BOTNET Study in Internet Crime and Their Threats Presented by: Farheen K. Siddiqui, Richa Srivastava and Shobhini Job M.Tech, CSE Lakshmi Narain College Of Technology ( LNCT ), Bhopal.
What are Botnets?
How do they work?
Threats caused by Botnets
Detection and Prevention Methods
Analysis of Botnets
BOT + NET = BOTNET
“ A botnet is a collection of computers, connected to the internet, that interact to accomplish some distributed task.”
- Typically refers to botnets used for illegal purposes.
Controlled by one person or a group of people (a.k.a. the botmaster)
- Under a command and control structure (C&C)
Botmaster infects the victim with a bot (worm, social engineering, etc.)
Bot connects to C&C server. This could be done using HTTP, IRC or any other protocol.
Botmaster sends commands to the bot through the C&C server.
Repeat. Soon the botmaster has an army of bots to control from a single point.
Distributed Denial of Service (DDoS)
DDoS has been available in bots since the beginning
Used for extortion
- Take down systems until they pay – threats work too!
Many bots are able to send out spam or phishing attempts
Spam is unsolicited bulk email sent in mass quantity
Gives the spammer/phisher a way to send out thousands of emails and easily beat spam defenses
Phishing is luring a user into revealing personal details
Ad-ware vendors pay by the number of “installs” a person delivers
Many bots download and install ad-ware when they are loaded
- Often multiple versions of ad-ware
Generates income from ad-ware revenues
Online advertisers pay by the number of unique “clicks” on their ads
Thousands of bots can generate thousands of “clicks”
Botmaster “rents” out the clicks and gets a piece of the revenue
Clickbot.A botnet found with more than 34,000 machines in it
- Other malware to increase the odds of keeping that machine
Spyware - Identity Theft
- Sniff passwords, keystroke logging
- Grab credit card, bank account information
Rent out the botnet!
- Pay as little as $100 an hour to DoS your favorite
IDSes (Intrusion Detection Systems)
IPSes (Intrusion Prevention Systems)
- botnet control mechanisms
- host control mechanisms
- exploits and attack mechanisms
- malware delivery mechanisms
- obfuscation methods and deception mechanisms
The predominant remote control mechanism for botnets remains Internet Relay Chat (IRC) and in general includes a rich set of commands enabling a wide range of use.
Monitoring of botnet activity on IRC channels and disruption of specific channels on IRC servers should continue to be an effective defensive strategy for the time being.
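The two defensive observations above (DDoS traffic from many bots against one victim, and IRC-based C&C where many infected hosts check in with one server) can both be detected from connection logs. The following is an added example, not code from the original slides or from the study they summarize; the flow log, the IP addresses, the port list and the thresholds are all constructed for illustration and would need tuning on real traffic. It flags external hosts on IRC ports that several internal clients contact at near-constant intervals (beaconing, the fingerprint of a C&C check-in), and separately flags destinations that receive many flows from many distinct sources inside a short window (the fan-in pattern of a DDoS).

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log (hypothetical data, not from the original slides).
# Format per line: <epoch seconds> <src ip> <dst ip> <dst port>
FLOW_LOG = """\
1000 10.0.0.5 203.0.113.9 6667
1060 10.0.0.5 203.0.113.9 6667
1120 10.0.0.5 203.0.113.9 6667
1180 10.0.0.5 203.0.113.9 6667
1001 10.0.0.7 203.0.113.9 6667
1061 10.0.0.7 203.0.113.9 6667
1121 10.0.0.7 203.0.113.9 6667
1181 10.0.0.7 203.0.113.9 6667
1002 10.0.0.9 203.0.113.9 6667
1062 10.0.0.9 203.0.113.9 6667
1122 10.0.0.9 203.0.113.9 6667
1182 10.0.0.9 203.0.113.9 6667
1005 10.0.0.12 198.51.100.4 443
1500 10.0.0.12 198.51.100.4 443
1900 10.0.0.12 198.51.100.4 443
1200 10.0.0.5 192.0.2.50 80
1200 10.0.0.7 192.0.2.50 80
1200 10.0.0.9 192.0.2.50 80
1201 10.0.0.5 192.0.2.50 80
1201 10.0.0.7 192.0.2.50 80
1201 10.0.0.9 192.0.2.50 80
"""

# Assumed IRC ports; a real deployment would use the organisation's own list.
IRC_PORTS = {6667, 6697}


def parse_flows(text):
    """Parse the whitespace-separated flow log into sorted (ts, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        flows.append((int(ts), src, dst, int(port)))
    return sorted(flows)


def beacon_candidates(flows, min_connections=4, max_cv=0.1):
    """(src, dst, port) triples whose inter-connection gaps are near-constant.

    A coefficient of variation (stdev / mean) at or below max_cv means the host
    reconnects on a timer rather than in response to a user.
    """
    by_key = defaultdict(list)
    for ts, src, dst, port in flows:
        by_key[(src, dst, port)].append(ts)
    found = []
    for key, times in by_key.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found.append(key)
    return sorted(found)


def irc_cc_candidates(flows, min_clients=3):
    """External (dst, port) pairs on IRC ports that several internal hosts beacon to."""
    clients = defaultdict(set)
    for src, dst, port in beacon_candidates(flows):
        if port in IRC_PORTS:
            clients[(dst, port)].add(src)
    return {k: sorted(v) for k, v in clients.items() if len(v) >= min_clients}


def ddos_candidates(flows, window=10, min_sources=3, min_flows=6):
    """(dst, port) pairs hit by many flows from many distinct sources within `window` seconds."""
    by_dst = defaultdict(list)
    for ts, src, dst, port in flows:
        by_dst[(dst, port)].append((ts, src))
    found = {}
    for key, events in by_dst.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Sources seen in the window starting at this event.
            in_window = [s for t, s in events[i:] if t - t0 <= window]
            if len(in_window) >= min_flows and len(set(in_window)) >= min_sources:
                found[key] = sorted(set(in_window))
                break
    return found


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("IRC C&C candidates:", irc_cc_candidates(flows))
    print("DDoS targets:", ddos_candidates(flows))
```

On the constructed log the three internal hosts beaconing every 60 seconds to 203.0.113.9:6667 are reported as an IRC C&C candidate, the same three hosts flooding 192.0.2.50:80 within two seconds are reported as a DDoS target, and the irregular HTTPS connections from 10.0.0.12 are left alone. The beacon check is deliberately independent of the IRC port list, so the same function can be pointed at HTTP or any other protocol the C&C happens to use.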
The host control mechanisms used for harvesting sensitive information from host systems are ingenious and enable data from passwords to mailing lists to credit card numbers to be gathered.
This is one of the most serious results of our study and suggests design objectives for future operating systems and applications that deal with sensitive data.
There are at present only a limited set of propagation mechanisms available in botnets, with Agobot showing the widest variety. Simple horizontal and vertical scanning are the most common mechanisms.
The specific propagation methods used in these botnets can form the basis for modeling and simulating botnet propagation in research studies.
Exploits refer to the specific methods for attacking known vulnerabilities on target systems.
The set of exploits packaged with botnets suggests basic requirements for host-based anti-virus systems and network intrusion detection and prevention signature sets.
Shell encoding and packing mechanisms that can enable attacks to circumvent defensive systems are common.
A significant focus on methods for detecting polymorphic attacks may not be warranted at this time, but encodings will continue to present a challenge for defensive systems.
All botnets include a variety of sophisticated mechanisms for avoiding detection (e.g., by anti-virus software) once installed on a host system.
Development of methods for detecting and disinfecting compromised systems will need to keep pace.
Deception refers to the mechanisms used to evade detection once a bot is installed on a target host. These mechanisms are also referred to as rootkits.
As these mechanisms improve, it is likely to become increasingly difficult to know that a system has been compromised, thereby complicating the task for host-based anti-virus and rootkit detection systems.
The objective is to expand the knowledge base for security research.
Some of the most important findings:
- the diverse mechanisms for sensitive information gathering on compromised hosts,
- the effective mechanisms for remaining invisible once installed on a local host, and
- the relatively simple command and control systems currently in use, which are moving towards peer-to-peer infrastructure in the near future.