Botnet study: bots spread through old loopholes
The University of Mannheim and Beijing University have published a report on IRC-based botnets plus a report on malicious websites on the Chinese internet. The botnet report summarizes the results of a year's observation of malware and bots with the aid of 17 honeypot sensors in different parts of China. The researchers used tools they had written themselves to probe the activities of nearly 3,300 botnets controlled via IRC servers.
The most common bot, accounting for approximately 26 per cent of the total, was from the Rbot family; 16 per cent were from the Virut family and 8 per cent from the SdBot family. Although these bots use IRC to communicate with their Command and Control (C&C) servers, only 36 per cent of the discovered botnets use the standard IRC port 6667. It is assumed that the botherders are using alternative ports in an attempt to make detection of their botnets more difficult. The authors of the study also found that the majority (60 per cent) of botnets use the open-source Unreal IRC server.
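Because the port alone no longer identifies the C&C channel, a defender has to recognise the IRC protocol itself. The following added example (not code from the report or this article) checks captured TCP payloads for the IRC handshake (NICK plus USER) regardless of destination port and records any channels joined; the flow records are constructed samples.

```python
import re

# Constructed sample flows: (client_ip, dst_port, first payload bytes). Not from the report.
SAMPLE_FLOWS = [
    ("10.0.0.5", 6667, b"NICK bot|123\r\nUSER a b c :d\r\nJOIN #ctrl\r\n"),
    ("10.0.0.7", 8080, b"NICK [XP]0123\r\nUSER xp 0 0 :xp\r\nJOIN #x secret\r\n"),
    ("10.0.0.9", 8080, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    ("10.0.0.11", 443, b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26"),
]

# RFC 1459 line: optional ":prefix ", then a command (letters or 3-digit numeric), then params.
IRC_LINE = re.compile(rb"^(?::\S+ )?([A-Z]{3,}|\d{3})(?: ([^\r\n]*))?$")
HANDSHAKE = {b"NICK", b"USER"}


def parse_irc_lines(payload):
    """Return [(command, params)] for a payload, or [] if any non-empty line is not IRC-shaped."""
    parsed = []
    for line in payload.split(b"\r\n"):
        if not line:
            continue
        match = IRC_LINE.match(line)
        if not match:
            return []
        parsed.append((match.group(1), match.group(2) or b""))
    return parsed


def classify_flow(dst_port, payload):
    """Return a verdict dict if the payload carries an IRC client handshake, else None."""
    lines = parse_irc_lines(payload)
    commands = {cmd for cmd, _ in lines}
    if not HANDSHAKE.issubset(commands):
        return None
    # The first JOIN parameter is the channel; a second one is the channel key.
    channels = [params.split(b" ")[0] for cmd, params in lines if cmd == b"JOIN" and params]
    return {
        "verdict": "irc-standard-port" if dst_port == 6667 else "irc-nonstandard-port",
        "channels": channels,
    }


def find_irc_flows(flows):
    """Apply classify_flow to every (ip, port, payload) record and keep the hits."""
    hits = []
    for ip, port, payload in flows:
        result = classify_flow(port, payload)
        if result is not None:
            hits.append((ip, port, result["verdict"], result["channels"]))
    return hits


if __name__ == "__main__":
    for hit in find_irc_flows(SAMPLE_FLOWS):
        print(hit)
```

The HTTP and TLS flows on the same ports are not flagged because they never carry the NICK/USER pair, which is what distinguishes an IRC client from other text protocols.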
Although the honeynet team registered more than 1.5 million bots, the largest botnet only controlled just over 50,000 hosts. Because address-concealing mechanisms such as NAT hide the true number of infected machines, this can only be a rough estimate; compared with the nearly 1.3 million bots reportedly controlled by a hacker from New Zealand, it does not appear to be particularly large.
The report also analyses what the botnets are used for. Their most frequent activity, like that of their biological namesakes, is reproduction: they spread largely via very old Windows loopholes in the ASN.1 parser, DCOM and LSASS. The second most popular activity, according to the statistics, is DDoS attacks in various forms of SYN, TCP and UDP flooding. Information theft comes further down the list in fifth place, while the sending of spam emails does not appear on the list at all.
The second report looks at the underground economy on the Chinese internet and examines the trade in exploits, malware and stolen data. The researchers went in search of malicious websites and came to the conclusion that almost one site in seventy contained and distributed malware. The report is particularly interesting on the issue of the Great Firewall of China, which filters international traffic. Both reports, based on the activities of the partners in the honeypot project, are available for download in PDF format.
- Characterizing the IRC-based Botnet Phenomenon, a study by the University of Mannheim and Beijing University
- Studying Malicious Websites and the Underground Economy on the Chinese Web, a study by the University of Mannheim and Beijing University