Botnets

From Embedded Lab Vienna for IoT & Security

Summary

This Wiki entry deals with the topic of botnets. It introduces the reader to the key terminology before discussing the various types of botnets, including their architecture and infection methods. The explosion in recent years of IoT devices that lack the security standards of devices such as laptops and smartphones has created a new pool of potential hosts for botnets and exacerbated the botnet problem. Criminals will always look to exploit new technology for illegal financial gain, and more must be done on a global level to combat the threat of botnets. Countermeasures and prevention methods are discussed at the end.

Definition of Botnets

Botnet is a concept created by combining the terms network and robot. Like a robot, bots are programmed by the bot master for an automated task. [1] A botnet is defined as a compromised network that infects other devices on the same network by running malware. [2] Botnets are used in cyber crime: for example, to send spam, launch DoS attacks, or steal personal information such as bank credentials or email accounts. It is widely known that about 80% of emails and similar messages are spam sent via botnets. [3] A large percentage of botnets are also used to interrupt services in order to drive other players down (e.g. foreign states). Malicious botnets are a real threat to individuals using Internet infrastructure and to the entire Internet in general. [4]

Components of Botnets

A botnet has three main components: several bots, a Command and Control (C&C) server, and a bot master. Bots in general are software used in many games and Internet services; what we are talking about here are malicious worms coded by a bot master. These worms spread through the Internet and settle into systems by exploiting security vulnerabilities in user devices. Every user device that has a malicious bot running on it is itself also called a bot, or a zombie. A bot master is someone who codes bots and infects computers over the Internet; the infected computers are an army of zombies under their command. The bot master manages the bots via a command and control structure. "A command and control architecture is a structure that issues commands to a Botnet and receives reports back from the co-opted computers". [5] It directs the sending and receiving of commands between the nodes. The section on botnet architecture covers this in more detail.

Life Cycle of a Bot

To better understand how a botnet is created, deployed and developed, it is important to understand the bot life cycle. We can divide the life cycle of a botnet into 5 phases. "These are Initial injection, Secondary injection, Connection phase, Command and Control Server and upgrading and maintenance phase. Bot master follows this cycle to create, infect and control the Bots." [6]

Initial Injection

Attackers create numerous bots and spread them to victims; once infected, the victims spread the bots further automatically. [7] Attackers search for vulnerable hosts and infect them using various exploitation techniques such as sending spam emails, phishing, creating back doors etc. [8]

Secondary Injection

In this phase, the infected hosts execute a script known as shellcode. The shellcode fetches the image of the actual bot binary via FTP, HTTP or a P2P protocol, or from a specific location. [9] "After installation the malware script infects machines, which then become real active bots." [10]

Connection

The connection phase is the most important part of the botnet life cycle. In this phase, a command and control server is established to control the bots, namely the zombie army, and the bots connect to the server via the command and control channel. The bot master sends a request and waits for a response from the bots. If the response comes, it means the connection has been established.
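The periodic check-in that the connection phase produces is also what a defender can look for in network logs. The Python script below is an added example and is not part of this wiki entry or of any paper it cites: it groups connections in a constructed flow log by (source, destination, port) and flags pairs whose inter-connection gaps are numerous and nearly constant, which is how a timer-driven bot reporting to its C&C server looks from the network. All hosts, timestamps and thresholds are constructed assumptions.

```python
"""Beacon detection over constructed flow records.

Added example, not part of the wiki entry or of any cited paper. A bot in
the connection phase checks in with its C&C server on a timer, so a
defender can look for (source, destination, port) pairs whose connections
recur at nearly constant intervals. All hosts, timestamps and thresholds
below are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log: (timestamp in seconds, source host, destination host,
# destination port). 10.0.0.7 checks in with 198.51.100.23 roughly every
# 60 s with a little jitter; 10.0.0.9 browses a web site irregularly.
FLOWS = [
    (0, "10.0.0.7", "198.51.100.23", 443),
    (5, "10.0.0.9", "93.184.216.34", 443),
    (12, "10.0.0.9", "93.184.216.34", 443),
    (61, "10.0.0.7", "198.51.100.23", 443),
    (120, "10.0.0.7", "198.51.100.23", 443),
    (140, "10.0.0.9", "93.184.216.34", 443),
    (141, "10.0.0.9", "93.184.216.34", 443),
    (181, "10.0.0.7", "198.51.100.23", 443),
    (240, "10.0.0.7", "198.51.100.23", 443),
    (299, "10.0.0.7", "198.51.100.23", 443),
    (300, "10.0.0.9", "93.184.216.34", 443),
    (360, "10.0.0.7", "198.51.100.23", 443),
    (420, "10.0.0.7", "198.51.100.23", 443),
    (900, "10.0.0.9", "93.184.216.34", 443),
]


def interarrivals(flows):
    """Group flows by (src, dst, port); return the gaps between successive connections."""
    stamps = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        stamps[(src, dst, port)].append(ts)
    return {pair: [b - a for a, b in zip(t, t[1:])] for pair, t in stamps.items()}


def find_beacons(flows, min_connections=6, max_cv=0.15):
    """Return [(pair, mean_gap, cv)] for pairs with many, nearly evenly spaced connections.

    cv is the coefficient of variation (std / mean) of the gaps: a timer with
    small jitter gives a cv close to 0, human-driven traffic a much larger one.
    """
    suspects = []
    for pair, gaps in interarrivals(flows).items():
        if len(gaps) + 1 < min_connections:
            continue  # too few connections to judge periodicity
        mu = mean(gaps)
        if mu <= 0:
            continue  # all connections share one timestamp; nothing periodic
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            suspects.append((pair, mu, cv))
    return suspects


if __name__ == "__main__":
    for (src, dst, port), mu, cv in find_beacons(FLOWS):
        print(f"possible beacon: {src} -> {dst}:{port} every {mu:.1f}s (cv={cv:.3f})")
```

On the constructed log only the 10.0.0.7 pair is reported, with a mean gap of 60 s; the browsing host has six connections too, but its gaps vary so widely that its cv is far above the threshold. In practice the thresholds are tuned per environment, and legitimate periodic traffic (NTP, update checks, monitoring agents) has to be allow-listed before the remaining hits are worth an analyst's time.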

Command and Control Server

A botnet actually starts working in this phase. The command and control server and channel enable the bot master to remotely control a huge number of bots to conduct numerous illicit activities, including data theft, performing DDoS (Distributed Denial-of-Service) attacks, spreading malware, spamming, phishing, identity theft, manipulating video games and many others. [11]

Upgrading and Maintaining

This phase is necessary to control the whole network; it is also the phase in which the bot master protects the command and control (C&C) server from detection by changing its location after some period of time. In this phase, the bot master maintains the overall operation of the active bots and infects new host machines to increase the number of bots in the botnet. [12]

Architecture Types of Botnets

Well-known network architectures are also used to set up botnets. The oldest form, the client-server architecture, also known as the centralized architecture, comes first. It is followed by the peer-to-peer, that is, decentralized architecture. Finally, a hybrid architecture, created by combining both, can be used.

Centralized (Client-Server) Architecture

The old approach used by botnets for their command and control (C&C) architecture was the centralized (hierarchical) mechanism. In this approach, the bot master (attacker) distributes commands over the botnet via various bot controllers in order to hide the attacker's real identity. The use of multiple bot controllers prevents security professionals from shutting down the C&C channel, as shown in Figure 2. In the figure, a bot controller retrieves the command from the bot master and then distributes it further to all the bots in the botnet. [13]

Decentralized (P2P) Architecture

There is no centrally managed server in the P2P botnet structure. All bots on the network are interconnected and work as both client and C&C server. Because of their advantages over traditional centralized botnets, P2P botnets are more robust and more difficult for the security community to defend against, and are regarded as the next generation of botnets. [14] The client bots are attacked by the C&C servers. Once a client is attacked, all the other clients that communicate with the infected client get attacked as well. The infected bots communicate with other bots and send the malicious code to them over P2P communications, as shown in Figure 3. [15]

Hybrid

Components

Every botnet needs bots. These are the machines or IoT devices that are infected by an attacker and make up the network. IoT devices include light bulbs, fridges, sensors and health equipment. The bots are controlled by a command and control server which is in turn controlled by the Botmaster.

Purpose

Botnets can be used for various purposes including DDoS attacks, stealing information from the infected machine (bot), bitcoin mining, spam, phishing, identity theft and keylogging. [16] A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. [17] According to [18], a DDoS service can be hired for as little as $10 per hour, $30-70 per day, $150 per week or $1,200 per month. A list of uses for botnets from [18] is as follows:

  • Attack ISPs, sometimes resulting in denial-of-service to legitimate traffic
  • Send spam email
  • Launch DDoS attacks and bring down websites and APIs
  • Perform click fraud
  • Solve weak CAPTCHA challenges on websites in order to imitate human behaviour during logins
  • Steal credit card information
  • Hold companies to ransom with threats of DDoS attacks

The aim is to make money out of the victims or increase the size of the botnet to in turn make more money.

Prevention

[19] gives a comprehensive list of actions necessary to protect against and prevent botnets. These include:

  • Ingress and egress filtering
  • Legacy devices that cannot be secured should be located, removed and replaced with secure devices
  • Devices should be kept up to date
  • DDoS mitigation services, both on and off premise, should be deployed – Cloudflare, Project Shield (Google), AWS Shield, Microsoft Azure
  • Enterprise traffic should be monitored
  • Market incentives that align with security practice
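The first item on that list, ingress and egress filtering, is the one a network operator can implement directly. The Python script below is an added example and is not part of this wiki entry or of the NIST report it cites: it expresses the two filters as pure policy functions over constructed packet records. Ingress filtering drops packets that arrive from the Internet yet claim a source inside the site or in a bogon range; egress filtering (BCP 38 style) drops outbound packets whose source is not a site address, which is what stops an infected host on the site from taking part in source-spoofed DDoS traffic, and it confines direct outbound SMTP to the site's mail relay, one of the standard ways to blunt spam-sending bots. The site prefix, bogon list, relay address and packets are all constructed assumptions.

```python
"""Ingress and egress filtering over constructed packet records.

Added example, not part of the wiki entry or of the NIST report it cites.
Ingress filtering rejects packets that enter from outside with a source that
could only be legitimate inside; egress filtering (BCP 38) rejects packets
that leave with a source the site does not own, so a compromised host cannot
spoof sources, and limits direct outbound SMTP to the mail relay. The site
prefix, bogon list and relay address are constructed assumptions.
"""
from ipaddress import ip_address, ip_network

# Constructed site addressing (assumption: the site owns 203.0.113.0/24 and
# relays all outbound mail through 203.0.113.25).
SITE_PREFIXES = [ip_network("203.0.113.0/24")]
MAIL_RELAYS = {ip_address("203.0.113.25")}
# Source ranges that must never arrive from the Internet.
BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)


def ingress_verdict(src):
    """Verdict for a packet entering through the external interface."""
    s = ip_address(src)
    if in_any(s, SITE_PREFIXES):
        return "drop: site address used as source from outside"
    if in_any(s, BOGONS):
        return "drop: bogon source"
    return "allow"


def egress_verdict(src, dport):
    """Verdict for a packet leaving through the external interface."""
    s = ip_address(src)
    if not in_any(s, SITE_PREFIXES):
        return "drop: source not a site address (BCP 38)"
    if dport == 25 and s not in MAIL_RELAYS:
        return "drop: direct outbound SMTP only from mail relays"
    return "allow"


def apply_policy(packets):
    """packets: iterable of (direction, src, dst, dport). Returns [(packet, verdict)]."""
    results = []
    for pkt in packets:
        direction, src, dst, dport = pkt
        if direction == "ingress":
            verdict = ingress_verdict(src)
        elif direction == "egress":
            verdict = egress_verdict(src, dport)
        else:
            raise ValueError(f"unknown direction {direction!r}")
        results.append((pkt, verdict))
    return results


# Constructed packets: two spoofed inbound, one legitimate inbound, one
# outbound packet from a hypothetical infected host using a spoofed source,
# and outbound SMTP from a workstation versus from the relay.
PACKETS = [
    ("ingress", "203.0.113.50", "203.0.113.10", 80),
    ("ingress", "192.168.1.5", "203.0.113.10", 80),
    ("ingress", "198.51.100.7", "203.0.113.10", 443),
    ("egress", "10.0.0.7", "198.51.100.23", 80),
    ("egress", "203.0.113.40", "198.51.100.9", 25),
    ("egress", "203.0.113.25", "198.51.100.9", 25),
    ("egress", "203.0.113.40", "198.51.100.9", 443),
]

if __name__ == "__main__":
    for pkt, verdict in apply_policy(PACKETS):
        print(f"{pkt[0]:7} {pkt[1]:>14} -> {pkt[2]}:{pkt[3]:<4} {verdict}")
```

The same rules map one-to-one onto a router ACL or a host firewall: one rule set bound to the external interface's inbound direction, one to its outbound direction. Keeping the logic in plain functions, as here, makes the policy easy to unit-test against packet records before it is deployed, and the drop reasons double as log messages that a monitoring pipeline can count per source host.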

Further actions from [19] are:

  • Using industry-led inclusive processes, establish internationally applicable IoT capability baselines supporting lifecycle security for home and industrial applications founded on voluntary, industry-driven international standards
  • Internet service providers should expand current information sharing to achieve timelier and effective sharing of actionable threat information both domestically and globally
  • Home IT and IoT products should be easy to understand and simple to use securely

Conclusion

In conclusion, botnets will continue to pose a threat to enterprises and home users until global standards can be reached to better secure devices, especially IoT devices. Whilst an infected IoT device or computer might not be recognisable as such to the average user, because the device continues to function normally, albeit at slightly reduced capacity, the consequences become visible when DNS servers suffer outages, causing for example a loss of access to services such as Netflix, or when sensitive data such as credit card or banking details are stolen from an infected machine. There needs to be globally concerted action to improve standards to make sure the onus does not lie on the consumer. Criminals will always look to exploit weaknesses to make financial gains and to disrupt services. It should not be made easy for them by offering unsecured IoT devices on a platter to be infected.

Courses

References

  1. Himanshi Dhayal and Jitender Kumar. Botnet and p2p botnet detection strategies: A review. In 2018 International Conference on Communication and Signal Processing (ICCSP), pages 1077–1082, 2018.
  2. M. Thangapandiyan and P. M. Rubesh Anand. An efficient botnet detection system for p2p botnet. In 2016 International Conference on Wireless Communications, Signal Processing and Networking (WiSPNET), pages 1217–1221, 2016.
  3. Nazrul Hoque, Dhruba K. Bhattacharyya, and Jugal K. Kalita. Botnet in ddos attacks: Trends and challenges. IEEE Communications Surveys Tutorials, 17(4):2242–2270, 2015.
  4. Gernot Vormayr, Tanja Zseby, and Joachim Fabini. Botnet communication patterns. IEEE Communications Surveys Tutorials, 19(4):2768–2796, 2017.
  5. Pedram Amini, Muhammad Amin Araghizadeh, and Reza Azmi. A survey on botnet: Classification, detection and defense. In 2015 International Electronics Symposium (IES), pages 233–238, 2015.
  6. Navdeep Kaur and Maninder Singh. Botnet and botnet detection techniques in cyber realm. In 2016 International Conference on Inventive Computation Technologies (ICICT), volume 3, pages 1–7, 2016.
  7. Wei Wan and Jun Li. Investigation of state division in botnet detection model. In 16th International Conference on Advanced Communication Technology, pages 265–268, 2014.
  8. Navdeep Kaur and Maninder Singh. Botnet and botnet detection techniques in cyber realm. In 2016 International Conference on Inventive Computation Technologies (ICICT), volume 3, pages 1–7, 2016.
  9. Syeda Farjana Shetu, Mohd. Saifuzzaman, Nazmun Nessa Moon, and Fernaz Narin Nur. A survey of botnet in cyber security. In 2019 2nd International Conference on Intelligent Communication and Computational Techniques (ICCT), pages 174–177, 2019.
  10. Navdeep Kaur and Maninder Singh. Botnet and botnet detection techniques in cyber realm. In 2016 International Conference on Inventive Computation Technologies (ICICT), volume 3, pages 1–7, 2016.
  11. Syeda Farjana Shetu, Mohd. Saifuzzaman, Nazmun Nessa Moon, and Fernaz Narin Nur. A survey of botnet in cyber security. In 2019 2nd International Conference on Intelligent Communication and Computational Techniques (ICCT), pages 174–177, 2019.
  12. Navdeep Kaur and Maninder Singh. Botnet and botnet detection techniques in cyber realm. In 2016 International Conference on Inventive Computation Technologies (ICICT), volume 3, pages 1–7, 2016.
  13. N.S. Raghava, Divya Sahgal, and Seema Chandna. Classification of botnet detection based on botnet architecture. In 2012 International Conference on Communication Systems and Network Technologies, pages 569–572, 2012.
  14. Wei Zhang, Yue-Ji Wang, and Xiao-Lei Wang. A survey of defense against p2p botnets. In 2014 IEEE 12th International Conference on Dependable, Autonomic and Secure Computing, pages 97–102, 2014.
  15. M. Thangapandiyan and P. M. Rubesh Anand. An efficient botnet detection system for p2p botnet. In 2016 International Conference on Wireless Communications, Signal Processing and Networking (WiSPNET), pages 1217–1221, 2016.
  16. (Missing reference: the wiki's <ref> tag named "Botnet survey" has no text.)
  17. Arbor Networks and Google Ideas. What is a DDoS attack? https://www.digitalattackmap.com/understanding-ddos/, 2013. Last accessed Tuesday 7th January, 2020.
  18. Max Goncharov. Russian underground 101. Trend Micro Incorporated research paper, page 51, 2012.
  19. William T. Polk. A report to the president on enhancing the resilience of the internet and communications ecosystem against botnets and other automated, distributed threats. Technical report, NIST, 2018.