Question

In: Computer Science

A BOTNET is a collection or a network of infectious ‘bots’ i.e. machines. Botnets have become a platform for the infection to the Internet. In this context, elucidate in detail about the Botnet life cycle Diagram and identify the role played by command and control server in the Botnet life cycle. Do any techniques exist to detect Botnets? If yes, exemplify. Cite your sources.

Solutions

Expert Solution

ANSWER:

A Botnet is a collection or a network of infectious ‘bots’ i.e. machines. Botnets have become a platform for the infection to the Internet.

It is a number of Internet-connected devices, each running one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control software.

The word "botnet" is taken from the words "robot" and "network". The term is usually used with a negative or malicious connotation.

A botnet is a logical collection of Internet-connected devices such as computers, smartphones or IoT devices whose security has been breached and control ceded to a third party. Each compromised device, known as a "bot", is created when a device is penetrated by software from a malware (malicious software) distribution. The controller of a botnet is able to direct the activities of these compromised computers through communication channels formed by standards-based network protocols, such as IRC and Hypertext Transfer Protocol (HTTP).

Botnet life cycle

A typical botnet can be created and maintained in five phases including:

  1. initial infection
  2. secondary injection
  3. connection
  4. malicious command
  5. control, update and maintenance

During the initial infection phase, the attacker scans a target subnet for known vulnerabilities, and infects victim machines through different exploitation methods. After initial infection, in the secondary injection phase, the infected hosts execute a script known as shell-code. The shell-code fetches the image of the actual bot binary from a specific location via FTP, HTTP, or P2P. The bot binary installs itself on the target machine. Once the bot program is installed, the victim computer turns into a "Zombie" and runs the malicious code. The bot application starts automatically each time the zombie is rebooted.

In the connection phase, the bot program establishes a command and control (C&C) channel, and connects the zombie to the command and control (C&C) server. Upon the establishment of the C&C channel, the zombie becomes a part of the attacker's botnet army. After the connection phase, the actual botnet command and control activities are started. The botmaster uses the C&C channel to disseminate commands to his bot army. Bot programs receive and execute commands sent by the botmaster. The C&C channel enables the botmaster to remotely control the actions of a large number of bots to conduct various illicit activities.

Diagram: botnet life cycle (image not reproduced here)

The last phase is to keep bots alive and updated. In this phase, bots are commanded to download an updated binary. Bot controllers may need to update their botnets for several reasons. For instance, they may need to update the bot binary to evade detection techniques, or they may intend to add new functionality to their bot army. Moreover, sometimes the updated binary moves the bots to a different C&C server. This process is called server migration and it is very useful for botmasters to keep their botnet alive. Botmasters try to keep their botnets invisible and portable by using Dynamic DNS (DDNS), which is a resolution service that facilitates frequent updates and changes in server locations. In case authorities disrupt a C&C server at a certain IP address, the botmaster can easily set up another C&C server instance with the same name at a different IP address. IP address changes in C&C servers propagate almost immediately to bots due to the short time-to-live (TTL) values for the domain names set by DDNS providers. Consequently, bots will migrate to the new C&C server location and will stay alive.

Command and control server in the Botnet life cycle

The vital element of a Botnet is the Command and Control (C&C) server. A Botnet is a collection of computers which are connected to the cyber world mainly for malicious causes. These Bots may run automatically or they will execute a task once they are given a precise input.

A botnet may be a network based on the client-server model, where individual clients request services and resources from centralized servers.

The first botnets on the internet used a client-server model to accomplish their tasks. Typically, these botnets operate through Internet Relay Chat networks, domains, or websites. Infected clients access a predetermined location and await incoming commands from the server. The bot herder sends commands to the server, which relays them to the clients. Clients execute the commands and report their results back to the bot herder.

In the case of IRC botnets, infected clients connect to an infected IRC server and join a channel pre-designated for C&C by the bot herder. The bot herder sends commands to the channel via the IRC server. Each client retrieves the commands and executes them. Clients send messages back to the IRC channel with the results of their actions.

Techniques to detect Botnets

Capturing bot malware and deactivating its malicious parts is a well-known active analysis type. Honeypots and honeynets are other active analysis methods performed in botnet detection and prevention. At first sight, while active approaches may seem useful, they have a big disadvantage of being easily detected.

  • Signature-based Detection

Knowledge of useful signatures and behavior of existing botnets is useful for botnet detection

  • Host-based botnet detection techniques

This approach proposes an anomaly detection IDS which produces a low false positive rate. A server-based approach is employed for anomaly detection while reducing false positive alarms in the network. Two approaches are combined for anomaly detection, including host-level anomaly detection and proliferation of the false positive rate. The Markov model is employed for anomaly detection. This suggested approach correlates malicious instances at the destination, which is considered a major drawback.
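As an added example, not part of the original answer, the following Python script turns two points from the answer into defender-side detection heuristics and runs them over constructed log lines: the short-TTL, multi-IP DDNS pattern from the server-migration paragraph, and a signature rule for several internal hosts joining the same IRC channel (the C&C rendezvous described above), then correlates the two. All hosts, domain names, IPs and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed DNS answer log: (client, domain, ttl_seconds, answer_ip).
# IPs come from the RFC 5737 documentation ranges; names use the .test TLD.
DNS_LOG = [
    ("10.0.0.5", "cdn.example.test", 86400, "203.0.113.10"),
    ("10.0.0.6", "cdn.example.test", 86400, "203.0.113.10"),
    ("10.0.0.5", "cc.dyn-example.test", 60, "198.51.100.7"),
    ("10.0.0.6", "cc.dyn-example.test", 60, "198.51.100.7"),
    ("10.0.0.7", "cc.dyn-example.test", 60, "192.0.2.44"),   # C&C name moved
    ("10.0.0.8", "cc.dyn-example.test", 30, "192.0.2.99"),   # and moved again
]

# Constructed connection log: (src, dst_ip, dst_port, first_client_line).
CONN_LOG = [
    ("10.0.0.5", "198.51.100.7", 6667, "JOIN #ops"),
    ("10.0.0.6", "198.51.100.7", 6667, "JOIN #ops"),
    ("10.0.0.7", "192.0.2.44", 6667, "JOIN #ops"),
    ("10.0.0.9", "203.0.113.20", 443, "\x16\x03\x01"),  # TLS hello, benign
]


def flag_migrating_domains(records, max_ttl=300, min_ips=2):
    """Domains answered only with short TTLs and pointing at several IPs:
    the DDNS server-migration pattern. Returns {domain: sorted IPs}."""
    ttls, ips = defaultdict(list), defaultdict(set)
    for _client, domain, ttl, ip in records:
        ttls[domain].append(ttl)
        ips[domain].add(ip)
    return {d: sorted(ips[d]) for d in ips
            if max(ttls[d]) <= max_ttl and len(ips[d]) >= min_ips}


def flag_irc_channels(records, min_hosts=2):
    """Signature rule: several internal hosts issuing IRC JOIN for the same
    channel, whichever server IP they used. Returns {channel: sorted hosts}."""
    members = defaultdict(set)
    for src, _dst, _port, line in records:
        if line.startswith("JOIN #"):
            members[line.split()[1]].add(src)
    return {ch: sorted(h) for ch, h in members.items() if len(h) >= min_hosts}


def correlate(dns_records, conn_records):
    """Hosts that both resolved a flagged domain and joined a flagged channel."""
    bad_domains = flag_migrating_domains(dns_records)
    resolvers = {c for c, d, _t, _i in dns_records if d in bad_domains}
    joiners = {h for hosts in flag_irc_channels(conn_records).values() for h in hosts}
    return sorted(resolvers & joiners)


if __name__ == "__main__":
    print(flag_migrating_domains(DNS_LOG))
    print(flag_irc_channels(CONN_LOG))
    print(correlate(DNS_LOG, CONN_LOG))
```

On real data the TTL threshold and host count need tuning, since CDNs also use short TTLs and many IPs; the correlation step is what keeps such benign names out of the final list.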
