Botnet Technology
Rupal B. Jaiswal and Shivraj Bajgude
Abstract-- Among all media of communication, the Internet is the most vulnerable to attacks owing to its public nature and its virtual lack of centralized control. With the growing financial dealings and dependence of businesses on the Internet, these attacks have increased even more. Whereas previously hackers would satisfy themselves by breaking into someone's system, in today's world hackers work under an organized crime plan to obtain illicit financial gains. Various attacks that include spamming, phishing, click fraud, distributed denial of service, hosting illegal material, key logging, etc. are being carried out by hackers using botnets. In this paper a detailed study of botnets vis-à-vis their creation, propagation, and command and control techniques is covered. The aim of this seminar is to gain an insight into the security threats that users of the Internet are facing from hackers through the use of malicious botnets.

Keywords-- Botnet, Bot, Internet Security, Spam, Phishing, DDoS, Identity Theft, IRC etc.

I. INTRODUCTION

information so easy as never before. But on the other hand, it has worsened the security level. BOTNETS are proving to be the most recent and disastrous threat to the field of information technology. The understanding of a layman about botnets is that it is a network used for malicious purposes, on which a piece of software, the 'bot', is automatically installed without user intervention and is remotely controlled via a command and control server. Despite the fact that such a network can be employed for both nefarious and beneficial purposes, its extensive deployment for criminal and destructive purposes has made the term 'botnets' tantamount to malware attacks on user machines. Technically speaking, botnets are a collection of computers. An active botnet initializes its attack by first exploiting vulnerabilities in the user computers. It then downloads the malicious binary and executes it locally. This program logs on to the Command and Control server (C&C) and notifies its host, commonly known as the 'bot master' or 'bot herder', that the computer is now converted into a 'bot'. It can now be used to pass the infection on to other computers by repeating the same procedure. The major difference between botnets and other security threats is that a bot master communicates regularly with the bots, either via a centralized communication channel or via a decentralized network. These bots perform any type of destruction on receiving commands from the bot master. The bot masters send the commands that control all the bots, which can then attack a victim as a unit. Botnets are developing at a very fast rate, making it difficult to detect and recover from their side effects. However, some of their extensively deployed types can be classified to provide for their remedy [1, 2].

II. FORMATION & EXPLOITATION

To illustrate the formation and exploitation, a typical formation of a botnet can be described by the following steps [3], shown in figure 1.
i. The perpetrator of the botnet sends out worms or viruses to infect victims' machines, whose payloads are bots.
ii. The bots on the infected hosts log into an IRC server or other communications medium, forming a botnet.
iv. A spammer sends commands to this botnet to order the bots to send out spam.
v. The infected hosts send the spam messages to various mail servers on the Internet.
vi. Botnets can be exploited for criminal purposes or just for fun, depending on the individuals. The next section will go into the details of various exploitations.
3rd International Conference on Emerging Trends in Computer and Image Processing (ICETCIP'2013) January 8-9, 2013 Kuala Lumpur (Malaysia)
2.1. BOTNET LIFECYCLE

The life cycle contains the following steps, as shown in figure 2.
a. The bot-herder configures the initial bot parameters.
b. Registers a DDNS (DNS).
c. Registers a static IP.
d. The bot-herder starts infecting victim machines, either directly through the network or indirectly through user interaction.
e. Bots spread.
f. Bots join the botnet through the C&C server.
g. Bots are used for some activity (DDoS, identity theft, etc.).
h. Bots are updated through their bot operator, which issues update commands [1].

by flow analysis for detecting botnets. After filtering IRC sessions out of the traffic, flow-based methods were applied to discriminate malicious from benign IRC channels. The proposed methods combined both application and network layer analysis. Cooke et al. dealt with IRC activities at the application layer, using information coming from the monitoring of network activities. Some authors have introduced machine learning techniques into botnet detection, since they offer a better way to characterize botnets. Currently, honeynets and Intrusion Detection Systems (IDS) are the two major techniques to prevent their attacks. Honeynets can be deployed in both distributed and local contexts. They are capable of providing information about botnet attacks but cannot tell details such as whether the victim has a certain worm. The IDS uses the signatures or behavior of existing botnets for reference to detect potential attacks. Thus, summarizing the characteristics of botnets is significant for secure networks. Before going on to the discussion of botnet attacks and preventive measures, we will introduce some relevant terms and the classification of bots [3].
according to its own will. The IRC bot is an assembly of programmed code that behaves as a client in an IRC channel. But unlike the traditional clients providing interactive access, it performs self-propelled functions [1].

3.1.2 P2P Botnets

The preliminary botnet architecture was based upon a centralized architecture, but that was much prone to detection, as the entire botnet can be apprehended just by tracking down the single central command. To overcome this drawback, a rather new technology in the field of botnets is peer-to-peer botnets, where a peer (host) can act alternately as both client and server. To enter the network, a peer can connect to any other peer of the network using an IP address that was already present in its database. Once this peer is part of the network, it continually updates its database by interacting with other peers. Using this approach, when any peer tries to send commands to the botnet, it makes a library call to its database to get the addresses of other bots, thus acting as commander and controller of the P2P botnet. This commander and controller now sends orders that are to be followed by the remaining peers of the network. To track down a peer-to-peer network, initially the simplest possible solution was for the hacker to enter the botnet by pretending to be a new bot. This newly entered bot will now be able to connect to any other peer of the network and thus track down its activities. The biggest disadvantage of this approach is that the intruder can monitor the activity of, and thus track down, only a single peer; the activity of the entire botnet can neither be monitored nor tracked down immediately. Tracking the entire botnet is obviously a time-consuming operation [1].

3.1.3 HTTP Botnets

The most recent botnet to date is the HTTP botnet. It works by exchanging web requests using port 80. It sets up its communication with certain URLs on the Internet using HTTP messages. These HTTP messages contain unique identifiers for the bots. The server under consideration will reply to these HTTP messages with further investigation commands (e.g. GET). This interrogating command ultimately becomes the reason for downloading the infecting malicious commands. Again it uses a centralized command and control channel as the IRC botnet does, but a few advantages compared to IRC exist [3, 4]:
• Here the command and control server is a web server, as compared to IRC botnets where IRC serves as the C&C.
• An IRC bot, once connected to the C&C, doesn't disconnect, but here the bots reconnect to the server at regular intervals of time, which are set by the web server.
The traffic of HTTP botnets flows with the regular traffic. However, the bot packets are different from normal packets, making the detection procedure easier. The most commonly deployed detection technique for HTTP botnets employs a degree of periodic repeatability (DPR). This parameter represents the repeated reconnection of bots with the bot master after a regular interval that is configured by the bot master. The more times the same client connects to the same server after the same interval of time, the greater the probability of the client being a bot and the server being a bot master. More work on several other techniques is underway to detect modern HTTP botnet attacks in a timely manner [1].

IV. COMMAND & CONTROL

A second core problem for botnet attackers is how to communicate with each bot instance. Most attackers would like the ability to rapidly send instructions to bots, but also do not want that communication to be detected or the source of those commands to be revealed. To explore the implications of various bot communication methods, we identify three possible topologies and investigate their associated benefits and weaknesses [2].

Fig. 3 Command and control architecture of a C&C botnet [6].

4.1 Centralized

A centralized topology is characterized by a central point that forwards messages between clients. Messages sent in a centralized system tend to have low latency, as they only need to transit a few well-known hops. From the perspective of an attacker, centralized systems have two major weaknesses: they can be easier to detect, since many clients connect to the same point, and the discovery of the central location can compromise the whole system [2].

4.2 P2P

Peer-to-peer (P2P) botnet communication has several important advantages over centralized networks. First, a P2P communication system is much harder to disrupt. This means that the compromise of a single bot does not necessarily mean the loss of the entire botnet. However, the designs of P2P systems are more complex, and there are typically no guarantees on message delivery or latency [2].
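The degree of periodic repeatability described in Section 3.1.3 can be measured directly from connection logs. The following Python script is an added example, not code from the paper or its references: it groups connections by (client, server) pair and flags pairs whose reconnection intervals are nearly constant. The log format, addresses and thresholds are constructed for this illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection log: "<epoch seconds> <client> <server:port>".
# 10.0.0.5 reconnects to one server every 300 s (bot-like beaconing);
# 10.0.0.7 connects to its server at irregular, user-driven times.
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.9:80
1300 10.0.0.5 203.0.113.9:80
1600 10.0.0.5 203.0.113.9:80
1900 10.0.0.5 203.0.113.9:80
1020 10.0.0.7 198.51.100.2:80
1095 10.0.0.7 198.51.100.2:80
1730 10.0.0.7 198.51.100.2:80
1748 10.0.0.7 198.51.100.2:80
2600 10.0.0.7 198.51.100.2:80
"""

def parse_log(text):
    """Group connection timestamps by (client, server) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, client, server = line.split()
            pairs[(client, server)].append(int(ts))
    return pairs

def periodicity_score(timestamps):
    """Return (connections, mean interval, coefficient of variation).
    A CV near 0 means the client reconnects at an almost constant
    interval: the 'degree of periodic repeatability' of Section 3.1.3."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:          # need several intervals to judge regularity
        return len(ts), None, None
    m = mean(gaps)
    return len(ts), m, (pstdev(gaps) / m if m else float("inf"))

def find_periodic_pairs(text, min_connections=4, max_cv=0.2):
    """Flag (client, server) pairs seen at least min_connections times whose
    interval jitter (CV) is below max_cv. Thresholds are assumptions made
    for this example, not values from the paper."""
    flagged = []
    for pair, stamps in parse_log(text).items():
        n, m, cv = periodicity_score(stamps)
        if n >= min_connections and cv is not None and cv <= max_cv:
            flagged.append((pair, m, round(cv, 3)))
    return flagged

if __name__ == "__main__":
    for (client, server), interval, cv in find_periodic_pairs(SAMPLE_LOG):
        print(f"{client} -> {server}: every {interval}s (CV={cv}), DPR candidate")
```

Real bots add jitter or use several servers, so in practice the CV threshold and the grouping key need tuning against the traffic being monitored.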
potential attack by a scanner or worm. However, this mechanism may not work if the IRC commands have been encoded [3].

6.4 DNS Tracking

Since bots usually send DNS queries in order to access the C2 servers, if we can intercept their domain names, the botnet traffic can be captured by blacklisting the domain names. Actually, it also provides an important secondary avenue to take down botnets by disabling their propagation capability. Choi et al. have discussed the features of botnet DNS. According to their analysis, botnets' DNS queries can be easily distinguished from legitimate ones. First of all, only bots will send DNS queries to the domain of C2 servers; a legitimate host never does this. Secondly, a botnet's members act and migrate together simultaneously, as do their DNS queries, whereas legitimate queries occur continuously, differing from those of a botnet. Third, legitimate hosts will not use DDNS very often, while botnets usually use DDNS for C2 servers. Based on the above features, they developed an algorithm to identify botnet DNS queries. The main idea is to compute the similarity for group activities and then distinguish the botnet from them based on the similarity value. The similarity value is defined as 0.5 (C/A + C/B), where A and B stand for the sizes of two requested IP lists which have some common IP addresses and the same domain name, and C stands for the size of the duplicated IP addresses. If the value approximates zero, such a common domain will be suspected [3, 5].

VII. PREVENTIVE MEASURES

It takes only a couple of hours for conventional worms to circle the globe after their release from a single host. If worms using a botnet appear from multiple hosts simultaneously, they are able to infect the majority of vulnerable hosts worldwide in minutes. Some botnets have been discussed in previous sections. Nevertheless, there are still plenty of them that are unknown to us. In this section we also discuss how to minimize the risk caused by botnets in the future [3].

7.1 Countermeasures on Botnet Attacks

Unfortunately, few solutions have existed so far for a host to defend against a botnet DDoS attack. Albeit it is hard to find the patterns of malicious hosts, network administrators can still identify botnet attacks based on passive operating system fingerprinting extracted from the latest firewall equipment. The lifecycle of botnets tells us that bots often utilize free DNS hosting services to redirect a sub-domain to an inaccessible IP address. Thus, removing those services may take down such a botnet. At present, many security companies focus on offerings to stop botnets. Some of them protect consumers, whereas most others are designed for ISPs or enterprises. The individual products try to identify bot behavior by anti-virus software. The enterprise products have no better solutions than null routing DNS entries or shutting down the IRC and other main servers after a botnet attack is identified [3].

7.2 Countermeasures for the Public

Personal or corporate security inevitably depends on the communication partners. Building a good relationship with those partners is essential. Firstly, one should continuously request the service supplier for security packages, such as a firewall, anti-virus tool-kit, intrusion detection utility, and so forth. Once something goes wrong, there should be a corresponding contact number to call. Secondly, one should also pay much attention to network traffic. If there is a DDoS attack, the ISP can help block those malicious IP addresses. Thirdly, it is better to establish accountability on one's system, together with a law enforcement authority. More specifically, scholars and industries have proposed some strategies for both home users and system administrators to prevent, detect and respond to botnet attacks. Here we summarize their suggestions [3].

7.3 Home Users

To prevent attacks from a botnet, home users can follow the rules described below. They are classified into three categories:
1. Personal Habits
2. Routine
3. Optional Operations.

As personal habits, people should pay attention when downloading, especially programs coming from unscrupulous sites. Besides, try to avoid installing useless things on the personal computer, which will minimize the possibility of bot infection. If necessary, read the License Agreement and the notes carefully before clicking the button on the web site. As a routine, use antivirus software and anti-trojan utilities while the system is on. Scan and update the system regularly, especially for Windows. When leaving the PC, shut down the system, or it may be remotely controlled by hackers. As the optional operations, home users are recommended to back up the system regularly, to keep all software up-to-date and to deploy a personal firewall by all means. By doing so, home PCs are shielded from unauthorized accesses, and thus bots cannot compromise them. To detect abnormal behavior, taking the Windows operating system as an instance, a home user can check the IRC port range from 6000 to 7000 (typically 6667) with the command "C:\Windows\netstat -an". The result can reveal the connections of the current IRC client. However, bots may use some other TCP ports. If unusual behavior occurs on a home PC, such as slow network response, unknown ports being used, and the like, there is possibly a bot attack. Also, home users can use anti-virus software or online services to detect attacks. Once the computer has been compromised, there are strategies to recover it [3].

7.4 System Administrators

Similarly, there are corresponding rules for system administrators to prevent, detect, and respond to botnet attacks. For a prevention method, administrators should follow vendor guidelines for updating the system and applications.
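The group-activity similarity 0.5 (C/A + C/B) from Section 6.4 can be applied to DNS query logs as follows. This Python code is an added example, not the algorithm of Choi et al. or code from the paper: it buckets the requesters of each domain into time windows, computes the similarity between successive requester groups, and flags domains whose requester group recurs almost unchanged; treating a value near 1 (the same hosts querying the domain together) as the suspicious case is this example's assumption, as are the log format, addresses, domains, window size and threshold.

```python
from collections import defaultdict

# Constructed sample DNS log: "<epoch seconds> <client IP> <queried domain>".
# Four hosts query one domain together in two bursts (bot-like group
# activity); other hosts query a popular domain at scattered times.
SAMPLE_DNS = """\
100 10.0.0.11 cc.example.invalid
101 10.0.0.12 cc.example.invalid
102 10.0.0.13 cc.example.invalid
103 10.0.0.14 cc.example.invalid
700 10.0.0.11 cc.example.invalid
701 10.0.0.12 cc.example.invalid
702 10.0.0.13 cc.example.invalid
704 10.0.0.14 cc.example.invalid
105 10.0.0.21 www.example.com
230 10.0.0.22 www.example.com
610 10.0.0.23 www.example.com
790 10.0.0.21 www.example.com
"""

def similarity(a, b):
    """0.5 * (C/A + C/B): A and B are two requester sets for the same
    domain, C the number of requesters they have in common."""
    c = len(a & b)
    return 0.5 * (c / len(a) + c / len(b))

def requester_groups(text, window=300):
    """Map domain -> list of requester-IP sets, one per non-empty time
    window of `window` seconds, in time order."""
    groups = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        if line.strip():
            ts, ip, domain = line.split()
            groups[domain][int(ts) // window].add(ip)
    return {d: [w[k] for k in sorted(w)] for d, w in groups.items()}

def suspicious_domains(text, window=300, min_group=3, threshold=0.8):
    """Domains whose requester group (at least min_group hosts) recurs
    almost intact in a later window. Thresholds are assumptions made for
    this example, not values from the paper."""
    result = {}
    for domain, windows in requester_groups(text, window).items():
        sims = [similarity(a, b) for a, b in zip(windows, windows[1:])
                if len(a) >= min_group and len(b) >= min_group]
        if sims and max(sims) >= threshold:
            result[domain] = max(sims)
    return result

if __name__ == "__main__":
    for domain, sim in suspicious_domains(SAMPLE_DNS).items():
        print(f"{domain}: requester-group similarity {sim:.2f}, suspected C2")
```

Popular legitimate domains also show large overlapping requester sets, so the DDNS and "only bots query it" features from Section 6.4 are needed alongside the similarity value before blacklisting a domain.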
IX. CONCLUSION

The increasing number of Internet users and its commercial character naturally bring a proportionate number of criminally minded people to the scene, who pose potential threats to legitimate users, the Internet infrastructure and the timeliness of the services offered by it. Detecting and tracking compromised hosts in a botnet will continue to be a challenging task. Traffic fingerprinting is useful for identifying botnets. There are also some other interesting open issues that need to be considered. To the best of our knowledge, a DDoS attack derived from botnets cannot be avoided. Even if the attack has been detected, there is no effective way to trace it back or fight against it. Instead, one can only shut down the compromised hosts or disconnect them from the network, waiting for further commands such as scanning for viruses or reinstalling the operating system.
REFERENCES
[1] Banday, M.T., Qadri, J.A., Shah, N.A. (2009). "Study of Botnets and Their Threats to Internet Security," Sprouts: Working Papers on Information Systems, 9(24).
[2] Jing Liu, "Botnet: Classification, Attacks, Detection, Tracing and Preventive Measures," July 2009.
[3] Michael Bailey, "A Survey of Botnet Technology & Defense," August 2008.
[4] Fatima Naseem, "A Survey of Botnet Technology and Detection," Proceedings of International Journal of Video and Image Processing and Network Security, 2008.
[5] Ping Wang, "An Advanced Hybrid Peer To Peer Botnet," August 2007.
[6] Salvatore Salmone, "Botnet Exposed: Stopping Next-Generation Attacks," August 2009.
[7] Matthew West, "Threats That Computer Botnets Pose to International Businesses," December 3, 2008.