Difference between revisions of "Botnets"

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search
 
(139 intermediate revisions by 3 users not shown)
Line 1: Line 1:
== Summary ==  
== Summary ==
This article has assembled the necessary information on the botnet. What the botnet is and how it works, its components, architecture, life cycle and deployment of a bot are explained briefly and concisely.


This Wiki entry deals with the topic botnets. It introduces the reader to the key terminology before discussing the various types of botnets, including architecture and infection methods. The explosion in recent years of IoT devices that lack the security standards of devices such as laptops and smartphones has created a new pool of potential hosts for botnets and exacerbated the problem of botnets.  Criminals will always look to exploit new technology for illegal financial gains and more must be done on a global level to combat the threat of botnets. Countermeasures and prevention methods will be discussed.
== Definition of Botnets ==


== What is a Botnet ==
Botnet is a concept created by combining the terms network and robot. Like a robot,
bots are programmed by the bot master for an automated task. <ref>Himanshi Dhayal and Jitender Kumar. Botnet and P2P botnet detection
strategies: A review. In 2018 International Conference on Communication and Signal Processing (ICCSP), pages 1077–1082, 2018.</ref> A botnet is defined as a compromised network that infects other devices on the same network by running malware.<ref name="TR2">M. Thangapandiyan and P. M. Rubesh Anand. An efficient botnet detection system for p2p botnet. In 2016 International Conference on Wireless Communications, Signal Processing and Networking (WiSPNET), pages 1217–1221, 2016.</ref> Botnets are used in cyber crime. For example, it is used to send spam, launch DoS
attacks, steal personal information such as bank credentials or email account. It is
widely known that about 80% of emails and such messages are spam and sent via
botnets. <ref name="NAZ">Nazrul Hoque, Dhruba K. Bhattacharyya, and Jugal K. Kalita. Botnet
in ddos attacks: Trends and challenges. IEEE Communications Surveys
Tutorials, 17(4):2242–2270, 2015.</ref> A large percentage of botnets are also used to interrupt services in
order to drive other players down (e.g. foreign states). Malicious botnets are a real
threat to individuals using Internet infrastructures and to the entire Internet world in
general. <ref>Gernot Vormayr, Tanja Zseby, and Joachim Fabini. Botnet communication
patterns. IEEE Communications Surveys Tutorials, 19(4):2768–2796, 2017.</ref>


A botnet is a network of compromised machines under the control of an attacker.<ref>Ben Stock, Jan Göbel, Markus Engelberth, Felix C Freiling, and Thorsten Holz. Walowdac-analysis of a peer-to-peer botnet. In 2009 European Conference on Computer Network Defense, pages 13–20. IEEE, 2009.</ref>
== Components of Botnets ==


==Types of Botnets==
A botnet has three main components: several bots, a Command and Control (C&C)
server, and a bot master.
Bots are software used in many games, Internet services. What we are talking about
here are malicious worms programmed by a bot master. These worms spread through the
Internet. They settle into the system using security vulnerabilities in user devices. All
user devices that have malicious bots in their system are also considered as bots. It is
also called a zombie. A bot master is someone who codes bots and infects computers
over the internet. The infected computers are an army of zombies under his command.
They manage bots via a control and command structure. ”A command and control
architecture is a structure that issues commands to a botnet and receives reports back
from the co-opted computers”. <ref>Pedram Amini, Muhammad Amin Araghizadeh, and Reza Azmi. A survey
on botnet: Classification, detection and defense. In 2015 International
Electronics Symposium (IES), pages 233–238, 2015.</ref> It directives sending and receiving commands
for the other nodes. We will focus on this theme in more detail on botnet’s architecture.


There are two types of botnet architecture - centralised and decentralised.<ref>Himanshi Dhayal and Jitender Kumar. Botnet and p2p botnet detection strategies: A review. In 2018 International Conference on Communication and Signal Processing (ICCSP), pages 1077–1082. IEEE, 2018.</ref>  Centralised botnets have a client-server architecture. They usually communicate via IRC protocol.<ref name="Botnet survey"> Pedram Amini, Muhammad Amin Araghizadeh, and Reza Azmi. A survey on botnet: Classification, detection and defense. In 2015 International Electronics Symposium (IES), pages 233–238. IEEE, 2015.</ref> Decentralised botnets have a peer-to-peer(P2P)or unstructured architecture. To create a botnet, machines or IoT devices first need to be infected to allow for remote control. This is done without the consent of the owners. Infection can be done by a special Trojan virus that can breach the security of users’ computers.<ref>Kapersky. https://usa.kaspersky.com/resource-center/threats/botnet-attacks What is a botnet?, 2020. Last accessed Thursday 2nd January, 2020.</ref> The botnet is then controlled a person called the Botmaster.<ref name="Botnet survey" /> Infection mechanisms can include web downloads, email attachments as well as automatic bots that scan for vulnerabilities to exploit.<ref name="Botnet survey" /> Infection can also come in form of an infected USB stick or an insider attack.
== Life Cycle of a Bot ==


