Botnets are among the most dangerous and fastest-emerging threats on the internet today. A botnet starts from a single bot and grows into a zombie army in a short time. Botnets are a threat to client computers, organizations, domains and websites; they are even a threat to technologically advanced countries. In this paper we show how a botnet works, how it is controlled and how it attacks. We define the botnet as a system and recommend a systemic-holistic approach to defending against it.
Introduction to the botnet system
Bot is short for robot; a bot is a piece of software developed for automated and controlled tasks and attacks, so it can repeatedly perform a specific function. Bot programs can perform useful tasks, such as regularly updating weather and traffic conditions on local news websites or scanning the internet to update comparison shopping websites. They can also perform destructive tasks, such as scanning the internet for unsecured computers in order to identify them and sometimes install computer viruses or other destructive programs. These compromised or zombie computers can then be used to repeatedly attack a domain or IP address on behalf of the bot originator, or bot herder.
A collection of bots is a robot network, or botnet. A botnet is typically remotely controlled by the bot herder or bot master using a command and control (C&C) server. A command and control server is an internet-connected computer to which the bot herder issues instructions, and which in turn sends those instructions to the bots under the herder's control. A botnet generally comprises thousands, sometimes hundreds of thousands, of computers.
IRC (Internet Relay Chat) is a form of real-time internet text messaging (chat) or synchronous conferencing. It is mainly designed for group communication in discussion forums, called channels, but also allows one-to-one communication via private messages as well as chat and data transfers via Direct Client-to-Client (DCC). Attackers usually use an IRC channel for sending commands to bots. They set up their own IRC servers privately and through them open channels to communicate securely with their bots. An IRC network has hundreds of commands for managing the users (bots) in it.
The basic means of communication in an established IRC session is a channel. A channel in IRC is like a Yahoo chat room: it shows all users in it, and every message typed in the channel is displayed to all users in the channel. The channels on a server can be displayed using the IRC command LIST, which lists all currently available channels. Bots join a channel using the JOIN command written into their code, which in most clients is available as /join #channelname.
Botnet Control Mechanisms
Botnet control refers to the command language and control protocols used to operate botnets remotely after target systems have been compromised. The command and control mechanisms of the bots that we evaluated are all based on IRC, so an understanding of that system (see IETF RFC 1459, which defines IRC) helps to make sense of the botnet commands detailed in this section. In general, a broad range of commands is available. These include directing botnets to deny service, send spam, run phishing campaigns, forward sensitive information about hosts, and look for new systems to add to the botnet. The most important reason for understanding the details of the communication mechanisms is that disrupting them can render a botnet useless. For example, by sniffing for specific commands in IRC traffic, network operators can identify compromised systems, and IRC server operators can shut down channels used by botnets (this is commonly done today). To avoid this, as mentioned before, attackers set up their own IRC network; this is done very simply by installing IRC server software on a victim machine or on the attacker's machine.
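As an added example (not code from the paper), the following Python sketch shows the network-operator side of the sniffing idea described above: it parses raw IRC protocol lines in the RFC 1459 format and flags internal hosts whose sessions show C&C traits (a machine-generated nickname, a channel message shaped like a bot command, or many internal hosts sitting in the same channel). The sample session, the nickname pattern, the command keyword list and the fan-in threshold are constructed assumptions for illustration, not signatures from any real botnet.

```python
import re
from collections import defaultdict

# Constructed sample of IRC lines as a network sensor would record them:
# (internal host, direction, raw IRC line). "out" = sent by the host, "in" = received.
SAMPLE_SESSION = [
    ("10.0.0.12", "out", "NICK [XP]-4471"),
    ("10.0.0.12", "out", "JOIN #upd8"),
    ("10.0.0.12", "in",  ":herder!h@192.0.2.40 PRIVMSG #upd8 :.ddos.syn 203.0.113.5 80"),
    ("10.0.0.13", "out", "NICK [XP]-8821"),
    ("10.0.0.13", "out", "JOIN #upd8"),
    ("10.0.0.13", "in",  ":herder!h@192.0.2.40 PRIVMSG #upd8 :.scan.start"),
    ("10.0.0.50", "out", "NICK alice"),
    ("10.0.0.50", "out", "JOIN #linux"),
    ("10.0.0.50", "in",  ":bob!b@203.0.113.9 PRIVMSG #linux :anyone tried the new kernel?"),
]

# Assumed heuristics: nicknames built from an OS tag plus a number, and
# keywords typical of bot command vocabularies. Tune both to the environment.
BOT_NICK = re.compile(r"^\[?[A-Za-z]{2,4}\]?[-|_]\d{3,}$")
COMMAND_WORDS = {"ddos", "syn", "udp", "scan", "download", "update", "login"}


def parse_irc(line):
    """Split an RFC 1459 message into (prefix, command, params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, _, trailing = line.partition(" :")
    parts = head.split()
    command = parts[0].upper() if parts else ""
    return prefix, command, parts[1:], (trailing or None)


def looks_like_bot_command(text):
    """True if a channel message has the shape '<.|!><keyword>...'."""
    if len(text) < 2 or text[0] not in ".!":
        return False
    first = re.split(r"[\s.]+", text[1:].lower())[0]
    return first in COMMAND_WORDS


def analyze_session(events, fanin_threshold=2):
    """Return {internal_host: [reasons]} for hosts whose IRC traffic looks like C&C."""
    reasons = defaultdict(set)
    channel_members = defaultdict(set)
    for host, direction, raw in events:
        _, command, params, trailing = parse_irc(raw)
        if command == "NICK" and direction == "out" and params and BOT_NICK.match(params[0]):
            reasons[host].add("machine-generated nick")
        elif command == "JOIN" and direction == "out" and params:
            channel_members[params[0].lower()].add(host)
        elif command == "PRIVMSG" and direction == "in" and trailing and looks_like_bot_command(trailing):
            reasons[host].add(f"bot command received: {trailing.split()[0]}")
    # Many internal hosts idling in the same channel is itself a strong signal.
    for channel, members in channel_members.items():
        if len(members) >= fanin_threshold:
            for host in members:
                reasons[host].add(f"{len(members)} internal hosts in {channel}")
    return {host: sorted(r) for host, r in reasons.items()}


if __name__ == "__main__":
    for host, why in analyze_session(SAMPLE_SESSION).items():
        print(host, "->", "; ".join(why))
```

In a real deployment the events would come from a sensor that reassembles TCP streams on the IRC ports (and on any port where IRC-looking text appears, since herders relocate their servers), and hits would be handed to the LAN administrator for containment rather than acted on automatically.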
The use of botnets has grown from simple flooding attacks to mixed, complex and propagating attacks used for different malicious intents. Although they are mostly used for shutting down servers (DDoS attacks) and identity theft, they can be utilized for much more. The categorization according to Paul Bächer et al. is as follows:
Distributed Denial-of-Service (DDoS)
A Distributed Denial-of-Service attack is launched from multiple hosts; attackers can consume the available bandwidth on a victim's network or overwhelm the victim's processing power. DDoS attacks compromise the availability of resources. All bot agent programs are capable of launching a variety of DDoS attacks; the most common are TCP SYN and UDP flood attacks. DDoS attacks are launched for retribution, for extortion, or merely as a show of the attacker's power. Virtually any service running on the internet may be the target of such an attack. Script kiddies apparently consider DDoS an appropriate solution to every social problem. An attacker can use DDoS against a site to extract payments from the victim for protection from further DDoS attacks. Extortion is an easy way for a bot master to make some extra money.
Many bots are programmed to open SOCKS proxy services, enabling them to be used to forward and send unsolicited email, or spam. Today, many bots have stripped-down mail servers built right into them. The availability of thousands of compromised hosts virtually guarantees that spammers will be able to send out huge quantities of email daily and anonymously. Email phishing scams are also a major security threat that attackers now use to gain sensitive information, compromising the confidentiality and integrity of data. Some bots even include special functions that harvest email addresses. Although bots are responsible for a large amount of spam, a Georgia Tech study that followed spam from botnets shows that 99% of bots sent less than one piece of spam per day on average (Ramachandran, Anirudh 2006). This demonstrates that bots have many different uses, of which spamming is only a small portion.
Bot agents can be equipped with packet sniffing capabilities. By setting the local network interface card to "promiscuous" mode, bot networks can monitor all passing traffic and glean usernames and passwords, along with other sensitive information sent in plain text. Additionally, sniffing traffic from other bot networks allows bot masters to gain information that can be used to commandeer bots from existing botnets.
Key logging is a technique used to record the actual keystrokes typed by a human sitting at his or her computer. Key logging bypasses encrypted, secure internet communications because the keystrokes are captured before the information is encrypted. These programs can filter keystroke information to display only requested sections; for example, a keystroke logger can highlight information typed near keywords such as paypal.com or myCreditUnion.org.
Spreading of new Malware
Once a new host has been compromised and recruited into the botnet, that host can be used to compromise other hosts. All bots have mechanisms to download and execute additional exploits as they become available. Through SOCKS proxy relays, botnets can also help to spread email viruses and worms. Furthermore, botnets can be used as launching pads for non-email viruses and worms. The Witty worm, which exploits a vulnerability in IIS, was originally spread by a network of computers that were not running IIS, suggesting that it was launched by a botnet.
Installing Advertisement Addons and Browser Helper Objects
Botnets can also be used for financial gain. A fake website can be set up, and the operator of this website can negotiate a pay-per-click ad deal with legitimate internet companies. Botnets are then used to generate thousands of seemingly legitimate clicks on the ads. Furthermore, the start page of compromised machines can be configured to execute "clicks" every time the victim uses the browser. Botnets have also been used to install large quantities of spyware on compromised machines (Krebs, Brian 2006). Bot masters may be paid by legitimate companies on a per-client basis to install spyware. This spyware can be used to redirect internet searches and queries to websites sponsored by the botnet.
Google AdSense Abuse
Similar to making money off installing advertisement add-ons, botnets can be used to abuse Google's AdSense program. Google AdSense offers companies a chance to earn money by displaying Google advertisements on their own websites and charges per click-through on searches directing back to the website. Botnets can be leveraged to click on advertisement links in an automated fashion, thus generating illegitimate statistics. Although the Honeynet Project claims that this kind of usage is relatively uncommon, Google at one time announced that it would pay up to $90 million to settle a class action lawsuit over AdSense click abuse (Wong, Nicole 2006).
Attacking IRC Chat Networks
As previously mentioned, botnets were originally created largely to control IRC channels and networks. Botnets are still used to control channels and bring down IRC networks today. The "clone attack" was a very popular exploit for network attacks, whereby each agent in a botnet attempts to join an IRC network with a large number of clones. The ensuing flood of service requests from tens of thousands of clients brings the IRC network down. Today, DDoS is the preferred method of bringing down IRC networks.
Manipulating online polls/games
Since each agent in a botnet has a unique IP address, botnets are efficient tools for manipulating online polls or games. The votes or attempts of the bot master are effectively multiplied by the number of bots under his or her control. As the popularity of such online polls and games grows, botnet exploitation of them will likely increase.
Mass Identity Theft
Some of the previously mentioned botnet uses can be applied to mass identity theft. Phishing emails, which can be sent out using bots as proxies, direct unsuspecting users to websites designed to look like popular e-commerce websites such as eBay or PayPal. Compromised botnet agents hosting these websites are used to harvest account names and passwords. When these sites are exposed as frauds, new sites can quickly be mirrored on other compromised agents. Key logging or traffic sniffing can also be used for mass identity theft.
Many bots are used for their computing power. Bots often sit idle and their respective processing power can be used to host and share files, perform distributed password cracking, or anything else that may benefit from distributed computing power.
Botnet Economics, Politics and strategy
In the past, the main objective of hackers or attackers was just to show off their skills or to have fun, but now it is driven by money. No matter whether you are an individual sitting at home, the CFO of a publicly traded company, a governmental body or a news agency, your compromised PC could be part of a botnet and traded online without your knowledge.
An underground economy is emerging to support the building, selling and buying of botnet attack tools, an economy that Arbor Networks has coined Botconomics. The term combines botnets and economics. Botconomics is fueling the rapid growth of the botnet world. The simple motivation behind the rise in botnets is money. The exponential growth of botnets, with millions of infected computers bought and traded on an underground market, has evolved into a billion-dollar "shadow industry".
Like any money-driven market, botnet developers operate like a legitimate business: they take advantage of the economic benefits of cooperation, trade, development processes and quality.
Jeanson James Ancheta, the botnet operator called the "Bot Herder", once explained to someone that "It's immoral, but the money makes it right." He earned 60000 dollars and a BMW in a year. To profit from this, online barter and marketplace sites have sprung up to service this underground community with barter and trade forums, online support, and rent and lease options for bot herders.
POLITICAL AND STRATEGIC
In May 2007 Estonia, a small Baltic state, was hit by a series of DoS attacks from at least 1 million computers, and the damage inflicted ran into tens of millions of Euros. Michel Tammet, chairman of Estonia's cyber-defense co-ordination committee, explained: "This is a kind of terrorism. The act of terrorism is not to steal from a state, or even to conquer it. It is, as the word suggests, to sow terror itself. If a highly IT country cannot carry out its every day activities, like banking, it sows terror among the people." Dmitri Galushkevich, a 20-year-old student, was behind this and was fined 1100 by a regional court. This attack led many countries to start thinking about battling botnets, as Peter A. Buxbaum, MIT Correspondent, says in his article: "Estonia attack, even if it was not initiated by the Russian government, underscored the need to protect systems from a military style attack, perhaps also to develop the capability to counterattack".
Are we heading towards cyber war? Perhaps yes. Botnets can be used during wars to destroy an enemy country's command and control system. "The world has abandoned a fortress mentality in the real world, and we need to move beyond it in cyberspace... America needs the ability to carpet bomb in cyberspace to create the deterrent we lack." (Why America needs a military botnet, by Col. Charles W. Williamson III).
Systemic Holistic Approach
Comparing BotNet and living system
A botnet can be seen as a living system because its structure is quite similar to that of an organism. Some of the similarities are:
- Bots are building blocks of botnet just like cells to an organism.
- As cells grow and makeup organs bots grow and make bot herds.
- Communication lines between IRC channels can be seen as neurons.
- The command and control centre is the backbone of the system, controlled by the bot master just as the brain controls the whole body.
Peter Denning in Computers under Attack:
"The growing world network shares many characteristics with biological organisms, especially an astronomical number of connections among a large number of simple components. The overall system can exhibit behaviors that cannot be seen in an analysis of its separate components. Like their biological counterparts, computer networks can suffer disorders from small organisms that create local malfunctions; in large numbers these organisms can produce network wide disorder. For this reason, the attacks against networks of computers have biological analogies, and two of them, worms and viruses, are designated by explicit biological terminology."
Churchman's five basic considerations
Our system can easily be mapped onto Churchman's five considerations.
- Information gathering for financial fraud and monetary gain.
- Digital vandalism (spam, DDoS).
Approaches to Botnet Mitigation
Methods to eliminate botnet infection can be divided into two main parts: technical and non-technical. The non-technical part includes government observation, cooperation between lawmakers, and user awareness. In the technical part there are techniques at several levels (including ISP, LAN and user) that can help to mitigate the effect of bots.
Whether botnet activity is punishable depends on the precise activity and on the law that can be applied. Agreement is needed within the EU and beyond to prosecute cyber crime in a consistent and coordinated way (for example in line with the European Convention on Cybercrime, which has still not been ratified by all signing countries). Too few decision makers are sufficiently aware of the extent of the botnet problem and the consequences of inaction.
Co-operation
Co-operation is needed between law enforcement agencies and private companies (ISPs, financial entities, security companies etc.), working for a better dialogue and helping each other to detect, prevent and react to botnet incidents. Government Computer Emergency Response Teams (CERTs) are a valuable first point of contact, perhaps with ENISA acting as an additional focal point for long-term co-ordination and the sharing of best practice. A dialogue has been initiated among individual bodies (especially law enforcement agencies and providers), but it could be improved, for example with the establishment of working groups and workshops at the European level. The option of a permanent body to fight cyber crime in Europe should be discussed.
Everyone who uses a computer connected to the Internet should know and understand the threats that could affect him/her. Proper education about security measures should be included in school curricula, in public service announcements on television and the Internet and other awareness raising initiatives.
A variety of approaches can detect and eliminate botnet activities. We divide and investigate them at three levels: ISP level, LAN level and, finally, the end user.
Some products analyze DNS queries to detect whether a computer has been infected by malicious code. Although this approach seems to be a valid one, the truth is that it might be useful but it is not the final solution. Analyzing DNS traffic to detect zombie computers that are attempting to connect to their C&C is only useful if the C&C is already known (in the same way that signature-based intrusion detection or anti-virus software also needs to have a record of which traffic is known to be bad), but:
- DNS traffic analysis does not detect unknown C&C panels
- Some C&C panels connect directly to an IP address instead of a domain name
- Some C&C panels are hosted on compromised computers with an authentic domain name
Then, in order to detect botnet traffic, in a similar way to anti-virus software or intrusion detection systems, ISP administrators need to combine a signature-based method (e.g. based on DNS or HTTP) with a heuristic one, for instance a flow-based method (analysing where the user is connecting) that looks for anomalous connections.
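To make the combination concrete, here is an added Python example (not from the paper) that runs a DNS signature check beside two flow-based heuristics over constructed DNS and flow records: a query for a domain on a known-C&C list (signature), an egress connection to an address the host never resolved through DNS (covers C&C reached directly by IP), and several internal hosts converging on the same external endpoint (covers C&C hosted on a compromised machine with a legitimate name). The log layouts, the blocklist, the internal range and the fan-in threshold are assumptions; real addresses are replaced by RFC 5737 documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example: the organisation's internal range and a
# signature feed of known C&C names (constructed, not a real feed).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
KNOWN_CNC_DOMAINS = {"update.example-cnc.test"}

# Constructed sample logs.
DNS_LOG = [  # (timestamp, client, queried name, answer)
    (100, "10.0.0.12", "update.example-cnc.test", "198.51.100.7"),
    (101, "10.0.0.50", "www.example-news.test", "203.0.113.80"),
    (102, "10.0.0.13", "mail.legit-hosting.test", "203.0.113.22"),
    (103, "10.0.0.14", "mail.legit-hosting.test", "203.0.113.22"),
]
FLOW_LOG = [  # (timestamp, source, destination, destination port)
    (105, "10.0.0.12", "198.51.100.7", 6667),
    (106, "10.0.0.50", "203.0.113.80", 443),
    (107, "10.0.0.13", "203.0.113.22", 8080),
    (108, "10.0.0.14", "203.0.113.22", 8080),
    (109, "10.0.0.21", "192.0.2.77", 4444),   # no DNS lookup preceded this flow
]


def detect(dns_log, flow_log, known_cnc, fanin_threshold=2):
    """Combine a DNS signature check with two flow heuristics.

    Returns {internal_host: [reasons]}; hosts with no reason are absent.
    """
    reasons = defaultdict(set)
    resolved = set()   # (client, ip) pairs the client actually obtained via DNS
    for _, client, qname, answer in dns_log:
        resolved.add((client, answer))
        if qname.lower() in known_cnc:                  # signature-based
            reasons[client].add(f"DNS query for known C&C domain {qname}")

    by_endpoint = defaultdict(set)
    for _, src, dst, dport in flow_log:
        if ipaddress.ip_address(dst) in INTERNAL_NET:
            continue                                    # only egress traffic matters here
        by_endpoint[(dst, dport)].add(src)
        if (src, dst) not in resolved:                  # heuristic 1: direct-to-IP C&C
            reasons[src].add(f"connection to {dst}:{dport} without prior DNS resolution")

    for (dst, dport), sources in by_endpoint.items():   # heuristic 2: fan-in
        if len(sources) >= fanin_threshold:
            for src in sources:
                reasons[src].add(f"{len(sources)} internal hosts contacting {dst}:{dport}")
    return {host: sorted(r) for host, r in reasons.items()}


if __name__ == "__main__":
    for host, why in detect(DNS_LOG, FLOW_LOG, KNOWN_CNC_DOMAINS).items():
        print(host, "->", "; ".join(why))
```

Each heuristic alone produces false positives (CDN traffic also fans in; hard-coded IPs appear in legitimate software), which is why the paper's point stands: the signature check catches what is already known, and the flow heuristics only raise candidates for an analyst to confirm.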
As many worms try to infect nearby computers in a local area network (LAN), a local honeypot (a computer system set up as a trap for attackers) could help with the early detection of any malicious software that is trying to infect all the computers in an organization. Local administrators play a key role since they can detect an infection and take appropriate action.
One holistic approach is provided by the FireEye company, which applies a two-level approach to detecting and countering botnets. In the first stage only suspicious traffic is detected; in the second phase the exact point of malicious activity is tracked. This is done by forwarding the suspected activity into a virtual environment; if the virtual environment is damaged, the flow is marked as malicious. The whole process results in a delay of only a few seconds in the network traffic.
A step further would be to implement access control lists for resources. This way only registered clients would be able to use the organization's resources.
There are some hints as to whether malicious code is running on a computer:
- Strange process names
- Slow connection to the Internet (the computer could be sending spam or participating in a DDoS attack)
- Strange browser behavior (home page change, new windows appearing on the screen)
- Anti-virus software seems not to be running
- Strange program filenames added to the list of programs that are allowed to access the Internet
- Changes to the computer's hosts file
- Strange files in the startup programs
- New Browser Helper Objects (plug-ins) added to the Internet Explorer browser, or malicious extensions added to Firefox browsers
- Strange Windows services
- Unknown network connections established in the computer
All these give-away signs are only valid if the computer has not installed a rootkit, because a rootkit will hide all the above indicators to enable it to survive in the system without being detected. There are, however, special software tools (rootkit detectors) that help to uncover the existence of rootkits on infected machines.
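Two of the indicators in the list above (changes to the hosts file, and new startup entries) can be checked mechanically from collected artifacts. The following Python example is added here and is not from the paper: it parses a constructed hosts file, reporting every non-localhost entry (a name pinned to loopback silently breaks updates or lookups for that name; a name pointed elsewhere redirects the user), and diffs the current startup list against a baseline captured when the machine was known-clean. The sample hosts content, the baseline, and the watch list of suffixes are all constructed; the rootkit caveat applies unchanged, since a rootkit can hide these artifacts from the collector.

```python
import ipaddress

# Constructed sample hosts file (not from a real machine).
HOSTS_FILE = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.antivirus-vendor.test   # blocks AV updates
127.0.0.1       windowsupdate.example.test
127.0.0.1       ads.example.test               # could be a deliberate ad block
203.0.113.9     www.bank.example.test          # sends bank traffic elsewhere
"""

# Assumed: startup entries captured when the machine was known-clean, and now.
BASELINE_STARTUP = {"explorer.exe", "ctfmon.exe", "igfxtray.exe"}
CURRENT_STARTUP = {"explorer.exe", "ctfmon.exe", "igfxtray.exe", "svhost32.exe"}

# Assumed watch list: names whose blocking disables protection or updates.
WATCHED_SUFFIXES = ("antivirus-vendor.test", "windowsupdate.example.test")
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def check_hosts(text):
    """Return (line_no, name, severity, note) for every suspicious hosts entry."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        entry = line.split("#", 1)[0].strip()       # drop trailing comments
        if not entry:
            continue
        addr, *names = entry.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, addr, "low", "unparseable address"))
            continue
        for name in names:
            lname = name.lower()
            if lname in LEGIT_LOOPBACK_NAMES:
                continue
            if ip.is_loopback:
                # Pinning a name to loopback makes every lookup for it fail quietly.
                sev = "high" if lname.endswith(WATCHED_SUFFIXES) else "medium"
                findings.append((line_no, name, sev, "pinned to loopback (lookups silently fail)"))
            else:
                findings.append((line_no, name, "high", f"redirected to {addr}"))
    return findings


def check_startup(baseline, current):
    """Startup entries present now that were absent from the clean baseline."""
    return sorted(current - baseline)


if __name__ == "__main__":
    for line_no, name, sev, note in check_hosts(HOSTS_FILE):
        print(f"hosts line {line_no}: {name} [{sev}] {note}")
    for entry in check_startup(BASELINE_STARTUP, CURRENT_STARTUP):
        print(f"new startup entry: {entry}")
```

On a live system the two inputs would come from the hosts file path of the platform and from an inventory of run keys, startup folders and services; the value of the baseline is that a look-alike name such as the constructed svhost32.exe stands out as new rather than blending into a long list.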
SUGGESTIONS TO COUNTER
Some advice exists for better protection, although none of it is guaranteed.
Since there are botnets vying for more bots, it is important that systems are patched properly. Patching fixes security weaknesses in programs and can effectively reduce unauthorized access to a system.
Hosts are often compromised by malware. Viruses can infiltrate a system and effectively recruit all compromised hosts into a bot network. Anti-virus/spyware software can prevent much of this malware. This software looks for signatures or programs that have already been identified as malicious which can then be deleted before they compromise the system.
Bots are sometimes commanded to make connections to the command and control server on their own. This type of outbound connection is difficult to pick up, but the right firewalls can detect these "phone home" attempts and then be set to block the connection ports.
Block IRC ports
Since IRC is a primary channel for botnets, simply blocking IRC ports can effectively eliminate a large portion of the botnet threat.
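The two firewall-side suggestions above (spot "phone home" attempts, and treat IRC ports as a blocking candidate) can be demonstrated together on outbound connection records. This Python example is added here and is not from the paper: it groups egress connections per (source, destination, port), flags tuples that use the assumed IRC port range, and flags tuples whose inter-connection gaps are nearly constant, which is the beaconing rhythm of a bot checking in with its controller. The connection records, the port list, the minimum sample count and the variability cut-off are constructed assumptions for illustration.

```python
import statistics
from collections import defaultdict

# Constructed outbound connection records: (timestamp_s, source, destination, dport).
CONNECTIONS = []
CONNECTIONS += [(t, "10.0.0.12", "198.51.100.7", 6667) for t in (0, 300, 600, 900, 1200)]   # exact 5-minute beacon
CONNECTIONS += [(t, "10.0.0.13", "192.0.2.40", 443) for t in (0, 298, 601, 899, 1202)]     # jittered beacon on 443
CONNECTIONS += [(t, "10.0.0.50", "203.0.113.80", 443) for t in (5, 17, 140, 141, 900)]     # human browsing

# Assumed port policy: the conventional IRC port range plus IRC-over-TLS.
IRC_PORTS = set(range(6660, 6670)) | {6697}


def find_phone_home(connections, min_count=4, max_cv=0.15, irc_ports=IRC_PORTS):
    """Flag (src, dst, dport) tuples that use IRC ports or beacon at a steady interval.

    A tuple is "periodic" when it has at least min_count connections and the
    coefficient of variation (stdev / mean) of the gaps between them is <= max_cv.
    """
    times = defaultdict(list)
    for ts, src, dst, dport in connections:
        times[(src, dst, dport)].append(ts)

    findings = []
    for (src, dst, dport), stamps in times.items():
        why = []
        if dport in irc_ports:
            why.append(f"IRC port {dport}")
        if len(stamps) >= min_count:
            stamps.sort()
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            mean = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean else float("inf")
            if cv <= max_cv:
                why.append(f"periodic beacon every ~{mean:.0f}s (cv={cv:.2f})")
        if why:
            findings.append({"src": src, "dst": dst, "dport": dport, "reasons": why})
    return findings


if __name__ == "__main__":
    for hit in find_phone_home(CONNECTIONS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']}: " + "; ".join(hit["reasons"]))
```

The second host shows why port blocking alone is not enough: its beacon rides on 443, where a simple IRC port block never looks, so the periodicity check is the part that carries over to the peer-to-peer and HTTP-based botnets the paper warns about. A port-based block, by contrast, is a cheap first cut that removes the classic IRC case outright.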
When system administrators are aware of the botnet threats and defenses, they will be much more capable of handling the problems they may face due to botnets. Cutting edge botnets are moving away from using IRC toward a peer to peer communication system. These new techniques are much more resilient to detection and conventional protection methods. It is imperative that network administrators are aware of forthcoming threats.
We need a comprehensive strategy that holistically addresses security at each tier of the network (the client, the server and the gateway) using key security technologies. Mitigation of botnet threats can be achieved through strong cooperation between non-technical aspects (social, legal and governmental) and technical ones, including firewalls, intrusion detection systems, virtual honeypots, vulnerability assessment, whitelists and so on. When these technologies are combined as parts of an integrated solution, the system will have better protection against botnets as well as other threats.
- http://voices.washingtonpost.com/securityfix/Raisley Signed Complaint.pdf
- http://www.yaguti.eu/Documenten Database/White Papers/Arbor Networks/Arbor_Networks_WP_ProtectingIP.pdf/
- Denning, Peter J., ed., Computers under Attack. Intruders, Worms, and Viruses, ACM Press, Addison-Wesley Publishing Company, 1990
- Churchman, West C. et al., Introduction to Operations Research, John Wiley & Sons, New York, 1957
- Beer, S., Cybernetics and Management, John Wiley & Sons, 1964.
- Schoderbek, P., Schoderbek, G., Kefalas, A., Management Systems. Conceptual Considerations, 4th ed., Irwin, Boston, 1990
- Yngström, L., Systemic-Holistic Approach to IT Security, DSV SU/KTH Stockholm, Sweden, 2003.