Issue 2 – Mar 2010 | Page - 1

Issue 12 – Jan 2011 | Page - 2


JavaScript
Botnets
Heading 1
Anybody who has had even a slight brush
with the security industry would have heard
of Botnets atleast once. Botnets are a group
of computers compromised and controlled
by an attacker, these computers or zombies
would perform any actions that the attacker
commands them to do. Botnets are usually
created by compromising the victims'
systems with some remote code execution
exploits and then installing backdoors on
them. The attackers must have been
working on exploits for 0-days or newly
discovered vulnerabilities to be able to
infect more victims. Even then they are
usually restricted to only one platform
unless they have exploits and backdoors for
the different platforms out there.
There is another type of remote code
execution that is far more easier to perform
Issue 12 – Jan 2011 | Page - 3
- JavaScript in web pages. Executing
JavaScript in someone's system does not
require any 0-days or exploits but simply
requires the person to visit a website.
Moreover the same piece of JavaScript
would work across all OSs‘ and
platform(desktops, tablets, mobiles etc).
Every time a user clicks on a link he is giving
a remote website an opportunity to execute
code (JavaScript) on his machine. The
window of this opportunity is widened by
the concept of tabbed browsing. Most users
have multiple open tabs and most tabs
remain open throughout the browsing
session which could stretch for hours.
This enables an external entity to utilize the
user‘s processing power and bandwidth for
his malicious needs. Spammers, especially
on sites like Twitter, have been able to get
thousands of users to click on their links in
very short durations. But JavaScript is
believed to be handicapped due to
performance constraints and the
restrictions enforced by the browser‘s
sandbox. This however is a misconception
as JavaScript engines have become extremly

fast over the recent years. Moreover HTML5
introduces WebWorkers which is a
threading model for JavaScript. This lets
any website start a background JavaScript
thread unknown to the user and execute
code without slowing down or making the
browser unresponsive.
Creating a JavaScript Botnet:
A JavaScript botnet would include
thousands of systems that have the attacker
controlled page open on their browsers for
an extended duration allowing continued
execution of the attacker‘s JavaScript.
There are two phases in building such a
botnet:
1) Reaching out to victims
2) Extending execution lifetime
1) Reaching out to victims :
This involves getting the victim to visit an
attacker controlled website. This can be
done in a number of different ways:
1) Email spam
2) Trending topics on Twitter
3) Persistent XSS on popular websites,
forums etc
4) Search Engine Poisoning
5) Compromised websites
6) Abusing URL Shortners
These are methods used by current
JavaScript malware authors to attack
victims to their website and can draw
thousands of victms. While traditional
malware spreading website can be quickly
identified due to automated crawlers
looking for signatures of browser exploits,
JavaScript botnet payloads are less likely to
be identified since its regular JavaScript
working within the constraints of the
sandbox and does not perform any
exploitation against the browsers.
Issue 12 – Jan 2011 | Page - 4
2) Extending execution lifetime:
Once a victim visits the attacker controlled
page it is essential to keep this page open in
the victim‘s browser for as long as possible.
This can be done by using a combination of
Clickjacking and Tabnabbing.
When the page is loaded, it would contain
an invisible link with the target attribute set
to ‗_blank‘. This link is always placed under
the mouse pointer using the
‗document.onmousemove‘ event handler.
This way, when the victim clicks anywhere
on the page a new tab opens and grabs the
victim‘s attention. With multiple tabs open
the likelihood of the victim coming back to
the main tab and closing it is reduced.
To add to this effect Tabnabbing can be
used to refresh the page after the user leaves
it, to update the favicon and appearance to
seem similar to popular websites like
YouTube, Google or Facebook so that the
page blends in with the other tabs the victim
would usually have open. There is a working
demo[http://www.andlabs.org/hacks/xtend
_life.html] for this available on the Attack
and Defense Labs website.
JavaScript botnet activities:
JavaScript botnets can be used to perform
the same activities that are performed by
traditional botnets.
This article will discuss three such activities:
1) Application‐level DDoS attacks
2) Email Spam
3) Distributed password cracking
1) Application‐level DDoS attacks
DDoS attacks have been all over news in
recent time as activists belonging to either
side of the Wikileaks debate took out each
others websites. Firms like Mastercard and
Visa have suffered significant losses due to
this.

Application‐level DDoS attack is an effective
type of DDoS attack that has affected even
sites like Twitter. Usually these attacks
involve large number for HTTP requests to
specific sections of the website that could
potentially be resource intensive for the
server to process.
Background JavaScript threads that were
started using WebWorkers can send cross
domain XMLHttpRequests even though the
remote website does not support it. The
Cross Origin Request security restriction is
only on reading the response.
A website that does not support Cross
Origin requests will also process these
request thereby creating load on the server.
A simple request like
http://www.target.site/search_product.php
?product_id=% when sent in large numbers
can create serve performance issues on the
server.
A browser can send surprisingly large of
GET requests to a remote website using
COR from WebWorkers. During tests it was
found that around 10,000 requests/minute
can be sent from a single browser. With
even a very small botnet of just 600 zombies
we would be sending around 100,000
requests/sec, depending on the nature of
the page being requested this could be
enough to bring a website down.
After I wrote about DDoS attacks with COR
a very smart person[http://shellex.info]
showed me that similar numbers could also
be achieved by using the img tag to request
remote resources. Ben Schmidt has gone
one step further by creating a malcious URL
shortening service called
d0z.me[http://d0z.me/]. d0z.me seems to
work like any other URL shortening service
but it actually shows the destination page in
an iframe while perform DoS attacks on a
target website from the victim's browser. It
executes this so well that it is extremly
Issue 12 – Jan 2011 | Page - 5
unlikely that the user will even sense that he
is part of a DDoS attack.
2) Email Spam
Spam mails are largely sent using
open‐relay mail servers and botnet zombies.
Though it would not be possible to a regular
open‐relay mail server from JavaScript still
it would be possible to send such spam
mails through the web equivalent of
open‐relay mails servers.
Many websites have feedback sections
which ask the user to enter their name,
email ID, subject and feedback. Once these
are entered and the form is submitted, the
server would craft this in the form of an
email, with hard‐coded from and to mail
addresses and send it to the internal mail
server.
Poorly designed websites would contain the
from and to mail addresses in hidden form
fields on the browser and by overwriting
them to external addresses it should be
possible to send mails with spoofed
addresses if the company‘s mail server is
also configured to operate in an open‐relay
mode.
Since only GET requests can be sent
through COR, the feedback form should
either be sending all data in QueryString or
it should be differentiating between
QueryString and POST parameters.
Alternatively if it is JSP page then HTTP
Parameter Pollution can be used to submit
forms over GET.
3) Distributed password cracking
Password cracking has always been a task
assigned for programs written in native
code with performance enhancement by
writing some sections in Assembly. With its
relatively slower execution rate JavaScript
has never been considered for performing
such resource‐intensive tasks.
Things however have changed, JavaScript
engines in modern browser are becoming
 Issue 12 – Jan 2011 | Page - 6

