Blog Post View

What is a Botnet?

The most recent news of huge cyber-attacks using “Zombies” and “Bots” will not be alarming. This will not create this enthusiast think, even for a second, that the digital world has been taken by the living dead creatures or yet alien armies. But one thing will come to realize the "Botnets".

There are many definitions of botnets. According to google definition, it is a huge collection of internet interconnected communicating programs with other kinds of similar programs to perform various tasks. The Botnet term is derived from "ro-bot". Bot is a general term used to describe a set of scripts or a script created to perform a predefined function in an automated way. Because of the organization coordination, network-based and controlled nature, Botnet is currently one of the dangerous category of attacks that are roaming the internet. Considering botnets’ power both in access capabilities and cumulative bandwidth. Botnets may cause many network outrages through huge DDoS (Distributed Denial of Service) attacks. Due to propagating, self-organizing, distributed architecture and autonomous framework which is under C&C or C2 (Command and Control) infrastructure, botnet are different from many other types of network malicious software. These malware can propagate over billions of computers and networks with the same characteristics as worms do.

Client-server model

vA network created on the client-server model, where separate clients demand resources and services from central servers. The primary botnets on the internet used a client-server model to achieve their expected tasks. Classically, these botnets function through domains, Internet Relay Chat networks, or websites. Diseased clients access a prearranged location and expect incoming instructions from the server. The bot owner directs commands to the server, which communicates them to the clients. Clients perform the commands and report their consequences back to the botnet owner. In the case of IRC botnets, infected clients connect to an infected IRC server and join a channel pre-designated for Control & Command by the botnet owner. The botnet owner sends commands to the channel via the IRC server. Each client saves the commands and performs them. Clients direct communications back to the IRC channel with the results of their activities.

Peer-to-peer

A peer-to-peer grid in which prepared nodes ("peers") segment resources among others without the use of a central managerial system. In reply to efforts to decapitate and detect IRC botnets, botnets owners have started organizing malware on peer-to-peer networks. These botnets could use numerical signatures therefore, that only somebody with admission to the private key can regulate the botnet. For instances Zero Access and Gameover ZeuS botnet. Fresher botnets completely operate over peer-to-peer networks. Rather than connect with a central server, peer-to-peer botnets achieve as both a client and command distribution server which obtains commands. This evades having any sole point of disappointment, which is an issue for central botnets. To find other diseased machines, the botnet faintly probes random Internet Protocol addresses until it links another infected machine. The communicated botnet replies with data such as its list of known botnets and software version. If one of the botnets' version is lesser than the other, they will recruit a file transmission to update. Each botnet produces its list of updates and infected machines itself by occasionally interactive to all known botnets.

Botnet make more dangerous is that unlike network zombie nodes, worms in a single robot net could work in time be managed and at the same time co-operation from a single "hive-like" approach. Due to above reason, botnets may not be classified into any standard category of threats like security engineers do other types malware. Control and Command server/architecture is used to propagate and exploit. The threat agent of the botnet needs a high level of coordination, deep technical skills, and planning. A functional and better botnet could be characterized as a more professionally built tool and designed intended to be sold or re-entered any person with a huge set of novice skills. Somehow the fundamentals used for the subsequent hijacking and the infection of a PC into a botnet are only three:

  1. Using the collection data harvested from victims.
  2. Using to permits the cybercriminals to deliver instruction for the infected personal computers’ trojans.
  3. Using to poison the PCs by tricking people into open a ".exe" (executable) file. This could be done in a variety of types such malicious PDFs (Portable Document Format), infected USB (Universal Serial Bus) sticks and drive-by infections.

Apart from a normal set of attacks malware spreading, identity fraud, spamming, click fraud and sensitive information leakage, those techniques are very valuable gadgets which can carry out APT (Advanced Persistent Threats) for very critical companies. The most famous threats posed by the use of Denial of Services attacks are very dangerous for many organizations. It could be even created more severe by confirming that the targeted company's bandwidth of the network is consumed from any range of IP addresses. For an instance DDoS where the victim’s network administrator will not be able to separate source IP addresses used in exploits. These IP addresses cannot add to the blacklist because it seems these come from regular user.

