How botnets expand and how to protect against them

Botnets are a major threat for web hosting providers and basically for every server. They are the fundamentals of cybercrime in the dark industry of hackers.

A botnet is a group of infected computers (aka bots or zombie machines) controlled by a hacker, the botmaster. Zombie machines can be personal computers, mobile devices, or even servers. Today we will focus on botnets formed by infected Linux servers.

Server-based botnets are especially valuable for the bad guys as servers have typically a high amount of various resources like CPU, memory, and what is the most important, internet bandwidth with trusted and in many cases unrestricted upload traffic capacity. Servers typically operate 24 hours a day, 7 days a week, and have at least one fixed IP address. In many cases servers already have every component for the hackers to operate.

As there is a huge demand for high-capacity botnets in the dark markets for different purposes like sending spam emails, different DoS attacks, and similar cybercrimes there are more and more botnet infections that web servers have to face.

Every botnet has some common characteristics, the building block of the system. The basic blocks are zombie machines, a command and control (C&C) node, and a communication link between the nodes and the C&C node. This architecture is called a centralized botnet and this is still the most popular architecture. There are other ones out there like peer-to-peer setups, but we won’t cover them in this article.

So how do the bad guys create their large botnets? There are 6 steps every zombie server goes through in the process of joining a botnet and operating in it.

the phases and the solutions

1. SCAN PHASE

The first step of finding new members for a botnet, or even finding the very first member is scanning for vulnerable hosts. The system scans for vulnerable servers. This process is specialized for scanning for a specific vulnerability, or a set of vulnerabilities the botnet is able to exploit.

For example, a very common scan is chasing for known PHP CMS systems like WordPress, Joomla, and Drupal. If these CMS systems and especially their themes or plugins are not updated regularly, then they can have many remote vulnerabilities and can be easily misconfigured. It is quite easy to scan a server for these CMS systems.

In the example below, you can see such a scan detected by BitNinja’s log analysis module. It is vital to set up a defense line at this stage as this is an early stage and relatively easy to stop attackers. Detection is easy, but it’s also to generate false positives resulting in blacklisting innocent IPs at this point.

a scan detected by BitNinja’s log analysis module

That is why BitNinja first uses greylisting (read more about greylisting in our documentation) instead of blocking these addresses. This way false positives can be eliminated.

Other scans target specific software versions installed on the server to detect vulnerabilities. Setting up honeypot traps is also very effective at this stage.

Modern botnets use many different bots to scan a particular server. Sometimes when large botnets expand, they only do one scan request per IP. This is called distributed scanning. By using distributed scanning, botnets can avoid being detected by simple log analyzers. The only way to fight against these botnets is using a distributed protection system, usch as BitNinja ServerProtection.

How does BitNinja protect servers in the Scan Phase?

Using honeypots and log analysis is useful and effective in this phase. Detecting distributed scans requires a distributed and interconnected defense system.

Related BitNinja modules:

2. EXPLOIT PHASE 

After the identification of a vulnerability, the process steps into the next phase of exploiting the vulnerability. This phase is about actually applying the attack and opening a door into your system.

There are many different kinds of exploits attackers can use. Some categories based on the vulnerability:

  • Remote Code Execution (RCE),
  • SQL injection,
  • Code injection and
  • Brute force.

Often there is a time lag between the scan and the actual exploit, and different IPs are used for scanning and applying the exploit to avoid detection. This phase is about opening a channel for a higher privilege to step into the next phase of infection. 

Determined hackers also use hybrid attacks. In the first step, the botnet creates a list of the vulnerable websites. In the second step, a human makes the exploitation because it has a much higher success rate if they do. Following the human exploitation, the attack is automated again.

How does BitNinja protect servers in the Exploit Phase?

Detecting the actual exploit requires a deep analysis of the malicious request at the application level. Web application firewalls and other application-level solutions can help to detect and stop attacks at this phase.

Some of the requests can be detected using log analysis too, but this is not sufficient as the damage has already been done by the time you detect the request. IP reputation can be useful to keep automatic exploit trials and 0-day attack requests away from your server.

Related BitNinja modules:

3. INFECTION PHASE

Botnet expansion software will infect some files on your system when they gain access to set up a backdoor they can use to come back anytime later, which can be used for remote access at a later date.

The classic backdoors were binary programs installed on servers, but in the age of CMS systems and script languages, it is enough to upload a script suitable for the server environment, like a PHP, Perl, Python, or hash script, and hide it under an unexpected subdirectory.





 most simple backdoor written in PHP

Above you can see the most simple backdoor written in PHP.





obfuscated malware

This second is a more complex one, designed to avoid pattern-based malware detection, a good example of obfuscated malware. It is quite challenging for pattern-based virus detection mechanisms to detect such malware. 

