What Are Botnets and How They Work - Report Example

Summary

This paper, "What Are Botnets and How They Work", examines botnets: what they are, how they are classified, and how the security threat they pose has changed over the past five years. A botnet is a collection of compromised Internet-connected computers that are remotely controlled by attackers with malicious and illicit objectives.
INVESTIGATION REPORT: BOTNETS
by Student's Name, Code + Course Name, Professor, University, City/State, Date

Table of Contents
Introduction
What are Botnets?
How they Work
Classification
  Protocols: Internet Relay Chat (IRC); Peer-to-Peer; HTTP
  Command and Control Model (C&C)
  Type of Attacks
  Infection Mechanisms
  Behaviour
  Used Data
Effectiveness of Available Countermeasures against the Threats Posed
Future Trend
Conclusion

Introduction

Over the recent past, the growth of technology, the expansion of Internet use and the absence of any central control have made the Internet prone to attack. The growing role of the Internet in financial dealings and social networking, and firms' dependence on it, have made it a target. Although in earlier years hackers were satisfied simply with breaking into people's systems, today's attackers operate as organised criminal groups seeking illegal financial gain. Their attacks include click fraud, keylogging, spamming, phishing and distributed denial of service (DDoS), and they are carried out using botnets (Banday, Qadri & Shah 2009, p. 2). Botnets are an escalating threat: as developers improve systems for detecting attacks and protecting networks, attackers evade them and devise new methods (Lashkari, Ghalebandi & Moradhaseli 2014, p. 1). Cybercrime has expanded because hackers have become more skilful at evading identification, using cryptography and placing their servers in dark or hard-to-trace parts of the Internet (Sophos 2014, p. 3). This paper explores what botnets are, how they work, how they are classified, how the threat they pose has changed over the past five years, and likely future trends.

What are Botnets?

A botnet is a collection of compromised Internet-connected computers that are remotely controlled by attackers with malicious and illicit objectives (Vacca 2012, p. 223).
The term derives from "robot": the individual programs are called bots, or zombies, because of their automated operation. Bots were originally benign, carrying out tedious and time-consuming tasks automatically and legitimately, and were therefore called benevolent bots. Lately the same approach has been exploited for illegal and malicious activities, producing malicious bots (Banday, Qadri & Shah 2009, p. 2). Malicious bot software is a highly advanced Internet program that integrates components of viruses, worms, spyware and other malware. The person who controls a botnet is called the botmaster or bot-herder and hides his or her identity at all costs (Vacca 2012, p. 223).

How they Work

A botnet is formed from a collection of bots controlled through a single command-and-control (C&C) network. The structure obfuscates the attacker: the infected hosts are separated from the controller by a layer of intermediate bot hosts, and the attack itself is separated in time from the recruitment of the botnet by a random delay. Botnets draw their power from scale, in their reach and their aggregate bandwidth. They can cause major network disruption through DDoS attacks, and the threat of such disruption lets criminals extort large sums from companies (Lee, Wang & Dagon 2007, p. 1). Network researchers regard botnets as one of the most pressing Internet security threats today, and with the spread of new mobile devices such as smartphones they remain a key threat because they continue to grow stealthier. Botnets are exceedingly profitable: botmasters either rent out bot processing time or profit from DDoS attacks. Some botnets have been found to have more than 5.9 million members.
According to industry analysts, by January 2011 more than 590 million computers, almost thirty-six per cent of all hosts, were estimated to be infected with bot software (Vacca 2012, p. 224). By 2013 botnets were incorporating multiple backup channels for control. For instance, if a Gameover-infected client cannot reach other infected machines, it falls back to a built-in algorithm; if that algorithm finds that new servers have been set up, the client resumes its active role in the botnet (Sophos 2014, p. 4).

Classification

Because botnets spread over millions of computers and networks, they cannot be classified in the same way as other malware. The parameters used to classify botnets are the command-and-control mechanism, the protocol, the behaviour, the data used for detection, the type of attack and the infection method (Lashkari, Ghalebandi & Moradhaseli 2014, p. 2).

Protocols

Internet Relay Chat (IRC). IRC-based botnets are the earliest type, but they remain effective and functional for attackers. IRC is a channel-based system that lets users talk to one another in real time. It uses a client-server architecture but is also suited to distributed environments: interconnected IRC servers communicate with one another, each with its own subscribers, so a subscriber can talk to any other subscriber on an interconnected server who uses the same channel. An IRC-based bot abuses this interconnection, or several IRC infrastructures at once, for malicious ends by managing access lists and sharing data (Karahoca 2012, p. 2).

Peer-to-Peer (P2P). The P2P model is the more modern botnet technology and makes botnets more resilient than those built on traditional protocols such as IRC and HTTP; their survival rate is higher because they conceal the operator's identity. P2P botnets are classified as follows. Parasite: the botnet exploits an existing P2P infrastructure, and its members are limited to the vulnerable hosts already in that infrastructure.
All bots can therefore reach one another through the P2P network, which makes a parasite botnet simple to build since every bot is drawn from the existing network. Bots and normal peers coexist, so more data can be gathered from the network, and genuine nodes may even be used as spies for surveillance. Leeching: the second type recruits vulnerable hosts from across the Internet into the C&C structure, so that they join and become members of an existing P2P network. It resembles the parasite type but differs in having bootstrap points, which the parasite lacks. Once a peer is compromised, it uses designated files to ensure that the botmaster's commands are forwarded to the proper peers. At the time of writing, Storm worm is the most widespread P2P bot (Karahoca 2012, p. 3). Bot-only: this type differs from the other P2P botnets in having its own network; like leeching it has a bootstrap mechanism, and the botmaster is able to create new C&C infrastructure (Lashkari, Ghalebandi & Moradhaseli 2014, p. 3).

HTTP. HTTP-based bots, of which Bobax is a well-known example, are mostly used to send spam, for which they need lists of email addresses. SpyEye is a dominant HTTP botnet (Lashkari, Ghalebandi & Moradhaseli 2014, p. 3).

Command and Control Model (C&C)

The C&C system instructs the botnet, directing the bots to perform a task such as spamming or denial of service (Startek n.d.). Three models are distinguished. Centralised C&C comes in two styles, push and pull, each set up by the botmaster. In the push style, every infected host keeps a connection open to the C&C server and waits for commands, which the botmaster sends out at will. In the pull style, the bots instead contact the C&C server periodically to fetch whatever commands the botmaster has posted there, so the botmaster controls the timing only indirectly.
Research shows that centralised C&C is easily detected. In the P2P-based C&C model the server is concealed, which makes detection harder; a peer enters the network, bonds with other peers and becomes a member of the group. Finally, in the random or unstructured C&C model there is no active link between the botmaster and the bots: the botmaster encrypts a command message, scans the Internet at random, and delivers the message to a bot whenever one is found. Because no bot knows about the others, capturing a single bot does not expose the rest of the botnet; the price is high command latency and no guarantee of delivery (Lashkari, Ghalebandi & Moradhaseli 2014, p. 5).

Type of Attacks

Botnets are regularly used for distributed denial of service attacks, since they are distributed and hard to detect. They are also used for spamming, malware distribution, theft of sensitive data, identity fraud, phishing and click fraud, and they are valued instruments for mounting Advanced Persistent Threats (APT) against major organisations (Karahoca 2012, p. 4). APTs, long-running targeted campaigns against the information of enterprises, banks and governments, are among the most damaging uses of modern malware; in 2013 numerous well-planned, well-targeted APT campaigns were reported. Other examples are Fareit and Andromeda, currently the dominant malware families spread by spam. Fareit regularly downloads P2P Zeus, and also harvests passwords stored in software such as email and FTP clients. Andromeda downloads additional malware such as "P2P Zeus, spambots, and ZeroAccess", as well as its own modules for infecting network shares and removable drives (Sophos 2014, p. 6).

Infection Mechanisms

Infection mechanisms are the means by which bots search for further hosts. An already-infected host performs either a horizontal or a vertical scan: a horizontal scan probes one port across a defined range of addresses, while a vertical scan probes a defined range of ports on one IP address.
The infection vectors include "web download, mail attachments and automatic scan, exploits and compromise" (Lashkari, Ghalebandi & Moradhaseli 2014, p. 7).

Behaviour

Classification by behaviour takes one of two forms. In the active approach, botnet analysis uses any assessment method that makes the botmaster directly or indirectly aware that the botnet is being analysed. In the passive approach, the traffic generated by the botnet is analysed without being modified; passive analysis mainly looks at secondary effects of botnet traffic, for instance the broken or backscatter packets produced by a DDoS attack and observed from a distance (Karahoca 2012, p. 5).

Used Data

Classification by data relies on the output of intrusion detection systems, which raise an alert when an intrusion pattern is matched, and on network flow data (Karahoca 2012, p. 7).

Effectiveness of Available Countermeasures against the Threats Posed

Today the threats posed by botnets affect all computer systems, and despite the countermeasures available the threat cannot be expected to disappear in the near future. It is therefore all the more important to learn from experience so as to eliminate botnets more effectively in future. The evolution of botnets has produced sophisticated criminal groups within a comprehensive underground economy. Because botnets are professionally developed and commercially distributed, they are kept up to date with current technology to serve their illicit purposes; this growth can be expected to continue, and countering these groups will take significant effort. Available countermeasures are generally applied in reaction to individual observed botnets, which leaves the initiative with the criminals.
Anticipating the future development of botnet technology can therefore help defenders deploy specific countermeasures in advance, preventing botnets from taking advantage of individual vulnerable resources (Tiirmaa-Klaar 2013, p. 91).

Future Trend

It is difficult to predict future developments in botnet technology, since several earlier predictions have already proved false. Experts anticipated that most botnets would adopt resilient P2P architectures, yet recently a large number still use centralised C&C. Although P2P offers major advantages to botmasters, they use it only occasionally, preferring centralised C&C because it is a simple, well-tried approach compared with the considerable complexity of P2P networks (Tiirmaa-Klaar 2013, p. 92). In addition, techniques such as domain flux and fast flux reduce the need for a decentralised C&C architecture: as long as simple, proven approaches serve their purpose, switching to more complicated and expensive ones is unnecessary. On the other hand, botnets are expected to advance further at the technical level, which will particularly affect the effort needed to analyse and counter them. Most botnets today rely on signed commands and robustly encrypted communication channels, but in many cases the underlying principles are still not applied correctly. Waledac, for instance, used state-of-the-art encryption but implemented it poorly: the key used to encrypt exchanged messages was always the same, so once researchers had recovered it they could decrypt all of the traffic. Since such flaws stem from botnet authors' inexperience with cryptography, serious mistakes of this kind are unlikely to recur in future botnets.
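The passage above notes that domain flux lets a botmaster keep a centralised C&C without embedding a fixed server address, because bot and operator derive the same rotating list of rendezvous domains from a shared secret. The example below is added here and is not part of the original report or of any real botnet: it implements a hypothetical domain generation algorithm (the hash construction, the seed value and the TLD list are all assumptions), the operator's daily registration, the bot's lookup order, and the defender's counter-move of pre-registering (sinkholing) the next day's candidates once the seed has been recovered from a bot sample.

```python
"""Domain flux (a domain generation algorithm, DGA) as a C&C rendezvous:
bot and operator derive the same daily candidate list from a shared seed, so
no fixed server address is embedded, and a defender who recovers the seed from
the bot binary can compute tomorrow's list and sinkhole it first.
The DGA, seed and TLD list are hypothetical, not taken from any real family."""
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

SEED = b"example-seed-0001"       # assumed: constant recovered from the bot binary
TLDS = ("com", "net", "org", "info")
DAY1 = date(2014, 11, 15)         # example dates used by the demo below
DAY2 = DAY1 + timedelta(days=1)


def generate_domains(day: date, seed: bytes = SEED, count: int = 20) -> List[str]:
    """Deterministic candidate list for one day: SHA-256(seed || date || index)
    drives both the 12-letter label and the TLD choice."""
    domains = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(2, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:12])
        domains.append("%s.%s" % (label, TLDS[h[12] % len(TLDS)]))
    return domains


# A toy DNS registry standing in for real registration: domain -> owner.
Registry = Dict[str, str]


def register_daily_c2(day: date, registry: Registry, index: int = 3) -> bool:
    """Operator registers one candidate (position `index`) for the day.
    Returns False if someone else already holds it."""
    domain = generate_domains(day)[index]
    if domain in registry:
        return False
    registry[domain] = "operator"
    return True


def sinkhole_day(day: date, registry: Registry) -> int:
    """Defender pre-registers every still-free candidate for `day` and
    returns how many were taken. Once the seed is known, the operator can
    only win by registering first, which is why recovered seeds are
    treated as burned."""
    taken = 0
    for domain in generate_domains(day):
        if domain not in registry:
            registry[domain] = "sinkhole"
            taken += 1
    return taken


def bot_rendezvous(day: date, registry: Registry) -> Optional[Tuple[str, str]]:
    """Bot walks the day's list in order and talks to the first domain that
    resolves; returns (domain, owner) or None if nothing resolves."""
    for domain in generate_domains(day):
        if domain in registry:
            return domain, registry[domain]
    return None


if __name__ == "__main__":
    registry: Registry = {}
    register_daily_c2(DAY1, registry)
    print("day 1:", bot_rendezvous(DAY1, registry))      # operator wins
    print("sinkholed", sinkhole_day(DAY2, registry), "domains for day 2")
    print("operator registration day 2:", register_daily_c2(DAY2, registry))
    print("day 2:", bot_rendezvous(DAY2, registry))      # sinkhole wins
```

The lookup order matters: because the bot tries candidates from the top of the list, a defender who holds even one earlier candidate captures the bot regardless of which later one the operator registered. That is the mechanism behind coordinated takedowns that pre-register a DGA's output, and it is also why operators answer with larger candidate lists, many TLDs, and seeds derived from unpredictable inputs rather than the date alone.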
Future botnets are therefore expected to use encryption in a professional manner, making it hard for analysts to decrypt their messages. They are also likely to rely on sophisticated techniques that complicate analysis of their binary code, with obfuscation used heavily to raise the effort required for reverse engineering (Tiirmaa-Klaar 2013, p. 93). Another trend is the growing use of sandbox analysis in network security, in response to which malware is expected to adopt more sophisticated sandbox-evasion methods to avoid detection. Botnets are now also targeting operating systems such as Mac OS X alongside Windows as their market share grows, which suggests that an increasing number will target non-Windows platforms and mobile phones in the near future. Botnet construction kits, once sold only on the black market, are becoming cheaper and easier to buy, which may increase the number of botnets operated for income. Finally, given today's advances in techniques for countering existing botnets and the willingness of the responsible institutions to put them into practice, future botnets will have to be more sophisticated; they may use more advanced attack vectors and C&C networks, for instance by hosting part of the C&C network on social networks or cloud services (Tiirmaa-Klaar 2013, p. 94).

Conclusion

Botnets are today emerging as a greater threat than anticipated. Cybercrime has expanded because hackers have become more skilful at evading identification, using cryptography and placing their servers in dark or hard-to-trace areas of the Internet. Botmasters use botnets to mount Advanced Persistent Threats (APT), among the most damaging forms of modern attack, against the information of enterprises, banks and governments for illicit purposes.
The growth of botnets can be expected to continue as new devices such as mobile and GPRS handsets reach the market. Countering these groups will therefore take significant effort, since the countermeasures available leave the initiative with the criminals. More effort should be put into improving current detection systems and preventing the problem from escalating further.

References

Alparslan, E, Karahoca, A & Karahoca, D 2012, BotNet detection: enhancing analysis by using data mining techniques, INTECH Open Access Publisher.
Banday, T, Qadri, J & Shah, N 2009, 'Study of botnets and their threats to internet security', Sprouts: Working Papers on Information Systems, vol. 9, no. 24, pp. 1-13.
Lashkari, AH, Ghalebandi, SG & Moradhaseli, MR 2014, A wide survey on botnet, viewed 15 November 2014, http://www.academia.edu/1047754/A_Wide_Survey_on_Botnet
Lee, W, Wang, C & Dagon, D 2007, Botnet detection: countering the largest security threat, Springer, New York.
Sophos 2014, Security threat report 2014, viewed 15 November 2014, http://www.sophos.com/en-us/medialibrary/PDFs/other/sophos-security-threat-report-2014.pdf
Startek n.d., Command and control (C&C), viewed 15 November 2014, http://www.spsims.com/index.php?page_topic=simview&simpg=2&view=Pasteur
Tiirmaa-Klaar, H 2013, Botnets, Springer, London.
Vacca, JR 2010, Computer and information security handbook, Elsevier, Amsterdam.