FIFTH SEMESTER, MCA: 2009-2012
SCHOOL OF COMPUTER SCIENCE AND INFORMATION TECHNOLOGY
CHINMAYA INSTITUTE OF TECHNOLOGY KANNUR
I CHATHOTH JITHIN, fifth semester MCA, student of Chinmaya Institute of Technology, do hereby declare that the Seminar Report entitled BOTNET is the original work carried out by me under the supervision of Mr BIMAL V.O towards partial fulfillment of the requirement of MCA Degree.
Signature of the Student
This is to certify that the Seminar Report titled BOTNET was prepared and presented by CHATHOTH JITHIN of the School of Computer Science and Information Technology, Chinmaya Institute of Technology in partial fulfillment of the requirement as a subject under the University of Kannur during the fifth Semester.
Faculty in Charge
ACKNOWLEDGEMENT

The success of anything needs co-operation and encouragement from different quarters. Words are inadequate to express my profound and deep sense of gratitude to all those who helped me in completing this seminar. With deep sense of gratitude, I express my sincere thanks to Dr. Falgunan K., Principal, Chinmaya Institute of Technology, for having given me an opportunity to conduct this seminar. With profound gratitude, I thank Mr. Bimal V.O., Professor, School of Computer Science & Information Technology, for his enthusiastic guidance and encouragement. I express my sincere thanks to my parents, faculty members and my friends for their affectionate blessings and loving cooperation at all times. Above all I thank God almighty for bestowing me with blessings for completion of this seminar successfully.
ABSTRACT

The continued growth and diversification of the Internet has been accompanied by an increasing prevalence of attacks and intrusions. It can be argued, however, that a significant change in motivation for malicious activity has taken place over the past several years: from vandalism and recognition in the hacker community, to attacks and intrusions for financial gain. This shift has been marked by a growing sophistication in the tools and methods used to conduct attacks, thereby escalating the network security arms race. Our thesis is that the reactive methods for network security that are predominant today are ultimately insufficient and that more proactive methods are required. One such approach is to develop a foundational understanding of the mechanisms employed by malicious software (malware), which is often readily available in source form on the Internet. While it is well known that large IT security companies maintain detailed databases of this information, these are not openly available and we are not aware of any such open repository. In this paper we begin the process of codifying the capabilities of malware by dissecting four widely-used Internet Relay Chat (IRC) botnet codebases. Each codebase is classified along seven key dimensions including botnet control mechanisms, host control mechanisms, propagation mechanisms, exploits, delivery mechanisms, obfuscation and deception mechanisms. Our study reveals the complexity of botnet software, and we discuss implications for defense strategies based on our analysis.
CONTENTS

1) INTRODUCTION
2) HISTORY
3) SCOPE
4) TYPES
   4.1) BOT TYPES
   4.2) BOTNET TYPES
   4.3) TYPES OF ATTACK
5) TOPOLOGY
6) CREATION OF A DEMO BOTNET
7) PREVENTIVE MEASURES
8) STORM BOTNET
9) MAYDAY
10) BOTNET DETECTION AND MITIGATION
11) HONEYPOT
12) CONCLUSION
13) REFERENCES
INTRODUCTION

A botnet is a network of zombie computers controlled by a single entity. The term is a portmanteau of the phrase "Robot Network". Usually, the zombies in use by a botnet are compromised computers running the Microsoft Windows operating system that have been infected with some sort of malware. These computers communicate with other botnet machines via the Internet, usually via IRC. Botnets are effective in performing tasks that would be impossible given only a single computer, a single IP address, or a single Internet connection. The anonymity that a botnet affords often helps the user avoid detection and possible prosecution.

Most botnets are distributed-design systems, with the botnet operator giving instructions to only a small number of machines. These machines then propagate the instructions to other compromised machines. The distributed design prevents the discovery of the controlling computers.

Originally, botnets were used for performing distributed denial of service attacks. However, most modern web servers have developed strategies to combat such DDoS attacks. Furthermore, many counter-DDoS strategies blacklist the IP addresses of attacking computers, thus exposing the botnet's machines and making this use of a botnet ineffective. As the spam market has become profitable, and since ISPs usually discontinue service to subscribers who send spam, botnets were found to be an effective resource for sending spam. Additionally, many compromised computers contain address books of email addresses which can be incorporated into the list of addresses to send spam to. Zombies that are not actively sending spam at any point in time can be configured to scrape the web looking for new email addresses to spam, adding further value to the botnet.

Botnets have become a significant part of the Internet, albeit increasingly hidden. It has been estimated that botnets control up to 15% of computers worldwide that are connected to the Internet. Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets, controllers must now find their own servers. Often, a botnet will include a variety of connections and network types. Sometimes a controller will hide an IRC server installation on an educational or corporate site where high-speed connections can support a large number of other bots. Exploitation of this method of using a bot to host other bots has proliferated only recently.

Several botnets have been found and removed from the Internet. The Dutch police found a 1.5 million node botnet and the Norwegian ISP Telenor disbanded a 10,000-node botnet. Large coordinated international efforts to shut down botnets have also been initiated. In July 2010, the FBI arrested a 23-year-old Slovenian said to have integrated an estimated 12 million computers into a botnet. Conficker is one of the largest known botnets, with an estimated 1 million to 10 million infected machines. It attempts to sell fake antivirus software to its victims.

HISTORY

Bots originated as a useful tool without any significant malicious overtone; they were originally developed as a virtual individual that could sit in an IRC channel and perform tasks while the user was too occupied to do so. Soon after the release of the first IRC bot, a few worms which exploited vulnerabilities in IRC clients began to appear. Infected computers, or newly formed "bots", were then used to steal passwords, log keystrokes, and act as a proxy server to conceal the attacker's identity.

Botnets were used for both recognition and financial gain: indeed, the larger the botnet, the more 'kudos' the person ('bot herder') orchestrating the botnet could claim in underground online communities. The bot herder can also 'rent out' the services of the botnet to third parties, usually for sending out spam messages or performing a denial of service attack against a remote target. Due to the large numbers of compromised machines within the botnet, huge volumes of traffic (either email or denial of service) can be generated. However, in recent times, the volume of spam originating from a single compromised host has dropped in order to thwart anti-spam detection algorithms: a larger number of compromised hosts send a smaller number of messages in order to evade detection by anti-spam techniques.
SCOPE

A botnet is nothing more than a tool. There are many different motives for using them. They are used widely by law enforcement agencies armed with search warrants. There is also warrantless surveillance by such organizations as the NSA. Other uses may also be criminally motivated (e.g. denial of service attacks, key logging, packet sniffing, etc.) or for monetary purposes (click fraud). Packet sniffing is the monitoring of data traffic into and out of a computer or network. It is used in computer surveillance. A surveillance program installed on a computer can search the contents of the hard drive for suspicious data, monitor computer use, collect passwords, and even report back to its operator through the Internet connection.

The term "botnet" is used to refer to any group of bots. It is generally a collection of compromised computers (called zombie computers) running programs under a common command and control infrastructure. A botnet's originator can control the group remotely, usually through means such as IRC, for various purposes.

The establishment of a botnet involves the following:

Exploitation: Typical ways of exploitation are through social engineering. Actions such as phishing, email, buffer overflow and instant messaging scams are common ways of infecting a user's computer.

Infection: After successful exploitation, a bot uses Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP), HyperText Transfer Protocol (HTTP) or an IRC channel to transfer itself to the compromised host.

Control: After successful infection, the botnet's author uses various commands to make the compromised computer do what he wants it to do.

Spreading: Bots can automatically scan their environment and propagate themselves using vulnerabilities. Therefore, each bot that is created can infect other computers on the network by scanning an IP range or port scanning.
TYPES OF BOTS

Agobot/Phatbot/Forbot/XtremBot

This is probably the best known bot. Currently, the AV vendor Sophos lists more than 500 known different versions of Agobot (Sophos virus analyses) and this number is steadily increasing. The bot itself is written in C++ with cross-platform capabilities and the source code is put under the GPL. Agobot was written by Ago alias Wonk, a young German man who was arrested in May 2004 for computer crime. The latest available versions of Agobot are written in tidy C++ and show a really high abstract design. The bot is structured in a very modular way, and it is very easy to add commands or scanners for other vulnerabilities: simply extend the CCommandHandler or CScanner class and add your feature. Agobot uses libpcap (a packet sniffing library) and Perl Compatible Regular Expressions (PCRE) to sniff and sort traffic. Agobot can use NTFS Alternate Data Streams (ADS) and offers rootkit capabilities like file and process hiding to hide its own presence on a compromised host. Furthermore, reverse engineering this malware is harder since it includes functions to detect debuggers (e.g. SoftICE and OllyDbg) and virtual machines (e.g. VMware and Virtual PC). In addition, Agobot is the only bot that utilized a control protocol other than IRC: a fork using the distributed, organized WASTE chat network is available. Furthermore, the Linux version is able to detect the Linux distribution used on the compromised host and sets up a correct init script.

SDBot/RBot/UrBot/UrXBot/...

This family of malware is at the moment the most active one: Sophos currently lists seven derivatives on the "Latest 10 virus alerts". SDBot is written in very poor C and also published under the GPL. It is the father of RBot, RxBot, UrBot, UrXBot, JrBot, and probably many more. The source code of this bot is not very well designed or written. Nevertheless, attackers like it, and it is very often used in the wild. It offers similar features to Agobot, although the command set is not as large, nor the implementation as sophisticated.

mIRC-based Bots - GT-Bots

We subsume all mIRC-based bots as GT-bots, since there are so many different versions of them that it is hard to get an overview of all forks. mIRC itself is a popular IRC client for Windows. GT is an abbreviation for Global Threat and this is the common name used for all mIRC-scripted bots. These bots launch an instance of the mIRC chat client with a set of scripts and other binaries. One binary you will never miss is a HideWindow executable used to make the mIRC instance unseen by the user. The other binaries are mainly Dynamic Link Libraries (DLLs) linked to mIRC that add some new features the mIRC scripts can use. The mIRC scripts, often having the extension ".mrc", are used to control the bot. They can access the scanners in the DLLs and take care of further spreading. GT-Bots spread by exploiting weaknesses on remote computers and uploading themselves to compromised hosts (file size > 1 MB).

Besides these three types of bots which we find on a nearly daily basis, there are also other bots that we see more seldom. Some of these bots offer "nice" features and are worth mentioning here:

• DSNX Bots: The Dataspy Network X (DSNX) bot is written in C++ and has a convenient plugin interface. An attacker can easily write scanners and spreaders as plugins and extend the bot's features. Again, the code is published under the GPL. This bot has one major disadvantage: the default version does not come with any spreaders. But plugins are available to overcome this gap. Furthermore, plugins that offer services like DDoS attacks, a portscan interface or a hidden HTTP server are available.

• Q8Bots: Q8bot is a very small bot, consisting of only 926 lines of C code. And it has one additional noteworthiness: it is written for Unix/Linux systems. It implements all common features of a bot: dynamic updating via HTTP downloads, various DDoS attacks (e.g. SYN flood and UDP flood), execution of arbitrary commands, and many more. In the version we have captured, spreaders are missing. But presumably versions of this bot exist which also include spreaders.

• kaiten: This bot lacks a spreader too, and is also written for Unix/Linux systems. The weak user authentication makes it very easy to hijack a botnet running with kaiten. The bot itself consists of just one file. Thus it is very easy to fetch the source code using wget, and compile it on a vulnerable box using a script. Kaiten offers an easy remote shell, so checking for further vulnerabilities to gain privileged access can be done via IRC.

• Perl-based bots: There are many different versions of very simple bots based on the programming language Perl. These bots are very small and contain in most cases only a few hundred lines of code. They offer only a rudimentary set of commands (most often DDoS attacks) and are used on Unix-based systems.
BOTNET TYPES

Today's botnet classification is relatively simple, and uses botnet architecture and the protocols used to control bots as a basis.

Classification of botnets according to architecture

There are currently only two known types of botnet architecture.

Centralized botnets

In this type of botnet, all computers are connected to a single command-and-control center or C&C. The C&C waits for new bots to connect, registers them in its database, tracks their status and sends them commands selected by the botnet owner from a list of bot commands. All zombie computers in the botnet are visible to the C&C. The zombie network owner needs access to the command and control center to be able to manage a centralized botnet.

Figure 1. Centralized topology (C&C)

Centralized botnets are the most widespread type of zombie network. Such botnets are easier to create, easier to manage and they respond to commands faster. However, it is also easier to combat centralized botnets, since the entire zombie network is neutralized if the C&C is put out of commission.

Decentralized or P2P (peer-to-peer) botnets

In a decentralized botnet, bots connect to several infected machines on a bot network rather than to a command and control center. Commands are transferred from bot to bot: each bot has a list of several 'neighbors', and any command received by a bot from one of its neighbors will be sent on to the others, further distributing it across the zombie network. In this case, a cybercriminal needs to have access to at least one computer on the zombie network to be able to control the entire botnet.

Figure 2. Decentralized topology (P2P)

In practice, building decentralized botnets is not an easy task, since each newly infected computer needs to be provided with a list of bots to which it will connect on the zombie network. It is much easier to direct a bot to a central server first, where it will receive a list of 'neighbor' bots, and only then switch it to P2P connections. This mixed topology is also categorized as P2P, although at a certain stage the bots will use a C&C. Combating decentralized botnets is a much more difficult task than combating centralized networks, as an active P2P botnet has no control center.

Classification of botnets according to network protocols

For a botnet owner to be able to send commands to a bot, it is essential that a network connection be established between the zombie machine and the computer transmitting commands to it. All network connections are based on protocols that define rules for the interaction between computers on the network. Therefore, botnets can be classified based on the network protocols used. Botnets can be divided into the following classes when classified according to network protocols:

IRC-oriented

This is one of the very first types of botnet: bots were controlled via IRC (Internet Relay Chat) channels. Each infected computer connected to the IRC server indicated in the body of the bot program, and waited for commands from its master on a certain channel.

IM-oriented

This type of botnet is not particularly common. It differs from IRC-oriented botnets only in that it uses communication channels provided by IM (instant messaging) services such as AOL, MSN, ICQ etc. The reason for the relatively low popularity of such botnets lies in the difficulty of creating individual IM accounts for each bot. Bots should be connected to the network and remain online all the time. Since most IM services do not permit logging on to the system from more than one computer at a time while using the same account, each bot needs its own IM account. However, IM services try hard to prevent any kind of automatic account registration. As a result, owners of IM-oriented botnets only have a limited number of registered IM accounts at their disposal, which limits the number of bots that can be online at any one time. Of course, they can arrange for different bots to share the same account, come online at predefined times, send data to the owner's number and wait for a reply for a limited period of time, but this is inefficient: it takes such networks too long to respond to their masters' commands.

Web-oriented

This is a relatively new and rapidly evolving type of botnet designed to control zombie networks over the World Wide Web. A bot connects to a predefined web server, receives commands from it and transfers data to it in response. Such zombie networks are popular because they are relatively easy to create, there is no shortage of web servers on the Internet and a web interface can be used for easy management.

Other

In addition to the botnet types listed above, there are other types of botnets that communicate via their own protocol that is only based on the TCP/IP stack, i.e. they only use transport-layer protocols such as TCP, ICMP and UDP.
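The resilience difference between the two architectures above can be measured directly: flood a command through a graph of bots and count how many still receive it after a takedown. The following simulation is an added example, not part of the original report; the star and neighbor-list graphs are constructed toy data, and `bot0` is assumed to be the one infected machine the operator keeps access to in the P2P case.

```python
"""Command propagation in a centralized (C&C) vs a P2P botnet, and the share
of bots a takedown actually neutralizes.  Constructed graphs, not real data."""
from collections import deque
import random


def build_centralized(n_bots):
    """Star topology: every bot's only neighbor is the C&C node 'cc'."""
    graph = {"cc": set()}
    for i in range(n_bots):
        bot = f"bot{i}"
        graph[bot] = {"cc"}
        graph["cc"].add(bot)
    return graph


def build_p2p(n_bots, neighbors_per_bot, seed=1):
    """Each bot holds a neighbor list; links are symmetric so a command
    received from one neighbor can be forwarded to all the others."""
    rng = random.Random(seed)
    names = [f"bot{i}" for i in range(n_bots)]
    graph = {b: set() for b in names}
    for i, bot in enumerate(names):
        # a deterministic ring link keeps the constructed graph connected;
        # the extra random links model neighbor lists handed out at infection
        ring_peer = names[(i + 1) % n_bots]
        graph[bot].add(ring_peer)
        graph[ring_peer].add(bot)
        for peer in rng.sample(names, neighbors_per_bot):
            if peer != bot:
                graph[bot].add(peer)
                graph[peer].add(bot)
    return graph


def reachable_bots(graph, start, removed=frozenset()):
    """Breadth-first flood of a command from `start`, skipping nodes that were
    taken down.  Returns the set of bots that receive the command."""
    if start in removed or start not in graph:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                queue.append(nxt)
    return {n for n in seen if n.startswith("bot")}


def takedown_effect(graph, controller, removed):
    """Fraction of all bots the operator can still command after `removed`
    nodes are taken offline (1.0 = takedown achieved nothing)."""
    total = sum(1 for n in graph if n.startswith("bot"))
    alive = reachable_bots(graph, controller, frozenset(removed))
    return len(alive) / total


if __name__ == "__main__":
    central = build_centralized(50)
    p2p = build_p2p(50, neighbors_per_bot=3)
    print("centralized, C&C removed:", takedown_effect(central, "cc", {"cc"}))
    print("p2p, five peers removed: ",
          takedown_effect(p2p, "bot0", {f"bot{i}" for i in range(1, 6)}))
```

Removing the single C&C node drops the centralized figure to 0.0, while removing five peers from the P2P graph leaves the remaining 45 bots reachable, which is the "no control center" property the text describes.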
TYPES OF ATTACKS

A botnet is nothing more than a tool, and there are as many different motives for using them as there are people. The most common uses were criminally motivated (i.e. monetary) or for destructive purposes. Based on the data we captured, the possibilities to use botnets can be categorized as listed below. And since a botnet is nothing more than a tool, there are most likely other potential uses that we have not listed.

Distributed Denial-of-Service Attacks

Often botnets are used for Distributed Denial-of-Service (DDoS) attacks. A DDoS attack is an attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services by consuming the bandwidth of the victim network or overloading the computational resources of the victim system. Each bot we have analyzed so far includes several different possibilities to carry out a DDoS attack against other hosts. Most commonly implemented and also very often used are TCP SYN and UDP flood attacks. Script kiddies apparently consider DDoS an appropriate solution to every social problem. Further research showed that botnets are even used to run commercial DDoS attacks against competing corporations: Operation Cyberslam documents the story of Jay R. Echouafni and Joshua Schichtel alias EMP. Echouafni was indicted on August 25, 2004 on multiple charges of conspiracy and causing damage to protected computers. He worked closely together with EMP, who ran a botnet to send bulk mail and also carried out DDoS attacks against the spam blacklist servers. In addition, they took Speedera, a global on-demand computing platform, offline when they ran a paid DDoS attack to take a competitor's website down.

Note that DDoS attacks are not limited to web servers; virtually any service available on the Internet can be the target of such an attack. Higher-level protocols can be used to increase the load even more effectively by using very specific attacks, such as running exhausting search queries on bulletin boards or recursive HTTP floods on the victim's website. Recursive HTTP flood means that the bots start from a given HTTP link and then follow all links on the provided website in a recursive way. This is also called spidering. In addition, the resources on the path are exhausted if the DDoS attack causes many packets per second (pps).

Spamming

Some bots offer the possibility to open a SOCKS v4/v5 proxy, a generic proxy protocol for TCP/IP-based networking applications (RFC 1928), on a compromised machine. After having enabled the SOCKS proxy, this machine can then be used for nefarious tasks such as spamming. With the help of a botnet and thousands of bots, an attacker is able to send massive amounts of bulk email (spam). Some bots also implement a special function to harvest email addresses. Often that spam you are receiving was sent from, or proxied through, grandma's old Windows computer sitting at home. In addition, this can of course also be used to send phishing mails, since phishing is a special case of spam.

Sniffing Traffic

Bots can also use a packet sniffer to watch for interesting clear-text data passing by a compromised machine. The sniffers are mostly used to retrieve sensitive information like usernames and passwords. But the sniffed data can also contain other interesting information. If a machine is compromised more than once and is also a member of more than one botnet, the packet sniffing allows the key information of the other botnet to be gathered. Thus it is possible to "steal" another botnet.

Keylogging

If the compromised machine uses encrypted communication channels (e.g. HTTPS or POP3S), then just sniffing the network packets on the victim's computer is useless, since the appropriate key to decrypt the packets is missing. But most bots also offer features to help in this situation. With the help of a keylogger it is very easy for an attacker to retrieve sensitive information. An implemented filtering mechanism (e.g. "I am only interested in key sequences near the keyword 'paypal.com'") further helps in stealing secret data. And if you imagine that this keylogger runs on thousands of compromised machines in parallel, you can imagine how quickly PayPal accounts are harvested.

Spreading new malware

In most cases, botnets are used to spread new bots. This is very easy since all bots implement mechanisms to download and execute a file via HTTP or FTP. But spreading an email virus using a botnet is a very nice idea, too. A botnet with 10,000 hosts which acts as the start base for the mail virus allows very fast spreading and thus causes more harm. The Witty worm, which attacked the ICQ protocol parsing implementation in Internet Security Systems (ISS) products, is suspected to have been initially launched by a botnet due to the fact that the attacking hosts were not running any ISS services.

Installing Advertisement Addons and Browser Helper Objects (BHOs)

Botnets can also be used to gain financial advantages. This works by setting up a fake website with some advertisements: the operator of this website negotiates a deal with some hosting companies that pay for clicks on ads. With the help of a botnet, these clicks can be "automated" so that instantly a few thousand bots click on the pop-ups. This process can be further enhanced if the bot hijacks the start page of a compromised machine so that the "clicks" are executed each time the victim uses the browser.

Google AdSense abuse

A similar abuse is also possible with Google's AdSense program: AdSense offers companies the possibility to display Google advertisements on their own website and earn money this way. The company earns money due to clicks on these ads, for example per 10,000 clicks in one month. An attacker can abuse this program by leveraging his botnet to click on these advertisements in an automated fashion and thus artificially increment the click counter. This kind of usage for botnets is relatively uncommon, but not a bad idea from an attacker's perspective.

Attacking IRC Chat Networks

Botnets are also used for attacks against Internet Relay Chat (IRC) networks. Popular among attackers is especially the so-called "clone attack": in this kind of attack, the controller orders each bot to connect a large number of clones to the victim IRC network. The victim is flooded by service requests from thousands of bots or thousands of channel joins by these cloned bots. In this way, the victim IRC network is brought down, similar to a DDoS attack.

Manipulating online polls/games

Online polls/games are getting more and more attention and it is rather easy to manipulate them with botnets. Since every bot has a distinct IP address, every vote will have the same credibility as a vote cast by a real person. Online games can be manipulated in a similar way. Currently we are aware of bots being used that way, and there is a chance that this will get more important in the future.

Mass identity theft

Often the combination of different functionality described above can be used for large-scale identity theft, one of the fastest growing crimes on the Internet. Bogus emails ("phishing mails") that pretend to be legitimate (such as fake PayPal or banking emails) ask their intended victims to go online and submit their private information. These fake emails are generated and sent by bots via their spamming mechanism. These same bots can also host multiple fake websites pretending to be Ebay, PayPal, or a bank, and harvest personal information. Just as quickly as one of these fake sites is shut down, another one can pop up. In addition, keylogging and sniffing of traffic can also be used for identity theft.
TOPOLOGY

While botnets are often named after their malicious software name, there are typically multiple botnets in operation using the same malicious software families, but operated by different criminal entities. While the term "botnet" can be used to refer to any group of bots, such as IRC bots, this word is generally used to refer to a collection of computers (called zombie computers) which have been recruited by running malicious software. A botnet's originator (aka "bot herder" or "bot master") can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Often the command-and-control takes place via an IRC server or a specific channel on a public IRC network. This server is known as the command-and-control server ("C&C"). Though rare, more experienced botnet operators program their own command protocols from scratch. The constituents of these protocols include a server program, a client program for operation, and the program that embeds itself on the victim's machine (bot). All three of these usually communicate with each other over a network using a unique encryption scheme for stealth and protection against detection or intrusion into the botnet network.

A bot typically runs hidden and uses a covert channel to communicate with its C&C server. Generally, the perpetrator of the botnet has compromised a series of systems using various tools. Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community. The process of stealing computing resources as a result of a system being joined to a "botnet" is sometimes referred to as "scrumping." Botnet servers will often liaise with other botnet servers, such that a group may contain 20 or more individual cracked high-speed connected machines as servers, linked together for purposes of greater redundancy. Actual botnet communities usually consist of one or several controllers that rarely have highly developed command hierarchies between themselves; they rely on individual friend-to-friend relationships. Individual programs manifest as IRC "bots".

The architecture of botnets has evolved over time, and not all botnets exhibit the same topology for command and control. Depending upon the topology implemented by the botnet, it may be more resilient to shutdown, enumeration, or command and control location discovery. However, some of these topologies limit the saleability and rental potential of the botnet to other third-party operators. Typical botnet topologies are:

• STAR
• MULTI-SERVER
• HIERARCHICAL
• RANDOM
CREATION OF A DEMO BOTNET

This example illustrates how a botnet is created and used to send email spam.

How a botnet works

1. A botnet operator sends out viruses or worms, infecting ordinary users' computers, whose payload is a malicious application: the bot.
2. The bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases, a web server).
3. A spammer purchases the services of the botnet from the operator.
4. The spammer provides the spam messages to the operator, who instructs the compromised machines via the IRC server, causing them to send out spam messages.

Botnets are exploited for various purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam (see Spambot), click fraud, spamdexing and the theft of application serial numbers, login IDs, and financial information such as credit card numbers. The botnet controller community features a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the most "high-quality" infected machines, like university, corporate, and even government machines.
The botnet server structure mentioned above has inherent vulnerabilities and problems. For example, if one were to find one server with one botnet channel, often all other servers, as well as the other bots themselves, will be revealed. If a botnet server structure lacks redundancy, the disconnection of one server will cause the entire botnet to collapse, at least until the controller(s) decide on a new hosting space. However, more recent IRC server software includes features to mask other connected servers and bots, so that the discovery of one channel will not lead to disruption of the botnet.

Some botnets use free DNS hosting services such as DynDns.org, No-IP.com, and Afraid.org to point a subdomain towards an IRC server that will harbor the bots. While these free DNS services do not themselves host attacks, they provide reference points (often hard-coded into the botnet executable). Removing such services can cripple an entire botnet. Recently, these companies have undertaken efforts to purge their domains of these subdomains. The botnet community refers to such efforts as "nullrouting", because the DNS hosting services usually redirect the offending subdomains to an inaccessible IP address.

Similarly, some botnets implement custom versions of well-known protocols. The implementation differences can be used for fingerprint-based detection of botnets. For example, Mega-D features a slightly modified SMTP protocol implementation for testing the spam capability. Bringing down Mega-D's SMTP server disables the entire pool of bots that rely upon the same SMTP server.

PREVENTIVE MEASURES
If a machine receives a denial-of-service attack from a botnet, few choices exist. Given the general geographic dispersal of botnets, it becomes difficult to identify a pattern of offending machines, and the sheer volume of IP addresses does not lend itself to the filtering of individual cases. Passive OS fingerprinting can identify attacks originating from a botnet: network administrators can configure newer firewall equipment to take action on a botnet attack by using information obtained from passive OS fingerprinting. The most serious preventive measures utilize rate-based intrusion prevention systems implemented with specialized hardware.

A network-based intrusion detection system (NIDS) is an effective approach for detecting the activity that precedes or accompanies botnet attacks. A NIDS monitors a network rather than a single system: it sees protected hosts in terms of their external interfaces to the rest of the network, and gets most of its results by network packet analysis.

Several security companies such as Afferent Security Labs, Symantec, Trend Micro, FireEye, Umbra Data and Damballa have announced offerings to stop botnets. While some, like Norton AntiBot (discontinued), are aimed at consumers, most are aimed to protect enterprises and/or ISPs. The host-based techniques use heuristics to try to identify bot behavior that has bypassed conventional antivirus software. Network-based approaches tend to use the techniques described above: shutting down C&C servers, nullrouting DNS entries, or completely shutting down IRC servers.

Newer botnets are almost entirely P2P, with command-and-control embedded into the botnet itself. By being dynamically updateable and variable they can evade having any single point of failure. Commanders can be identified solely through secure keys and all data except the binary itself can be encrypted. For example, a spyware program may encrypt all suspected passwords with a public key hard-coded into or distributed with the bot software; only with the private key, which only the commander has, can the data that the bot has captured be read. Newer botnets have even been capable of detecting and reacting to attempts to figure out how they work. A large botnet that can detect that it is being studied can even DDoS those studying it off the Internet.
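The passive OS fingerprinting mentioned above works because each operating system stamps its TCP SYNs with a characteristic initial TTL and receive window, so a flood whose sources are almost all consumer Windows machines, arriving from many different hop distances, looks like a botnet rather than a single spoofing host. The Python below is an added example written for this page; it is not code from any of the vendors or projects named here. The signature table is a deliberately small, approximate p0f-style table (an assumption, and real fingerprinters also use MSS, window scaling, option order and the DF bit), and the packets are constructed inside the script rather than captured from a network.

```python
import struct
from collections import Counter

# Small, approximate p0f-style table (assumption for this example): the TCP SYN of each OS
# family carries a characteristic initial TTL and receive window.  Real fingerprinters also use
# MSS, window scaling, option order and the DF bit.
SYN_SIGNATURES = {
    (128, 65535): "Windows XP/2000",
    (128, 16384): "Windows 2000/XP (small window)",
    (128, 8192): "Windows 7/Vista",
    (64, 5840): "Linux 2.4/2.6",
    (64, 65535): "FreeBSD/macOS",
}
INITIAL_TTLS = (64, 128, 255)


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull TTL, window, destination port and SYN/ACK flags out of a raw IPv4+TCP packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(pkt) < ihl + 20:
        raise ValueError("not an IPv4/TCP packet")
    _sport, dport, _seq, _ack, off_flags, window, _tcsum, _urg = struct.unpack(
        "!HHIIHHHH", pkt[ihl:ihl + 20])
    flags = off_flags & 0x1FF
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "ttl": ttl,
        "window": window,
        "dport": dport,
        "syn_only": bool(flags & 0x02) and not (flags & 0x10),
    }


def guess_initial_ttl(observed: int):
    """Round the on-the-wire TTL up to the nearest common initial value; the gap is the hop count."""
    for initial in INITIAL_TTLS:
        if observed <= initial:
            return initial, initial - observed
    return 255, 0


def fingerprint(fields: dict):
    """Return (os_guess, hops) for one parsed SYN."""
    initial_ttl, hops = guess_initial_ttl(fields["ttl"])
    return SYN_SIGNATURES.get((initial_ttl, fields["window"]), "unknown"), hops


def build_syn(src: str, dst: str, ttl: int, window: int, dport: int = 80) -> bytes:
    """Construct a minimal IPv4+TCP SYN as test data (checksums left zero; never sent on the wire)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, ttl, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 1, 0, (5 << 12) | 0x02, window, 0, 0)
    return ip + tcp


def profile_syn_flood(packets) -> Counter:
    """Tally OS guesses over the SYN-only packets of a flood.

    A flood dominated by one consumer OS, arriving from many different hop distances, is what a
    botnet of infected home machines looks like; a single spoofing host would show one TTL.
    """
    tally = Counter()
    for pkt in packets:
        fields = parse_ipv4_tcp(pkt)
        if fields["syn_only"]:
            tally[fingerprint(fields)[0]] += 1
    return tally


# Constructed sample: forty SYNs to one web server from forty sources, TTLs already decremented
# by 0-19 hops, plus one SYN from a Linux host seven hops away.
SAMPLE_SYNS = (
    [build_syn(f"203.0.113.{i}", "198.51.100.10", 128 - (i % 20), 65535) for i in range(1, 41)]
    + [build_syn("192.0.2.5", "198.51.100.10", 64 - 7, 5840)]
)

if __name__ == "__main__":
    for os_name, count in profile_syn_flood(SAMPLE_SYNS).most_common():
        print(f"{os_name:32s} {count}")
```

The tally, not any single guess, is the useful signal: a firewall acting on it (as the text suggests) would rate-limit the dominant OS class for the duration of the flood rather than try to block forty thousand individual addresses.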
STORM BOTNET
The Storm botnet or Storm worm botnet (not to be confused with StormBot, which is a TCL script that is not malicious) is a remotely controlled network of "zombie" computers (or "botnet") that have been linked by the Storm Worm, a Trojan horse spread through email spam. Some have estimated that by September 2007 the Storm botnet was running on anywhere from 1 million to 50 million computer systems. Other sources have placed the size of the botnet at around 250,000 to 1 million compromised systems. More conservatively, one network security analyst claims to have developed software that has crawled the botnet and estimates that it controls 160,000 infected computers. The Storm botnet was first identified around January 2007, with the Storm worm at one point accounting for 8% of all malware on Microsoft Windows computers.

The Storm botnet has been used in a variety of criminal activities. Its controllers and the authors of the Storm Worm have not yet been identified. The Storm botnet has displayed defensive behaviors that indicated that its controllers were actively protecting the botnet against attempts at tracking and disabling it. The botnet has specifically attacked the online operations of some security vendors and researchers who attempted to investigate the botnet. Security expert Joe Stewart revealed that in late 2007, the operators of the botnet began to further decentralize their operations, in possible plans to sell portions of the Storm botnet to other operators. Some reports as of late 2007 indicated the Storm botnet to be in decline, but many security experts reported that they expect the botnet to remain a major security risk online, and the United States Federal Bureau of Investigation considers the botnet a major risk to increased bank fraud, identity theft, and other cybercrimes.

The botnet is reportedly powerful enough as of September 2007 to force entire countries off the Internet, and is estimated to be capable of executing more instructions per second than some of the world's top supercomputers. However, it is not a completely accurate comparison, according to security analyst James Turner, who said that comparing a botnet to a supercomputer is like comparing an army of snipers to a nuclear weapon. Bradley Anstis, of the United Kingdom security firm Marshal, said, "The more worrying thing is bandwidth. Just calculate four million times a standard ADSL connection. That's a lot of bandwidth. It's quite worrying. Having resources like that at their disposal—distributed around the world with a high presence and in a lot of countries—means they can deliver very effective distributed attacks against hosts."
MAYDAY
Mayday is another interesting botnet, and technically it differs slightly from its forerunners. Backdoor.Win32.Mayday was first detected by Kaspersky Lab in late November 2007, and since then just over 20 different variants of the malicious program have made it into our collection. The bot (Kaspersky Lab classifies it as Backdoor.Win32.Mayday) and the zombie network it creates bear this name because the word was part of a domain name used by one variant of the malicious program.

Mayday is a botnet based on P2P architecture. After launching, a bot connects to the web server specified in the program's body, registers itself in the server database and receives a list of all bots on the infected computer network (in the case of the Storm Worm, each bot received only a partial list). Then the bot establishes peer-to-peer connections with other bots in the zombie network. We found six different servers around the world (in the UK, the US, the Netherlands and Germany) which bots connected to when creating the botnet. By early March 2008, only one server was still operational, with about 3,000 bots registered on it (compare this to the Storm botnet, which at the most conservative estimates included tens of thousands of infected computers). Network size is not the only criterion in which Mayday is inferior to its 'big brother' Storm: the Mayday botnet uses a non-encrypted network communication protocol, the malicious code has not been tweaked to hinder analysis by antivirus software and, most importantly, new bot variants are not released with anything nearing the frequency we saw with new variants of the Storm Worm.

As regards new technologies, however, it is worth noting two non-standard approaches implemented in the botnet. First of all, the Mayday network uses peer-to-peer (P2P) communication based on ICMP messages with a 32-byte payload. Most users are familiar with ICMP (Internet Control Message Protocol) because it is used by the PING utility to check whether a network host is accessible. However, the protocol offers a much more extensive range of functions than this. Wikipedia gives the following definition of ICMP: "The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet protocol suite. It is chiefly used by networked computers' operating systems to send error messages— indicating, for instance, that a requested service is not available or that a host or router could not be reached."

Figure: ICMP packets sent by a Mayday bot (screenshot of a packet sniffer that has registered the transmission of ICMP packets from a Mayday bot).

ICMP is used to check bot accessibility on an infected computer network and for bot identification. None of the bots previously known to us used ICMP to transmit data. Since Mayday bots are designed to work under Windows XP SP2, once launched they modify the Windows firewall rules in order to receive ICMP packets.

The second and perhaps most important thing that is different about a Mayday botnet is its command and control center. In cooperation with law-enforcement agencies, we managed to obtain a copy of the program used in a Mayday C&C. The server-side software of Mayday is a 1.2 megabyte standalone ELF file (the Linux executable file equivalent to Windows EXE files) without any modules. It does not require the system to have a script engine. As a rule, command and control centers for web-oriented botnets are based on script engines and use a mechanism known as CGI (Common Gateway Interface). A CGI application generates the content of a web page requested by a user in real time, ensuring execution of the program and displaying the results of its operation instead of static data from the web server. By design, web server technology allows for the use of executable files as an implementation of CGI. Later, a variety of script engines appeared as well. A CGI script works in a similar way, but it needs an interpreter (script engine) to output the results of its operation.

It is far more difficult to develop a CGI application than it is to write a CGI script, because it requires special effort to make the code stable and reliable. Currently, 99% of web development uses script engines, while monolithic CGI executables are developed only when it is absolutely necessary to optimize everything down to the smallest detail. As a rule, this approach is taken by large corporations when developing projects that have to be able to function under huge loads. For example, monolithic CGI programs are used in such web systems as eBay, Paypal, Yahoo! etc. At first glance, there is nothing strange about the fact that the authors of Mayday developed a CGI application instead of a CGI script. However, it does raise a number of questions. Why was it necessary to create a monolithic executable file for the Mayday botnet? One possible reason is that the developers wished to make it harder for 'outsiders' to edit, reconfigure and resell a command and control center. Moreover, to create software for the Mayday botnet, cybercriminals must have had to work on two projects rather than one, developing software both for Windows and for Linux. Whatever the case, our analysis of the structure of the server software used by the Mayday botnet shows that this was a serious development project (the code is tidy, a universal system of classes was devised for the application) that required a well-organized developer team. Kaspersky Lab did not detect any new variants of the Mayday bot in spring 2008. Perhaps the malicious program's authors have taken a time-out and the Mayday botnet will resurface in the near future.
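Mayday's use of ICMP echo messages carrying a fixed 32-byte payload as its peer-to-peer channel suggests a simple network check, with one caveat the text does not spell out: the Windows ping utility also sends a 32-byte payload by default, so the length alone is no signal and the payload content has to be examined. The Python below is an added example written for this page; it is not Kaspersky Lab's code and nothing in it is recovered from the bot. It parses ICMP echo messages, verifies the RFC 1071 checksum, and flags hosts that exchange 32-byte echo payloads which do not look like an ordinary ping with many distinct peers. The beacon blob, the host addresses and the five-peer threshold are constructed assumptions for the example.

```python
import struct
from collections import defaultdict

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
# Default 32-byte payload of the Windows ping utility: the same length Mayday uses, so length
# alone is no signal; the payload content is.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message (checksum field zeroed)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Construct an ICMP echo message with a valid checksum (test data; not sent on the wire)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, icmp_checksum(header + payload), ident, seq) + payload


def parse_echo(msg: bytes):
    """Parse and checksum-verify an ICMP echo message; returns (type, id, seq, payload)."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        raise ValueError("not an echo message")
    if icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:]) != csum:
        raise ValueError("bad ICMP checksum")
    return icmp_type, ident, seq, msg[8:]


def looks_like_ping(payload: bytes) -> bool:
    """True for payloads ordinary ping tools emit: Windows' fixed pattern, or the Unix ping
    layout of an 8-byte timestamp followed by an ascending byte run."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    body = payload[8:]
    return len(body) >= 8 and all(body[i] == (body[0] + i) & 0xFF for i in range(len(body)))


def find_icmp_peers(records, min_peers: int = 5) -> dict:
    """records: (src, dst, icmp_message).  Return sources that exchanged 32-byte non-ping echo
    payloads with at least min_peers distinct hosts, the P2P pattern described above."""
    peers = defaultdict(set)
    for src, dst, msg in records:
        try:
            _type, _ident, _seq, payload = parse_echo(msg)
        except ValueError:
            continue
        if len(payload) == 32 and not looks_like_ping(payload):
            peers[src].add(dst)
    return {src: sorted(dsts) for src, dsts in peers.items() if len(dsts) >= min_peers}


# Constructed sample traffic.  BOT_BEACON stands in for a bot's 32-byte node record: it is not a
# real Mayday payload, just a non-ascending blob of the right length.
BOT_BEACON = bytes((i * 37 + 11) & 0xFF for i in range(32))
UNIX_PING_PAYLOAD = b"\x00" * 8 + bytes(range(0x10, 0x40))
SAMPLE_RECORDS = (
    [("10.0.0.5", f"10.0.0.{n}", build_echo(0x4D41, n, BOT_BEACON)) for n in range(20, 26)]
    + [("10.0.0.7", f"10.0.0.{n}", build_echo(0x0001, n, WINDOWS_PING_PAYLOAD)) for n in range(30, 36)]
    + [("10.0.0.9", "10.0.0.1", build_echo(0x1234, 1, UNIX_PING_PAYLOAD))]
)

if __name__ == "__main__":
    for src, dsts in find_icmp_peers(SAMPLE_RECORDS).items():
        print(f"{src}: 32-byte non-ping ICMP echoes to {len(dsts)} peers: {', '.join(dsts)}")
```

On a real segment the records would come from a capture filtered to ICMP; the host that pings six neighbours with the stock Windows payload is deliberately left unflagged, which is the point of checking content rather than length.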
BOTNET DETECTION AND MITIGATION
Botnets use multiple attack vectors, and the goal differs from one attack to the next: the goal of a DDoS attack is to cripple a server; the goal of a phishing attack is to lure users to a spoofed Website and get them to reveal personal data; and the goal of malware can range from collecting personal data on an infected PC or performing keystroke logging, to showing ads on it or sending spam from it. No single technology can provide protection against them. Traditional packet-filtering, port-based and signature-based techniques do not effectively mitigate botnets that dynamically and rapidly modify the exploit code and control channel, resort to "port hopping" (or use standard HTTP/S ports such as 80 and 443), and shuffle the use of zombie hosts. A defense-in-depth approach is essential to detect and mitigate the effects of botnets.

A variety of open source and commercial tools are currently used for botnet detection. Many of them analyze traffic flow data reported by routers, such as Cisco NetFlow. Others use behavioral techniques, for example building a baseline of a network or system under "normal" conditions and using it to flag abnormal traffic patterns that might indicate a DDoS attack. DNS log analysis and "honeypots" are also used to detect botnets, but these techniques are not always scalable. The most common detection and mitigation techniques include:

Flow data monitoring: This technique uses flow-based protocols to get summary network- and transport-layer information from network devices. For instance, Cisco NetFlow is often used by service providers and enterprises to identify command-and-control traffic for compromised workstations or servers that have been subverted and are being remotely controlled as members of botnets used to launch DDoS attacks and other forms of illicit activity.

Anomaly detection: While signature-based approaches try to have a signature for every vulnerability, anomaly detection (or behavioral approaches) try to do the opposite. They characterize what normal traffic is like, and then look for deviations. Anomaly detection can be effectively used on the network as well as on endpoints (such as servers and laptops). Any burst of scanning activity on the network from zombie machines can be detected and blocked. On endpoints, suspicious activity and policy violations can be identified and infections prevented.

DNS log analysis: Botnets often rely on free DNS hosting services to point a subdomain to IRC servers that have been hijacked by the botmaster and that host the bots and associated exploits. Botnet code often contains hard-coded references to a DNS server, which can be spotted by any DNS log analysis tool. If such services are identified, the entire botnet can be crippled by the DNS server administrator by directing offending subdomains to a dead IP address (a technique known as "nullrouting"). While this technique is effective, it is also the hardest to implement, since it requires cooperation from third-party hosting providers and name registrars.

Honeypots: A honeypot is a trap that mimics a legitimate network, resource, or service, but is in fact a self-contained, secure, and monitored area. Its primary goal is to lure and detect malicious attacks and intrusions. Effective more as a surveillance and early-warning system, it can also help security researchers understand emerging threats. Due to the difficulty in setup and the active analysis required, the value of honeypots on large-scale networks is rather limited.
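The flow-monitoring, anomaly-detection and DNS-log techniques in the list above (and the free dynamic-DNS rendezvous names discussed in the preventive-measures section) are easiest to see on data. The Python below is an added example written for this page, not Cisco's or any vendor's code: it runs a scan-burst check and a beacon-interval check over constructed NetFlow-like records, and a shared-dynamic-DNS-name check over constructed DNS log lines. The record format, the thresholds and the provider suffix list are assumptions; a real deployment would feed it exported flows and resolver logs.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Free dynamic-DNS providers named on this page; the list is an assumption, extend it locally.
FREE_DNS_SUFFIXES = (".dyndns.org", ".no-ip.com", ".afraid.org")


def detect_scan_bursts(flows, window: int = 60, min_targets: int = 20) -> dict:
    """Flag sources that touch many distinct hosts on one destination port inside one time
    window: the burst of scanning a freshly infected zombie produces while propagating."""
    targets = defaultdict(set)                      # (src, dport, window index) -> {dst}
    for ts, src, dst, dport, _proto in flows:
        targets[(src, dport, int(ts // window))].add(dst)
    hits = {}
    for (src, dport, _idx), dsts in targets.items():
        if len(dsts) >= min_targets:
            hits[(src, dport)] = max(hits.get((src, dport), 0), len(dsts))
    return hits


def detect_beacons(flows, min_conns: int = 6, max_cv: float = 0.1) -> dict:
    """Flag (src, dst, dport) triples contacted at near-constant intervals.  Human browsing is
    bursty; a bot checking in with its C&C on a timer has a tiny coefficient of variation."""
    times = defaultdict(list)
    for ts, src, dst, dport, _proto in flows:
        times[(src, dst, dport)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = round(avg, 1)
    return beacons


def detect_shared_dyndns(dns_lines, min_clients: int = 3) -> dict:
    """Parse 'timestamp client qname' lines and flag names under free dynamic-DNS providers that
    several distinct clients resolve: a hard-coded rendezvous name shared by a bot population."""
    clients = defaultdict(set)
    for line in dns_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, qname = parts
        qname = qname.lower().rstrip(".")
        if qname.endswith(FREE_DNS_SUFFIXES):
            clients[qname].add(client)
    return {name: len(c) for name, c in clients.items() if len(c) >= min_clients}


# Constructed NetFlow-like records: (timestamp seconds, src, dst, dport, proto).
SAMPLE_FLOWS = (
    # one host sweeps thirty neighbours on TCP/445 in twelve seconds
    [(1000 + i * 0.4, "10.1.1.20", f"10.2.0.{i}", 445, "tcp") for i in range(1, 31)]
    # one host contacts an IRC port every 300 s, eight times
    + [(2000 + i * 300, "10.1.1.31", "198.51.100.7", 6667, "tcp") for i in range(8)]
    # one host browses a web site at irregular times
    + [(2000 + t, "10.1.1.40", "203.0.113.5", 443, "tcp") for t in (3, 41, 52, 130, 402, 410, 777, 1500)]
)

# Constructed DNS query log lines: "timestamp client qname".
SAMPLE_DNS_LOG = [
    "1000 10.1.1.31 irc-host-01.dyndns.org",
    "1010 10.1.1.33 irc-host-01.dyndns.org",
    "1020 10.1.1.35 irc-host-01.dyndns.org",
    "1030 10.1.1.36 IRC-HOST-01.dyndns.org.",
    "1040 10.1.1.40 www.example.com",
    "1050 10.1.1.41 home-cam.no-ip.com",
]

if __name__ == "__main__":
    print("scan bursts:", detect_scan_bursts(SAMPLE_FLOWS))
    print("beacons:", detect_beacons(SAMPLE_FLOWS))
    print("shared dynamic-DNS names:", detect_shared_dyndns(SAMPLE_DNS_LOG))
```

The three checks are independent, but the hits reinforce each other: the host that beacons to the IRC port is also one of the clients resolving the shared dynamic-DNS name, which is the kind of correlation an analyst wants before asking the DNS provider to null-route the subdomain.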
HONEYPOT
A honeypot is a closely monitored computing resource that we intend to be probed, attacked, or compromised. The value of a honeypot is determined by the information that we can obtain from it. Monitoring the data that enters and leaves a honeypot lets us gather information that is not available to a NIDS. For example, we can log the key strokes of an interactive session even if encryption is used to protect the network traffic. To detect malicious behavior, a NIDS requires signatures of known attacks and often fails to detect compromises that were unknown at the time it was deployed. On the other hand, honeypots can detect vulnerabilities that are not yet understood. For example, we can detect a compromise by observing network traffic leaving the honeypot even if the means of the exploit has never been seen before.

Because a honeypot has no production value, any attempt to contact it is suspicious. Consequently, forensic analysis of data collected from honeypots is less likely to lead to false positives than data collected by a NIDS. Honeypots can run any operating system and any number of services. The configured services determine the vectors available to an adversary for compromising or probing the system. A high-interaction honeypot simulates all aspects of an operating system. A low-interaction honeypot simulates only some parts, for example the network stack. A high-interaction honeypot can be compromised completely, allowing an adversary to gain full access to the system and use it to launch further network attacks. In contrast, low-interaction honeypots simulate only services that cannot be exploited to get complete access to the honeypot. Low-interaction honeypots are more limited, but they are useful to gather information at a higher level, e.g. to learn about network probes or worm activity. They can also be used to analyze spammers or for active countermeasures against worms; see Section.

We also differentiate between physical and virtual honeypots. A physical honeypot is a real machine on the network with its own IP address. A virtual honeypot is simulated by another machine that responds to network traffic sent to the virtual honeypot. When gathering information about network attacks or probes, the number of deployed honeypots influences the amount and accuracy of the collected data. A good example is measuring the activity of HTTP-based worms. We can identify these worms only after they complete a TCP handshake and send their payload. However, most of their connection requests will go unanswered because they contact randomly chosen IP addresses. A honeypot can capture the worm payload by configuring it to function as a web server. The more honeypots we deploy, the more likely one of them is contacted by a worm. Physical honeypots are often high-interaction, so allowing the system to be compromised completely; they are expensive to install and maintain. For large address spaces, it is impractical or impossible to deploy a physical honeypot for each IP address. In that case, we need to deploy virtual honeypots.

Figure: a honeypot system
CONCLUSION
Botnets present significant new challenges for researchers. The fluid nature of this problem requires that researchers anticipate future botnet strategies and design effective response techniques. To assist in this effort, we presented a taxonomy of botnets based on topological structure. We have demonstrated the utility of this taxonomy by selecting a class of botnets to remediate. We measured the impact of such responses in simulations, and using a real botnet. Our analysis suggested that by removing command and control nodes, targeted removal was an effective response to scale-free botnets. Our analysis also showed that targeted removals on scale-free botnets offer the best response. Our analysis shows that random network models (either direct Erdős–Rényi models or structured P2P systems) give botnets considerable resilience. Such formations resist both random and targeted responses.
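The Topology section and this conclusion both turn on the same question: how much of a botnet can a defender cut off by removing nodes, either at random (uncoordinated cleanup of infected hosts) or by targeting the best-connected ones (C&C servers, proxies, P2P hubs)? The Python below is an added simulation written for this page, not the authors' own code: it builds star, multi-server, hierarchical, Erdős–Rényi random and scale-free graphs, removes 10% of the nodes under each strategy, and reports the fraction of nodes still inside the largest connected component as a stand-in for the bots a controller can still reach. Sizes, parameters and the random seed are assumptions.

```python
import random


def add_edge(g, u, v):
    g[u].add(v)
    g[v].add(u)


def star(n: int) -> dict:
    """One C&C hub (node 0) and n-1 bots that only talk to it."""
    g = {v: set() for v in range(n)}
    for bot in range(1, n):
        add_edge(g, 0, bot)
    return g


def multi_server(n: int, servers: int) -> dict:
    """`servers` fully meshed C&C nodes (0..servers-1); each bot attaches to one of them."""
    g = {v: set() for v in range(n)}
    for a in range(servers):
        for b in range(a + 1, servers):
            add_edge(g, a, b)
    for bot in range(servers, n):
        add_edge(g, bot % servers, bot)
    return g


def hierarchical(n: int, branching: int) -> dict:
    """A tree: node 0 is the C&C, every node relays to up to `branching` children."""
    g = {v: set() for v in range(n)}
    for v in range(1, n):
        add_edge(g, (v - 1) // branching, v)
    return g


def erdos_renyi(n: int, p: float, rng: random.Random) -> dict:
    """G(n, p) random graph: each pair of bots is linked with probability p (unstructured P2P)."""
    g = {v: set() for v in range(n)}
    for u in range(n):
        for v in range(u + 1, n):
            if rng.random() < p:
                add_edge(g, u, v)
    return g


def scale_free(n: int, m: int, rng: random.Random) -> dict:
    """Barabási–Albert preferential attachment: each new node links to m existing nodes chosen
    in proportion to their degree, which produces a few very well-connected hubs."""
    g = {v: set() for v in range(n)}
    lottery = list(range(m))                 # each node appears once per incident edge
    for v in range(m, n):
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(lottery))
        for u in chosen:
            add_edge(g, u, v)
        lottery.extend(chosen)
        lottery.extend([v] * m)
    return g


def largest_component_fraction(g: dict, removed) -> float:
    """Fraction of the original nodes in the largest connected component once `removed` are gone."""
    alive = set(g) - set(removed)
    seen, best = set(), 0
    for start in alive:
        if start in seen:
            continue
        stack, size = [start], 0
        seen.add(start)
        while stack:
            v = stack.pop()
            size += 1
            for w in g[v]:
                if w in alive and w not in seen:
                    seen.add(w)
                    stack.append(w)
        best = max(best, size)
    return best / len(g)


def choose_removals(g: dict, fraction: float, strategy: str, rng: random.Random) -> list:
    """'targeted' removes the highest-degree nodes; 'random' removes nodes uniformly."""
    k = max(1, int(len(g) * fraction))
    if strategy == "targeted":
        return sorted(g, key=lambda v: len(g[v]), reverse=True)[:k]
    return rng.sample(sorted(g), k)


def compare(n: int = 300, fraction: float = 0.10, seed: int = 7) -> dict:
    rng = random.Random(seed)
    topologies = {
        "star": star(n),
        "multi-server (3)": multi_server(n, 3),
        "hierarchical (branching 4)": hierarchical(n, 4),
        "random Erdos-Renyi (avg degree 6)": erdos_renyi(n, 6 / (n - 1), rng),
        "scale-free (BA, m=2)": scale_free(n, 2, rng),
    }
    results = {}
    for name, g in topologies.items():
        results[name] = {
            strategy: round(largest_component_fraction(g, choose_removals(g, fraction, strategy, rng)), 3)
            for strategy in ("random", "targeted")
        }
    return results


if __name__ == "__main__":
    print(f"{'topology':36s} random  targeted   (largest component after removing 10% of nodes)")
    for name, r in compare().items():
        print(f"{name:36s} {r['random']:6.3f}  {r['targeted']:8.3f}")
```

The centralized topologies collapse under targeted removal of a handful of nodes, the Erdős–Rényi graph barely notices either strategy, and the scale-free graph sits in between: random cleanup leaves it largely intact while removing its hubs costs it far more, which is the conclusion's point about where a targeted response pays off.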