===Centralised===
To better understand how a botnet is created, deployed and developed, it is important to understand the bot life cycle.
We can divide the life cycle of a botnet into 5 phases.
"These are Initial Infection, Secondary Infection, Connection Phase, Malicious Activity and Upgrading and Maintenance phase. Bot master follows this cycle to create, infect and control the bots." <ref name="NAV">Navdeep Kaur and Maninder Singh. Botnet and botnet detection techniques in cyber realm. In 2016 International Conference on Inventive Computation Technologies (ICICT), volume 3, pages 1–7, 2016.</ref>. Figure 1 shows the life cycle of a bot. <ref name="NAZ"/>


In the centralised model, each bot acts only a client receiving instructions from a server. There is a central point that forwards the control messages to the bots.<ref name="BCJ" >Michael Bailey, Evan Cooke, Farnam Jahanian, Yunjing Xu, and Manish Karir. A survey of botnet technology and defenses. In 2009 Cybersecurity Applications & Technology Conference for Homeland Security, pages 299–304. IEEE, 2009.</ref>
[[File:lifeCycle.jpg|frameless|center|caption]]  <ref name="NAZ"/>  


====Agent Handler====
Agent handlers are comprised machines which are used by the puppet master to launch the attack and make it harder to trace back the puppet master. The handlers are commanding the compromised agents to perform the attack at the victim. <ref name="BiDA">Nazrul Hoque,  Jugal K. Kalita. Botnet in DDoS Attacks: Trends and Challenges, pages 2242 - 2270. IEEE, 20015.</ref>


====IRC====
===Initial Infection===
The IRC model is based on the Internet Relay Chat (IRC). This chat is a text-based system that is based on the client server networking model. The message exchange is grouped into channels which can also be used for group communications.  During the infection of the agents a backdoor with an IRC component gets created for instructions from the IRC Network and other data transfers. To perform an attack the puppet master only needs to log into a malicious IRC Server and send the instructions to his bot army. <ref name="BiDA">Nazrul Hoque,  Jugal K. Kalita. Botnet in DDoS Attacks: Trends and Challenges, pages 2242 - 2270. IEEE, 20015.</ref>
Attackers make numerous bots and spread them to victims who once infected will spread bots automatically. <ref name="WW">Wei Wan and Jun Li. Investigation of state division in botnet detection model. In 16th International Conference on Advanced Communication
Technology, pages 265–268, 2014.</ref> They search for vulnerable hosts and infect them using various exploitation techniques like sending spam emails, phishing, creating back doors etc.<ref name="NAV"/>


===Peer-to-Peer===
=== Secondary Infection===
A script known as shell code are executed by the infected hosts, in this phase. FTP, HTTP, or P2P protocol or from the specific location, the shell code fetches the image of the actual binary bot. <ref name="SS10">Syeda Farjana Shetu, Mohd. Saifuzzaman, Nazmun Nessa Moon, and Fer-
naz Narin Nur. A survey of botnet in cyber security. In 2019 2nd In-
ternational Conference on Intelligent Communication and Computational
Techniques (ICCT), pages 174–177, 2019.</ref><q>After installation malware script infects machines become which than becomes real active bots.</q> <ref name="NAV"/>


In the P2P model, each bot or node acts as both client and server. This means it can both send and receive commands. A P2P botnet is much harder to disrupt as the P2P communication system is much harder to disrupt.<ref name="BCJ" /> Stopping one bot does not lead to stopping the whole botnet. Control commands can be sent from the command and control centre and are then propagated throughout the botnet via the bots themselves.
===Connection===
The connection phase is the most important part of the botnet life cycle. In this phase, a command and control server is established to control the bots, namely the zombie army, and the bots connect to the server via the command and control channel. The bot master sends a request and waits for a response from the bots. If the response comes, it means the connection has been established.


====Unstructured====
===Malicious Activity===
A botnet start actually working in this phase.Command and control server and channel enables the bot master to remotely control the motion huge number of bots to conduct numerous illicit activities including, data robbery, performing DDoS (Distributed Denial-of-service) assaults, spreading malware, spamming, phishing, identification robbery, manipulating video games and many others. <ref name="SS10"/>


The unstructured model is a sub-type of P2p model where "no single bot would know about any more than one other bot".<ref name="BCJ" /> The bot or controller would send a message and it would get randomly passed on to the next bot.<ref name="BCJ" /> This makes it very hard to detect the bots and it may not even be possible to detect all the bots.<ref name="BCJ" /> The drawback for the attacker is that there is no guarantee of delivery and the latency is very high.<ref name="BCJ" />
===Upgrading and Maintaining===
This phase is necessary to control all network and is also a vulnerable phase to save the command and control (C&C) server from detection by changing its location after some period of time. In this phase, bot master maintains an overall working of active bots and infect new host machines to increase the number of bots in botnet.<ref name="NAV"/>


==Components==
== Architecture Types of Botnets ==


Every botnet needs bots. These are the machines or IoT devices that are infected by an attacker and make up the network. IoT devices include light bulbs, fridges, sensors and health equipment. The bots are controlled by a command and control server which is in turn controlled by the Botmaster.
Certain network architectures that we know are also used to set up a botnet. The oldest form of architecture, client-server architecture, also known as central architecture, comes first. It is followed by peer-to-peer, that is, decentralized architecture. Finally, a hybrid architecture, which is created by combining both architectures, can be used.


