With the wide adoption of social websites and cloud technologies, attackers have started targeting these new platforms. From denial of service (DoS) and distributed denial of service (DDoS) attacks to today's most sophisticated malware, attacks are becoming more complex and more covert.
Botnets have also become a significant part of these growing Internet malware attacks. DDoS attacks use a botnet to produce floods of requests that mimic flash crowds in client traffic. Bots are hosts infected by malware such as viruses and worms, and some botnets copy themselves with the aim of infecting many more hosts.
A traditional botnet can be defined as a network of infected hosts under the remote control of criminal botnet operators, and in general it has three parts: botmasters, the critical command and control (C&C) channel and bots.
Botmasters: The botmaster sends commands to the C&C servers and launches malware attacks through them. Botmasters are the ones who construct, control and maintain the whole botnet.
Command & Control: The C&C servers receive commands from the botmaster and remotely control the distribution of compromised computers. Centralized C&C has two major disadvantages. First, it is easier to detect, because many clients connect to the same point. Second, locating that central point can compromise the entire botnet.
The first generation of C&C used IRC (Internet Relay Chat) channels. One IRC-based tool used by attackers is Trinity, which performs UDP, TCP SYN, TCP ACK, TCP NULL and fragment floods; Agobot is another widely used IRC bot.
Bots: The bots are the compromised victim hosts on which the malware is installed. Traditionally, bots use DNS to find the location of the C&C server and then contact it for instructions.
Advancement in C&C Architectures & Deployment
In order to overcome these weaknesses, a new generation of botnets that hide their C&C communication has emerged: HTTP-based and peer-to-peer (P2P) based botnets. With a P2P framework in particular there is no single C&C server, so the loss of one bot does not collapse the whole botnet.
Web Botnets: An attacker can use HTTP as the communication channel for sending commands to the bots, which makes the botnet harder to track. A web-based bot periodically downloads its instructions with an ordinary web request and often uses encrypted channels over HTTPS for additional cover. A few known tools in this category are ClickBot, BlackEnergy and Low Orbit Ion Cannon (LOIC).
Peer to Peer Botnets: Botnets have in fact been moving to Web 2.0 services such as online social networks, exploiting vulnerable social networks as their C&C servers. Social websites use Web 2.0 technology to let users interact and collaborate in a virtual community through blogs, video sharing and instant messaging.
P2P bots use Web 2.0 communication methods; for example, the attacker may use a public blog service as temporary storage for C&C information. An interesting feature is that P2P communication is sometimes used only as a backup channel in case the C&C servers are not reachable. Every peer in the botnet can act as a C&C server, while none of them really is one.
A P2P bot’s life cycle consists of the following stages:
- Infection stage, during which the bot spreads (this might happen through drive-by downloads, malicious software installed by the end user, infected USB sticks, etc.).
- Rally stage, where the bot connects to a peer list in order to join the P2P network.
- Waiting stage, where the bot waits for the botmaster's command (and does not exhibit much activity otherwise).
- Execution stage, in which it actually carries out a command, such as a denial of service (DoS) attack, generating spam emails, etc.
A few known P2P botnets are ZeroAccess, Peacomm and Phatbot. These are typical Storm worms and currently the most widespread P2P bots observed in the wild.
Botnets Counter Measures: Detection & Control
Anomalous network activity, poor client system performance and erratic behaviour of client systems are the commonly seen signs of infected systems in an organization. Enterprises can detect botnet infections on their networks through a combination of network analysis and correlation with local system logs or investigations. A few techniques and measures an enterprise can use are listed below:
- Source IP reputation scanning and filtering, with global correlation based on a risk-rating value
- SSL traffic inspection at high throughput
- Enabling IP Source Guard on switches to prevent spoofed packets
- Creating and enforcing a no-P2P policy to prevent P2P malware
- Host- and network-based intrusion prevention solutions
- Client and server operating system hardening
- Up-to-date patching of all devices
- Data leak protection clients on endpoint machines
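As an added example (not code from the article), the following Python implements three of the network-side checks this page describes: fan-in of many internal hosts to one destination (the centralized C&C weakness), near-constant polling of a web host (the HTTP bot behaviour), and one host reaching many distinct peers off the usual ports (the P2P rally stage). The flow records, addresses and thresholds are constructed sample data and assumed values.

```python
# Added example, not the article's code: C&C detection heuristics over
# constructed flow records (seconds, source host, destination host, port).
from collections import defaultdict
from statistics import median

FLOWS = [  # constructed sample data
    # three workstations polling one web host at a near-constant 60 s interval
    *[(t, "10.0.0.11", "203.0.113.5", 80) for t in (0, 60, 121, 180, 240)],
    *[(t, "10.0.0.12", "203.0.113.5", 80) for t in (5, 65, 125, 186)],
    *[(t, "10.0.0.13", "203.0.113.5", 80) for t in (30, 90)],
    # ordinary browsing: same destination, irregular timing
    *[(t, "10.0.0.20", "198.51.100.7", 443) for t in (0, 17, 200, 215)],
    # one host reaching many distinct peers on a high port (P2P rally stage)
    *[(300 + i, "10.0.0.30", f"192.0.2.{i}", 40000) for i in range(1, 7)],
]

def fan_in(flows, min_clients=3):
    """Centralized C&C: many internal hosts contacting the same destination."""
    clients = defaultdict(set)
    for _, src, dst, port in flows:
        clients[(dst, port)].add(src)
    return {k: sorted(v) for k, v in clients.items() if len(v) >= min_clients}

def beacons(flows, min_hits=4, max_jitter=0.2):
    """HTTP bot polling: a host's requests to one destination repeat at a
    near-constant interval (every gap within max_jitter of the median gap)."""
    times = defaultdict(list)
    for t, src, dst, port in flows:
        times[(src, dst, port)].append(t)
    found = {}
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts = sorted(ts)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        med = median(gaps)
        if med > 0 and all(abs(g - med) <= max_jitter * med for g in gaps):
            found[key] = med  # the detected polling interval in seconds
    return found

def p2p_fanout(flows, min_peers=5, common_ports=(53, 80, 443)):
    """P2P rally stage: one host talking to many distinct peers off common ports."""
    peers = defaultdict(set)
    for _, src, dst, port in flows:
        if port not in common_ports:
            peers[src].add(dst)
    return {src: len(p) for src, p in peers.items() if len(p) >= min_peers}
```

The thresholds are deliberately simple; in practice they are tuned per environment and correlated with host logs, as the list above recommends.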
In general, honeypots play an important role in detecting and analyzing botnets, and they are used to analyze malware code and generate antivirus signatures. Most malware attacks use social engineering, and education can be highly effective in stopping them. Your users don't need to be security experts; today, just remembering four things can keep them protected:
- Only click through to trusted sources when searching, especially on topics receiving high attention
- Never update a "media player", "codec" or "Flash" when prompted by a site hosting videos or one not affiliated with that application
- Do not use P2P applications on business machines, and be cautious on home machines as well
- Do not click on links or attachments in spam email