22-05-2014, 12:37 PM
BOTNET
OVERVIEW
The widespread adoption of broadband Internet connections has enabled the birth of a new threat against both service providers and the subscribers they serve. Botnets – vast networks of compromised PCs under the control of a single master – possess the ability to launch crippling denial of service attacks, send vast quantities of unsolicited e-mail messages, and infect thousands of vulnerable systems with privacy-violating spyware and other forms of malicious software.
By design, botnets are difficult to detect and even more challenging to stop as their dynamic and adaptive capabilities permit them to easily circumvent traditional means of detection and mitigation.
With the failure of port- and signature-based technologies, service providers are being forced to adopt new approaches in the effort to address this growing threat. By using botnets’ very nature as an indicator of their presence, behavior-based detection and mitigation approaches are vital weapons in the ongoing battle to clean up broadband networks.
In this paper, using a real-world example, we outline the birth of a typical botnet. While doing so, we explain the shortcomings of traditional approaches that rely on port and signature matches. This analysis is followed with an introduction to behavioral techniques that look for the telltale signs of botnet presence in order to trigger mitigation measures.
INTRODUCTION
A collection of bots forms a botnet. The term "bot" is derived from "robot": a bot is a script or set of scripts designed to perform predefined functions automatically, like a computer robot.
A bot is a compromised machine that waits for commands from a particular controller; several compromised machines form a botnet. They are remotely controlled from a Command and Control (C&C) machine, which is itself a compromised machine used to hide the real IP address of the controller. Initially, bots were used to automate tasks in server environments, i.e. to run as a daemon process on legitimate machines and to help chat room owners keep their channels tidy. One such bot is Eggdrop. These bots could communicate among themselves to form a botnet, so botnets were originally used for constructive purposes.
Like many other technologies, bots can be put to constructive or destructive use. In the destructive sense, a bot can be defined as a computer program installed without the user's knowledge, running hidden on a Windows or UNIX platform, that connects to a pre-defined server and chat room and awaits commands from a master. Such compromised machines are also known as "zombies".
BOTNETS EXPOSED
A more complete understanding of how botnets operate is imperative in formulating and delivering effective protection mechanisms for providers and subscribers.
Bot & Exploit Selection
Botnets typically begin when an individual, who becomes known as a “botmaster”, downloads a bot program and exploit code. The botmaster need not be acting alone; in fact, criminal investigations have begun to link botnets with organized crime syndicates, so the problem is by no means isolated to a handful of individuals acting alone.
Bot programs such as AgoBot, SDBot, and IRCBot are freely available on the Internet, as is exploit code, making armed bot creation a simple affair. Generally, exploits for Microsoft’s Windows operating systems are selected.
These exploits are attractive both because of the sheer number of Windows security exploits available and because of the widespread adoption of Windows amongst business and residential users.
By simply plugging the exploit code into the ready-to-use bot software, the botmaster creates a weapon capable of infecting and assuming control of vulnerable systems, the vast majority of which will belong to unsuspecting residential broadband subscribers.
Residential subscribers have long been regarded as a weak link in network security, as a relatively small number of users possess the technical knowledge or threat awareness to attempt to secure their systems. With the continuing growth of broadband Internet connections, residential networks have quickly become a buffet for malware authors and distributors.
Conclusions
1,800 attacks were registered throughout the United States last month, May 2008, almost 20% higher than the month before. Hence peer-to-peer botnet intrusion malware is a continuously growing type of spam on the Internet. Botnets, although quite simple in design, are effective attack tools. They provide massive amounts of bandwidth to an individual, provide cover from tracking the botmaster, and are easily capable of evading static signature and port-based blocking measures.
Intelligent techniques that rely on behavioral analysis offer the only effective means of detecting and defending against the proliferation of botnets. Bots, much like worms, behave in a predictable manner, such as scanning for new hosts to infect, transmitting payloads to target machines, and engaging in attacks. By detecting these activities and applying them against policy heuristics, as was the case in the example considered herein, it is possible to identify bots and implement policies to mitigate the further spread of infection.
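The two behaviours the paper singles out as telltale signs of a bot, scanning for new hosts to infect (this section) and many zombies checking in with the same pre-defined C&C server (the Introduction), can both be picked out of ordinary flow records without any port or payload signature. The following Python is an added example written for this page, not code from the paper: it runs two simple policy heuristics over constructed NetFlow-style records. The record layout, the RFC 1918 / RFC 5737 addresses, the "10." internal prefix and the thresholds (20 distinct destinations in 60 seconds; 3 internal clients each contacting the same external host:port at least twice) are all assumptions chosen for illustration.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    """One summarised connection record (NetFlow-style; assumed layout)."""
    ts: int      # seconds since an arbitrary epoch
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination port


def build_sample_flows() -> List[Flow]:
    """Constructed sample traffic; every address and timestamp here is made up."""
    flows: List[Flow] = []
    # A bot at 10.0.0.5 sweeps 10.0.1.1 .. 10.0.1.40 on TCP/445 within 40 seconds.
    for i in range(1, 41):
        flows.append(Flow(1000 + i, "10.0.0.5", f"10.0.1.{i}", 445))
    # A benign host touches a handful of internal servers spread over 15 minutes.
    for i, t in enumerate((1000, 1300, 1600, 1900)):
        flows.append(Flow(t, "10.0.0.7", f"10.0.2.{i + 1}", 445))
    # Three internal hosts repeatedly check in with the same external server on TCP/6667.
    for host in ("10.0.0.5", "10.0.0.9", "10.0.0.12"):
        for k in range(3):
            flows.append(Flow(2000 + 60 * k, host, "203.0.113.10", 6667))
    # One ordinary HTTPS connection: a single client does not look like a rendezvous point.
    flows.append(Flow(2100, "10.0.0.7", "198.51.100.20", 443))
    return flows


def detect_scanners(flows: List[Flow], window: int = 60,
                    min_distinct_dsts: int = 20) -> Set[str]:
    """Flag sources that contact >= min_distinct_dsts distinct hosts inside any `window`-second span."""
    by_src: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for f in flows:
        by_src[f.src].append((f.ts, f.dst))
    flagged: Set[str] = set()
    for src, events in by_src.items():
        events.sort()
        counts: Dict[str, int] = defaultdict(int)  # distinct destinations in the window
        start = 0
        for ts, dst in events:
            counts[dst] += 1
            # Evict events older than the sliding window.
            while events[start][0] < ts - window + 1:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_distinct_dsts:
                flagged.add(src)
                break
    return flagged


def detect_rendezvous(flows: List[Flow], internal_prefix: str = "10.",
                      min_clients: int = 3,
                      min_checkins: int = 2) -> Dict[Tuple[str, int], Set[str]]:
    """Return external (dst, port) pairs that >= min_clients internal hosts each contact >= min_checkins times.

    Many distinct internal hosts repeatedly meeting at one external endpoint is the
    C&C rendezvous pattern; a real deployment would also allowlist known services.
    """
    clients: Dict[Tuple[str, int], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.src.startswith(internal_prefix) and not f.dst.startswith(internal_prefix):
            clients[(f.dst, f.dport)][f.src] += 1
    result: Dict[Tuple[str, int], Set[str]] = {}
    for endpoint, per_src in clients.items():
        repeaters = {s for s, n in per_src.items() if n >= min_checkins}
        if len(repeaters) >= min_clients:
            result[endpoint] = repeaters
    return result


if __name__ == "__main__":
    sample = build_sample_flows()
    print("scanning hosts:", sorted(detect_scanners(sample)))
    for (dst, port), members in detect_rendezvous(sample).items():
        print(f"rendezvous {dst}:{port} used by", sorted(members))
```

Neither heuristic looks at ports or payloads: the scanner check counts how many distinct hosts a source touches per unit time, and the rendezvous check counts how many internal hosts keep returning to the same external endpoint, so changing the bot binary or its listening port does not evade them. The thresholds are the "policy" part and have to be tuned per network; a mail relay or a monitoring box will legitimately exceed them and needs an allowlist.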