==Purpose==
===Centralized (Client-Server) Architecture===


Botnets can be used for various purposes including DDOS attacks, stealing info from the infected machine (bot), bitcoin mining, spam, phishing, identity theft and keylogging.<ref name="Botnet survey" /> A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.<ref>Arbor Networks Google Ideas. https://www.digitalattackmap.com/understanding-ddos/ What is a ddos attack?, 2013. Last accessed Tuesday 7th January, 2020.</ref> According to <ref name="Gon12">Max Goncharov. Russian underground 101. Trend Micro incorporated research paper, page 51, 2012.</ref>, a DDoS service can be hired for as little as $10 per hour, $30-70 per day, $150 per week or $1,200 per month. A list of uses for botnets from <ref name="Gon12" /> is as follows:
The old approach used by botnet for their Command and control (C&C) architecture was the centralized mechanism (hierarchical). In this approach, the bot-master (attacker) distributes the command over the botnet via various bot-controllers in order to hide attacker’s real identity. The uses of multiple bot-controllers prevent security professionals from shutting down C&C channel shown in Figure 2<ref name="Rag"/>. In Figure, the bot-controller retrieves the command from the bot-master and then bot-controller distributes these commands further to all the bots in the botnet. <ref name="Rag">N.S. Raghava, Divya Sahgal, and Seema Chandna. Classification of bot-
* Attack ISPs, sometimes resulting in denial-of-service to legitimate traffic
net detection based on botnet architechture. In 2012 International Confer-
* Send spam email
ence on Communication Systems and Network Technologies, pages 569–572,
* Launch DDoS attacks and bring down websites and APIs
2012.</ref>
* Perform click fraud
* Solve weak CAPTCHA challenges on websites in order to imitate human behaviour during logins
* Steal credit card information
* Hold companies to ransom with threats of DDoS attacks
The aim is to make money out of the victims or increase the size of the botnet to in turn make more money.


==Prevention==
[[File:cent.jpg|frameless|center|caption]]<ref name="Rag"/>


<ref name="Pol18">William T Polk. A report to the president on enhancing the resilience of the internet and communications ecosystem against botnets and other automated, distributed threats. Technical report, NIST, 2018.</ref> gives a comprehensive list of actions necessary to protect and prevent botnets. These include:
===Decentralized (P2P) Architecture===
* Ingress and egress filtering
There is no centrally managed server in the P2P botnet structure. All bots on the network are interconnected and work as both client and C&C server. Because the advantages over traditional centralized botnets, P2P botnets are more robust and difficult for security community to defend as the next generation of botnets in the future. <ref>Wei Zhang, Yue-Ji Wang, and Xiao-Lei Wang. A survey of defense against
* Legacy devices that cannot be secured should be located, removed and replaced these with secure devices
p2p botnets. In 2014 IEEE 12th International Conference on Dependable, Autonomic and Secure Computing, pages 97–102, 2014</ref> The client bots are attacked by the C&C servers. Once a client is attacked, all the other clients that communicate with the infected client gets attacked. The infected bots communicate with other bots and send the malicious codes to them in the event of P2P communications shown in Figure 3.<ref name="Rag"/>
* Devices should be kept up to date
* DDoS mitigation services that are on and off premise should deployed – Cloudflare, Project Shield (Google), AWS Shield, Microsoft Azure
* Enterprise traffic should be monitored
* Market incentives that align with security practice


Further actions from <ref name="Pol18" /> are:
[[File:decent.jpg|frameless|center|caption]]<ref name="Rag"/>
* Using industry-led inclusive processes, establish internationally applicable IoT capability baselines supporting lifecycle security for home and industrial applications founded on voluntary, industry-driven international standards
* Internet service providers should expand current information sharing to achieve timelier and effective sharing of actionable threat information both domestically and globally
* Home IT and IoT products should be easy to understand and simple to use securely


===Countermeasures===
===Hybrid Architecture===
A hybrid C&C system is designed to exploit the benefits of both centralized and P2P models. There are two types of bots in this structure: the servant bot and the client bot.
Client bots contain non-routable dynamic IP-addresses. Servant bots, on the other hand, contain static routable IP-addresses and act as both a server and a client. Hybrid C&C systems can also be located behind firewalls without a global connection to the Internet shown in Figure 4 <ref name="NAZ"/>


Six countermeasures, as described in <ref>Christian Czosseck, Gabriel Klein, and Felix Leder. On the arms race around botnets - setting up and taking down botnets. In 2011 3rd International Conference on Cyber Conflict, pages 1–14. IEEE, 2011.</ref>, are:
[[File:hybrid.jpg|frameless|center|caption]] <ref name="NAZ"/>
* Command and Control Server Takedown
 
