A BOTNET is a collection or a network of infectious 'bots', i.e. machines. Botnets have become a platform for infecting the Internet. In this context, elucidate in detail the Botnet life cycle diagram and identify the role played by the command and control server in the Botnet life cycle. Do any techniques exist to detect Botnets? If yes, exemplify.
# Lifecycle of a Botnet:
The life cycle of a botnet is fairly standard, regardless of the command and control architecture used or the initial method of spreading the malicious code to the target machines.
Stages in a botnet's life:
1. By exploiting a vulnerability of the target system, the malicious code gains entry into the system and turns the machine into a bot.
2. The infected machine sends a message to the botmaster to report that it has joined the network of bots; this is called rallying.
3. To secure its position on the newly infected machine, the bot uses the command and control server to download and install anti-antivirus software that renders any antivirus software on the machine ineffective.
4. The bot fixes the vulnerabilities on the host system by applying patches; this prevents other malicious programs from entering the system and taking over control of it.
5. The design of the botnet allows the botmaster to install payload modules that implement whatever functionality is currently required.
6. Depending on its architecture, the bot listens either to command and control servers or to its peers for commands. Most botnets use Internet Relay Chat (IRC) as the communication medium between the servers and the bots.
7. The bot then executes the command and reports the status to the command and control servers at the required time.
8. The bot then goes back to stage 5 and waits, listening on the specified ports for new instructions or new payloads to be delivered; alternatively, the bot can completely erase all traces of itself on the computer and abandon the client.
# Role played by the command and control server in the Botnet life cycle:
In a command and control server architecture all the bots are connected to the servers, so the botmaster can communicate with every bot without difficulty. The botmaster issues commands. Because the botmaster is in direct contact with the bots, it can identify which bots are active and how they are distributed globally. It was from Internet Relay Chat (IRC) that the idea of the botnet originated. IRC can be considered a text-based social chat that organizes communication into channels. The IRC protocol is considered a model of centralized communication; one-to-one (private) communication is also possible in this protocol. Other command and control channels are based on the Hypertext Transfer Protocol (HTTP). Botnets cannot be located using the Global Positioning System (GPS).
# Techniques to detect Botnets:
Botnet detection by honeypot:
By running a honeypot you may be able to obtain a list of botnet recognition signatures. Using these, always look for any attempt to connect to known C&C servers.
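The honeypot approach above amounts to two checks on outbound connection records: does a host contact an address on the indicator list the honeypot produced, and does a host reconnect to one destination at a suspiciously regular interval (rallying and polling for commands, stages 2 and 6 of the lifecycle). The following is an added example, not code from the original answer; the indicator addresses, labels and log lines are all constructed, and the jitter threshold is an assumption.

```python
"""Added example (not from the original answer): build a small C&C indicator
list of the kind a honeypot run yields, then scan outbound connection records
for (a) contacts with known C&C addresses and (b) beaconing, i.e. one host
reconnecting to one destination at a nearly constant interval."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed indicator list: addresses and labels are hypothetical
# (documentation ranges), standing in for what a honeypot observed.
KNOWN_CC = {
    "203.0.113.7": "irc-style C&C seen by honeypot",
    "198.51.100.42": "http-style C&C seen by honeypot",
}

# Constructed firewall-style records: "<timestamp> <src> <dst> <dport>".
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.7 6667
2024-05-01T10:00:10 10.0.0.8 93.184.216.34 443
2024-05-01T10:05:02 10.0.0.5 203.0.113.7 6667
2024-05-01T10:09:58 10.0.0.5 203.0.113.7 6667
2024-05-01T10:12:13 10.0.0.8 93.184.216.34 443
2024-05-01T10:15:01 10.0.0.5 203.0.113.7 6667
2024-05-01T10:20:00 10.0.0.5 203.0.113.7 6667
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_connections(log_text):
    """Parse log lines into (timestamp, src, dst, dport); skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events


def match_known_cc(events, indicators=KNOWN_CC):
    """Return (src, dst, label) for every connection to an address on the list."""
    return [(src, dst, indicators[dst])
            for _, src, dst, _ in events if dst in indicators]


def beaconing_pairs(events, min_connections=4, max_jitter_ratio=0.1):
    """Return {(src, dst): mean_gap_seconds} for pairs whose inter-connection
    gaps vary by at most max_jitter_ratio of their mean (assumed threshold).
    Regularity alone is a lead, not proof; confirm it against the indicator
    list or a packet capture."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and pstdev(gaps) / mean <= max_jitter_ratio:
            flagged[pair] = mean
    return flagged


if __name__ == "__main__":
    evts = parse_connections(SAMPLE_LOG)
    for src, dst, label in match_known_cc(evts):
        print(f"known C&C contact: {src} -> {dst} ({label})")
    for (src, dst), gap in beaconing_pairs(evts).items():
        print(f"beaconing: {src} -> {dst} every ~{gap:.0f}s")
```

On the constructed log, host 10.0.0.5 is reported both ways: it contacts the listed address on the IRC port and does so every 300 seconds give or take a few, while 10.0.0.8's two ordinary HTTPS connections are ignored. The two checks are complementary: the indicator match only catches servers the honeypot already saw, whereas the interval check can surface a previously unknown server for a closer look.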
Wireshark:
Wireshark is a very popular tool; here it is used for DNS traffic analysis. DNS-based botnet detection relies on the Domain Name System (DNS), since bots must resolve the names of their servers and so leave a trace in DNS traffic.
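The DNS analysis mentioned above is usually done on the query names and response codes exported from a Wireshark capture. The following is an added example, not code from the original answer: it reads constructed DNS records and scores each client on two well-known indicators, the share of lookups that fail with NXDOMAIN and the number of random-looking (high-entropy) names queried. The record format, the thresholds and all names and addresses are assumptions made for the example.

```python
"""Added example (not from the original answer): DNS-based botnet detection
over a small set of DNS query/response records, the kind of data you would
export from Wireshark. Two per-client signals are computed: the share of
lookups answered NXDOMAIN and the number of random-looking (high-entropy)
names queried."""
import math
import re
from collections import defaultdict

# Constructed records: "<time> <client> <queried name> <response code>".
SAMPLE_DNS = """\
10:00:01 10.0.0.5 www.example.com NOERROR
10:00:02 10.0.0.9 qzx7v3k1pmd8.net NXDOMAIN
10:00:02 10.0.0.9 r4t9yw2bnx0l.com NXDOMAIN
10:00:03 10.0.0.9 k8v1zq3mfy7t.org NXDOMAIN
10:00:03 10.0.0.5 mail.example.com NOERROR
10:00:04 10.0.0.9 d5hx2plqw9rv.net NXDOMAIN
10:00:04 10.0.0.9 cdn.example.com NOERROR
10:00:05 10.0.0.9 m3jz8ykt6bqn.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def shannon_entropy(s):
    """Bits per character of s (0 for an empty or single-character string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_label(qname):
    """The longest dot-separated label; for ordinary names that is usually the
    registered part (e.g. 'example'), which is the part worth scoring."""
    return max(qname.strip(".").split("."), key=len)


def parse_dns(text):
    """Parse records into (time, client, qname, rcode); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2), m.group(3).lower(), m.group(4)))
    return events


def score_clients(events, min_queries=3, nx_ratio=0.5,
                  entropy_threshold=3.2, high_entropy_min=3):
    """Return {client: stats} for clients that exceed either threshold.
    All threshold values are assumptions chosen for this example."""
    per_client = defaultdict(
        lambda: {"queries": 0, "nxdomain": 0, "high_entropy_names": 0})
    for _, client, qname, rcode in events:
        st = per_client[client]
        st["queries"] += 1
        if rcode == "NXDOMAIN":
            st["nxdomain"] += 1
        if shannon_entropy(longest_label(qname)) >= entropy_threshold:
            st["high_entropy_names"] += 1
    flagged = {}
    for client, st in per_client.items():
        if st["queries"] < min_queries:
            continue
        st["nxdomain_ratio"] = st["nxdomain"] / st["queries"]
        if (st["nxdomain_ratio"] >= nx_ratio
                or st["high_entropy_names"] >= high_entropy_min):
            flagged[client] = st
    return flagged


if __name__ == "__main__":
    for client, st in score_clients(parse_dns(SAMPLE_DNS)).items():
        print(f"{client}: {st['queries']} queries, "
              f"NXDOMAIN ratio {st['nxdomain_ratio']:.2f}, "
              f"{st['high_entropy_names']} high-entropy names")
```

On the constructed records only 10.0.0.9 is reported: four of its six lookups fail and five of the names it asks for score about 3.6 bits per character, whereas the label "example" scores about 2.5. Entropy is a coarse filter (legitimate content-delivery hostnames can also look random), so treat a flagged client as something to inspect in the capture rather than as a confirmed bot.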
Capinfos:
Capinfos is a program that reads one or more capture files and reports all available statistics about each input file.