The Root of the Botnet Epidemic

Over the course of a few days in February 2000, a lone hacker was able to bring some of the Web’s larger sites to their knees, using just a few dozen machines and some relatively primitive software to cripple Yahoo, eBay, E*trade, Amazon, ZDnet and others for hours at a time. No one knew it at the time, but these attacks would come to be seen in later years as some of the earlier outbreaks of what has become a massive online pandemic.

Jose Nazario on Botnets and the History of DDoS Attacks

Dennis Fisher talks with Jose Nazario of Arbor Networks about the Mafiaboy attacks, the history of DDoS attacks and the botnet epidemic.



The attacks themselves were nothing fancy. The hacker, who would later be identified as a 15-year-old boy from Montreal named Michael Calce, used a DDoS tool called Mstream to instruct a small army of machines he had previously compromised to send huge amounts of junk data at the remote Web servers he was targeting. But the technique was brutally effective: Yahoo, then the dominant search provider and portal site, was knocked offline for about two hours after receiving more than a gigabit of data per second from Calce’s bots.

CNN, ZDnet, Dell.com, eBay and other sites experienced similar floods, each with a varying degree of success. Initial speculation in the security and law enforcement community centered on sophisticated hackers, maybe a foreign group trying to prove a point about American capitalism, or a foreign intelligence service probing the country’s networks for soft spots.

Instead, U.S. and Canadian authorities eventually traced the attacks to Calce, a high school student who used the handle Mafiaboy and had gotten the DDoS program from an online acquaintance. Calce bragged about the attacks in an IRC channel, and authorities later found that he needed fewer than 80 compromised PCs, many of them in university networks, to take down some of the Internet’s busier sites.

Threatpost editor Dennis Fisher talks about the roots of the botnet problem and how it evolved into one of the larger threats on the Web.

These attacks were seen as a novelty, a sort of interesting exercise that pointed out the security weaknesses of the sites and served as a minor wake-up call for site owners about the dangers of doing business online. The term botnet had not yet gained any currency, and few people, even inside the security research community, had any concept that these networks of compromised machines would turn out to be the single largest security threat of the decade.

Now, nearly 10 years after those attacks, botnets are not just weapons of mass disruption for hacktivists and bored script kiddies, but serve as the foundation for the worldwide cybercrime underground and are at the heart of the massive rise in malware in recent years as well as the wave of SQL injections attacks against legitimate Web sites.

“It’s a huge, huge problem and it’s one that has a lot of different components,” said Joe Stewart, senior security researcher at SecureWorks, and an authority on botnets and online crime. “There’s plenty more going on than just SQL injection and DDoS attacks that people just don’t know about.”

How did it come to this?

There are no definitive numbers on how large the botnet problem is, but experts say the number of infected PCs is in the tens of millions at any given time. Many of those machines belong to home users with relatively fast broadband connections and little or no knowledge of the security threats that lie in wait all over the Web. These PCs are easy prey for attackers. But this wasn’t always the case.

In the early days of the botnet problem, attackers most often targeted PCs inside corporate or university networks, which had the high-speed connections and powerful machines hackers needed for DDoS attacks. Universities, by necessity, also had open networks that afforded attackers more ways in and gave them easy avenues for privilege escalation and the ability to hop from one machine to the next, planting attack software at each step along the way.

“Red Hat [Linux] was the flavor of the month back then. You had all of these scripts you could use to get into their machines,” said Jose Nazario, senior security researcher at Arbor Networks, one of the top botnet researchers in the world. “These guys were really close to writing worms with some of this stuff because they would do automated scanning and installs and self-replication. That’s when it started to get really interesting.”

The tools of choice for this early crew of attackers comprised a small group of programs designed specifically to execute DDoS attacks against a single target: Mstream, Trinoo, Tribe Flood Network, Shaft and Stacheldraht. For the most part, these were designed to run on Unix-based systems that had already been compromised through some other exploit.

The initial infections often were accomplished through the use of vulnerabilities in one of the various remote services often left running on these machines, such as RPC or FTP.

From there, the attacks followed a fairly standard script. A hacker would use a stolen account on a university or corporate network as a drop zone for attack tools, stolen credentials for other machines on the network, lists of other compromised accounts, and lists of machines on the network to be scanned. The attacker would then scan the network looking for other machines with exploitable vulnerabilities, compromise those computers and plant a copy of the pre-compiled DDoS tool on each of them.

In an analysis of Trinoo done in 1999, Dave Dittrich, a researcher at the University of Washington, found that attackers often went out of their way to hide the existence of a bot infection on a machine. In some cases, he found, hackers would plant a rootkit on a compromised computer, especially if that machine was serving as a master directing traffic for other bots, to disguise the infection. He also found a more insidious method of avoiding detection.

“It should be noted that in many cases, masters have been set up on Internet Service Providers’ primary name server hosts, which would normally have extremely high packet traffic and large numbers of TCP and UDP connections, which would effectively hide any trinoo related traffic or activity, and would likely not be detected. The fact that these are primary name servers would also tend to make the owners less likely to take the system off the Internet when reports begin to come in about suspected denial of service related activity,” Dittrich wrote.
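The hiding trick Dittrich describes defeats any detection that keys on traffic volume, because a busy name server's baseline swamps a few kilobytes of control traffic. The following is an added example, not code from the article or from Dittrich's analysis: it runs a volume ranking and a port-based check over constructed flow records and shows that only the latter surfaces the master on the name server. The control-channel ports are the ones documented in Dittrich's published trinoo analysis; the hostnames, addresses and byte counts are made up.

```python
"""Constructed example: a trinoo master on a busy name server is
invisible to volume-based anomaly detection but not to a check that
looks at the control channels themselves."""
from collections import defaultdict

# trinoo control channels as documented in Dittrich's 1999 analysis
TRINOO_PORTS = {
    ("tcp", 27665): "attacker -> master",
    ("udp", 27444): "master -> daemon",
    ("udp", 31335): "daemon -> master",
}

# Constructed flow records: (src, dst, proto, dst_port, bytes).
# ns1 plays the ISP's primary name server; all values are made up.
FLOWS = [
    ("10.9.0.5", "ns1.example.net", "udp", 53, 480_000_000),  # normal DNS load
    ("10.9.0.6", "ns1.example.net", "udp", 53, 420_000_000),
    ("10.1.1.20", "ns1.example.net", "tcp", 27665, 900),      # attacker -> master
    ("ns1.example.net", "10.2.2.2", "udp", 27444, 300),       # master -> daemon
    ("10.2.2.2", "ns1.example.net", "udp", 31335, 200),       # daemon -> master
    ("10.9.0.5", "www.example.net", "tcp", 80, 5_000_000),
    ("10.9.0.7", "mail.example.net", "tcp", 25, 3_000_000),
]

def bytes_per_host(flows):
    """Total bytes per host: what a volume baseline ranks on. The name
    server tops the list with or without the control traffic."""
    totals = defaultdict(int)
    for src, dst, _proto, _port, nbytes in flows:
        totals[src] += nbytes
        totals[dst] += nbytes
    return dict(totals)

def control_traffic_share(flows, host):
    """Fraction of `host`'s bytes on trinoo control channels: far below
    any volume threshold on the name server, 100% on the quiet daemon."""
    total = control = 0
    for src, dst, proto, port, nbytes in flows:
        if host in (src, dst):
            total += nbytes
            if (proto, port) in TRINOO_PORTS:
                control += nbytes
    return control / total if total else 0.0

def control_channel_hits(flows):
    """Flag every flow on a trinoo control channel, busy host or not."""
    return [(src, dst, TRINOO_PORTS[(proto, port)])
            for src, dst, proto, port, _ in flows
            if (proto, port) in TRINOO_PORTS]

if __name__ == "__main__":
    print(max(bytes_per_host(FLOWS).items(), key=lambda kv: kv[1]))
    print(control_traffic_share(FLOWS, "ns1.example.net"))
    print(control_channel_hits(FLOWS))
```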

This pattern was repeated over and over, all over the Internet, creating small, privately owned networks of attacker-controlled machines that could be called upon at any time. And that’s exactly what happened.

Within a few months of the attacks on CNN, eBay and the other sites, DDoS attacks had become a serious problem on the Internet. Hackers of all abilities, and with every conceivable motivation, were joining IRC channels, buying (or downloading) attack software and going on their merry way.

“That really kicked off a gold rush in this space,” Nazario said. “Within a year, everyone and their brother had a botnet. Guys that couldn’t even spell IRC, let alone use IRC, had botnets. These were young guys who had grown up on IM and had no idea what they were doing on IRC. But they hear that some idiot can do this, so they think, so can I. That led to this huge land rush. Everyone sees this wide open space and all of a sudden there’s pressure for easier-to-use botnets, and then things just went from there.”

The next logical step was the creation of user-friendly attack tools, and there were plenty of programmers out there willing to oblige.

“Very quickly, we started seeing attack programs that had a Windows UI, they were point-and-click and people could get whatever options they wanted,” Nazario said. “They could say, I’d like this and this module, please encrypt it, include anti-analysis tricks, and then click compile and they’d be done.”

That land rush that began in 2000 following Calce’s attacks has only gained momentum since, and shows no signs of slowing down. DDoS attacks have been a constant threat for the last 10 years and innovations in attack software and techniques will likely keep that trend going.

“These DDoS attacks still work, and they will for a long period of time, as long as there’s a disparity between what the attackers have available and what we have,” Nazario said.

This is the first in a series of occasional stories examining the roots, growth and effects of the botnet epidemic.

Discussion

  • Doug on

    It's curious that you managed to not mention that the vast majority of the botnet client machines run on Microsoft Windows ..

  • Saleh Alsanad on

    There's no solution to Botnets problem but to track and shut them down.

    It's like a cat and mouse game.

  • Doug on

    "There's no solution to Botnets problem but to track and shut them down"


    Designing a desktop computer that can't be compromised by clicking on a URL or opening an email attachment would go a long way, else do your browsing/e-commerce from a bootable CD ..

  • Dennis Fisher on

    Not at all. This story was about the beginning of the botnet problem and what caused it. 10-12 years ago, virtually all of the bots were on Unix machines. Windows PCs obviously are the problem now, and I'll be writing about that in two follow-up stories in the next couple of weeks.

  • Tom Caldwell on

    Correct, the majority of botnets do run on a version of Windows; however, we have detected spam-sending botnets in the last 12 months on the Linux kernel and on the iPhone, which, if I'm not mistaken, includes a Unix base.

    I'd look for greater trends coming based on market share: where the iPhone is pretty well "locked down" it will still be a target, as will all mobility with speed increases and lack of security layers on the phones.  In summary, a well-written bot does not discriminate based on OS, as it's a complex backdoor with encryption and an SMTP engine, all platform agnostic.

    Nice article and research...

    Tom

  • Anonymous on

    DDoS is not a big problem. No matter how many hosts you have, it's possible to find a defence. Besides, it's like (for instance) shoes getting worn: nobody likes it, but it works for the economy and creates workplaces. There is a need for faster bandwidth and CPUs because of servers being (over)loaded.

  • JollyRoger on

    80% of the world is using a Windows based computer (I’m not), but pointing a finger at a single operating system does nothing to encourage a global OS change.  It is like saying a gasoline engine is the issue with Global Warming and expecting people to use a bicycle.

    Educating the masses about anti-virus/spam/malware/bots/etc. is a better answer.  If some fool decides not to use anti-everything protection, then the fool is part of the problem.  If I don't wear my safety belt in my car, I get a ticket.  Let us not only subject the hacker to criminal proceedings, let us have a monetary fine for the users that do not have even the basic protection on their machines.


  • J. Merrill on

    It's a shame that it's a criminal offense for an ISP to do anything to the compromised machines belonging to its customers.  They can't even put a warning that the machine is infected on it -- and users who respond to any kind of "your machine is infected" popup are part of the problem!

    The only thing they could do that would be effective is to tell them (perhaps via email) to call the ISP -- but that'd just be a cost for the ISP, and they have a negative incentive to avoid incurring that support cost.  If the world could cloud-source a phone bank of people who could help users disinfect their machines, maybe we'd have a chance of getting the ISPs to do the work to email the infected customers something with the disinfectant-assistance phone number.

    Not likely, sigh.

  • Dennis Fisher on

    The way it works now is that the security community (vendors, researchers, etc.) notify the ISPs that are seen to be hosting C&C servers, and get them taken down. There's essentially no effective or practical way to eliminate the individual bots on a large scale. Most of the infected users have no idea their machines are owned.

  • Paul B on

    Denial of service type attacks are a concern, but I haven't seen one that has caused long-term damage, due to the nature of the attack.  Although annoying, and dangerous to your company's reputation, they are mostly just that.

    One thing we haven't seen (yet) is this type of an attack against antivirus update sites (to my knowledge).  Imagine a malware that is set to launch at a specific point, and antivirus sites across the globe are scrambling to provide a timely solution, but their clientele are unable to receive that update for the critical hours it takes to become infected...  Regardless of what the payload of the virus/malware does, this vulnerability needs to be addressed.

    I think that some type of torrent is the solution for this, since instead of a few dozen update sites, your update site is made up of dozens if not hundreds of torrents, but DON'T locate them on client machines.  Instead, lease bandwidth on a hundred sites, allowing your customers to receive lightning fast updates, and effectively preventing this type of attack.

    Another fear I have is what I would call a rolling blackout type of attack, where the client computer is turned into a bot/zombie and propagates the virus/malware onto the next machine, then once a certain number of computers have been communicated with, it resets the host/client PC, and deletes a key file, such as NTLDR on XP.  Computers across the web would go down, even if the repair was simple enough, and be effectively unusable until repairs could be enacted.  Entire companies, universities, hospitals, and small businesses would be crippled for critical hours, days and weeks as repairs were enacted.  Another simple glitch would be just to do a bit flip on the registry key that tells Windows it is activated, and force hundreds of thousands of computers to be reactivated.  It would force Microsoft to increase their bandwidth or face a type of flood attack, and thousands upon thousands of computers would be unusable until they were reactivated.  Nasty stuff, but we need to realize this is where these types of attacks could head.

  • Anonymous on

    Trying to fight malware with "anti-virus" software is a pathetic wild goose chase, and a delusion. A better designed OS (not windows) would do more in easing the problem than any other silly game tactic told by some four-eyed lackey assface pseudo-lawyer.