Command and control server takedown is only possible when the server location is known. Even if the location is known, it still may not be possible to stop the server due to backups, issues coordinating with law enforcement and geographical constraints.
Additionally, there exist other examples that are more specialized in nature. Proxy botnets use compromised computers to relay commands, making it difficult to trace the source and offering enhanced anonymity. IoT botnets exploit less secure Internet of Things devices like smart cameras and routers for tasks like DDoS attacks, cryptocurrency mining, or malware distribution.<ref>T. Trajanovski and N. Zhang, "An Automated and Comprehensive Framework for IoT Botnet Detection and Analysis (IoT-BDA)," in IEEE Access, vol. 9, pp. 124360-124383, 2021, doi: 10.1109/ACCESS.2021.3110188.</ref> Social botnets involve fake social media accounts for spreading disinformation or manipulating public opinion, often driven by political or commercial motives.<ref>J. Zhang, R. Zhang, Y. Zhang and G. Yan, "The Rise of Social Botnets: Attacks and Countermeasures," in IEEE Transactions on Dependable and Secure Computing, vol. 15, no. 6, pp. 1068-1082, 1 Nov.-Dec. 2018, doi: 10.1109/TDSC.2016.2641441.</ref> Lastly, spam botnets focus on sending vast amounts of spam emails for revenue generation or distributing malicious content, utilizing compromised computers for this purpose.<ref>M. A. R. Putra, T. Ahmad, R. M. Ijtihadie and D. P. Hostiadi, "Detecting Botnet Spam Activity by Analyzing Network Traffic Using Two-Stack Decision Tree Algorithms," 2023 International Conference of Computer Science and Information Technology (ICOSNIKOM), Binjia, Indonesia, 2023, pp. 1-6, doi: 10.1109/ICoSNIKOM60230.2023.10364480.</ref>
* DNS-based Countermeasures
 
DNS-based countermeasures only work if the command and control infrastructure of the botnet is based on DNS. It requires the de-registration of the domains used by the botnet. It only affects the newly connected hosts and not the already connected computers.
Different botnet types are chosen based on the botmaster's goals and skills, each with specific functions and traits. Cybersecurity professionals and law enforcement actively strive to combat these botnets to safeguard people and organizations. Recognizing the variety of botnets is crucial for mitigating their effects in the digital world.
* Response DDoS
 
For this countermeasure to work, the command and control endpoints need to be known. A DDoS response will only keep the botnet offline as long as the DDoS response lasts. DDoS attacks are illegal in most countries which means that this countermeasure should not be considered.  
==Propagation==
* Hack-Back
To expand the botnet, infected machines spread bots to other machines in their network. The bot that exploits the vulnerabilities accesses the system and turns the machine into a new bot. In this way, the spread of the network is ensured.
If a command and control server can be found then it would be possible to disable the botnet via hacking. A vulnerability must be found and compromised in the infrastructure and this countermeasure requires a team of specialised penetration team. The ethics of hacking a compromised machine are a little murky. It is possible that third-party data is obtained as a result of hacking
We can consider network propagation in two parts: active propagation and passive propagation.
* Infiltration/Manipulation
 
Identifies and exploits weaknesses in the command and control protocol and/or architecture.
In active propagation, a bot scans the hosts in the network to exploit their vulnerabilities to access the system and installs the bot binary that enables command and control communication.
* BGP Blackholing
Some bots act like a worm. They copy themselves and propagate automatically to inject as many devices as possible. The worm may not necessarily include the main bot binary, however, it prepares ground for future bot binary installation <ref name="TAX">Sheharbano Khattak, Naurin Rasheed Ramay, Kamran Riaz Khan, Affan A. Syed, and Syed Ali Khayam. A taxonomy of botnet behavior, detection, and defense. IEEE Communications Surveys Tutorials, 16(2):898–924, 2014.</ref>
BGP Blackholing (also known as sinkholing) is the redirecting of botnet-related traffic. Redirected traffic can be discarded or analysed to gain insight into the botnet.
 
Passive propagation is not directly, so it need a user activity. We describe some passive propagation mechanisms that are used widely: Drive-by Download, Infected Media, Social Engineering. <ref name="TAX"/>
 
Drive-by Download: A virus can infect user agents through some unsafe websites. Once the user visits this web page, on background malware is quickly downloaded to the visitor's machine.
 
Infected media: Using infected media like a USB is a powerful passive propagation method to infect a private network that no directly connect to the internet.
 
Social Engineering: Another method of passive propagation is social engineering that actually is underestimated. It covers all the methods that convince the user to <q>download the bot binary</q> <ref name="TAX"/> to the machine.
 
It happens when the users downloads a file voluntarily. For example, if some visitors who want to watch a movie on an illegal movie site tells the visitors to click on the link below and download the file to watch the movie, if the user does this, it means users is probably downloading a malware to machine with their own hand. At the end of this, their own machine will also turn into a bot. The users will click on the referral link from a trusted but hacked account and reach a fake youtube site. When the users watches the video here, they actually downloads a malware to their computer. The result takes its place in the zombie army again.
 
==Detection techniques==
 
===Anomaly-based detection===
Anomaly-based botnet detection is about detecting different network irregularities,
such as high network latency, unusually high traffic, traffic on unusual ports or unusual system behavior.
Such irregularitites are so-called anomalies.
Detection based on anomalies can be divided into two subcategories: Host-based and Network-based techniques.
 
====Host-based techniques====
The strategy for host-based botnet detection is to analyze the host machine itself.
The analysis is based on examining various parameters and predetermined commands that bots receive from their C&C server.
 
BotSwat is a scanner developed to identify a host as a bot.
The scanner monitors the so-called "execution status" of the Win32 library and observes runtime system calls, which are created by a processor.
The problem with the BotSwat technique is malicious code can be hidden by code injection in harmless processes.
Thus, the bots remain unnoticed.
 
Another detection technique is based on the analysis of multiple log files.
Since bots act much faster than humans, the time needed for a complete request & response cycle can be used to determine whether the request came from a human or a bot. This technique can
be used for IRC as well as for non-IRC botnets. A tool called BotTracer has been developed for this method.
 
