In: Computer Science
A BOTNET is a collection or a network of infectious ‘bots’ i.e. machines. Botnets have become a platform for the infection to the Internet. In this context, elucidate in detail about the Botnet life cycle Diagram and identify the role played by command and control server in the Botnet life cycle. Do any techniques exist to detect Botnets? If yes, exemplify. Cite your sources.
BOTNET LIFE CYCLE:
6 STAGES OF THE BOTNET LIFE CYCLE:
1) Botnet conception: This is the first stage in any botnet life cycle. The motivation for creating a botnet is an essential element that directly affects its design and implementation. Diverse reasons might underlie a developer's decision to build a botnet. Its main design characteristics are defined in this stage, and these are obviously influenced by the specific purpose intended for the botnet.
2) Botnet recruitment: Once a botnet is conceived and created, individual bots are needed. Thus, a botmaster must recruit conventional hosts as members of the botnet.
3) Botnet interaction: This stage involves two different processes. First, infected bots must be registered with the botnet in order to take part in its dynamics and functioning. Second, there must be a communication framework supporting the operation and maintenance of the botnet, so that the botmaster can keep in contact with the different bots. These communications are mainly supported by a C&C channel. The information exchanged consists of orders (from the botmaster to the bots) and maintenance operations (code updating, membership accounting, etc.).
4) Botnet marketing: Although the most common motivation for a developer to initiate the design and implementation of a botnet is monetary profit, there are many other possible reasons, including ego, a specific cause, entrance to social groups, etc. Whatever the motivation, there is a marketing stage during which the botnet must be publicized; the developer needs to convey the advantages and capabilities of the botnet in a relevant forum in order to cede its use to clients and thus profit from it.
5) Attack execution: In this stage, the botmaster orders the bots to perform an attack. As stated before, one of the main features of botnets is the huge number of bots recruited to carry out the malicious activities. Therefore, botnets are effective weapons for launching attacks that require a large number of hosts: DDoS, spam, click fraud, and phishing, among others.
6) Attack success: The ultimate goal of a botnet is to successfully execute the attack for which it was designed.
ROLE PLAYED BY THE COMMAND AND CONTROL SERVER:
Command and Control (C&C) servers are centralized machines that can send commands to, and receive output from, the machines that are part of a botnet. At any time, attackers who wish to launch a DDoS attack can send special commands to their botnet's C&C servers with instructions to attack a particular target, and any infected machine communicating with that C&C server will comply by joining a coordinated attack.
Botnet C&C servers often exist in one of four structures, each with its own pros and cons: star, multi-server, hierarchical, and random.
Random topology botnets do not rely on any C&C servers; rather, all botnet commands are sent directly from one bot to another, provided they are deemed to be "signed" by some special means indicating that they originated from the botnet owner or another authorized user. Such botnets have very high latency, and will often allow many bots within a botnet to be enumerated by a researcher with only one captured bot. Many times, special forms of encrypted bot-to-bot communication over public peer-to-peer networks are used in conjunction with a more complex C&C server topology (such as in the TDL-4 botnet) in order to render such botnets particularly difficult to dismantle.
Techniques that exist to detect botnets:
1) Honeypots and honeynets:
A honeypot can be defined as an "environment where vulnerabilities have been deliberately introduced to observe attacks and intrusions". Honeypots have a strong ability to detect security threats, to collect malware signatures and to understand the motivation and technique behind the threat used by the perpetrator. In a wide-scale network, honeypots of different sizes form a honeynet. Usually, honeynets based on Linux operating systems are preferred because of their rich capabilities and toolbox contents.
Honeypots are classified as high-interaction and low-interaction according to their emulation capacity. A high-interaction honeypot can simulate almost all aspects of a real operating system. It gives responses for known ports and protocols as a real zombie computer would. On the other hand, low-interaction honeypots simulate only the important features of a real operating system. High-interaction honeypots allow intruders to gain full control of the operating system; low-interaction honeypots do not. Honeypots are also classified according to their physical state. A physical honeypot is a real machine running a real operating system. A virtual honeypot is an emulation of a real machine on a virtualization host.
The value of a honeypot is determined by the information obtained from it. Monitoring the network traffic on a honeypot lets us gather information that is not available to network intrusion detection systems (NIDS). For example, we can log the keystrokes of an interactive session even if encryption is used to protect the network traffic. NIDS require signatures of known attacks to detect malicious behavior, and often fail to detect compromises that were unknown before deployment. On the other hand, honeypots can detect vulnerabilities that have not been found yet. For example, we can detect a compromise by observing network traffic on the honeypot even if the cause of the exploit has never been seen before.
As honeypots and honeynets are very popular in detecting and preventing threats, intruders are seeking new ways of detecting and evading honeypot traps. Some feasible techniques used by intruders include detecting VMware or other emulated virtual machines and detecting incoherent responses from bots. Researchers have also successfully identified honeypots with intelligent probing based on public Internet threat report statistics. In addition, Krawetz (2004) has presented a commercial spamming tool, called "Send-Safe's Honeypot Hunter", which has an anti-honeypot function. Zou and Cunningham have proposed a system to detect and eliminate honeypot traps in P2P networks.
2) Signature-based detection technique:
Malware executable signatures are widely used for detecting and classifying malware threats. Signatures based on known malware have discriminating power for classifying the executables running on an operating system. Rule-based intrusion detection systems like Snort run by using known malware signatures. They monitor the network traffic and detect signs of intrusion. The detection may be based on the signatures of malicious executables or on the signatures of the malicious network traffic generated by malware. However, signature-based detection techniques can only detect known botnets. Thus, this solution is not useful for unknown bots.
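To make the "known bots only" limitation concrete, here is an added example (not part of the original answer, and not Snort's own code) of a toy Snort-style matcher. The packets, the two signatures and the bot families they describe are all constructed for the example; the last packet is a variant of the first bot whose nick format changed, so the signature written for the earlier build no longer fires.

```python
"""Signature-based detection in the style of a Snort rule set.

Everything here is constructed for the example: the packets, the signatures
and the hosts are made up, and the matcher is a toy, not Snort itself.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


@dataclass
class Signature:
    name: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    pattern: bytes         # regular expression applied to the payload


# Constructed signatures for two fictitious bot families.
SIGNATURES = [
    # IRC-style C&C registration: the bot picks a nick of the form [CC|digits].
    Signature("irc-bot C&C join (constructed)", "tcp", 6667,
              rb"^NICK \[[A-Z]{2}\|\d+\]"),
    # Known dropper: a bare GET for an .exe on port 80.
    Signature("dropper download (constructed)", "tcp", 80,
              rb"^GET /[A-Za-z0-9_-]+\.exe HTTP/1\.[01]"),
]


def match_signatures(packet: Packet, signatures=SIGNATURES) -> List[str]:
    """Return the names of every signature the packet triggers."""
    hits = []
    for sig in signatures:
        if sig.proto != packet.proto:
            continue
        if sig.dport is not None and sig.dport != packet.dport:
            continue
        if re.search(sig.pattern, packet.payload, re.MULTILINE):
            hits.append(sig.name)
    return hits


def scan(packets: List[Packet], signatures=SIGNATURES) -> List[Tuple[str, str, str]]:
    """Run all packets through the rule set; return (src, dst, signature) alerts."""
    alerts = []
    for pkt in packets:
        for name in match_signatures(pkt, signatures):
            alerts.append((pkt.src, pkt.dst, name))
    return alerts


# Constructed traffic: two known bots, one benign client, and one variant bot
# whose protocol differs slightly from what the signature describes.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "203.0.113.10", "tcp", 6667,
           b"NICK [US|48211]\r\nUSER bot 0 * :bot\r\n"),
    Packet("10.0.0.7", "198.51.100.20", "tcp", 80,
           b"GET /update.exe HTTP/1.1\r\nHost: 198.51.100.20\r\n\r\n"),
    Packet("10.0.0.9", "198.51.100.30", "tcp", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # Same bot family, but a new build changed the nick format: the signature
    # written for the old build does not fire, which is the known-only limit.
    Packet("10.0.0.5", "203.0.113.10", "tcp", 6667,
           b"NICK us_48211_bot\r\nUSER bot 0 * :bot\r\n"),
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print("ALERT %s -> %s : %s" % alert)
```

Running the block prints two alerts (the IRC join and the dropper download) and stays silent on both the benign request and the changed bot build, which is exactly the gap the anomaly-based techniques below try to close.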
3) Anomaly-based detection technique:
Exploring new botnet detection techniques based on network behavior is a considerable research area for botnet researchers. Anomaly-based botnet detection tries to detect bot activities based on several network behavior anomalies, such as unexpected network latencies, network traffic on unusual and unused ports, high volumes of traffic for a mid-sized network, or unusual system behaviors that could indicate the presence of malicious parties in the network.
4) DNS-based detection technique:
As mentioned in the first section, a typical bot's activity starts by getting commands and their execution parameters from the command and control center. Thus bots are bound to send DNS queries to learn the IP address of the command and control center. C&C servers generally have a distributed nature in present-day botnets. Hence they have to use dynamic DNS (DDNS) entries with a short time to live to hide from intrusion detection/prevention systems. Thus, it is possible to detect botnet DNS traffic by monitoring DNS activity and detecting unusual or unexpected DNS querying. DNS-based techniques are quite similar to other anomaly-based detection techniques. They are commonly based on detection of the anomalous DNS network traffic generated by bot computers.
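The following is an added example (not from the original answer) of the DNS-based idea applied to resolver logs. The one-query-per-line log format, the client addresses, the names and the thresholds are all invented for the example. It applies two heuristics: a client that keeps re-resolving the same name under a short TTL while the answer rotates (the DDNS pattern described above), and a client whose lookups mostly fail, which is one form of "unexpected querying".

```python
"""DNS-based detection over constructed resolver log lines.

The log format, the hosts and the names are invented for this example; the
thresholds are illustrative, not tuned values.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Field order (constructed): timestamp client qtype qname rcode answer ttl=<n|->
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s+"
    r"(?P<rcode>\S+)\s+(?P<answer>\S+)\s+ttl=(?P<ttl>-|\d+)$"
)

# Constructed log: one ordinary client, one client polling a DDNS name whose
# answer keeps changing, and one client whose lookups mostly fail.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 10.0.0.11 A www.example.com NOERROR 192.0.2.10 ttl=3600
2024-03-01T09:00:05Z 10.0.0.11 A mail.example.com NOERROR 192.0.2.25 ttl=3600
2024-03-01T09:01:10Z 10.0.0.11 A cdn.example.net NOERROR 192.0.2.80 ttl=300
2024-03-01T09:03:40Z 10.0.0.11 A www.example.com NOERROR 192.0.2.10 ttl=3600
2024-03-01T09:00:00Z 10.0.0.20 A c2-update.ddns-example.net NOERROR 198.51.100.7 ttl=30
2024-03-01T09:00:30Z 10.0.0.20 A c2-update.ddns-example.net NOERROR 198.51.100.7 ttl=30
2024-03-01T09:01:00Z 10.0.0.20 A c2-update.ddns-example.net NOERROR 203.0.113.44 ttl=30
2024-03-01T09:01:30Z 10.0.0.20 A c2-update.ddns-example.net NOERROR 203.0.113.44 ttl=30
2024-03-01T09:02:00Z 10.0.0.20 A c2-update.ddns-example.net NOERROR 198.51.100.91 ttl=30
2024-03-01T09:02:30Z 10.0.0.20 A c2-update.ddns-example.net NOERROR 198.51.100.91 ttl=30
2024-03-01T09:00:02Z 10.0.0.21 A www.example.com NOERROR 192.0.2.10 ttl=3600
2024-03-01T09:00:03Z 10.0.0.21 A kq3x9vb2.example.org NXDOMAIN - ttl=-
2024-03-01T09:00:04Z 10.0.0.21 A zr81mnp0.example.org NXDOMAIN - ttl=-
2024-03-01T09:00:05Z 10.0.0.21 A f7lwq2ac.example.org NXDOMAIN - ttl=-
2024-03-01T09:00:06Z 10.0.0.21 A u0pe5kd9.example.org NXDOMAIN - ttl=-
2024-03-01T09:00:07Z 10.0.0.21 A hh2m4xcv.example.org NXDOMAIN - ttl=-
2024-03-01T09:00:08Z 10.0.0.21 A b9q1tz7n.example.org NXDOMAIN - ttl=-
"""


def parse(log_text: str) -> List[dict]:
    """Parse the constructed log; lines that do not match the format are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ttl"] = None if rec["ttl"] == "-" else int(rec["ttl"])
        records.append(rec)
    return records


def profile_hosts(records: List[dict]) -> Dict[str, dict]:
    """Aggregate per-client counters from the parsed records."""
    hosts = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "per_name": Counter(),
                                 "answers": defaultdict(set), "min_ttl": {}})
    for r in records:
        h = hosts[r["src"]]
        h["queries"] += 1
        h["per_name"][r["qname"]] += 1
        if r["rcode"] == "NXDOMAIN":
            h["nxdomain"] += 1
        else:
            h["answers"][r["qname"]].add(r["answer"])
        if r["ttl"] is not None:
            prev = h["min_ttl"].get(r["qname"])
            h["min_ttl"][r["qname"]] = r["ttl"] if prev is None else min(prev, r["ttl"])
    return hosts


def detect(records: List[dict], short_ttl: int = 60, repeat_min: int = 5,
           nx_ratio: float = 0.5, min_queries: int = 5) -> Dict[str, List[str]]:
    """Flag clients whose DNS behaviour matches either heuristic."""
    findings = {}
    for src, h in profile_hosts(records).items():
        reasons = []
        # Heuristic 1: the same name re-resolved repeatedly under a short TTL
        # (the DDNS pattern); a rotating answer set makes it more suspicious.
        for name, n in h["per_name"].items():
            ttl = h["min_ttl"].get(name)
            if n >= repeat_min and ttl is not None and ttl <= short_ttl:
                reasons.append(f"{name} resolved {n} times at TTL {ttl}s, "
                               f"{len(h['answers'][name])} distinct answers")
        # Heuristic 2: a client whose lookups mostly fail.
        if h["queries"] >= min_queries and h["nxdomain"] / h["queries"] >= nx_ratio:
            reasons.append(f"{h['nxdomain']}/{h['queries']} queries returned NXDOMAIN")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in detect(parse(SAMPLE_LOG)).items():
        print(src)
        for why in reasons:
            print("   ", why)
```

On the constructed log, 10.0.0.20 is reported for six resolutions of the same DDNS name at TTL 30 with three different answers, and 10.0.0.21 for six of seven queries returning NXDOMAIN; the ordinary client 10.0.0.11 is not reported. Real deployments need thresholds chosen from the network's own baseline, since CDN names also use short TTLs.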
5) Data-mining-based detection technique:
Anomaly-based techniques are mostly based on network behavior anomalies such as high network latency or activity on unused ports. However, C&C traffic usually does not reveal anomalous behavior; it is mostly hard to differentiate C&C traffic from usual traffic. From this point of view, pattern recognition and machine learning based data mining techniques are very useful for extracting unexpected network patterns. Firstly, it is useful to look at the preprocessing tasks of anomaly-based and data-mining-based botnet detection systems. Davis and Clark present a review of known preprocessing tasks for anomaly-based and mining-based intrusion detection techniques.
This is how a botnet works.
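As an added example serving both the anomaly-based technique (unused ports, high volume) and the data-mining technique (preprocessing raw flows into per-host features and scoring outliers statistically), here is a small flow analyser. It is not from the original answer or from any published system: the flow records are built in code, EXPECTED_PORTS and VOLUME_LIMIT are a hypothetical site policy, and the z-score outlier scoring is one simple instance of the statistical approach. One host is caught by the port rule; a second host beacons to a single server over 443, so no rule fires, and only its standardised feature profile stands out.

```python
"""Flow-based detection: anomaly rules plus a statistical outlier score.

Everything below is constructed for the example: the flow records are built in
code, EXPECTED_PORTS and VOLUME_LIMIT are a hypothetical policy, and the z-score
scoring is one simple instance of the data-mining approach.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Ports this hypothetical network expects its clients to use; anything else
# counts as an "unused port" for the anomaly rule.
EXPECTED_PORTS = {25, 53, 80, 123, 443}
VOLUME_LIMIT = 5_000_000  # bytes per host in the window (hypothetical threshold)

Flow = Tuple[str, str, int, int]  # (src, dst, dport, bytes)


def build_sample_flows() -> List[Flow]:
    """Construct NetFlow-like records for six hosts (not captured traffic)."""
    s = ["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4", "198.51.100.5"]
    flows: List[Flow] = []
    # Four ordinary workstations: a few web and DNS flows to a few servers.
    flows += [("10.0.0.11", d, p, 8000) for d, p in
              [(s[0], 443), (s[1], 443), (s[2], 80), (s[3], 53), (s[0], 443)]]
    flows += [("10.0.0.12", d, p, 9000) for d, p in
              [(s[0], 443), (s[2], 80), (s[0], 443), (s[3], 53)]]
    flows += [("10.0.0.13", d, p, 7000) for d, p in
              [(s[0], 443), (s[1], 443), (s[2], 80), (s[3], 53), (s[4], 443), (s[0], 443)]]
    flows += [("10.0.0.14", d, p, 9000) for d, p in
              [(s[0], 443), (s[1], 443), (s[2], 80), (s[3], 53), (s[1], 443)]]
    # A host talking IRC-style C&C on port 6667: caught by the port rule.
    flows += [("10.0.0.30", d, p, 6000) for d, p in
              [(s[0], 443), (s[2], 80), (s[3], 53), ("203.0.113.5", 6667), ("203.0.113.5", 6667)]]
    # A host beaconing to one server over 443: every flow looks like ordinary
    # HTTPS, so no port rule fires; only its statistical profile stands out.
    flows += [("10.0.0.20", "203.0.113.9", 443, 300)] * 30
    return flows


def host_features(flows: List[Flow]) -> Dict[str, dict]:
    """Preprocessing step: aggregate per-source features from raw flows."""
    acc = defaultdict(lambda: {"flows": 0, "bytes": 0, "dsts": set(), "unused_ports": set()})
    for src, dst, dport, nbytes in flows:
        h = acc[src]
        h["flows"] += 1
        h["bytes"] += nbytes
        h["dsts"].add(dst)
        if dport not in EXPECTED_PORTS:
            h["unused_ports"].add(dport)
    return {src: {"flows": h["flows"], "bytes": h["bytes"], "dsts": len(h["dsts"]),
                  "bytes_per_flow": h["bytes"] / h["flows"],
                  "unused_ports": sorted(h["unused_ports"])}
            for src, h in acc.items()}


def rule_alerts(feats: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Anomaly rules: traffic on unused ports, or unusually high volume."""
    alerts = []
    for src in sorted(feats):
        f = feats[src]
        if f["unused_ports"]:
            alerts.append((src, f"traffic on unused ports {f['unused_ports']}"))
        if f["bytes"] > VOLUME_LIMIT:
            alerts.append((src, f"volume {f['bytes']} bytes exceeds limit"))
    return alerts


def outlier_scores(feats: Dict[str, dict],
                   keys=("flows", "dsts", "bytes_per_flow")) -> Dict[str, float]:
    """Standardise each feature over all hosts; a host's score is its largest |z|."""
    scores = {src: 0.0 for src in feats}
    for key in keys:
        values = [feats[src][key] for src in feats]
        mean, sd = statistics.mean(values), statistics.pstdev(values)
        if sd == 0:  # constant feature carries no information
            continue
        for src in feats:
            scores[src] = max(scores[src], abs((feats[src][key] - mean) / sd))
    return scores


def detect(flows: List[Flow], z_threshold: float = 2.0) -> dict:
    """Combine the rule-based alerts with the statistical outliers."""
    feats = host_features(flows)
    scores = outlier_scores(feats)
    return {"rule_alerts": rule_alerts(feats),
            "outliers": sorted(src for src, z in scores.items() if z >= z_threshold),
            "scores": scores}


if __name__ == "__main__":
    result = detect(build_sample_flows())
    for src, why in result["rule_alerts"]:
        print("RULE    ", src, why)
    for src in result["outliers"]:
        print("OUTLIER ", src, "score=%.2f" % result["scores"][src])
```

On the constructed flows, 10.0.0.30 is reported by the unused-port rule and 10.0.0.20 only by the outlier score (its 30 tiny flows to one server give it a flow-count z-score above 2 while the four workstations stay well below 1.5). With only six hosts the z-scores are illustrative; in practice the baseline is computed over many hosts and longer windows, and the preprocessing step is where most of the engineering effort goes.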