Chapter 3. Focusing on the Threat of Malicious Bots

Your security team is not the only one that is increasingly relying on ML, AI, and automation. Cybercriminals and nation-state actors alike use automation and rudimentary machine learning to build out large-scale attack infrastructures. These infrastructures are often referred to colloquially as bots or botnets, reflecting the automated nature of the attacks. This chapter covers some of the different types of bots, how they work, and the dangers they pose to organizations.

Bots and Botnets

By some measures bots make up more than half of all internet traffic and are the number one catalyst for attacks, ranging from botnets launching distributed denial of service (DDoS) attacks to malicious bot traffic that simulates human behavior to perpetrate online fraud, all at an exponentially expanding scale. Reports on a recent industry study analyzing more than 7.3 trillion bot requests per month reveal that in the last three months of 2017, the attacks made up more than 40% of malicious login attempts. The study also reports that attackers are looking to add enterprise systems as a part of their botnet by exploiting remote code execution vulnerabilities in enterprise-level software.1

The terms bot and botnet get thrown around a lot, but what do they really mean? There are a lot of different types of bots that perform different functions, but a malware bot is a piece of code that automates and amplifies the ability of an attacker to exploit as many targets as possible as quickly as possible. Bots generally consist of three parts:

  • Scanning

  • Exploitation/tasking

  • Command-and-control communication

The first task involves a bot wading through millions or tens of millions of public-facing IP addresses probing for specific technologies and applications that the bot is designed to exploit. Sometimes, that scanning is made easier by the use of third-party sources such as the Shodan databases, but often these bots are operating completely autonomously.

When the bot finds a system that it can exploit, it attempts to do so. That exploitation might consist of an actual exploit (discussed in more detail in a few moments), but the exploitation might also be a brute-force login attack using a list of common username–password combinations. It could also be a website where the bot is trying to gather information by sidestepping CAPTCHA protections.

After a bot has successfully exploited a system, it either installs a payload or communicates directly back to a command-and-control (C&C) host that it has successfully exploited a system. The attacker might act if it is a high-value target, but often the attacker is just collecting systems that will be used to redirect other attacks or activated all at once to launch a DDoS attack.
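The brute-force login stage described above leaves a recognizable trace on the target: one source address, many distinct usernames, failures arriving faster than a person could type. The following detector is an added example, not code from the chapter; it runs over constructed sshd-style auth lines (the addresses are documentation ranges) and flags sources that match that pattern while leaving a single user who mistyped a password alone.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth lines (not from the page); IPs are documentation ranges.
SAMPLE_LOG = """\
Mar 03 10:00:01 host sshd[100]: Failed password for invalid user admin from 203.0.113.7 port 5001 ssh2
Mar 03 10:00:02 host sshd[101]: Failed password for invalid user root from 203.0.113.7 port 5002 ssh2
Mar 03 10:00:02 host sshd[102]: Failed password for invalid user test from 203.0.113.7 port 5003 ssh2
Mar 03 10:00:03 host sshd[103]: Failed password for invalid user guest from 203.0.113.7 port 5004 ssh2
Mar 03 10:00:03 host sshd[104]: Failed password for invalid user oracle from 203.0.113.7 port 5005 ssh2
Mar 03 10:00:04 host sshd[105]: Failed password for invalid user ubuntu from 203.0.113.7 port 5006 ssh2
Mar 03 10:05:10 host sshd[106]: Failed password for alice from 198.51.100.9 port 6001 ssh2
Mar 03 10:05:20 host sshd[107]: Failed password for alice from 198.51.100.9 port 6002 ssh2
Mar 03 10:05:31 host sshd[108]: Accepted password for alice from 198.51.100.9 port 6003 ssh2
"""

LINE_RE = re.compile(
    r"^\w{3} \d\d (?P<ts>\d\d:\d\d:\d\d) .*?sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_auth_log(text):
    """Yield (seconds_since_midnight, result, user, ip) for each recognised line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s = (int(x) for x in m["ts"].split(":"))
        yield h * 3600 + mi * 60 + s, m["result"], m["user"], m["ip"]

def find_bruteforce_sources(text, max_failures=5, min_users=3, window=60):
    """Return {ip: details} for sources that, within `window` seconds, fail
    `max_failures`+ times across `min_users`+ distinct usernames: a bot
    walking a credential list, not one person mistyping one password."""
    failures = defaultdict(list)          # ip -> [(ts, user), ...]
    for ts, result, user, ip in parse_auth_log(text):
        if result == "Failed":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # slide the window over each start
            in_window = [u for t, u in events[i:] if t - start <= window]
            if len(in_window) >= max_failures and len(set(in_window)) >= min_users:
                flagged[ip] = {"failures": len(in_window), "users": sorted(set(in_window))}
                break
    return flagged
```

The thresholds are assumptions to tune per environment; a credential-stuffing bot that rotates source addresses (as the chapter notes later) would need the same logic keyed on the username instead.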

Those collective systems, controlled by an attacker from one or more C&C servers, are known as a botnet. Figure 3-1 shows the topology of a C&C botnet. The botmaster is the attacker who manages the C&C servers, which are responsible for tasking the infected systems in order to continue growing the botnet or attacking targeted systems.

Figure 3-1. Botnet hierarchy

Botnets tend to be single purpose, depending on the tools installed by the attacker. The most common type of botnet is one that is used for DDoS attacks. DDoS attacks are a very profitable industry on underground forums, and attackers that control large botnets sell their services for anywhere from $50 for a one-hour attack to thousands of dollars for a large-scale sustained attack. DDoS botnets are generally looking to exploit home routers used for residential high-speed internet access. These systems are rarely monitored, often left unpatched, and therefore make easy and persistent targets for attackers.

Some botnets are used to spread malware by compromising websites and embedding code that redirects victims to an exploit server owned by the attacker. These botnets often exploit flaws in web applications such as WordPress or Joomla. The attacker is generally not using this malware to gain access to an organization (and most of the time these sites are hosted on separate infrastructure outside of the organization, so there is no direct access); instead, the attacker is looking to infect visitors to those sites with ransomware, cryptocurrency mining malware, or banking trojans.

Some botnets are designed to help an attacker gain access to enterprise-level organizations. These botnets tend to target vulnerabilities in internet-facing applications that usually allow direct access to the network. Often these bots will target tools like JBoss or attempt to brute-force Microsoft’s Remote Desktop Protocol (RDP). These botnets use exploits that target well-known vulnerabilities and are usually looking for systems that vulnerability management teams don’t know about or have left unpatched. The attacker who controls access to these systems can use that access to further exploit networks that are of interest, or they might sell access to those networks in the underground market.

Finally, there are botnets that are designed to steal information from websites. These bots, often operated by unscrupulous competitors or price-aggregation sites, are built to scrape target websites for information or pricing and use the collected data to give the attacker a competitive advantage. These bots are particularly difficult to block because they are designed to mimic web user behavior very closely, and organizations that attempt to block these bots run the risk of keeping legitimate users from accessing their website and losing customers.

Bots and Remote Code Execution

Using bots and botnets for remote code execution is one of their earliest and most common uses. These bots tend to operate in two stages. The first stage scans hundreds of millions of IP addresses looking for internet-facing systems that appear to have a predefined list of vulnerabilities. When the scanning bot finds a potentially vulnerable system, it reaches back to an exploit kit, such as Metasploit, which launches the attack and installs a loader that calls back to one of the C&C servers owned by the attacker.

This is one of the reasons why bots can be so difficult to track and stop: in the anatomy of an attack, the bot will originate from one IP address, the actual exploitation will come from another IP address, and the C&C server will be a different IP address. None of these IP addresses will be connected, because they are from systems compromised by the attacker. This means there is no rhyme or reason to where the attacks originate, which makes it very difficult to put rules in place to block them.

Not all exploit bots operate using the two-stage process. Purpose-built bots that are targeting only a single application or technology will often embed whatever necessary exploit code or login credentials in the scanning bot. This allows the bot to infect a system and then turn the newly infected system into a bot that continues the scanning and infecting process. As a result, there are hundreds of thousands of bots looking for new systems to infect at any one time.

Most exploits targeting an OS or application are specially designed and include some sort of buffer, stack, or heap overflow combined with a piece of remote code that is then executed by the targeted system. When doing a search on http://cve.mitre.org/ for the terms “remote code execution,” the search returns with 16,035 known vulnerabilities dating all the way back to 1999, and the list is growing daily. These are pinpointed weak spots that would allow code to be remotely executed by the vulnerable operating system (OS) or application. When attackers are crafting their exploits, they add additional code that they hope is executed by the target system. When the “remote” code is executed, most of it allows a back door to be opened on the target system, thus allowing the attacker control over your systems, right through any edge defenses.

Often, the remote code that is executed by the targeted OS or application not only allows attackers to gain access to a system, but also potentially downloads additional code to enable attackers to remain resident in that system for long periods of time. The vulnerabilities in these cases are not created by the “usage” of the OS or application directly. Instead, they are mistakenly created by the manufacturers or developers of the OS or application.

One of the most effective deterrents against exploitation-based botnets is good vulnerability management. Vulnerability management and prioritization of patching is not the most exciting aspect of information security, but it is critical to stopping systems from becoming part of a botnet, and there is a role for AI and machine learning in vulnerability management.

It is important to keep in mind that these botnets are not using so-called zero-day exploits, which are exploits that have not yet been publicly released. Instead, they are relying on shared proof-of-concept code for well-known vulnerabilities. Using AI and ML, companies that specialize in vulnerability management tools can determine which exploits are active in the wild and being used by the various exploit kits. That information is then shared with vulnerability management teams (VMTs) so that they can prioritize patching of publicly exposed systems that might be susceptible to vulnerabilities currently being widely exploited. Of course, in order for this to be an effective strategy, an organization must perform regular scans of its systems, both internal and external, and it must have a regular patching cycle.

More Flexible Malicious Bots, More Risks to Your Business

As long as there remain easily accessible and exploitable systems connected to the internet, the threat of bots and botnets will continue to grow. Bot traffic continues to grow because bots are cheap to maintain, successful in exploiting targets, and help cybercriminals make money. That is why they are used to infiltrate enterprise web and mobile applications at the cloud or network edge, exploiting vulnerabilities and performing account takeovers, account creations, credit card fraud, DDoS attacks, and more. Bot traffic continues to scale, sometimes faster than the protections in place to defend against it can adapt, which is why in March of 2018, GitHub was unreachable for 10 minutes as it was the victim of the largest DDoS attack on record.

The bot threat is more than just a threat of exploitation or DDoS attacks. Threat actors can also use bots to attack API endpoints, where traditional bot challenges such as JavaScript, device fingerprinting, and CAPTCHA programs intended to distinguish human from machine input are not effective at thwarting bot attacks. An attacker can use successful exploitation of an API endpoint to expose sensitive data such as customer information or intellectual property.

In short, the modern botnet poses multiple threats to an organization. Even an unsuccessful attack can affect performance, availability, customer experience, and, ultimately, the bottom line.

In addition, botnets are constantly adapting to new techniques and new types of malware. One example is cryptocurrency mining, in which attackers use JavaScript or malware to mine Bitcoin or another cryptocurrency. In fact, according to industry reports, cryptocurrency mining malware is quickly becoming an attacker favorite, with nearly 90% of all remote code execution attacks in late 2017 sending a request to an external source to try to install cryptocurrency mining malware. These attacks primarily exploit vulnerabilities in the web application source code to download and run different cryptocurrency mining malware on the infected server, or exploit web servers and implant code that downloads a cryptocurrency miner to visitors to the site. One of the reasons that cryptocurrency mining has been so successful is that miners don’t steal information or disrupt other services on the machine, so they tend to be low priority for removal. Thus, while a single cryptocurrency miner doesn’t generate much revenue for an attacker, thousands of them running for extended periods of time can.2

Bots and botnets pose a multifaceted threat to organizations that is difficult to defend against using existing security tools. For organizations to mount an effective defense, security teams must increasingly rely on automation as part of their defense strategies. The subsequent chapters discuss how to effectively and efficiently use AI and ML to prevent and mitigate these attacks.
