Botnets getting harder to kill

In their current form, botnets are bad enough, but they are quickly evolving into a much tougher species to kill, according to security researchers.

At a conference last week called HotBots, in Cambridge, Massachusetts - the first Usenix conference devoted to botnets - researchers from three US institutions last week presented a paper highlighting the recent evolution of peer-to-peer botnets.

The paper, "Peer-to-Peer Botnets: Overview and Case Study," was written by Julian Grizzard of The Johns Hopkins University Applied Physics Laboratory, Vikram Sharma, Chris Nunnery and Brent ByungHoon Kang of the University of North Carolina at Charlotte, and David Dagon of the Georgia Institute of Technology.

Currently, most botnets use a centralised command-and-control structure based on IRC, partly because there is such a deep existing body of knowledge and code base around the technology. But their centralised structure makes them relatively easy to shut down - a fact that hasn't stopped crooks from using them to take over large portions of the Internet.

Peer-to-peer (P2P) botnets are another matter. Taking their inspiration and underlying technology from the same P2P networks used to exchange files, they have no centralised control point, making them much harder to detect and shut down, the researchers said.

These botnets are an emerging phenomenon, but have already made a big impact. For their case study the researchers chose the botnet implanted by the Storm worm, called Trojan.Peacomm. Trojan.Peacomm first made an impact in January, but also had a major re-emergence last week.

IRC bots go back to 1993 in the case of the benevolent EggDrop bot, and 1998 in the case of GTbot and its variants, one of the first malicious botnets, the researchers said.

A turning point came in 2002 with the first Agobot variants. "Agobot variants are possibly one of the most widespread bots due to its well designed and modular code base," the researchers wrote. "In our opinion, Agobot marks a turning point in which botnets have become a more significant threat."

Gnutella emerged as the first fully decentralised P2P protocol in 2000, and several other such protocols have been developed since then. Trojan.Peacomm uses the Overnet network, which implements the Kademlia algorithm.

Overnet was originally set up to service file-sharing clients such as eDonkey 2000, and while Overnet's own resources were shut down in late 2006 as a result of legal actions, Overnet clients, being completely decentralised, can still function.

Trojan.Peacomm is distributed through email worms, and once installed, goes through a bootstrap process to become part of the Overnet network. To do this the client uses a list that appears to be Overnet nodes likely to be online.

This could be one centralised way of stopping the node from activating, the researchers noted, but since the list includes 146 nodes it could be difficult to ensure all of them are offline.

The node then uses pre-set keys to search for and download a value from the Overnet network. The value is an encrypted URL which points to the location of more files that can be downloaded, fully setting up the node with communications and attack tools.

How to counteract this sort of system? That is proving to be highly difficult so far, the researchers said.

Besides use of the bootstrap list of nodes, the researchers are studying the use of index poisoning as a way of attacking P2P botnets. Index poisoning was first mooted as a way of stopping exchange of copyrighted files, but that isn't its only use, the researchers said.

"Index poisoning could be used in order to slow the infection rate of the bot or possibly to measure the number of bots infected," they wrote.