Wednesday, April 22, 2009

Bot Counting via Hijacked C&C Portals

So, the question is "can you accurately size a botnet by hijacking the Web C&C portal and counting the bot agents under management?"

The obvious answer should be "yes", but I'm sorry to say that the answer is almost certainly "not really". Not meaning to rain on Finjan's parade, but just because a C&C portal displays a 'total' figure doesn't mean that's how big the botnet actually is.

Original response is over on the Damballa site... "Caution Over Counting Numbers in C&C Portals"...

C&C Portal Counting

It’s always a struggle to get definitive information about the size of the global botnet infestation. The typical way in which security researchers build the big picture is either through extrapolation of an existing dataset (e.g. there are 1,000 infections within this class-A, therefore there are probably 250,000 infections globally) or through the summation of confirmed reports.

The former method has always struck me as fraught with uncertainty, and I wouldn't even consider it a reliable estimating method since there are way too many factors at work. The latter method tends to underestimate the global number – but it is a more accurate reflection of what we actually know.

So, it was with interest I read today's blog by Finjan - How a cybergang operates a network of 1.9 million infected computers – which details their investigation of a Web-based C&C platform they stumbled upon, one that appears to have been managing a little over 1.9 million bot agents. It's an interesting walk-through of what they found (and well worth the read), however I think it's important that followers of these kinds of numbers (and supporting evidence) keep a critical eye open.

Some things to bear in mind with these kinds of notable finds:

  1. The absolute number quoted within these C&C portals doesn’t necessarily mean that there were (or are) as many bot agents out there.
    a. Depending upon the age of the portal, the number is probably an aggregate of all the infected hosts over time. Some hosts may have been infected and then remediated or just “lost” by the botnet herder.
    b. Just like the way in which new companies tend to start their invoices with a number other than one (e.g. start with 10000) so that their first customers don't realize that they are so small/new, botnet herders are just as inclined to start at a higher number – after all, a big number looks cool.
    c. In the majority of cases the counter increments upon the addition of a new infected host. In many cases each reinfection of an infected host (e.g. the user falls victim to the same drive-by-download attack) overwrites the malware that was first installed and creates a fresh registration to the C&C server.
    d. DHCP – an oldie, but a goodie – means that an infected host will be assigned different IP addresses (and host names if they’re subscribers of a mainstream ISP), which means that the same host can (typically) get counted each time it connects to the C&C from a different address. In conjunction with that, “new” infections that happen to reuse an older infected IP address registration may not get counted at all.
  2. A basic business model has developed over the last 18 months revolving around building large botnets as fast as possible, inventorying them for low-hanging-fruit authentication credentials and network-orientated configuration info (e.g. speed of network connection, VPN, NAT and enterprise network settings), and then carving them up for sale to other botnet operators. As such, the carved off botnet subsets (often sold in the realm of $50-400 per thousand hosts) may be removed from the C&C portal. I say “may” because the large botnet herder may not bother removing them from the count (It’s only a counter after all), or that he still keeps a backdoor open to bots that have already been sold off.
  3. In most cases, to gain access to the C&C portal, you need to supply login credentials. Depending upon which country you happen to be living in, accessing the C&C portal without permission may constitute a legal offense – and be subject to jail time. Just because the bad-guys were operating a botnet doesn't mean that the good guys are allowed to break in to their systems – sorry, but it's true whether we like it or not. Some may argue that the good-guys are just breaking in to a system owned by the bad-guys, so that's fair game. Unfortunately, there's no guarantee that the C&C server is actually running on a host that the bad-guys own – in fact there's a higher probability that it's running on a server they've p0wned (i.e. it's another victim's computer). Therefore, by proceeding with an unauthorized access to the previously-compromised computer, the good-guys could be prosecuted by the real owner of the system… and things can get really ugly if that host also has important/confidential files on it belonging to the host owner.
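To make points 1a–1d concrete, here is an added example (not code from the original post or from Finjan's write-up) that replays a constructed stream of bot registration events and puts the portal-style counter next to the figures an analyst would actually want. The inflated counter seed, the per-event increment and the stable `host_fp` machine fingerprint are all assumptions for the sake of illustration.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# One registration event as a C&C back end might log it. host_fp is an assumed
# stable machine fingerprint (e.g. derived from hardware identifiers the bot
# reports); bot_id is the per-install identifier a fresh infection generates.
Registration = namedtuple("Registration", "ts bot_id host_fp ip")

# Constructed sample data, not records from any real portal.
SAMPLE = [
    Registration(datetime(2009, 1, 10), "b001", "fp-A", "10.0.0.5"),
    Registration(datetime(2009, 1, 12), "b002", "fp-B", "10.0.0.9"),
    Registration(datetime(2009, 2, 3),  "b003", "fp-A", "10.0.0.5"),   # host A reinfected: new install id (1c)
    Registration(datetime(2009, 2, 20), "b003", "fp-A", "10.0.0.17"),  # same install, new DHCP lease (1d)
    Registration(datetime(2009, 3, 1),  "b004", "fp-C", "10.0.0.9"),   # new host on B's old address (1d)
    Registration(datetime(2009, 3, 20), "b002", "fp-B", "10.0.0.21"),  # host B re-registers after lease change
    Registration(datetime(2009, 4, 15), "b005", "fp-D", "10.0.0.33"),
]

def portal_counter(regs, start=10000):
    """What the portal's 'total' shows: a counter seeded at an inflated
    starting value (1b) and bumped once per registration event (assumed)."""
    return start + len(regs)

def unique_by(regs, field):
    """Distinct values of one field across all registrations."""
    return len({getattr(r, field) for r in regs})

def active_hosts(regs, as_of, window_days=30):
    """Distinct machines seen within the window ending at as_of; hosts that
    were remediated or otherwise went quiet (1a) drop out of this figure."""
    last_seen = {}
    for r in regs:
        last_seen[r.host_fp] = max(last_seen.get(r.host_fp, r.ts), r.ts)
    cutoff = as_of - timedelta(days=window_days)
    return sum(1 for ts in last_seen.values() if ts >= cutoff)

def size_estimates(regs, as_of):
    """Side-by-side figures for the same event stream."""
    return {
        "portal_counter": portal_counter(regs),
        "unique_install_ids": unique_by(regs, "bot_id"),
        "unique_ips": unique_by(regs, "ip"),
        "unique_hosts": unique_by(regs, "host_fp"),
        "active_hosts_30d": active_hosts(regs, as_of),
    }

if __name__ == "__main__":
    for name, value in size_estimates(SAMPLE, datetime(2009, 4, 15)).items():
        print(f"{name:>20}: {value}")
```

On the sample, the portal shows 10007 while only four distinct machines ever registered and only two were seen in the last 30 days; IP-based deduplication gives a third, different answer because of the lease changes.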

One last observation about this type of botnet C&C discussion - you'll note that there are multiple malware samples associated with the botnet. This is a common modus operandi as botnet herders use their C&C channel to force down new malware packages to be installed – often from various organized cyber-crime malware distribution gangs – for a fee (this is part of the money making process) – and the infected host may subsequently be remotely controllable by a whole bundle of different botnet operators. As a consequence of this multiple-install process, the infected host is effectively "sub-leased" by multiple tenants – and disagreements can often result in mini-battles as the various botnet herders try to wrestle ultimate control of the host away from the other operators. There's no trust amongst criminals.
