SlideShare a Scribd company logo

Tracing Back The Botmaster

IJERA Editor
IJERA Editor

Nowadays, cyber-attacks from botnets are increasing at a faster rate than any other malware spread. Detecting the botmaster who commands the tasks has become more difficult. Most of the detecting methods are based on the features of any communication protocol or the history of the network traffic. In this paper, a rational approach is brought for the live detection of the botmaster in the internal network. The victim machine monitors its packets and compromises the bots in the network and finds the traces to the botmaster. This approach works independent of the structure of the botnet, and will be a better option for online detection of the botmaster.

Technology
1 of 5
Download to read offline
Sneha Leslie Int. Journal of Engineering Research and Applications www.ijera.com ISSN : 2248-9622, Vol. 4, Issue 12( Part 5), December 2014, pp.04-08 www.ijera.com 4 | P a g e Tracing Back The Botmaster Sneha Leslie Information Security and Cyber Forensics, SRM University Abstract- Nowadays, cyber-attacks from botnets are increasing at a faster rate than any other malware spread. Detecting the botmaster who commands the tasks has become more difficult. Most of the detecting methods are based on the features of any communication protocol or the history of the network traffic. In this paper, a rational approach is brought for the live detection of the botmaster in the internal network. The victim machine monitors its packets and compromises the bots in the network and finds the traces to the botmaster. This approach works independent of the structure of the botnet, and will be a better option for online detection of the botmaster. Keywords- Botnet, DDOS, detection methods, network security, metasploit framework. I. INTRODUCTION Cyber-crimes are increasing day by day in various forms and with various effects. Thus Internet has become the most vulnerable area. Attacks done behind the legitimate machines have got a public name “Botnet”, where the botmaster who is the real attacker compromises set of host machines in the network called zombies and makes the zombies to perform the various malicious tasks against a victim. Thus botmaster hides his real identity. The term “bot” is derived from the word “ro-bot” which is said to be nay scripts or programs that would run repeatedly and automatically once triggered by an external or internal operation in the system[1].The first bot “Eggdrop” , was designed by Jeff Fisher in 1993,as a useful feature in IRC channels (Green and et al – 2000). Mainly bots are of two types: benevolent bots and malicious bots. Bots that are used for legitimate and automated tasks are put in benevolent group. While the ones that carry out malicious codes and spread infection and cyber- crimes are put in malicious bot group. The internal working of botnet can be either as centralized one or as a peer-to-peer one. There are varieties of attack vectors performed by these botnets which include DDoS Distributed Denial of Service attack, sending spam emails, spreading malicious codes, phishing, and identity theft and click fraud and so on. There are different detection mechanisms proposed by different specialists. Most of them do work on the principle of network flow characteristics and protocol featuresand most of the approaches share the idea of detecting patterns based on communication flow [2]. Botnet Fig1. Basic Botnet structure Due to the dynamic nature of the botnets, ways already suggested are finding new approaches each and every day. The security of digital computing infrastructure has become a crucial and essential thing. The proposed work shows the live detection of the botmaster in the internal network by using concepts of compromising the zombies, packet capturing and packet analysing. A strong framework “Metasploit” is been used for the purpose of tracing the botmaster. II. RELATED WORK Though there are many mechanisms all around, some of them have proved to be identifying the botnets well. Neural network applications are widely used in the design of botnet detection mechanism because of their high capability of finding abnormal patterns in traffic and they could handle non- linearity [3].Even websites has suggested various methods like response to CAPTCHA as prevention against bots and malicious agents. Preventing a system from falling as a victim to botnet attack requires great awareness about the confidentiality, integrity and availability of the network infrastructure. Botmaster Bot Bot Victim Compromised systems commands attacks RESEARCH ARTICLE OPEN ACCESS
Sneha Leslie Int. Journal of Engineering Research and Applications www.ijera.com ISSN : 2248-9622, Vol. 4, Issue 12( Part 5), December 2014, pp.04-08 www.ijera.com 5 | P a g e The malicious attackers had then changed their methods of communicating to the bots in various ways. This is when DNS links came into the scene. The technique of DNS tunnelling in which the attackers send the malicious code in the resource record fields of DNS message was carried out [4]. For detecting suck abnormalities, Shannon entropy methods were proposed. Many applications have the option of grouping systems that show some behaviour of botnets though they are not, and isolating them for neutralizing the probability of any further unknown attacks [5].Where a pipelined approach is used, with incorporated filtering of white and black list. Basically chat-based botnet architecture is characterized in many areas which includes the role of IRC server, code server, and controller and so on. An efficient method was brought in by using sniffing program. Sniffer program is designed to capture and analyse the communication between botnet master and its clients. It uses the following three parameters for the processing which are the file name, interface name and the count of packets to be captured [6,7]. Nepentheses is a special kind of honeypot used for automatic malware sample collection [8]. The next generation botnet detection systems must be completely independent on command and control mechanisms. III. DETECTIONMETHODOLOGY The proposed work is established for the internal network mainly in the case of any organization, institution etc. Here we depict the situation of DDoS attack by the botnet on to the targeted victim machine. The botmaster sends malicious codes and payloads to the legitimate host machines in the network. These malicious payloads once sent to the host machines are made to be downloaded or activated by the systems itself. Thus the host machines get affected by the bot malware and join the botnet as clients to the botmaster. Later, using these compromised systems known as zombies, botmaster would perform various attacks on other target systems. Here the botmaster is forcing the zombies to perform a distributed denial of service attack on the target system by flooding the victim’s NIC using illegal ICMP packets as in Fig 1. Meanwhile, the target victim machine will be continuously monitoring its incoming and outgoing packets. Packet capturing and sniffing tool will be run in the target machine. According to the details of the incoming packets and their count from various IPs, measures are taken appropriately. The details obtained at each steps are tabulated and stored for future reference. Then the victim machine would scan and find the OS versions, vulnerabilities, services, open ports details from the IPs that are been tabulated based on their count of packets sent. Steps are taken to compromise the systems found harmful from the table information. Here a strong and open source tool “Metasploit” is used for the whole process of tracing back the botmaster. The whole process can be defined using mainly three processes as in Fig 2. The following processes can be detailed as: i. Process1: victim machine willcontinuously monitor its own interfaces for incoming packets. When it sees more number of ICMP packets coming from any IP(s), then those IPs will be noted. Scanning and other information gathering will be done on the zombies and their environment. Vulnerabilities will be listed based on their OS version, services etc. ii. Process 2: Customized attack vectors and the payloads are designed using metasploit framework by run control files. The attack is launched on the zombies and they are compromised by gaining their access. Privilege is escalated accordingly. iii. Process 3: Sniffing tools are run remotely on the compromised zombies, other applications can also be run their accordingly. Finally, the incoming packets of the compromised machines are taken and analysed to get the source address of the attacker. There is an easy chance of getting the same source address in the interfaces of different compromised machines, which makes it confirmed to be the botmaster’s IP address. In the process of the work, there are certain assumptions made and they are as follows: i. The proposed idea of detection is to be implemented in an internal network. When it comes to external network with public IP, it has the limitation of tracing back only in systems that uses Java enabled browsers. The approach then has to be in a different fashion. The scope of the botnet problem is to find and quantify the highly covert nature of botnets which makes them harder to measure. The above mentioned processes or steps will be automated for Victim machine Bot 1 Bot 2 Process 1 Process 2 Compromised systems Botmaster Process 3 Fig 2.Structureof tracing the botmaster