increasingly fast and the concept of

WebWorkers allows creation of dedicated
background threads for the purpose of
password cracking. During our tests it has
been possible to observe password guessing
rates of 100,000 MD5 hashes/second in
JavaScript.
This figure is still slow compared to native
code which can easily loop through a few
million MD5 hashes/second on a machine
with similar configuration. The JavaScript
approach has been found to be on an Lavakumar Kuppan
average about 100‐115 times slower than lava@andlabs.org
that of native code but more than that it
makes up in scalability. ~110 machines Lava is a Penetration tester and
running the JavaScript password cracking Security Researcher.
program can match the cracking rate of one
machine running a similar program written
in native code.
As shown in the previous sections it would
be very easy to build a botnet of a few
thousand zombies executing our JavaScript
password cracker in the background. Even
with 1100 zombies our cracking rate would
be equivalent to that of having 10 machines
of similar configurations running a
password cracked written in native code. An
effective botnet creation effort could
potentially get hundreds of thousands of
such zombies to crack password hashes
providing unimaginable computing
capability.
I have built
Ravan[http://www.andlabs.org/tools/ravan
.html], a JavaScript distributed hash
cracking system which is an implementation
of this concept designed to be used for
legitimate needs.

Botnet detection
tool: Ourmon
Introduction
A botnet is a fusion of many exploits into a
single client-server application. The server
is called as bot server (generally an IRC
server) where as clients are called as
Botclients or Zombies or Drones. The most
interesting thing about botclients is that
they create more botclients in a coordinated
manner for accomplishing a common goal
with little or no intervention from the
attacker. Botnets are used frequently
because the attacker's machines (botserver)
are not used and all the work is done by the
drones which are generally machines other
than that of the attacker. There are many
common botnet families like Spybot,
Agobot, RBot, Mytob, SDBot etc.
A botnet can be used for sniffing packets,
starting DDoS attack, spamming, phishing,
and stealing data. In this Tool Gyan column,
we will learn about botnet detection though
Issue 12 – Jan 2011 | Page - 7
the popular network sniffing tool known as
Ourmon.
How Ourmon Works
Ourmon is a *NIX based open source tool
originally designed for network packet
sniffing. It works on the concept of
promiscuous mode of Ethernet packet
detection. It also uses port mirroring
technique through a Layer 2 (Ethernet)
switch. It works best in FreeBSD Operating
System.
Ourmon has two software parts, which are
called,
1. The probe or front-end which sniffs
packets and summarizes them into
various bits of
statistical information.
2. The back-end graphics engine, which
processes the probe result and
makes Web graphics, ASCII reports,
log entries, and reports. The
graphics engine needs web server
like Apache to be installed.

Installation of Ourmon
Ourmon can be downloaded from
http://sourceforge.net/projects/ourmon/.
The latest version is
ourmon29.tar.gz.Installation of Ourmon is
bit tricky because it depends on many things
like the OS you are using and the web server
that is running and some specific libraries.
We need following libraries to be installed
before installing Ourmon.
 libpcap-devel
 pcre
 pcre-devel
 rrdtool
 rrdtool-perl
You can use "yum install" or ―zypper install‖
whichever suits you best. Also make sure
that all these libraries and devel-tools are
compatible with the version of your OS. You
also need to install a web server for the GUI
display of results. For this article, we have
used Fedora as OS.
Here are the screen prints of installation.
----------------------------------------------------
[root@localhost mrourmon]#
./makeclean.sh
[root@localhost mrourmon]#
./configure.pl
configuration script to install
ourmon.
note: default is suggested like
so: [default]
note: just hit carriage-return
for default actions
--------------------------------
Would you like to install the
ourmon probe? [y] y
Front-end configuration phase
started ####################
Issue 12 – Jan 2011 | Page - 8
Would you like to
compile/install ourmon? [y] y
ourmon build: using make -f
Makefile.linux
cc -I. -I/usr/local/include -O4
-DLINUX -DDAEMON -c ourmon.c
cc -I. -I/usr/local/include -O4
-DLINUX -c ipanalyze.c
cc -I. -I/usr/local/include -O4
-DLINUX -c machdep.c
cc -I. -I/usr/local/include -O4
-DLINUX -c util.c
cc -I. -I/usr/local/include -O4
-DLINUX -c interfaces.c
cc -I. -I/usr/local/include -O4
-DLINUX -c filter.c
filter.c: In function
‘write_report’:
filter.c:1324: warning: passing
argument 7 of ‘print_icmplist’
makes integer from pointer
without a cast
hashicmp.h:62: note: expected
‘int’ but argument is of type
‘int *’
filter.c:1324: warning: passing
argument 8 of ‘print_icmplist’
from incompatible pointer type
hashicmp.h:62: note: expected
‘char *’ but argument is of type
‘char (*)[1024]’
cc -I. -I/usr/local/include -O4
-DLINUX -c monconfig.c
cc -I. -I/usr/local/include -O4
-DLINUX -c hashsort.c
cc -I. -I/usr/local/include -O4
-DLINUX -c hashport.c
cc -O4 -DLINUX -c signal.c
cc -I. -I/usr/local/include -O4
-DLINUX -c hashsyn.c
cc -I. -I/usr/local/include -O4
-DLINUX -c hashicmp.c
cc -I. -I/usr/local/include -O4
-DLINUX -c hashscan.c
cc -I. -I/usr/local/include -O4
-DLINUX -c ircscan.c
cc -I. -I/usr/local/include -O4
-DLINUX -c trigger.c
cc -I. -I/usr/local/include -O4
-DLINUX -c cprogram.c
cc -I. -I/usr/local/include -O4
-DLINUX -c nonipanalyze.c

