Definition, Organisation, and Creation of Botnets - Case Study Example

Summary
The paper "Definition, Organisation, and Creation of Botnets" portrays botnets as a major problem facing networks, devastating the economy to the extent that if they are not checked they could lead to a shutdown of online business. It is necessary to have new mechanisms that will avoid botnets…
Extract of sample "Definition, Organisation, and Creation of Botnets"

An analyzed look into current botnet controls

Introduction: Definition, Organisation and Creation of Botnets

Definition

A botnet is a legion of coordinated machines, commonly referred to as “zombies”, which are under the control of a “botmaster”. The increase in demand for broadband by consumers has greatly facilitated the intensity of botnets. This increased power of botnets has led to major DoS (Denial of Service) attacks against servers. The result is that millions of computers are infected with spyware and viruses, huge amounts of spam are sent and identity theft greatly increases. Botnets are currently the major threat on the internet. This is because assigning a botnet attack is very easy. On the other hand, hackers have become very swift in exploiting these weaknesses (Gross, 2012).

Organisation

Practically speaking, one botnet could be made up of ten thousand machines. It is quite difficult to identify, since botnets are vigorous in nature. This is in order to escape the security measures put in place.

Creation

A botnet is created through the download of software called a “bot”, for example AgoBot. The download comes along with a fixed payload incurred by an unsuspecting user. This download is executed through the clicking of email attachments that have been infected or the downloading of infected files from malicious websites. The bot software can also be transmitted as freeware in peer-to-peer networks. After the installation of the bot with the fixed payload on the computer, the machine makes contact with a public server set up by the botmaster. This server is the control panel that is used to give commands to the botnet. A popular procedure involves using public Internet Relay Chat (IRC) servers. The control panels are frequently changed to avoid being detected. They are managed by machines and proxies that are not owned by the botmaster.
The botmaster uses the control panel to send new exploit code to the bots or to modify the bot code so as to avoid detection through signature methods. This code is also used to insert new commands and attack victims (Patrick Lee, 2009). The botmaster’s main objective is to enlist new nodes into the botnet. A node is any computer that is connected to the internet, which makes it a target for attack. Each node is commanded to search for other potential hosts. This pattern follows for every other machine that is recruited into the botnet. Therefore the machines that were in the botnet before and the new ones continuously carry out the search. Within a few hours, a botnet can become very large, with a composition of millions of PCs on different networks throughout the world.

The effects of Botnets

Distributed Denial-of-Service

Given the large number of zombies distributed globally, botnets can unleash a vast simultaneous attack to paralyse major websites and facilities by engulfing the connection bandwidth. The most common attacks that are deployed include ICMP (Internet Control Message Protocol), UDP and TCP SYN floods. These attacks can also be in the form of password “brute-forcing” and application layer attacks. These attacks can be carried out in networks at speeds as high as multi-gigabit per second. The main targets of these attacks are commercial institutions, government-owned websites, domain name system (DNS) servers, hosting providers, essential internet infrastructure, antispam or even IT security agents. Where botnets are intended for extortion, they could target political, religious, gaming, gambling and pornography sites.

Spyware and malware

Infected nodes censor and report the web activity of the user for profit gains. This is usually done without the knowledge of the user. Sometimes there is the use of extortion and blackmail. Additional software can also be installed which is used to gather important data.
This information could be crucial for the system, hence it is sold to third parties.

Identity theft

This is done through the theft of crucial personal information, such as ID details, financial records and passwords, from a user’s computer to sell or for direct use.

Adware

Botnets can download automatically, install themselves and display pop-up messages depending on how the user browses the internet. In some instances they may manipulate the user’s browsing software to go to certain websites from time to time.

Email spam

The majority of spam nowadays belongs to botnets. A study conducted in June 2006 by IronPort found that almost 80% of spam originated from zombies. This was a 30% increase over the year.

Click fraud

In some instances the exploit code can impersonate a genuine web user. It clicks on advertisements in order to make money or punish the advertiser. This is mostly done on websites that have online sales or advertising networks.

Phishing

Sometimes infected computers can search for servers instead of other nodes. These servers are hijacked and used to host phishing sites. They impersonate genuine facilities such as PayPal for the purpose of stealing passwords and ID details (Lemos, 2006).

Ways of combating botnets

Detecting and Eradicating Botnets

Botnets have multiple purposes, hence they cannot be eradicated through the use of a single technology. For example, a botnet code could be intended for:

i) A DDoS attack – whose purpose is to paralyse a server
ii) A phishing attack – enticing users into a malicious site in order to acquire their personal data
iii) Malware – collecting confidential data from a zombie, sending spam and showing advertisements

Former methods of securing systems, like packet filtering, signature methods and port-based techniques, are inefficient against botnets. This is because, as mentioned earlier, botnets change their exploit code and servers to avoid being detected.

Several open source and commercial products are in use for detecting botnets. Most of them examine the flow of data reported by routers. Other tools use behavioural changes to detect botnets. They build a baseline of the normal condition in a network. Whenever abnormal traffic is detected, the tool flags the traffic, especially if it is an indication of a DDoS attack. Some of the most common methods of detecting and mitigating botnets include:

Monitoring of data flow – this method utilises protocols that are based on the flow of data. It gets a summary of information that is based on the network and transport layers from the network devices.

Anomaly detection (behavioural approaches) – in this case normal traffic is marked alongside all its characteristics. After that, deviations are searched for and any form of scanning by zombie machines on the network is detected and blocked. This method is effective on the network and on endpoints. On endpoints such as servers and laptops, suspicious activity and violations of policy are identified to prevent infections.

Analysis of the DNS log – botnets mostly depend on DNS hosting facilities to search for Internet Relay Chat (IRC) servers which have been taken over by the botmaster. These IRC servers also host the associated zombies. The botnet code usually refers to the DNS server. This reference can be noticed by the DNS log analysis equipment. When identified, the botnet is paralysed by an administrator of the DNS server. This is done by null routing the offending subdomain. The process involves pointing the subdomains to an empty IP address. Even though the procedure is efficient, it is difficult to employ because it needs the coordination of other providers of hosting services and name registrars (Richard Smith, 2011).

Honey pots – this refers to a trap that imitates a real resource, service or network.
This mimic is an independent, safe and watched area. The main aim is to entice and spot mischievous attacks and interventions. It is more effective as an observation and warning system. It can also be used by security researchers to figure out threats that are emerging. Because of the complexity in setting up and the vigorous examination required, honeypots have a limited value on large scale networks (U.S. House of Representatives, 2012).

Policies put in place to combat botnets

Due to their diverse nature, vigorous activity and frequent change of the botnet code, it is almost impossible to counter botnets. There are various methods that are in place, such as:

Signature based methods – this method places a mark on a weakness in a system, thereby making it a frequent reference point for any intrusions.
Drawback – if a botnet were to attack this weakness, its code would be changed immediately and another path in the system identified in order to avoid being detected.

Tracking the botmaster – the logic behind this method is to find the botmaster and shut him/her down, hence crippling the entire botnet (Hucaby, 2011).
Drawback – unfortunately botmasters never use their personal computers but servers to run the botnet, hence making it an impossibility to shut down the botnet without crippling the essential services of the hijacked server. Nevertheless, botnets use peer-to-peer networks and this makes the botmaster’s work irrelevant.

Luring botnets into a trap – this is one of the most effective methods with limited success. In this case a fake network is created in order to entice the botnet to search for nodes. When the botnet accesses the network, the network gets shut down, hence crippling the botnet.
Drawback – only part of the botnet can be crippled if the botmaster had not accessed the network. This means that it will only be the zombies that will be denied access to the network.
The rest of the zombies in the botnet will continue searching for other potential nodes, thus the botnet will go on.

Making fake servers in the network – this is another enticing method whereby mimics of real servers are made so as to lure botmasters to establish their control panel there. When successful, the botnets are redirected to dead IP addresses, thereby crushing the whole botnet. This method has not yet been put in place but is promising. The only drawback would be if the botnet uses a peer-to-peer architecture. Then it would not need a server (Wang, 2006).

Evaluation and conclusion of the literature review

In general, botnets are a major problem facing networks. Their effects on the economy are devastating to the extent that, if they are not checked, they could lead to a shutdown of online businesses. The various methods that are in place to control them are almost useless. There are even jobs paying more than $100,000 for botnet designers. It is necessary to have new innovative mechanisms that will avoid botnets rather than prevent them, since their designers are always several steps ahead. For example, since botnets are already adapted to the current network system (peer-to-peer and architecture based), newly designed networks would prove to be a task for them. This will be a tough task to implement but the only long-lasting solution (Dagon et al., 2006).

References

Dagon, D., C. Zou, and W. Lee. (2006) “Modeling botnet propagation using timezones”. In Proceedings of Network and Distributed Security Symposium, NDSS.
Gross, G. (2012) White House Launches Coordinated Effort to Battle Botnets. Retrieved from http://www.pcworld.com/businesscenter/article/256507/white_house_launches_coordinated_effort_to_battle_botnets.html
Hucaby, D. et al. (2011) CCNP Security Firewall 642-617 Official Cert Guide, Cisco Press.
Lemos, R. (2006) Bot software looks to improve peerage. Retrieved from http://www.securityfocus.com/
Members and Committees of Congress (2008) Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress. Retrieved from https://opencrs.com/document/RL32114/2008-01-29/news/11390.
Patrick Lee, Christopher (2009) Framework for Botnet Emulation and Analysis, New York: Pro Quest.
Richard Smith, Smith (2011) Elementary Information Security, New Jersey: Jones and Bartlett.
U.S. House of Representatives (2012) NASA Cybersecurity: An Examination of the Agency’s Information Security. Retrieved from http://oig.nasa.gov/congressional/FINAL_written_statement_for_%20IT_%20hearing_February_26_edit_v2.pdf.
Wang, C. (2006) Malware Detection, Advances in Information Security. London: Springer.
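
Added example (not part of the original paper): a sketch of the "Monitoring of data flow" and "Anomaly detection" methods described under "Detecting and Eradicating Botnets", in which a per-host baseline is built from flow summaries and a host that starts scanning is flagged. The flow records, addresses, time windows and thresholds are constructed assumptions, not data or parameters from the paper.

```python
"""Behavioural baseline over flow summaries to spot a scanning host."""
from collections import defaultdict
from statistics import mean, pstdev

def make_sample_flows():
    """Constructed flow summaries: (window, src_ip, dst_ip, dst_port, proto)."""
    clients = ["10.0.0.%d" % i for i in range(1, 6)]
    flows = []
    for w in range(5):  # every window carries ordinary client traffic
        for i, c in enumerate(clients):
            for s in range(2 + (w + i) % 2):
                flows.append((w, c, "192.0.2.%d" % (s + 1), 443, "tcp"))
    # Window 4 only: 10.0.0.3 additionally sweeps 60 addresses on one port.
    for h in range(1, 61):
        flows.append((4, "10.0.0.3", "198.51.100.%d" % h, 445, "tcp"))
    return flows

def fanout(flows, window):
    """Distinct (dst_ip, dst_port) pairs contacted by each source in a window."""
    peers = defaultdict(set)
    for w, src, dst, dport, _proto in flows:
        if w == window:
            peers[src].add((dst, dport))
    return {src: len(p) for src, p in peers.items()}

def build_baseline(flows, windows):
    """Per-host mean and standard deviation of fan-out over normal windows."""
    history = defaultdict(list)
    for w in windows:
        for src, n in fanout(flows, w).items():
            history[src].append(n)
    return {src: (mean(v), pstdev(v)) for src, v in history.items()}

def detect_scanners(flows, baseline, window, k=3.0, floor=5, unknown_limit=10):
    """Return (host, fan-out, limit) for hosts that deviate from the baseline.

    k, floor and unknown_limit are illustrative thresholds (assumptions).
    A host with no baseline history is judged against unknown_limit.
    """
    alerts = []
    for src, n in sorted(fanout(flows, window).items()):
        if src in baseline:
            mu, sigma = baseline[src]
            limit = mu + max(k * sigma, floor)
        else:
            limit = unknown_limit
        if n > limit:
            alerts.append((src, n, round(limit, 2)))
    return alerts

if __name__ == "__main__":
    flows = make_sample_flows()
    baseline = build_baseline(flows, windows=range(4))
    print(detect_scanners(flows, baseline, window=4))
```

Only network and transport layer fields are used, matching what the paper says flow-based tools collect from network devices.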