Modern Botnets: A Survey and Future Directions

Ertuğ Karamatlı, Boğaziçi University, Turkey. January 3, 2011

Abstract

Botnets are becoming a real challenge. New botnets are discovered every day that employ more sophisticated methods to spread, defend, and attack. This article explores the techniques used by traditional botnets and current botnets, and also the emerging threats posed by future botnets. Current botnets increasingly incorporate distributed network architectures and cryptography. Moreover, we present new techniques such as the use of strong cryptography, scripting languages, anonymity networks, embedded systems, steganography, and IPv6 tunneling.

Keywords: Botnets; P2P; Cryptography; Network Security; Information Security

Introduction

Botnets are one of the most important threats to Internet infrastructure and information security. A study claims that about 40% of computers connected to the Internet are bots [1]. A botnet can be defined as a collection of software agents (or robots) that run autonomously [33]. A botnet typically consists of bots (a group of compromised computers) and a botmaster (a human controller). There is also a Command & Control (C&C) channel which the botmaster uses to send commands to the bots. Botnets are classified by their C&C type, such as IRC-based, HTTP-based, and P2P-based.

A typical bot has three notable phases in its life-cycle [36]:

1. Infection: Computers are infected using one or more software or hardware vulnerabilities and become zombies.
2. Malicious Activities: The activities a bot may carry out depend on the purpose of the botnet. They can range from launching Distributed Denial of Service (DDoS) attacks to sending spam e-mails.
3. Upgrade: Bots upgrade themselves to gain new defence and attack capabilities.

Botnets pose a considerable and rising threat to cyber-security. Therefore, they are a very popular research topic for both academia and the security industry. There are many recent studies about their behavior [36, 6, 20], detection [13, 35, 11], protection [27, 6], and future [19, 18, 30]. We discuss the past, present, and future of botnets in three sections: Traditional Botnets, Current Characteristics, and Emerging Threats, respectively.

Traditional Botnets

Traditional botnets have a central C&C server, as shown in Figure 1. They typically use Internet Relay Chat (IRC) channels as the C&C channel. Such IRC-based botnets may watch changes in room topics for commands [6]. They can also employ HTTP or IM servers. The major flaw of this approach is that it uses central C&C servers, which means there is a single point of failure. Therefore, someone who has access to the server will also be able to control and take down the botnet. Common malicious activities of traditional botnets are DDoS, spamming, and information theft.

Figure 1: Traditional botnet architecture [6]


Current Characteristics

Botnets of today differ from traditional botnets in a number of ways. They generally use P2P-based C&C channels rather than a central C&C approach. Additionally, some of them use cryptography to secure their communications.

Distributed Network Architecture

There is an increasing trend towards peer-to-peer (P2P) communication as opposed to central command & control (C&C) servers. A typical P2P-based botnet architecture is shown in Figure 2. Using a P2P approach increases the robustness of the system by eliminating the single point of failure. Therefore, it is much harder to discover and destroy a P2P-based botnet when compared to a traditional botnet. Using DNS tricks such as fast-flux, it is also significantly harder to track down the botmaster, because the botmaster can be any node in the network.

Figure 2: P2P-based botnet architecture [27]

While P2P technology brings many advantages to botnets, it also presents new challenges [18]. Implementing a P2P protocol is a difficult task. Thus, many botnet authors do not use well designed and tested protocols such as Kademlia; a notable exception that does use Kademlia is the Storm botnet [25]. Fortunately, botnets in the wild generally have some important flaws that allow taking control of them [8]. For a P2P-based botnet there is a further challenge: trust. Every node in the network can send or forward a command to another node, so an attacker can join the network and send malicious commands to control or destroy the botnet. This problem can be addressed by using asymmetric cryptography [14]. For example, commands can be authenticated by signing messages with a private key.

Cryptography

Most botnets do not use cryptography at all, or they use home-grown ciphers that are prone to cryptanalysis. Only a small fraction of known botnets use cryptography. For example, the Rustock botnet uses RC4 encryption when communicating with its C&C through HTTP [9]. Rustock also used Transport Layer Security (TLS) to connect to SMTP servers and send spam e-mails.

Malicious Activities

Botnets are always designed and used for illegal activities. The types of activities a bot may carry out are listed as follows [33, 22]:

1. DDoS: This kind of attack involves accessing a system in a legitimate way, but so frequently that it becomes unresponsive.
2. E-mail spam: An average of 84% of spam mail was found to be sent by bots [3].
3. Information theft: Sensitive information such as passwords, identity information, and credit card information can be collected by bots. For example, after collecting credit card information, the botmaster may then use it to commit credit card fraud.
4. Phishing: Bots are used to host phishing sites.
5. Click fraud: It is used to create fake traffic to web sites for personal or financial gain.
6. Advertisement fraud: It is used to display ads without the user's permission or …
7. Compromising new computers: The botmaster and bots always try to infect new hosts.
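The fast-flux trick mentioned above leaves a measurable trace in resolver logs: a name that answers with many unrelated addresses under a very short TTL. The following is an added example, not code from the paper or from any of the botnets it surveys, showing how a defender can score observed DNS answers with that heuristic. The observations, the /16 grouping and the thresholds (TTL at most 300 s, at least 5 distinct addresses, at least 3 distinct /16 prefixes) are constructed assumptions for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed resolver-log sample (not real data): (timestamp, qname, ttl, answers).
# "flux.example" rotates through addresses in unrelated /16 prefixes with a tiny
# TTL, the pattern fast-flux networks use; "static.example" is a stable record.
OBSERVATIONS = [
    (0,    "flux.example",   60,   ["203.0.113.5", "198.51.100.7", "192.0.2.9"]),
    (60,   "flux.example",   60,   ["203.0.113.5", "100.64.1.2", "192.0.2.44"]),
    (120,  "flux.example",   30,   ["198.18.4.4", "100.64.1.2", "203.0.113.77"]),
    (180,  "flux.example",   60,   ["198.51.100.8", "192.0.2.9", "198.18.4.4"]),
    (0,    "static.example", 3600, ["203.0.113.10", "203.0.113.11"]),
    (3600, "static.example", 3600, ["203.0.113.10", "203.0.113.11"]),
]


def prefix16(ip: str) -> str:
    """Coarse proxy for 'different network': the /16 the address falls in."""
    return str(ip_network(f"{ip}/16", strict=False))


def summarize(observations):
    """Aggregate per name: distinct answers, distinct /16 prefixes, TTLs seen."""
    per_name = defaultdict(lambda: {"ips": set(), "prefixes": set(), "ttls": []})
    for _ts, qname, ttl, answers in observations:
        entry = per_name[qname]
        entry["ttls"].append(ttl)
        for ip in answers:
            ip_address(ip)  # raises ValueError on a malformed answer
            entry["ips"].add(ip)
            entry["prefixes"].add(prefix16(ip))
    return per_name


def is_fast_flux(summary, max_ttl=300, min_ips=5, min_prefixes=3) -> bool:
    """Heuristic: short TTL plus many addresses spread over several prefixes."""
    return (max(summary["ttls"]) <= max_ttl
            and len(summary["ips"]) >= min_ips
            and len(summary["prefixes"]) >= min_prefixes)


def flag_domains(observations, **thresholds):
    """Map each queried name to True when it matches the fast-flux heuristic."""
    return {qname: is_fast_flux(summary, **thresholds)
            for qname, summary in summarize(observations).items()}


if __name__ == "__main__":
    for qname, flagged in flag_domains(OBSERVATIONS).items():
        s = summarize(OBSERVATIONS)[qname]
        print(f"{qname}: ips={len(s['ips'])} prefixes={len(s['prefixes'])} "
              f"max_ttl={max(s['ttls'])} fast_flux={flagged}")
```

Large CDNs also serve short TTLs from many addresses, so this heuristic is a triage signal rather than a verdict; in practice it is combined with ASN diversity, domain age and the reputation of the hosts answering.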

Emerging Threats

This section introduces and discusses some of the possible threats that can be posed by future botnets.

Strong Cryptography

Botnets have started using strong cryptography over the last several years. The first notable use of strong cryptography could be the Storm botnet, which used RSA for encoding controller list packets [29]. More advanced strong cryptography is found in the Waledac botnet, which utilizes AES and RSA with 128- and 1024-bit keys, respectively. However, there are some weaknesses in its design and implementation, so it is relatively easy to analyze and modify the communications [8]. New botnets will eventually start to use correct designs and implementations of these algorithms, so that it will be nearly impossible to analyze their communications. Using RSA with a 2048-bit key will secure a botnet from attackers throughout the foreseeable future. Furthermore, security and secrecy can be increased by implementing perfect forward secrecy [12]: even if a private key is compromised, the attacker can read neither previous messages nor future messages. Lastly, recent advances in fully homomorphic encryption [16] could allow botnets to process data and commands without decrypting them first.

An important point in the administration of a botnet is the authenticity and integrity of commands [26]. This is relatively easy for an IRC-based botnet, because the botnet author can patch the IRC server in a way that only allows the botmaster to send commands. However, it is harder for a P2P-based botnet: a hostile party can send malicious commands to take down the botnet. This problem can be addressed by using asymmetric cryptography [18, 28, 14]. For example, before releasing the bot into the wild, the botmaster can generate a public/private key pair and embed the public key in the bot's source code. Then only the botmaster can send valid commands to the bots, by signing them with his private key. A botmaster can thus take on the role of a trusted certificate authority [26]. Using asymmetric cryptography also facilitates the renting of botnets. To rent a botnet, the botmaster creates another public/private key pair and defines the public key to all or a subset of bots as a valid botmaster, maybe with some restrictions based on their agreement.

Code Armoring

Current malware, including bots, generally uses some kind of code armoring. Code armoring can be achieved by using packers. Maybe the most famous and popular packer is UPX [2]. Advanced malware usually employs custom packers based on XOR encryption [7]. Today much malware uses polymorphic engines to bypass the signature detection mechanisms of anti-virus applications and also to make it harder to disassemble the executable for analysis. Another area where cryptography can be used is the polymorphic delivery of botnet executables. The method presented in [4] uses dynamically generated code based on a key derived from the environment. Utilizing cryptographic hash functions for anti-disassembly will make it nearly impossible to reverse engineer the bot's code. It will contribute to the overall secrecy of botnets.

Scripting Languages

Bots normally receive and execute commands which are predefined in the bot's code. They range from launching a DDoS attack to the bot destroying itself. Also, bots constantly upgrade themselves. However, it is not easy for a botmaster to compile and distribute new binaries. But what if arbitrary source code could be sent to the bots to execute? This leads us to the concept of commands as source code. It is relatively easy to embed scripting languages inside bots. Many scripting languages such as Lua, Perl, Python, and Ruby have the ability to be embedded inside a C program. Using an existing interpreter is easy and reliable, and it also brings many standard libraries. On the other hand, it becomes very easy to add new capabilities to bots instantly by just sending scripts as commands. There are endless possibilities with the help of a scripting language. Therefore, botnets will become so flexible and responsive that researchers may not be able to keep up with tracking their behavior. There is a bot (OSX/Krowi.A) that contains a Lua interpreter in its executable [15]. We may see an increasing trend in the use of scripting languages in the near future.
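Packers and custom XOR-based armoring, as discussed in the Code Armoring section above, are routinely triaged by measuring byte entropy: compressed or properly encrypted regions look near-random, while a single-byte XOR layer only permutes byte values and leaves the entropy unchanged. The block below is an added example, not code from the paper or from any packer it names; the sample buffer (a repeated text fragment, a SHA-256-chained pseudo-random region standing in for packed code, and a XOR-masked copy of the text) is constructed, and the 7.0 bits/byte threshold and 512-byte window are assumptions chosen for this illustration.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 512, threshold: float = 7.0):
    """Return [(offset, entropy)] for every fixed-size window above the threshold."""
    regions = []
    for offset in range(0, len(data), window):
        h = shannon_entropy(data[offset:offset + window])
        if h > threshold:
            regions.append((offset, round(h, 3)))
    return regions


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR mask: a bijection on byte values, so the histogram shape
    (and therefore the entropy) is exactly preserved."""
    return bytes(b ^ key for b in data)


def pseudo_random(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for a packed/encrypted section (SHA-256 chain)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample buffer: 1024 bytes of readable text, 2048 bytes that look
# packed, then the same text under a XOR 0x5A mask (as a naive custom packer might leave it).
TEXT = b"plain readable configuration text, low entropy by construction; "
PLAIN = (TEXT * 40)[:1024]
PACKED = pseudo_random(2048)
XORED = xor_bytes(PLAIN, 0x5A)
SAMPLE = PLAIN + PACKED + XORED


def triage(data: bytes):
    """Summary a scanner would log: overall entropy and the suspicious windows."""
    return {"overall": round(shannon_entropy(data), 3),
            "high_entropy_windows": high_entropy_regions(data)}


if __name__ == "__main__":
    print(triage(SAMPLE))
    print("text:", round(shannon_entropy(PLAIN), 3),
          "xor-masked text:", round(shannon_entropy(XORED), 3))
```

Only the pseudo-random middle region is reported; the XOR-masked text scores the same as the clear text, which is why entropy catches compression and real encryption but not a simple XOR mask, and why analysts pair it with byte-frequency checks.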

Embedded Systems

The current focus of botnet research is on PCs. However, as small networked computers with advanced operating systems emerge, they are becoming a target of botnet authors [5]. Devices at risk of becoming part of a botnet include multimedia devices, videogame consoles, automobiles, mobile phones, routers, and printers. There are three characteristics of embedded systems [5]:

1. Ubiquity: They are everywhere: homes, offices, factories, hospitals, etc.
2. Availability: As implied by their purpose, they are always connected to the network. A bot on such a device can also try to gain access to other devices in the network without any limitation of time, because the device is always on.
3. Insecurity: There is a wide range of known security vulnerabilities.

The first known router-based botnet we could find is Psyb0t, which targets 55 different home routers and DSL/cable modems [24]. There is also a study of creating a botnet of mobile phones [17]: researchers demonstrated the ease of spreading a botnet to 8000 iPhones and Android smartphones in an experimental mobile botnet project. Another notable botnet that exploits mobile phones is SYMBOS_YXES [21]. It sends spam SMS messages to the user's contacts, getting the message content from a website.

Anonymity Networks

Anonymity networks allow users to hide information about their location and identity. Some popular anonymity networks are Tor, I2P, and GNUnet. Although anonymity networks encourage freedom of expression and increase privacy, they can also be used to cover malicious activities. Anonymity network clients can be embedded in bot programs to hide and secure the communications of botnets [32]. For example, if a bot uses Tor (an implementation of onion routing), it will be nearly impossible to track the botmaster or the other bots it communicates with.

Steganography

According to Wikipedia [34], steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and the intended recipient, suspects the existence of the message. Although it has not been studied in detail, being very hard to detect, steganographic techniques can be employed to obscure the C&C channel of botnets [10]:

1. Least Significant Bit Encoding: Generally uses a lossless image file format to hide arbitrary data inside an image.
2. Microsoft Office 2007/2010 documents: The DOCX, XLSX, and PPTX formats are actually ZIP archives that contain many other files. It is easy to hide extra information in these files.
3. Unicode Homoglyph Encoding: In Unicode, there are many characters that look the same or similar to each other but have different code points.
4. User generated content: Web sites that include user generated content can be used as a C&C channel. Commands can be hidden in blog posts, classified advertisements such as ads on Craigslist, or public messages in social networks such as Facebook and Twitter. This can be used to post commands to public sites without drawing attention. Nazario [23] found a botnet that uses Twitter. It steals user information and sends it to a website; however, it is not using steganography but obfuscation.

IPv6 Tunneling

IPv6 is an Internet protocol designed to address the shortcomings of the current protocol, IPv4. There is a significant and growing effort to migrate to IPv6. However, much software and hardware is not properly configured for IPv6, so it has many vulnerabilities [31]. Some of the vulnerabilities originate from misconfigured firewalls and intrusion detection systems (IDS), and also from implementation errors in IPv6. Botnets may exploit these vulnerabilities, for example IPv6 tunneling, to cover their communications.
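Two of the steganographic carriers listed above can be checked mechanically by a defender: an Office Open XML package must declare every part it contains in [Content_Types].xml, so undeclared ZIP entries are a cheap red flag, and homoglyph-encoded text mixes letters from several Unicode scripts inside one word. The block below is an added example, not code from the paper or from [10]; the minimal DOCX-like package it builds is constructed (it is not a real Word document), and the rule "every entry must match a Default extension or an Override part name" is the check being assumed.

```python
import io
import unicodedata
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def build_package(extra_entries=None) -> bytes:
    """Constructed minimal OOXML-style ZIP; extra_entries simulates smuggled files."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>')
    parts = {"[Content_Types].xml": content_types,
             "_rels/.rels": "<Relationships/>",
             "word/document.xml": "<document/>"}
    parts.update(extra_entries or {})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def undeclared_parts(package: bytes):
    """ZIP entries not covered by a Default extension or an Override part name."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        extensions = {d.get("Extension", "").lower() for d in root.iter(CT_NS + "Default")}
        overrides = {o.get("PartName") for o in root.iter(CT_NS + "Override")}
        suspicious = []
        for info in zf.infolist():
            name = info.filename
            if name == "[Content_Types].xml":
                continue
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if "/" + name not in overrides and ext not in extensions:
                suspicious.append(name)
        return suspicious


def scripts_used(text: str):
    """Unicode script names (first word of the character name) of the letters in text."""
    return {unicodedata.name(ch, "").split(" ")[0] for ch in text if ch.isalpha()}


def looks_homoglyph(text: str) -> bool:
    """A single token drawing letters from more than one script is suspicious."""
    return len(scripts_used(text)) > 1


if __name__ == "__main__":
    clean = build_package()
    smuggled = build_package({"word/media/payload.bin": "constructed hidden blob"})
    print("clean package:", undeclared_parts(clean))
    print("smuggled package:", undeclared_parts(smuggled))
    # U+0430 is CYRILLIC SMALL LETTER A, visually identical to Latin "a".
    print("update:", looks_homoglyph("update"), " upd\u0430te:", looks_homoglyph("upd\u0430te"))
```

The package check is deliberately conservative: a carrier can also hide data inside a declared part or add a matching Default entry, so in practice the declared parts are compared against a known-good template as well. The script check is a per-token heuristic; legitimate multilingual text must be whitelisted before it is used for alerting.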
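Tunnelled IPv6, the last carrier discussed above, is visible on an IPv4 network at the outer header: IPv6-in-IPv4 encapsulation uses IP protocol 41 (used by 6in4 and by 6to4, whose inner addresses sit in 2002::/16), and Teredo wraps IPv6 in UDP on port 3544. The following is an added example, not code from the paper or from the US-CERT report [31], of a classifier a monitoring tool could run over captured packets; the packets are constructed in the block, and the label names are assumptions of this example.

```python
import struct
from ipaddress import IPv6Address

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_IPV6 = 41     # IPv6 carried directly inside IPv4 (6in4, 6to4, ISATAP)
TEREDO_PORT = 3544    # Teredo: IPv6 carried inside UDP
SIX_TO_FOUR_PREFIX = b"\x20\x02"  # 2002::/16


def _ipv4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 packet: 20-byte header, no options, checksum left at zero."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, _ipv4(src), _ipv4(dst))
    return header + payload


def build_ipv6(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed IPv6 header (next header 59 = no next header)."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), 59, 64,
                       IPv6Address(src).packed, IPv6Address(dst).packed) + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify_tunnel(packet: bytes):
    """Label the IPv6 tunnel type of one IPv4 packet, or None for ordinary traffic."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]
    if proto == IPPROTO_IPV6:
        if len(payload) >= 40 and payload[0] >> 4 == 6:
            inner_src, inner_dst = payload[8:24], payload[24:40]
            if inner_src[:2] == SIX_TO_FOUR_PREFIX or inner_dst[:2] == SIX_TO_FOUR_PREFIX:
                return "6to4"
            return "6in4"
        return "proto41-malformed"   # protocol 41 without a valid IPv6 header inside
    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return None


# Constructed captures, one per case (documentation addresses only).
SAMPLE_PACKETS = {
    "6in4": build_ipv4("203.0.113.10", "198.51.100.20", IPPROTO_IPV6,
                       build_ipv6("2001:db8::1", "2001:db8::2")),
    "6to4": build_ipv4("192.0.2.4", "192.88.99.1", IPPROTO_IPV6,
                       build_ipv6("2002:c000:204::1", "2001:db8::5")),
    "teredo": build_ipv4("192.0.2.7", "203.0.113.9", IPPROTO_UDP,
                         build_udp(51000, TEREDO_PORT, build_ipv6("2001:0:c000:204::1", "2001:db8::9"))),
    "plain": build_ipv4("192.0.2.7", "203.0.113.9", IPPROTO_TCP, b"\x00" * 20),
}


def scan(packets):
    """Classify a mapping of name -> raw IPv4 packet."""
    return {name: classify_tunnel(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, label in scan(SAMPLE_PACKETS).items():
        print(f"{name}: {label}")
```

Where IPv6 transition mechanisms are not sanctioned, protocol 41 and UDP/3544 can simply be blocked at the perimeter; where they are, the inner IPv6 header must be fed to the same IDS rules as native traffic, otherwise the tunnel is exactly the blind spot the section describes.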

Conclusion

Botnets are a significant threat. Their effects on the Internet and the threats they pose to privacy are a rising concern. This article explored traditional and current botnets and presented new threats that might be posed by botnets in the future. Traditional botnets use centralized C&C servers; therefore, they are prone to attacks due to the single point of failure. Nevertheless, there is an increasing trend towards P2P-based botnets. Such a distributed network architecture allows botnets to be resilient and robust. It is nearly impossible to shut down a well designed P2P-based botnet entirely. Also, there are studies about utilizing strong cryptography in botnets. Bots are always designed to carry out malicious activities. Some of the important activities are DDoS attacks, e-mail spamming, and information theft. These activities may result in catastrophic losses and damages. There are also other techniques that can be employed in future botnets, such as the use of code armoring, scripting languages, anonymity networks, steganography, and IPv6 tunneling. We can try to foresee oncoming threats by investigating recent botnets and transposing ideas from other malware studies. For example, there is a bot in the wild that contains a Lua interpreter. It can be a sign of future botnets with interpreters. Another example can be the … Bot authors may eventually notice these possibilities and apply them to their bots.

References

[1] Botnet scams are exploding. USA Today. Available from: http://www.usatoday.com/tech/news/computersecurity/2008-03-16-computer-botnets_N.htm.
[2] UPX Packer. Available from: http://upx.sourceforge.net.
[3] MessageLabs Intelligence, August 2010. Available from: http://www.messagelabs.com/.../MLI_2010_08_August_Final_EN.pdf.
[4] J. Aycock, R. deGraaf, and M. Jacobson. Anti-disassembly using Cryptographic Hash Functions. Journal in Computer Virology, 2(1):79–85, 2006. doi:10.1007/s11416-006-0011-3.
[5] K. Baek, S. Bratus, S. Sinclair, and S. W. Smith. Dumbots: Unexpected Botnets through Networked Embedded Devices. 2007.
[6] A. Barakat and S. Khattab. A Comparative Study of Traditional Botnets versus Super-Botnet. In The 7th International Conference on Informatics and Systems, 2010.
[7] P. Barford and V. Yegneswaran. An Inside Look at Botnets. Advances in Information Security, 27(3):171–191, 2007.
[8] J. Calvet, C. R. Davis, P.-M. Bureau, et al. Malware authors don't learn, and that's good! In 2009 4th International Conference on Malicious and Unwanted Software (MALWARE), pages 88–97, 2009.
[9] K. Chiang and L. Lloyd. A Case Study of the Rustock Rootkit and Spam Bot. In First Workshop on Hot Topics in Understanding Botnets (HotBots), 2007.
[10] A. Crenshaw. Steganographic Command and Control: Building a communication channel that withstands hostile scrutiny. Available from: http://www.irongeek.com/i.php?page=security/steganographic-command-and-control.
[11] S. DiBenedetto, K. Gadkari, N. Diel, A. Steiner, D. Massey, and C. Papadopoulos. Fingerprinting Custom Botnet Protocol Stacks. 2010.
[12] W. Diffie, P. C. van Oorschot, and M. J. Wiener. Authentication and authenticated key exchanges. Designs, Codes and Cryptography, 2(2):107–125, 1992.
[13] M. Feily, A. Shahrestani, and S. Ramadass. A Survey of Botnet and Botnet Detection. In 2009 Third International Conference on Emerging Security Information, Systems and Technologies, pages 268–273, 2009.
[14] N. Ferguson and B. Schneier. Practical Cryptography. Wiley Publishing, 2003.
[15] M. Ferrer. OSX/Krowi.A Virus Detail. Available from: .../virusinfo/virus.aspx?id=77490.
[16] C. Gentry and S. Halevi. A Working Implementation of Fully Homomorphic Encryption. 2010.
[17] K. J. Higgins. Smartphone Weather App Builds A Mobile Botnet. Dark Reading, 2010.
[18] R. Hund, M. Hamann, and T. Holz. Towards Next-Generation Botnets. In European Conference on Computer Network Defense, pages 33–40, 2008.
[19] Signed Malware Coming To A Phone Near You? Dark Reading. Available from: http://www.darkreading.com/insider-threat/167801100/security/application-security/223200001/signed-malware-coming-to-a-phone-near-you.html.
[20] K. Kaemarungsi, N. Yoskamtorn, K. Jirawannakool, N. Sanglerdsinlapachai, and C. Luangingkasut. Botnet Statistical Analysis Tool for Limited Resource Computer Emergency Response Team. In 2009 Fifth International Conference on IT Security Incident Management and IT Forensics, pages 27–40, 2009.
[21] J. Leopando. SYMBOS_YXES. TrendLabs Malware Blog. Available from: http://blog.trendmicro.com.
[22] C. Li, W. Jiang, and X. Zou. Botnet: Survey and Case Study. In 2009 Fourth International Conference on Innovative Computing, Information and Control (ICICIC), pages 1184–1187, 2009.
[23] J. Nazario. Twitter-based Botnet Command Channel. Arbor Networks ASERT, 2009. Available from: http://asert.arbornetworks.com/2009/08/twitter-based-botnet-command-channel/.
[24] I. Paul. Nasty New Worm Targets Home Routers, Cable Modems. PC World, 2009. Available from: http://www.pcworld.com/article/161941/nasty_new_worm_targets_home_routers_cable_modems.html.
[25] P. Porras, H. Saidi, and V. Yegneswaran. A Multiperspective Analysis of the Storm (Peacomm) Worm. 2007.
[26] G. Starnberger, C. Kruegel, and E. Kirda. Overbot: A botnet protocol based on Kademlia. In 4th International Conference on Security and Privacy in Communication Networks (SecureComm), pages 111–123, 2008.
[27] Research of an Innovative P2P-Based Botnet. In 2010 International Conference on Machine Vision and Human-machine Interface, pages 214–218, 2010.
[28] The New Architecture of P2P-Botnet. In 2010 Second Cybercrime and Trustworthy Computing Workshop, pages 34–40, 2010.
[29] J. Stewart. Inside the Storm: Protocols and Encryption of the Storm Botnet. Black Hat USA, 2008. Available from: http://www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf.
[30] A Survey on Botnets with Cryptography. Available from: http://www.articlesbase.com/.../a-survey-on-botnets-with-cryptography-1396636.html.
[31] US-CERT. Malware Tunneling in IPv6. Available from: http://www.us-cert.gov/reading_room/IPv6Malware-Tunneling.pdf.
[32] R. Vogt, J. Aycock, and M. Jacobson. Army of Botnets. In Network and Distributed System Security Symposium (NDSS), 2007.
[33] Wikipedia. Botnet. Available from: http://en.wikipedia.org/w/index.php?title=Botnet&oldid=404983408.
[34] Wikipedia. Steganography. Available from: http://en.wikipedia.org/w/index.php?title=Steganography&oldid=404374754.
[35] H. R. Zeidanloo, M. Safari, M. Zamani, et al. A Taxonomy of Botnet Detection Techniques. In 3rd IEEE International Conference on Computer Science and Information Technology, pages 158–162, 2010.
[36] Z. Zhu, G. Lu, Y. Chen, Z. J. Fu, P. Roberts, and K. Han. Botnet Research Survey. In 2008 32nd Annual IEEE International Computer Software and Applications Conference, pages 967–972, July 2008.
