Abstract
Botnets are one of the most serious security threats to the Internet and its end users. A botnet consists of compromised computers that are remotely coordinated by a botmaster through a Command and Control (C&C) infrastructure. Driven by financial incentives, botmasters leverage botnets to conduct cybercrimes such as spamming, phishing, identity theft and Distributed Denial-of-Service (DDoS) attacks.
Botnets constitute one of the biggest current threats to the Internet as well as to individual computers, and they are growing at an alarming rate. The world's usage of and dependency on computers is growing very quickly, and businesses can lose millions of pounds when their systems are affected.
Introduction
Bots have been around since the late 1980s (the first IRC bot appeared in 1989, see the timeline below), and they were originally created to perform automated repetitive tasks. Search engines such as Google also use bots to find new and updated websites, making it possible to find the most up-to-date information easily.
It is only in the last few years that bots have become a tool used by criminals for malicious purposes, such as extracting credit card, banking and other information for financial gain.
A "botnet" is a network of compromised computers ("bots") connected to the Internet and controlled by a remote attacker (the "botmaster"). In practice it is a large number of compromised computers used to create and send spam or viruses, or to flood a network with traffic in a denial-of-service attack.
Historical Background
August 1988 – IRC is invented at the University of Oulu, Finland; this is where the history of botnets starts.
1989 – "GM", the first bot. It assisted users in managing their own IRC connections.
May 1999 – Pretty Park. Reported in June 1999 in Central Europe; an Internet worm carrying a password-stealing Trojan.
2000 – GTbot (Global Threat). New capabilities: port scanning, flooding and cloning. Supported UDP and TCP socket connections and relied on an IRC server to run malicious scripts.
2002 – SDbot. Written by a Russian programmer going by the name "SD"; about 40 KB of C++ code. The first bot whose source code was published for hackers via a website, with e-mail and chat offered for support.
2003 – Spybot (also known as Milkit). Derived from SDbot, with added spyware capabilities; spread via file-sharing applications and e-mail.
September 2011 – Duqu. A computer worm discovered on 1 September 2011; it illustrates the new trend of each new worm bringing a new botnet with it.
What is a Botnet?
To understand botnets, we first need to know more about 'bots'. The term 'bot' (short for 'robot') refers to a program that:
• performs repetitive tasks, or
• acts as an 'agent' or user interface for controlling other programs.
Bots can be very beneficial programs when they are designed to assist a human user, either by automating a simple task or by simplifying the user's control over various programs or systems.
Bots can also be created to perform malicious tasks that compromise the system or any information stored on the machine. The 'bot' in botnets refers to this malicious kind: these bots are used by an attacker to 'hijack' and control a computer system.
These malicious bots can arrive on a victim machine in many ways. The most common method is dropping the bot as the payload of a Trojan or similar malware. Other methods include infecting the computer via a drive-by download, or distributing the bot through spam e-mail messages with infected attachments.
Once installed, the bot takes control of the system. The remote attacker can then send commands to the infected computer through the bot and force it to perform malicious actions. In this respect a bot is very similar to a backdoor program, which is also planted on a computer without the owner's consent and used by a remote attacker to direct the infected machine.
When more than one computer has the same bot installed, the infected machines form a network under the direct control of the attacker. This network is a botnet: a network of 'enslaved' computer systems infected with malicious bot programs. A single machine in a botnet is referred to as a 'bot', a 'zombie' or a 'zombie computer'.
Objective
The main objective of this presentation is to make people aware of botnets: how they infect a computer system and take full control over it.
Botnets have been used for performing distributed denial-of-service attacks, and they were found to be an effective resource for sending spam. Other botnet objectives include advertisement click fraud, web browser toolbar installations, keylogging, and the manipulation of social bookmarking polls.
Botnet Classification
IRC based – C&C using an IRC server.
P2P based – C&C over a peer-to-peer protocol.
HTTP based – C&C using a web server.
In HTTP-based botnets, the bots and the C&C server communicate with each other over the HTTP protocol, usually in an encrypted communication channel. Because HTTP is so prevalent, a botnet that uses HTTP is harder to track. Using HTTP also allows a botnet to bypass the firewall restrictions that hamper IRC botnets, since outbound web traffic is normally permitted. Detecting HTTP botnets is harder but not impossible: the header fields and the payload of C&C traffic usually do not match normal web transmissions, for example a missing or unusual User-Agent and small requests repeated at fixed intervals.
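As an added example (not code from the original presentation), the following Python script implements the header and timing check just described over a constructed proxy log: it groups requests by client and destination host and flags pairs whose inter-request gaps and request sizes are nearly constant, which is what a bot polling its C&C web server looks like. The log format, the field order, the addresses and hostnames, and the thresholds are assumptions for illustration.

```python
"""Anomaly-based detection of HTTP command-and-control beaconing.

Added example for this presentation, not code from the original. It flags
(client, host) pairs whose requests arrive at near-constant intervals with
near-constant sizes. The log format, field names and thresholds are
assumptions; the log lines are constructed, not captured traffic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not real traffic): timestamp client method host bytes user-agent
PROXY_LOG = """\
2024-03-01T10:00:00 10.0.0.5 GET www.example.com 512 Mozilla/5.0 (Windows NT 10.0) Firefox/122.0
2024-03-01T10:00:00 10.0.0.7 POST update.c2-example.net 88 -
2024-03-01T10:00:03 10.0.0.5 GET cdn.example.com 1307 Mozilla/5.0 (Windows NT 10.0) Firefox/122.0
2024-03-01T10:00:17 10.0.0.5 GET www.example.com 604 Mozilla/5.0 (Windows NT 10.0) Firefox/122.0
2024-03-01T10:01:01 10.0.0.7 POST update.c2-example.net 88 -
2024-03-01T10:01:45 10.0.0.5 GET www.example.com 4410 Mozilla/5.0 (Windows NT 10.0) Firefox/122.0
2024-03-01T10:01:59 10.0.0.7 POST update.c2-example.net 88 -
2024-03-01T10:02:20 10.0.0.5 GET cdn.example.com 970 Mozilla/5.0 (Windows NT 10.0) Firefox/122.0
2024-03-01T10:03:00 10.0.0.7 POST update.c2-example.net 88 -
2024-03-01T10:04:00 10.0.0.7 POST update.c2-example.net 88 -
2024-03-01T10:05:02 10.0.0.7 POST update.c2-example.net 88 -
2024-03-01T10:07:30 10.0.0.5 GET www.example.com 388 Mozilla/5.0 (Windows NT 10.0) Firefox/122.0
"""

MIN_REQUESTS = 5        # fewer samples than this give no meaningful interval statistics
MAX_INTERVAL_CV = 0.15  # coefficient of variation of inter-request gaps treated as "periodic"
MAX_SIZE_CV = 0.10      # coefficient of variation of request sizes treated as "constant"


def parse_log(text):
    """Yield (timestamp, client, method, host, size, user_agent) for each log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        # The user agent contains spaces, so it is taken as the remainder of the line.
        ts, client, method, host, size, ua = line.split(maxsplit=5)
        yield datetime.fromisoformat(ts), client, method, host, int(size), ua


def coefficient_of_variation(values):
    """Population standard deviation divided by the mean; 0.0 means perfectly constant."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def find_beacons(text):
    """Return {(client, host): details} for flows whose timing and size look like beacons."""
    flows = defaultdict(list)
    for ts, client, method, host, size, ua in parse_log(text):
        flows[(client, host)].append((ts, size, ua))

    beacons = {}
    for key, events in flows.items():
        if len(events) < MIN_REQUESTS:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [e[1] for e in events]
        interval_cv = coefficient_of_variation(gaps)
        size_cv = coefficient_of_variation(sizes)
        # A missing User-Agent is the header-level anomaly mentioned on the slide.
        no_ua = all(e[2] in ("-", "") for e in events)
        if interval_cv <= MAX_INTERVAL_CV and size_cv <= MAX_SIZE_CV:
            beacons[key] = {
                "requests": len(events),
                "mean_interval_s": round(mean(gaps), 1),
                "interval_cv": round(interval_cv, 3),
                "missing_user_agent": no_ua,
            }
    return beacons


if __name__ == "__main__":
    for (client, host), info in find_beacons(PROXY_LOG).items():
        print(f"{client} -> {host}: {info}")
```

On the constructed log only 10.0.0.7, which POSTs 88 bytes to the same host roughly every 60 seconds with no User-Agent, is flagged; the browsing of 10.0.0.5 is irregular in both timing and size. Legitimate software also polls on fixed timers (update checks, mail clients), so in practice this check is combined with an allow-list of known update hosts and with reputation data rather than used alone.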
Botnet Detection
Honeypots and honeynets – capture bot samples and observe their behaviour and C&C traffic.
Signature based – able to detect only known bots.
Anomaly based – detect bots from anomalies in network traffic.
DNS based – detect bots from DNS information, such as the names they look up and the failed lookups they generate.
Mining based – detect bots using machine learning, classification and clustering.
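As an added example (not from the original presentation), the following Python script shows one DNS-based heuristic over a constructed resolver log: it scores each client by the share of its lookups that returned NXDOMAIN and by the character entropy of the names it asked for, since a bot hunting for its C&C server through machine-generated domain names produces many failed lookups for random-looking names. The log layout, the client addresses, the domain names and the thresholds are assumptions.

```python
"""DNS-based botnet detection over a resolver log.

Added example for this presentation, not code from the original. Each client
is scored on two DNS signals: the ratio of NXDOMAIN answers and the mean
character entropy of the leftmost label of the queried names. The log format
and thresholds are assumptions; the log lines are constructed, not real.
"""
from collections import defaultdict
from math import log2

# Constructed resolver log (not real traffic): timestamp client qname rcode
DNS_LOG = """\
2024-03-01T10:00:01 10.0.0.5 www.example.com NOERROR
2024-03-01T10:00:02 10.0.0.5 cdn.example.com NOERROR
2024-03-01T10:00:02 10.0.0.7 qz8kd2mf7ap.com NXDOMAIN
2024-03-01T10:00:03 10.0.0.7 x4ht9wlq0cb.net NXDOMAIN
2024-03-01T10:00:03 10.0.0.5 mail.example.org NOERROR
2024-03-01T10:00:04 10.0.0.7 p7nd3wc1kzy.info NXDOMAIN
2024-03-01T10:00:05 10.0.0.7 m2rj8vq5hbt.com NXDOMAIN
2024-03-01T10:00:06 10.0.0.7 k9ys1eh7odx.org NOERROR
2024-03-01T10:00:07 10.0.0.5 www.example.com NOERROR
2024-03-01T10:00:08 10.0.0.5 typo.exmaple.com NXDOMAIN
2024-03-01T10:00:09 10.0.0.7 w3gf6tbz4nu.com NXDOMAIN
2024-03-01T10:00:10 10.0.0.5 docs.example.com NOERROR
"""

MIN_QUERIES = 5                 # below this, ratios are too noisy to act on
NXDOMAIN_RATIO_THRESHOLD = 0.5  # assumed: more than half of lookups failing
ENTROPY_THRESHOLD = 3.0         # assumed: bits per character of the leftmost label


def label_entropy(qname):
    """Shannon entropy in bits/char of the leftmost label ('www' in www.example.com)."""
    label = qname.split(".")[0].lower()
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * log2(c / n) for c in counts.values())


def parse_log(text):
    """Yield (client, qname, rcode) for each non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            _ts, client, qname, rcode = line.split()
            yield client, qname, rcode


def score_clients(text):
    """Return {client: {"queries", "nxdomain_ratio", "mean_entropy", "suspicious"}}."""
    per_client = defaultdict(list)
    for client, qname, rcode in parse_log(text):
        per_client[client].append((qname, rcode))

    report = {}
    for client, records in per_client.items():
        n = len(records)
        if n < MIN_QUERIES:
            continue
        nx_ratio = sum(1 for _, rcode in records if rcode == "NXDOMAIN") / n
        entropy = sum(label_entropy(q) for q, _ in records) / n
        report[client] = {
            "queries": n,
            "nxdomain_ratio": round(nx_ratio, 3),
            "mean_entropy": round(entropy, 3),
            # Both signals must fire: a single typo also yields NXDOMAIN.
            "suspicious": nx_ratio >= NXDOMAIN_RATIO_THRESHOLD and entropy >= ENTROPY_THRESHOLD,
        }
    return report


def suspicious_clients(text):
    """Sorted list of clients whose DNS behaviour crossed both thresholds."""
    return sorted(c for c, r in score_clients(text).items() if r["suspicious"])


if __name__ == "__main__":
    for client, info in score_clients(DNS_LOG).items():
        print(client, info)
    print("suspicious:", suspicious_clients(DNS_LOG))
```

On the constructed log, 10.0.0.7 has five failed lookups out of six, all for eleven-character random labels, and is reported; 10.0.0.5 has one failed lookup (a typo) for otherwise ordinary names and is not. Requiring both signals is what keeps the typo from being flagged. A real deployment would also exclude well-known domains and learn a per-network baseline, because short human-chosen labels naturally have low entropy and some content-delivery hostnames legitimately look random.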
Prevention
Use anti-virus and anti-spyware software and keep it up to date.
Set your operating system to download and install security patches automatically.
Be cautious about opening attachments or downloading files from e-mails you receive.
Use a firewall to protect your computer from hacking attacks while it is connected to the Internet.
Download free software only from sites you know and trust.
Take action immediately if your computer is infected.
Botnet Uses
DDoS attacks
Spam
Sniffing traffic
Keylogging
Installing advertisement add-ons
Manipulating online polls and games
Mass identity theft
Conclusion
Today's cybercriminals can use botnets to gain unauthorized access to hundreds of thousands of computers. Botnets have a direct influence on the number of cybercrimes committed and have resulted in a huge increase in credit card theft. DDoS attacks have become an everyday reality and can be conducted by anyone with the help of a botnet.
Botnets are effectively the lifeblood of cybercrime, ensuring a continuous flow of funds to cybercriminals and the continued evolution of cybercrime. The future of the Internet depends to a great extent on exactly how botnets evolve.