Page 1: Botnet
Page 2: Botnet

Abstract

Botnets are one of the most serious security threats to the Internet and its end users.

A botnet consists of compromised computers that are remotely coordinated by a botmaster over a Command and Control (C&C) infrastructure.

Driven by financial incentives, botmasters use botnets to conduct cybercrimes such as spamming, phishing, identity theft and Distributed Denial-of-Service (DDoS) attacks.

Page 3: Botnet

Introduction

Botnets constitute one of the biggest current threats to the Internet as well as to individual computers, and they are growing at an alarming rate.

The world's usage of and dependency on computers is growing very quickly, and businesses stand to lose millions of pounds when their systems are affected.

Bots have been around since the late 1980s, when the first IRC bots appeared; they were originally created to perform automated, repetitive tasks.

Search engines such as Google also use bots (crawlers) to find new and updated websites, making it possible to find the most up-to-date information easily.

Page 4: Botnet

It is only in the last few years that bots have become a tool used by criminals for malicious purposes, such as extracting credit card, banking and other information for financial gain.

A “botnet” consists of a network of compromised computers (“bots”) connected to the Internet that is controlled by a remote attacker (the “botmaster”).

A botnet is a large number of compromised computers used to create and send spam or viruses, or to flood a network with messages as a denial-of-service attack.

Page 5: Botnet

Historical Background

August 1988 – IRC is invented at the University of Oulu, Finland; the history of botnets starts here.

1989 – First bot, “GM”: assisted users in managing their own IRC connections.

May 1999 – Pretty Park: reported in June 1999 in Central Europe; an Internet worm carrying a password-stealing trojan, which connected to an IRC server so that it could be controlled remotely.

2000 – GTbot (Global Threat): brought new capabilities such as port scanning, flooding and cloning; supported UDP and TCP socket connections; ran malicious scripts through the mIRC client it was built on.

Page 6: Botnet

2002 – SDbot: written by a Russian programmer known as ‘SD’; about 40 KB of C++ code; the first bot whose source code was published for other hackers via a website, with e-mail and chat support provided by the author.

2003 – Spybot (also known as Milkit): derived from SDbot; comes with spyware capabilities; spreads via file-sharing applications and e-mail.

September 2011 – Duqu: a computer worm discovered on 1 September 2011, and an example of the new trend in which each new worm brings a new botnet.

Page 7: Botnet

What is a Botnet?

To understand botnets, we first need to know more about 'bots'. The term 'bot' (from 'robot') refers to a program that:

   •  performs repetitive tasks, or
   •  acts as an 'agent' or user interface for controlling other programs.

Bots can be very beneficial programs when they are designed to assist a human user, either by automating a simple task or by simplifying a user's control over various programs or systems.

Page 8: Botnet

Bots can also be created to perform malicious tasks that compromise the system or any information stored on the machine.

The 'bot' in botnets refers to this second, malicious type, as these bots are used by an attacker to 'hijack' and control a computer system.

These malicious bots can arrive on a victim machine in many ways.

The most common method involves dropping the bot as the payload of a Trojan or similar malware.

Other methods include infecting the computer via a drive-by download, or distributing the bot via spam e-mail messages with infected attachments.

Page 9: Botnet

Once installed, the bot can take control of the system.

Remote attackers can then give commands to the infected computer via the bot and force it to perform malicious actions.

In this context, a bot is very similar to a backdoor program, which is also forcibly planted on a computer and used by a remote attacker to direct the infected machine.

When more than one computer has the same bot installed on it, the multiple infected machines form a network, which is under the direct control of the attacker.

Page 10: Botnet

This network is a botnet: a network of 'enslaved' computer systems infected with malicious bot programs. A single machine in a botnet can be referred to as a 'bot', a 'zombie' or a 'zombie computer'.

Page 11: Botnet

Objective

The main objective is to make people aware of botnets: how they attack a computer system and take full control over it.

Botnets have been used for performing distributed denial-of-service attacks.

Botnets have been found to be an effective resource for sending spam.

Other botnet objectives include website advertisement clicking (click fraud), web browser toolbar installations, keylogging, and manipulating social bookmarking polls.

Page 12: Botnet

Botnet Classification

IRC Based – C&C using an IRC server. Bots join a channel on the server and receive the botmaster's commands as channel or private messages.

Page 13: Botnet

P2P Based – C&C over a peer-to-peer protocol, so there is no single server whose takedown disables the botnet.

Page 14: Botnet

HTTP Based – C&C using a web server.

In HTTP-based botnets, bots and the C&C server communicate with each other over HTTP, often with the payload encrypted or carried over HTTPS.

Because HTTP is so prevalent, a botnet that uses HTTP is harder to track.

Using HTTP allows a botnet to skirt the firewall restrictions that hamper IRC botnets, since outbound web traffic is almost always permitted.

Detecting HTTP botnets is harder but not impossible, since the header fields and the payload of bot traffic do not match those of usual browser transmissions.
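The last point on the HTTP slide, that bot requests differ from normal browser traffic in their headers and their timing, can be turned into a simple detector. The following is an added example, not code from the original slide deck or from any of the bots named in it: it scores each client/server pair in a small constructed web-proxy log on how periodic the requests are and on whether the User-Agent looks like a real browser. The log format, the host names (cc.invalid, www.example.com) and the thresholds are assumptions chosen for illustration.

```python
"""Heuristic detector for HTTP-based C&C beaconing over a constructed proxy log.

Added example, not code from the slide deck. Each (client, server) pair is scored
on two signals: request timing far more regular than human browsing, and request
headers that do not look like a normal browser. Log format, host names and
thresholds are assumptions for illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: ISO timestamp, client IP, method, host, path, user-agent.
# 10.0.0.5 browses normally; 10.0.0.9 posts to /gate.php every ~300 s with a bare UA.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 GET www.example.com /index.html Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/122.0
2024-03-01T10:00:07 10.0.0.5 GET www.example.com /news.html Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/122.0
2024-03-01T10:03:41 10.0.0.5 GET www.example.com /about.html Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/122.0
2024-03-01T10:09:15 10.0.0.5 POST www.example.com /login Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/122.0
2024-03-01T10:00:00 10.0.0.9 POST cc.invalid /gate.php Mozilla/4.0
2024-03-01T10:05:00 10.0.0.9 POST cc.invalid /gate.php Mozilla/4.0
2024-03-01T10:10:01 10.0.0.9 POST cc.invalid /gate.php Mozilla/4.0
2024-03-01T10:15:00 10.0.0.9 POST cc.invalid /gate.php Mozilla/4.0
2024-03-01T10:20:00 10.0.0.9 POST cc.invalid /gate.php Mozilla/4.0
"""

# Crude "looks like a real browser" test: Mozilla/5.0, a platform token in
# parentheses and a named browser with a version number.
BROWSER_UA = re.compile(r"^Mozilla/5\.0 \(.+\).*\b(Firefox|Chrome|Safari)/\d")


def parse_log(text):
    """Yield (epoch_seconds, client, method, host, path, user_agent) per line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, method, host, path, ua = line.split(" ", 5)
        yield datetime.fromisoformat(ts).timestamp(), client, method, host, path, ua


def analyse(text, max_cv=0.1, min_requests=4):
    """Return {(client, host): signals} for every client/server pair in the log.

    interval_cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests: a bot polling on a fixed timer gives a value near zero,
    a person clicking around gives a large one.
    """
    flows = defaultdict(list)
    for rec in parse_log(text):
        flows[(rec[1], rec[3])].append(rec)

    report = {}
    for key, recs in flows.items():
        recs.sort(key=lambda r: r[0])
        times = [r[0] for r in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(recs) >= min_requests and statistics.mean(gaps) > 0:
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        else:
            cv = float("inf")  # too few requests to judge periodicity
        report[key] = {
            "requests": len(recs),
            "interval_cv": cv,
            "periodic": cv < max_cv,
            # header oddity: at least one request without a browser-like UA
            "non_browser_ua": any(not BROWSER_UA.match(r[5]) for r in recs),
            # payload oddity: every request is the same method to the same path
            "single_target": len({(r[2], r[4]) for r in recs}) == 1,
        }
    return report


def flagged(text):
    """Pairs that beacon periodically and show a header or payload oddity."""
    return sorted(key for key, s in analyse(text).items()
                  if s["periodic"] and (s["non_browser_ua"] or s["single_target"]))


if __name__ == "__main__":
    for client, host in flagged(SAMPLE_LOG):
        print(f"possible HTTP C&C beacon: {client} -> {host}")
```

Run it on the embedded log and only the 10.0.0.9 to cc.invalid pair is reported: its gaps are 300, 301, 299 and 300 seconds, so the coefficient of variation is close to zero, and its bare "Mozilla/4.0" User-Agent fails the browser check. Real bots add jitter to the beacon interval and copy a genuine browser User-Agent, so in practice the header and timing checks are combined with payload inspection and the other detection approaches on the next slides rather than used alone.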

Page 15: Botnet

Botnet Detection

Honeypots and honeynets – capture bot samples and observe their C&C traffic.

Signature based – able to detect only known bots.

Anomaly based – detects bots from traffic anomalies such as unusual volume, ports, timing or behaviour.

DNS based – detects bots from DNS information, such as the names they look up and the answers they receive.

Mining based – detects bots using machine learning, classification and clustering.
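The DNS-based approach on this slide is the one most easily shown with a few log lines. The following is an added example, not code from the slide deck: it scores each client in a constructed resolver log on two DNS signals, a high share of NXDOMAIN answers (a host probing for a C&C name that is not registered yet) and lookups of labels whose character mix looks machine-generated rather than chosen by a person. The log format, the names (ccupdate-node.com and the random-looking labels) and the thresholds are assumptions for illustration.

```python
"""DNS-based botnet detection heuristic over a constructed resolver log.

Added example, not code from the slide deck. Two DNS signals are scored per
client: the share of NXDOMAIN answers and the number of queried labels that look
machine-generated. Log format, names and thresholds are assumptions.
"""
import math
from collections import defaultdict

# Constructed sample log: client IP, queried name, response code.
# 10.0.0.5 resolves ordinary names with one typo; 10.0.0.9 walks through
# random-looking names until one of them resolves.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.5 cdn.example.org NOERROR
10.0.0.5 wwww.example.com NXDOMAIN
10.0.0.9 xk3jq9vb2lf7.com NXDOMAIN
10.0.0.9 p0q7zmwt5hy1.net NXDOMAIN
10.0.0.9 r8s2vkn4jdq6.org NXDOMAIN
10.0.0.9 bz5m1tqhx9wc.info NXDOMAIN
10.0.0.9 ccupdate-node.com NOERROR
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    """'xk3jq9vb2lf7' for 'xk3jq9vb2lf7.com.': the part a name generator produces."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label, min_len=10, min_entropy=3.0, min_digit_ratio=0.2):
    """Deliberately simple test for machine-generated labels: long, high-entropy
    and digit-heavy. Real detectors add n-gram or dictionary features; this only
    catches the random-alphanumeric family."""
    if len(label) < min_len:
        return False
    digits = sum(ch.isdigit() for ch in label)
    return (shannon_entropy(label) >= min_entropy
            and digits / len(label) >= min_digit_ratio)


def analyse_dns(text, min_queries=4, max_nx_ratio=0.5, min_generated=2):
    """Return {client: signals}; 'suspicious' combines the NXDOMAIN and label signals."""
    per_client = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            client, qname, rcode = line.split()
            per_client[client].append((qname, rcode))

    report = {}
    for client, queries in per_client.items():
        nx = sum(1 for _, rc in queries if rc == "NXDOMAIN")
        generated = sorted({q for q, _ in queries
                            if looks_generated(second_level_label(q))})
        ratio = nx / len(queries)
        suspicious = (len(queries) >= min_queries and ratio > max_nx_ratio
                      and len(generated) >= min_generated)
        report[client] = {
            "queries": len(queries),
            "nxdomain": nx,
            "nx_ratio": ratio,
            "generated_names": generated,
            # names that did resolve for a suspicious client are the ones to
            # pivot on: one of them is probably the live rendezvous point
            "resolved": sorted(q for q, rc in queries if rc == "NOERROR") if suspicious else [],
            "suspicious": suspicious,
        }
    return report


def suspicious_clients(text):
    """Clients whose DNS behaviour matches the bot profile above."""
    return sorted(c for c, s in analyse_dns(text).items() if s["suspicious"])


if __name__ == "__main__":
    report = analyse_dns(SAMPLE_DNS_LOG)
    for client in suspicious_clients(SAMPLE_DNS_LOG):
        print(client, "NXDOMAIN ratio %.2f" % report[client]["nx_ratio"],
              "resolved:", report[client]["resolved"])
```

On the embedded log only 10.0.0.9 is reported: four of its five queries came back NXDOMAIN and the four failing labels are twelve-character random alphanumerics, while the one name that did resolve, ccupdate-node.com, is the candidate C&C domain to block or sinkhole. The benign client's single typo (wwww.example.com) stays well below the thresholds, which is the point of combining signals rather than alerting on any NXDOMAIN.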

Page 16: Botnet

Prevention

Using anti-virus and anti-spyware software and keeping it up to date.

Setting your operating system software to download and install security patches automatically.

Being cautious about opening any attachments or downloading files from e-mails you receive.

Using a firewall to protect your computer system from hacking attacks while it is connected to the Internet.

Downloading free software only from sites you know and trust.

Taking action immediately if your computer is infected.

Page 17: Botnet

Botnet Uses

DDoS

Spam

Sniffing traffic

Keylogging

Installing advertisement add-ons

Manipulating online polls/games

Mass ID theft

Page 18: Botnet

Conclusion

Today's cybercriminals can use botnets to get unauthorized access to hundreds of thousands of computers.

Botnets have a direct influence on the number of cybercrimes committed, and have resulted in a huge increase in credit card theft.

DDoS attacks have become an everyday reality, and can be conducted by anyone with the help of a botnet.

Page 19: Botnet

Botnets are effectively the lifeblood of cybercrime, ensuring a continuous flow of funds between cybercriminals and the continued evolution of cybercrime.

The future of the Internet depends to a great extent on exactly how botnets evolve.


Page 21: Botnet

Thank You…