History of Botnets
Contemporary Botnets
Kinds of Botnets
Some Examples of Botnets
Implementation of Botnets
Hijacking, Purchasing and Trading
Distributed Denial of Service (DDOS) Attacks
Anonymity while running Botnets
Protection against Botnets
Botnet is the name given to a group of computers running a program that is directed and controlled by the owner or originator of that software (Craig A. Schiller, 2007). The term is also used for a legitimate arrangement in which a number of computers share program processing among themselves.
In everyday use, however, the term refers to an illegitimate group of computers infected with malicious robot software, known as a bot. It is a security hazard for the owner of the computer. Once this software, also known as malware, is fully installed on a computer, that computer is known as a zombie or drone. In other words it becomes a slave to the commands of the bot commander (Craig A. Schiller, 2007).
"Bot" is short for "robot" and denotes an automated process that interacts with other network services. Bots usually automate tasks and provide information or services that would otherwise be carried out by a human (Craig A. Schiller, 2007). A typical use of bots is to collect information, as web crawlers do, or to interact automatically with instant messenger (IM), Internet Relay Chat (IRC), or other web service interfaces. They may also be used to interact dynamically with websites.
They can be used for either beneficial or malicious purposes. A malicious bot is self-propagating malware designed to infect a host and connect back to a central server or group of servers that act as a command and control center for the whole network of compromised devices, or "botnet." Using a botnet, attackers can launch sophisticated, "automated," flood-type attacks against their victims. Beyond a worm-like ability to self-propagate, bots can include the capacity to log keystrokes, gather passwords, capture and analyze packets, gather financial information, launch DoS attacks, relay spam, and open backdoors on the infected host. Bots have all the advantages of worms, but are generally far more flexible in their infection vector, and are often modified within a short time of the publication of a new exploit. Bots rarely announce their presence with high scan rates that damage network infrastructure; instead they infect networks in a way that avoids immediate notice.
The size of a botnet varies with the sophistication of the bots involved, from around ten thousand zombies for a large one down to only a thousand drones for a small one (Craig A. Schiller, 2007). Normally the whole operation takes place without the knowledge or permission of the owners of the zombie or drone computers. The slave computers are usually controlled through Internet Relay Chat, or IRC.
History of Botnets
The phenomenon was popularized in the late 90s as a convenient feature of IRC (Seymour E. Goodman, 2007). IRC is a large system of text-based chat channels that lets users from around the world contact one another. Bots were used by channel operators because they were easy to implement. They allowed operators to script automatic responses to activity in IRC channels, and became effective tools against activities such as flooding or spamming channels, automatically kicking or banning the users involved. Those who were kicked and banned began looking for ways to teach the channel operators a lesson, and started to write programs that would harm the IRC server (Seymour E. Goodman, 2007).
These attacks were named Denial of Service and Distributed Denial of Service attacks (DOS and DDOS) (Craig A. Schiller, 2007). At first they were launched from the IRC servers themselves. Soon other machines were recruited that could launch the DDOS attacks as well. Their authors began designing their bots like worms, viruses and trojans, and controlled them over IRC itself (Craig A. Schiller, 2007).
Bots have become an everyday phenomenon for internet users. It is estimated that bots affect around 5 percent of all users who are logged on to the internet at a given time. Bots infect users globally, making them a major threat to online users. Bots are usually written in C, C++, Delphi, and Perl (Champ Clark, 2007). Bots available for open download are normally written in C++ (Champ Clark, 2007). Since this is such a common language in contemporary computing, it is not hard to see why bots have become so common.
Bots have gained popularity among all age groups and occupations. Seemingly, anyone who can program in the languages mentioned above can run a botnet. Bots are also available for free download and use. Many of the openly released bots, however, have been and are identified by antivirus software. Still, old detectable bots can be reworked and modified to make new bots, which then go unidentified by most antivirus products (Craig A. Schiller, 2007).
It is hard to estimate precisely the number of botnets currently running on the web, since discovering every botnet on the globe is impractical. Most botnet operators try to run their botnets covertly. IRC servers are typically installed and run on hacked computers. The ability to modify bots has been an important factor in their popularity (Champ Clark, 2007). Many newcomers to the hacking community start developing bots because they are comparatively easy to create and extend. Among the reasons hackers have shifted to bots as an alternative to other types of malware are monetary gain, information collection, and the usability of bots.
There are many kinds of malicious bots that have already infected many machines and are still infecting the web. Some have their own spreaders, the code that lets them infect other machines, while some less significant kinds of bots lack such abilities.
Kinds of Bots
There are many kinds of bots, but the most popular are AgoBot, SDBot, Spybot, and GT Bot (Champ Clark, 2007). These are some of the most widespread bots encountered across the web. Most of the bots seen on the internet are modifications or fusions of the original designs. Bots typically range from 1000 to 25000 lines of code (Champ Clark, 2007). The bigger the program, the greater the chance of it being detected and the harder it is to deploy on a machine.
Agobot was created in early 2000. Soon after its release a new variant of it was used more than the original. That modified version is known as Phatbot (Champ Clark, 2007). Phatbot is among the best written source-coded bots currently in service. Its original version is around 23,000 lines of code (Champ Clark, 2007). It was written in C and C++. The functionality of the bot depends on what its creator wants. Typical functions include multiple ways to perform DOS attacks, the ability to harvest Paypal passwords, features such as back doors, blocking access to anti-virus sites, and the ability to disable tools such as Softice and Ollydbg (Champ Clark, 2007).
SDBot was also created in early 2000. It is a simple bot and usually ranges from 1,500 to 3,000 lines of code. It is typically written in C. SDBot mainly acts as a command and control framework. It can be easily updated and is mainly used for scanning, DOS attacks, and sniffing. This bot can also be customized, with the ability to be updated and modified through an IRC channel (Champ Clark, 2007).
SpyBot appeared on the scene in 2003. It typically ranges from 2,500 to 3,500 lines of code (Champ Clark, 2007). It is probably a modification of SDBot, since it shares much of the same core functionality. One of the first versions of SpyBot had multiple exploits associated with NetBIOS and KaZaa (Champ Clark, 2007). It could also scan and carry out flood attacks. On the other hand it cannot be customized the way some of the other bots can.
GT Bot was created in the late 90s. At that time it was among the most common and popular bots; indeed, it was one of the only bots in use. Many modified GT Bots were found across the web in the late 90s (Champ Clark, 2007). It was limited in its scripting capabilities and had basic command and control functionality. It was quite easy to modify, as it often came with instructions on how to do so. Typical functions of the bot included port scanning, DOS attacks, and exploits for RPC and NetBIOS services (Champ Clark, 2007).
All the bots mentioned above paved the way for the new generation of bots encountered today. Present-day bots can be modified and effortlessly updated, depending on what the operator wants in terms of functionality. An operator can strip a bot of surplus functions and add functions to control its size. For example, a bot operator may only want a bot for DDOS attacks; the operator will strip away all needless functions and keep only the capabilities needed to carry out a DDOS attack.
Some examples of Botnets
Trojans are executable programs. This means that when we open the file, it will carry out some action. In Windows, executable programs have file extensions like "exe", "vbs", "com", "bat", etc. Some real Trojan filenames include "dmsetup.exe" and "LOVE-LETTER-FOR-YOU.TXT.vbs" (Harold F. Tipton, 2008). Trojans can spread in the guise of practically anything people find attractive, such as a free game, movie, song, etc. Victims typically downloaded the trojan from a WWW or FTP site, got it via peer-to-peer file exchange using IRC/instant messaging (Harold F. Tipton, 2008), or just carelessly opened an email attachment. Trojans frequently do their damage silently. The first sign of trouble is often when others tell us that we are attacking them or trying to infect them.
The most dangerous type of Trojan is the backdoor (Harold F. Tipton, 2008). It is also the most frequently encountered type. Backdoors are remote administration tools that open infected machines to outside control over a LAN or the web. They work in the same way as the legitimate remote administration programs often used by system administrators, which is why they are hard to detect.
The only distinction between a legitimate control tool and a backdoor is that backdoors are installed and launched without the knowledge or permission of the user of the victim machine. Once launched, the backdoor monitors the local system without the user's knowledge; frequently the backdoor is not visible in the list of running programs.
Backdoor activities can include sending or receiving, launching or deleting, and executing files, deleting data, and automatically rebooting the victim's machine. In effect, backdoors are used by virus writers to identify and download confidential information, run malicious code, or destroy data. Backdoors have one particularly dangerous sub-category: variants that can spread like worms.
Another important sub-category of Trojans is the PSW Trojans (Harold F. Tipton, 2008). PSW Trojans steal passwords, usually system passwords, from victim machines. They look for system files containing confidential information such as passwords and Web access numbers, and then send this information to an email address hard-coded in the Trojan itself. It is subsequently retrieved by the operator of the illegitimate program.
The information stolen by PSW Trojans includes system information such as disk size, memory and other details, the IP address, and passwords for the various utilities used by the owner of the victim machine.
Another important sub-category is the Trojan clickers. This class of Trojans redirects victim machines to specific websites or other Web resources. Clickers send the necessary commands to the browser or replace the system files in which standard Internet URLs are stored. Clickers are usually used to increase the hit count of a particular site for advertising purposes. They can also mount DOS attacks on a particular site (Harold F. Tipton, 2008), and redirect victim machines to a particular location where an attack is more likely.
Another important sub-category is Trojan downloaders. This category of Trojans downloads and installs new malware or adware on the victim machine. It then either launches the new malware or registers it for autorun according to the requirements of the local operating system. All of this is done without the knowledge or permission of the user.
RBot represents a large family of backdoors, hackers' remote access tools. These tools allow victims' computers to be controlled remotely by sending specific commands over IRC channels. In addition these backdoors can steal data and spread to the local network and to computers susceptible to exploits (Harold F. Tipton, 2008).
It has in fact outshone all other malware countered by Microsoft to date. More than 4 million computers have been cleaned of Rbot by its Malicious Software Removal Tool (MSRT) since January 2005 (Security, 2006). Microsoft has stated that 2,000 variants of Rbot make it onto the list every month. Rbot thus presents a major threat to information security today (Security, 2006).
Bobax is also a semi-automatic spreading trojan. Similar in concept to bots like Agobot, the trojan can spread unattended, but only when given the command to do so by its creator. Its main function appears to be to build a huge automated spamming complex (Harold F. Tipton, 2008). Unlike proxy trojans, which require the spammer to connect and send each individual piece of mail, Bobax sends the mail using a template and a list of email addresses (Harold F. Tipton, 2008). This has the advantage of shifting almost all the bandwidth burden of spamming onto the trojaned machines, allowing the spammer to operate at minimal cost.
Bobax is a trojan proxy; when commanded to scan, it scans random IP addresses for vulnerable computers. When Bobax infects a victim, it uses HTTP to download the executable from a webserver that listens on a certain port on the attacker's host. The data is stored in a dropper file called 'svc.exe' (Harold F. Tipton, 2008). The dropper writes a DLL with a random name to the temporary directory. The DLL is launched by injecting it into Explorer using a method known as DLL injection. Since the code runs as a thread in Explorer, it is not visible as a separate process.
Bobax exploits a vulnerability in a Windows security component called the Local Security Authority Subsystem Service. The LSASS flaw exists in all recent versions of Windows, but Bobax is programmed to target only the XP operating system. Once installed on a system, Bobax contacts a Web site and asks for instructions on what to do next, such as sending spam or executing other programs (Harold F. Tipton, 2008).
A rootkit is a set of tools that allows administrator (root) access to a computer or computer network (Biegelman, 2009). It normally consists of a backdoor, keylogger, and other malicious software that can be bundled within a bot. Rootkits are typically installed and bundled along with a bot program. Rootkits can also hide files, services and processes. A pertinent example is a private rootkit hiding the bot.exe process from the Windows XP task manager (Biegelman, 2009).
Rootkits are a vital component of bots. They allow the attacker to return to a user's system later and enter it without being detected. An example of an attacker's action is installing a modified version on a user's computer. This would typically run on a port other than the default port, but would still have the same functionality. The difference between the original and the modified version is that the attacker would have back door access to the computer (Biegelman, 2009).
Rootkits associated with bots are classified as public and private (Biegelman, 2009). Public rootkits are those that have been detected and flagged as viruses by antivirus companies. These rootkits are useless to bot operators, since their bots get detected and removed by antivirus and antispyware software. Private rootkits are those that have not been released openly. Many bot controllers have the ability to script and build their own. These rootkits do not become public and detected unless a major bot infection takes place.
Implementation of Botnets
Bots are deployed in various ways. A typical method is social engineering: phishing, email, and instant messaging scams are common ways of infecting a user's computer (Lance James, 2006). Other infections come through a lapse in security on a personal user's computer. Still other, more frequently used, ways are software vulnerabilities and their exploitation.
The simplest way for a bot to infect a machine is social engineering. Tricking the user into starting a download or clicking on a link lets the hacker simply sit back and relax. Scanning a range of IP addresses is another means of deploying bots. It may be better for finding the exploits the bot owner is looking for (Biegelman, 2009), but this tactic leaves the operator exposed to risk.
Phishing / Spam
Phishing takes its name from fishing: somebody puts out bait and a fish comes along and takes it. Phishing refers to impersonating a person or major organization (Lance James, 2006). The phisher manipulates the phishee into giving up some sort of personal information. Credit card numbers, usernames, passwords, and social security numbers are examples of the personal information divulged during phishing (Lance James, 2006).
Another use of botnets is to send out huge amounts of spam. Using the user's connection to send out spyware, phishing scams, and viruses is widespread. Many media reports have shown that botnet operators are caught because they are being paid by spyware operators: the money trail leads back to both the botnet and the spyware operator. Earnings from spamming are another reason why operators have increased the number of bots they control (Lance James, 2006).
Every phishing scam involves some type of social engineering. Social engineering is the process of getting people to do what somebody wants through manipulation (Lance James, 2006). An example would be a phishing scam in which the phisher asks the user for private data and bank account information. The deception has to be very credible for the person to fill in the requested information.
The same kind of attack occurs through instant messaging. An attacker can obtain instant message profile names through chat rooms and member search directories. Launching a bot program from an instant messenger window is not hard. The bot program sends a particular message to any open IM windows on the infected machine. One method is for the intruder to include a link to a website that starts a download to the user's machine. The second method is to start a direct download to the user's machine from a server hosting the file (Lance James, 2006).
Hijacking, Purchasing, and Trading
In the underground world of IRC there is a constant war to hijack and take over other botnets (Lance James, 2006). Botnet operators just entering the scene do not have as much knowledge as those who have been in it for some time, so there is both the inclination and the opportunity for an experienced bot manager to take control of other botnets. This can be achieved using the packet sniffer functions included in most bot malware. Botnet command and control communications tend to be unencrypted, and since it is not unusual for multiple bot infections to be present on the same system, attackers often instruct their bots to sniff network traffic looking for competing botnet communications (Lance James, 2006). A knowledgeable botnet operator can set up a machine as a honeypot and capture new bots this way. Entering a botnet's channel and assuming command of the botnet would not be hard for someone who knows how botnets operate.
One incentive for botnet operators is profit. A botnet operator may run multiple nets for different purposes. A user may compromise around 400 machines and use them to scan and infect another 400, which are then adapted for spamming. The operator may build another botnet of 1000 bots to make money selling usernames and passwords used for paypal (Biegelman, 2009). The possibilities are endless, as any type of data stored on a computer has the potential for profit. Items usually traded for bots include physical goods, such as computers and jewelry, batches of credit card information, shell accounts on servers, or even other botnets.
Distributed Denial of Service (DDOS) Attacks
A DDOS attack consists of sending a large number of packets to a single machine in an attempt to make it unstable and crash it. This is a useful tool for botnets because they can be very large. With a botnet of 200,000 machines it would not be hard to bring down a small company's server (Biegelman, 2009). Bringing down IRC servers is also very popular. When underground groups go to 'war' against each other there can be enormous flooding against each other's servers.
Anonymity while running bots
A proxy is a gateway used to relay one Web session to another. In effect it is a server that acts as an intermediary between a terminal and the internet. Forwarding all traffic through this device can give a user anonymity in Web traffic. Many bot users route through many different proxy servers. This keeps their IP address hidden from any site that the user logs on to.
The motive for proxy use on the web is the wish for confidentiality and anonymity while using an internet browser. A proxy server is a device that individuals log on to; the server in turn connects to the internet. Basically, a user connects to a proxy server and requests a certain page. The proxy server intercepts the request and redirects it to fetch the page. This keeps the user from fetching the sought information directly.
An example of a program that provides anonymity for surfing the internet is software known as Tor. It is a network of virtual tunnels that lets people and groups improve their privacy and security on the Web. Tor routes users through multiple hosts before connecting to the final destination. This prevents websites from analyzing information such as the user's IP address, browser information, and cookie data. The more nodes or hosts a user passes through, the harder it is to track the user down. Tor is comparable to a proxy in that it uses other devices to relay data, but instead of going through just one host, it uses numerous hosts at a time.
Using a proxy can have consequences, however. A proxy server acts much like a man in the middle attack. A man in the middle attack is one in which an intruder can read, insert, and modify at will the communications between two parties. The party sending data has no knowledge that the link between the user and the Web has been compromised. While logged on to a proxy server, every piece of data we request is stored on the server. If a user sends credit card data through a proxy, the credit card data is first cached on the server. The proxy requests the user's page and forwards the credit card information to the requested Web site. The person operating the server is then in possession of any data cached in the proxy. This poses a security hazard if we are using proxies for any type of data transmission to or from the server.
There are various ways to spot botnets. One popular technique for catching bots is to install a Honeynet. A Honeynet is a system set up with deliberate security vulnerabilities. It has gained considerable popularity for detecting bots. Honeynets invite attack with a system that is not updated and not patched. This gives experts the room to set up the honeynet to allow all incoming transmissions while limiting any data from leaving (Craig A. Schiller, 2007). In this way experts can study the botnets found on the web.
The information needed to connect to a botnet is the DNS name or IP address and port number of the IRC server (Biegelman, 2009), a password to connect to the IRC server, the nickname of a bot to imitate, and the name of an IRC channel. Catching bots and reverse engineering them lets us obtain all of this information from a compromised machine.
Honeynets let us learn information such as a channel password and name in order to monitor botnets. We can gather bot binaries and extract the sensitive information in a semi-automated manner. After gaining entry to one of these IRC servers, we can see the information the intruder sends to and from the bot, and monitor the command and control method of a bot operator. Observing this information helps us identify current bot trends, attack methods, and approaches. An automated method of capturing information about botnets, and a way to track botnets efficiently, can help in the fight against them and can greatly help in tracking down the operator (Biegelman, 2009).
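The semi-automated extraction described above, as an added example that is not code from the report or its cited sources: it profiles a constructed IRC session as a honeynet sensor would record it, pulling out the server password, bot nickname, channel and channel key from the bot's own registration, and the messages the channel sends to the bot. The '>' / '<' direction markers, the nick format and the "most frequent sender is the controller" heuristic are this example's own assumptions.

```python
"""Profile an IRC command-and-control session captured on a honeynet.

Added example, not code from the report or its cited sources. The capture is
constructed; field names and direction markers are this example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed capture of the bot's TCP stream to the IRC server.
# '>' marks client-to-server lines, '<' marks server-to-client lines.
CAPTURE = """\
> PASS serverpass
> NICK [XP|USA]48213
> USER xp 0 * :xp
< :irc.example.invalid 001 [XP|USA]48213 :Welcome
< PING :irc.example.invalid
> PONG :irc.example.invalid
> JOIN #botchan chankey
< :[XP|USA]48213!xp@10.0.0.5 JOIN :#botchan
< :ctrl!op@10.0.0.2 PRIVMSG #botchan :!status
< :ctrl!op@10.0.0.2 PRIVMSG #botchan :!sleep 600
< :other!u@10.0.0.9 PRIVMSG #botchan :hello
< :ctrl!op@10.0.0.2 PRIVMSG [XP|USA]48213 :!status
"""

# RFC 1459 message shape: [':' prefix SP] command [SP params]
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")


@dataclass
class CncProfile:
    """The facts the report says are needed to join and watch a botnet."""
    server_password: Optional[str] = None
    bot_nick: Optional[str] = None
    channel: Optional[str] = None
    channel_key: Optional[str] = None
    # (sender nick, target, text) for every message aimed at the bot or its channel
    messages: List[Tuple[str, str, str]] = field(default_factory=list)
    senders: Counter = field(default_factory=Counter)


def split_params(params: Optional[str]) -> List[str]:
    """Split IRC parameters; everything after ' :' is one trailing parameter."""
    if not params:
        return []
    if params.startswith(":"):
        return [params[1:]]
    head, sep, trailing = params.partition(" :")
    out = head.split()
    if sep:
        out.append(trailing)
    return out


def profile_session(capture: str) -> CncProfile:
    prof = CncProfile()
    for raw in capture.splitlines():
        if raw[:2] not in ("> ", "< "):
            continue                      # not a captured protocol line
        direction, line = raw[0], raw[2:]
        m = IRC_LINE.match(line)
        if not m:
            continue
        prefix = m.group("prefix")
        cmd = m.group("cmd").upper()
        params = split_params(m.group("params"))
        if direction == ">":
            # The bot's own registration reveals the server password, nick and channel.
            if cmd == "PASS" and params:
                prof.server_password = params[0]
            elif cmd == "NICK" and params:
                prof.bot_nick = params[0]
            elif cmd == "JOIN" and params:
                prof.channel = params[0]
                prof.channel_key = params[1] if len(params) > 1 else None
        elif cmd == "PRIVMSG" and prefix and len(params) == 2:
            # Server-relayed messages: keep those addressed to the channel or the bot.
            sender = prefix.split("!", 1)[0]
            target, text = params
            if target in (prof.channel, prof.bot_nick):
                prof.messages.append((sender, target, text))
                prof.senders[sender] += 1
    return prof


def likely_operator(prof: CncProfile) -> Optional[str]:
    """Assumption: the nick that addresses the bot or channel most often is the controller."""
    return prof.senders.most_common(1)[0][0] if prof.senders else None


if __name__ == "__main__":
    p = profile_session(CAPTURE)
    print(f"server password: {p.server_password}  bot nick: {p.bot_nick}")
    print(f"channel: {p.channel}  key: {p.channel_key}  operator: {likely_operator(p)}")
    for sender, target, text in p.messages:
        print(f"  {sender} -> {target}: {text}")
```

The same parser can be pointed at a real honeynet capture once it is rendered as one protocol line per record with the direction marker in front.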
Protection against Botnets
Antivirus software is one of the primary measures for securing our computers against botnets, but it is not the only one we have to take to protect a personal computer. Many botnets that have infected thousands of people across the web are not detectable with antivirus software. Antivirus companies' databases are built from viruses that affect a vast majority of people on the web; if botnet operators are smart, they will only send their bots to a limited number of people.
In the future, operators of botnets will increasingly use encryption to hide their botnets. One of the techniques used to detect bots is that they use ports associated with well-known programs such as IRC (Biegelman, 2009). Users need to use strong passwords, keep antivirus programs updated, and keep antispyware programs updated. Computer users ought to set their machines to scan for viruses and spyware, and keep their operating system fully patched and updated.
Users need to stop applications that connect to the internet that they do not usually use, and keep up with current trends, exploits, software vulnerabilities, and intrusion methods. The user should be aware of social engineering attacks. For instance, if a user receives an email about bank account information that supposedly needs correcting, they should actually call their bank to confirm the email. Users should not click on links in emails or instant messenger; they must open the browser by hand and visit the link only if it is from a trusted source (Biegelman, 2009).
Users should handle browsing, email, and instant messenger with care. If users have a third party firewall they must shut off the default IRC port. If a user sees a huge volume of traffic, the network is slow, and there is activity on unused ports, they should be concerned. Users who are logged on to the internet for long spans of time and are not at their computer should shut down their systems when they are not actually using them.
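The three warning signs just listed (traffic to the default IRC port, activity on ports the host should not be using, and an unusually large outbound volume) turned into a check over flow records, as an added example that is not code from the report or its cited sources. The flow records are constructed, and the port allowlist and volume threshold are this example's own assumptions rather than values from the report.

```python
"""Screen outbound flow records for the botnet warning signs the report lists.

Added example, not code from the report or its cited sources. FLOWS is a
constructed log; EXPECTED_PORTS and VOLUME_THRESHOLD are assumptions.
"""
from collections import defaultdict
from typing import Dict, List

IRC_DEFAULT_PORT = 6667              # the default IRC port the report advises blocking
EXPECTED_PORTS = {53, 80, 443}       # assumption: ports a workstation normally uses
VOLUME_THRESHOLD = 50_000_000        # assumption: outbound bytes per host that count as "huge"

# Constructed flow log, one record per line: src_ip,dst_ip,dst_port,bytes_out
FLOWS = """\
10.0.0.5,198.51.100.7,6667,2400
10.0.0.5,198.51.100.7,6667,1800
10.0.0.6,203.0.113.9,443,51200
10.0.0.7,203.0.113.10,31337,4096
10.0.0.8,203.0.113.11,25,30000000
10.0.0.8,203.0.113.12,25,30000000
10.0.0.6,203.0.113.9,80,1200
"""


def parse_flows(text: str) -> List[dict]:
    """Parse the comma-separated flow records, skipping blank and comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, dport, nbytes = line.split(",")
        records.append({"src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return records


def screen(records: List[dict]) -> Dict[str, List[str]]:
    """Return, per source host, the sorted list of warning signs it triggered."""
    findings = defaultdict(set)
    outbound = defaultdict(int)
    for r in records:
        outbound[r["src"]] += r["bytes"]
        if r["dport"] == IRC_DEFAULT_PORT:
            # The port the report says a third-party firewall should block outright.
            findings[r["src"]].add(f"default IRC port {IRC_DEFAULT_PORT} to {r['dst']}")
        elif r["dport"] not in EXPECTED_PORTS:
            # "Activity in unused ports": anything outside the allowlist.
            findings[r["src"]].add(f"unexpected port {r['dport']} to {r['dst']}")
    for host, total in outbound.items():
        if total >= VOLUME_THRESHOLD:
            # "Huge volume of traffic": summed over all of the host's flows.
            findings[host].add(f"high outbound volume: {total} bytes")
    return {host: sorted(f) for host, f in findings.items()}


if __name__ == "__main__":
    for host, signs in sorted(screen(parse_flows(FLOWS)).items()):
        print(host)
        for s in signs:
            print("  -", s)
```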
Users can also use specific antitrojan tools, which are usually available for download. Antirootkit software is also available to target these types of malware. Users must also not store any private information on their computer. Private information such as credit card numbers, usernames, passwords, and social security numbers is all sensitive. Users need a machine that is not connected to the internet on which to carry out business transactions. If a user has a computer bought new from a manufacturer, they should update it right away. A defenseless machine can be infected very quickly.
Botnets are the new and imminent danger among malware. We have to understand what the purpose of this new threat is. We ought to understand how to control it and hinder its spread. We need to understand the method and execution of the botnet in order to keep it from harming the private user's machine, and more importantly to secure larger company systems.
Knowledge about botnets is growing in direct proportion to the innovation in the types of botnets. This new danger is in the hands of anybody who has access to the web and knows the fundamentals of a programming language. The underground cultures surrounding botnets provide a robust infrastructure for learning how to command, control, and stay hidden from those trying to stop them.
In this report we have discussed the dynamics of bots and botnets and how this phenomenon is affecting us today. The driving factor for this industry is money, with a focus on private information such as a user's identity and credit card numbers, on spam, and on the threat of DDOS attacks. The flexibility of botnets allows an attacker to build a bot according to his/her own needs. If a botnet operator keeps his/her net small, there is very little chance of being caught.
The foremost protection against the botnet danger is the private user. It can be provided by setting up a firewall, keeping software updated, and keeping the operating system free of malware. Mainstream media have a responsibility to report on this threat so as to inform web users and protect their computers.
Biegelman, M. T. (2009). Identity Theft Handbook: Detection, Prevention, and Security. John Wiley and Sons.
Champ Clark, I. L. (2007). Infosecurity 2008 Threat Analysis. Syngress.
Craig A. Schiller, J. B. (2007). Botnets: the killer web app. Syngress.
Harold F. Tipton, M. K. (2008). Information security management handbook. CRC Press.
Lance James, J. S. (2006). Phishing exposed. Syngress.
Security, C. F. (2006, June). Rampant Rbot Trojans dominate MS clean-up job. Computer Fraud & Security, 2-3.
Seymour E. Goodman, N. R. (2007). Toward a safer and more secure cyberspace. National Academies Press.