
CC7178 Cyber Security Management

Botnets and their threats to Cyber Security

50% Group Coursework


Host and Network Analysis for Botnet detection.

2018-19 Autumn 

Student Name: Suyog Nepal


London Met ID: 16033216
College ID: np01ms7s200023
Assignment Due Date: 5th of May
Assignment Submission Date: 5th of May
Word Count (Where Required): 2872

I confirm that I understand my coursework needs to be submitted online via Google Classroom under
the relevant module page before the deadline in order for my assignment to be accepted and marked.
I am fully aware that late submissions will be treated as non-submission and a mark of zero will be
awarded.
Abstract
Botnets are a major threat to cyber security, and the existence of both client-server
and peer-to-peer command models makes them more dangerous than most other classes
of malware. Cyber criminals use botnets to perform various malicious actions. Botnets
are mainly used for DDoS attacks, but they are also used for spamming, keylogging and
mass identity theft. As the title indicates, this report provides an overview of botnets,
their architecture and some of the host-side and network-side techniques that can be
used to detect them.

Table of Contents
1. Introduction
1.1 General Information
1.2 Background Problem
1.3 Current Scenario
2. Literature Review
2.1 Botnets Overview
2.2 Botnet Control & Communication Architecture
2.2.1 Centralized Architecture
2.2.2 Peer to Peer Botnets
2.3 Botnet Detection Techniques
2.3.1 Botnet Detection at the Host Side
2.3.2 Network-Based Botnet Detection
3. Critical Analysis
3.1 Case Study 1: Mirai Botnet – 2016
3.1.1 Background
3.1.2 Installation and Infection Process
3.1.3 Detection Using Network Analysis
3.1.4 Detection Using Host Analysis
3.1.5 Case Study Summary
3.2 Case Study 2: 3ve Botnet (2013-2018)
3.2.1 Background
3.2.2 Installation and Infection Process
3.2.3 Detection Using Network Analysis
3.2.4 Detection Using Host Analysis
3.2.5 Case Study Summary
4. Conclusions
5. References
1. Introduction

1.1 General Information
A botnet is a network of compromised hosts controlled by an attacker. A typical botnet consists
of a bot server and one or more bot clients, also known as zombies. The attacker who owns the
botnet is called the botmaster. The botmaster takes control of the machines and uses them for
malicious activities, communicating with the bots and issuing commands through a command
and control (C&C) server. Bots are capable of launching dangerous attacks such as distributed
denial of service (DDoS), data theft, spamming, cryptocurrency mining and click fraud. A
Kaspersky survey shows that DDoS botnets attacked online resources in 79 countries in the first
quarter of 2018 (Securelist, 2018). The goal of botnet activity is mostly financial gain. For
example, a bot can steal sensitive information such as credit card numbers and bank details
from the compromised machine and send it back to the C&C server; the botmaster can then sell
this information on underground markets or the dark web.
1.2 Background Problem
Organizational firewalls allow legitimate traffic such as HTTP, P2P and DNS. An attacker takes
advantage of this to pass through the firewall and download malware onto users' computers. In
this process a large number of packets are exchanged on the network, which makes it very hard
for system and network administrators to single out suspicious botnet activity. One major hurdle
to effective detection is that botmasters keep developing hiding techniques, such as imitating
legitimate network traffic and process injection. Another problem that makes botnets harder to
trace is that they use several different protocols, such as Internet Relay Chat (IRC), Hypertext
Transfer Protocol (HTTP) and peer-to-peer (P2P) protocols, to deliver commands to compromised
hosts. One solution to this problem is to implement botnet detection at both the host and the
network level, by monitoring network traffic, file system changes and registry modification.
1.3 Current Scenario
As botnets continue to gain momentum through various malicious activities, detecting and
defending against these intrusive autonomous programs is proving to be a challenge. The
techniques used by antivirus products (such as Avast) and intrusion detection systems (such as
Snort) to detect botnets include anomaly-based, signature-based and DNS-based detection.
Although these techniques are widely deployed in organizations, they are still insufficient:
botmasters keep evolving and upgrading their bots, changing signatures and encrypting
payloads, which makes the bots harder and harder to detect.
2. Literature review
2.1 Botnets Overview
The term bot is short for robot, a term for automated programs that execute tasks without user
intervention. Bots are used in video games: in first-person shooters (FPS), for example, the
soldiers that are not controlled by humans are called bots, and they follow predefined directives
to stay alive and kill opposing forces. Another common use of bots is Internet Relay Chat (IRC)
channel administration. The bots described in this report are malicious bots organized into
botnets. A botnet is a network of compromised systems that are coordinated remotely by an
attacker to carry out malicious commands. The main characteristic that distinguishes botnets
from other malware is this coordination between infected machines.

Figure 1: Simple Overview of botnet

As seen in the figure above, the compromised machines serve as the attacker's bots, and the
network of infected hosts together functions as the attacker intends. The C&C servers serve as
the interface between the compromised hosts and the attacker. They play a vital role in
controlling the botnet: without them, a botnet degenerates into an uncoordinated group of
independent malware-compromised machines.

2.2 Botnet Control & Communication Architecture


The control and communication architecture of a botnet is a major area to study in order to
detect and disable botnets (Wang, 2007). The architecture is determined by how commands and
other important information are disseminated to the bots. On this basis botnets are classified
into:
- Centralized architecture
- Peer-to-peer botnets

2.2.1 Centralized architecture 

Figure 2: Command and control architecture of Botnet

In this structure the botnet is organized around a central C&C (command and control) location:
all the compromised hosts connect to a central node where commands are issued. Commands are
disseminated either by a push or a pull method. In push-style centralized C&C, the bots stay
connected to the C&C server and wait for a command from the botmaster. This is the case for
IRC-based C&C, where the compromised hosts are logged in to an IRC (Internet Relay Chat)
channel waiting for the botmaster to issue commands. In pull-style centralized C&C, the bots
periodically connect to the C&C server and check for the presence of new commands, which the
botmaster has posted to the server as a file or other data. Even though this structure is scalable
and makes it easy for the botmaster to issue commands to the entire network of infected
computers, it has a major limitation: detection or failure of a few of these C&C servers can
cause the botmaster to lose control of all the computers connected through those servers
(Usenix, 2007).
2.2.2 Peer to Peer Botnets

Figure 3: Command and control architecture of the P2P botnet

To overcome the problems of the centralized C&C architecture, botmasters adopted a
peer-to-peer (P2P) architecture. The single point of failure is removed by using more than one
command and control server. In a P2P botnet each host can work completely independently of
the others, so even if one of the servers is taken down there is little to no effect on the overall
functionality of the botnet. In this design the servers are also not aware of all the computers in
the botnet; each server knows only a subset of the total number of infected computers
(Markatos, 2007). For this reason this kind of botnet is very hard to detect and to take down. In
addition to adopting P2P protocols to increase resilience against single points of failure,
botmasters are upgrading botnets by combining smaller botnets, and this seems to be the trend
towards which botnet architecture is moving (Ryan, 2006).
2.3 Botnet Detection Techniques
Researchers have proposed many botnet detection techniques; they fall into the following two
categories:

2.3.1 Botnet Detection at the Host Side

Botnet detection at the host level plays a vital role in detecting malware infection. Botmasters
keep upgrading their botnets to make them more elusive, and antivirus software and firewalls
alone are not enough to prevent a host from being infected by botnet malware. Host-based
detection observes the behavior of the machine for any kind of abnormality: hosts are monitored
for suspicious entries in the registry, abnormal changes in the file system and changes in the
host's network traffic. Zeng et al. proposed a per-process containment technique for each host in
the monitored network. This method uses a behavior analysis component and a containment
model. The behavior analysis component consists of several models that assign suspicion to
processes, whose runtime behavior is monitored at the operating system level in the registry,
the file system and the network stack (Zeng, 2013).

2.3.2 Network-Based Botnet Detection


Network-based detection is a technique based on monitoring and analyzing network traffic, and
it is very helpful for identifying the presence of botnets in a network. In this method network
and communication data are monitored continuously. Network traffic flow during constant time
intervals can be analyzed to form a statistical relationship in the traffic flow (Huang, 2013).
Several other botnet detection techniques have been developed on the basis of network traffic
analysis, such as signature-based detection, anomaly-based detection, DNS-based detection and
mining-based detection. A good example of an intrusion detection system based on signature
detection is Snort (P. Sharma et al., 2014). To detect P2P botnets, network traffic is captured
and mined for information; in one such approach the traffic is analyzed using three data mining
algorithms, J48 decision trees, Bayesian networks and naive Bayes (Liao & Chang). In the
approach proposed by Hung and Sun (2018), which is based on machine learning, flow-based
features are selected and extracted from the network traffic, a machine learning algorithm is
used to train a model, and that model is then used to detect abnormalities in the network.
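As an added example (not part of the original report), the Python script below applies the fixed-interval idea above to a small set of constructed flow records. A bot polling its C&C server in the pull style described in section 2.2.1 opens connections at near-constant intervals, so the coefficient of variation (standard deviation divided by the mean) of its inter-arrival times is close to zero, while a user's browsing to the same destination is irregular. The flow tuples, hosts, thresholds and the 60-second polling period are all assumptions made for illustration.

```python
"""Added example: flag (src, dst, dport) pairs whose connection inter-arrival
times are suspiciously regular, as a pull-style bot polling its C&C server
would produce.  The flow records are constructed, not real captures."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp in seconds, source IP, destination IP, destination port).
SAMPLE_FLOWS = (
    # assumed bot: polls 203.0.113.10:80 roughly every 60 s (small jitter)
    [(t, "10.0.0.5", "203.0.113.10", 80) for t in (0, 60, 121, 180, 240, 301, 360, 420)]
    # assumed normal host: irregular browsing to 198.51.100.20:443
    + [(t, "10.0.0.7", "198.51.100.20", 443) for t in (5, 12, 70, 71, 200, 260, 262, 500)]
    # assumed host with too few flows to judge
    + [(t, "10.0.0.8", "198.51.100.30", 443) for t in (100, 160, 220)]
)


def inter_arrival_stats(timestamps):
    """Return (mean gap, coefficient of variation) of the gaps between connections."""
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    mu = mean(gaps)
    cv = pstdev(gaps) / mu if mu > 0 else float("inf")
    return mu, cv


def find_beacons(flows, min_flows=6, max_cv=0.15):
    """Group flows by (src, dst, dport); a pair with at least min_flows connections
    whose gap CV is at most max_cv is reported as a likely beacon.
    Returns a list of ((src, dst, dport), mean_gap, cv)."""
    groups = defaultdict(list)
    for ts, src, dst, dport in flows:
        groups[(src, dst, dport)].append(ts)
    alerts = []
    for key, timestamps in groups.items():
        if len(timestamps) < min_flows:
            continue  # not enough samples for a stable estimate
        mu, cv = inter_arrival_stats(timestamps)
        if cv <= max_cv:
            alerts.append((key, round(mu, 1), round(cv, 3)))
    return alerts


if __name__ == "__main__":
    for (src, dst, dport), mu, cv in find_beacons(SAMPLE_FLOWS):
        print(f"beacon candidate {src} -> {dst}:{dport}: every {mu}s (cv={cv})")
```

The check only catches bots that poll on a fixed schedule; a bot that randomizes its sleep interval raises the CV and slips under the threshold, which is why this statistic is normally combined with the other flow features discussed above rather than used alone.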
 
3. Critical Analysis
3.1 Case Study 1: Mirai Botnet – 2016

3.1.1 Background

The Mirai botnet was used for what was, at the time, the largest DDoS attack ever recorded. It
targeted Brian Krebs' security website in September 2016 and later also attacked the hosting
provider OVH (Krebs, 2016). It was capable of generating around 1.1 Tbps of attack traffic, and
an estimated 1.5 million devices were involved in this massive DDoS attack. The Mirai malware
hijacked networked BusyBox-based devices running on ARC processors and turned them into a
botnet. These processors are capable of running the Linux operating system and are mainly used
in cameras, home routers and other IoT (Internet of Things) devices.

3.1.2 Installation and Infection Process

The Mirai botnet scans the internet to find internet-connected IoT (Internet of Things) devices.
The attackers used a rapid scanning technique, sending TCP SYN probes to pseudo-random IPv4
addresses (Zeifman, 2016). IoT devices usually allow Telnet connections, and most of the logins
are the default credentials shipped by the IoT vendors. The bot identifies vulnerable devices by
trying a table of around 60 common factory-default usernames and passwords. If the IoT device
accepts the Telnet login, the victim's IP address and the working set of credentials are sent to a
collection server; after that, the malware logs in and infects the device with Mirai. There was
no change in the normal functionality of the devices, except for occasional stutter and a sudden
rise in bandwidth usage (Zeifman, 2016). A device remains infected until it is rebooted, and even
after the reboot it is quickly infected again if the username and password have not been
changed. After infection the bot blocks the remote administration ports.

3.1.3 Detection Using Network Analysis

Mirai relies on finding vulnerable devices connected to the internet and brute-forcing their
logins. Once logged in, it needs to download and execute additional components for full
functionality, and in this process many network packets are exchanged. The malware also
reports back after each successful brute-force login, sending the victim's IP address and
credentials to the collection server, and the infected device then communicates with the C&C
server. Monitoring network traffic therefore shows a clear increase in bandwidth usage, and the
scanning itself stands out as a single device opening Telnet connections to a large number of
unrelated addresses. Network packets can be further segregated and analyzed to trace back the
C&C server. Furthermore, network traffic flow over fixed time intervals can be analyzed to
develop a statistical relationship, comparing the flow of infected and non-infected systems for
effective classification.
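The scanning behaviour described above is the easiest Mirai symptom to spot from flow data: one source sending SYN-only connection attempts to many distinct addresses on the Telnet ports within a short window. The script below is an added example (not from the report or from the Mirai source) of a sliding-window detector for that pattern, run over constructed connection records; the hosts, timings, the 60-second window and the 10-target threshold are assumptions.

```python
"""Added example: sliding-window detector for Mirai-style Telnet sweeps.
A source that sends SYN-only connection attempts to many distinct addresses on
TCP 23/2323 within a short window is reported as a scanner.  The records are
constructed for illustration, not real captures."""
from collections import defaultdict, deque

TELNET_PORTS = {23, 2323}

# Constructed connection-attempt records: (timestamp s, src, dst, dport, TCP flags).
SAMPLE_EVENTS = (
    # assumed infected device sweeping pseudo-random addresses on port 23, one per second
    [(float(i), "192.0.2.50", f"198.51.100.{i + 1}", 23, "S") for i in range(20)]
    # assumed administrator reaching two devices over Telnet
    + [(5.5, "10.0.0.9", "10.0.0.20", 23, "S"), (30.0, "10.0.0.9", "10.0.0.21", 23, "S")]
    # assumed user browsing many sites: many destinations, but not on Telnet ports
    + [(1.5 + i, "10.0.0.3", f"203.0.113.{i + 1}", 443, "S") for i in range(12)]
)


def detect_telnet_scanners(events, window=60.0, min_targets=10):
    """Return {src: (first_alert_ts, distinct_targets)} for sources that contact
    at least min_targets distinct destinations on a Telnet port within `window`
    seconds.  Only SYN-only attempts count, so established sessions do not."""
    recent = defaultdict(deque)                      # src -> deque of (ts, dst) inside the window
    targets = defaultdict(lambda: defaultdict(int))  # src -> dst -> attempts inside the window
    alerts = {}
    for ts, src, dst, dport, flags in sorted(events):
        if dport not in TELNET_PORTS or flags != "S":
            continue
        recent[src].append((ts, dst))
        targets[src][dst] += 1
        # expire attempts that fell out of the window (the newest entry never does)
        while ts - recent[src][0][0] > window:
            _old_ts, old_dst = recent[src].popleft()
            targets[src][old_dst] -= 1
            if targets[src][old_dst] == 0:
                del targets[src][old_dst]
        if src not in alerts and len(targets[src]) >= min_targets:
            alerts[src] = (ts, len(targets[src]))
    return alerts


if __name__ == "__main__":
    for src, (ts, count) in detect_telnet_scanners(SAMPLE_EVENTS).items():
        print(f"{src}: {count} distinct Telnet targets by t={ts}s")
```

In practice the records would come from a flow exporter or an IDS connection log rather than a Python list, and the threshold has to sit above the number of devices an administrator legitimately reaches over Telnet in one window; the administrator host in the sample never gets close.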

3.1.4 Detection Using Host Analysis

As mentioned earlier, after a successful login the Mirai bot downloads and executes additional
components to complete the infection. When the bot executes these components it spawns several
processes, which cause the sluggishness of the device, and it also blocks the administrative
ports. All of these events could have been logged and would easily have raised an alarm if good
SIEM technology had been in place. Furthermore, the memory of the IoT devices could also be
scanned for specific signatures of the malware.
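One host-side check that works on the kind of minimal Linux device Mirai infected, where no agent or antivirus can be installed, is to read the kernel's socket table and compare the listening TCP ports with the device's known baseline: administration services that have vanished and new listeners that have appeared are both worth an alert. The script below is an added example, not from the report; it parses the real /proc/net/tcp layout, but both snapshots, the baseline ports and the unexpected port 40001 are constructed for illustration.

```python
"""Added example: host-side listener audit for an embedded Linux device.
Parses /proc/net/tcp (the kernel's TCP socket table) and compares the ports in
LISTEN state against the device's expected baseline.  Both snapshots follow the
real /proc/net/tcp layout but are constructed; they are not from a real device."""

# Assumed baseline for the device: SSH (22), Telnet (23) and the web UI (80).
BASELINE_PORTS = {22, 23, 80}

HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode"

# Clean device: only the baseline services listen (state 0A = LISTEN, addresses and ports in hex).
SNAPSHOT_CLEAN = HEADER + """
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10214 1 0000000000000000 100 0 0 10 0
   1: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10215 1 0000000000000000 100 0 0 10 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10216 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:C0F4 0A01A8C0:0050 01 00000000:00000000 00:00000000 00000000     0        0 10500 1 0000000000000000 20 4 30 10 -1
"""

# Suspect device: the SSH and Telnet listeners are gone and an unexpected
# loopback listener on port 40001 (0x9C41) has appeared.
SNAPSHOT_SUSPECT = HEADER + """
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10216 1 0000000000000000 100 0 0 10 0
   1: 0100007F:9C41 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22871 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:D23C 0A01A8C0:0050 01 00000000:00000000 00:00000000 00000000     0        0 22900 1 0000000000000000 20 4 30 10 -1
"""


def _hex_ipv4(hex_ip):
    """/proc/net/tcp stores IPv4 addresses as little-endian hex; decode to a dotted quad."""
    return ".".join(str(int(hex_ip[i:i + 2], 16)) for i in (6, 4, 2, 0))


def parse_listeners(proc_net_tcp):
    """Return [{'ip', 'port', 'uid', 'inode'}] for every socket in LISTEN state."""
    listeners = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state, uid, inode = fields[1], fields[3], fields[7], fields[9]
        if state != "0A":                       # 0A is TCP_LISTEN
            continue
        ip_hex, port_hex = local.split(":")
        listeners.append({"ip": _hex_ipv4(ip_hex), "port": int(port_hex, 16),
                          "uid": int(uid), "inode": int(inode)})
    return listeners


def audit_listeners(proc_net_tcp, baseline=BASELINE_PORTS):
    """Compare listening ports with the baseline.  Returns (unexpected, missing):
    ports that appeared (possible bot sockets) and ports that vanished
    (administration services killed or blocked)."""
    ports = {entry["port"] for entry in parse_listeners(proc_net_tcp)}
    return sorted(ports - baseline), sorted(baseline - ports)


if __name__ == "__main__":
    for label, snapshot in (("clean", SNAPSHOT_CLEAN), ("suspect", SNAPSHOT_SUSPECT)):
        unexpected, missing = audit_listeners(snapshot)
        print(f"{label}: unexpected={unexpected} missing={missing}")
```

On a real device the snapshot is simply `open("/proc/net/tcp").read()` (plus /proc/net/tcp6 for IPv6), and the inode column can be matched against the `socket:[inode]` links under /proc/<pid>/fd to find the process holding an unexpected port.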

3.1.5 Case Study Summary 

This case study is technical in nature and focuses on the tools and techniques used by
botmasters to infect and take over a system. It clearly shows the necessity of network-based and
host-based analysis for detecting botnets.
3.2 Case Study 2: 3ve Botnet (2013-2018)

3.2.1 Background

The 3ve botnet was first discovered in 2016 and operated between 2013 and 2018. It was used for
ad fraud, and around thirty million dollars was stolen over the time the botnet was active. It is
estimated that at its peak the botnet controlled more than 1 million infected PCs across Europe
and North America (Goodin, 2018). The bots were used to generate fake clicks on online
advertisements served on fake websites; with over ten thousand fake websites it took in ad
revenue from more than 50,000 digital advertising accounts (Goodin, 2018). 3ve was able to
mimic desktop and mobile traffic to evade detection, and over time it evolved its tactics and
grew.

3.2.2 Installation and Infection Process

Infection happens through e-mail attachments or drive-by downloads. Once the malware reaches
the victim's computer and is executed, it makes use of two other botnets, the Boaxxe botnet and
the Kovter botnet (Ronan, 2018). The Kovter botnet ran a hidden browser on the victim's system;
the attackers then used their C&C server to direct traffic from the hidden browsers to their ads.
The Kovter bots also served as proxies for fraudulent ad requests that were sent from a data
center in Germany controlled by the botmaster.

3.2.3 Detection Using Network Analysis

Like Mirai, 3ve relied on the botmaster issuing commands from the C&C server, which causes an
increase in network traffic flow that could have been used to identify the presence of the 3ve bot
on a system. If the network and the network-based communication had been observed, the proxy
running on the Kovter bots would have been revealed. Furthermore, the 3ve botnet carried out
DNS queries for over 10,000 fake websites that were hosted through dynamic DNS (DDNS)
providers, so monitoring the network for DNS traffic could also have detected the 3ve botnet.
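The DNS observation above can be turned into a concrete check: a bot that cycles through thousands of fake sites resolves far more distinct names, and far more names under dynamic-DNS zones, than a person browsing. The script below is an added example (not from the report) that runs such a fan-out detector over a constructed resolver log; the log format, client addresses, the placeholder DDNS zones and the thresholds are all assumptions.

```python
"""Added example: DNS-log detector for ad-fraud style fan-out.  A client that
resolves an unusually large number of distinct names, most of them under
dynamic-DNS zones, within a short window is reported.  The log lines and the
DDNS zone list are constructed for illustration."""
from collections import defaultdict

# Assumed watchlist of dynamic-DNS zones (placeholders, not real providers).
DDNS_ZONES = ("ddns.example", "dyn.example")

# Constructed log in "<epoch> <client> <qname> <rcode>" form; no real resolver produced it.
SAMPLE_DNS_LOG = "\n".join(
    # assumed bot resolving 40 different DDNS-hosted fake sites within two minutes
    [f"{1000 + 3 * i} 10.0.0.12 site{i}.ddns.example NOERROR" for i in range(40)]
    # assumed normal user resolving a handful of ordinary names
    + [f"{1010 + 20 * i} 10.0.0.7 {name} NOERROR" for i, name in enumerate(
        ["www.example.com", "cdn.example.net", "mail.example.org",
         "news.example.com", "api.example.net", "blog.example.org"])]
)


def is_ddns(name):
    return any(name.endswith("." + zone) for zone in DDNS_ZONES)


def registrable(qname):
    """Collapse a query name to the unit a fraudster rents: the label directly
    under a DDNS zone (site7.ddns.example), otherwise the last two labels."""
    labels = qname.lower().rstrip(".").split(".")
    for zone in DDNS_ZONES:
        zone_labels = zone.split(".")
        if len(labels) > len(zone_labels) and labels[-len(zone_labels):] == zone_labels:
            return ".".join(labels[-(len(zone_labels) + 1):])
    return ".".join(labels[-2:])


def parse_dns_log(text):
    """Parse the constructed log format into (ts, client, qname, rcode) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, client, qname, rcode = line.split()
        records.append((float(ts), client, qname, rcode))
    return records


def find_dns_fanout(records, window=300.0, min_domains=25, min_ddns_ratio=0.5):
    """Return {client: (distinct_domains, ddns_ratio)} for the widest window in
    which a client resolved at least min_domains distinct domains with at least
    min_ddns_ratio of them under a DDNS zone."""
    per_client = defaultdict(list)
    for ts, client, qname, _rcode in records:
        per_client[client].append((ts, registrable(qname)))
    alerts = {}
    for client, items in per_client.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1                      # slide the window forward
            domains = {name for _, name in items[start:end + 1]}
            if len(domains) < min_domains:
                continue
            ratio = sum(1 for d in domains if is_ddns(d)) / len(domains)
            if ratio >= min_ddns_ratio and (client not in alerts or len(domains) > alerts[client][0]):
                alerts[client] = (len(domains), round(ratio, 2))
    return alerts


if __name__ == "__main__":
    for client, (count, ratio) in find_dns_fanout(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{client}: {count} distinct domains in window, {ratio:.0%} under DDNS zones")
```

The DDNS ratio is what keeps ordinary heavy browsing (ad networks, CDNs) from tripping the rule; a real deployment would also feed in NXDOMAIN rates and the age of the resolved domains, neither of which the constructed log carries.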

3.2.4 Detection Using Host Analysis

As mentioned above, the 3ve bot runs a web browser to generate clicks on the websites.
Furthermore, the bot opens many ports in order to connect to its C&C server and act as a proxy.
Process monitoring could have been implemented on the host to detect the hidden browser
process, and if a proper SIEM or IDS had been in place the victims would have been warned about
the unexpected open ports on their computers.
3.2.5 Case Study Summary

The importance of host- and network-based detection can be seen in this case study. If these
detection techniques had been implemented, the botnet could have been detected before it
performed any secondary infection. The lack of proper security controls such as SIEM and IDS
is strongly felt, as these can detect the intrusion in its early phases and prevent subsequent
damage.
4. Conclusions
Since botnets have become one of the most dangerous kinds of malware in recent times, there is
a general need for the information security community to implement adequate measures for
botnet detection and to build an understanding of the botnet architectures and communication
mechanisms used by botmasters during the course of an attack. The critical analysis of the two
case studies indicates that the initial compromise does not by itself completely take over a
system. Case study 1 focuses more on the technical aspects and identifies the methods a botnet
uses to propagate, leading to a full system takeover. Case study 2 reveals how the initial
compromise occurred by exploiting the human aspect, and its analysis also clearly shows how a
botnet makes use of the network to communicate with its peers or its C&C server. Host-based
and network-based analysis have been introduced as ways to identify botnets. In conclusion, it is
important for organizations to implement monitoring of their host and network infrastructure
to detect and potentially stop botnets in their initial stage, in order to minimize and restrict
further damage.
5. References
Antonatos, S., & Markatos, E. (2007). Honey@home: A new approach to large-scale threat
monitoring. ACM WORM '07.

Securelist (2018). DDoS attacks in Q1 2018. https://securelist.com/ddos-report-in-q1-2018/85373/

Huang, C.-Y. (2013). Effective bot host detection based on network failure models. Computer
Networks, 57(2), 514–525.

Zeng, Y., Hu, X., Wang, H., Shin, G., & Bose, A. Containment of network worms via per-process
rate-limiting. In Proceedings of the 4th International Conference on Security and Privacy in
Communication Networks, pp. 1–10, Istanbul, Turkey,

Kirubavathi, G., & Anitha, R. Botnet detection via mining of traffic flow characteristics.
Computers & Electrical Engineering.

Liao, W. H., & Chang, C. C. Peer to peer botnet detection using data mining scheme. In
Proceedings of the International Conference on Internet Technology and Applications.

Hung, C., & Sun, H. (2018). A botnet detection system based on machine-learning using
flow-based features. In Proceedings of SECURWARE 2018: The Twelfth International Conference
on Emerging Security Information, Italy, September 2018.

The SANS Institute's top ten cyber security menaces for 2008.
http://www.itu.int/osg/csd/newslog/The+SANS+Institutes+Top+Ten+Cyber+Security+Menaces+For+2008.aspx

Sharma, P., Pilli, E. S., et al. (2014). Understanding botnet on Internet. In 2014 IEEE
International Conference on Computational Intelligence and Computing Research (ICCIC).

Krebs, B. (September 21, 2016). "KrebsOnSecurity Hit With Record DDoS".

Zeifman, I., Bekerman, D., & Herzberg, B. (October 10, 2016). "Breaking Down Mirai: An IoT
DDoS Botnet Analysis".

Goodin, D. (21 December 2018). "How 3ve's BGP hijackers eluded the Internet—and made $29M".
Ars Technica.

Shields, R. "White Ops Launched a PSA to Increase Public Awareness About Ad Fraud".
www.adweek.com.