Sneha Leslie Int. Journal of Engineering Research and Applications www.ijera.com ISSN : 2248-9622, Vol. 4, Issue 12( Part 5), December 2014, pp.04-08 www.ijera.com 6 | P a g e the analysing of the incoming packets to the host system and for the detection of the botmaster from them. IV. SYSTEM ARCHITECTURE The system architecture will be the overall design of the proposed work with its modules shown in Fig 3. It will be tasks done by the victim machine for the whole scenario of botmaster detection. Certain tools and applications are needed for the same. Fig3. Architecture diagram for Botmaster detection MODULE DESCRIPTION: Module 1 describes the first and the initial phase of the work, where the target machine monitors its incoming packets using packet capturing and sniffing tools like Scapy or Winpcap module, even Wireshark can be used. Thus the output pcap file will be obtained with the IPs of different hosts and their send packets, with the type of protocols. The content of the pcap file is then translated to another output file for convenient parsing and finding the details. Usually the sources sending more ICMP packets are noted for the reason that they may probe pinging of large sized packets which may lead to flooding. The flow of the module 1 can be depicted through the Fig 4 below. Module 2 describes the process after packet capturing. A threshold value will be set, for the packet capturing in the predefined program which will be linked to the metasploit framework. The output of the pcap file which is parsed is analysed for the count of packet from each IP. Accordingly, the count of incoming packet is compared with the threshold value. The case where the count either exceeds the already set value or can be approximated to that value is noted. And IPs of such hosts machines are noted with their count of packets send. The details that are obtained are tabulated and stored in the database of the framework. Common vulnerabilities and attack vectors are listed in the tabular form for future reference that has been occurred. Fig5. Setting threshold value and comparing result Module 3 reveals the information gathering phase done by the target machine on the zombies based on the IPs obtained. Nmap scan is done to know whether the host machines are alive or not, as well as to gather information on their OS versions, services, open ports etc. Thus the environments of Continuous monitoring Packet collection Obtain packet count Compare and tabulate Module 1 Module 2 Zombie detail detection Analysis of the details Module 3 Vulnerability finding Creating rc files for automation Attack and gain access Remote sniffing on zombie machine Tabulate the details and analyse the attacker Module 5 Module 4 Victim machine Bot 1 Bot 2 router mMonitorsincoming packets Pcap file parsed and checked Module 2 Fig 4.Packet capturing and monitoring Set the threshold value Compare the count of packets with threshold If count equal or can be approximated Tabulate details Vulnerabilities and attack vectors listed
Sneha Leslie Int. Journal of Engineering Research and Applications www.ijera.com ISSN : 2248-9622, Vol. 4, Issue 12( Part 5), December 2014, pp.04-08 www.ijera.com 7 | P a g e the zombie systems are studied. Vulnerability testing tools like Vulcan can be used for finding out the common weaknesses and all the details so far obtained are tabulated. The main activities of Module 4 include adding the existing payloads, exploits to the table in the database. Customized attack vectors are designed by the help of resource (.rc) files. These files are run to automate the attacks. The whole process can be automated according to the OS versions of the different zombie machines. The above mentioned files can be designed in a way where exploit, payload, target parameters, everything can be customized. They are been called from the metasploit module. Ruby language is used for framing the metasploit framework, Python is also supported. Input parameters necessary are added to the rc files for the execution on the target. These inputs can be inferred from the tables that were listed in the beginning. Thus this phase is all about keeping everything ready for attack or compromising the zombie machines. Fig 7 depicts the flow of this module. At last the time for compromising the zombies and gaining their access has. As the zombies are already compromised machines by the botmaster due to some vulnerability in them, it is sure that those loopholes do still exist in them. These ways do reveal a path for the target system to exploit and gain access. In module 5, the attack is launched against the zombies by running the rc files. On successful execution of the contents in the rc file, access to the admin privilege or the shell of the compromised system is gained. Techniques to escalate privileges can be handled in many ways. Backdoor creation will be performed. Metasploit framework is used efficiently for this module. Most of the payloads and exploits are predefined, which has been tested and given results. Sessions are maintained by forcing them to run background in metasploit. Similarly, different rc files are made to run on different zombie machines and they are compromised. The next step is to run the packet capturing and sniffing tool like Wireshark or Winpcap or Scapy module remotely in-order to find the incoming packets on the zombie machines. Thus the clear idea of host machines that are sending packets to these zombies can be drawn. Finally, the source address of the attacker can be traced by the output of this sniffing tool. Mostly, in different zombies when the packets are captured from their NIC, there are possibilities for the same source address appearing repeatedly which gives the clear guess of the botmaster’s address. It is always to be noted that the counting of zombies from the C&C commands always will lead to vague idea if the botnet size. This is because nowadays, zombies are instructed from different servers and C&C channels [9]. The rise of their presence are also increasing as in new detection technologies are discovered. Yet there are more techniques both known pattern based as well as anomaly based detection schemes [10]. Fig 9 depicts the graphical representation of the quantifying aspect of botnets and their effects. IPs obtained from the database Nmap scan, vulscan tool OS version, services,open ports details listed Fig6. Scanning and vulnerabilities testing Add known payloads,exploits and attack vectors to the table Creation of rc files for automation Choose rc files for attack Input parameters to rc files Fig7. Customizing attack vectors
Sneha Leslie Int. Journal of Engineering Research and Applications www.ijera.com ISSN : 2248-9622, Vol. 4, Issue 12( Part 5), December 2014, pp.04-08 www.ijera.com 8 | P a g e Fig9. Rise of botnets and their effects V. CONCLUSION The botnet era has changed the network and its users into fear of any attack at any time. The live detection of the botmaster using metasploit framework is an efficient method for finding the address of the source. It needs less knowledge on the working principle of the communication flows. By this method, it will be assured that no systems in the process will be put to shut-down or hanged state. Along with this proposed work, the idea of bringing ingress filtering on routers and other network devices is been looked upon for anti-spoofing mechanisms. As well as, access control list will have to be incorporated together in the design for the prevention of host systems getting hanged or crashed from the excessive traffic that arises at the network interface card. The above mentioned both processes will be considered as the future work of this project, to make it work in external networks. This brings in effective and high detection rate with low computational overhead. REFERENCES [1] Banday, M. Tariq, Jameel A. Qadri, and Nisar A. Shah. "Study of Botnets and their threats to Internet Security." (2009). [2] Feily, Maryam, AlirezaShahrestani, and SureswaranRamadass. "A survey of botnet and botnet detection." Emerging Security Information, Systems and Technologies, 2009.SECURWARE'09.Third International Conference on.IEEE, 2009. [3] Nogueira, António, Paulo Salvador, and FábioBlessa. "A botnet detection system based on neural networks." Digital Telecommunications (ICDT), 2010 Fifth International Conference on.IEEE, 2010. [4] Bos, Herbert, Maarten van Steen, and Norbert Pohlmann. "On Botnets that use DNS for Command and Control." (2011). [5] Strayer, W. Timothy, et al. "Detecting botnets with tight command and control."Local Computer Networks, Proceedings 2006 31st IEEE Conference on.IEEE, 2006. [6] Al-Ahmad, Walid, and Ayat Al-Ahmad. "Botnets Detection Using Message Sniffing." The International Conference on Digital Security and Forensics (DigitalSec2014).The Society of Digital Information and Wireless Communication, 2014. [7] Gu, Guofei, Junjie Zhang, and Wenke Lee. "BotSniffer: Detecting botnet command and control channels in network traffic." (2008). [8] Nazario, Jose. "Botnet tracking: Tools, techniques, and lessons learned." Black Hat (2007). [9] Cremonini, Marco, and Marco Riccardi. "The dorothy project: An open botnet analysis framework for automatic tracking and activity visualization." Computer Network Defense (EC2ND), 2009 European Conference on. IEEE, 2009. [10]Zeidanloo, HosseinRouhani, et al. "A taxonomy of botnet detection techniques." Computer Science and Information Technology (ICCSIT), 2010 3rd IEEE International Conference on.Vol. 2.IEEE, 2010.

