Botnets are elaborate command-and-control systems used by criminals for sending spam, stealing personal information or launching denial-of-service attacks through hijacked computers. But their underlying malware code structures share common ways to evade detection, and even mimic some commercial code practices, such as digital methods to prevent copying and reverse engineering, says one researcher.
"People don't understand why their machines are infected as they've been running antivirus continuously," says Gunter Ollmann, vice president of research at Damballa, a security start-up specializing in botnet detection. "They're stumped."
The answer, he says, is that botnet code designed to infect computers typically makes use of evasion techniques such as "noise insertion" and "chaffing": generating redundant strings of code that do nothing except make it harder for antivirus or other detection methods to find the malicious code, because the inserted noise "will stop a string-inspection system from seeing them," says Ollmann, who has 20 years' experience in the malware-analysis arena, including as chief security researcher at IBM.
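To illustrate why inserted noise defeats a plain string-inspection check and how a gap-tolerant signature (the approach behind YARA-style `[0-N]` jumps) copes with it, here is an added example that is not from the article or from Damballa. The byte sequences are constructed, benign placeholders standing in for a matched code sequence and the same sequence with junk bytes inserted; the `max_gap` parameter and the token split are assumptions for the demonstration.

```python
import re

# Constructed samples (not real malware): a code sequence an analyst wrote a
# signature for, and the same sequence after "noise insertion" of junk bytes.
CLEAN = b"\x10HELLO\x20WORLD\x30"
NOISY = b"\x10HELLO\x90\x90\x20WO\x00\x00\x00RLD\x30"

# A plain string signature over the original sequence.
SIGNATURE = b"\x10HELLO\x20WORLD\x30"

# The same signature broken into stable fragments, matched with bounded gaps
# between them (the idea behind YARA's [0-N] jump syntax).
TOKENS = [b"\x10HELLO", b"\x20WO", b"RLD\x30"]


def exact_match(data: bytes, sig: bytes) -> bool:
    """Naive string inspection: the signature must appear contiguously."""
    return sig in data


def gap_tolerant_pattern(tokens, max_gap: int) -> re.Pattern:
    """Build a regex that allows up to max_gap arbitrary bytes between tokens."""
    gap = b".{0,%d}" % max_gap
    return re.compile(gap.join(re.escape(t) for t in tokens), re.DOTALL)


def gap_tolerant_match(data: bytes, tokens, max_gap: int = 4) -> bool:
    """Signature match that survives a bounded amount of inserted noise."""
    return gap_tolerant_pattern(tokens, max_gap).search(data) is not None


def compare(data: bytes) -> dict:
    """Return both verdicts for a sample so the difference is visible at a glance."""
    return {
        "exact": exact_match(data, SIGNATURE),
        "gap_tolerant": gap_tolerant_match(data, TOKENS),
    }


if __name__ == "__main__":
    # The exact signature finds the clean sample but misses the noisy one;
    # the gap-tolerant signature finds both. A gap bound that is too small
    # misses the noisy sample again, and one that is too large raises the
    # false-positive risk, so the bound is a tuning decision, not a constant.
    print("clean:", compare(CLEAN))
    print("noisy:", compare(NOISY))
    print("noisy, max_gap=1:", gap_tolerant_match(NOISY, TOKENS, max_gap=1))
```

Short fragments with wide gaps will match unrelated data, so in practice the fragments are chosen to be long and distinctive and the gap bound is kept as tight as the observed noise allows.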
Botnet code is often hidden using "crypters," specialized tools such as the "God of War Crypter," to hide malware through encryption. These are all just components that could be used in a botnet. And over the past year or so, botnet fabrication has turned to "protectors" to prevent anyone from using debugging and analysis techniques to reverse engineer botnet code, Ollmann says.
One protector popular with cybercriminals is Themida, a tool from Oreans Technologies, mainly used in gaming software to prevent reverse engineering. "Most of the hacker sites will contain PDF guides on how to use these," Ollmann says. "Botmasters have built up almost a production line of systems."
Do-it-yourself (DIY) malware construction kits are sometimes offered free as source code, though fully featured DIY kits distributed as binaries are sold for a fee.
"By offering the free version of the source code, they're showing there's something new and establish their credentials," Ollmann says. "Forums get very interesting. It's like watching a kid's show, with competitors pirating each other's tools, very scrappy."
It's a fast-paced code development environment, and if botnet code has been out for more than about three months, "you can probably pick it up for free because it's been pirated," Ollmann says. The country-specific sites are international in scope; most use English as the shared language, but some are in Russian, too.
One of the more troubling aspects of all this, Ollmann says, revolves around sites in The Netherlands for trading and selling malware code where it's evident that a number of the participants don't appear to be professional cybercriminals but simply misguided young people who "think security is cool fun" and want to build up a reputation by demonstrating they can develop malware and attack tools.
In most countries, development and dissemination of malware tools isn't illegal, except perhaps in France, which is known to have some of the strictest laws in this regard, Ollmann says.
But when it comes to making use of these tools to construct botnets, it appears the professional criminals that go against the enterprise with botnets "aren't necessarily more advanced" than anyone else and "it's clear they haven't developed the tools themselves," Ollmann contends. Their particular talent is "they're very well-organized in how to hide and how to move about."