A virus is a self-replicating program that infects a host, often appending itself to other executables. It needs a user action that runs (often unintentionally) the infected executable file to start inflicting any kind of damage on the system (from unwanted behaviours like opened windows or popups or the scrambling of the desktop icons to the complete freeze of the system).
A worm, just like a virus, is a damaging self-replicating piece of software, but unlike viruses it spreads its copies by exploiting system vulnerabilities and therefore doesn't necessarily need human interaction.
A trojan is just like the above malware, but it typically hides a so-called "backdoor": a server running in the background, waiting for a connection and giving the attacker some level of remote control over the infected
"Bot" is a term used to refer to both the program and the machine running it (often referred to as a "zombie"). Notice that botnets have all the characteristics of the previous malware types: damage, self-spreading and remote control, but they also have the ability to organize many bots into a network.
“Never send a human to do a machine's job.”
steal personal data
abuse the victim’s CPU
abuse the network bandwidth
espionage, intelligence and
Personal data stealing
Some botnets are designed to scan a computer's files and monitor user interaction (generally using keyloggers) and browser activity to steal passwords, email contacts, checking account details, etc.
e.g. Zeus, Waledac, Skynet
Some botnets (e.g. ZeroAccess and Skynet) use the victim's CPU to perform bitcoin mining or brute-force hash reversing and password attacks.
e.g. ZeroAccess, Skynet
Network bandwidth abusing
Many botnets use the victim's network bandwidth to perform DDoS attacks.
A Denial of Service (DoS) is an offensive action which prevents a single server or an entire network from supplying a service. When the coordination of many hosts (like a botnet) is used to attack some service, host or network we talk about DDoS (distributed DoS).
e.g. Waledac, Skynet, Storm, Mariposa and many others.
By controlling or implementing browser functionality, a bot can automatically browse and click links, scamming pay-per-click companies.
e.g. ZeroAccess, Chameleon
Botnets are widely used for spamming purposes. A 2004 survey estimated that lost productivity costs Internet users in the United States $21.58 billion annually, while another reported the cost at $17 billion, up from $11 billion in 2003. [wikipedia]
e.g. Waledac, MegaD, Kraken, Lethic and many others.
Spam is also a medium for fraudsters to scam users into entering personal information on fake websites, using emails forged to look like they are from banks or other organizations, such as PayPal. This is known as phishing. Targeted phishing, where known information about the recipient is used to create forged emails, is known as spear-phishing. [wikipedia]
This phase starts when the attacker scans a system looking for some vulnerability to exploit. Many software tools (e.g. Metasploit) and techniques (e.g. social engineering) can be used to conduct this preliminary attack phase, which ends when the malicious software (sometimes referred to as payload or shellcode) is successfully injected into the target machine.
The second phase starts with the code execution, when the malware is loaded into the computer memory and processed, i.e. when it actually runs on the target machine, turning the target machine into a
In this phase the malware establishes a connection with the C&C and/or the rest of the network (depending on the network topology), which could include many other kinds of servers. In this phase the bot becomes ready to serve the bot herder's commands, which are acquired in the next phase.
C&C instruction phase
In this phase the bot herder remotely instructs the bot to perform some task, e.g. perform a DDoS attack against some target host, collect personal data, etc.
Update & Maintenance
Many bots can update themselves automatically or programmatically. In the case of spamming botnets, they could periodically update their mail templates.
any medium, hardware or software used to subvert the normal
execution of a computer system
These attacks attempt to saturate the bandwidth of the targeted system (it could be a single host or an entire network service) and could be achieved by generating an enormous amount of traffic in the network. Examples of volumetric attacks include ICMP, Fragment and UDP floods.
TCP State-Exhaustion Attacks
These attempt to consume the connection state tables which are present in many devices such as load balancers, firewalls and the application
A SYN-flood attack is one of such techniques and could lead to the unusability of a
Application Layer Attacks
These target some aspect of an application or service at Layer 7. By generating a relatively high volume of requests (HTTP GET/POST floods etc.), servers could be crammed with complex tasks and job queues.
All bots are connected to a central server.
Bots are connected to a backbone of intermediate servers that receive instructions from one or more C&C servers.
There's not a single C&C; every computer in the network communicates with a set of neighbors.
IP fast Flux
IP Flux is the periodic change of the IP address associated with a particular fully qualified domain name.
Domain flux is effectively the inverse of IP flux: instead of changing the IP, we change the name.
High-frequency fluxing is named Fast-Flux.
IP Flux (two flavors)
Single-flux is the simplest form: we have multiple (hundreds or even thousands) IP addresses associated with a domain name. These IP addresses are registered and de-registered rapidly on a particular DNS server using round-robin algorithms and very short Time-to-Live (TTL) values.
Double-flux is the evolution of Single-flux which not only fluxes the IP addresses associated with the fully-qualified domain name, but also fluxes the IP addresses of the DNS servers used to look up the IP addresses of the FQDN.
Domain Wildcarding abuses the DNS functionality to wildcard a higher domain such that all FQDNs point to the same IP address.
e.g. *.domain.com could encompass both mypc.foo.domain.com and myserver.domain.com
In Domain Generation Algorithms (DGA), a periodically changed list of FQDNs is created; these names are then polled by the bot agent looking for the C&C infrastructure. Since the created domain names are dynamically generated in volume and typically have a short life of a single day, the turnover makes it very difficult to investigate or block every possible domain.
Blind proxy redirection
With this technique some hosts of the botnet act like a proxy, interrupting the tracing attempts to discover and shut down the flux service network (DNS registrar, C&C etc.). Relay nodes basically act as an intermediary between the slave nodes and the master command-and-control servers, as well as for each other.
*from a bot herder's perspective; from a law enforcer's perspective it's exactly the opposite
Every time an antivirus is updated it downloads the digital signatures of known malware; then, by comparing the signatures of the executables on the machine with the ones stored in the database, it can detect and remove the threatening software.
As a countermeasure, malware programmers usually repack and encrypt the binaries of their software before distributing it. Some of them also continuously download new code to execute, changing their signature and hence remaining hidden from the antivirus software, which cannot know a priori all possible signatures of an encrypted executable.
Part II: Case study
Botnets: real examples
There is a database of known threats. Files or connections are scanned to search for matching
Pro: zero false positives
Con: unable to detect
The system first learns from an initial condition (usually safe) and, in a second phase, checks whether the system behaves according to that condition. If the observed system diverges from the "normal" condition it will be notified.
Pro: could detect zero-days
Con: could give false positives
Statistics, rules and thresholds are used to define some anomaly condition. If system conditions alert will be
Pro: could detect zero-days
Con: doesn't scale very well
Anomaly based detectors
“something that is abnormal is probably suspicious”
Self-learning systems learn by example what constitutes normal for the installation, typically by observing traffic for an extended period of time and building some model of the underlying process (stochastic models, machine learning, hidden Markov models, neural networks, hybrid models).
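As an added illustration (not from the original slides), the following Python snippet shows the two-phase idea above: learn a per-host baseline of outbound connections per minute from an assumed-clean training window, then flag observations that diverge from it by more than a z-score threshold. Hosts, counts and thresholds are constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed per-minute outbound connection counts, (host, minute, connections).
# TRAINING is the "initial condition" the detector learns from (assumed clean);
# OBSERVED is the later window it checks against that baseline.
TRAINING = [
    ("10.0.0.5", 1, 4), ("10.0.0.5", 2, 5), ("10.0.0.5", 3, 6),
    ("10.0.0.5", 4, 5), ("10.0.0.5", 5, 4), ("10.0.0.5", 6, 6),
    ("10.0.0.8", 1, 20), ("10.0.0.8", 2, 22), ("10.0.0.8", 3, 18),
    ("10.0.0.8", 4, 21), ("10.0.0.8", 5, 19), ("10.0.0.8", 6, 20),
]
OBSERVED = [
    ("10.0.0.5", 7, 6),      # normal
    ("10.0.0.5", 8, 180),    # sudden burst, e.g. a host turned spam bot
    ("10.0.0.8", 7, 23),     # within normal variation
    ("10.0.0.8", 8, 26),     # above the learned threshold
    ("10.0.0.12", 7, 3),     # host never seen during training
]

def learn_baseline(records):
    """Phase 1: per-host mean and population std. dev. of the connection rate."""
    per_host = defaultdict(list)
    for host, _minute, count in records:
        per_host[host].append(count)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in per_host.items()}

def detect(baseline, records, z_threshold=3.0, min_sigma=1.0):
    """Phase 2: report (host, minute, reason) for observations diverging from the model."""
    alerts = []
    for host, minute, count in records:
        if host not in baseline:
            # No model for this host: not necessarily malicious, but worth review.
            alerts.append((host, minute, "no baseline"))
            continue
        mean, sigma = baseline[host]
        # Floor sigma so a very stable baseline does not turn tiny changes into alerts
        # (this is the false-positive trade-off mentioned in the slides).
        z = (count - mean) / max(sigma, min_sigma)
        if z > z_threshold:
            alerts.append((host, minute, f"z={z:.1f}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(learn_baseline(TRAINING), OBSERVED):
        print(alert)
```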
Honeypot refers to a decoy system intended to entice attackers into attacking it, with the aim of protecting the critical targets. Honeypots are computer systems which don't have any production value. According to this concept, such a resource expects no data, so any traffic to or from it is most likely suspicious activity and must be investigated.
DNS-based detection techniques are based on particular DNS information generated by a botnet. DNS-based detection techniques are similar to anomaly detection techniques, as similar anomaly detection algorithms are applied to DNS traffic.
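As an added example (not from the original slides), the following Python snippet applies the DNS-based idea above to constructed resolver log lines, combining the fast-flux and DGA indicators described earlier: a name answered with many distinct IPs at a very low TTL is flagged as fast-flux, and a client producing a run of NXDOMAIN responses for high-entropy names is flagged as a DGA suspect. The log format, thresholds and addresses are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (not a real capture). One response per line:
# timestamp client qname rcode ttl answers ("-" when there is no answer)
DNS_LOG = """\
1 10.0.0.5 www.example.com NOERROR 3600 93.184.216.34
2 10.0.0.7 cdn-update.example.net NOERROR 60 203.0.113.10,203.0.113.11
3 10.0.0.7 cdn-update.example.net NOERROR 60 203.0.113.12,203.0.113.13
4 10.0.0.7 cdn-update.example.net NOERROR 60 203.0.113.14,203.0.113.15
5 10.0.0.9 xkq7v2mz9a.com NXDOMAIN 0 -
6 10.0.0.9 p0w3rt5yq1.net NXDOMAIN 0 -
7 10.0.0.9 zz4h8n1kq0.org NXDOMAIN 0 -
8 10.0.0.9 mail.example.com NOERROR 3600 93.184.216.35
"""

def entropy(qname):
    """Shannon entropy (bits/char) of the second-level label, e.g. 'xkq7v2mz9a'."""
    label = qname.split(".")[-2]
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def analyze(log, flux_ips=5, flux_ttl=300, dga_min_nx=3, dga_entropy=3.0):
    """Return (fast-flux names, DGA-suspect clients) found in the log text."""
    ips, min_ttl = defaultdict(set), {}
    nxdomains = defaultdict(list)
    for line in log.splitlines():
        _ts, client, qname, rcode, ttl, answers = line.split()
        if rcode == "NXDOMAIN":
            nxdomains[client].append(qname)
            continue
        ips[qname].update(answers.split(","))
        min_ttl[qname] = min(min_ttl.get(qname, int(ttl)), int(ttl))
    # Single-flux signature: many distinct IPs behind one FQDN with a very short TTL.
    # Legitimate CDNs look similar, so treat this as a triage signal, not a verdict.
    fast_flux = sorted(q for q in ips if len(ips[q]) >= flux_ips and min_ttl[q] <= flux_ttl)
    # DGA signature: a client polling several non-existent, random-looking names.
    dga_clients = sorted(
        c for c, names in nxdomains.items()
        if len(names) >= dga_min_nx
        and sum(entropy(n) for n in names) / len(names) >= dga_entropy)
    return fast_flux, dga_clients

if __name__ == "__main__":
    print(analyze(DNS_LOG))
```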
[Figure: a proposed taxonomy; some detectors, grouped by features]
Cisco® Cyber Threat Defense Solution 1.0
ETPro™ Ruleset (works with Snort)
Strategies for mitigation are offensive, technical means that slow botnets down, for instance by consuming resources. Examples can be temporary DoS attempts against C&C servers, trapping and holding connections from infected machines, or blocking of malicious domains.
Possible manipulations can be the alteration or removal of DDoS or spam commands, as well as of commands to download and execute programs, which allows a remote cleanup of infected machines. Less invasive options include dropping collected personal data, like credit card or banking details, replacing them with fake information, or issuing commands to make bots stop the collection.
is a special strategy that makes use of bugs found in bots. Like bugs in other products, these can be used to perform actions on the infected machines. Even though this category is the most powerful, it is the one with the highest risk involved, because exploits can easily crash and damage systems if not designed
Axelsson, Stefan. Intrusion detection systems: A survey and taxonomy. Vol. 99. Technical report, 2000.
Raghava, N. S., Divya Sahgal, and Seema Chandna. "Classification of Botnet Detection Based on Botnet Architecture." Communication Systems and Network Technologies (CSNT), 2012 International Conference on. IEEE, 2012.
Feily, Maryam, Alireza Shahrestani, and Sureswaran Ramadass. "A survey of botnet and botnet detection." Emerging Security Information, Systems and Technologies, 2009. SECURWARE'09. Third International Conference on. IEEE, 2009.
Leder, Felix, Tillmann Werner, and Peter Martini. "Proactive botnet countermeasures: an offensive approach." The Virtual Battlefield: Perspectives on Cyber Warfare 3 (2009).
Hu, Xin, Matthew Knysz, and Kang G. Shin. "RB-Seeker: Auto-detection of Redirection Botnets." NDSS. 2009.
Schiller, Craig, and James R. Binkley. Botnets: The killer web applications. Syngress, 2011.