null-routing. In the case where traffic belongs to an ongoing DDoS attempt it is dropped and sometimes counted for later analysis. DDoS null-routing at border-routers is a promising approach to mitigate DDoS attacks but comes with the challenges of reliable identification of attack-related traffic and clean dissection of high-bandwidth data streams at an early stage. This is generally only possible at ISP level (Leder et al., 2009).

Two completely different approaches in botnet hunting are based on protocol failure information analysis (Zhu et al., 2009) and passive DNS protocol analysis (Bilge et al., 2011) to detect zombies. The first one uses a new behavior-based approach to detect infected hosts within an enterprise network. The goal is to develop a system that is independent of malware family and requires no “a priori” knowledge of malware semantics or command and control (C&C) mechanisms. The approach is motivated by the simple observation that many malware communication patterns result in abnormally high failure rates, an observation that is extended to broadly consider a large class of failures at both the transport and application levels of the TCP/IP stack. In fact, a survey conducted on 32 different malware instances highlighted some common failure messages, listed in Figure 17.11.

Figure 17.11 Protocols failure messages.

From a quantitative point of view the mentioned survey found that most malware instances (18/24 instances) have triggered DNS failures.
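A per-host failure profile of the kind this approach relies on can be computed from ordinary network logs. This is an added example, not code from the chapter or from Zhu et al.; the log layout, the failure categories, the thresholds and the function names are assumptions, and the events are constructed.

```python
from collections import defaultdict

# Constructed sample events, one per line: time host protocol target result.
# Hosts and targets are placeholders, not real indicators.
EVENTS = """\
09:00:01 10.0.0.21 DNS www.example.com NOERROR
09:00:02 10.0.0.21 TCP 198.51.100.7:443 ESTABLISHED
09:00:03 10.0.0.21 HTTP www.example.com/index.html 200
09:00:09 10.0.0.21 HTTP www.example.com/missing.png 404
09:01:15 10.0.0.21 DNS mail.example.org NOERROR
09:01:16 10.0.0.21 SMTP mail.example.org 250
09:00:05 10.0.0.66 DNS a1.example.net NXDOMAIN
09:00:06 10.0.0.66 DNS a2.example.net NXDOMAIN
09:00:07 10.0.0.66 DNS a3.example.net NXDOMAIN
09:00:08 10.0.0.66 DNS a4.example.net NOERROR
09:00:09 10.0.0.66 TCP 203.0.113.50:6667 RST
09:00:10 10.0.0.66 TCP 203.0.113.51:6667 TIMEOUT
09:00:11 10.0.0.66 TCP 203.0.113.52:25 ESTABLISHED
09:00:12 10.0.0.66 SMTP mx.example.org 550
09:00:13 10.0.0.66 SMTP mx.example.com 554
09:00:14 10.0.0.66 DNS a5.example.net NXDOMAIN
09:02:00 10.0.0.30 DNS typo.example.invalid NXDOMAIN
09:02:01 10.0.0.30 TCP 192.0.2.9:80 RST
"""

# Result values treated as failures (assumed categories for this sketch).
FAILURES = {
    "DNS": {"NXDOMAIN", "SERVFAIL", "REFUSED"},
    "TCP": {"RST", "TIMEOUT", "UNREACHABLE"},
}


def is_failure(proto, result):
    """Classify one event as a transport- or application-level failure."""
    if proto in FAILURES:
        return result in FAILURES[proto]
    if proto in ("HTTP", "SMTP"):
        # HTTP status codes and SMTP reply codes of 400 and above are errors.
        return result.isdigit() and int(result) >= 400
    return False


def failure_profile(text):
    """Build host -> protocol -> [failures, total] from the event log."""
    profile = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0].startswith("#"):
            continue  # skip blank, comment or malformed lines
        _, host, proto, _, result = fields
        counts = profile[host][proto]
        counts[1] += 1
        if is_failure(proto, result):
            counts[0] += 1
    return profile


def suspicious_hosts(profile, min_events=5, min_rate=0.5, min_protocols=2):
    """Flag hosts with a high failure rate spread over several protocols."""
    flagged = []
    for host, protos in profile.items():
        failed = sum(f for f, _ in protos.values())
        total = sum(t for _, t in protos.values())
        if total < min_events:
            continue  # not enough evidence to judge this host
        failing_protos = sorted(p for p, (f, _) in protos.items() if f)
        rate = failed / total
        if rate >= min_rate and len(failing_protos) >= min_protocols:
            flagged.append((host, round(rate, 2), failing_protos))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for host, rate, protos in suspicious_hosts(failure_profile(EVENTS)):
        print(host, rate, protos)
```

The method needs no knowledge of the malware family: the host that browses normally and hits one broken link stays well under the threshold, while the host failing across DNS, TCP and SMTP is reported.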

Because of the important role that DNS plays in the operation of the Internet, the second approach is based on exclusive analysis of this protocol. It is not surprising that a wide variety of malicious activities involve the domain name service in one way or another. Bots resolve DNS names to locate their C&C servers, and spam mails contain URLs that link to domains that resolve to scam servers. Thus, it seems effective to monitor the use of the DNS system in order to investigate if a certain name is used as part of a malicious operation.

If the IP address of the C&C is hard-coded into the bot binary, there exists a single point of failure for the botnet. Whenever this address is identified and taken down, the botnet would be lost. So attackers, by using DNS, gain the flexibility and the fault tolerance they need in the malicious architectures that they manage. Furthermore, they can hide their critical servers behind proxy services so that they are more difficult to identify and take down.

Hence, by studying the DNS behavior of known malicious and benign domains, over as large an observation time and traffic volume as possible, one could identify the distinguishing generic features that are able to define the maliciousness of a given domain. For example, the 15 different features listed in Figure 17.12 may be indicative of malicious behavior.

Figure 17.12 DNS features.

There are many other approaches aimed at identification, enumeration, and poisoning, usually applied to P2P botnets (peer crawling). These approaches commonly involve very vertical studies of small botnet families, if not a single botnet. The basic idea is to try to join a particular botnet, understand its architecture, protocols and size in context, and then outline ways to disrupt or simply mitigate it.

Conclusion and Future Trends (TOR, Mobile and Social Networks)

The temple of botnets relies on three main pillars (Figure 17.13). The pervasive diffusion of the Internet fortifies these three pillars. All devices equipped with internet connectivity can potentially become future zombies. In fact, the main candidates are currently smartphones and tablets and we have already witnessed criminal actions due to the spread of malware for mobile devices (e.g., ZITMO).

Figure 17.13 Botnet pillars

Still few people are aware of the risks that can arise from a modern device. The technological convergence is more and more invasive—almost all everyday life objects are “Internet connected” and smart. There will hardly ever be a countertrend.

In addition to the widespread use of encryption of communication channels, recently we have seen the spread of social networks being used as part of a botnet. One of the primary intents of botmasters is to reach a wide audience of users, so it is natural that they are exploring the possibility of exploiting social media platforms for recruiting new zombies and controlling infected machines (typically creating fake accounts that send encrypted messages to malware on victims), since social networks have monopolized the majority of users’ internet experience. Botmasters have begun to exploit social network websites (e.g., Twitter.com) as C&C headquarters, which turns out to be quite stealthy because it is hard to distinguish the C&C activities from the normal social networking traffic (Kartaltepe et al., 2010). “UPD4T3” is an example of a fake Twitter account owned, of course, by a botmaster.

Moreover, we know that TOR is an anonymity network operated by volunteers which provides encryption and identity protection capabilities. Tor is a great tool that helps people all over the world to protect themselves from Internet censorship. It is widely used by anyone concerned about the privacy and safety of their communications. At the same time though, it does get abused a lot, as in the case we are going to describe.

The potential use of TOR in botnet infrastructure has been discussed several times in the past (e.g., at “Defcon 18 Conference” by Dennis Brown). In September 2012 the German Antivirus vendor G-Data briefly described a similar case.

As we already know, hosting C&C infrastructure on “Internet servers” could expose the botnet. A much stronger infrastructure can be built just by utilizing Tor as the internal communication protocol and by using the Tor Hidden Services functionality.

Hidden services, introduced in 2004, permit the creation of completely anonymous and concealed services accessible through Tor only. An “onion” pseudo-domain is generated, which will then be used to resolve and contact the hidden server. It is very difficult to identify the origin of the hidden service and to revoke or take over the associated onion domain (Figure 17.14).

Figure 17.14 C&C server as a hidden service.

The advantages of this approach are:

 The traffic is encrypted.

 The hidden services do not rely on public-facing IP addresses.

The threat posed by the spread of botnets is still, unfortunately, a prerogative of worlds that, for various reasons (technical or historical), are closely linked to the words “Internet” and “Computer.” Moreover, only recently we have seen concrete examples of its translation into effective criminal activities (monetization of the operational capabilities of a botnet).

Google uses the Internet, e-mail uses the Internet, Home Banking makes use of the Internet. Are we still using the Internet to play with a friend (who lives on the other side of the world) through our home Wi-Fi? Is “Waze App” still using the Internet? Yes, of course.

If you can see YouTube through your Smart TV maybe you need an antivirus or (why not) a firewall installed on it (usually installed on a PC or Laptop).

The countermeasures described in the previous paragraph should be extended to those vendors whose core business to date has been completely different. In a not too distant future, a DOS attack to a “TV broadcasting cable system” or to the VOIP system of a telephony operator—two real examples of critical infrastructure—could foreshadow Cyber Terrorism scenarios.

The aforementioned scenarios pose severe concerns for botnet development in the future, extending the threatened perimeter of the target infrastructures. Hence, a plurality of stakeholders will be called to cope with this problem, via different balance of synergic countermeasures to mitigate the risk.

References

Balapure A, Paganini P. InfoSec Institute, Botnets Unearthed – The ZEUS BOT, 2013. Available from http://resources.infosecinstitute.com/botnets-unearthed-the-zeus-bot/ (accessed 08.07.13).

Bilge, L., Kirda, E., Kruegel, C., and Balduzzi, M.; Institute Eurecom Sophia Antipolis, Northeastern University Boston, University of California Santa Barbara. EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis, published in 18th Annual Network & Distributed System Security Symposium Proceedings, NDSS 2011, 6–9 February 2011, San Diego, CA.

Binsalleeh, H., Ormerod, T., Boukhtouta, A., Sinha, P., Youssef, A., Debbabi, M., Wang, L., 2010. On the Analysis of the Zeus Botnet Crimeware Toolkit. published in Eighth Annual International Conference on Privacy Security and Trust (PST), 17–19 August 2010, Ottawa, ON.

Chang, S., Daniels, T.E.; Department of Electrical and Computer Engineering of Iowa State University, Ames, Iowa. P2P Botnet Detection using Behavior Clustering & Statistical Tests, published in Proceedings of the 2nd ACM workshop on Security and artificial intelligence (AISec 2009), 16th ACM Conference on Computer and Communications Security (CCS 2009), 9–13 November 2009, Hyatt Regency Chicago, Chicago, IL.

EC3, 2013. Europol’s European Cybercrime Centre (EC3) press release. Notorious botnet infecting 2 million computers Disrupted. https://www.europol.europa.eu/content/notorious-botnet-infecting-2-million-computers-disrupted

Falliere N, Chien E. Symantec White Paper. 2009 Zeus: King of the Bots, November 2009.

Ferguson R. Trend Micro White Paper, The Botnet Chronicles, A journey to Infamy. 2010 November 2010.

F-Secure Threat Report – Second half (H2) of 2012.

Gu, G., Zhang, J., Lee, W.; School of Computer Science, College of Computing Georgia Institute of Technology Atlanta, GA. BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic, published in 16th Annual Network & Distributed System Security Symposium Proceedings, NDSS 2008, 7–10 February 2008, San Diego, CA.

Howard F. Sophos White Paper. 2012 Exploring the Blackhole Exploit Kit, March 2012.

Kalige, E., Burkley, D., 2012. Versafe and Check Point software Technologies White Paper. A Case Study of Eurograbber: How 36 Million Euros was Stolen via Malware, Eran Kalige (Versafe), Darrell Burkey (Check Point Software Technologies), December 2012.

Kartaltepe EJ, Morales JA, Xu S, Sandhu R. Institute for Cyber Security and Department of Computer Science, University of Texas at San Antonio. In: Social Network-Based Botnet Command-and-Control: Emerging Threats and Countermeasures, published in 8th International Conference on Applied Cryptography and Network Security, ACNS 2010, 22-25 June 2010, Beijing, China; June 2010.

Kaspersky Security Bulletin. Kaspersky Lab Global Research and Analysis Team. 2013.

Lanelli N, Hackworth A. CERT Coordination Center, Carnegie Mellon University. 2005. Botnets as a Vehicle for Online Crime http://www.cert.org/archive/pdf/Botnets.pdf (accessed 01.12.05).

Leder F, Werner T, Martini P. Institute of Computer Science IV, University of Bonn, Germany, 2009. In: Proactive Botnet Countermeasures—An Offensive Approach. NATO Cooperative Cyber Defence Centre of Excellence—Cyber Warfare Conference, 17–19 June 2009; 2009.

Lemos R. MIT Technology Review—Computing, “Rise of the Point-and-Click Botnet”. 2010 February 23, 2010.

Neville, A., Gibb, R. Symantec White Paper. ZeroAccess Indepth, 4 October 2013.

Paganini P. InfoSec Institute, Botnets and cybercrime – Introduction. 2013a. http://resources.infosecinstitute.com/botnets-and-cybercrime-introduction/ (published 08.04.13).

Paganini P. InfoSec Institute, Botnets, how do they work? Architectures and case studies – Part 2. 2013b. http://resources.infosecinstitute.com/botnets-how-do-they-work-architectures-and-case-studies-part-2/ (published 22.04.13).

Paganini P. InfoSec Institute, Botnets and Cybercrime – Botnets hunting – Part 3. 2013c. http://resources.infosecinstitute.com/botnets-and-cybercrime-botnets-hunting-part-3/ (published 25.04.13).

Rossow C., 2013. Inst. for Internet Security, Gelsenkirchen, Germany; Andriesse, D., Werner, T., Stone-Gross, B., Plohmann, D., Dietrich, C.J., Bos, H. SoK: P2PWNED – Modeling and Evaluating the Resilience of Peer-to-Peer Botnets, published in IEEE Symposium on Security and Privacy (SP), 19–22 May 2013, Berkeley, CA.

Symantec Internet Security Threat Report 2013: Volume 18, April 2013.

Wang, P.; Sch. of Electr. Eng. & Comput. Sci., Univ. of Central Florida, Orlando, FL, USA; Wu, L., Aslam, B., Zou, C.C., 2013. A Systematic Study on Peer-to-Peer Botnets, published in Proceedings of 18th International Conference on Computer Communications and Networks, 2009. ICCCN 2009, 3–6 August 2009, San Francisco, CA.

Wyke J. Sophos White Paper. 2011 What is Zeus?, May 2011.

Zhu, Z.S., Yegneswaran, V., Chen, Y.; Department of Electrical and Computer Engineering, Northwestern University, Computer Science Laboratory, SRI International, 2009. Using Failure Information Analysis to Detect Enterprise Zombies, published in 5th International ICST Conference on Security and Privacy in Communication Networks. SecureComm, 14–17 September 2009, Athens, Greece.
