Research Paper on Botnets

Paper Type:  Research paper
Pages:  8
Wordcount:  1955 Words
Date:  2022-04-02

Introduction

The vast growth of the Internet has led to increased online attacks in our current era. Many people depend on the Internet to perform their business and even to interact with other people around the world. Botnets have been introduced by online attackers and hackers; they comprise spyware, worms, viruses, and much more, and are used to carry out malicious attacks. The attackers usually control them remotely. They cause distributed denial of service (DDoS) attacks, spamming, sniffing, information stealing, and many other attacks. Malicious attackers usually sell them to the highest bidder on the black market. Cloud computing, which stores online applications on servers, has faced the worst attacks from botnets because cloud servers are accessed through the Internet.


Background

Botnets have been viewed as a serious cyber threat in the present world, especially in cloud computing. Botnet attacks target smartphones and computers. They infect these devices using malicious code that enables the attackers to do sniffing, spamming, DDoS, phishing, fraud, and much more. They continue to grow in size no matter how much researchers try to eliminate them. Because of this, ways have been developed to detect botnets and to track their future trends.

Botnets are collections of devices called bots, which are controlled by a Botmaster using commands issued from a command line or a server. Stepping-stones are proxy machines that Botmasters can use to evade detection (Rodriguez-Gomez, Macia-Fernandez, & Garcia-Teodoro, 2013). These machines are infected using a malicious program called the bot binary. Machines of the same botnet form a bot family. These bots work together to carry out a malicious attack as directed by the botmaster.

Malicious tools that created botnets were introduced in 1999; they included PrettyPark, Sub7, and trinoo (Dittrich, 2012). Botnets based on Internet Relay Chat (IRC) followed over the years, such as SDBot, GTBot, Rbot, Spybot, and Agobot. The SDBot source code was made widely available. The first bot, PrettyPark, was created to assist channel administrators in assigning special privileges to specific users and keeping out malicious users. The administrator could use IRC channels to remotely control many computers. The bot would act as a user and answer requests such as sharing files, hosting games, and many more.

Bots have been known to carry out cyber-attacks and cyber-crimes over the years. They sit in a network of infected computers known as a botnet. They perform attacks using zombie computers, called bots, all over the Internet. They exploit vulnerabilities and backdoors left by previous attacks. They launch coordinated attacks as directed by the Botmaster.

Command and Control Server

C&C servers are employed by Botmasters to hide their identity and their commands, since they communicate with their bots only indirectly. There are three topologies in the C&C architecture: centralized, peer-to-peer, and unstructured (Michael, 2009). Centralized C&C servers provide Botmasters with simple, low-latency, real-time communication and anonymity (Wang, 2009). Most botnet attacks use this architecture. They provide a central connection through which the bots exchange HTTP or IRC messages. The low latency comes from the direct communication between the C&C server and the bots. This architecture has two weaknesses: there is no link between the bots if the C&C server goes down, and a defender can identify the C&C server because every bot directs its messages to the same server. Figure 1 shows an example of a centralized C&C server.

Figure 1: Centralized C&C Server

Many users around the world use Peer-to-Peer (P2P) connections to share files such as movies. In 2002, the first peer-to-peer based C&C server was created, and it has been modified throughout the years. Each bot is privately created with a list of seeds. Once a bot in the list obtains a message, it sends it to the other bots in its private list of seeds, so only a few bots are revealed when one bot gets captured. The Botmaster connects to one of the bots to send the message throughout the network. This makes the architecture stronger than the centralized C&C server. Its main disadvantage is its complexity in design, since it requires a lot of bots to pass messages throughout the network. It has medium latency, as messages get hopped from one bot to another across the network, involving several bots along the way.

Figure 2: P2P C&C Server

In an unstructured C&C server, each bot scans the Internet to find the other bots. The Botmaster sends an encrypted message through one bot, which scans the Internet for another bot to pass the message to. The next bot does the same: it scans and passes along the message. This architecture is secure in that the discovery of one bot does not lead to the discovery of the other bots. It is also simple. However, its latency is high, because of the time taken to scan the Internet and find the next bot.
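The three topologies above can be compared quantitatively by modelling each as a graph and asking the questions a takedown team asks: how many bots still receive commands after one node is removed, how many hops a command needs, and how many peers a single captured bot reveals. The following is an added example written for this page, not code from the paper or any botnet; the ring-shaped seed lists, node names and sizes are constructed stand-ins for a real P2P seed list.

```python
"""Model centralized, P2P and unstructured C&C as graphs and measure what a
defender gains from taking down or capturing one node.

Constructed model for this example; node names and sizes are arbitrary.
"""
from collections import deque


def build_centralized(n_bots):
    """Every bot talks only to the single C&C server."""
    graph = {"cnc": set()}
    for i in range(n_bots):
        bot = f"bot{i}"
        graph[bot] = {"cnc"}
        graph["cnc"].add(bot)
    return graph


def build_p2p(n_bots, seeds_per_bot=2):
    """Each bot holds a private seed list of a few peers (here: the next
    `seeds_per_bot` bots in a ring, a deterministic stand-in for a random
    seed list). Links are bidirectional because a seed also learns about
    the bot that contacts it."""
    graph = {f"bot{i}": set() for i in range(n_bots)}
    for i in range(n_bots):
        for k in range(1, seeds_per_bot + 1):
            peer = f"bot{(i + k) % n_bots}"
            graph[f"bot{i}"].add(peer)
            graph[peer].add(f"bot{i}")
    return graph


def reachable(graph, start, removed=frozenset()):
    """Breadth-first search: which nodes still receive a command injected at
    `start` after the `removed` nodes are taken down, and in how many hops."""
    if start in removed:
        return {}
    hops = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for peer in graph[node]:
            if peer not in removed and peer not in hops:
                hops[peer] = hops[node] + 1
                queue.append(peer)
    return hops


def exposure_on_capture(graph, captured):
    """Peers revealed by forensic analysis of one captured node."""
    return set(graph[captured])


def expected_scan_probes(address_space, n_bots):
    """Unstructured topology: a bot that locates peers by random scanning
    needs on average address_space / n_bots probes per hop, which is why
    the paper describes that design as slow."""
    return address_space / n_bots


if __name__ == "__main__":
    central = build_centralized(20)
    p2p = build_p2p(20)
    print("centralized, server down  :", len(reachable(central, "bot0", {"cnc"})) - 1, "other bots reachable")
    print("p2p, one bot down         :", len(reachable(p2p, "bot0", {"bot1"})) - 1, "other bots reachable")
    print("p2p max hops              :", max(reachable(p2p, "bot0").values()))
    print("revealed by capturing bot0:", sorted(exposure_on_capture(p2p, "bot0")))
    print("scan probes per hop (2^32 addresses, 10k bots):", expected_scan_probes(2 ** 32, 10_000))
```

The numbers reproduce the paper's qualitative claims: removing the single server isolates every bot in the centralized graph, removing one peer in the P2P graph leaves the rest connected at the cost of several hops, and a captured P2P bot exposes only its handful of seeds rather than the whole network.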

Trigger events

Some events can trigger malware. The malware usually hides before it is triggered, which makes it harder to detect and makes the attack more likely to succeed. There are several different triggers. One uses specific dates to launch (Sue, 2009). An example is a message sent by email on Valentine's Day in 2009 stating "Falling in Love with you," with a link to a website and a romantic message. Users downloaded heart messages from the site, which contained malicious programs.

The second trigger is time specific, for example 12 am every day, and installs a malicious program on computers while users are asleep. The third trigger is the use of keyloggers that save the keystrokes of a specific Windows application process. An example is malware that logs and screenshots a user's bank account details on a banking website.

Communication Protocol

The communication protocol most commonly used by bots is the IRC protocol. These protocols are used by bots to communicate with each other. The traffic hides in web traffic and also bypasses firewall rules by using the Hypertext Transfer Protocol (HTTP). Smaller bot networks use P2P and Instant Messaging (IM) protocols. Bots using the IRC protocol join together on a private channel that is password protected. Bots on the private channel interpret the messages from the Botmaster and do as instructed, for example launching an attack on the network.

There are many ways to block and count IRC traffic. One way is to use an Intrusion Detection System (IDS). It discovers IRC requests in the network in two ways: outbound and inbound IRC requests. In an outbound IRC request, a computer on the network that has been infected by a bot is used as a C&C server. In an inbound IRC request, C&C servers add new computers from a specific network to work as bots.

Another way to block IRC traffic is the use of firewalls, although bots use HTTP to bypass firewall rules, since the firewall usually does not block port 80, which HTTP uses. Another way is the use of encrypted P2P protocols to transfer files and communicate between trusted individuals.

Rallying Mechanisms

There are different ways that botnets use to rally new bots so that they can retrieve information from the botmaster. They include Distributed DNS Service, Dynamic DNS Domain Name, and hard-coded IP address. Dynamic DNS Domain Name uses a dynamic DNS provider to assign domain names. Botmasters use the domain names to relocate their botnets. Once a connection to a particular C&C server fails, the bot requests a new domain name for a new C&C server, so it does not depend on one C&C server.

In Distributed DNS Service, bots have their own DNS servers in different locations that are not bound by any laws. The bot gets the C&C server's IP address through its own DNS server. Distributed DNS Service is hard to detect and destroy since it uses high ports to send messages.

In Hard-coded IP, bots communicate with the C&C server through an IP address that is hard-coded in the bot binary. This has one disadvantage: once a bot is captured, the C&C server can be located and shut down, since its IP address will be found. The bots will then no longer receive messages from the botmasters.
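The weakness the paper points out for hard-coded rally points, and to a lesser degree for dynamic DNS names, is that they sit in the captured binary as plain strings. The following added example (written for this page, not taken from the paper or any real bot sample) scans a byte blob for embedded IPv4 addresses and host names, discards local and reserved ranges that cannot be a public C&C address, and leaves the remaining candidates for analyst triage. The sample blob, its addresses and its domain are constructed; 203.0.113.10 and example.net are documentation values.

```python
"""Recover rally points (hard-coded IPv4 addresses and host names) from the
bytes of a captured bot binary.

Constructed example: SAMPLE_BLOB is made up for this page and mimics a
binary that embeds a C&C address and a fallback domain.
"""
import re
from ipaddress import ip_address, ip_network

# Dotted quads not embedded in a longer numeric/dotted run (avoids "1.2.3.4.5").
IPV4_RE = re.compile(rb"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])")
# Host names with at least two dots and an alphabetic top-level label.
HOSTNAME_RE = re.compile(
    rb"(?<![a-z0-9.-])[a-z0-9-]+(?:\.[a-z0-9-]+)+\.[a-z]{2,}(?![a-z0-9.-])",
    re.IGNORECASE,
)

# Ranges that cannot be a public C&C rally point; dropped as noise.
NOISE_NETS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"connect\x00203.0.113.10\x006667\x00"      # constructed hard-coded C&C address
    + b"fallback\x00cnc-update.example.net\x00"   # constructed dynamic DNS fallback name
    + b"ver 1.2.3.4\x00"                          # version string that looks like an address
    + b"127.0.0.1\x00192.168.1.1\x00"             # local addresses, dropped as noise
    + b"\x00" * 16
)


def is_noise(ip):
    return any(ip in net for net in NOISE_NETS)


def extract_rally_points(blob):
    """Return {'ipv4': [...], 'hostnames': [...]} in order of first appearance.

    Every IPv4 candidate is syntactically valid and outside NOISE_NETS; the
    analyst still has to triage the list, because a version string such as
    "1.2.3.4" is indistinguishable from an address at the byte level.
    """
    ipv4 = []
    for m in IPV4_RE.finditer(blob):
        text = m.group().decode("ascii")
        try:
            ip = ip_address(text)   # rejects octets above 255, e.g. 999.1.1.1
        except ValueError:
            continue
        if not is_noise(ip) and text not in ipv4:
            ipv4.append(text)
    hostnames = []
    for m in HOSTNAME_RE.finditer(blob):
        name = m.group().decode("ascii").lower()
        if name not in hostnames:
            hostnames.append(name)
    return {"ipv4": ipv4, "hostnames": hostnames}


if __name__ == "__main__":
    for kind, values in extract_rally_points(SAMPLE_BLOB).items():
        print(kind, values)
```

Real samples often encrypt or obfuscate the configuration (the Zeus section below describes exactly that), so an empty result from a plain string scan means the rally point is hidden, not absent.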

Botnet Attacks

Botmasters launch different attacks using bots; the attacks are either invisible to users or slow down a system and cause it to crash. Some of those attacks include email spamming, DDoS attacks, sniffing, phishing, and click fraud, which usually comes from clicking an advertisement.

Behavior Analysis

There are three types of behavioral analysis of botnets: global correlated, host-based, and network-based.

Global correlated behavior analysis of botnets provides an efficient way to detect them. For example, when a C&C server shuts down, bots tend to request another C&C server, leading to a rise in DNS traffic in the network, which intrusion detection tools can detect and stop.

Host-based behavior analysis is triggered by the infected host. The bot disrupts software activities within the infected machine. One way to detect this intrusion is by checking how software is updating. If software such as an antivirus has trouble updating, a bot intrusion can be suspected.

Network-based behavior analysis checks network traffic. Botmasters use the network to communicate with the bots (Rodriguez-Gomez, Macia-Fernandez, & Garcia-Teodoro, 2013). They use either IRC or HTTP protocols to communicate. One way to block this is by banning IRC traffic, because high traffic on the IRC port shows a high presence of bots. Another way is by checking DNS traffic to find hosts in the network that keep changing their DNS name server, since bots alter their DNS server to avoid revealing the C&C server. The name that the DNS server uses can be another way to detect bots.
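The three network-side signals mentioned in this paper (outbound versus inbound IRC connections from the Communication Protocol section, the DNS surge after a C&C server disappears from the global correlated analysis, and hosts that switch DNS servers from this section) can all be checked against flow records. The following is an added example, not code from the paper: it runs those three checks over a constructed list of flow records of the form (timestamp, source IP, destination IP, destination port). The monitored LAN 10.0.0.0/24, the approved resolver 10.0.0.1, the IRC ports 6667 and 6697, and the spike factor are all assumptions for the example.

```python
"""Network-based bot behaviour checks over constructed flow records.

Each record is (timestamp_seconds, src_ip, dst_ip, dst_port). The records
below are constructed for this example and do not come from a real capture.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL = ip_network("10.0.0.0/24")   # assumed monitored LAN
IRC_PORTS = {6667, 6697}               # assumed IRC ports (6697 is IRC over TLS)
APPROVED_RESOLVERS = {"10.0.0.1"}      # assumed corporate DNS server


def _internal(ip):
    return ip_address(ip) in INTERNAL


def irc_by_direction(flows):
    """Count IRC flows per internal host, split by direction.

    outbound: an internal host connects out to an IRC port (a bot reporting
    to its channel). inbound: an external peer connects to an internal host
    on an IRC port (the host may be acting as the C&C channel server).
    """
    counts = defaultdict(lambda: {"outbound": 0, "inbound": 0})
    for _, src, dst, dport in flows:
        if dport not in IRC_PORTS:
            continue
        if _internal(src) and not _internal(dst):
            counts[src]["outbound"] += 1
        elif _internal(dst) and not _internal(src):
            counts[dst]["inbound"] += 1
    return dict(counts)


def dns_query_spikes(flows, window=60, factor=4.0):
    """Return (window_start, count) for windows whose DNS query count exceeds
    factor x the median window count, the jump expected when bots hunt for
    a replacement C&C server."""
    per_window = Counter()
    for ts, src, dst, dport in flows:
        if dport == 53 and _internal(src):
            per_window[(ts // window) * window] += 1
    if not per_window:
        return []
    baseline = median(per_window.values())
    return sorted((w, c) for w, c in per_window.items() if c > factor * baseline)


def resolver_changers(flows):
    """Internal hosts that queried more than one DNS server, or any server
    outside the approved set."""
    resolvers = defaultdict(set)
    for _, src, dst, dport in flows:
        if dport == 53 and _internal(src):
            resolvers[src].add(dst)
    return {h: sorted(r) for h, r in resolvers.items()
            if len(r) > 1 or not r <= APPROVED_RESOLVERS}


def sample_flows():
    """Constructed records: a quiet baseline plus one host behaving like a bot."""
    flows = []
    # baseline: three hosts each make one DNS lookup per minute for ten minutes
    for minute in range(10):
        for host in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
            flows.append((minute * 60 + 5, host, "10.0.0.1", 53))
    # 10.0.0.5 keeps connecting to an external IRC server
    for i in range(12):
        flows.append((i * 50, "10.0.0.5", "203.0.113.10", 6667))
    # an external peer connects in to 10.0.0.9 on the IRC port
    flows.append((300, "198.51.100.7", "10.0.0.9", 6667))
    # minute 10: 10.0.0.5 issues a burst of lookups, half via an outside resolver
    for i in range(30):
        flows.append((600 + i, "10.0.0.5", "10.0.0.1", 53))
        flows.append((600 + i, "10.0.0.5", "192.0.2.53", 53))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("IRC by direction :", irc_by_direction(flows))
    print("DNS spikes       :", dns_query_spikes(flows))
    print("resolver changers:", resolver_changers(flows))
```

On the constructed records the checks single out 10.0.0.5 (outbound IRC, a DNS burst at minute 10, and a second resolver) and 10.0.0.9 (inbound IRC), while the baseline hosts stay clean; on real data the median-based spike threshold needs a long enough baseline to be meaningful.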

Bot Analysis

The following describes three types of bots that are popular on the Internet: Zeus, Koobface, and Torpig. Zeus is the most popular bot known on the Internet worldwide. It has compromised and infected 3.6 million host computers. Its source code is written in the C++ programming language. It uses a configuration file that is encrypted with a unique key. The bot's set-up stores the unique key, making the configuration file difficult to decrypt. The botnet self-destructs once it is through with its task. This may also cause the operating system to crash, since the self-destruction overwrites the memory with zeros and ones. The Zeus bot is spreading worldwide in both a commercial and a free version. When a computer is infected by Zeus, the bot takes over its functionality and controls it. It adds new scripts to the computer, changes its password, accesses the system information, and much more, depending on the botmaster's request. The figure below shows the Zeus bot.

Figure 3: Zeus bot

Koobface is second after Zeus, having compromised 2.9 million computers in the US alone. It usually spreads through social sites such as Facebook, Twitter, MySpace, and many more. Social networks are used to share information, run advertisements, and communicate with people worldwide. Facebook, for instance, shares users' confidential information to allow others to advertise. Koobface consists of different malware components, each with different functions. One component is the KOOBFACE downloader, present on YouTube. Users are prompted to install a codec, which is usually infected, in order to view a video (Alomari, Manickam, B. Gupta, Karuppayah, & Alfaris, 2012). When the infected codec is installed, it infects the computer and checks cookies related to social media sites. It accesses the security cookie for the social site and creates a link on the user's profile so that the user's friends can follow the link. The infected computer is used as a relay or proxy server that sends KOOBFACE components across the Internet. These components are used to write on users' profiles, send spam emails with fake lin...

Research Paper on Botnets. (2022, Apr 02). Retrieved from https://proessays.net/essays/research-paper-on-botnets
