Botnets
by Mr Kumar Manthri - Marketing Director
To an avid IT security connoisseur, the recent news of mass cyber-attacks using "bots and zombies" would not be alarming. It would not make this enthusiast think, even for a moment, that the computer world has been overtaken by the living dead or by alien forces; only one thing would come to mind: "botnets".
A botnet, according to Wikipedia, is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks1. The term "bot" is derived from "robot". Bot is a generic term used to describe a script or set of scripts designed to perform predefined functions in an automated fashion2.
Because of their network-based, coordinated and controlled nature, botnets are currently one of the most dangerous species of attack roaming the Internet.
Deriving their power both from their cumulative bandwidth and from their access capabilities, botnets can cause severe network outages through massive distributed denial-of-service attacks3.
Because of their distributed architecture and their propagating, self-organizing and autonomous framework under a command-and-control (C2 or C&C) infrastructure, botnets are quite different from other known types of malware. They can spread over millions of computers in the same way worms do. What makes them even more dangerous is that, unlike worms, the zombie nodes of a single botnet work in cooperation and are managed as one "hive-like" whole.
Because of this, botnets cannot be classified into the standard groups of threats we use for other malware. From the many works that attempt a taxonomy of botnets, the main classification criteria are the topology of the C&C architecture, the propagation mechanism, the exploitation strategy and the set of commands available to the perpetrator4.
Creating a botnet requires a high level of planning, coordination and deep technical skill. A good, functional botnet can be characterized as a professionally designed and built tool, intended to be rented or sold for use by anyone from a novice skill set upwards5. However, the elements used for the infection and subsequent hijacking of a computer into a botnet are only three:
1. The infection mechanism, used to compromise computers by tricking users into running an executable file, or through drive-by infections, malicious PDFs and infected USB sticks6.
2. The command-and-control channel, used to enable the cyber-criminal to issue instructions to the Trojan on the infected computer6.
3. The collection point, used to gather the information harvested from victims6.
Besides being used to perform the usual set of attacks, such as spamming, malware spreading, sensitive information leakage, identity fraud and click fraud, this ingenious technique is a very valuable instrument in carrying out Advanced Persistent Threats (APTs) against critical organizations.
Nevertheless the most famous, and still very dangerous, threat posed by botnets is the denial-of-service (DoS) attack. It becomes far more severe when the targeted organization's network bandwidth is consumed from a wide range of IP addresses, i.e. a distributed denial of service (DDoS), where the victim's system or network administrator cannot isolate the source IP addresses used in the attack in order to blacklist them, because each individual source looks like a regular end user.
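The following is an added example, not code from the original article. It shows on constructed traffic records why the per-source blacklist described above catches a single-source SYN flood but is blind to the same flood spread across thousands of zombies, and why an aggregate view of the victim (ratio of half-open SYNs and peak SYN rate toward the target) still catches both. The IP ranges, thresholds and record layout are assumptions chosen for the illustration.

```python
# Added example (not from the original article): a per-source SYN
# blacklist stops a single-source DoS but not a DDoS, while an aggregate
# half-open SYN check catches both. All traffic records are constructed.
from collections import Counter, defaultdict

VICTIM = "203.0.113.10"   # constructed victim address (documentation range)

# Record layout (assumed): (time_s, src_ip, dst_ip, dst_port, client_flags)
#   "S" = client SYN, "A" = the client's handshake-completing ACK.

def legit_traffic(n_clients=50):
    """Constructed: normal clients that complete the three-way handshake."""
    recs = []
    for c in range(n_clients):
        src, t = f"192.0.2.{c + 1}", c / 20          # one client every 50 ms
        recs.append((t, src, VICTIM, 80, "S"))
        recs.append((t + 0.01, src, VICTIM, 80, "A"))
    return recs

def single_source_dos(n_syn=2000):
    """Constructed: one attacker sends n_syn SYNs and never completes."""
    return [(i / 1000, "198.51.100.7", VICTIM, 80, "S") for i in range(n_syn)]

def distributed_dos(n_bots=2000):
    """Constructed: n_bots zombies send one SYN each, so every source
    looks like a regular end user when examined on its own."""
    return [(b / 1000, f"10.0.{b >> 8}.{b & 255}", VICTIM, 80, "S")
            for b in range(n_bots)]

def per_source_blacklist(records, syn_threshold=100):
    """Classic defence: block any source that sends > syn_threshold SYNs."""
    syns = Counter(src for _, src, _, _, flags in records if flags == "S")
    return {ip for ip, n in syns.items() if n > syn_threshold}

def half_open_ratio(records, dst_ip=VICTIM):
    """Aggregate view: fraction of SYNs to dst_ip never completed by the
    same source's ACK. Independent of how many sources are involved."""
    syns, acks = defaultdict(int), defaultdict(int)
    for _, src, dst, _, flags in records:
        if dst != dst_ip:
            continue
        if flags == "S":
            syns[src] += 1
        elif flags == "A":
            acks[src] += 1
    total = sum(syns.values())
    completed = sum(min(n, acks[src]) for src, n in syns.items())
    return (total - completed) / total if total else 0.0

def peak_syn_rate(records, dst_ip=VICTIM, window_s=1.0):
    """SYNs per second toward dst_ip in the busiest window."""
    buckets = Counter(int(t // window_s) for t, _, dst, _, flags in records
                      if dst == dst_ip and flags == "S")
    return max(buckets.values()) / window_s if buckets else 0.0

def assess(records, ratio_threshold=0.5, rate_threshold=500):
    """Compare what each defence sees for the same traffic."""
    ratio, rate = half_open_ratio(records), peak_syn_rate(records)
    return {
        "blocked_sources": len(per_source_blacklist(records)),
        "half_open_ratio": round(ratio, 3),
        "peak_syn_per_sec": rate,
        "flood_suspected": ratio > ratio_threshold and rate > rate_threshold,
    }

if __name__ == "__main__":
    for name, attack in (("single-source DoS", single_source_dos()),
                         ("DDoS", distributed_dos())):
        print(name, assess(legit_traffic() + attack))
```

Running it shows the single-source flood producing one blacklisted address, while the distributed flood of the same size produces none; the half-open ratio and peak SYN rate at the victim are identical in both cases, which is why mitigation has to be keyed on the target's state rather than on any individual source.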
Even though evidence shows that the attacks most commonly implemented by botnets are TCP SYN and UDP flooding (Freiling, Holz, & Wicherski, 2005), the newest botnets are designed in such a way as to make discovering and eliminating the source of control even more difficult. Instead of using the traditional, server-centric command-and-control model (such as an IRC server), the new botnets utilize the peer-to-peer protocols popularized on the Internet by file-sharing applications on many platforms. Using peer to peer, or P2P, it is no longer necessary to send commands from a fixed server location. The IP address from which commands originate is dynamic (constantly changing), so it is much more difficult to trace back to the source7.
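The following is an added example, not code from the original article, illustrating the takedown point above on two constructed toy overlays: a star topology (every bot talks only to one IRC-style C&C server) and a peer-to-peer overlay (each bot keeps a short peer list and commands spread hop by hop). Seizing the most-connected node, the natural takedown target, is simulated on both, and the size of the largest surviving connected group is measured. The node names, the ring-with-chords peer list and the graph sizes are assumptions for the illustration.

```python
# Added example (not from the original article): why a server-centric
# (IRC-style) C&C falls to a single takedown while a peer-to-peer C&C
# does not. Both botnet graphs are constructed toy models.
from collections import deque

def centralized_botnet(n_bots):
    """Star topology: every bot talks only to the single C&C server 'c2'."""
    graph = {"c2": set()}
    for i in range(n_bots):
        bot = f"bot{i}"
        graph[bot] = {"c2"}
        graph["c2"].add(bot)
    return graph

def p2p_botnet(n_bots):
    """Peer-to-peer topology (assumed): bot i keeps a short peer list, here
    its ring neighbours i+1 and i+3, and commands flood across the overlay."""
    graph = {f"bot{i}": set() for i in range(n_bots)}
    for i in range(n_bots):
        for step in (1, 3):
            j = (i + step) % n_bots
            graph[f"bot{i}"].add(f"bot{j}")
            graph[f"bot{j}"].add(f"bot{i}")
    return graph

def largest_component(graph):
    """Size of the largest connected set of nodes (BFS over the overlay)."""
    seen, best = set(), 0
    for start in graph:
        if start in seen:
            continue
        comp, queue = {start}, deque([start])
        while queue:
            node = queue.popleft()
            for nb in graph[node]:
                if nb not in comp:
                    comp.add(nb)
                    queue.append(nb)
        seen |= comp
        best = max(best, len(comp))
    return best

def take_down(graph, node):
    """Copy of graph with one node (e.g. a seized C&C server) removed."""
    return {n: {nb for nb in nbs if nb != node}
            for n, nbs in graph.items() if n != node}

def takedown_survivors(graph):
    """Seize the node with the most connections and report which node was
    hit and how many bots can still reach each other afterwards."""
    hub = max(graph, key=lambda n: len(graph[n]))
    return hub, largest_component(take_down(graph, hub))

if __name__ == "__main__":
    print("centralized:", takedown_survivors(centralized_botnet(100)))
    print("peer-to-peer:", takedown_survivors(p2p_botnet(100)))
```

In the star, removing the C&C server leaves every bot isolated (largest surviving group of size 1); in the peer-to-peer overlay, removing the best-connected bot leaves the other 99 still able to relay commands to one another, which is the resilience the article attributes to P2P botnets.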
In 2007 this new kind of botnet arrived, using an encrypted implementation based on the eDonkey protocol, originally called W32/Nuwar but later famous as the Storm worm.
Storm had about 100 peers hard-coded into it as hash values, which the malware decrypts and uses to check for new files to download8.
What makes this even more interesting is that all these transactions were encrypted, so only the malware itself could decrypt and act upon the answers. The replies generally led to URLs from which further binaries were downloaded. Storm was responsible for the vast majority of spam during 2007–2008 until it was taken down.
Initially, bots ran almost exclusively on versions of Windows. More recently, though, versions for other platforms have emerged: using the scripting language Perl, hackers created bots that run on several flavours of Unix and Linux9.
Due to the "open" nature of the latter platforms, and the boom in Android applications and packages, new impetus has been injected into the use of botnets. Since the Android market has few restrictions when it comes to registering as a developer (a policy adopted to encourage developers to embrace the platform), it is easier for cybercriminals to upload their malicious apps or Trojanized counterparts of legitimate ones. Concepts such as BYOD, implemented in many blue-chip organizations, have brought many Android devices into corporate environments. In this way the attack surface (i.e. all of the different points through which an attacker could get into a business-critical system in order to pilfer valuable data) has grown considerably. The attack vectors have multiplied too, as mobiles are easy to infect through any infected media10.
With the recent trends in cyber-warfare, it will not be long before botnets are purchased or rented on the black market, or worse, forcibly taken over from their nefarious owners and redirected at new targets. We know these things occur regularly, so it would be naive not to expect that government organizations or nation states around the globe have involved themselves in acquiring botnet capability for offensive and counter-offensive needs11.
As cyber threats grow exponentially with new forms of attack vectors, security professionals need to be on guard and think out of the box in order not only to detect potential attacks but to thwart them as well. It should also be noted that time-tested strategies such as defence in depth, layering of technologies, etc. would not be sufficient to prevent this threat; on the contrary, they may in fact give the potential perpetrator more attack vectors through which to perpetrate the crime. The best approach, I feel, is an easy one: simply ensure that our own curiosity doesn't take us to places where our computer would rather not go. Otherwise we may just be the reason why botnets are able to grow at such an alarming rate.
1. Wikipedia, Botnet, retrieved 9 March 2013 from http://en.wikipedia.org/wiki/Botnet
2. SANS, Bots and botnet overview, retrieved 9 March 2013 from malicious/bots-botnet-overview_1299
3. InTech, Botnet detection: enhancing analysis by using data mining techniques, retrieved 9 March 2013 from http://cdn.intechopen.com/pdfs/39021/InTech-Botnet_detection_enhancing_analysis_by_using_data_mining_techniques.pdf
4. InTech, Botnet detection: enhancing analysis by using data mining techniques, retrieved 9 March 2013 from http://cdn.intechopen.com/pdfs/39021/InTech-Botnet_detection_enhancing_analysis_by_using_data_mining_techniques.pdf
5. The Hacker News, retrieved 11 March 2013 from http://news.thehackernews.com/THN-August2012.pdf
6. ComputerWeekly.com, Setting up a botnet is easier than you think, retrieved 10 March 2013 from http://www.computerweekly.com/feature/Setting-up-a-botnet-is-easier-than-you-think
7. The Hacker News, retrieved 11 March 2013 from http://news.thehackernews.com/THN-August2012.pdf
8. McAfee, white paper, retrieved 11 March 2013 from http://www.mcafee.com/in/resources/white-papers/wp-new-era-of-botnets.pdf
9. McAfee, retrieved 11 March 2013.
10. The Hacker News, retrieved 11 March 2013 from http://news.thehackernews.com/THN-August2012.pdf
11. McAfee, white paper, retrieved 11 March 2013 from http://www.mcafee.com/in/resources/white-papers/wp-new-era-of-botnets.pdf
Kumar is on the Board of Directors of the ISACA Sri Lanka Chapter, serving as its Marketing Director. Kumar works as an Information Systems Auditor at SJMS Associates, an esteemed firm of Chartered Accountants and an independent correspondent firm of Deloitte Touche Tohmatsu.