cc -I. -I/usr/local/include -O4
-DLINUX -c patmatch.c
cc -O4 -DLINUX -c spinlock.c
cc -O4 -DLINUX -c sync.c
cc -I. -I/usr/local/include -O4
-DLINUX -c ourpcap.c
cc -I. -I/usr/local/include -O4
-DLINUX -c hashblist.c
cc -O4 -DLINUX -c thread.c
cc -I. -I/usr/local/include -O4
-DLINUX -c stringstore.c
cc -I. -I/usr/local/include -O4
-DLINUX -c hashdns.c
cc -O4 -DLINUX -c pktlinux.c
cc -O4 -o ourmon ourmon.o
ipanalyze.o machdep.o util.o
interfaces.o filter.o
monconfig.o hashsort.o
hashport.o signal.o hashsyn.o
hashicmp.o hashscan.o ircscan.o
trigger.o cprogram.o
nonipanalyze.o patmatch.o
spinlock.o sync.o ourpcap.o
hashblist.o thread.o
stringstore.o hashdns.o
pktlinux.o -lpcre -lpcap
/usr/lib/libJudy.a
Next we determine the ourmon
config/filter file to use.
By default, we use the local
/opt/ourmon/mrourmon/etc/ourmon.
conf to provide input filters to
ourmon.
WARNING: you should
read/edit/understand
ourmon.conf!
Do you want to use another
ourmon.conf file in some other
directory than
/opt/ourmon/mrourmon/etc? [n] n
Next we suggest one modification to the
ourmon.conf file.
If this is a default install, you should change
the following config directive:
topn_syn_homeip
network/netmask
Issue 12 – Jan 2011 | Page - 9
and set it to your home network
and mask (A.B.C.D/maskbits
style)
Do you want to change the
topn_syn home network address?
[y] y
note: the home net address may
be a subnet or host address
(/32).
enter a home net address and
mask. [127.0.0.1/32]
192.168.0.17/24
netmask: 192.168.0.17/24
Do you want to install the
ourmon startup script in the
ourmon bin? [y] y
WARNING: the default for the
interface may not be what you
want.
WARNING: use #ifconfig -a to
determine interfaces.
Please enter the input interface
name to sniff from: [eth0] eth0
input interface is eth0
Please enter directory for probe
output files (mon.lite, etc.):
[/opt/ourmon/mrourmon/tmp]
/opt/ourmon/mrourmon/tmp
probe output directory name is:
/opt/ourmon/mrourmon/tmp
Creating bin/ourmon.sh driver
for startup of ourmon.
ourmon.sh placed in ourmon bin
for ourmon front-end/probe
startup
./ourmon.sh start
WARNING: this is a gross guess
and it may be best handled by
you yourself!
WARNING: linux has at least two
major variations in
distributions in this area!
install the startup script
(bin/ourmon.sh) in /etc
somewhere for boot startup? [y]
y
ourmon front-end install
complete
ourmon front-end build worked

You should now run
/opt/ourmon/mrourmon/bin/ourmon.
sh to start ourmon
e.g., #
/opt/ourmon/mrourmon/bin/ourmon.
sh start
You can use ourmon.sh stop to
stop ourmon
part 2: install the back-end,
omupdate.pl, etc. (web part)?
[y] y
Back-end configuration phase
started
################################
We need a local web directory
for generated web output.
hint: the webpath given here is
a guess: give the CORRECT base
web directory with /ourmon at
the end enter absolute web
server web path directory:
[/var/www/apache2-
default/ourmon]
/var/www/html/ourmon
your output web path is:
/var/www/html/ourmon
Do you want to create the web
directory for ourmon?
HINT: good idea if it doesn't
exist. [y] y
mkdir: cannot create directory
`/var/www/html/ourmon': File
exists
cp bard/*
/var/www/html/ourmon/bard
cp batchip.sh batchipall.sh
omupdate.sh
/opt/ourmon/mrourmon/bin
cp *.pl /opt/ourmon/mrourmon/bin
cp mklogdir.sh
/opt/ourmon/mrourmon/bin
chmod +x
/opt/ourmon/mrourmon/bin/*.sh
chmod +x
/opt/ourmon/mrourmon/bin/*.pl
Issue 12 – Jan 2011 | Page - 10
INFO only: also setting up
logging directory (if needed)
creating log rrddata tmp dirs,
if necessary, in
/opt/ourmon/mrourmon
hit CR to continue:
If different, enter front-end
output file directory absolute
path: [/opt/ourmon/mrourmon/tmp]
probe output file path (back-end
input/s) is
/opt/ourmon/mrourmon/tmp
Now we copy supplied .html files
to the web directory for later
editing
do you want to copy base web
files to the web directory? [y]
y
INFO only: setting up local
rrdbase directory at
/opt/ourmon/mrourmon/rrddata
your runtime rrds get stored in
this directory, along with the
rrd error log file
if you create new BPF filters,
check rrdbase/ourmon.log for
errors.
hit CR to continue:
We need a UDP weight threshold
for UDP scan alerts
what should be the weight
(default is given): [10000000]
Install backend crontab commands
in /etc/crontab (default answer
y)?: [y] y
ourmon system config complete
see INSTALL for post-config
sanity checking
[root@localhost mrourmon]# ls
ACKS CHANGES dumps
INSTALL makeclean.sh
README.bsd README.openbsd
scripts tmp ubuntudep.sh
VERSION bin configure.pl etc
logs README
 Issue 12 – Jan 2011 | Page - 11