Recommended

Guarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social NetworkGuarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social Network
Editor IJCATR
 
65 113-121
65 113-12165 113-121
65 113-121
idescitation
 
A Survey of Botnet Detection Techniques
A Survey of Botnet Detection TechniquesA Survey of Botnet Detection Techniques
A Survey of Botnet Detection Techniques
ijsrd.com
 
Detection of Botnets using Honeypots and P2P Botnets
Detection of Botnets using Honeypots and P2P BotnetsDetection of Botnets using Honeypots and P2P Botnets
Detection of Botnets using Honeypots and P2P Botnets
CSCJournals
 
Botnet detection by Imitation method
Botnet detection by Imitation methodBotnet detection by Imitation method
Botnet detection by Imitation method
Acad
 
A review botnet detection and suppression in clouds
A review botnet detection and suppression in cloudsA review botnet detection and suppression in clouds
A review botnet detection and suppression in clouds
Alexander Decker
 
A short visit to the bot zoo
A short visit to the bot zooA short visit to the bot zoo
A short visit to the bot zoo
UltraUploader
 
A Taxonomy of Botnet Detection Approaches
A Taxonomy of Botnet Detection ApproachesA Taxonomy of Botnet Detection Approaches
A Taxonomy of Botnet Detection Approaches
Fabrizio Farinacci
 

Recommended

Guarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social NetworkGuarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social Network
Editor IJCATR
 
65 113-121
65 113-12165 113-121
65 113-121
idescitation
 
A Survey of Botnet Detection Techniques
A Survey of Botnet Detection TechniquesA Survey of Botnet Detection Techniques
A Survey of Botnet Detection Techniques
ijsrd.com
 
Detection of Botnets using Honeypots and P2P Botnets
Detection of Botnets using Honeypots and P2P BotnetsDetection of Botnets using Honeypots and P2P Botnets
Detection of Botnets using Honeypots and P2P Botnets
CSCJournals
 
Botnet detection by Imitation method
Botnet detection by Imitation methodBotnet detection by Imitation method
Botnet detection by Imitation method
Acad
 
A review botnet detection and suppression in clouds
A review botnet detection and suppression in cloudsA review botnet detection and suppression in clouds
A review botnet detection and suppression in clouds
Alexander Decker
 
A short visit to the bot zoo
A short visit to the bot zooA short visit to the bot zoo
A short visit to the bot zoo
UltraUploader
 
A Taxonomy of Botnet Detection Approaches
A Taxonomy of Botnet Detection ApproachesA Taxonomy of Botnet Detection Approaches
A Taxonomy of Botnet Detection Approaches
Fabrizio Farinacci
 
A Dynamic Botnet Detection Model based on Behavior Analysis
A Dynamic Botnet Detection Model based on Behavior AnalysisA Dynamic Botnet Detection Model based on Behavior Analysis
A Dynamic Botnet Detection Model based on Behavior Analysis
idescitation
 
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
IRJET Journal
 
Botnet
BotnetBotnet
Botnet
Joshin Gomez
 
BOTNET
BOTNETBOTNET
BOTNET
Arjo Ghosh
 
Detecting and Confronting Flash Attacks from IoT Botnets
Detecting and Confronting Flash Attacks from IoT BotnetsDetecting and Confronting Flash Attacks from IoT Botnets
Detecting and Confronting Flash Attacks from IoT Botnets
Farjad Noor
 
Synopsis viva presentation
Synopsis viva presentationSynopsis viva presentation
Synopsis viva presentation
kirubavenkat
 
A Brief Incursion into Botnet Detection
A Brief Incursion into Botnet DetectionA Brief Incursion into Botnet Detection
A Brief Incursion into Botnet Detection
Anant Narayanan
 
Botnet
Botnet Botnet
Botnet
PriyanKa Harjai
 
Classifying IoT malware delivery patterns for attack detection
Classifying IoT malware delivery patterns for attack detectionClassifying IoT malware delivery patterns for attack detection
Classifying IoT malware delivery patterns for attack detection
Fabrizio Farinacci
 