This is why we developed a new (patent pending) detecting method that differs from any other solution on the market. The new technique is based on the structure of the source code.

First BitNinja detects if the obfuscation method was used in a file. The system doesn’t determine yet whether the obfuscated code is malware or not. In order to figure it out, the code needs to be run to see its purpose but running a potentially malicious code on your server is risky. 

sandbox

The second step is to run the code in a sandbox farm and inspect the behavior of the code (e.g. generated network traffic, newly created files, etc). We can find out from these behavior signatures if the code was legitimate or malicious. 

Quarantining all the obfuscated files is not the best idea because several valid files use obfuscation techniques too.
By running the code in a sandbox, Bitninja deobfuscates the code, and after that, regular matching mechanisms can be used to find out the intention of the code.

How does BitNinja protect servers in the Infection Phase?

Although there are mechanisms to keep attackers away, this is very challenging to stop the infection at this point as the attacker already has a door and gained more privilege, and can also upload content. You should take steps to prevent attackers from reaching this point. Anti-malware software and web application firewalls can help you at this phase.

It is really important to react as soon as possible if we find malware. We have to find the vulnerability and virtual-patch it quickly.

We developed the BitNinja Defense Robot for this purpose. A comprehensive, automated tool, which does the aforementioned task in less than a second. It is the only real-time malware root cause analysis solution in the world. This module identifies backdoors and attacking IPs at each malware upload attempt.

For SMEs, this would be insolvable because it requires a 24/7 charge. But with BitNinja, it doesn’t require any manual intervention. The Defense Robot auto-greylists the attack source and sets up customized WAF patterns, so the hacker doesn’t have the opportunity to upload malware again. If it finds suspicious malware, it validates the malware automatically.

That means we can easily discover the original malware, determine the exact intrusion points and fix them.

Related BitNinja modules:

4. REGISTER C&C SERVER

After planting a backdoor by infecting your files or uploading new files, the botnet will register the new member of the botnet in their database. The basic idea behind a command and control server is to centralize the botnet so that the botnet master can send a command to all of the bots simultaneously.

In addition, it helps the botmaster to hide his own identity by not connecting directly to the zombie servers but sending commands indirectly using the C&C server as a proxy. It also means you can disarm an infection by blocking communication between your server and the C&C server.

register c&c server

How does BitNinja protect servers in the Register and C&C Server Phase?

You can block the C&C requests by analyzing and filtering the outgoing and incoming requests of your server. Outgoing requests are made by your server to ask the C&C server for commands, or as a result, for the C&C request.

Related BitNinja modules:

5. RESOURCE USAGE

After the botnet registered the newly planted backdoor, it is ready to use your resources.

Often higher data traffic is the first symptom a server owner can identify on the server. Users complaining about outgoing emails as your IP has been blacklisted? Your server is part of a botnet! Your datacenter suspended your server because of an outgoing DoS attack? It was not your users! It is a botnet activity. Have you received an incident report from BitNinja about many different happenings? You can be sure your server has been infected.

There are many different cybercrime botnets can use your server for. Some example you might already experience on your server:

  • DDoS,
  • Spam,
  • Phishing,
  • Identity steal,
  • Proxy.

There are services like outgoing spam filtration and DoS mitigation but they just treat the symptom, not the root cause!

Related BitNinja modules:

6. EXPANSION

A special case of resource usage is when your server is commanded by the botmaster to start scanning for new potential members, exploit the found vulnerabilities, infect the target, and register in the bot army. Wow! Your server is not only part of a botnet but also part of organized cybercrime.

How does BitNinja protect servers in the Expansion Phase?

By analyzing the outgoing traffic of your server you can find patterns and requests according to the malicious activity of botnet expansion. Also, if there are 2 BitNinja enabled servers, and one is attacking the other, they can share this information with each other and find the malicious script and command and control IP. We are still working on this solution.

Related BitNinja modules:

botnet lifecycle

As we go down on the botnet expansion funnel, getting rid of the attacker and the infection is getting harder and harder. Here, at BitNinja, we are working hard to implement a multi-layered system to cover all the steps of the infection cycle and protect your server and users against all kinds of cyberattacks. This is how we would like to make the Internet a safer place.


A successful botnet attack can have very serious consequences, and of course, nobody wants to see their servers down because of such attempts. Cybersecurity is not optional anymore. It is a must! If you haven’t tried BitNinja yet, don’t forget to register for the 7-day free trial! No credit card needed!

Free Trial

We are always happy to help you! If you have any questions, check out our Knowledgebase, feel free to ask at info@bitninja.io, or you can even reach us on the Dashboard chat!

Let’s make the internet a safer place together!