README.linux rrddata The Ourmon Web Interface

src TODO uninstall.txt
web.pages

[root@localhost mrourmon]# cd
bin/

[root@localhost bin]# ls

batchipall.sh daily.pl
logbackup.pl mklogdir.sh
ombatchip.pl ombatchsyn.pl
omupdate.sh ourmon.sh ssh.pl
udpreport.pl batchip.sh
irc.pl makebar.pl
monbackup.pl ombatchipsrc.pl
omupdate.pl ourmon
sshdb.pl tcpworm.pl
wormtolog.pl

[root@localhost bin]#
----------------------------------------------------

When in doubt, read the supplied INSTALL

file at mrourmon/ as shown above. We can
detect the botnets from the GUI screen of
the Ourmon which runs continuously.
Reports are generated in daily, weekly,
monthly and yearly basis. Here are some
screen shots of the results. Note that here
we are showing you the screenshots of a
private network. In real time scenario the
screen shots will be different. But the
procedure of installation and results viewing
process remains the same.
 Issue 12 – Jan 2011 | Page - 12

Ourmon Main Web Page:

Summarizations

TCP Anomaly Detection

 Issue 12 – Jan 2011 | Page - 13

DNS RRDs:
 Issue 12 – Jan 2011 | Page - 14

Major L2 protocol Graphs:

ICMP and UDP Error Generation

Page:
 Issue 12 – Jan 2011 | Page - 15

Top N TCP and UDP flows:

UDP Summarizations:
 Issue 12 – Jan 2011 | Page - 16

Base OS and Ourmon Directory

Screenshots:
 Issue 12 – Jan 2011 | Page - 17

It is a huge tool and it can be used for

multiple purposes. Users are encouraged to
go through this tool carefully and find out
many interesting features. We also can see
evil channel sorts which show us all the
four types (PINGs, PONGs, JOINs and
PRIVMSG) of IRC messages. An IRC
channel having more than few clients with
high maxworm values can be a potential
botnet channel. Also, non-scanning host in
an evil-channel could be botnet servers.
Ashis Dash
ashisdash1@gmail.com
Further Reading Ashis is a network programmer,
blogger and open source software
1. ―Ourmon and Network Monitoring
advocate. He works extensively on
Performance", James Binkley, Bart
Massey, April 2005 Layer2/Layer 3 switches and
Freenix/USENIX paper routers. His areas of interests
2. "Anomaly-based Botnet Server include Network Security, Shell
Detection," James R. Binkley, Code and Buffer Overflow
Computer Science, PSU, FLOCON Techniques.
CERT/SEI, Vancouver WA, October
2006.
3. "Traffic Analysis of UDP-based flows
in Ourmon," Jim Binkley and Divya
Parkeh, FLOCON CERT/SEI 2009,
Phoenix, Arizona.

Documentation

1. http://sourceforge.net/projects/our
mon/
2. http://ourmon.sourceforge.net/

What are Botnets?
Introduction
Recently, Indian Cinema experienced an
unusual phenomenon of technology and
imagination - ―Ro ‗bot‘s‖. The superstar of
the south was again at his best and we could
see excellent combination of talent and
technology.
But ever wondered, if this was to happen for
real, what were the things which we saw had
unusual strength? How could just they
become ―1-2-ka-4‖ in number (or even
more)? Execute orders given to them with
most accuracy? Re-evolve even after the
destruction?
Well this was an absolute scenario which we
might face in near future. And this could be
possible by the evolution of current
technology called ―Bots‖ or ―Botnets‖. So
what exactly are bots/botnets?
Before we actually see about Botnets, one
needs to have an insight about the category
to which they belong – Malwares.
Issue 12 – Jan 2011 | Page - 18
Malwares are any malicious computer
programs, which intentionally or
unintentionally cause harmful, irritating,
unrecoverable damages to one‘s computer
systems. There are varied types into which
a malware can be categoriesed, viz-
Viruses–file infectors,
inserting/appending code in the original
code and executes when the file is accessed.
Worms – Self-replicating programs which
propagate through networks.
Trojans – Programs which disguise as
normal programs but, steal/sniff data of
victim and send it to the attackers/infectors.
Rootkits – Sophisticated malware
category, which is stealth to be detected and
perform maximum damage.
Spyware – Fake / Copy of original
programs, which are not harmful but
disguise to open backdoors into the system
for further attacks.
Ransomware – Normally termed as
spywares, but are specifically used for
money laundering and economical frauds.
And of course, the newly evolving technique
of Bots/Botnets.
 Issue 12 – Jan 2011 | Page - 19