BotTracer divides the life cycle of a bot into three phases (Startup, Preparation, Attack). In the startup phase, the bot is successfully im- planted in the target system.
Afterwards, in the Preparation phase, the bot connects to the C&C server and waits for its commands.
Finally, the botmaster sends its commands to the bots (Attack Phase).
BotTracer tries to recognize the three phases and to find out where the connection with the bot is going.
After that the traffic is compared with already known properties of C&C channels.
The fundamental disadvantage of this technique is that it is not possible to detect the existence of virtual machines
 
====Network-based techniques====
In the network-based detection technique, attempts are made to detect botnets by examining the network traffic.
The network-based techniques are divided into two subcategories, Active Monitoring and Passive Monitoring.
 
=====Active Monitoring=====
Active monitoring is based on the possibility of injecting test packets into the network.
This produces extra traffic, but the response time of the network can be measured.
The current best strategy for Active Monitoring is BotProb.
BotProbe takes advantage of the fact that bots usually send commands according to certain predefined patterns.
BotProb injects its packets into the network to find these patterns.
This deterministic approach can effectively prove the existence of bots.
 
=====Passive Monitoring=====
Passive monitoring inspects the traffic while the network is in use.
The traffic is analyzed by various anomaly detection techniques (distance-based techniques, support vector machines, neural networks, cluster analysis, and learned rules).
Unlike active monitoring, no additional traffic is generated.
 
BotSniffer is a framework used for passive monitoring.
The idea is that bots within the same botnet are very likely to have similarities in their activities.
If bots are detected then the corresponding hosts are clustered together.
An alarm is then triggered with a warning that the hosts in the cluster may be infected.
For the detection of the bots, log files are used.
Here, the log files store the incoming and outgoing traffic with the start time for the execution time of the started processes.
Several correlation analysis algorithms are used for the analysis.
 
===Honeynet-based detection===
The term honeynet describes a network of real network components that intentionally uses components with vulnerabilities.
This allows attackers to be distracted from the actual network.
The honeynet is divided into two subcategories:
 
# Honeypot
# Honey-Wall
 
====Honeypot====
The honeypot is a mechanism for detecting unauthorized access to a system.
As the bots infect the network, the honeypot collects information, such as the bot characteristics and the intent of the Botmaster.
 
There are three types of honeypots:
 
''Low-interaction honeypots'' have only a limited number of services.
Furthermore, the honeypot's interaction is severely limited.
Often they communicate here only with dummy messages.
This type of honeypot is usually only used to collect statistical information.
The configuration and maintenance of this honeypot is very simple.
However, an attacker can quickly detect that his target network is a honeypot.
 
''Medium-interaction honeypots'' are very similar to low-interaction honeypots.
They also have limited services, but with a greater level of interactions.
The purpose of this type of honeypot is to get an attacker to continue his attack with the ability to send his payload.
 
''High-interaction honeypots'' are the most advanced honeypots.
They have an interactive operating system with which the attacker can interact.
This complexity makes the installation and maintenance of the system the most demanding, but it also allows the most information to be collected.
By imitating a complete system, appropriate preventive measures are needed in case the attacker compromises the system to use it for his attacks.
 
====Honey-Wall====
A honey-wall is used to protect honeypots from attacks.
It acts as a gateway for the honeypots and collects all traffic from the honeynet system.
Through the honey-wall, the network acquires the functions of ''Data Capture'', ''Data Control'' and ''Data Analysis''.
# Data Capture states that all actions within the network should be captured without the attacker being aware of it.
# Data Control aims to protect the Internet from compromising Honeynet systems. All data that enters or leaves the network is stopped.
# Data Analysis supports the analysis of the collected data.
 
Honey-wall simplifies the collection and analysis of data and also helps to control what data enters and leaves the network.
However, a firewall is needed to verify the authenticity of the user.


==Conclusion==
==Conclusion==


In conclusion, botnets will continue to pose a threat to enterprises and home users until global standards can be reached to better secure devices, especially IoT devices. Whilst having an infected IoT device or computer might not be recognisable to the average user as the device will continue to function normally, albeit at a slightly reduced capacity, outages to DNS servers and for example a loss of access to services such as Netflix will or when sensitive data such as a credit card or banking details are stolen from an infected machine. There needs to be globally concerted action to improve standards to make sure the onus does not lie on the consumer. Criminals will always look to exploit weaknesses to make financial gains and to disrupt services. It should not be made easy for them by offering unsecured IoT devices on a platter to be infected.
With the exponential spread of internet technologies and the involvement of more and more smart tools in our lives, our need for cyber security is increasing. In this study, botnet, which is one of the cyber-attack crimes, has been mentioned and the information that the reader needs to protect themselves from malicious bots has been given in an understandable way.


== Courses ==
== Courses ==


* [[Ausgewählte Kapitel der IT-Security SE]] (2019, 2020)
* [[Ausgewählte Kapitel der IT-Security SE]] (2021, 2022)


== References ==
== References ==

Latest revision as of 21:43, 8 January 2024

Summary

This article has assembled the necessary information on the botnet. What the botnet is and how it works, its components, architecture, life cycle and deployment of a bot are explained briefly and concisely.