Bot net detection by using ssl encryption
Bot net detection by using ssl encryptionBot net detection by using ssl encryption
Bot net detection by using ssl encryption
Acad
 
Botnet Architecture
Botnet ArchitectureBotnet Architecture
Botnet Architecture
Bhagath Singh Jayaprakasam
 
Study on Botnet Architecture
Study on Botnet ArchitectureStudy on Botnet Architecture
Study on Botnet Architecture
Bini Bs
 
Botnet Detection Techniques
Botnet Detection TechniquesBotnet Detection Techniques
Botnet Detection Techniques
Team Firefly
 
M0704071074
M0704071074M0704071074
M0704071074
IJERD Editor
 
Botnets presentation
Botnets presentationBotnets presentation
Botnets presentation
Mahmoud Ibra
 
BotNet Attacks
BotNet AttacksBotNet Attacks
BotNet Attacks
Rangana lakmal
 
All you know about Botnet
All you know about BotnetAll you know about Botnet
All you know about Botnet
Naveen Titare
 
Vol 6 No 1 - October 2013
Vol 6 No 1 - October 2013Vol 6 No 1 - October 2013
Vol 6 No 1 - October 2013
ijcsbi
 
Botnets
BotnetsBotnets
Botnets
Kavisha Miyan
 
Botnets
BotnetsBotnets
Botnets
Vishwadeep Badgujar
 
Survival function Of Realization process for Hemodynamic and hormonal effects...
Survival function Of Realization process for Hemodynamic and hormonal effects...Survival function Of Realization process for Hemodynamic and hormonal effects...
Survival function Of Realization process for Hemodynamic and hormonal effects...
IJERA Editor
 
Wild Animals Research Project - Gauvin
Wild Animals Research Project - GauvinWild Animals Research Project - Gauvin
Wild Animals Research Project - Gauvin
Jennifer McMahon
 

More Related Content

What's hot

A Dynamic Botnet Detection Model based on Behavior Analysis
A Dynamic Botnet Detection Model based on Behavior AnalysisA Dynamic Botnet Detection Model based on Behavior Analysis
A Dynamic Botnet Detection Model based on Behavior Analysis
idescitation
 
Classifying IoT malware delivery patterns for attack detection
Classifying IoT malware delivery patterns for attack detectionClassifying IoT malware delivery patterns for attack detection
Classifying IoT malware delivery patterns for attack detection
Fabrizio Farinacci
 
Study on Botnet Architecture
Study on Botnet ArchitectureStudy on Botnet Architecture
Study on Botnet Architecture
Bini Bs
 
Botnet Detection Techniques
Botnet Detection TechniquesBotnet Detection Techniques
Botnet Detection Techniques
Team Firefly
 
Vol 6 No 1 - October 2013
Vol 6 No 1 - October 2013Vol 6 No 1 - October 2013
Vol 6 No 1 - October 2013
ijcsbi
 

What's hot (20)

A Dynamic Botnet Detection Model based on Behavior Analysis
A Dynamic Botnet Detection Model based on Behavior AnalysisA Dynamic Botnet Detection Model based on Behavior Analysis
A Dynamic Botnet Detection Model based on Behavior Analysis
 
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
 
Botnet
BotnetBotnet
Botnet
 
BOTNET
BOTNETBOTNET
BOTNET
 
Detecting and Confronting Flash Attacks from IoT Botnets
Detecting and Confronting Flash Attacks from IoT BotnetsDetecting and Confronting Flash Attacks from IoT Botnets
Detecting and Confronting Flash Attacks from IoT Botnets
 
Synopsis viva presentation
Synopsis viva presentationSynopsis viva presentation
Synopsis viva presentation
 
A Brief Incursion into Botnet Detection
A Brief Incursion into Botnet DetectionA Brief Incursion into Botnet Detection
A Brief Incursion into Botnet Detection
 
Botnet
Botnet Botnet
Botnet
 
Classifying IoT malware delivery patterns for attack detection
Classifying IoT malware delivery patterns for attack detectionClassifying IoT malware delivery patterns for attack detection
Classifying IoT malware delivery patterns for attack detection
 
Bot net detection by using ssl encryption
Bot net detection by using ssl encryptionBot net detection by using ssl encryption
Bot net detection by using ssl encryption
 
Botnet Architecture
Botnet ArchitectureBotnet Architecture
Botnet Architecture
 
Study on Botnet Architecture
Study on Botnet ArchitectureStudy on Botnet Architecture
Study on Botnet Architecture
 
Botnet Detection Techniques
Botnet Detection TechniquesBotnet Detection Techniques
Botnet Detection Techniques
 
M0704071074
M0704071074M0704071074
M0704071074
 
Botnets presentation
Botnets presentationBotnets presentation
Botnets presentation
 
BotNet Attacks
BotNet AttacksBotNet Attacks
BotNet Attacks
 
All you know about Botnet
All you know about BotnetAll you know about Botnet
All you know about Botnet
 
Vol 6 No 1 - October 2013
Vol 6 No 1 - October 2013Vol 6 No 1 - October 2013
Vol 6 No 1 - October 2013
 
Botnets
BotnetsBotnets
Botnets
 
Botnets
BotnetsBotnets
Botnets
 

Viewers also liked

Survival function Of Realization process for Hemodynamic and hormonal effects...
Survival function Of Realization process for Hemodynamic and hormonal effects...Survival function Of Realization process for Hemodynamic and hormonal effects...
Survival function Of Realization process for Hemodynamic and hormonal effects...
IJERA Editor
 
Verilog Based Design and Simulation of MAC and PHY Layers for Zigbee Digital ...
Verilog Based Design and Simulation of MAC and PHY Layers for Zigbee Digital ...Verilog Based Design and Simulation of MAC and PHY Layers for Zigbee Digital ...
Verilog Based Design and Simulation of MAC and PHY Layers for Zigbee Digital ...
IJERA Editor
 
Optimal Duration of Submersible Pump Equipped Deep Water Borehole Project in ...
Optimal Duration of Submersible Pump Equipped Deep Water Borehole Project in ...Optimal Duration of Submersible Pump Equipped Deep Water Borehole Project in ...
Optimal Duration of Submersible Pump Equipped Deep Water Borehole Project in ...
IJERA Editor
 
A survey on RBF Neural Network for Intrusion Detection System
A survey on RBF Neural Network for Intrusion Detection SystemA survey on RBF Neural Network for Intrusion Detection System
A survey on RBF Neural Network for Intrusion Detection System
IJERA Editor
 
