Botnets

From Embedded Lab Vienna for IoT & Security

Summary

Definition of Botnets

The term botnet is formed by combining the words robot and network. Like a robot, bots are programmed by the bot master to carry out an automated task. [1] A botnet is defined as a compromised network that infects other devices on the same network by running malware. [2] Botnets are used in cyber crime: for example, to send spam, to launch DoS attacks, and to steal personal information such as bank credentials or email accounts. It is widely reported that about 80% of emails and similar messages are spam sent via botnets. [3] A large share of botnets are also used to interrupt services in order to drive other players down (e.g. foreign states). Malicious botnets are a real threat to individuals using Internet infrastructure and to the Internet as a whole. [4]

Components of Botnets

A botnet has three main components: several bots, a Command and Control (C&C) server, and a bot master. Bots are software used in many games and Internet services; what we are talking about here are malicious worms coded by a bot master. These worms spread through the Internet and settle into a system by using security vulnerabilities in user devices. Every user device that has a malicious bot running on it is also considered a bot, or a zombie. A bot master is someone who codes bots and infects computers over the Internet; the infected computers form an army of zombies under their command. The bot master manages the bots via a command and control structure. "A command and control architecture is a structure that issues commands to a Botnet and receives reports back from the co-opted computers". [5] It directs the sending and receiving of commands for the other nodes. We will look at this theme in more detail in the section on botnet architecture.

Life Cycle of a Bot

To better understand how a botnet is created, deployed and developed, it is important to understand the bot life cycle. The life cycle of a botnet can be divided into 5 phases. "These are Initial infection, Secondary infection, Connection phase, Command and Control Server and upgrading and maintenance phase. Bot master follows this cycle to create, infect and control the Bots." [6] Figure 1 shows the life cycle of a bot. [3]

Figure 1: Life Cycle of a Bot


Initial Infection

Attackers create numerous bots and spread them to victims, who, once infected, spread the bots further automatically. [7] They search for vulnerable hosts and infect them using various exploitation techniques such as sending spam emails, phishing, creating back doors etc. [6]

Secondary Infection

In this phase, the infected hosts execute a script known as shellcode. The shellcode fetches the image of the actual bot binary via FTP, HTTP or a P2P protocol, or from a specific location. [8] After the malware is installed, the infected machines become real, active bots. [6]

Connection

The connection phase is the most important part of the botnet life cycle. In this phase, a command and control server is established to control the bots, namely the zombie army, and the bots connect to the server via the command and control channel. The bot master sends a request and waits for a response from the bots; if a response comes, the connection has been established.

Command and Control Server

The botnet actually starts working in this phase. The command and control server and channel enable the bot master to remotely control a huge number of bots and conduct numerous illicit activities including data theft, performing DDoS (Distributed Denial-of-Service) attacks, spreading malware, spamming, phishing, identity theft, manipulating video games and many others. [8]

Upgrading and Maintaining

This phase is necessary to keep control of the whole network. It is also a vulnerable phase, in which the bot master tries to save the command and control (C&C) server from detection by changing its location after some period of time. In this phase the bot master maintains the overall operation of the active bots and infects new host machines to increase the number of bots in the botnet. [6]

Architecture Types of Botnets

Certain well-known network architectures are also used to set up a botnet. The oldest form, the client-server architecture, also known as centralized architecture, came first. It was followed by the peer-to-peer, i.e. decentralized, architecture. Finally, a hybrid architecture, created by combining both, can be used.

Centralized (Client-Server) Architecture

The old approach used by botnets for their command and control (C&C) architecture was the centralized (hierarchical) mechanism. In this approach, the bot master (attacker) distributes commands over the botnet via various bot controllers in order to hide the attacker's real identity. The use of multiple bot controllers prevents security professionals from shutting down the C&C channel, as shown in Figure 2. [9] In the figure, the bot controller retrieves the command from the bot master and then distributes it further to all the bots in the botnet. [9]

Figure 2: Centralized (Client-Server) Architecture

Decentralized (P2P) Architecture

There is no centrally managed server in the P2P botnet structure. All bots on the network are interconnected and work as both client and C&C server. Because of their advantages over traditional centralized botnets, P2P botnets are more robust and more difficult for the security community to defend against, and are seen as the next generation of botnets. [10] The client bots are attacked by the C&C servers. Once a client is attacked, all the other clients that communicate with the infected client get attacked. The infected bots communicate with other bots and send the malicious code to them in P2P communication, as shown in Figure 3. [9]

Figure 3: Decentralized (P2P) Architecture

Hybrid Architecture

A hybrid C&C system is designed to exploit the benefits of both the centralized and the P2P model. There are two types of bots in this structure: the servant bot and the client bot. Client bots have non-routable dynamic IP addresses. Servant bots, on the other hand, have static routable IP addresses and act as both server and client. Hybrid C&C systems can also be located behind firewalls without a global connection to the Internet, as shown in Figure 4. [3]

Figure 4: Hybrid Architecture

Propagation

To expand the botnet, infected machines spread bots to other machines in their network. The bot that exploits the vulnerabilities accesses the system and turns the machine into a new bot. In this way, the spread of the network is ensured. We can consider network propagation in two parts: active propagation and passive propagation.

Active propagation needs neither additional software nor human activity: bots try to propagate directly to other machines in the network.

One active propagation mechanism is scanning. A bot scans the hosts in the network, exploits their vulnerabilities to access the system and installs the bot binary that enables command and control communication. Some bots act like a worm: they copy themselves and propagate automatically to infect as many devices as possible. The worm does not necessarily include the main bot binary; however, it prepares the ground for a future bot binary installation. [11]

Passive propagation is indirect, so it needs a user activity. We describe some widely used passive propagation mechanisms: Drive-by Download, Infected Media and Social Engineering. [11]

Drive-by Download: A user agent can be infected through an unsafe website. Once the user visits the web page, malware is quickly downloaded to the visitor's machine in the background.

Infected media: Using infected media such as a USB stick is a powerful passive propagation method to infect a private network that is not directly connected to the Internet.

Social Engineering: Another method of passive propagation is social engineering, which is actually underestimated. It covers all the methods that convince the user to download the bot binary to the machine. [11]

It happens when the user downloads a file voluntarily. For example, an illegal movie site may tell a visitor who wants to watch a movie to click on a link and download a file first; if the user does this, he or she is probably downloading malware with his or her own hands, and at the end the machine also turns into a bot. Or the user clicks on a referral link from a trusted but hacked account and reaches a fake YouTube site; when the user watches the video there, he or she actually downloads malware to the computer. The result again takes its place in the zombie army.
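The two traffic patterns the page describes can be turned into simple defender-side checks: the centralized architecture above produces many hosts fanning in to one C&C endpoint, and scanning propagation produces one host fanning out to many neighbours on the same port. The following is an added example written for this page, not code from the page or from any cited work; the flow records, hosts and thresholds are constructed.

```python
from collections import defaultdict

# Constructed sample flow records, not real traffic:
# (timestamp in seconds, source host, destination host, destination port).
# Hosts 10.0.0.5/8/9/12 all connect to one endpoint on 6667; host 10.0.0.9
# additionally probes five neighbours on 445 within a few seconds.
FLOWS = [
    (0, "10.0.0.5", "198.51.100.7", 6667),
    (1, "10.0.0.8", "198.51.100.7", 6667),
    (2, "10.0.0.9", "198.51.100.7", 6667),
    (3, "10.0.0.12", "198.51.100.7", 6667),
    (4, "10.0.0.5", "203.0.113.10", 443),
    (5, "10.0.0.9", "10.0.0.20", 445),
    (6, "10.0.0.9", "10.0.0.21", 445),
    (7, "10.0.0.9", "10.0.0.22", 445),
    (8, "10.0.0.9", "10.0.0.23", 445),
    (9, "10.0.0.9", "10.0.0.24", 445),
    (60, "10.0.0.5", "10.0.0.30", 445),
]


def cc_candidates(flows, min_sources=3):
    """Centralized C&C heuristic: endpoints (dst, port) contacted by at
    least `min_sources` distinct source hosts (high fan-in)."""
    sources = defaultdict(set)
    for _, src, dst, dport in flows:
        sources[(dst, dport)].add(src)
    return sorted(ep for ep, srcs in sources.items() if len(srcs) >= min_sources)


def scanners(flows, min_targets=5, window=30):
    """Scanning heuristic: (src, port) pairs that reach at least
    `min_targets` distinct hosts inside any `window`-second interval."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_key[(src, dport)].append((ts, dst))
    hits = []
    for key, events in by_key.items():
        events.sort()  # sliding window over time-ordered events per (src, port)
        for i, (t0, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                hits.append(key)
                break
    return sorted(hits)


if __name__ == "__main__":
    print("C&C candidates:", cc_candidates(FLOWS))
    print("Scanning hosts:", scanners(FLOWS))
```

Legitimate update or mail servers also show high fan-in, so the thresholds need tuning and an allowlist, and fan-in alone will not reveal a P2P botnet, where every peer has a balanced number of connections.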

Conclusion

Courses

List of Figures

Figure 1: Life Cycle of a Bot [12]

Figure 2: Centralized (Client-Server) Architecture

Figure 3: Decentralized (P2P) Architecture

Figure 4: Hybrid Architecture

References

  1. Himanshi Dhayal and Jitender Kumar. Botnet and p2p botnet detection strategies: A review. In 2018 International Conference on Communication and Signal Processing (ICCSP), pages 1077–1082, 2018.
  2. M. Thangapandiyan and P. M. Rubesh Anand. An efficient botnet detection system for p2p botnet. In 2016 International Conference on Wireless Communications, Signal Processing and Networking (WiSPNET), pages 1217–1221, 2016.
  3. Nazrul Hoque, Dhruba K. Bhattacharyya, and Jugal K. Kalita. Botnet in ddos attacks: Trends and challenges. IEEE Communications Surveys Tutorials, 17(4):2242–2270, 2015.
  4. Gernot Vormayr, Tanja Zseby, and Joachim Fabini. Botnet communication patterns. IEEE Communications Surveys Tutorials, 19(4):2768–2796, 2017.
  5. Pedram Amini, Muhammad Amin Araghizadeh, and Reza Azmi. A survey on botnet: Classification, detection and defense. In 2015 International Electronics Symposium (IES), pages 233–238, 2015.
  6. Navdeep Kaur and Maninder Singh. Botnet and botnet detection techniques in cyber realm. In 2016 International Conference on Inventive Computation Technologies (ICICT), volume 3, pages 1–7, 2016.
  7. Wei Wan and Jun Li. Investigation of state division in botnet detection model. In 16th International Conference on Advanced Communication Technology, pages 265–268, 2014.
  8. Syeda Farjana Shetu, Mohd. Saifuzzaman, Nazmun Nessa Moon, and Fernaz Narin Nur. A survey of botnet in cyber security. In 2019 2nd International Conference on Intelligent Communication and Computational Techniques (ICCT), pages 174–177, 2019.
  9. N.S. Raghava, Divya Sahgal, and Seema Chandna. Classification of botnet detection based on botnet architecture. In 2012 International Conference on Communication Systems and Network Technologies, pages 569–572, 2012.
  10. Wei Zhang, Yue-Ji Wang, and Xiao-Lei Wang. A survey of defense against p2p botnets. In 2014 IEEE 12th International Conference on Dependable, Autonomic and Secure Computing, pages 97–102, 2014.
  11. Sheharbano Khattak, Naurin Rasheed Ramay, Kamran Riaz Khan, Affan A. Syed, and Syed Ali Khayam. A taxonomy of botnet behavior, detection, and defense. IEEE Communications Surveys Tutorials, 16(2):898–924, 2014.
  12. LifeCycleOfaBot

