How ISPs Can Help Fight Botnets and Cybercrime - Essay Example

Summary
This essay "How ISPs Can Help Fight Botnets and Cybercrime" argues that botnets are one of the most severe security threats in the modern world. Botnets are used to commit a diverse range of internet crimes, ranging from phishing to spamming and intrusion activities.


Botnets

Botnets have grown to become a major threat to the modern world. They adopt a distributed approach, which makes them difficult to control or detect. They are the basis of many internet crimes such as spam, phishing and denial of service attacks. Botnet operators are earning large amounts of money from the creation of botnets. ISPs need to collaborate and fight the battle against botnets with mutual help. A guideline is proposed regarding the appropriate actions that ISPs should take to overcome the problem.

1. Introduction

The advent of computers has made revolutionary changes in the life of mankind. Computers have integrated deeply into our lives, and it is due to this fact that the current times can be termed the technological era. Computers have made life convenient and fast-paced. However, along with the convenience some other things have also been introduced, such as threats to personal information and intellectual possessions. The invention of the internet has aggravated these threats and has given new means for malicious activities. Botnets are one of the newer techniques adopted by hackers to gain access to different systems on the network and then perform inappropriate automated tasks through them.

2. Overview of Botnets

The inception of botnets dates back to the days when Internet Relay Chat (IRC) was very popular among internet users. IRC is a protocol developed for real-time many-to-many communication. IRC consisted of channels and servers on which communication took place. Channels were operated by channel operators who were in charge of monitoring the activities on the channels and servers. With the increase of users on IRC, conflicts between users also increased. The users wanted to gain access to more servers, which created conflicts. Some of the users started developing scripts to attempt denial of service and distributed denial of service attacks on the servers to crash them. Crashing the network caused the server to refresh and thus assign a new user as the operator. Later, these scripts started being used to target individuals. These malicious activities began the concept of botnets.

2.1 Definition

A bot is defined as malicious software that may reside on a single computer. It is automated and runs on commands from the IRC server; it makes the computer compromised and a part of a wider network of similarly infected systems. Enselmi et al. (2010) stated that this server is also called the Command and Control server and that the commands are sent in Command and Control (C&C) languages. Bots are part of a botnet, i.e. an autonomous set of programs used to perform any type of malicious activity on the network. These systems might be performing automated activities of an unethical nature without the involvement or knowledge of the owner of the system. Banday, Qadri and Shah (2009) stated that botnets may be distributed over a network with a bot controller controlling their actions and tasks. The bot controller is considered to be the mastermind behind the whole activity, but the communication between the bot controller and the respective bots may not always be direct. What-is-what.com (2007) explained that direct communication makes it easy for the bot controller to be identified; therefore indirect communication may be adopted, i.e. from one node to the other via IRC.

2.2 Formation of a Botnet

Massi, Panda, Rajappa, Selvaraj and Revankar (2010) described the main requirements for the formation of a botnet: a server program, a client program that will operate on the commands of the bot controller, and malicious software that will make the system compromised (a part of the botnet).

Reference.com (2008) explained the steps in the formation of a botnet:

1. A botnet controller sends out malicious software, which can also be in the form of a virus or worm.
2. The malicious software is installed on the respective system in an automated manner, thereby making the system a part of the botnet.
3. The bot communicates with the IRC server, which will give it commands for further actions. The bot can then be seen on the list maintained by the IRC server.
4. A spammer buys access to the botnet from the person who developed the whole network of compromised systems.
5. The spammer is granted access to the IRC server, which can give out commands to the bots in the network to perform malicious activities such as sending spam emails.
6. The bots send out spam emails without any involvement of the user of the system.

The following figure shows the above mentioned steps in graphical form:

Figure 1: Formation of Botnets (Botnet Knowledge.com n.d.)

Enselmi et al. (2010) stated that the most vulnerable and unprotected systems in the network are chosen as the victims to which malicious software is sent. Another way to compromise a system is to manipulate users into installing the software, which might be hidden in links or images on websites.

2.3 Lifecycle of Botnets

Botnets follow the following lifecycle:

1. The bot herder configures the parameters of the malicious software, such as infection vectors, C&C details etc.
2. A DNS name is registered.
3. A static IP is registered.
4. The bot herder plants the malicious software in different places to increase the number of compromised systems in the botnet.
5. Bots keep on spreading and the nodes in the botnet keep on increasing.
6. The increase in the number of bots increases the DDoS messages to the victim.

Fig 2: Spread of commands through IRC Servers (Stankovic and Simic, 2009)

2.4 Techniques to Spread a Botnet

There are several techniques adopted by bot herders to spread bots. Liu, Xiao, Ghaboosi, Deng and Zhang (2009) explained some of the ways:

Email Attachments
The link to the malicious software is hidden in the form of an email attachment. When the user downloads the attachment, it gets automatically installed on the system, thereby making the computer a bot in the wider botnet.

Social Networking Site Links
Social networking sites are frequently used by internet users. Intruders have discovered them as a good source for increasing the number of bots. The malicious software might be hidden in the form of an image or link on the respective site and will be automatically installed when the user chooses to follow that link.

2.5 Purpose of Botnets

There are several purposes for making botnets; they range from monetary gain to more power. Each of them is explained below:

Denial of Service Attacks (DoS)
Bots are programmed to send a large number of requests to a service-providing source on the internet. Bots function in such a way that the user of the system is hidden from the whole process. All servers are capable of handling a specific number of requests. The overload of requests makes the server crash and it goes out of service temporarily. This online crime is very common and many big organizations have been made targets of such crimes. Koch (2007) stated that a massive denial of service attack was initiated by a hacker in 2000 against big organizations, namely CNN, Amazon and Yahoo!

Spam
Spam has become so common now that it is not even considered unethical. Spam refers to the undesired emails that are sent to internet users without their permission. Bots are controlled to send thousands of spam emails every day. Botnet herders tend to compete regarding the number of bots under their control. Along with the number of bots, the type of systems possessed is also a question of pride, e.g. government machines, multinational data storage etc. The bots are then sold according to their status and numbers. Akass (2008) explained that the three reasons for the activities of botnet operators are prestige, politics and profit. The botnet operators not only profit from selling access to the botnet; they also get a share of the profits that are generated from the business.

Phishing
McLaughlin (2004) pointed out another threat of botnets: some bots are programmed to send spam that is designed to make the user reveal personal information. An email is sent to the user from sources posing as authentic sources such as banking institutions, lottery announcement organizations, government institutions etc. These emails direct the user to other websites that are maintained by attackers. The data entered on these websites enables the attacker to gain the personal information of the users, which can then be used for any malicious purpose.

Intrusion in the System
Some bots are programmed to search the computer of the user for personal information such as IP address, computer name, passwords, email addresses, product keys etc. The bots are designed to retrieve the information and then send it to the bot controller.

2.6 Scale of Botnet Attacks

Kirk (2006) pointed out that spam has increased so much that it accounts for around 60% of the whole world's email traffic. The monetary gains in the area of botnets have started attracting more and more botnet operators. According to an instance stated in an article by Koch (2007), the US Department of Justice arrested a botnet herder in California who had planned an elaborate acquisition of bots from a variety of networks in 2005. He automated the installation of malicious software on 20,000 computers and as a result accumulated over $50,000. Akass (2008) stated that a worm by the name of 'Storm' spread in the UK in the year 2009. It generated great revenues for the botnet operators. The worm prevailed for around a year and compromised many systems in that time period.

The botnet attacks are not confined to a certain region; they are widespread across the whole world. An article in The Times of India (2010) reported that India is ranked 25th in the world for botnet infections. They suffer great losses every year due to the attacks; it is due to these frequent attacks that they have deployed efficient measures to clean their systems. This article also discussed a report issued by Microsoft at the beginning of the current year. It revealed that around $780 million in losses were suffered by companies around the world in the years 2008-2009. The scale of botnets is increasing day by day since it does not require much infrastructure or time to plan an attack. Even teenagers are able to plan these attacks from their homes. A similar instance was witnessed in New Zealand when a teenager was arrested on charges of being the mastermind of a major botnet attack in that region. He was responsible for infecting 1.3 million computers and generated a lot of money. Kates (2010) reported that another major botnet attack was found in the US in 2010 that infected approximately 75,000 computers around the world and was also able to infect 10 US government agencies. The attack was targeted at retrieving login information for financial institutions, social networking sites and web email account services.

2.7 Detection Techniques

There are not many techniques or methods to adopt when a system becomes compromised or when a botnet attack takes place, since bots are widespread on the network. There exists no clear pattern linking the compromised machines, and the user cannot identify the number of bots that might be initiating the attack. However, some methods are available to keep systems safe from attack and to identify the bot controller that might be controlling the bots.

2.7.1 Honeypots

Honeypots are used in the system to enhance the security level and to detect the bots in the network. Edwards (2008) explained that honeypots are defined as isolated systems that are present in the network to pose as attractive, unprotected machines. Some information is saved on the machine that might attract the bot controller to gain access to it. The honeypot allows itself to be infected by the malicious software and becomes a part of the botnet. Its aim is then to identify the bot controller so that the remotely controlled functions can be stopped. There are mainly two types of honeypots: low-interaction and high-interaction honeypots.

Low Interaction Honeypots
Spitzner (2003) stated that they provide limited access to the attacker, i.e. they do not allow themselves to be fully exploited. They are useful for gaining information about network probes or any possible worm activity.

High Interaction Honeypots
These types of honeypots allow themselves to be fully possessed by the malicious software. The system is possessed by the attacker to such a great extent that further attacks can also be performed from it.

Advantages
Honeypots provide information regarding the bot controller in the network and any worms that might be prevailing in the network. Shadow Server.org (2005) described that high-interaction honeypots tend to provide more extensive knowledge about the attack, since the honeypot is fully possessed by the attacker. The whole process can be analyzed and thus the systems in the network can be protected accordingly.

Disadvantages
A disadvantage of honeypots is that they tend to provide a narrow view of the issue. The attacker might be attacking other systems in the network, but the honeypot will not be aware of it unless it is attacked itself. Stankovic and Simic (2009) described it as a microscopic view of the issue, i.e. concentrating on one system while ignoring the data around it. Honeypots provide a good detection service for the network but induce risk as well. The risk lies in the possibility of losing control over the honeypot to such an extent that the attacker starts initiating attacks against the nodes in its own home network. Stankovic and Simic (2009) clarify that the risk varies according to the type of honeypots present in the network; high-interaction honeypots induce much more risk in the network than low-interaction honeypots.

2.7.2 IRC-Based Botnet Detection

One technique to detect botnet activity on the network is to take the traffic from a live network on an IRC port, e.g. TCP port 6667, and monitor it for any terms that match botnet commands. Another approach is to look for behavioural characteristics of botnets; for example, bots are usually idle but respond to a request faster than a human. Such a technique can help in the identification of botnets.

Advantages
No separate system has to be deployed to attract the attackers. This technique does not threaten the security of the network as the honeypot technique does.

Disadvantages
Cooke, Jahanian and McPherson (2005) stated that the technique relying on behavioural characteristics of botnets tends to give a high false positive rate, since many legitimate systems might be idle for extended periods of time and alert users when an event happens.

2.8 Prevention Techniques

Support for Scripting Languages
One technique to reduce the vulnerability of a system is to turn off support for scripting languages. These might include JavaScript, VBScript and ActiveX. This will reduce the probability of bot installation on the system. The user's rights should also be limited to a restricted access level whenever he/she is connected to the internet. Ceasing support for scripting languages will not let the attacker install the software even if he gains access to the system.

Updated Software
It is always good practice to install the updates for operating systems and other necessary software. The usual targets of botnets are machines that are vulnerable and unprotected. Software updates are necessary since there is always new development and research going on regarding newer ways to mitigate the respective problem. Regular updates will ensure better protection and security.

Email Attachments
It is always advised not to open email attachments that come from unknown sources. Spam is one of the most common techniques used to try to increase the number of bots in botnets. Another good approach is to enable the file extension visibility option at the operating system level. This way the attachment extension is visible, and thus an email with an unknown file extension can be deleted even before it is opened.

Appropriate Protection Software
Efficient intrusion detection systems, anti-virus and anti-Trojan software should be installed on the system to get alerts regarding any unexpected activity. Another solution is to deploy a firewall on the system or the network to keep all unwanted communication outside the boundary of the network.

3. ISPs' Role in the Battle against Botnets

ISPs play an important role in the detection and thus mitigation of the problem. According to an article by Higgins (2006), botnets are found to be the cause of almost half of the DDoS attacks in the whole world; therefore they are a major threat to service-providing entities on the internet. One of the most appropriate strategies is to make the ISPs join hands in the battle and get more aggressive regarding prevention and detection techniques. It is the responsibility of individuals to protect their systems against this threat, but a lot of responsibility also lies with the ISPs for securing the network. Bookman (n.d.) stated that some ISPs tend to block port 25, which is responsible for SMTP transfers. Botnet communication usually uses this port for spam emails and junk mail. The changing of the email port will make the spam communication.
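As an added illustration of the IRC-based detection described in section 2.7.2 (not code from the essay or from any of its sources), the toy detector below applies both heuristics to a constructed capture of the kind an ISP could collect on its own network: a command-string match on TCP port 6667 traffic, and the idle-but-fast-reply behaviour, with a repeat-count threshold and PING/PONG exclusion to temper the false positives the essay notes. The watchlist tokens, thresholds, hosts and server address are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

IRC_PORT = 6667                 # the IRC port the essay names
# Constructed watchlist standing in for "terms that match botnet commands";
# a real deployment would use signatures from threat intelligence.
WATCHLIST = frozenset({".login", ".scan", ".update", ".dl"})
# Behavioural thresholds (assumed values, not taken from the essay).
IDLE_SECONDS = 600.0      # host must be quiet this long to count as idle
HUMAN_REACTION = 0.5      # a reply faster than this is suspicious
MIN_FAST_REPLIES = 3      # demand repeated evidence to limit false positives


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    payload: str     # one IRC line


def command_matches(packets):
    """Heuristic 1: IRC-port traffic (either direction) carrying a watchlisted
    token. Returns [(client host, token, timestamp), ...]."""
    hits = []
    for p in packets:
        if IRC_PORT not in (p.sport, p.dport):
            continue
        client = p.dst if p.sport == IRC_PORT else p.src
        # IRC trailing parameters start with ':'; strip it so ':.scan' matches
        for tok in (t.lstrip(":").lower() for t in p.payload.split()):
            if tok in WATCHLIST:
                hits.append((client, tok, p.ts))
                break
    return hits


def fast_idle_responders(packets):
    """Heuristic 2: hosts idle for IDLE_SECONDS that still answer a server line
    within HUMAN_REACTION, at least MIN_FAST_REPLIES times. PING/PONG is
    ignored because every IRC client answers it automatically."""
    last_sent = {}      # client -> ts of its last non-automatic outbound line
    pending = {}        # client -> (ts of server line, client was idle?)
    fast = defaultdict(int)
    for p in sorted(packets, key=lambda q: q.ts):
        verb = p.payload.split(" ", 1)[0].upper()
        if p.sport == IRC_PORT and verb != "PING":        # server -> client
            idle = p.ts - last_sent.get(p.dst, float("-inf")) >= IDLE_SECONDS
            pending[p.dst] = (p.ts, idle)
        elif p.dport == IRC_PORT and verb != "PONG":      # client -> server
            if p.src in pending:
                sent_at, idle = pending.pop(p.src)
                if idle and p.ts - sent_at <= HUMAN_REACTION:
                    fast[p.src] += 1
            last_sent[p.src] = p.ts
    return {h: n for h, n in fast.items() if n >= MIN_FAST_REPLIES}


def suspects(packets):
    """Hosts flagged by either heuristic, i.e. the ISP's notify-and-block list."""
    flagged = {host for host, _, _ in command_matches(packets)}
    flagged.update(fast_idle_responders(packets))
    return sorted(flagged)


SRV = "198.51.100.7"   # constructed IRC server address (documentation range)
# Constructed capture: 10.0.0.5 behaves like a bot, 10.0.0.9 like a human.
SAMPLE = [
    Packet(0.0, "10.0.0.5", 51000, SRV, IRC_PORT, "NICK bot4521"),
    Packet(0.1, "10.0.0.5", 51000, SRV, IRC_PORT, "JOIN #c"),
    Packet(5.0, "10.0.0.9", 52000, SRV, IRC_PORT, "PRIVMSG #chat :hi all"),
    Packet(900.0, SRV, IRC_PORT, "10.0.0.5", 51000, "PRIVMSG #c :.login p4ss"),
    Packet(900.0, SRV, IRC_PORT, "10.0.0.9", 52000, "PRIVMSG #chat :hello"),
    Packet(900.2, "10.0.0.5", 51000, SRV, IRC_PORT, "PRIVMSG #c :ok"),
    Packet(912.0, "10.0.0.9", 52000, SRV, IRC_PORT, "PRIVMSG #chat :how are you"),
    Packet(1800.0, SRV, IRC_PORT, "10.0.0.5", 51000, "PRIVMSG #c :.update"),
    Packet(1800.1, "10.0.0.5", 51000, SRV, IRC_PORT, "PRIVMSG #c :done"),
    Packet(2700.0, SRV, IRC_PORT, "10.0.0.5", 51000, "PING :srv"),
    Packet(2700.1, "10.0.0.5", 51000, SRV, IRC_PORT, "PONG :srv"),
    Packet(3600.0, SRV, IRC_PORT, "10.0.0.5", 51000, "PRIVMSG #c :.dl"),
    Packet(3600.2, "10.0.0.5", 51000, SRV, IRC_PORT, "PRIVMSG #c :done"),
]

if __name__ == "__main__":
    print(command_matches(SAMPLE))
    print(fast_idle_responders(SAMPLE))
    print(suspects(SAMPLE))
```

The human user at 10.0.0.9 is idle just as long as the bot but takes twelve seconds to answer, so only the bot crosses the threshold; lowering MIN_FAST_REPLIES to 1 is where the false positives Cooke, Jahanian and McPherson warn about start to appear.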
Many ISPs around the world have made agreements to share useful botnet information so that the issue can be resolved at a faster pace. Bookman (n.d.) pointed out that a similar instance has been witnessed in Australia and the Netherlands, where around a dozen ISPs agreed to share information about botnets and block users who have compromised systems.

3.1 Guideline for ISPs to Combat Botnets

Spam Fighter (2008) proposed an approach that should be followed by all ISPs:

1. Detect the computers that have been attacked.
2. Contact the users whose systems have been affected.
3. Give information and recommendations to the user to deal with the compromised machine.
4. Communicate warnings to all the ISP's users so that they can be cautious about their usage of the internet, for example regarding attacks that might pose greater security threats.

As in many other countries in the world, a pact should be made amongst the ISPs, which should abide by the following rules:

- ISPs should filter all information that is going through them and block all users that pose a security threat to other users. This action should be communicated to all users so that they are well aware of the consequences of inappropriate actions regarding the usage of the internet.
- ISPs should share information and knowledge about any findings about botnets that they have discovered.
- The ISPs that consent to the pact should be held accountable for non-compliance with the above mentioned rules and recommended actions.

An efficient form of communication would be to maintain a platform where all the latest information can be shared. The medium can be a group or a site which has strict security measures installed to keep all unwanted comments away from the platform. A single account should be made for a single individual in every ISP who would have the authorization rights to share his company's respective findings about botnets (if any). A few other access rights can be granted to every company which would enable them to view the accumulated findings from each ISP. This can benefit the companies by providing the latest information; quick actions can be taken with respect to the posts on the website. Another approach to sharing information amongst ISPs would be to issue a monthly report about the actions taken at their end to mitigate the issue and the findings that have been discovered at their end. The communication between the ISPs needs to take place after appropriate security measures have been taken, since any intrusion might cause addition or modification of the data that has been uploaded by the ISP workforce. Any alteration of the data can be very misleading for the companies and might cause them to take contrasting actions in response to the attacks.

3.2 Nature of Information to be Shared

ISPs should only share information about the active botnets that might be attacking machines and their adopted process of gaining control. The information that should not be shared with other ISPs is the data about their customers. They should not reveal the identity of customers whose machines are compromised, since it is the social responsibility of the company to safeguard their data at all costs. Customers who are believed to possess compromised machines should be dealt with internally and blocked as soon as possible by the respective ISP.

3.3 Actions Taken after Receiving Information

Once the information is received by the ISPs, it is their duty to analyze it and evaluate their security measures to judge whether their respective systems would be able to withstand such security threats. For example, if a new worm or virus is discovered to be prevailing in the network, then the ISP's intrusion detection systems, firewalls, anti-virus etc. should be evaluated with respect to their capability to handle such an instance. If it is discovered that the systems are not strong enough, then stronger mechanisms need to be deployed. The company's customers should be warned about any new threats that might be present in the network.

4. Conclusion

Botnets are considered to be one of the most severe security threats in the modern world. Botnets are used to commit a diverse range of internet crimes, ranging from phishing to spamming, denial of service (DoS) attacks and intrusion activities. Botnet herders aim to increase the number of systems in their botnets and also to gain control over sensitive machines belonging to governments, banks etc. The number of systems and the status of the machines decide the price of the botnet for the botnet operator. The need of the hour is to promote the union of ISPs to fight the battle against botnets. They need to detect the existence of botnets in the network and block the respective users from their network. ISPs should share information regarding their findings about the latest botnets on networks so that the issue can be eliminated.

References

Akass, C 2008, 'Why botnet operators do it: profit, politics, & prestige', Personal Computer World, 11 Feb 2008, viewed 7 Nov 2010, http://blog.granneman.com/2009/02/08/1163/
Banday, MT, Qadri, JA, Shah, NA 2009, 'Study of Botnets and Their Threats to Internet Security', Sprouts: Working Papers on Information Systems, 9(24).
Bookman, E n.d., 'How ISPs Can Help Fight Botnets and Cybercrime', Trend Labs, viewed 10 Nov 2010.
Botnet Knowledge.com n.d., Botnet, viewed 6 Nov 2010.
Cooke, E, Jahanian, F, McPherson, D 2005, 'The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets', viewed 8 Nov 2010.
Edwards, J 2008, 'The Rise of Botnet Infections', Network Security Journal, 15 Sept, viewed 8 Nov 2010.
Enselmi, D, Bosocovich, R, Campana, TJ 2010, 'Battling Botnets for Control of Computers', Microsoft Security Intelligence Report, Vol. 9.
Higgins, KJ 2006, 'ISPs Needed in Botnet Battle', Sep 25, viewed 9 Nov 2010.
Kates, B 2010, 'Kneber botnet virus attacks 75,000 computers worldwide, including US government systems', Daily News, 18 Feb, viewed 7 Nov 2010.
Kirk, J 2006, 'Guidelines let UK ISPs share spam data', Mac World, viewed 4 Nov 2010.
Koch, C 2007, 'A Brief History of Malware and Cybercrime', CIO, 4 June.
Liu, J, Xiao, J, Ghaboosi, K, Deng, H, Zhang, J 2009, 'Botnet: Classification, Attacks, Detection, Tracing, and Preventive Measures', EURASIP Journal on Wireless Communications and Networking, Vol 2009.
Massi, J, Panda, S, Rajappa, G, Selvaraj, S, Revankar, S 2010, 'Botnet Detection and Mitigation', Proceedings of Student-Faculty Research Day, viewed 5 Nov 2010.
McLaughlin, L 2004, 'Bot software spreads, causes new worries', IEEE Distributed Systems Online, vol. 5(6).
Reference.com 2008, Botnet, viewed 5 Nov 2010.
Shadow Server.org 2005, 'Honeypots', viewed 8 Nov 2010.
Spam Fighter 2008, 'Australia Proposes Botnet Clampdown Initiative', viewed 9 Nov 2010.
Spitzner, L 2003, 'The Value of Honeypots', InformIT, viewed 9 Nov 2010.
Stankovic, S, Simic, D 2009, 'Defence Strategies against Modern Botnets', International Journal of Computer Science and Information Security, Vol 2, No. 1.
The Times of India 2010, 'Indian PCs under botnet attack', 14 Oct.
What-is-what.com 2007, 'What is a botnet', viewed 5 Nov 2010.
BOTNETS Essay Example | Topics and Well Written Essays - 3500 words. Retrieved from https://studentshare.org/miscellaneous/1571994-botnets