Vedere guardare mostrare
Vedere guardare mostrareVedere guardare mostrare
Vedere guardare mostrare
Leonarda Vanicelli Photographer
 
Effect of Nozzle Design and Processing Parameter on Characteristics of Glass/...
Effect of Nozzle Design and Processing Parameter on Characteristics of Glass/...Effect of Nozzle Design and Processing Parameter on Characteristics of Glass/...
Effect of Nozzle Design and Processing Parameter on Characteristics of Glass/...
IJERA Editor
 
S T U D Y O F G I T A D R
S T U D Y O F G I T A D RS T U D Y O F G I T A D R
S T U D Y O F G I T A D R
drsolapurkar
 
Thừa cân, béo bụng là nguyên nhân của các bệnh tim mạch, tiểu đường (1)
Thừa cân, béo bụng là nguyên nhân của các bệnh tim mạch, tiểu đường (1)Thừa cân, béo bụng là nguyên nhân của các bệnh tim mạch, tiểu đường (1)
Thừa cân, béo bụng là nguyên nhân của các bệnh tim mạch, tiểu đường (1)
anhanh3729771
 
worlwide activities
worlwide activitiesworlwide activities
worlwide activities
Ronald Leske
 

Viewers also liked (16)

Survival function Of Realization process for Hemodynamic and hormonal effects...
Survival function Of Realization process for Hemodynamic and hormonal effects...Survival function Of Realization process for Hemodynamic and hormonal effects...
Survival function Of Realization process for Hemodynamic and hormonal effects...
 
Wild Animals Research Project - Gauvin
Wild Animals Research Project - GauvinWild Animals Research Project - Gauvin
Wild Animals Research Project - Gauvin
 
Дополнительная информация в бюджете Березовского ГО Кемеровской области 2015 ...
Дополнительная информация в бюджете Березовского ГО Кемеровской области 2015 ...Дополнительная информация в бюджете Березовского ГО Кемеровской области 2015 ...
Дополнительная информация в бюджете Березовского ГО Кемеровской области 2015 ...
 
Verilog Based Design and Simulation of MAC and PHY Layers for Zigbee Digital ...
Verilog Based Design and Simulation of MAC and PHY Layers for Zigbee Digital ...Verilog Based Design and Simulation of MAC and PHY Layers for Zigbee Digital ...
Verilog Based Design and Simulation of MAC and PHY Layers for Zigbee Digital ...
 
Μυστράς Α
Μυστράς ΑΜυστράς Α
Μυστράς Α
 
Optimal Duration of Submersible Pump Equipped Deep Water Borehole Project in ...
Optimal Duration of Submersible Pump Equipped Deep Water Borehole Project in ...Optimal Duration of Submersible Pump Equipped Deep Water Borehole Project in ...
Optimal Duration of Submersible Pump Equipped Deep Water Borehole Project in ...
 
A survey on RBF Neural Network for Intrusion Detection System
A survey on RBF Neural Network for Intrusion Detection SystemA survey on RBF Neural Network for Intrusion Detection System
A survey on RBF Neural Network for Intrusion Detection System
 
From gradient decent to CDN
From gradient decent to CDNFrom gradient decent to CDN
From gradient decent to CDN
 
Problem Gambling Prevention Monthly Connect Call: January 2015 - minutes
Problem Gambling Prevention Monthly Connect Call: January 2015 - minutes Problem Gambling Prevention Monthly Connect Call: January 2015 - minutes
Problem Gambling Prevention Monthly Connect Call: January 2015 - minutes
 
Vedere guardare mostrare
Vedere guardare mostrareVedere guardare mostrare
Vedere guardare mostrare
 
Business dialogue
Business dialogueBusiness dialogue
Business dialogue
 
Effect of Nozzle Design and Processing Parameter on Characteristics of Glass/...
Effect of Nozzle Design and Processing Parameter on Characteristics of Glass/...Effect of Nozzle Design and Processing Parameter on Characteristics of Glass/...
Effect of Nozzle Design and Processing Parameter on Characteristics of Glass/...
 
IMPORTENT 3
IMPORTENT 3IMPORTENT 3
IMPORTENT 3
 
S T U D Y O F G I T A D R
S T U D Y O F G I T A D RS T U D Y O F G I T A D R
S T U D Y O F G I T A D R
 
Thừa cân, béo bụng là nguyên nhân của các bệnh tim mạch, tiểu đường (1)
Thừa cân, béo bụng là nguyên nhân của các bệnh tim mạch, tiểu đường (1)Thừa cân, béo bụng là nguyên nhân của các bệnh tim mạch, tiểu đường (1)
Thừa cân, béo bụng là nguyên nhân của các bệnh tim mạch, tiểu đường (1)
 
worlwide activities
worlwide activitiesworlwide activities
worlwide activities
 

Similar to Tracing Back The Botmaster

Genetic Algorithm based Layered Detection and Defense of HTTP Botnet
Genetic Algorithm based Layered Detection and Defense of HTTP BotnetGenetic Algorithm based Layered Detection and Defense of HTTP Botnet
Genetic Algorithm based Layered Detection and Defense of HTTP Botnet
IDES Editor
 
A Mitigation Technique For Internet Security Threat of Toolkits Attack
A Mitigation Technique For Internet Security Threat of Toolkits AttackA Mitigation Technique For Internet Security Threat of Toolkits Attack
A Mitigation Technique For Internet Security Threat of Toolkits Attack
CSCJournals
 
Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...
Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...
Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...
Editor IJCATR
 
lab3cdga.ziplab3code.c#include stdio.h#include std.docx
lab3cdga.ziplab3code.c#include stdio.h#include std.docxlab3cdga.ziplab3code.c#include stdio.h#include std.docx
lab3cdga.ziplab3code.c#include stdio.h#include std.docx
smile790243
 
Towards botnet detection through features using network traffic classification
Towards botnet detection through features using network traffic classificationTowards botnet detection through features using network traffic classification
Towards botnet detection through features using network traffic classification
IJERA Editor
 
Presentation Undergraduate Project
Presentation Undergraduate ProjectPresentation Undergraduate Project
Presentation Undergraduate Project
Cevdet Basaran
 
Lab3code.c#include stdio.h#include stdlib.h#include.docx
Lab3code.c#include stdio.h#include stdlib.h#include.docxLab3code.c#include stdio.h#include stdlib.h#include.docx
Lab3code.c#include stdio.h#include stdlib.h#include.docx
smile790243
 
