Botnet

A botnet is a number of Internet-connected computers communicating with other similar machines in an effort to complete repetitive tasks and objectives. This can be as mundane as keeping control of an Internet Relay Chat (IRC) channel, or it could be used to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network. The term is usually used with a negative or malicious connotation.

Types of botnets

Legal botnets

The term botnet is widely used when several IRC bots have been linked and may possibly set channel modes on other bots and users while keeping IRC channels free from unwanted users. This is where the term is originally from, since the first illegal botnets were similar to legal botnets. A common bot used to set up botnets on IRC is eggdrop.

Illegal botnets

Botnets sometimes compromise computers whose security defenses have been breached and control conceded to a third party. Each such compromised device, known as a "bot", is created when a computer is penetrated by software from a malware (malicious software) distribution. However, it could also be someone (or a spider) that hacks into a computer. The controller of a botnet is able to direct the activities of these compromised computers through communication channels formed by standards-based network protocols such as IRC and Hypertext Transfer Protocol (HTTP).[1]

Botnets are increasingly rented out by cyber criminals as commodities for a variety of purposes.[2]

Recruitment

Computers can be co-opted into a botnet when they execute malicious software. This can be accomplished by luring users into making a drive-by download, exploiting web browser vulnerabilities, or by tricking the user into running a Trojan horse program, which may come from an email attachment. This malware will typically install modules that allow the computer to be commanded and controlled by the botnet's operator. After the software is downloaded, it will call home (send a reconnection packet) to the host computer. When the re-connection is made, depending on how it is written, a Trojan may then delete itself, or may remain present to update and maintain the modules. Many computer users are unaware that their computer is infected with bots.[3]

The first botnet was first acknowledged and exposed by Earthlink during a lawsuit with notorious spammer Khan C. Smith[4] in 2001 for the purpose of bulk spam accounting for nearly 25% of all spam at the time.

Organization

While botnets are often named after the malware that created them, multiple botnets typically use the same malware, but are operated by different entities.[5]

A botnet's originator (known as a "bot herder" or "bot master") can control the group remotely, usually through IRC, and often for criminal purposes. This server is known as the command-and-control (C&C) server. Though rare, more experienced botnet operators program command protocols from scratch. These protocols include a server program, a client program for operation, and the program that embeds the client on the victim's machine. These communicate over a network, using a unique encryption scheme for stealth and protection against detection or intrusion into the botnet.

A bot typically runs hidden and uses a covert channel (e.g. the RFC 1459 (IRC) standard, Twitter, or IM) to communicate with its C&C server. Generally, the perpetrator has compromised multiple systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community. The process of stealing computing resources as a result of a system being joined to a "botnet" is sometimes referred to as "scrumping."

Botnet servers are typically redundant, linked for greater redundancy so as to reduce the threat of a takedown. Actual botnet communities usually consist of one or several controllers that rarely have highly developed command hierarchies; they rely on individual peer-to-peer relationships.[6]

Botnet architecture evolved over time, and not all botnets exhibit the same topology for command and control. Advanced topology is more resilient to shutdown, enumeration or discovery. However, some topologies limit the marketability of the botnet to third parties.[7] Typical botnet topologies are star, multi-server, hierarchical and random.

To thwart detection, some botnets are scaling back in size. As of 2006, the average size of a network was estimated at 20,000 computers.[8]

Formation

This example illustrates how a botnet is created and used to send email spam.

How a botnet works
  1. A botnet operator sends out viruses or worms, infecting ordinary users' computers, whose payload is a malicious application—the bot.
  2. The bot on the infected PC logs into a particular C&C server.
  3. A spammer purchases the services of the botnet from the operator.
  4. The spammer provides the spam messages to the operator, who instructs the compromised machines via the control panel on the web server, causing them to send out spam messages.

Botnets can be exploited for various other purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam (see Spambot), click fraud, mining bitcoins, spamdexing, and the theft of application serial numbers, login IDs, and financial information such as credit card numbers.

The botnet controller community features a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the most "high-quality" infected machines, like university, corporate, and even government machines.[9]

Types of attacks

Countermeasures

The geographic dispersal of botnets means that each recruit must be individually identified/corralled/repaired and limits the benefits of filtering. Some botnets use free DNS hosting services such as DynDns.org, No-IP.com, and Afraid.org to point a subdomain towards an IRC server that harbors the bots. While these free DNS services do not themselves host attacks, they provide reference points (often hard-coded into the botnet executable). Removing such services can cripple an entire botnet. Some botnets implement custom versions of well-known protocols. The implementation differences can be used for detection of botnets. For example, Mega-D features a slightly modified SMTP protocol implementation for testing spam capability. Bringing down the Mega-D's SMTP server disables the entire pool of bots that rely upon the same SMTP server.[13]

The botnet server structure mentioned above has inherent vulnerabilities and problems. For example, finding one server with one botnet channel can often reveal the other servers, as well as their bots. A botnet server structure that lacks redundancy is vulnerable to at least the temporary disconnection of that server. However, recent IRC server software includes features to mask other connected servers and bots, eliminating that approach.