Definition of Botnets

Botnet is a concept created by combining the terms network and robot. Like a robot, bots are programmed by the bot master for an automated task. [1] A botnet is defined as a compromised network that infects other devices on the same network by running malware.[2] Botnets are used in cyber crime. For example, it is used to send spam, launch DoS attacks, steal personal information such as bank credentials or email account. It is widely known that about 80% of emails and such messages are spam and sent via botnets. [3] A large percentage of botnets are also used to interrupt services in order to drive other players down (e.g. foreign states). Malicious botnets are a real threat to individuals using Internet infrastructures and to the entire Internet world in general. [4]

Components of Botnets

A botnet has three main components: several bots, a Command and Control (C&C) server, and a bot master. Bots are software used in many games, Internet services. What we are talking about here are malicious worms programmed by a bot master. These worms spread through the Internet. They settle into the system using security vulnerabilities in user devices. All user devices that have malicious bots in their system are also considered as bots. It is also called a zombie. A bot master is someone who codes bots and infects computers over the internet. The infected computers are an army of zombies under his command. They manage bots via a control and command structure. ”A command and control architecture is a structure that issues commands to a botnet and receives reports back from the co-opted computers”. [5] It directives sending and receiving commands for the other nodes. We will focus on this theme in more detail on botnet’s architecture.

Life Cycle of a Bot

To better understand how a botnet is created, deployed and developed, it is important to understand the bot life cycle. We can divide the life cycle of a botnet into 5 phases. "These are Initial Infection, Secondary Infection, Connection Phase, Malicious Activity and Upgrading and Maintenance phase. Bot master follows this cycle to create, infect and control the bots." [6]. Figure 1 shows the life cycle of a bot. [3]

caption

[3]


Initial Infection

Attackers make numerous bots and spread them to victims who once infected will spread bots automatically. [7] They search for vulnerable hosts and infect them using various exploitation techniques like sending spam emails, phishing, creating back doors etc.[6]

Secondary Infection

A script known as shell code are executed by the infected hosts, in this phase. FTP, HTTP, or P2P protocol or from the specific location, the shell code fetches the image of the actual binary bot. [8]After installation malware script infects machines become which than becomes real active bots. [6]

Connection

The connection phase is the most important part of the botnet life cycle. In this phase, a command and control server is established to control the bots, namely the zombie army, and the bots connect to the server via the command and control channel. The bot master sends a request and waits for a response from the bots. If the response comes, it means the connection has been established.

Malicious Activity

A botnet start actually working in this phase.Command and control server and channel enables the bot master to remotely control the motion huge number of bots to conduct numerous illicit activities including, data robbery, performing DDoS (Distributed Denial-of-service) assaults, spreading malware, spamming, phishing, identification robbery, manipulating video games and many others. [8]

Upgrading and Maintaining

This phase is necessary to control all network and is also a vulnerable phase to save the command and control (C&C) server from detection by changing its location after some period of time. In this phase, bot master maintains an overall working of active bots and infect new host machines to increase the number of bots in botnet.[6]

Architecture Types of Botnets

Certain network architectures that we know are also used to set up a botnet. The oldest form of architecture, client-server architecture, also known as central architecture, comes first. It is followed by peer-to-peer, that is, decentralized architecture. Finally, a hybrid architecture, which is created by combining both architectures, can be used.

Centralized (Client-Server) Architecture

The old approach used by botnet for their Command and control (C&C) architecture was the centralized mechanism (hierarchical). In this approach, the bot-master (attacker) distributes the command over the botnet via various bot-controllers in order to hide attacker’s real identity. The uses of multiple bot-controllers prevent security professionals from shutting down C&C channel shown in Figure 2[9]. In Figure, the bot-controller retrieves the command from the bot-master and then bot-controller distributes these commands further to all the bots in the botnet. [9]

caption

[9]

Decentralized (P2P) Architecture

There is no centrally managed server in the P2P botnet structure. All bots on the network are interconnected and work as both client and C&C server. Because the advantages over traditional centralized botnets, P2P botnets are more robust and difficult for security community to defend as the next generation of botnets in the future. [10] The client bots are attacked by the C&C servers. Once a client is attacked, all the other clients that communicate with the infected client gets attacked. The infected bots communicate with other bots and send the malicious codes to them in the event of P2P communications shown in Figure 3.[9]

caption

[9]

Hybrid Architecture

A hybrid C&C system is designed to exploit the benefits of both centralized and P2P models. There are two types of bots in this structure: the servant bot and the client bot. Client bots contain non-routable dynamic IP-addresses. Servant bots, on the other hand, contain static routable IP-addresses and act as both a server and a client. Hybrid C&C systems can also be located behind firewalls without a global connection to the Internet shown in Figure 4 [3]

caption

[3]

Additionally, there exist other examples that are more specialized in nature. Proxy botnets use compromised computers to relay commands, making it difficult to trace the source and offering enhanced anonymity. IoT botnets exploit less secure Internet of Things devices like smart cameras and routers for tasks like DDoS attacks, cryptocurrency mining, or malware distribution.[11] Social botnets involve fake social media accounts for spreading disinformation or manipulating public opinion, often driven by political or commercial motives.[12] Lastly, spam botnets focus on sending vast amounts of spam emails for revenue generation or distributing malicious content, utilizing compromised computers for this purpose.[13]

Different botnet types are chosen based on the botmaster's goals and skills, each with specific functions and traits. Cybersecurity professionals and law enforcement actively strive to combat these botnets to safeguard people and organizations. Recognizing the variety of botnets is crucial for mitigating their effects in the digital world.