Malicious Code Intrusion Detection using Machine Learning and Indicators of C...
Malicious Code Intrusion Detection using Machine Learning and Indicators of C...Malicious Code Intrusion Detection using Machine Learning and Indicators of C...
Malicious Code Intrusion Detection using Machine Learning and Indicators of C...
IJCSIS Research Publications
 

Similar to Tracing Back The Botmaster (20)

Botnets
BotnetsBotnets
Botnets
 
Genetic Algorithm based Layered Detection and Defense of HTTP Botnet
Genetic Algorithm based Layered Detection and Defense of HTTP BotnetGenetic Algorithm based Layered Detection and Defense of HTTP Botnet
Genetic Algorithm based Layered Detection and Defense of HTTP Botnet
 
A Mitigation Technique For Internet Security Threat of Toolkits Attack
A Mitigation Technique For Internet Security Threat of Toolkits AttackA Mitigation Technique For Internet Security Threat of Toolkits Attack
A Mitigation Technique For Internet Security Threat of Toolkits Attack
 
Mcs2453 aniq mc101053-assignment1
Mcs2453 aniq mc101053-assignment1Mcs2453 aniq mc101053-assignment1
Mcs2453 aniq mc101053-assignment1
 
Detecting HTTP Botnet using Artificial Immune System (AIS)
Detecting HTTP Botnet using Artificial Immune System (AIS)Detecting HTTP Botnet using Artificial Immune System (AIS)
Detecting HTTP Botnet using Artificial Immune System (AIS)
 
Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...
Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...
Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...
 
Paper-ComputerWormClassification.pdf
Paper-ComputerWormClassification.pdfPaper-ComputerWormClassification.pdf
Paper-ComputerWormClassification.pdf
 
Literature survey on peer to peer botnets
Literature survey on peer to peer botnetsLiterature survey on peer to peer botnets
Literature survey on peer to peer botnets
 
lab3cdga.ziplab3code.c#include stdio.h#include std.docx
lab3cdga.ziplab3code.c#include stdio.h#include std.docxlab3cdga.ziplab3code.c#include stdio.h#include std.docx
lab3cdga.ziplab3code.c#include stdio.h#include std.docx
 
Towards botnet detection through features using network traffic classification
Towards botnet detection through features using network traffic classificationTowards botnet detection through features using network traffic classification
Towards botnet detection through features using network traffic classification
 
IRJET- Hashxplorer-A Distributed System for Hash Matching
IRJET- Hashxplorer-A Distributed System for Hash MatchingIRJET- Hashxplorer-A Distributed System for Hash Matching
IRJET- Hashxplorer-A Distributed System for Hash Matching
 
Presentation Undergraduate Project
Presentation Undergraduate ProjectPresentation Undergraduate Project
Presentation Undergraduate Project
 
Lab3code.c#include stdio.h#include stdlib.h#include.docx
Lab3code.c#include stdio.h#include stdlib.h#include.docxLab3code.c#include stdio.h#include stdlib.h#include.docx
Lab3code.c#include stdio.h#include stdlib.h#include.docx
 
Malicious Code Intrusion Detection using Machine Learning and Indicators of C...
Malicious Code Intrusion Detection using Machine Learning and Indicators of C...Malicious Code Intrusion Detection using Machine Learning and Indicators of C...
Malicious Code Intrusion Detection using Machine Learning and Indicators of C...
 
Formative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering AttacksFormative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering Attacks
 
Botnet
BotnetBotnet
Botnet
 
Paper(edited)
Paper(edited)Paper(edited)
Paper(edited)
 
MACHINE LEARNING AND DEEP LEARNING MODEL-BASED DETECTION OF IOT BOTNET ATTACKS.
MACHINE LEARNING AND DEEP LEARNING MODEL-BASED DETECTION OF IOT BOTNET ATTACKS.MACHINE LEARNING AND DEEP LEARNING MODEL-BASED DETECTION OF IOT BOTNET ATTACKS.
MACHINE LEARNING AND DEEP LEARNING MODEL-BASED DETECTION OF IOT BOTNET ATTACKS.
 
A Literature Review On Sniffing Attacks In Computer Network
A Literature Review On Sniffing Attacks In Computer NetworkA Literature Review On Sniffing Attacks In Computer Network
A Literature Review On Sniffing Attacks In Computer Network
 
Understanding the Botnet Phenomenon
Understanding the Botnet PhenomenonUnderstanding the Botnet Phenomenon
Understanding the Botnet Phenomenon
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 