So what exactly are Botnets? The Botmaster tries to install the malicious
A bot can be a single system infected with code in the users system by wooing them to
malicious software/code and a collection of access/download a fake file. Once the
bots form a botnet which is controlled by system is infected with the code, it tries to
the commands of the botnet controller. infect other systems connected to it. The
The above description contains some infected systems are known as ―Zombies‖.
specific terminologies which need to be Thus the infection is spread exponentially
understood in order to understand the into the computer systems and an army of
working of botnets.
A botnet starts with malicious code written
by the attacker. The attacker infects a single
system/server with the code. This in turn is
used by the attacker as Command and
Control (C&C) center for further infection.
The attacker here is often termed as
―Botmaster‖.

zombies is created
All the Zombies are connected to the
attacker by a Command and Control Center
(C&C). Attacker can send any commands to
all systems to which the connection has
been established using this.All this happens
with absolute no knowledge to the user.

When a botnet is being considered, some of
the important aspects which are involved
are,
 Botnet Control Methodology,
 Zombie Control Techniques,
 Propagation Techniques,
 Target Exploits and Attack
Techniques,
 File Delivery and
 Deception Strategies used.
All the above points define the architecture
of a Botnet.
 Botnet Control Methodology :
When an Attacker writes a code to deploy
botnet, attacker first needs a control
mechanism to find his victim, deploy the
botnet and to have control on the infected
systems. When botnets were first deployed,
the only mechanism which was used was
(Internet Relay Chat) IRC Servers. IRC
servers were one of the most vulnerable and
easy to use Control mechanisms used by
attackers to start a botnet. Attackers used to
setup an IRC server and woo users to join
into it. Once a user joins in, attackers
Issue 12 – Jan 2011 | Page - 20
infected his/her system and deploy their
stub for the botnet. Thus the infected
system is now turned into a Zombie. Most of
the analyzed botnets till date used IRC
based C&C mechanism. For E.g., SDBot,
Agobot, etc.
But to create more sophisticated botnets
attackers have already slowly moved on to
P2P services, Dynamic DNS services, HTTP
C&C, etc. One of the major advantages of
these is that many organizations may not
allow IRC connections into their network,
but almost all, allow services like HTTP.
 Zombie Control Mechanism :
To control the zombies, attacker decides his
own commands and protocols. Using these,
attackers control the infected systems
(zombies). Many known bots have their own
set of commands to change the passwords,
download a file to the victims computer,
upload the logs of victim and to gather
victims sensitive information. Attackers
change the passwords/ deploy a backdoor so
that the access can be maintained for the
next time. Attackers disable the antivirus
software in order to avoid
detection/removal from the system.
 Propagation Techniques :
As mentioned earlier, once a system gets
infected with the botnet, it itself can infect
other machines connected to it.
For e.g., if one system gets infected, it tries
to infect other systems connected to it. Thus
there are now total two systems spreading
the botnet.

Thus the botnet spreads exponentially.
(Remember the movie scene where snake
kind of thing spirals out from nowhere.)
Attackers use different mechanism for the
propagation. Attackers send emails to users
and ask them to click on a malicious URL or
to download a greeting/joke file.
An automated code tries to perform a
vertical or horizontal scan to find out open
ports across a single address or a range of
addresses.
 Target Exploits and Attack
Techniques :
Most of the systems which fall prey to
botnets are often unpatched systems.
Attackers try to exploit known
vulnerabilities of a system. A specific botnet
can be designed to exploit a specific
vulnerability. In such cases, attacker only
makes changes to the malwares it drops into
victims system. These kind of botnets have
the same basic architecture and hence are
variants of their previous.
 File Delivery :
By now it is quite clear, that every botnet
involves some kind of malware which is
deployed onto victim machine. When a
system has been compromised, attacker
acquires sufficient rights and
sends/downloads malwares into the victim
machine. Attacker may use utilities
provided by IRC server for
download/upload purpose.
Attacker may also use HTTP/FTP protocols
to send/receive files depending upon the
system vulnerabilities.
Issue 12 – Jan 2011 | Page - 21
 Deception Strategies :
Since long IRC base bots could be used
without any stopping into a botnet. But with
the increase in awareness among the people
about the botnets, it has been easy to detect
compromised machines. Hence attackers
have started to come up with more and
more sophisticated techniques to avoid
detection. Common methods used were,
- disabling any AV programs found onto the
systems,
- disguise as a legitimate program,
- delete system logs, etc.
Now attackers are even trying to hide into a
system using rootkit technology. Rootkits
are the most stealth and undetectable
malwares. Attackers have been trying to
incorporate this kind of technology to avoid
detection.
All work and no play makes
jack a dull boy –
With all its strategies,
techniques and its spread,
what does a botnet do?
Typically botnets evolved with
a view to demonstrate
programming skills of its
creator.
But with its technological
advances, botnets are now a
lethal weapon for cyber
criminals and hackers. Botnets
are now used for,
- DDoS
- Spamming
- Phishing
- Financial Frauds
- Identity Theft
- Cheating in online games /polls
- Click Frauds
 Issue 12 – Jan 2011 | Page - 22

- Espionage

Botnets cause a significant amount of loss to

an organization which has been plagued by
a botnet.Once a system/network gets
infected by the botnet it no longer belongs
to the user/owner. The attacker can have
full control of the system and can perform
all kinds of malicious activities using the
system. If current scenario of terrorism is
taken under consideration, botnets can be
an important weapon to affect a country‘s
stability and infrastructure. Pushkar Pashupat
According to recent observations, around push.pashupat@gmail.com
10000bot nodes are created per hour. Also
Pushkar aka- push is a Security
as stated in the Wikipedia page for Botnet,
evangelist, Working with Content
up to one quarter of all personal computers
Security and Anti-Virus Product
connected to the internet may be a part of
Company.
some or other botnet. There have been
many attempts to bring down as many
botnets as possible.

