International Journal of Computer Science Engineering and Information Technology Research (IJCSEITR), ISSN 2249-6831, Vol. 2, Issue 2, June 2012, 18-24, TJPRC Pvt. Ltd.

BOTNET: AN ARMY OF DARKNESS AND ITS MULTIFACETED CONTROL


FARHEEN K. SIDDIQUI & RICHA SRIVASTAVA

Lakshmi Narain College of Technology (LNCT), Bhopal, India.

ABSTRACT
Among the media of communication, the Internet is the most susceptible to attacks owing to its unrestricted nature and its virtual lack of centralized control. With the rising number of financial dealings and the reliance of businesses on the Internet, the vulnerability to these attacks has increased even more. Botnets create widespread security and data safety issues and are effective tools for propagating cyber-crime. Our study reveals the complexity of botnet software, and we discuss implications for defense strategies based on our analysis. Each codebase is classified along seven key dimensions: botnet control mechanisms, host control mechanisms, propagation mechanisms, exploits, delivery mechanisms, obfuscation mechanisms and deception mechanisms.

KEYWORDS: Botnet, Bot, Internet Security, Spam, Phishing, DDoS, Identity Theft

INTRODUCTION
A botnet is an army of compromised machines, also known as "zombies," that are under the command and control of a single "botmaster." A bot is a type of malware that is written with the intent of compromising and taking control of hosts on the Internet. It is typically installed on the victim's computer either by exploiting a software vulnerability in the web browser or the operating system, or by using social engineering techniques to trick the victim into installing the bot herself. Compared to other types of malware, the distinguishing characteristic of a bot is its ability to establish a command and control (C&C) channel that allows an attacker to remotely control or update a compromised machine. A number of bot-infected machines that are combined under the control of a single, malicious entity (called the botmaster) are referred to as a botnet. The rise of consumer broadband has greatly increased the power of botnets to launch crippling denial of service (DoS) attacks on servers, infect millions of computers with spyware and other malicious code, steal identity data, send out vast quantities of spam, and engage in click fraud, blackmail, and extortion. Botnets are the primary security threat on the Internet today. Tens of thousands of machines are typically part of a single botnet. Botnets are hard to detect because they are highly dynamic in nature, adapting their behavior to evade the most common security defenses.


HISTORY
Compared to PC viruses and worms, botnets are a relatively new threat to the IT landscape. Their history dates back to the late 1990s, when the infamous NetBus and BackOrifice2000 backdoor Trojans started to spread havoc among computer users; they allowed remote administration of the infected computer and were designed for fun, not for profit. One year later, in 2000, remote administration software gained the ability to control multiple machines simultaneously. The new generation of security threats was built on a tool that hackers had used before: IRC channels. In 2003, for the first time, an e-mail worm came with a bot as its payload. As IRC botnets gained ground, ISPs imposed strict firewall limitations on IRC ports, and hackers worldwide started working on fully-fledged HTTP servers able to remotely control compromised systems located behind a corporate firewall or NAT server. In 2007 the first large P2P botnet, the Storm botnet, was discovered; it was built using the feared Storm Worm (a mixed-type piece of malware that combines worm features with backdoor and Trojan capabilities). Larger botnets were immediately labeled as threats to national security, the national information infrastructure and the economy, so multiple government institutions took a stance against the attackers. The Federal Bureau of Investigation started a new national initiative called Operation Bot Roast, which identified over one million compromised machines that had been used to relay spam and perform other types of attacks in the US alone.

THREATS OF BOTNETS
Botnet-led exploits can take many forms.

Distributed Denial of Service (DDoS) Attacks
With thousands of zombies distributed around the world, a botnet may launch a massive, coordinated attack to impair or bring down high-profile sites and services by flooding the connection bandwidth or resources of the targeted system. Targets of attack may include commercial or government Websites, e-mail services, Domain Name System (DNS) servers, hosting providers, and critical Internet infrastructure, even antispam and IT security vendors. Attacks may also be directed toward specific political and religious organizations, gambling, pornography, and online gaming sites. Such attacks are sometimes accompanied by extortion demands.


Spyware and Malware
Zombies monitor and report users' Web activity for profit, without the knowledge or consent of the user. They may also install additional software to gather keystroke data and harvest system vulnerability information for sale to third parties.

Identity Theft
Botnets are often deployed to steal personal identity information, financial data, or passwords from a user's PC and then either sell it or use it directly for profit.

Adware
Zombies may automatically download, install, and display popup advertising based on a user's surfing habits, or force the user's browser to periodically visit certain Websites.

E-Mail Spam
Most of today's e-mail spam is sent by botnet zombies. Studies estimated that 80% of all spam came from zombies, an increase of 30% year-over-year for the same period.

Click Fraud
The exploit code may imitate a legitimate Web browser user and click on ads for the sole purpose of generating revenue (or penalizing an advertiser) for a Website on pay-per-click advertising networks.

Phishing
Zombies can help scan for and identify vulnerable servers that can be hijacked to host phishing sites, which impersonate legitimate services (e.g., PayPal or banking Websites) in order to steal passwords and other identity data.

BOTNET DETECTION AND MITIGATION
Since botnets use different attack strategies, several tools are needed to detect the malware and mitigate its effects, including:

Anti-Malware Technology: Anti-malware tools can spot malware worms and prevent users from downloading them. They can also scan systems for the presence of worms, Trojan horses and other types of threats.

IDSes (Intrusion Detection Systems): By looking for deviations in the ordinary traffic flow, an IDS can identify the start of a DoS attack, giving the network administrator time to take corrective actions, such as switching to an emergency block of IP addresses with a separate route for critical servers.

IPSes (Intrusion Prevention Systems): An IPS is designed to take immediate action, such as blocking specific IP addresses, whenever a traffic-flow anomaly arises, potentially weakening a DoS attack's impact. ASIC (application-specific integrated circuit)-based IPSes, in particular, have the power and in-depth analysis capabilities required to detect and block DoS attacks, functioning somewhat like an automated circuit breaker.

Honeypots: Closely watched network decoys, honeypots can distract botnets from critical network machines. The technique can also be used to generate early warnings about new attack and exploitation trends.

TAKING CONTROL OF THE BOTNET


Our work reveals that effective network security in the future will be based on a detailed understanding of the mechanisms used by malware. In this paper we begin the process of codifying the capabilities of malware by dissecting widely-used Internet Relay Chat (IRC) botnet codebases. Each codebase is classified along seven key dimensions: botnet control mechanisms, host control mechanisms, propagation mechanisms, exploits, delivery mechanisms, obfuscation mechanisms and deception mechanisms. Our objectives are to highlight the richness and diversity of each codebase, to identify commonalities between codebases, and to consider how knowledge of these mechanisms can lead to the development of more effective defense mechanisms.

BOTNET CONTROL MECHANISMS


Botnet control refers to the command language and control protocols used to operate botnets remotely after target systems have been compromised. The most important reason for understanding the details of the communication mechanisms is that their disruption can render a botnet useless. For example, by sniffing for specific commands in IRC traffic, network operators can identify compromised systems, and IRC server operators can shut down channels that are used by botnets.

Implications: Understanding command and control systems has direct and immediate implications for the creation of methods and systems to disrupt botnets. The continued reliance on IRC as the foundation for botnet command and control means that IRC server operators can play a central role in blocking botnet traffic. However, we anticipate that future botnet development will include the use of encrypted communication and eventually a move away from IRC toward peer-to-peer style communication. While this will certainly make defending against botnets more difficult, botnet traffic may still be identifiable via statistical fingerprinting methods.

Host Control Mechanisms
Host control refers to the mechanisms used by the bot to manipulate a victim host once it has been compromised. The general intent of host control is to fortify the local system against other malicious attacks, to disable anti-virus software, and to harvest sensitive information.

Implications: The capabilities and diversity of the host control mechanisms in botnets are frightening and have serious implications. First, they underscore the need to patch and protect systems from known vulnerabilities. Second, they inform software development and the need for stronger protection boundaries across applications in operating systems. Third, the capabilities for gathering sensitive information such as PayPal passwords and software keys provide clear economic incentives for people to operate botnets and for sponsorship by organized crime.

Propagation Mechanisms
Propagation refers to the mechanisms used by bots to search for new host systems. Traditional propagation mechanisms consist of simple horizontal scans on a single port across a specified address range, or vertical scans on a single IP address across a specified range of ports. However, as botnet capability expands, it is likely that they will adopt more sophisticated propagation methods.

Implications: There are several implications of bot propagation mechanisms. First, at present, botnets use relatively simple scanning techniques. This means that it may be possible to develop statistical fingerprinting methods to identify scans from botnets in distributed monitors. Second, scanning methods inform requirements for building and configuring network defenses based on firewalls and intrusion detection systems that consider scanning frequency. Finally, source code examination reveals details of scanning mechanisms that can enable the development of accurate botnet propagation models for analytic and simulation-based evaluation. We project that future versions of bot codebases will focus on propagation as an area of improvement, including both flash mechanisms and more stealthy mechanisms.

Exploits and Attack Mechanisms
Exploits refer to the specific methods for attacking known vulnerabilities on target systems. Exploits are usually attempted in conjunction with scanning for target hosts.

Implications: The set of exploits packaged with botnets suggests basic requirements for host-based anti-virus systems and network intrusion detection and prevention signature sets. It seems clear that in the future more bots will include the ability to launch multiple exploits, as in Agobot, since this increases the opportunity for success. The DDoS tools included in bots, while fairly straightforward, highlight the potential danger of large botnets.
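As an added illustration of the two detection ideas above (sniffing IRC traffic for bot commands under Botnet Control Mechanisms, and fingerprinting horizontal versus vertical scans under Propagation Mechanisms), the following Python is example code written for this discussion, not taken from the paper or from any bot codebase. The IRC lines, the flow records, the dotted command vocabulary and the threshold of ten targets are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed IRC PRIVMSG lines, as a network sensor might log them (not real traffic).
IRC_LINES = [
    ":op!op@host PRIVMSG #chat :hello everyone",
    ":boss!x@y PRIVMSG #zombies :.scan.start 10.0.0.0/8 445",
    ":boss!x@y PRIVMSG #zombies :.ddos.syn 203.0.113.5 80 600",
    ":user2!a@b PRIVMSG #chat :anyone seen the match?",
    ":boss!x@y PRIVMSG #zombies :.download http://203.0.113.9/u.exe 1",
]
# Hypothetical dotted command vocabulary; real signatures come from the codebase under study.
BOT_CMD = re.compile(r"\.(?:scan|ddos|download|update|login)(?:\.\w+)?")
PRIVMSG = re.compile(r":\S+ PRIVMSG (\S+) :(.*)$")

def find_bot_commands(lines):
    """Return (channel, command) for each PRIVMSG whose text opens with a bot-style command."""
    hits = []
    for line in lines:
        m = PRIVMSG.match(line)
        if not m:
            continue
        channel, text = m.groups()
        cmd = BOT_CMD.match(text)
        if cmd:
            hits.append((channel, cmd.group(0)))
    return hits

# Constructed flow records (src, dst, dport): one horizontal scanner, one vertical scanner, one normal host.
FLOWS = ([("10.1.1.7", f"192.0.2.{i}", 445) for i in range(1, 41)]
         + [("10.1.1.9", "192.0.2.50", p) for p in (21, 22, 23, 25, 80, 135, 139, 443, 445, 3389, 8080, 8443)]
         + [("10.1.1.3", "192.0.2.60", 80), ("10.1.1.3", "192.0.2.61", 443)])

def classify_scans(flows, min_targets=10):
    """Per source: 'horizontal' if one port reaches >= min_targets hosts, 'vertical' if one host sees >= min_targets ports."""
    hosts_per_port = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    ports_per_host = defaultdict(lambda: defaultdict(set))  # src -> dst -> {port}
    for src, dst, port in flows:
        hosts_per_port[src][port].add(dst)
        ports_per_host[src][dst].add(port)
    verdicts = {}
    for src in hosts_per_port:
        for port, dsts in hosts_per_port[src].items():
            if len(dsts) >= min_targets:
                verdicts[src] = ("horizontal", port, len(dsts))
        for dst, ports in ports_per_host[src].items():
            if len(ports) >= min_targets:
                verdicts[src] = ("vertical", dst, len(ports))
    return verdicts

if __name__ == "__main__":
    print(find_bot_commands(IRC_LINES))
    print(classify_scans(FLOWS))
```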


Malware Delivery Mechanisms
Packers and shell encoders have long been used in legitimate software distribution to compress and obfuscate code. GT/SD/Spy Bots all deliver their exploit and encoded malware packaged in a single script. Agobot, however, has adopted a new strategy: the idea is to first exploit a vulnerability (e.g., via a buffer overflow) and open a shell on the remote host. The encoded malware binary is then uploaded using either HTTP or FTP. This separation enables an encoder to be used across exploits, thereby streamlining the codebase and potentially diversifying the resulting bit streams.

Implications: The malware delivery mechanisms used by botnets have implications for network intrusion detection and prevention signatures. In particular, NIDS/NIPS benefit from knowledge of commonly used shell codes and the ability to perform simple decoding. If the separation of exploit and delivery becomes more widely adopted in bot code, it suggests that NIDS could benefit greatly by incorporating rules that can detect follow-up connection attempts.

Obfuscation Mechanisms
Obfuscation refers to mechanisms that are used to hide the details of what is being transmitted through the network and what arrives for execution on end hosts. Polymorphism has been suggested as a means for evading signatures based on specific bit sequences by generating random encodings.

Implications: While polymorphic botnet delivery appears to be a reality, it is not yet widely available across bot families. As such, a concentrated focus on polymorphism by the network security community may not be warranted at this time. However, while the polymorphic routine packaged with Agobot is rather simplistic, it is conceivable that future botnets will have significantly better support for polymorphism. As a result, anti-virus systems and NIDS will eventually need to develop mechanisms to account for this capability.

Deception Mechanisms
Deception refers to the mechanisms used to evade detection once a bot is installed on a target host. These mechanisms are also referred to as rootkits. They include (i) tests for debuggers such as OllyDebug, SoftIce and procdump, (ii) tests for VMware, (iii) killing anti-virus processes, and (iv) altering DNS entries of anti-virus software companies to point to localhost.

Implications: The elaborate deception strategy of Agobot in some ways represents a merging of botnets with other forms of malware such as Trojans and has several implications. First, honeynet monitors need to be aware of malware that specifically targets virtual machine environments. Second, it suggests the need for better tools for dynamic analysis of this malware, since simply executing it in VMware or debuggers will provide false information. Finally, as these mechanisms improve, it is likely to become increasingly difficult to know that a system has been compromised, thereby complicating the task for host-based anti-virus and rootkit detection systems.
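The follow-up-connection rule suggested under Malware Delivery Mechanisms above, as an added Python example that is not part of the paper: it correlates an inbound contact on an exploit port with a later HTTP or FTP connection from the same internal host back to the same remote address. The exploit-port list, the 60-second window and the flow log are constructed assumptions.

```python
from datetime import datetime, timedelta

EXPLOIT_PORTS = {135, 139, 445}   # assumed exploit ports; the paper names no fixed list
FETCH_PORTS = {21, 80}            # FTP and HTTP, the upload channels the paper describes
WINDOW = timedelta(seconds=60)    # assumed correlation window

# Constructed flow log (timestamp src sport dst dport), not real sensor data.
FLOW_LOG = """\
2012-06-01T10:00:01 198.51.100.4 51000 10.1.1.7 445
2012-06-01T10:00:09 10.1.1.7 49152 198.51.100.4 80
2012-06-01T10:05:00 10.1.1.8 49153 192.0.2.80 80
2012-06-01T10:06:10 198.51.100.4 51001 10.1.1.9 135
2012-06-01T10:20:00 10.1.1.9 49154 198.51.100.4 21
"""

def parse_flows(text):
    """Parse one flow per line into (ts, src, sport, dst, dport) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport = line.split()
        rows.append((datetime.fromisoformat(ts), src, int(sport), dst, int(dport)))
    return rows

def follow_up_fetches(flows, window=WINDOW):
    """Flag a host that was contacted on an exploit port and then, within the window,
    opened an HTTP/FTP connection back to the same remote address (exploit-then-upload)."""
    exploits = [(ts, src, dst) for ts, src, _, dst, dport in flows if dport in EXPLOIT_PORTS]
    hits = []
    for ts, src, _, dst, dport in flows:
        if dport not in FETCH_PORTS:
            continue
        for ets, esrc, edst in exploits:
            delay = ts - ets
            if edst == src and esrc == dst and timedelta(0) <= delay <= window:
                hits.append((src, dst, dport, int(delay.total_seconds())))
    return hits

if __name__ == "__main__":
    for victim, remote, port, secs in follow_up_fetches(parse_flows(FLOW_LOG)):
        print(f"{victim} fetched from {remote}:{port} {secs}s after exploit-port contact")
```

The second internal host (10.1.1.9) is not flagged because its FTP connection falls outside the window, which is the kind of tuning a real rule would need.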


CONCLUSIONS AND FUTURE WORK


Continued improvements and diversification of malware are making the task of securing networks against attacks and intrusions increasingly difficult. The objective of our work is to expand the knowledge base for security research through systematic evaluation of malicious codebases. Overall, our evaluation highlights the sophistication and diverse capabilities of botnets. The details of our findings include descriptions of the primary functional components of botnets organized into categories. Some of the most important findings within these categories include the diverse mechanisms for sensitive information gathering on compromised hosts, the effective mechanisms for remaining invisible once installed on a local host, and the relatively simple command and control systems that are currently used. While IRC-based command and control systems remain an area that the network security community can potentially exploit for defensive purposes, it is likely that these systems will evolve toward something like a peer-to-peer infrastructure in the near future. The results in this paper represent part of a much larger process of decomposing and documenting malware of all types. Ultimately, we anticipate that the resulting database will enable proactive network security.

