Saturday, February 6, 2010

A sensation of wonder about technological developments

Putting aside hype and advertising, every piece of news we get about new developments usually plays on our sense of wonder. It's common to admire the way someone solved what was previously a limitation. The funny thing is that this can be true even when we are faced with things we normally consider evil, because we can see that the application of the technology is different from the way it was used before.

This happened to me while researching data about how to detect if your computers are members of botnets. I came upon a series of data that appears to be a timeline of bot control methods, and I can say it is great to see how the apparent generations work. Let me tell you a little story about it.

In the beginning, we had direct control. One user infected specific computers and sent direct commands to them. Direct control has an obvious limit on how many computers it can handle: the user. As each computer has to be given a command individually, it becomes difficult to control large groups. Here automation comes to the rescue. By scripting, the user could now control a great number of computers, but only if all of them did the same thing at the same time, in the same way every time.

It was then time for a new innovation: cascade control. With cascade control, a user needs to control only the primary nodes (infected computers). A second group of nodes (also infected computers) receives its orders from the first-tier nodes, and so on through the different node levels. This method is great for controlling several groups that each do a different thing, but it introduced a pair of new problems: detection and feedback. A cascading user generally has feedback from the first-tier computers, but usually lacks that same feedback from the second tier and beyond. This means that he could be trying to control a healed computer without knowing it, and if that computer is being actively monitored after the healing, it could be dangerous for him.

Thus, to enhance feedback and avoid detection, a simple method was devised. Every infected computer had a mini ICQ client inside the infected programs, complete with a username and password, different for each bot. So, upon connecting to the Internet, the bot logs onto ICQ and waits. When the attacker decides to launch an attack, he simply logs in with an ICQ account that has all the rest registered as friends. Now he can write messages to groups of users, and everyone gets the same message, which contains a command, and can answer back. This solved several problems: now the infected machines are the ones that report back, even before starting any attack, and only the infected ones connect. But, of course, the number of friends you could message at the same time was low, which led to a different but similar method of control.

It was time to go for an old protocol. By setting up a channel on an IRC server, the user can now see which bots connect with their built-in IRC clients. IRC supports truly massive plain-text messaging, so it seems like a match made in hell. Now the attacker can issue a single command and be heard by hundreds of infected nodes. Logically, feedback now becomes burdensome, as hundreds of users talking back at the same time can be a little too much. But not every command needed feedback, as infected nodes can declare their presence simply by connecting to the chat room. When IRC sites began to be policed to prevent this, it was time to move on, and they did.

The next target was a completely unsuspecting one. Now it was time to evolve into social networks. The target was Twitter. With a simple sub-140-character command, a user can make the Twitter servers relay this command to all his friends. If all his friends are bots with Twitter clients and accounts, we have a new evolution. This time it gives up some feedback and some control over timing (as the delay introduced by the Twitter servers is unknown and variable), but it gains a simply astoundingly massive control method.

So, after all this reading, one thing becomes clear: knowing where our computers are connecting to can make the difference in detecting infections. Later developments seem to favor built-in messaging clients with login data. This means that those bots connect as soon as we connect the computer, even when they are not part of any attack, and then simply wait forever, making it easy to spot them with any port scanner.
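One way to act on this, as an added example that is not part of the original post: the script below reads connection listings in `netstat -an` layout and reports established outbound connections to the ports conventionally used by IRC and ICQ. The port lists, the function names and the sample listing are assumptions constructed for the illustration.

```python
# Added example: flag established outbound connections to chat-service ports.
# Port lists are conventional defaults (an assumption); a bot may use others.
import re

CHAT_PORTS = {"IRC": set(range(6660, 6670)) | {6697}, "ICQ": {5190}}

# Constructed sample in `netstat -an` layout (documentation address ranges).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:49512        198.51.100.7:6667       ESTABLISHED
tcp        0      0 192.0.2.10:49513        203.0.113.20:443        ESTABLISHED
tcp        0      0 192.0.2.10:49514        198.51.100.9:5190       ESTABLISHED
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:6697         203.0.113.50:51000      ESTABLISHED
tcp        0      0 192.0.2.10:49520        198.51.100.7:6697       TIME_WAIT
"""

LINE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")

def classify(port):
    """Return the chat service a remote port conventionally belongs to."""
    for service, ports in CHAT_PORTS.items():
        if port in ports:
            return service
    return None

def find_chat_connections(netstat_text):
    """List (service, remote_ip, remote_port) for live client connections."""
    hits = []
    for line in netstat_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # header, UDP, or LISTEN rows whose remote port is '*'
        _, _local_ip, _local_port, remote_ip, remote_port, state = m.groups()
        if state != "ESTABLISHED":
            continue  # only connections that are open and waiting right now
        service = classify(int(remote_port))
        if service:  # the remote side is the chat server, so we are the client
            hits.append((service, remote_ip, int(remote_port)))
    return hits

if __name__ == "__main__":
    for hit in find_chat_connections(SAMPLE):
        print("%s client connection to %s:%d" % hit)
```

A hit on a machine where nobody runs a chat client is the idle, always-logged-in behaviour described above. Twitter-based control travels over ordinary web ports, so a port check like this one does not see it.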