But as the old saying goes ―Prevention is

better than cure‖, its always better to
avoid getting infected than to detect and
remove it after infection. You never know
how much amount of damage has been done
till its detection.

- Standard methods of computer

security should strictly be followed
in an organization.

- Keep users well acquainted with the

best security practices to follow at
the workplace.

- Even though Content Security

products like AVs, IDS, IPS may not
be able to detect the new emerging
threats, its still a best practice to
keep them updated.

And of course,

“Patch!” “Patch!” “Patch!”

 Issue 12 – Jan 2011 | Page - 23

About Information world‘s top experts on RBN, the infamous

Russian Business Network we‘re used to
Warfare: hear about. Besides being a wonderful
person and an highly-skilled professional,
new rules for a Jart belongs to an international network of
experts, closing working with Law
new world Enforcement and the IT Industry while
fighting cybercrime every day.

Summing up our backgrounds, we have

Introduction been able to develop this very first
presentation on such topics, bridging both
During my presentation at Club Hack
experiences and contacts, in order to build
Conference on day 2, the one named
something new, aiming to bring a totally
―Cybercrime, CyberWar, Information
new approach to the subject. Giving the
Warfare: what‘s this all about, from a
amount and nature of feedbacks, both on-
Hacker‘s perspective? New rules for a new
side (after my talk) and those emails I‘ve
world‖, I‘ve noticed a deep interest by the
received, I may definitely say that we‘ve
audience.
been able to reach the goals :)
All of the delegates, no matter if operating
in the InfoSec industry or in Military
Reasons to speak about
environments, attended this presentation
with an high and true interest, possibly due
Information Warfare from a
to the topic and keywords of the talk itself. hacker’s perspective
After 9/11, the IA (Intelligence Agency)
I have designed the slides along with Mr. world started to ―hunt‖ for hackers,
Jart Armin, RBN exploit and meaning that they made up their very first
Hostexploit.com founder and among the move into the digital underground, looking

for hacking resources to be hired, with
specific goals.
At the beginning, US Government was
informally seeking for hackers, in order to
attack and/or infiltrate into Al Qaeda
communication network. I do remember
requests related to hacking into Thuraya
(http://www.thuraya.com/), a Middle-East
based satellite operator.
Intelligence gossip at that time was claiming
that Al-Qaeda‘s members were seen while
using Thuraya phones, and obviously this
may have lead IAs to imagine a scenario in
which, if somebody would have been able to
obtain both CDRs and satellite information
of specific Thuraya‘s users, then analyzing
and correlating those data, the war against
one of the main actors in worldwide
terrorism could have been won.
Then, the time passed by, and no more
requests of ―on-demand‖ hacking to
Thuraya‘s network have been made to
world‘s most notorious, old-school hackers,
at least as far as I know. During 2002 and
2003 tough, those guys assisted to a huge
escalation of different requests, this time
coming from US and Israel based IAs. These
agencies were asking for 0-days, probably to
be used in specific scenarios. Also, a few
people got ―softly detailed‖ requests to run
black operations (hacking attacks for
Intelligence purposes)
2005 observed the official claim of attacks
pointing to China as the source of them, and
popped up the very big issue of the Source
of the Attack or Attack Source Attribution,
that‘s still pending today.
Finally, since 2008 up to now we started
being aware of National Critical
Infrastructures (NCIs) and those issue while
trying to secure them, summed up to the
Issue 12 – Jan 2011 | Page - 24
very deep link with SCADA and Industrial
Automation (IA) security.
Analyzing the nutshell
If we take a look at the wonderful graph
made by the folks at Hostexploit.com, we‘ll
notice how all of the above I‘ve written in
this article, perfectly fits the reality of facts
and what effectively happened.
While the 2000-2003 period has been for
testing purposes, then during 2003 and
2004 we can see rising the extortion
approach, that would explain and justify
USA and Israel IAs (namely, just the ―top of
the iceberg‖) to possibly seek for e-weapons.
Then, all of this leads us to 2005 and 2007,
where I can see a deep, highly-shaked mix
between the China attacks and the ―botnets
for hiring‖ boom, while not forgetting about
what happened in Estonia (2007) and
Georgia (2008).
The last three years made all of us seeing
the botnet concept nicely applied both to
Cybercrime and Information Warfare
environments, while affairs such as the
Vodafone Greece (2004/2005), Telecom
Italia ―Tiger team‖ scandal (2003/2005),
Stuxnet (June 2010) and Israel VS Lebanon
& Egypt (December 2010), not speaking
about the Wikileaks (and CableWeaks) one,
definitely helped us at drawing the big
picture and realize what this is all about.
Today‘s trends see IAs and MoDs deeply
scouting hacker‘s environments and
underground, hiring specialized know-how
for mission-oriented capabilities, such as 0-
Days e-arsenary, launching cyber attacks,
protecting National Security, rather than
relying on the Industry and the
Underground and Public communities in
order to analyze malware and obtain early
 Issue 12 – Jan 2011 | Page - 25