Propagation

To expand the botnet, infected machines spread bots to other machines in their network. The bot that exploits the vulnerabilities accesses the system and turns the machine into a new bot. In this way, the spread of the network is ensured. We can consider network propagation in two parts: active propagation and passive propagation.

In active propagation, a bot scans the hosts in the network to exploit their vulnerabilities to access the system and installs the bot binary that enables command and control communication. Some bots act like a worm. They copy themselves and propagate automatically to inject as many devices as possible. The worm may not necessarily include the main bot binary, however, it prepares ground for future bot binary installation [14]

Passive propagation is not directly, so it need a user activity. We describe some passive propagation mechanisms that are used widely: Drive-by Download, Infected Media, Social Engineering. [14]

Drive-by Download: A virus can infect user agents through some unsafe websites. Once the user visits this web page, on background malware is quickly downloaded to the visitor's machine.

Infected media: Using infected media like a USB is a powerful passive propagation method to infect a private network that no directly connect to the internet.

Social Engineering: Another method of passive propagation is social engineering that actually is underestimated. It covers all the methods that convince the user to download the bot binary [14] to the machine.

It happens when the users downloads a file voluntarily. For example, if some visitors who want to watch a movie on an illegal movie site tells the visitors to click on the link below and download the file to watch the movie, if the user does this, it means users is probably downloading a malware to machine with their own hand. At the end of this, their own machine will also turn into a bot. The users will click on the referral link from a trusted but hacked account and reach a fake youtube site. When the users watches the video here, they actually downloads a malware to their computer. The result takes its place in the zombie army again.

Detection techniques

Anomaly-based detection

Anomaly-based botnet detection is about detecting different network irregularities, such as high network latency, unusually high traffic, traffic on unusual ports or unusual system behavior. Such irregularitites are so-called anomalies. Detection based on anomalies can be divided into two subcategories: Host-based and Network-based techniques.

Host-based techniques

The strategy for host-based botnet detection is to analyze the host machine itself. The analysis is based on examining various parameters and predetermined commands that bots receive from their C&C server.

BotSwat is a scanner developed to identify a host as a bot. The scanner monitors the so-called "execution status" of the Win32 library and observes runtime system calls, which are created by a processor. The problem with the BotSwat technique is malicious code can be hidden by code injection in harmless processes. Thus, the bots remain unnoticed.

Another detection technique is based on the analysis of multiple log files. Since bots act much faster than humans, the time needed for a complete request & response cycle can be used to determine whether the request came from a human or a bot. This technique can be used for IRC as well as for non-IRC botnets. A tool called BotTracer has been developed for this method.

BotTracer divides the life cycle of a bot into three phases (Startup, Preparation, Attack). In the startup phase, the bot is successfully im- planted in the target system. Afterwards, in the Preparation phase, the bot connects to the C&C server and waits for its commands. Finally, the botmaster sends its commands to the bots (Attack Phase). BotTracer tries to recognize the three phases and to find out where the connection with the bot is going. After that the traffic is compared with already known properties of C&C channels. The fundamental disadvantage of this technique is that it is not possible to detect the existence of virtual machines

Network-based techniques

In the network-based detection technique, attempts are made to detect botnets by examining the network traffic. The network-based techniques are divided into two subcategories, Active Monitoring and Passive Monitoring.

Active Monitoring

Active monitoring is based on the possibility of injecting test packets into the network. This produces extra traffic, but the response time of the network can be measured. The current best strategy for Active Monitoring is BotProb. BotProbe takes advantage of the fact that bots usually send commands according to certain predefined patterns. BotProb injects its packets into the network to find these patterns. This deterministic approach can effectively prove the existence of bots.

Passive Monitoring

Passive monitoring inspects the traffic while the network is in use. The traffic is analyzed by various anomaly detection techniques (distance-based techniques, support vector machines, neural networks, cluster analysis, and learned rules). Unlike active monitoring, no additional traffic is generated.

BotSniffer is a framework used for passive monitoring. The idea is that bots within the same botnet are very likely to have similarities in their activities. If bots are detected then the corresponding hosts are clustered together. An alarm is then triggered with a warning that the hosts in the cluster may be infected. For the detection of the bots, log files are used. Here, the log files store the incoming and outgoing traffic with the start time for the execution time of the started processes. Several correlation analysis algorithms are used for the analysis.

Honeynet-based detection

The term honeynet describes a network of real network components that intentionally uses components with vulnerabilities. This allows attackers to be distracted from the actual network. The honeynet is divided into two subcategories:

  1. Honeypot
  2. Honey-Wall

Honeypot

The honeypot is a mechanism for detecting unauthorized access to a system. As the bots infect the network, the honeypot collects information, such as the bot characteristics and the intent of the Botmaster.

There are three types of honeypots:

Low-interaction honeypots have only a limited number of services. Furthermore, the honeypot's interaction is severely limited. Often they communicate here only with dummy messages. This type of honeypot is usually only used to collect statistical information. The configuration and maintenance of this honeypot is very simple. However, an attacker can quickly detect that his target network is a honeypot.