Computer and network security companies have released software to counter botnets. Norton AntiBot was aimed at consumers, but most target enterprises and/or ISPs. Host-based techniques use heuristics to identify bot behavior that has bypassed conventional anti-virus software. Network-based approaches tend to use the techniques described above; shutting down C&C servers, nullrouting DNS entries, or completely shutting down IRC servers. BotHunter is software, developed with support from the U.S. Army Research Office, that detects botnet activity within a network by analysing network traffic and comparing it to patterns characteristic of malicious processes.

Some newer botnets are almost entirely P2P. Command and control is embedded into the botnet rather than relying on external servers, thus avoiding any single point of failure and evading many countermeasures.[14] Commanders can be identified just through secure keys, and all data except the binary itself can be encrypted. For example, a spyware program may encrypt all suspected passwords with a public key that is hard-coded into it, or distributed with the bot software. Only with the private key (known only by the botnet operators) can the data captured by the bot be read.

Some botnets are capable of detecting and reacting to attempts to investigate them, reacting perhaps with a DDoS attack on the IP address of the investigator.

Researchers at Sandia National Laboratories are analyzing botnets' behavior by simultaneously running one million Linux kernels—a similar scale to a botnet—as virtual machines on a 4,480-node high-performance computer cluster to emulate a very large network, allowing them to watch how botnets work and experiment with ways to stop them.[15]

Historical list of botnets

Date created Date dismantled Name Estimated no. of bots Spam capacity (bn/day) Aliases
2004 (Early) Bagle 230,000[16] 5.7 Beagle, Mitglieder, Lodeight
Marina Botnet 6,215,000[16] 92 Damon Briant, BOB.dc, Cotmonger, Hacktool.Spammer, Kraken
Torpig 180,000[17] Sinowal, Anserin
Storm 160,000[18] 3 Nuwar, Peacomm, Zhelatin
2006 (Around) 2011 (March) Rustock 150,000[19] 30 RKRustok, Costrat
Donbot 125,000[20] 0.8 Buzus, Bachsoy
2007 (Around) Cutwail 1,500,000[21] 74 Pandex, Mutant (related to: Wigon, Pushdo)
2007 Akbot 1,300,000[22]
2007 (March) 2008 (November) Srizbi 450,000[23] 60 Cbeplay, Exchanger
Lethic 260,000[16] 2 none
2007 (September) dBot 10,000+ (Europe) dentaoBot, d-net, SDBOT
Xarvester 10,000[16] 0.15 Rlsloup, Pixoliz
2008 (Around) Sality 1,000,000[24] Sector, Kuku
2008 (around) 2009-Dec Mariposa 12,000,000[25]
2008 (November) Conficker 10,500,000+[26] 10 DownUp, DownAndUp, DownAdUp, Kido
2008 (November) 2010 (March) Waledac 80,000[27] 1.5 Waled, Waledpak
Maazben 50,000[16] 0.5 None
Onewordsub 40,000[28] 1.8
Gheg 30,000[16] 0.24 Tofsee, Mondera
20,000[28] 5 Loosky, Locksky
Wopla 20,000[28] 0.6 Pokier, Slogger, Cryptic
2008 (Around) Asprox 15,000[29] Danmec, Hydraflux
Spamthru 12,000[28] 0.35 Spam-DComServ, Covesmer, Xmiler
2008 (Around) Gumblar
2009 (May) November 2010 (not complete) BredoLab 30,000,000[30] 3.6 Oficla
2009 (Around) 2012-07-19 Grum 560,000[31] 39.9 Tedroo
Mega-D 509,000[32] 10 Ozdok
Kraken 495,000[33] 9 Kracken
2009 (August) Festi 2.25 Spamnost
2010 (January) LowSec 11,000+[16] 0.5 LowSecurity, FreeMoney, Ring0.Tools
2010 (around) TDL4 4,500,000[34] TDSS, Alureon
Zeus 3,600,000 (US only)[35] Zbot, PRG, Wsnpoem, Gorhax, Kneber
2010 (Several: 2011, 2012) Kelihos 300,000+ 4 Hlux
2011 or earlier 2015-02 Ramnit 3,000,000[36]
2012 (Around) Chameleon 120,000[37] None
2013 Boatnet 500+ server computers 0.01 YOLOBotnet
2013 2013 Zer0n3t 200+ server computers 4 FiberOptck, OptckFiber, Fib3rl0g1c
2014 Semalt 300,000+ Soundfrost

