By Kim S. Nash

In moments, hackers with bot code can break into vulnerable computers, turn them into zombies, steal information and spread the infection. While you scramble to secure your network--and the vital data on it--botmasters sell access to your hacked machines

What Bad Bots Do

Bots aren't always bad. Using C++, Assembler or other low-level languages that produce compact code, a programmer can create a bot to do mundane tasks online—maybe check stock quotes or compare prices at e-commerce sites. Search company Google uses its Googlebot, for example, to collect and index documents on the Web.

In the hands of hackers, however, bots make trouble.

Ancheta, who an uncle and cousin say is self-taught on computers, didn't write his own bot code from scratch. According to his plea, he modified Rxbot, a bot strain well known among hackers and available for download at several Web sites. Most botmasters, in fact, rely on pre-written code refined over time by other hackers, says Dmitri Alperovitch, a research scientist at CipherTrust.

This is akin to how the legitimate open-source community works, Alperovitch says, where many people pool knowledge to improve a product, "but [it's] not as public."

Stealing another page from the mainstream computing world, botmasters prefer modular systems, where instructions for different tasks can be plugged into or removed from bot code depending on what the user wants to do with it. "He might want to harvest CD keys or e-mail addresses, take information from the software registry or find code for doing denial-of-service," Alperovitch explains. The bot code can install other software that records keystrokes or finds these pieces of information itself, he says: "All these are pluggable modules."

To his version of Rxbot, Ancheta added instructions to seek out computers with a specific weakness, according to the plea. Rxbot can be tweaked to exploit several unpatched Windows vulnerabilities, including the flaw in LSASS.

LSASS, the Local Security Authority Subsystem Service, should itself be a crucial safeguard: it was built to handle local security and authentication, so people without passwords can't log on to individual PCs. But as Microsoft revealed in an April 2004 security bulletin labeled "critical," LSASS suffers from a buffer overflow problem that, if left unpatched, opens any computer running Windows XP or Windows 2000 to hijack.

A hacker "could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges," the bulletin warned.

A buffer is a limited amount of memory allocated to a certain task. Software creates buffers to hold data the program might need later. If you can fool the program you're targeting into overflowing that region, it's possible to inject malicious programming instructions into the machine's memory. A hacker attacking LSASS can flood its buffer with hundreds of lines of nonsense text laced with real programming instructions telling the system to do what he wants. In this case, he'd want to be authenticated as a valid user.

The garbage text crashes LSASS but leaves the instructions in memory for the computer to execute like any other execution request, such as booting up or opening a file.

As recently as last November, 19 months after Microsoft put out its initial patch, the LSASS buffer overflow was the most exploited vulnerability in networks facing the outside world, according to Qualys, a security company in Redwood Shores, Calif. Qualys studies computers at 2 million IP addresses worldwide and manages security problems for customers such as DuPont, Hershey and eBay.

Stephen Toulouse, a security program manager at Microsoft, contends that the issue isn't technical error anymore—patches exist—but a human one. "This speaks more to the importance of making sure software is up to date," Toulouse says. "Criminals will look at even the oldest of vulnerabilities and try it."

Once Ancheta's bot infiltrated an exploitable computer, the code instructed the computer to connect to a private IRC channel he had created to direct his zombie computers, according to his plea. The password to the channel was embedded in the bot code. He "owned" these machines, in hacker lingo.

Typically, Ancheta would send over IRC a command code for the activity he wanted the bot to perform—open a certain port and start sending spam, or continue scanning a range of Internet Protocol addresses for PCs with particular software flaws, for example. At any given time, several dozen to several thousand bots would go to this spot looking for instructions.
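The command channel described above leaves a footprint a defender can look for: an internal host that keeps opening connections to an IRC server and speaks IRC protocol verbs (NICK, JOIN, PRIVMSG) on a fixed schedule while waiting for instructions. The following is an added example, not code from the article or from anyone it describes, that runs that check over outbound connection logs. The log format, the sample lines, the IRC port range and the beacon tolerance are all constructed assumptions for this example.

```python
"""Flag internal hosts whose outbound traffic looks like bot-to-IRC command and control.

Added example (not from the article). Assumes a constructed log format:
    <ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> [<first bytes of payload>]
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one workstation polls an IRC server every five minutes,
# one other host joins it, and two hosts do ordinary web traffic.
SAMPLE_LOG = """\
2006-03-10T09:00:01 10.0.1.15 -> 203.0.113.9:6667 [NICK zombie-1a2b]
2006-03-10T09:00:01 10.0.1.15 -> 203.0.113.9:6667 [JOIN #cmd secretpass]
2006-03-10T09:00:03 10.0.1.22 -> 198.51.100.7:80 [GET /index.html HTTP/1.1]
2006-03-10T09:05:01 10.0.1.15 -> 203.0.113.9:6667 [PRIVMSG #cmd :update]
2006-03-10T09:10:01 10.0.1.15 -> 203.0.113.9:6667 [PING :srv]
2006-03-10T09:11:40 10.0.1.40 -> 198.51.100.7:443 [TLS ClientHello]
2006-03-10T09:15:01 10.0.1.15 -> 203.0.113.9:6667 [PING :srv]
2006-03-10T09:20:02 10.0.1.33 -> 203.0.113.9:6667 [NICK zombie-9f3e]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) \[(?P<payload>.*)\]$"
)
IRC_PORTS = set(range(6660, 7001)) | {194}        # assumption: classic IRC port range
IRC_VERBS = {"NICK", "USER", "JOIN", "PRIVMSG", "PING", "PONG", "MODE", "TOPIC"}
BEACON_TOLERANCE_SEC = 30                          # assumption: allowed jitter between polls


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["port"] = int(rec["port"])
    rec["verb"] = rec["payload"].split(" ", 1)[0] if rec["payload"] else ""
    return rec


def is_periodic(timestamps):
    """True when gaps between successive connections are nearly constant (a polling bot)."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    gaps = [g for g in gaps if g > 0]  # messages within one session share a timestamp
    if len(gaps) < 2:
        return False
    return max(gaps) - min(gaps) <= BEACON_TOLERANCE_SEC


def analyze(log_text):
    """Group IRC-looking connections by source host and summarise them."""
    per_host = defaultdict(lambda: {"events": [], "verbs": set(), "servers": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        on_irc_port = rec["port"] in IRC_PORTS
        irc_verb = rec["verb"] in IRC_VERBS
        if not (on_irc_port or irc_verb):
            continue  # ordinary web traffic, ignore
        h = per_host[rec["src"]]
        h["events"].append(rec["ts"])
        h["servers"].add(f'{rec["dst"]}:{rec["port"]}')
        if irc_verb:
            h["verbs"].add(rec["verb"])
    return {
        host: {
            "connections": len(h["events"]),
            "verbs": sorted(h["verbs"]),
            "servers": sorted(h["servers"]),
            "periodic": is_periodic(h["events"]),
        }
        for host, h in per_host.items()
    }


def flagged_hosts(findings):
    """Return (host, reasons) pairs for hosts worth a closer look."""
    out = []
    for host, f in sorted(findings.items()):
        reasons = []
        if f["verbs"]:
            reasons.append("irc-protocol:" + ",".join(f["verbs"]))
        if f["periodic"]:
            reasons.append("periodic-beacon")
        if reasons:
            out.append((host, reasons))
    return out


if __name__ == "__main__":
    for host, reasons in flagged_hosts(analyze(SAMPLE_LOG)):
        print(host, " ".join(reasons))
```

On the sample log this flags 10.0.1.15 for both the IRC verbs and the steady five-minute polling, and 10.0.1.33 for the IRC handshake alone. The two signals are deliberately separate: a host that merely uses IRC is not necessarily infected, so the verb match is a triage hint, while the periodic beacon to the same server is the stronger indicator of a bot waiting for commands.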

Newer bot attacks are even more insidious, says Gary McGraw, chief technology officer at Cigital, a software quality consultancy in Dulles, Va., and author of the book Software Security. Bots can now come as rootkits—code that embeds itself into the operating system and can modify key functions performed by the system.

In a setup like Ancheta's, the bot program is visible, at least to a technology professional who knows where to look. It sits in an area on the operating system known as the user space, along with common applications like Web browsers and word processors.

But when a bot is coded as a rootkit, the bot inserts itself into what is called the kernel space, close to a computer's core operating system. The kernel is where behind-the-scenes programs such as network drivers communicate with the operating system or access the computer's hardware. Because a rootkit can modify key functions performed by the operating system, it can conceal the bot code.

For example, if antivirus software requests from the operating system access to a particular memory location to check it for malicious code, the rootkit can intercept the request and provide the security software with fake data saying, in essence, that everything is OK.

Bots that "can't be seen" by current antivirus software, McGraw says, can live longer on an infected system.

Worse, a highly skilled botmaster can use a rootkit to insert a bot into a computer's hardware, McGraw says. Specifically, the Erasable Programmable Read-Only Memory chip in every computer, which holds data when the power is turned off, can be violated, in a technique called "flashing the EPROM." If the computer survives this procedure, it becomes permanently infected.

Yet the simplest means of infiltrating a corporate network is still to supplement bug exploits with trickery, says a person interviewed by Baseline who claims to be SoBe, Ancheta's accomplice in Boca Raton, Fla. That is, getting people like the one at Auburn University to click on a link.

For example, according to SoBe, an employee may take his laptop home to browse the Web over a weekend. He doesn't know it, but bot code rides into his system when he downloads a freeware application for, say, tracking local weather. Also unknown to him is the fact that the botmaster then uploaded a virus that will spam an instant message to the employee's buddy list when he plugs into the corporate network on Monday. The message might read, "Hey, check out my new pictures," and give a hyperlink that, when clicked, sets off a bot.

Since the note is from a friend, many of the people receiving it will indeed click, thereby infecting themselves and growing the botnet.

Such social engineering, say security experts, is highly effective and growing. "It happens all the time with very annoying frequency," says TransUnion chief security officer Lines.

SoBe agrees. "Basically, some of these spamming methods rely on friendship," he says. "You don't use an exploit to infect people, you use their stupidity."

This article was originally published on 2006-04-06
Senior Writer
Kim has covered the business of technology for 14 years, doing investigative work and writing about legal issues in the industry, including Microsoft Corp.'s antitrust trial. She has won numerous awards and has a B.S. degree in journalism from Boston University.