Botnets: Implementation, Detection, Countermeasures
and Analysis of Virtual Network Attacks
Introduction
The project addresses the cyber security threat of botnets: computers
compromised by malware (turning them into bots) that gives the attacker a
remote control mechanism without the owners’ knowledge, used for illegal
purposes and financial gain. Examples include key loggers that steal online
banking details, phishing emails, bitcoin mining and disruption of Internet
services through Distributed Denial of Service (DDoS) attacks, which are also
used as a form of ransom demand (demanding money under threat of launching a
DDoS attack).
The threat can be addressed by providing adequate defences against botnets:
first by investigating existing detection strategies and countermeasures, then
by contributing ideas for a new initiative, a Wide Area Network of intrusion
prevention systems and honeynets that covers the whole network for members
who join the system for a small fee. The aim is to put these suggestions
forward to organisations that can put them into practice in the future, by
documenting improvements to policy.
Detection of Botnets
Botnet detection techniques can be grouped into several categories.
Detection is an important step that precedes any countermeasure
against botnets, unless prevention strategies are taken and
succeed. Prevention involves intrusion prevention systems; newer
and more advanced systems build on next-generation firewalls such
as the Palo Alto, designed for enterprise-level protection.
Attackers craft packets specifically to evade detection by custom
intrusion detection systems, firewalls and intrusion prevention
systems, but such packets can still be picked up by the monitoring
of a next-generation firewall using stateful packet inspection
implemented alongside an intrusion prevention system.
Other detection techniques include honeynets, botnet infiltration
and malware reverse engineering. A honeynet is a collection of
honeypots that work together as traps: network nodes that present
a fake network which looks real from the attacker’s perspective,
placed at different points on the network to maximise the chance
of capturing data from an attack.
Botnet Technical Countermeasures
Most technical countermeasures focus on the command-and-control
infrastructure of botnets, for example by filtering botnet-related
traffic, sinkholing domains with the assistance of DNS registrars,
and obtaining the shutdown of malicious servers in data centres.
Applying these techniques can raise legal complications.
Organisations and governments are collaborating on initiatives to
counteract threats and develop countermeasures against organised
cyber crime.
Various countermeasures include:
• Blacklisting
• Distribution of Fake/Traceable Credentials
• Border Gateway Protocol (BGP) Blackholing
• DNS Sinkholing
• Direct Take Down of the Command-and-Control Server
• Port 25 Blocking
• Walled Gardens
• Infiltration and Remote Disinfection
• Peer-to-Peer Countermeasures
• Packet Filtering at the Network and Application Level
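As an added example (not the project's own code and not part of the original poster), the following Python sketch shows two of the countermeasures listed above working together, blacklisting and DNS sinkholing, and how sinkhole hits in resolver logs point a defender at infected hosts. The domain names, the sinkhole address 192.0.2.1 (a TEST-NET address assumed to belong to a logging sinkhole) and the log lines are all constructed for illustration.

```python
"""Blacklist-driven DNS sinkholing and sinkhole-hit analysis.

Added example for the countermeasures section; not the project's own artefact.
All domains, addresses and log lines below are constructed.
"""
from collections import defaultdict

# Constructed blacklist of command-and-control domains (hypothetical names).
BLACKLIST = {"c2.example-bad.test", "update.evil-bot.test"}

# Assumed sinkhole address: a host the defender controls that logs every
# connection attempt instead of serving the botnet's C2 traffic.
SINKHOLE_IP = "192.0.2.1"


def is_blacklisted(qname: str, blacklist=BLACKLIST) -> bool:
    """True if the query name, or any parent domain of it, is blacklisted.

    Matching parent domains catches bots that prepend random labels
    (e.g. beacon.update.evil-bot.test) to a blacklisted C2 domain.
    """
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels)))


def resolve(qname: str, upstream, blacklist=BLACKLIST, sinkhole_ip=SINKHOLE_IP) -> str:
    """Sinkhole policy: answer blacklisted names with the sinkhole address,
    otherwise forward the query to the upstream resolver (a callable)."""
    if is_blacklisted(qname, blacklist):
        return sinkhole_ip
    return upstream(qname)


# Constructed resolver log: "<timestamp> <client_ip> <qname> <answer_ip>".
SAMPLE_LOG = """\
2015-01-10T10:00:01 10.0.0.5 www.example.test 198.51.100.10
2015-01-10T10:00:03 10.0.0.7 c2.example-bad.test 192.0.2.1
2015-01-10T10:00:09 10.0.0.7 c2.example-bad.test 192.0.2.1
2015-01-10T10:00:15 10.0.0.9 mail.example.test 198.51.100.25
2015-01-10T10:00:22 10.0.0.12 beacon.update.evil-bot.test 192.0.2.1
"""


def parse_log(text: str):
    """Yield one record per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, answer = parts
        yield {"ts": ts, "client": client, "qname": qname, "answer": answer}


def suspected_bots(text: str, sinkhole_ip=SINKHOLE_IP) -> dict:
    """Map each client that was sinkholed (or asked for a blacklisted name)
    to the sorted list of domains it queried. These are the hosts to isolate
    and disinfect; the sinkhole answer stops the C2 traffic itself."""
    hits = defaultdict(set)
    for rec in parse_log(text):
        if rec["answer"] == sinkhole_ip or is_blacklisted(rec["qname"]):
            hits[rec["client"]].add(rec["qname"])
    return {client: sorted(domains) for client, domains in sorted(hits.items())}


if __name__ == "__main__":
    fake_upstream = lambda name: "198.51.100.10"  # stand-in for a real resolver
    for name in ("www.example.test", "c2.example-bad.test"):
        print(f"{name} -> {resolve(name, fake_upstream)}")
    for client, domains in suspected_bots(SAMPLE_LOG).items():
        print(f"suspected bot {client}: {', '.join(domains)}")
```

The resolver side is the sinkhole countermeasure; the log side is the detection that the countermeasure enables: once blacklisted names resolve to an address the defender controls, every client that still reaches for it has identified itself as infected, without any need to inspect the bot's encrypted traffic.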
Results: Botnet Implementation
An artefact was developed: the Solar botnet was created and
implemented, and its attacks were launched on a virtual network
created specifically for this purpose. An email server
(SquirrelMail) and its supporting DNS server were configured in
Linux; emails sent to the user email accounts carried the bot
executable as an attachment and were used to infect the machines,
adding them to the botnet as bots. The login data captured in the
botnet’s logs revealed passwords, comparable to harvesting online
banking credentials.
Figure 2: Solar Botnet Logs Email Login Data Capture
Information View
Student Name: Cevdet Basaran
Student No: 1203167
Supervisor Name: Dr Haider M. al-Khateeb
Course: BSc (Hons) Computer Security and Forensics
Problem Statement
There is a tremendous amount of financial damage due to botnets [1]. The
problem can be addressed by taking down as many botnets as possible. (Refer
to the thesis for more references).
Aim
To eliminate botnet threats and malware. To create and implement a botnet
attack in order to develop defensive strategies, and to replicate the
psychology of a bot master (attacker) so as to understand the mind-set of
cyber criminals and outsmart them.
Objectives
• To create and implement a botnet.
• To investigate techniques to detect botnets.
• To apply countermeasures to eliminate or mitigate botnet attacks.
• To investigate quantum botnet research.
Methodology
• Qualitative analysis in the survey of botnets describing
existing botnets, their properties and operation.
• Quantitative analysis on the artefact development, i.e.
number of bots, data capture analysis and statistics.
Figure 1: Typical Botnet Architecture Network Diagram [2]
(Microsoft Symantec Corporation; Dell Secure Works, 2013)
References
[1] Computer Economics (2014) Annual Worldwide Economic Damages from Malware Exceed $13 Billion.
Available at: http://www.computereconomics.com/article.cfm?id=1225 (Accessed: 17 October 2014).
[2] Microsoft Symantec Corporation; Dell SecureWorks (2013) Diagram showing the typical structure of a
Botnet computer network. Available at: https://uk.images.search.yahoo.com/images/view (Accessed: 23
December 2014).