around it: server farm rather than home

warning, alerts, malware trends and
users, so to speak.
statistics.
This is one of the main reasons why
So, during the very next years will hear
Industrial Espionage incidents raised up
about a few new terms, such as Next
drastically in the last 20 years, thanks to the
Generation Cybercrime (NGC) and Next
Digital Revolution, and IT and TLC
Generation Walfare (NGW), along with the
resources and chances.
evergreen Cyberwar and Information
Warfare. In both cases we found ―instruments‖ like
botnets, DDoS tools, 0-days and so on that,
From Cybercrime to Information
depending on the scenario itself, can be
Warfare, through Industrial
labeled as ―cybercrime tools‖ or ―e-
Espionage
weapons‖.
They do exist deep links between
While the Underground Economy business
Cybercrime and the concept itself of
model is indeed a wonderful and exciting
Information Warfare. This happens because
study, it‘s my opinion that what we should
today‘s information is digitally stored,
learn – and apply to our needs and
parked on hard drives rather then on-line,
scenarios – from the cybercrime
from virtual hard drives to social networks,
environment is mostly the technical-related
passing-by the Cloud. So, we just said that
part. Analysing the ―life‖ of botnets, rather
this information is digital. This means,
than reverse engineering latest malware and
beside the media where it is stored, that it
0-day exploited vulnerabilities may lead us
stays into a file: it could be an email file, an
to a total new world and perspectives, where
Excel or Word document, a PDF or a Power
the concept of electronic weapons to be
Point presentation, an Open Office
applied and used in Information Warfare
document, a simple text (txt) note. But it‘s
scenarios become totally true.
still a file, whose security relays on the
operating system of the computer storing it, We will assist to an escalation of digital
rather than the whole context and scenario attacks, where some of them will became
 Issue 12 – Jan 2011 | Page - 26

public while others will not. The recent

NATO interest shown in Lisbona a few
weeks ago is an important sign: in case of
cyberattacks to a NATO Member, the other
Members should support and help the State
under attack‖. This means really a lot, and
automatically includes perspectives such as
Information Sharing, CERT (Gov and Mil
ones, mainly) involvement, Incident
Management, a Coordination Center, and
establishing defined Point of Contacts
among all the Members, as well as defining
the Chain of Cyber Command and how it
will interlink and interact with the external.

Because the threat is global, just as well as

the cybercrime is borderless.

What’s already happening?

Former speaker at Duma, Nikolai

Kuryanovich, back in 2007 made a very
strong but visionary statement:

―In the very near future, many conflicts will
not take place on the open field of battle,
but rather in spaces on the Internet, fought
with the aid on information soldiers…
This means that a small force of hackers is
stronger than the multi-thousand force of
the current armed forces.‖
Nowadays many States already began,
trough their Minister of Defence, to work on
topics such as an Official Cyber Doctrine,
Cyberwarfare Training, Cyberwarfare
exercise and simulations, building an IT
roadmap (from a military and National
Security point of view), working as well with
the IT industry and technical universities
(see Malaysia, China and many others),
establishing Information Warfare units and,
obviously, starting keeping record of
hacking activities on other Nations.
It‘s not a futuristic scenario, here we are
talking about something that already
happened a long time ago. It was in the
middle of the 80‘s when CCC members
Hagbard and Pengo used to hack into
Government and Military contracts, as well
as centers and research labs, in the USA,
giving back the results of their hacks to the
KGB and receiving money and facilities
from them. Hagbard was found dead,
hanged to a tree out of the town he was
living it, and burned.
Vodafone Head of Network Design, possibly
involved in the 2005 Vodafone Greece
affair, was found suicide. The same for
Adamo Bove, working at Telecom Italia
Lawful Interception System. And, the same
recently happened to Majid Shahriari in
Iran, and everything seems to be related to
the Stuxnet worm
(http://www.debka.com/article/20406/).

It’s out there, right now.
No, we are not talking about an Hollywood
movie, tough it would be a great screenplay.
This is reality. It‘s a paradigm shift, where
the classical war between armies has
reached his long-term apogee, and a new
paradigm recently started. So, the ―good &
old‖ Menani‘s scale on cyberconflicts,
raising from Cybervandalism to Internet
crime, Cyberespionage, Cyberterrorism and
Cyberwar, will sadly need to be ―enhanced‖:
new rules for a new world.
Note from the Author
In this article I have reported information
that have been gathered from personal
experience and network of contacts:
nevertheless, everything I am stating here is
―suspected to be so‖, meaning, speculations
and possible scenarios.
Also, I have to underline that the views
expressed are those of the author(s) and
speaker(s) and do not necessary reflect
the views of UNICRI or others United
Nations agencies and institutes, nor the
view of ENISA and its PSG (Permanent
Stakeholders Group).
Issue 12 – Jan 2011 | Page - 27
About the Author
Raoul ―Nobody‖ Chiesa is 36 years old and
lives in Turin, Italy. At UNICRI (United
Nations Interregional Crime & Justice
Research Institute) he‘s a Senior Advisor on
Cybercrime and manager for Strategic
Alliances. Raoul is also a member of ENISA
(European Network Information & Security
Agency) Permanent Stakeholders Group
(PSG) and a recognized international
security expert, running its own
independent security consulting companies,
@ Mediaservice.net (a Security Advisory
company) and @ PSS (Digital Forensics
consulting). He can be contacted at chiesa
[at] UNICRI [dot] IT
 Issue 12 – Jan 2011 | Page - 28

Botnet attacks Applicable Sections

and the Law Sections 43, 66 and 66 (A) of the

Information Technology Act and Section
426 of Indian Penal Code

Introduction  Sec. 43
A botnet (a contraction of the term If any person without permission of the
―RoBOT NETwork‖) is a computer owner or any other person who is incharge
network made up of a vast number of of a computer, computer system or
compromised computers that have computer network,—
been infected with malicious code, and can
be remotely-controlled through (c) Introduces or causes to be introduced
commands sent via the Internet. any computer contaminant or computer
Typically, users whose computers have been virus into any computer, computer system
conscripted into a botnet are unaware that or computer network;
their computers have been compromised.
The computer so affected is called as He shall be liable to pay damages by the way
“Zombie”. of compensation to the person so affected;

