Cisco Blogs


Cisco Blog > Security

Exploring a Java Bot: Part 3

January 19, 2010 at 1:18 pm PST

Before we begin part 3 in this series, let’s review what we’ve covered so far. In the first post we learned how this bot was discovered and some basics about botnets. In the second post we covered botnet fundamentals like command and control (C&C) and various other capabilities. In this post we will examine some of the offensive features incorporated into a botnet designed to launch attacks and maintain control of hosts (aka victims). First we will discuss how botnets spread and then we will look at flooding and how it’s implemented in this bot.

There are two main ways malware spreads. It’s important to note that these two methods are not mutually exclusive. The first method, made famous by the Morris worm, involves targeting a network-based vulnerability; the author designs an exploit to spread his malware. Once the malware takes over a machine it then infects other machines. Every time the binary moves from one machine to another the botnet has the potential to see exponential growth. Most vulnerabilities only affect a specific operating system at a specific range of patch levels. Malware of this nature often hits big and then its growth rate takes a steep dive as patches become available and as malware is removed. Once the vulnerability is patched, the malware must adapt or accept a shrinking attack surface. Two recent examples of this method are Conficker and Slammer. It is important to note the distinction between the growth rate slowing down and the number of compromised machines. There are still countless machines connected to the Internet running both worms. Even as the growth rate approaches zero, many, many computers have already been infected and continue to run the malware. In two days time on a single Intrusion Prevention System (IPS) we saw over 178,000 slammer attacks.

An attacker simply needs to trick an unsuspecting user into running a binary that is under the control of the attacker. This attack vector is known as a trojan horse. A malware author would package his wares as a link from a friend, a new game of interest, or even a program to create keys for pirated software, etc.

Read More »

Tags: , , , ,