Recently uploaded (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 

Tracing Back The Botmaster

  • 1. Sneha Leslie Int. Journal of Engineering Research and Applications www.ijera.com ISSN : 2248-9622, Vol. 4, Issue 12( Part 5), December 2014, pp.04-08 www.ijera.com 4 | P a g e Tracing Back The Botmaster Sneha Leslie Information Security and Cyber Forensics, SRM University Abstract- Nowadays, cyber-attacks from botnets are increasing at a faster rate than any other malware spread. Detecting the botmaster who commands the tasks has become more difficult. Most of the detecting methods are based on the features of any communication protocol or the history of the network traffic. In this paper, a rational approach is brought for the live detection of the botmaster in the internal network. The victim machine monitors its packets and compromises the bots in the network and finds the traces to the botmaster. This approach works independent of the structure of the botnet, and will be a better option for online detection of the botmaster. Keywords- Botnet, DDOS, detection methods, network security, metasploit framework. I. INTRODUCTION Cyber-crimes are increasing day by day in various forms and with various effects. Thus Internet has become the most vulnerable area. Attacks done behind the legitimate machines have got a public name “Botnet”, where the botmaster who is the real attacker compromises set of host machines in the network called zombies and makes the zombies to perform the various malicious tasks against a victim. Thus botmaster hides his real identity. The term “bot” is derived from the word “ro-bot” which is said to be nay scripts or programs that would run repeatedly and automatically once triggered by an external or internal operation in the system[1].The first bot “Eggdrop” , was designed by Jeff Fisher in 1993,as a useful feature in IRC channels (Green and et al – 2000). Mainly bots are of two types: benevolent bots and malicious bots. Bots that are used for legitimate and automated tasks are put in benevolent group. While the ones that carry out malicious codes and spread infection and cyber- crimes are put in malicious bot group. The internal working of botnet can be either as centralized one or as a peer-to-peer one. There are varieties of attack vectors performed by these botnets which include DDoS Distributed Denial of Service attack, sending spam emails, spreading malicious codes, phishing, and identity theft and click fraud and so on. There are different detection mechanisms proposed by different specialists. Most of them do work on the principle of network flow characteristics and protocol featuresand most of the approaches share the idea of detecting patterns based on communication flow [2]. Botnet Fig1. Basic Botnet structure Due to the dynamic nature of the botnets, ways already suggested are finding new approaches each and every day. The security of digital computing infrastructure has become a crucial and essential thing. The proposed work shows the live detection of the botmaster in the internal network by using concepts of compromising the zombies, packet capturing and packet analysing. A strong framework “Metasploit” is been used for the purpose of tracing the botmaster. II. RELATED WORK Though there are many mechanisms all around, some of them have proved to be identifying the botnets well. Neural network applications are widely used in the design of botnet detection mechanism because of their high capability of finding abnormal patterns in traffic and they could handle non- linearity [3].Even websites has suggested various methods like response to CAPTCHA as prevention against bots and malicious agents. Preventing a system from falling as a victim to botnet attack requires great awareness about the confidentiality, integrity and availability of the network infrastructure. Botmaster Bot Bot Victim Compromised systems commands attacks RESEARCH ARTICLE OPEN ACCESS
  • 2. Sneha Leslie Int. Journal of Engineering Research and Applications www.ijera.com ISSN : 2248-9622, Vol. 4, Issue 12( Part 5), December 2014, pp.04-08 www.ijera.com 5 | P a g e The malicious attackers had then changed their methods of communicating to the bots in various ways. This is when DNS links came into the scene. The technique of DNS tunnelling in which the attackers send the malicious code in the resource record fields of DNS message was carried out [4]. For detecting suck abnormalities, Shannon entropy methods were proposed. Many applications have the option of grouping systems that show some behaviour of botnets though they are not, and isolating them for neutralizing the probability of any further unknown attacks [5].Where a pipelined approach is used, with incorporated filtering of white and black list. Basically chat-based botnet architecture is characterized in many areas which includes the role of IRC server, code server, and controller and so on. An efficient method was brought in by using sniffing program. Sniffer program is designed to capture and analyse the communication between botnet master and its clients. It uses the following three parameters for the processing which are the file name, interface name and the count of packets to be captured [6,7]. Nepentheses is a special kind of honeypot used for automatic malware sample collection [8]. The next generation botnet detection systems must be completely independent on command and control mechanisms. III. DETECTIONMETHODOLOGY The proposed work is established for the internal network mainly in the case of any organization, institution etc. Here we depict the situation of DDoS attack by the botnet on to the targeted victim machine. The botmaster sends malicious codes and payloads to the legitimate host machines in the network. These malicious payloads once sent to the host machines are made to be downloaded or activated by the systems itself. Thus the host machines get affected by the bot malware and join the botnet as clients to the botmaster. Later, using these compromised systems known as zombies, botmaster would perform various attacks on other target systems. Here the botmaster is forcing the zombies to perform a distributed denial of service attack on the target system by flooding the victim’s NIC using illegal ICMP packets as in Fig 1. Meanwhile, the target victim machine will be continuously monitoring its incoming and outgoing packets. Packet capturing and sniffing tool will be run in the target machine. According to the details of the incoming packets and their count from various IPs, measures are taken appropriately. The details obtained at each steps are tabulated and stored for future reference. Then the victim machine would scan and find the OS versions, vulnerabilities, services, open ports details from the IPs that are been tabulated based on their count of packets sent. Steps are taken to compromise the systems found harmful from the table information. Here a strong and open source tool “Metasploit” is used for the whole process of tracing back the botmaster. The whole process can be defined using mainly three processes as in Fig 2. The following processes can be detailed as: i. Process1: victim machine willcontinuously monitor its own interfaces for incoming packets. When it sees more number of ICMP packets coming from any IP(s), then those IPs will be noted. Scanning and other information gathering will be done on the zombies and their environment. Vulnerabilities will be listed based on their OS version, services etc. ii. Process 2: Customized attack vectors and the payloads are designed using metasploit framework by run control files. The attack is launched on the zombies and they are compromised by gaining their access. Privilege is escalated accordingly. iii. Process 3: Sniffing tools are run remotely on the compromised zombies, other applications can also be run their accordingly. Finally, the incoming packets of the compromised machines are taken and analysed to get the source address of the attacker. There is an easy chance of getting the same source address in the interfaces of different compromised machines, which makes it confirmed to be the botmaster’s IP address. In the process of the work, there are certain assumptions made and they are as follows: i. The proposed idea of detection is to be implemented in an internal network. When it comes to external network with public IP, it has the limitation of tracing back only in systems that uses Java enabled browsers. The approach then has to be in a different fashion. The scope of the botnet problem is to find and quantify the highly covert nature of botnets which makes them harder to measure. The above mentioned processes or steps will be automated for Victim machine Bot 1 Bot 2 Process 1 Process 2 Compromised systems Botmaster Process 3 Fig 2.Structureof tracing the botmaster