See also

References

  1. Ramneek, Puri (2003-08-08). "Bots &; Botnet: An Overview" (PDF). SANS Institute. Retrieved 12 November 2013.
  2. Danchev, Dancho (11 October 2013). "Novice cyberciminals offer commercial access to five mini botnets". Retrieved 28 June 2015.
  3. Teresa Dixon Murray. "Banks can't prevent cyber attacks like those hitting PNC, Key, U.S. Bank this week". Cleveland.com. Retrieved 2 September 2014.
  4. Credeur, Mary. "Atlanta Business Chronicle, Staff Writer". bizjournals.com. Retrieved 22 July 2002.
  5. Many-to-Many Botnet Relationships, Damballa, 8 June 2009.
  6. "what is a Botnet trojan?". DSL Reports. Retrieved 7 April 2011.
  7. Botnet Communication Topologies, Damballa, 10 June 2009.
  8. "Hackers Strengthen Malicious Botnets by Shrinking Them" (PDF). Computer; News Briefs (IEEE Computer Society). April 2006. doi:10.1109/MC.2006.136. Retrieved 12 November 2013. The size of bot networks peaked in mid-2004, with many using more than 100,000 infected machines, according to Mark Sunner, chief technology officer at MessageLabs.The average botnet size is now about 20,000 computers, he said.
  9. "Trojan horse, and Virus FAQ". DSLReports. Retrieved 7 April 2011.
  10. "Operation Aurora — The Command Structure". Damballa.com. Archived from the original on 11 June 2010. Retrieved 30 July 2010.
  11. Larkin, Erik (2009-02-10). "Fake Infection Warnings Can Be Real Trouble". PCWorld. Retrieved 10 November 2011.
  12. 8 Jul 2010 (2010-07-08). "Korean Poker Hackers Arrested". Poker.gamingsupermarket.com. Retrieved 10 November 2011.
  13. C.Y. Cho, D. Babic, R. Shin, and D. Song. Inference and Analysis of Formal Models of Botnet Command and Control Protocols, 2010 ACM Conference on Computer and Communications Security.
  14. Wang, Ping et al. (2010). "Peer-to-peer botnets". In Stamp, Mark & Stavroulakis, Peter. Handbook of Information and Communication Security. Springer. ISBN 9783642041174.
  15. "Researchers Boot Million Linux Kernels to Help Botnet Research". IT Security & Network Security News. 2009-08-12. Retrieved 23 April 2011.
  16. 1 2 3 4 5 6 7 "Symantec.cloud | Email Security, Web Security, Endpoint Protection, Archiving, Continuity, Instant Messaging Security" (PDF). Messagelabs.com. Retrieved 2014-01-30.
  17. Chuck Miller (2009-05-05). "Researchers hijack control of Torpig botnet". SC Magazine US. Retrieved 10 November 2011.
  18. "Storm Worm network shrinks to about one-tenth of its former size". Tech.Blorge.Com. 2007-10-21. Retrieved 30 July 2010.
  19. Chuck Miller (2008-07-25). "The Rustock botnet spams again". SC Magazine US. Retrieved 30 July 2010.
  20. "Spam Botnets to Watch in 2009 | Dell SecureWorks". Secureworks.com. Retrieved 16 January 2012.
  21. "Pushdo Botnet — New DDOS attacks on major web sites — Harry Waldron — IT Security". Msmvps.com. 2010-02-02. Retrieved 30 July 2010.
  22. "New Zealand teenager accused of controlling botnet of 1.3 million computers". The H security. 2007-11-30. Retrieved 12 November 2011.
  23. "Technology | Spam on rise after brief reprieve". BBC News. 2008-11-26. Retrieved 24 April 2010.
  24. "Sality: Story of a Peer-to-Peer Viral Network" (PDF). Symantec. 2011-08-03. Retrieved 12 January 2012.
  25. "How FBI, police busted massive botnet". theregister.co.uk. Retrieved 3 March 2010.
  26. "Calculating the Size of the Downadup Outbreak — F-Secure Weblog : News from the Lab". F-secure.com. 2009-01-16. Retrieved 24 April 2010.
  27. "Waledac botnet 'decimated' by MS takedown". The Register. 2010-03-16. Retrieved 23 April 2011.
  28. 1 2 3 4 Gregg Keizer (2008-04-09). "Top botnets control 1M hijacked computers". Computerworld. Retrieved 23 April 2011.
  29. "Botnet sics zombie soldiers on gimpy websites". The Register. 2008-05-14. Retrieved 23 April 2011.
  30. "Infosecurity (UK) - BredoLab downed botnet linked with Spamit.com". .canada.com. Retrieved 10 November 2011.
  31. "Research: Small DIY botnets prevalent in enterprise networks". ZDNet. Retrieved 30 July 2010.
  32. Warner, Gary (2010-12-02). "Oleg Nikolaenko, Mega-D Botmaster to Stand Trial". CyberCrime & Doing Time. Retrieved 6 December 2010.
  33. "New Massive Botnet Twice the Size of Storm — Security/Perimeter". DarkReading. Retrieved 30 July 2010.
  34. "Cómo detectar y borrar el rootkit TDL4 (TDSS/Alureon)". kasperskytienda.es. 2011-07-03. Retrieved 11 July 2011.
  35. "America's 10 most wanted botnets". Networkworld.com. 2009-07-22. Retrieved 10 November 2011.
  36. http://phys.org/news/2015-02-eu-police-malicious-network.html
  37. "Discovered: Botnet Costing Display Advertisers over Six Million Dollars per Month". Spider.io. 2013-03-19. Retrieved 21 March 2013.
  38. Espiner, Tom (2011-03-08). "Botnet size may be exaggerated, says Enisa | Security Threats | ZDNet UK". Zdnet.com. Retrieved 10 November 2011.

External links

This article is issued from Wikipedia - version of the Thursday, January 21, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.