How To Build A Botnet


The mission is clear: infiltrate the target corporate network in order to obtain corporate data and perhaps even some intellectual property along the way. Tools on hand? Just you, a clean Internet-connected machine and 15 minutes of uninterrupted time.
With just a little knowledge, that’s plenty of time to get inside a supposedly unbreachable network—just by building your own botnet.

What’s A Botnet, Again?

Simply put, a botnet is a network of malware-infected computers that are remote-controlled by a command server. Whoever controls the botnet can make those zombie computers do bad stuff—launching distributed denial-of-service attacks is one favorite pastime—or just exploit them to harvest passwords and to access other private information within, say, a corporate network.
Botnets have been overshadowed recently by criminal phishing expeditions, nation-state hacks and zero-day attacks, but they represent a type of threat no one should dismiss lightly. Botnet zombies are already pervasive inside home and business networks—in part because ordinary security measures often don’t protect against them.
But it’s also true that setting up a botnet is ridiculously easy. Simon Mullis, systems engineer at the security vendor FireEye, recently walked me through the process of creating a malware package that would install and infect an end-user system on a target network, turning it into a zombie that would do our bidding.
The premise of the exercise was straightforward: infect a target system that started off completely free of malware. Of course, Mullis wasn't blasting a hapless PC with zombie malware; he targeted a clean Windows virtual machine he'd set up himself. To control the bot, he created his own command-and-control system by spinning up a LAMP server on Amazon Web Services' EC2 platform. (He used EC2 simply for its convenience; he could just as easily have run the demonstration from a physical server right there in his office.)

How To Build A Botnet

Opening his browser, Mullis searched for a botnet builder tool for malware known as Ice IX. Google's top response to his particular query, which I'm not going to reveal here, yielded a site that offered the tool for free. Ice IX is a banking trojan built from the leaked Zeus source code; one of its better-known tricks is to inject a fake Facebook page into a victim's browser that collects credit card information under false pretenses.
Any malware, though, would have done just as well. Using methods and tools that can be found online in minutes, a botnet creator can stand up a central command-and-control server and then use social engineering to get the malware onto the victim's computer: by, say, emailing an innocuous-looking but disguised file, or tricking a user into downloading the file from a compromised website.
After downloading and installing the Ice IX kit software, Mullis started up its bot builder kit and began to set up the parameters for the malware—specifying, for instance, how often the malware would communicate with the command server, what actions it would undertake and even how it would hide from anti-virus scans. Much of this work was simply a matter of filling in appropriate fields in the Ice IX builder kit’s straightforward Windows interface.
Some of the rest required editing the Ice IX kit's powerful setup.txt configuration script. Individual entries in that script might direct the malware to take screenshots of pages the zombie machine's browser visits on a certain domain, such as a bank website. Or have the malware make the zombie machine's browser block sites (such as anti-virus update sites) altogether. It can also redirect legitimate site URLs to malicious sites intended to collect sensitive information: credit card numbers, Social Security numbers, passwords. You name it.
Once he’d set the malware’s specifications, including the location of its controlling command server, Mullis uploaded Ice IX-produced files to his LAMP server. And presto—he had a fully configured botnet command server.

Congratulations On Your New Botnet!

Constructing the bot and prepping the command server is the first half of the equation. Next up is the task of encrypting and packing the file that will deliver the bot-installation malware to the target machine. That file is usually disguised as a PDF or office document, since those are the ones many users will click without thinking when faced with a phishing email or a malicious website.

The malware delivery file is produced with a "crypter" and a "packer" (tools that scramble and compress the executable so it no longer matches known anti-virus signatures), then sent to the target using the social engineering practices described above. Once the target opens it, the zombified computer is under the botmaster's control.
After delivering the malware package to his Windows virtual machine, Mullis simulated a user double-clicking on the file, packaged to appear as a PDF document. The file suddenly vanished from the desktop of the virtual Windows PC; its malware package was already running invisibly in the background, installing the bot software and seizing control. An unsuspecting user could easily be completely unaware that her system had just been zombified.
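The lure Mullis used is the classic one: an executable dressed up to look like a PDF. A mail gateway or a responder can catch most of these with a cheap check that compares what the filename makes the user think the file is against what the bytes actually say. The triage script below is an added example and is not part of the article or FireEye's demonstration; the magic-byte table, the extension lists and the four sample attachments (a few header bytes plus padding, not real malware) are all constructed for illustration. It covers the three disguises a practitioner actually sees: the double extension (`report.pdf.exe`, which Explorer shows as `report.pdf` by default), the Unicode right-to-left override trick (`report<RLO>fdp.exe`, which renders as `reportexe.pdf`), and a plain PE file that simply carries a `.pdf` name.

```python
"""Triage a mail attachment: does its content match what its name makes the user think it is?
Added example (not from the article or FireEye); all sample attachments are constructed.
"""
from dataclasses import dataclass, field

RLO = "\u202e"  # Unicode right-to-left override: reverses how the rest of a filename is drawn

# Assumption: a small magic-byte table covering the formats a phishing lure usually claims to be.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "exe",                                  # PE executable (.exe/.scr/.dll)
    b"PK\x03\x04": "zip",                          # zip, also docx/xlsx containers
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",    # legacy .doc/.xls
}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk"}


def sniff(data: bytes) -> str:
    """Identify the content by its leading bytes, ignoring the filename entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def last_ext(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def real_extension(name: str) -> str:
    """Extension the OS will honour: the last one in the stored name, RLO removed."""
    return last_ext(name.replace(RLO, ""))


def apparent_extension(name: str) -> str:
    """Extension the user is likely to see. With an RLO the tail is drawn reversed;
    otherwise Explorer's default 'hide known extensions' drops the final extension."""
    if RLO in name:
        head, _, tail = name.partition(RLO)
        return last_ext(head + tail[::-1])
    stem = name.rsplit(".", 1)[0] if "." in name else name
    return last_ext(stem)


@dataclass
class Verdict:
    filename: str
    content: str
    real_ext: str
    apparent_ext: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage(filename: str, data: bytes) -> Verdict:
    v = Verdict(filename, sniff(data), real_extension(filename), apparent_extension(filename))
    if RLO in filename:
        v.reasons.append("right-to-left override in filename")
    if v.apparent_ext and v.apparent_ext != v.real_ext and v.real_ext in EXECUTABLE_EXTS:
        v.reasons.append(f"looks like .{v.apparent_ext}, actually .{v.real_ext}")
    if v.content == "exe":
        v.reasons.append("PE executable content")
        if v.real_ext in DOCUMENT_EXTS:
            v.reasons.append(f"PE bytes under a .{v.real_ext} extension")
    return v


# Constructed sample attachments: a few header bytes plus padding, not real malware.
SAMPLES = [
    ("Q3_report.pdf", b"%PDF-1.4\n" + b"\x00" * 40),                 # genuine PDF
    ("Q3_report.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),             # double extension
    ("Q3_report" + RLO + "fdp.exe", b"MZ\x90\x00" + b"\x00" * 60),   # RLO trick, shown as Q3_reportexe.pdf
    ("Q3_report.pdf", b"MZ\x90\x00" + b"\x00" * 60),                 # PE bytes behind a document name
]


def run_samples() -> list:
    return [triage(name, data) for name, data in SAMPLES]


if __name__ == "__main__":
    for v in run_samples():
        print(f"{v.filename!r:38} content={v.content:8} real=.{v.real_ext:4} "
              f"shown=.{v.apparent_ext:4} -> {v.reasons or 'ok'}")
```

Only the first sample comes back clean; the other three are flagged for different reasons, which is the point: the magic-byte check alone misses the double-extension and RLO cases when the bytes are a genuine but malicious document, and the name checks alone miss the PE file with an honest-looking `.pdf` name. Run both.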

The Bot Goes To Work

Suppose some unscrupulous individual had just zombified a corporate PC in the real world. What happens next?
If the goal is network infiltration, the zombie can now read email and monitor traffic and communications, enabling its overseer to work his way through the organization in hopes of sniffing out passwords, identifying specific databases containing engineering secrets, and fingering users with greater administrative powers. At every opportunity, the botmaster spreads more malware to other computers, bolstering the ranks of his zombie horde within the corporate network and improving the odds that he’ll stumble across something juicy.
And if he needs to grant his zombies new powers, all the botmaster has to do is push new malware packages to the infected computers. This highlights one of the major dangers of botnets: they can be customized to perform just about any type of illicit activity the botmaster wants. It's a slower and less flashy method of attack than a zero-day attack, which exploits a flaw in the software running on PCs and servers before the vendor has a patch for it. But it can be every bit as effective.
Botnet infiltration works so well in part because most people tend to trust files that appear to have originated with other employees inside the company's network. People will almost always pass along files from sources they know. And that's a very large problem: Mullis estimated that "around 95% of the organizations we work with have this type of malware somewhere on their networks."
And while creating a botnet like this isn’t the sort of thing any person off the street could do, it’s uncomfortably close. You need some basic knowledge of how webservers are constructed—in particular, some familiarity with back-end databases like MySQL that have become ubiquitous for managing all the information stored on websites. If you’ve ever run a website, you could do this.
The website Mullis visited to download Ice IX kit in the first place listed the 14 steps for installing and using the software right on the download page. Step 14? “Profit.”

Welcome To The Big Leagues

Mullis’ point in running this demo was to underscore just how powerful malware-creation tools have become, how simple they are for relatively unsophisticated computer jockeys to use—and just how easy it is to find them. These tools are far beyond the level of sophistication the talented amateurs known as “script kiddies” once used: In just 13 minutes, anyone with a modicum of knowledge can use simplified point-and-click tools to build malware that can steal identities and corporate secrets alike without breaking a (metaphorical) sweat.

And that's just what Mullis found with a few Google searches; one can only imagine what tools the big-league hackers have at their disposal. That, Mullis said, is the real problem: creating malware is frighteningly easy for hackers of nearly every skill level, thanks to the easy availability of these builder kits. The really dangerous malware is light-years beyond what prepackaged tools like the Ice IX kit can produce.
Complicating this is the fact that anti-virus software is often unaware of this kind of malware. Signature-based scanning catches a sample only once the vendor has seen it and shipped a signature for it, and that is exactly what the crypter and packer steps are designed to defeat: every build of the bot comes out as a fresh binary. Malware of this type takes active pains to avoid detection on the host, so the more reliable place to look for it is the network, where the bot's regular check-ins with its command server are hard to hide.
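The one thing Mullis had to configure that a packer cannot disguise is the check-in interval: the bot must contact its command server on a schedule, and a schedule looks nothing like a person browsing. The script below is an added example, not code from the article or from FireEye, showing how to find that pattern in web-proxy logs. The log format, the client addresses and the hostnames (including `cdn-static.example.net/gate.php` as the stand-in command server) are all constructed; the technique is to group requests by client and destination host, measure the gaps between consecutive requests, and flag pairs whose gaps have a low coefficient of variation (standard deviation divided by mean).

```python
"""Find clients that 'phone home' on a fixed schedule in constructed web-proxy logs.
Added example, not the article's or FireEye's code; the log lines and hostnames are made up.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log, one request per line:
#   <ISO time> <client> <method> <url> <status> <bytes>
# 10.1.4.22 browses normally but also POSTs to gate.php about once a minute;
# 10.1.4.31 only reads mail at irregular, human intervals.
LOG = """\
2013-03-18T09:00:03Z 10.1.4.22 GET http://www.example.com/ 200 14233
2013-03-18T09:00:05Z 10.1.4.22 GET http://www.example.com/style.css 200 2210
2013-03-18T09:00:10Z 10.1.4.22 POST http://cdn-static.example.net/gate.php 200 144
2013-03-18T09:01:10Z 10.1.4.22 POST http://cdn-static.example.net/gate.php 200 144
2013-03-18T09:01:41Z 10.1.4.22 GET http://news.example.org/article/1 200 53120
2013-03-18T09:02:10Z 10.1.4.22 POST http://cdn-static.example.net/gate.php 200 152
2013-03-18T09:03:09Z 10.1.4.22 POST http://cdn-static.example.net/gate.php 200 144
2013-03-18T09:04:11Z 10.1.4.22 POST http://cdn-static.example.net/gate.php 200 144
2013-03-18T09:04:30Z 10.1.4.22 GET http://news.example.org/article/2 200 48891
2013-03-18T09:05:10Z 10.1.4.22 POST http://cdn-static.example.net/gate.php 200 144
2013-03-18T09:00:20Z 10.1.4.31 GET http://mail.example.com/inbox 200 8910
2013-03-18T09:02:47Z 10.1.4.31 GET http://mail.example.com/inbox 200 9001
2013-03-18T09:03:02Z 10.1.4.31 GET http://mail.example.com/msg/77 200 3020
2013-03-18T09:07:58Z 10.1.4.31 GET http://mail.example.com/inbox 200 8877
"""


def parse(log: str):
    """Yield (timestamp, client, host, path) for each log line."""
    for line in log.splitlines():
        ts, client, _method, url, _status, _size = line.split()
        u = urlsplit(url)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, u.netloc, u.path


def beacon_candidates(log: str, min_hits: int = 4, max_cv: float = 0.15) -> list:
    """Return [(client, host, hits, mean_gap_seconds, cv)] for client/host pairs whose
    request timing is too regular to be a human. cv = pstdev(gaps) / mean(gaps);
    a bot on a fixed timer with a little jitter sits well under max_cv."""
    series = defaultdict(list)
    for ts, client, host, _path in parse(log):
        series[(client, host)].append(ts)

    found = []
    for (client, host), times in series.items():
        if len(times) < min_hits:          # too few samples to judge regularity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:                       # burst of identical timestamps: not a timer
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            found.append((client, host, len(times), round(avg, 1), round(cv, 3)))
    return found


if __name__ == "__main__":
    for client, host, hits, avg, cv in beacon_candidates(LOG):
        print(f"{client} -> {host}: {hits} requests every ~{avg}s (cv={cv})")
```

On the sample log this reports only `10.1.4.22 -> cdn-static.example.net`, six requests roughly 60 seconds apart with a cv near 0.02; the mail traffic from the other client has gaps of 147, 15 and 296 seconds and is ignored. In production the same shape of query (grouping in a SIEM rather than a dict) needs an allowlist, because legitimate software also polls on timers: update checkers, mail clients and monitoring agents all beacon too, so treat the output as a hunting lead to pair with destination reputation and first-seen age, not as a verdict.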
In the arms race between hackers and users, the hackers are winning. The sheer volume of available malware-building kits makes that clear. Eventually, defenders should be able to catch up, but for now, it’s open season for incautious users.