  • 3. Sneha Leslie Int. Journal of Engineering Research and Applications www.ijera.com ISSN : 2248-9622, Vol. 4, Issue 12( Part 5), December 2014, pp.04-08 www.ijera.com 6 | P a g e the analysing of the incoming packets to the host system and for the detection of the botmaster from them. IV. SYSTEM ARCHITECTURE The system architecture will be the overall design of the proposed work with its modules shown in Fig 3. It will be tasks done by the victim machine for the whole scenario of botmaster detection. Certain tools and applications are needed for the same. Fig3. Architecture diagram for Botmaster detection MODULE DESCRIPTION: Module 1 describes the first and the initial phase of the work, where the target machine monitors its incoming packets using packet capturing and sniffing tools like Scapy or Winpcap module, even Wireshark can be used. Thus the output pcap file will be obtained with the IPs of different hosts and their send packets, with the type of protocols. The content of the pcap file is then translated to another output file for convenient parsing and finding the details. Usually the sources sending more ICMP packets are noted for the reason that they may probe pinging of large sized packets which may lead to flooding. The flow of the module 1 can be depicted through the Fig 4 below. Module 2 describes the process after packet capturing. A threshold value will be set, for the packet capturing in the predefined program which will be linked to the metasploit framework. The output of the pcap file which is parsed is analysed for the count of packet from each IP. Accordingly, the count of incoming packet is compared with the threshold value. The case where the count either exceeds the already set value or can be approximated to that value is noted. And IPs of such hosts machines are noted with their count of packets send. The details that are obtained are tabulated and stored in the database of the framework. Common vulnerabilities and attack vectors are listed in the tabular form for future reference that has been occurred. Fig5. Setting threshold value and comparing result Module 3 reveals the information gathering phase done by the target machine on the zombies based on the IPs obtained. Nmap scan is done to know whether the host machines are alive or not, as well as to gather information on their OS versions, services, open ports etc. Thus the environments of Continuous monitoring Packet collection Obtain packet count Compare and tabulate Module 1 Module 2 Zombie detail detection Analysis of the details Module 3 Vulnerability finding Creating rc files for automation Attack and gain access Remote sniffing on zombie machine Tabulate the details and analyse the attacker Module 5 Module 4 Victim machine Bot 1 Bot 2 router mMonitorsincoming packets Pcap file parsed and checked Module 2 Fig 4.Packet capturing and monitoring Set the threshold value Compare the count of packets with threshold If count equal or can be approximated Tabulate details Vulnerabilities and attack vectors listed
  • 4. Sneha Leslie Int. Journal of Engineering Research and Applications www.ijera.com ISSN : 2248-9622, Vol. 4, Issue 12( Part 5), December 2014, pp.04-08 www.ijera.com 7 | P a g e the zombie systems are studied. Vulnerability testing tools like Vulcan can be used for finding out the common weaknesses and all the details so far obtained are tabulated. The main activities of Module 4 include adding the existing payloads, exploits to the table in the database. Customized attack vectors are designed by the help of resource (.rc) files. These files are run to automate the attacks. The whole process can be automated according to the OS versions of the different zombie machines. The above mentioned files can be designed in a way where exploit, payload, target parameters, everything can be customized. They are been called from the metasploit module. Ruby language is used for framing the metasploit framework, Python is also supported. Input parameters necessary are added to the rc files for the execution on the target. These inputs can be inferred from the tables that were listed in the beginning. Thus this phase is all about keeping everything ready for attack or compromising the zombie machines. Fig 7 depicts the flow of this module. At last the time for compromising the zombies and gaining their access has. As the zombies are already compromised machines by the botmaster due to some vulnerability in them, it is sure that those loopholes do still exist in them. These ways do reveal a path for the target system to exploit and gain access. In module 5, the attack is launched against the zombies by running the rc files. On successful execution of the contents in the rc file, access to the admin privilege or the shell of the compromised system is gained. Techniques to escalate privileges can be handled in many ways. Backdoor creation will be performed. Metasploit framework is used efficiently for this module. Most of the payloads and exploits are predefined, which has been tested and given results. Sessions are maintained by forcing them to run background in metasploit. Similarly, different rc files are made to run on different zombie machines and they are compromised. The next step is to run the packet capturing and sniffing tool like Wireshark or Winpcap or Scapy module remotely in-order to find the incoming packets on the zombie machines. Thus the clear idea of host machines that are sending packets to these zombies can be drawn. Finally, the source address of the attacker can be traced by the output of this sniffing tool. Mostly, in different zombies when the packets are captured from their NIC, there are possibilities for the same source address appearing repeatedly which gives the clear guess of the botmaster’s address. It is always to be noted that the counting of zombies from the C&C commands always will lead to vague idea if the botnet size. This is because nowadays, zombies are instructed from different servers and C&C channels [9]. The rise of their presence are also increasing as in new detection technologies are discovered. Yet there are more techniques both known pattern based as well as anomaly based detection schemes [10]. Fig 9 depicts the graphical representation of the quantifying aspect of botnets and their effects. IPs obtained from the database Nmap scan, vulscan tool OS version, services,open ports details listed Fig6. Scanning and vulnerabilities testing Add known payloads,exploits and attack vectors to the table Creation of rc files for automation Choose rc files for attack Input parameters to rc files Fig7. Customizing attack vectors
  • 5. Sneha Leslie Int. Journal of Engineering Research and Applications www.ijera.com ISSN : 2248-9622, Vol. 4, Issue 12( Part 5), December 2014, pp.04-08 www.ijera.com 8 | P a g e Fig9. Rise of botnets and their effects V. CONCLUSION The botnet era has changed the network and its users into fear of any attack at any time. The live detection of the botmaster using metasploit framework is an efficient method for finding the address of the source. It needs less knowledge on the working principle of the communication flows. By this method, it will be assured that no systems in the process will be put to shut-down or hanged state. Along with this proposed work, the idea of bringing ingress filtering on routers and other network devices is been looked upon for anti-spoofing mechanisms. As well as, access control list will have to be incorporated together in the design for the prevention of host systems getting hanged or crashed from the excessive traffic that arises at the network interface card. The above mentioned both processes will be considered as the future work of this project, to make it work in external networks. This brings in effective and high detection rate with low computational overhead. REFERENCES [1] Banday, M. Tariq, Jameel A. Qadri, and Nisar A. Shah. "Study of Botnets and their threats to Internet Security." (2009). [2] Feily, Maryam, AlirezaShahrestani, and SureswaranRamadass. "A survey of botnet and botnet detection." Emerging Security Information, Systems and Technologies, 2009.SECURWARE'09.Third International Conference on.IEEE, 2009. [3] Nogueira, António, Paulo Salvador, and FábioBlessa. "A botnet detection system based on neural networks." Digital Telecommunications (ICDT), 2010 Fifth International Conference on.IEEE, 2010. [4] Bos, Herbert, Maarten van Steen, and Norbert Pohlmann. "On Botnets that use DNS for Command and Control." (2011). [5] Strayer, W. Timothy, et al. "Detecting botnets with tight command and control."Local Computer Networks, Proceedings 2006 31st IEEE Conference on.IEEE, 2006. [6] Al-Ahmad, Walid, and Ayat Al-Ahmad. "Botnets Detection Using Message Sniffing." The International Conference on Digital Security and Forensics (DigitalSec2014).The Society of Digital Information and Wireless Communication, 2014. [7] Gu, Guofei, Junjie Zhang, and Wenke Lee. "BotSniffer: Detecting botnet command and control channels in network traffic." (2008). [8] Nazario, Jose. "Botnet tracking: Tools, techniques, and lessons learned." Black Hat (2007). [9] Cremonini, Marco, and Marco Riccardi. "The dorothy project: An open botnet analysis framework for automatic tracking and activity visualization." Computer Network Defense (EC2ND), 2009 European Conference on. IEEE, 2009. [10]Zeidanloo, HosseinRouhani, et al. "A taxonomy of botnet detection techniques." Computer Science and Information Technology (ICCSIT), 2010 3rd IEEE International Conference on.Vol. 2.IEEE, 2010.