Explanation — for the purposes of this

section,—
The Law
Case Study
(i) "Computer Contaminant"
Siddarth, a skilled programmer creates a means any set of computer
malicious code and releases it on the instructions that are
internet. It has compromised vast number designed—
of computers and caused a loss of worth
millions of dollars.
 Issue 12 – Jan 2011 | Page - 29

(a) to modify, destroy, record, transmit data  Sec. 66A

or program residing within a computer,
computer system or computer network; or
(b) by any means to usurp the normal
operation of the computer, computer
system, or computer network;
Any person who sends, by means of a
computer resource or a communication
device—
(a) any information that is grossly
offensive or has menacing
character; or

 Sec. 66

Any person ―dishonestly‖ or ―fraudulently‖ (b) any information which he knows

– to be false, but for the purpose of
causing annoyance,
(c) Introduces or causes to be introduced inconvenience, danger,
any computer contaminant or computer obstruction, insult, injury,
virus into any computer, computer system criminal intimidation, enmity,
or computer network; hatred or ill will, persistently by
making use of such computer
He shall be liable for an imprisonment
resource or a communication
which may extend upto 3 years and fine
device,
upto Rs. 5 lakh.

For the purpose of this Section,

(c) any electronic mail or electronic
The word “dishonestly” shall have the
mail message for the purpose of
meaning assigned to it in Section 24 of the
causing annoyance or
Indian Penal Code. , i.e.:-
inconvenience or to deceive or to
―Whoever does anything with the intention mislead the addressee or
of causing wrongful gain to one person or recipient about the origin of such
wrongful loss to another person is said to do messages,
that thing "dishonestly".‖
He shall be punishable with imprisonment
The word “fraudulently” shall have the for a term which may extend to three years
meaning assigned to it in Section 25 of the and with fine.
Indian Penal Code, i.e.:-

―A person is said to do a thing fraudulently

if he does that thing with intent to defraud
but not otherwise.‖
 Issue 12 – Jan 2011 | Page - 30

 Sec. 426 of Indian Penal Code

Punishment for mischief

Whoever commits mischief shall be

punished with imprisonment of either
description for a term which may extend to
three months, or with fine, or with both.

Additionally provisions are also made in Sagar Rahukar

Sec. 66F Cyber terrorism and Sec. 69B sr@asianlaws.org
Power to authorise to monitor and collect
traffic data or information through any Sagar Rahukar, a Law graduate, is
computer resource for cyber security Head(Maharashtra) at Asian
regarding introduction, intrusion and School of Cyber Laws. Sagar
spread of Computer Contaminant. specializes in Cyber Law,
Intellectual Property Law and
Corporate Law. Sagar also teaches
law at numerous educational
institutes and has also trained
officials from various law
enforcement agencies.

Who is leaving my
home?
Introduction
The whole team came to me and said this
issue will have to be on BOTNET only. They
gathered article in all sections related to the
same topic & now it was my responsibility to
make ―Command Line Gyan‖ on the related
topic. So finally I decided to give you a
closer look at my good old. cross platform
friend ‗netstat‘. There is a reason why I
chose ‗netstat‘, this would give you an idea
and help you keep an eye on outgoing
connection & monitor if your machine is a
part of botnet or not.
You can say that my antivirus is up-to-date
and it will take care of the same, but having
said that are we sure all the malware are
caught by ‗my‘ antivirus? Am I sure my
Linux box doesn‘t have a malware which is
leaving me vulnerable to this?
And that‘s where our friend ‗netstat‘ comes
handy but we‘ll take a different approach to
use it this time.
Issue 12 – Jan 2011 | Page - 31
Windows
Although again we are dividing this article
in windows vs linux subsections, remember
most of the commands will work on both
the OS. All you have to be careful is with
additional tools you are using to filter
results.
To start with we‘ll see on how many ports is
my machine listening to a connection
C:\> netstat -na | find /i
"Listening"
This will give you a list of ports on your
machine which are in listening mode. Make
sure you check reason behind each. to be
sure which application has opened that port
You may want to use switch –o to see the
PID of the process which has opened the
port
C:\> netstat -noa | find /i
"Listening"
Now how can you check which application
does that PID belong to?
For that use WMIC
 Issue 12 – Jan 2011 | Page - 32

C:\> wmic process where Aah! I hate & love the case sensitivity of
processid="pid" list full Linux environment. And that‘s why we use
–i to ignore case while searching and use
This will tell you the process with your only ―listen‖ in filter as it may differ among
chosen PID. various Linux flavors.

You may also try other switches of netstat
like
-b = display executable name responsible
for the connection
I know Linux users are geek themselves, so
this article was just a reminder that don‘t
forget your friend netstat, keep using it 

-p = specific protocol

-o = display process ID

-a = display all

-n = display IP only and no the fqdn

Rohit Srivastwa
But the most interesting you‘ll find is using
rohit@clubhack.com
a continous netstat to keep looking at the
results

C:\> netstat –na 5

This will keep checking the result of ―netstat

–na‖ every 5 seconds. You may choose your
own time interval and make a script out of it

For more work on netstat there is an

interesting but more difficult way in
Microsoft Powershell but we‘ll keep that out
from this article

Linux
For linux more or less all the parameters are
same. You may want to try the same
command on linux too. Remember
parameter for netstat are same, not the
other executables
Like the first example in linux will become

# netstat -na | grep –i "listen"

Issue 2 – Mar 2010 | Page - 1