Even if the evidence discloses that most typical applied by botnets are SYN TCP (Synchronization Transmission Control Protocol) and UDP (User Datagram Protocol) flooding attacks. The brand-new botnets are implemented in many ways to create eliminating and discovering the source of control (C&C) more difficult. Now IRC server such as server-centric model is said to utilize the P2P (Peer to Peer) protocols that have been created popularized on the internet by various file sharing apps on many different platforms. Using this P2P platform, it is no longer essential to deliver commands from an actual (physical) server location. The IP (Internet Protocol) is constantly changing. The advantage of this is much difficult to trace back to the original source. In 2008 new type of botnet implemented using encryption that was based on the “eDonkey” protocol. It is originally called Nuwar/W32 but lately named as the “Storm worm”. This worm had nearly 200 peers hardcoded into hash values, which can decrypt malware and used to check for newer files to download. This made even more interesting, was that all transactions were properly encrypted. Only the malicious software itself can act upon the answers and decrypt. These replies normally lead to Uniform Resource Locator (URLs) which downloaded other types of binaries. Storm worm is responsible for huge types of worms during 2008-2009 until it was taken down by the authorities.

Typically, botnets have run exclusively on many versions of Windows platforms. Very recently localized versions also have emerged. Using scripting languages like Perl, threat agents created many versions that run on several types of Linux and Unix. Because of the 'open' format, the boom in packages and Android applications have been injected to the use of many botnets. The new Android market has many restrictions when it comes to registering and product developer, which has developed to encourage application implementers to adopt the new platform. This creates easier for cyber-criminals to publish their trojanized code parts or malware applications. Bring Your Own Device (BYOD) is implemented in different “blue chip” companies have permitted the instructions of different mobile devices that can run Android OS (Operating System). The attack platforms have been drastically incrementing. The many attack vectors have been created greater as mobiles are meeker to get infected through various infected media.

Zombie computer

A zombie computer is a computer linked to the Internet that has been compromised by a threat agent, trojan horse or computer virus and could be used to achieve malicious tasks of one sort or another under distant direction. Botnets of zombie computers are often used to blowout e-mail spam and launch denial-of-service attacks. Most owners of zombie computers are uninformed that their system has been used in this malicious way. Because the owner tends to be unaware, these computers are symbolically compared to zombies. A coordinated Denial DoS attack by numerous botnet machines also resembles a zombie crowd attack. Many personal computer users are unaware that their PC is infected with large bots. The process of theft computing resources because of a system being combined to a "botnet" is sometimes mentioned to as "scrumping".

The recent trends in cybersecurity, it will not be very long where robot networks will be rented or purchased on the black market. It can be even worse be taken over by wicked holders and redirect to the more malicious targets. Many people know those things occur frequently, therefore, it will be naïve to not assume that state-owned companies or national states companies around the world have involved to taken off these botnets offensively.

Countermeasures

The physical dispersion of botnets means that each beginner must be individually corralled/repaired/ identified and limits the assistance of filtering. Network security authorities have flourished in subverting or destroying malware C&C (command and control) networks, by, among other means, getting those cut off from the Internet or seizing servers, repudiating access to domains that were due to be used by malware to contact its command and control infrastructure, and, in some cases, breaking into the command and control network itself. In response to this, command and control operators have resorted to using techniques such as overlaying their command and control networks on other existing benign infrastructure such as IRC or Tor (onion protocol), using peer-to-peer networking systems that are not dependent on any fixed servers, and using public key encryption to defeat attempts to break into or spoof the network. One thing that is becoming extra apparent is the fact that sensing automated botnet attacks is becoming more difficult every day as fresher and more urbane generations of botnets are getting threw by attackers. For instance, an automated attack can deploy a large bot army and apply brute-force methods with highly accurate username and password lists to hack into accounts. The impression is to overpower sites with twenty of thousands of requests from different Internet Protocols all over the globe, but with each botnet only submitting a single request every 9 minutes or so, which could result in more than 8 million tries per day. In these cases, numerous tools try to leverage volumetric discoveries, but automated botnet attacks now have ways of circumventing activates of volumetric detection. One of the methods for detecting these botnet attacks is what is known as "signature-based systems" in which the software will try to detect patterns in the request packet. But attacks are constantly evolving, so this may not be a viable option when patterns can not be discerned from thousands of requests. There's also the behavioral approach to thwarting bots, which ultimately is trying distinguishing bots from humans. By classifying non-human performance and identifying known botnet behavior, this process can be applied at the user, browser, and network levels.

Cyber-attacks are increasing exponentially with help of newly form attack vectors. Security engineers must be proactive and attempt to think out of the box. It could be noted that time-tested policies like “defense in depth”, "Layering of Technologies", etc. it will not be enough to stop this threat. Equally, these may give increase to the possible criminal having more attack vectors to perpetrate the crime. The finest approach is a relaxed one. It just to guarantee that own interest does not take to places where PCs will rather not go. Or else it may just be the motive why botnets are able to raise at such a frightening rate.

Share this post

Comments (0)

    No comment

Leave a comment

Login To Post Comment