Medium-interaction honeypots are very similar to low-interaction honeypots. They also have limited services, but with a greater level of interactions. The purpose of this type of honeypot is to get an attacker to continue his attack with the ability to send his payload.

High-interaction honeypots are the most advanced honeypots. They have an interactive operating system with which the attacker can interact. This complexity makes the installation and maintenance of the system the most demanding, but it also allows the most information to be collected. By imitating a complete system, appropriate preventive measures are needed in case the attacker compromises the system to use it for his attacks.

Honey-Wall

A honey-wall is used to protect honeypots from attacks. It acts as a gateway for the honeypots and collects all traffic from the honeynet system. Through the honey-wall, the network acquires the functions of Data Capture, Data Control and Data Analysis.

  1. Data Capture states that all actions within the network should be captured without the attacker being aware of it.
  2. Data Control aims to protect the Internet from compromising Honeynet systems. All data that enters or leaves the network is stopped.
  3. Data Analysis supports the analysis of the collected data.

Honey-wall simplifies the collection and analysis of data and also helps to control what data enters and leaves the network. However, a firewall is needed to verify the authenticity of the user.

Conclusion

With the exponential spread of internet technologies and the involvement of more and more smart tools in our lives, our need for cyber security is increasing. In this study, botnet, which is one of the cyber-attack crimes, has been mentioned and the information that the reader needs to protect themselves from malicious bots has been given in an understandable way.

Courses

References

  1. Himanshi Dhayal and Jitender Kumar. Botnet and P2P botnet detection strategies: A review. In 2018 International Conference on Communication and Signal Processing (ICCSP), pages 1077–1082, 2018.
  2. M. Thangapandiyan and P. M. Rubesh Anand. An efficient botnet detection system for p2p botnet. In 2016 International Conference on Wireless Communications, Signal Processing and Networking (WiSPNET), pages 1217–1221, 2016.
  3. 3.0 3.1 3.2 3.3 3.4 Nazrul Hoque, Dhruba K. Bhattacharyya, and Jugal K. Kalita. Botnet in ddos attacks: Trends and challenges. IEEE Communications Surveys Tutorials, 17(4):2242–2270, 2015.
  4. Gernot Vormayr, Tanja Zseby, and Joachim Fabini. Botnet communication patterns. IEEE Communications Surveys Tutorials, 19(4):2768–2796, 2017.
  5. Pedram Amini, Muhammad Amin Araghizadeh, and Reza Azmi. A survey on botnet: Classification, detection and defense. In 2015 International Electronics Symposium (IES), pages 233–238, 2015.
  6. 6.0 6.1 6.2 6.3 Navdeep Kaur and Maninder Singh. Botnet and botnet detection techniques in cyber realm. In 2016 International Conference on Inventive Computation Technologies (ICICT), volume 3, pages 1–7, 2016.
  7. Wei Wan and Jun Li. Investigation of state division in botnet detection model. In 16th International Conference on Advanced Communication Technology, pages 265–268, 2014.
  8. 8.0 8.1 Syeda Farjana Shetu, Mohd. Saifuzzaman, Nazmun Nessa Moon, and Fer- naz Narin Nur. A survey of botnet in cyber security. In 2019 2nd In- ternational Conference on Intelligent Communication and Computational Techniques (ICCT), pages 174–177, 2019.
  9. 9.0 9.1 9.2 9.3 9.4 N.S. Raghava, Divya Sahgal, and Seema Chandna. Classification of bot- net detection based on botnet architechture. In 2012 International Confer- ence on Communication Systems and Network Technologies, pages 569–572, 2012.
  10. Wei Zhang, Yue-Ji Wang, and Xiao-Lei Wang. A survey of defense against p2p botnets. In 2014 IEEE 12th International Conference on Dependable, Autonomic and Secure Computing, pages 97–102, 2014
  11. T. Trajanovski and N. Zhang, "An Automated and Comprehensive Framework for IoT Botnet Detection and Analysis (IoT-BDA)," in IEEE Access, vol. 9, pp. 124360-124383, 2021, doi: 10.1109/ACCESS.2021.3110188.
  12. J. Zhang, R. Zhang, Y. Zhang and G. Yan, "The Rise of Social Botnets: Attacks and Countermeasures," in IEEE Transactions on Dependable and Secure Computing, vol. 15, no. 6, pp. 1068-1082, 1 Nov.-Dec. 2018, doi: 10.1109/TDSC.2016.2641441.
  13. M. A. R. Putra, T. Ahmad, R. M. Ijtihadie and D. P. Hostiadi, "Detecting Botnet Spam Activity by Analyzing Network Traffic Using Two-Stack Decision Tree Algorithms," 2023 International Conference of Computer Science and Information Technology (ICOSNIKOM), Binjia, Indonesia, 2023, pp. 1-6, doi: 10.1109/ICoSNIKOM60230.2023.10364480.
  14. 14.0 14.1 14.2 Sheharbano Khattak, Naurin Rasheed Ramay, Kamran Riaz Khan, Affan A. Syed, and Syed Ali Khayam. A taxonomy of botnet behavior, detection, and defense. IEEE Communications Surveys Tutorials, 16(2):898–924, 2014.
Retrieved from "https://wiki.elvis.science/index.php?title=Botnets&oldid=13858"