Department of Computer
Athanasios College for Advanced Studies Thiruvalla, Pathanamthitta, Kerala,
A botnet is a network of compromised hosts that fulfills the malicious intents of an attacker. Once installed, a bot is typically used to steal sensitive information, send spam, perform DDoS attacks, and carry out other illegal activities on behalf of the attacker. Its detection is quite difficult. Research in botnet detection has been prolific in recent years, producing detection mechanisms that focus on specific command and control structures, or on the correlation between the activities of the bots and the communication patterns shared by multiple infected machines. Many botnets have been shut down, but many more remain active, and research continues on ways to remove bots.
Botnets are networks of malware-infected machines that can be controlled by a remote adversary. There are both legal and illegal botnets.
1.1. Legal botnets
The term botnet is widely used when several IRC bots have been linked and may possibly set channel modes on other bots and users while keeping IRC channels free of unwanted users. This is where the term originally comes from, since the first illegal botnets were similar to legal botnets. A common bot used to set up botnets on IRC is eggdrop.
1.2. Illegal botnets
Illegal botnets sometimes compromise computers whose security defenses have been breached and control ceded to a third party. Each such compromised device, known as a bot, is created when a computer is penetrated by malware. The controller of a botnet is able to direct the activities of these compromised computers through communication channels formed by standards-based network protocols such as IRC and Hypertext Transfer Protocol (HTTP). The bots themselves are malware-infected machines. IRC bots usually have a way to remotely upgrade victims with new payloads to stay ahead of security efforts.
Botmaster (aka bot herder): The attacker who controls the network.
Command and Control (C&C) channel: It is the communication channel over which the botmaster communicates with and issues commands to the bots. Over it the botmaster can send commands to, and receive output from, the machines that are part of the botnet. At any time, attackers who wish to launch a DDoS attack can send special commands to their botnet's C&C servers with instructions to perform an attack on a particular target, and any infected machines communicating with the contacted C&C server will comply by launching the attack.
C&C servers often exist in one of four structures, each with pros and cons: star, multi-server, hierarchical, and random. Star topology botnets rely on one central C&C server, which sends commands to every bot in the botnet. This configuration allows for reliable, low-latency communication, but renders the botnet fairly easy to disable, as there is only one C&C server to take offline before the botnet is inoperable.
Multi-server topology botnets are very similar to star topology botnets, except that the central server consists of a series of interconnected servers that provide redundancy (preventing the single point of failure of star topology botnets); however, setting up multiple connected C&C servers may require more planning and overall be more difficult than using a single server.
Hierarchical topology botnets allow botnet owners to divide their botnet more easily into separate chunks for resale or renting, and prevent researchers from enumerating the location of all other C&C servers and bots in the network with only a few captured C&C servers, because servers lower in the hierarchy have only a restricted view of the entire botnet. Additionally, commands that have to travel through a large hierarchy of C&C servers in order to reach bots may suffer added latency.
Random topology botnets do not rely on any C&C servers; rather, all botnet commands are sent directly from one bot to another if they are deemed to be signed by some special means indicating that they originated from the botnet owner or another authorized user. Such botnets have very high latency, and will often allow many bots within a botnet to be enumerated by a researcher with only one captured bot. Often special forms of encrypted bot-to-bot communication over public peer-to-peer networks are used in conjunction with a more complex C&C server topology (such as in the TDL-4 botnet) in order to make such botnets particularly difficult to dismantle.
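The resilience and visibility trade-offs described above can be checked on a toy model. The following Python is an added example, not code from the paper: it builds the star, multi-server and hierarchical layouts as directed graphs whose edges point the way commands flow (the random topology has no C&C servers and is left out), then measures the share of bots still reachable from the botmaster after a C&C server is taken offline, and the number of bots visible downstream of one captured node. Node names, sizes and the failover assumption (every bot in the multi-server layout knows every server) are assumptions of the example.

```python
from collections import deque

# Added example, not code from the paper. Graph = dict node -> downstream nodes.
# Commands flow botmaster -> C&C server(s) -> bots. All names/sizes are made up.


def star(n_bots):
    """One C&C server; every bot hangs off it."""
    bots = [f"bot{i}" for i in range(n_bots)]
    g = {"master": ["cc0"], "cc0": list(bots)}
    g.update({b: [] for b in bots})
    return g


def multi_server(n_bots, n_servers=3):
    """Interconnected C&C servers; each bot knows every server (assumed failover)."""
    bots = [f"bot{i}" for i in range(n_bots)]
    servers = [f"cc{i}" for i in range(n_servers)]
    g = {"master": list(servers)}
    for s in servers:
        g[s] = [t for t in servers if t != s] + bots
    g.update({b: [] for b in bots})
    return g


def hierarchical(n_bots):
    """Top server delegates to two sub-servers, each owning half of the bots."""
    bots = [f"bot{i}" for i in range(n_bots)]
    half = n_bots // 2
    g = {"master": ["cc0"], "cc0": ["cc1", "cc2"],
         "cc1": bots[:half], "cc2": bots[half:]}
    g.update({b: [] for b in bots})
    return g


def reachable(g, start, removed=frozenset()):
    """Nodes reachable downstream from `start`, skipping nodes that are offline."""
    if start in removed:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in g.get(node, ()):
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def bots_in(nodes):
    return {n for n in nodes if n.startswith("bot")}


def controllable_fraction(g, offline):
    """Share of bots the botmaster can still command after `offline` nodes go down."""
    total = len(bots_in(g))
    alive = bots_in(reachable(g, "master", frozenset(offline)))
    return len(alive) / total if total else 0.0


def enumerable_from(g, captured):
    """Bots an analyst can enumerate from one captured node's downstream view."""
    return len(bots_in(reachable(g, captured)))


if __name__ == "__main__":
    for name, g, takedown, capture in [
        ("star", star(100), ["cc0"], "cc0"),
        ("multi-server", multi_server(100), ["cc0"], "cc1"),
        ("hierarchical", hierarchical(100), ["cc1"], "cc1"),
    ]:
        print(f"{name:13s} after losing {takedown}: "
              f"{controllable_fraction(g, takedown):.0%} of bots still controllable; "
              f"{enumerable_from(g, capture)} bots visible from captured {capture}")
```

Run stand-alone it prints, for 100 bots, that the star loses everything when its single server goes down, the multi-server layout keeps all bots after losing one of three servers, and the hierarchy keeps half while also exposing only its own half to whoever captures a sub-server, which is exactly the trade-off the text describes.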
Bot client: It is the particular malware on which the bot is based. The following are examples of bot clients.
Agobot / Phatbot / Forbot / Xtrembot: They are written in C++ and their source is released under the GPL. They have a modular structure that allows expansion of commands and scanning abilities. They can use C&C protocols other than IRC.
/ RBot / UrBot / URXBot: They are currently the most active. They are written in poor C and are popular with
Bots: They are used for Linux and UNIX and use very little C code.
1.6.4. Kaiten
It is used for Linux and UNIX. It uses weak authentication and so it is easy to hijack.
Internet Relay Chat: It is an open protocol used for internet text messaging or synchronous conferencing. It is designed for group communication but it allows one-to-one communication via private message as well as chat and data transfer including file sharing. IRC servers are freely available, easy to manage and easy to subvert. The malware may be a virus, worm, Trojan horse, spyware, rootkit, or any other malicious or unwelcome software.
Botnet and Network Security
A botnet operator sends out viruses or worms that infect ordinary users' computers, whose payload is a malicious application: the bot. The bot on the infected PC logs into a particular C&C server. A spammer purchases the services of the botnet from the operator. The spammer provides the spam messages to the operator, who instructs the compromised machines via the control panel on the web server, causing them to send out spam messages.
Users are getting infected by bots. Many times corporate and end users are trapped in botnet attacks. Today 16-25% of the computers connected to the internet are members of a botnet. In such a network the bots are spread over many locations, which makes it difficult to track illegal activities. This behavior makes botnets an attractive tool for intruders and increases the threat to network security. Pirated material is a common attack vector for the delivery. Professional botnet services can cost thousands of dollars per month to operate, but these specialized installations often include ready access to a network of infected computers. There are a wide variety of crime services today that are willing to facilitate such entrepreneurial aspirations. Consulting charges for botnet setup range from $350 to $400. There are affiliate networks known as Pay-Per-Installation (PPI) networks that exist to infect computers online and create a botnet. They require only the number of infected systems wanted and the botnet software, and the affiliate network will take care of the rest. Only nominal charges, i.e. $100 per 1000 installations, are to be remitted. Typical botnet rental charges range from $2 to $535.
Bot masters can earn thousands of dollars through denial of service attacks. A small website may need hundreds of zombies to take the site offline while a large website may need thousands of zombies. By customizing the number of zombies, maximum financial gain can be obtained. Selling personal information is also a source of revenue; the income depends on the location of the account and ranges from $5 to $15. Spammers buy bulk lists of email addresses, and the income may range from $20 to $100 for a million email addresses. Pay-per-click fraud is another way of harvesting money. A Microsoft Research study estimates that a full one-quarter of all online ad clicks are fraudulent. Bitcoin mining is a way to continually harvest additional revenue.
Communication and Propagation
Botnets use the following methods to communicate with each other:
HTTP: Easy for the attacker to blend in, as botnet traffic can be hidden in the rest of the internet traffic. Administrators cannot block HTTP traffic completely, as it is the most commonly used protocol.
IRC: It is harder to hide, since IRC is much less used than HTTP. It is easy to manage and subvert. It is freely available.
Custom: It makes use of application protocols, or the bot master designs a new protocol using a server program, a client program and a program to embed the client on the victim's machine. It uses encryption.
Botnet propagation is enabled by the methods described below:
Visiting a malicious site with a PC that has not been updated with security patches and antivirus may download and execute malware on the user's PC.
Botnet infection may occur when the user opens an email with malicious content. Such mails may even come from contacts the user trusts, because those contacts may themselves be infected by the botnet.
Software: Malware developers hide malicious content inside a software download, which then installs itself on the victim's machine when the user opens the executable.
Botnet Detection and Prevention
Botnet detection is based on two approaches: setting up honeynets and passive traffic monitoring.
A honeynet is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.
A bot needs the DNS name or IP address of the IRC server, the port number and the password to connect to the IRC server, as well as a channel to join and a channel password.
Passive traffic monitoring is based on signatures, anomalies, DNS and data mining. Signature-based traffic monitoring detects known botnets. Anomaly-based monitoring looks for the following anomalies: high network latency, high volume of traffic, traffic on unusual ports and unusual system behavior. DNS-based traffic monitoring analyzes the DNS traffic generated by botnets. Mining-based traffic monitoring targets botnet C&C traffic that is difficult to detect and for which anomaly-based techniques are not useful; classification and clustering are the data mining techniques used. IRC traffic generated by bots is not as diverse as that generated by humans. Determining the source of a botnet attack is quite challenging: in the traditional approach, every zombie is considered an attacker. Botnets can exist in a benign state for an arbitrary amount of time before they are used for a specific attack. A newer trend is peer-to-peer (P2P) botnets, in which there is no centralized server; bot-to-bot communication is done using a more complex C&C topology.
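The observation that bot-generated IRC traffic is less diverse than human chat, and the clustering idea from mining-based monitoring, can be turned into a concrete check. The following Python is an added example, not code from the paper: it parses constructed IRC-style log lines (the `<epoch> <nick> <channel> :<text>` format, the nicks, the channel names and the thresholds are all assumptions of the example), computes per nick how repetitive the messages are and how regular the send interval is, and separately clusters identical messages sent by many different nicks.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Added example, not from the paper. Constructed sample log, not a real capture:
# "<epoch_seconds> <nick> <channel> :<text>". alice/bob chat like people;
# z3a9, q7b2 and m5c1 beacon the same text every 30 seconds like bots.
SAMPLE_LOG = """\
1000 alice #chat :anyone tried the new kernel patch?
1007 alice #chat :mine rebooted twice after it
1003 bob #chat :yes, it landed this morning
1012 bob #chat :works here, which version are you on?
1040 bob #chat :try the updated build then
1025 alice #chat :5.15, will try the updated build tonight
1000 z3a9 #ops :[bot] alive
1030 z3a9 #ops :[bot] alive
1060 z3a9 #ops :[bot] alive
1090 z3a9 #ops :[bot] alive
1000 q7b2 #ops :[bot] alive
1030 q7b2 #ops :[bot] alive
1060 q7b2 #ops :[bot] alive
1090 q7b2 #ops :[bot] alive
1000 m5c1 #ops :[bot] alive
1030 m5c1 #ops :[bot] alive
1060 m5c1 #ops :[bot] alive
1090 m5c1 #ops :[bot] alive
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) :(.*)$")


def parse(log):
    """Return (ts, nick, channel, text) tuples sorted by time; skip malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, nick, chan, text = m.groups()
            events.append((int(ts), nick, chan, text))
    return sorted(events)


def nick_features(events):
    """Per nick: message count, distinct-text ratio, coefficient of variation of gaps."""
    per_nick = defaultdict(list)
    for ts, nick, _chan, text in events:
        per_nick[nick].append((ts, text))
    feats = {}
    for nick, msgs in per_nick.items():
        times = [t for t, _ in msgs]
        texts = [x for _, x in msgs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        # CV near 0 means clockwork beaconing; humans are far more irregular.
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        feats[nick] = {
            "count": len(msgs),
            "distinct_ratio": len(set(texts)) / len(texts),
            "interval_cv": cv,
        }
    return feats


def flag_bot_like(feats, min_msgs=3, max_distinct_ratio=0.5, max_cv=0.25):
    """Nicks whose traffic is either highly repetitive or sent on a fixed timer."""
    flagged = set()
    for nick, f in feats.items():
        if f["count"] < min_msgs:
            continue
        low_diversity = f["distinct_ratio"] <= max_distinct_ratio
        clockwork = f["interval_cv"] is not None and f["interval_cv"] <= max_cv
        if low_diversity or clockwork:
            flagged.add(nick)
    return flagged


def synchronized_groups(events, min_nicks=3):
    """Identical text sent by many distinct nicks: the clustering view of a C&C channel."""
    senders = defaultdict(set)
    for _ts, nick, _chan, text in events:
        senders[text].add(nick)
    return {text: sorted(n) for text, n in senders.items() if len(n) >= min_nicks}


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for nick, f in nick_features(ev).items():
        print(nick, f)
    print("bot-like nicks:", sorted(flag_bot_like(nick_features(ev))))
    print("synchronized groups:", synchronized_groups(ev))
```

On the sample the three beaconing nicks are flagged by both the diversity and the timing rule while alice and bob are not. In a real deployment the timing rule alone would also flag legitimate network services that post on a schedule, so an allow-list of known service nicks, or requiring both rules to fire, keeps the false-positive rate manageable.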
Advanced botnets use Domain Generation Algorithms (DGA) and fast flux to ensure the bot is always able to communicate with its C&C server. DGA is a method whereby the malware generates the C&C server addresses: using a proprietary algorithm, the malware can determine when to connect to what appears to be a random address online. All a bot master needs to do is ensure they have registered that random domain name a day or two ahead of the connection time and created the appropriate DNS records to point that address to their C&C server. Fast flux is somewhat different in its implementation, but the general idea is similar: through modified DNS records, the bot master points many IP addresses at the domain names the bot attempts to contact. By changing those records regularly, the bot master ensures they can stay a step ahead of any attempt to shut down the C&C server. Bot masters often incorporate both of these methods into their botnets in the hope that their zombies will find some way to call home.
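Both techniques leave traces in DNS data that a defender can score, which is what DNS-based traffic monitoring looks for. The following Python is an added example, not code from the paper: it scores the registrable label of a queried name by length, character entropy and vowel ratio (a common DGA heuristic, since algorithmically generated labels tend to be long, high-entropy and consonant-heavy), and separately flags domains whose answers rotate through many addresses with short TTLs, the fast-flux pattern. The names, the IP addresses (taken from the RFC 5737 documentation ranges), the thresholds and the one-label public-suffix assumption are all constructed for the example.

```python
import math
from collections import defaultdict

# Added example, not from the paper. All records below are constructed.

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits per character of the string's empirical symbol distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(name):
    """Second-level label ('x7kq2p' in 'www.x7kq2p.net'). Assumes a one-label
    public suffix; a real deployment would consult the Public Suffix List."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(name, min_len=10, min_entropy=3.3, max_vowel_ratio=0.2):
    """Score one queried name; thresholds are assumptions tuned to the sample."""
    label = registrable_label(name)
    vowel_ratio = sum(c in VOWELS for c in label) / max(len(label), 1)
    entropy = shannon_entropy(label)
    return {
        "label": label,
        "length": len(label),
        "entropy": entropy,
        "vowel_ratio": vowel_ratio,
        "dga_like": (len(label) >= min_len and entropy >= min_entropy
                     and vowel_ratio <= max_vowel_ratio),
    }


def is_dga_like(name):
    return dga_features(name)["dga_like"]


# Constructed DNS answers: (epoch, qname, A record, ttl). The IPs are from the
# RFC 5737 documentation ranges and therefore point at nothing real.
SAMPLE_ANSWERS = [
    (1000, "x7kq2p9zvb4w.net", "192.0.2.10", 60),
    (1060, "x7kq2p9zvb4w.net", "192.0.2.23", 60),
    (1120, "x7kq2p9zvb4w.net", "198.51.100.7", 60),
    (1180, "x7kq2p9zvb4w.net", "198.51.100.99", 60),
    (1240, "x7kq2p9zvb4w.net", "203.0.113.5", 60),
    (1300, "x7kq2p9zvb4w.net", "203.0.113.41", 60),
    (1000, "example.com", "192.0.2.1", 3600),
    (4600, "example.com", "192.0.2.2", 3600),
    (1000, "cdn-assets.example.net", "198.51.100.1", 30),
    (1030, "cdn-assets.example.net", "198.51.100.2", 30),
    (1060, "cdn-assets.example.net", "198.51.100.3", 30),
]


def fast_flux_candidates(records, min_ips=5, max_ttl=300):
    """Domains whose answers rotate through many IPs with short TTLs."""
    ips, min_ttl = defaultdict(set), {}
    for _ts, qname, ip, ttl in records:
        ips[qname].add(ip)
        min_ttl[qname] = min(ttl, min_ttl.get(qname, ttl))
    return {q: (len(ips[q]), min_ttl[q]) for q in ips
            if len(ips[q]) >= min_ips and min_ttl[q] <= max_ttl}


if __name__ == "__main__":
    for name in ["example.com", "microsoftonline.com", "x7kq2p9zvb4w.net"]:
        print(name, dga_features(name))
    print("fast-flux candidates:", fast_flux_candidates(SAMPLE_ANSWERS))
```

The constructed CDN-style name with a 30-second TTL but only three addresses is deliberately below the address-count threshold: short TTLs alone are normal for content delivery networks, so the count of distinct addresses over a window does the real work, and in practice both heuristics are used to prioritise analyst attention rather than to block automatically.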
Typical symptoms of infection include: the system running slower than usual; the hard drive LED flashing wildly even though the machine is idle; files and folders that have suddenly disappeared or been changed in some fashion; a friend or colleague informing the user that they have received a spam email from the user's email account; a firewall on the computer reporting that a program on the PC is trying to connect to the internet; the launch icon of a program downloaded from the internet suddenly disappearing; more error messages than usual popping up; and an online bank suddenly asking for personal information it has never required before.
The prevention of infection includes installing an antivirus software package and keeping it up to date. Set up regular complete system scans. Stick to one antivirus program, as running more than one can cause system irregularities. Use a personal firewall program and enable alerting whenever a program attempts to connect to the internet.
Botnets pose a significant and growing threat to cyber security. They provide a key platform for many cyber crimes (such as DDoS). As network security has become an integral part of our lives, botnets have become the most serious threat to it, so it is very important to detect botnet attacks. Botnet operators are difficult to find, hard to shut down and even harder to prosecute. The anonymous nature of the Internet and the difficulty of reaching across international borders make the risk to cybercriminals low and thus keep the rewards very high. It will take a much greater global effort, and the ability for security organizations and nations to work quickly and in collaboration, in order to deal with these botnets and their creators.
Oleena Thomas, currently working as Assistant Professor of MCA at Mar Athanasios College for Advanced Studies Thiruvalla, Pathanamthitta, pursued her M.Tech in CSE at Amal Jyothi College of Engineering Kottayam and her B.Tech at College of Engineering Kottarakkara. She has published papers titled "Literature Analysis on Reputation Models for Feedback in E-commerce", "Automated Social Media Mining System in Health Care" and "Data Mining Approach to Wind Data Preprocessing" in IJARCCE.