
Page 1: [Communications in Computer and Information Science] Digital Information and Communication Technology and Its Applications Volume 166 || A Wide Survey on Botnet

H. Cherifi, J.M. Zain, and E. El-Qawasmeh (Eds.): DICTAP 2011, Part I, CCIS 166, pp. 445–454, 2011. © Springer-Verlag Berlin Heidelberg 2011

A Wide Survey on Botnet

Arash Habibi Lashkari1, Seyedeh Ghazal Ghalebandi2, and Mohammad Reza Moradhaseli3

1 Advanced Informatics School, Universiti Teknologi Malaysia (UTM), Kuala Lumpur, Malaysia

2 Computer Science and Information Technology Department, University of Malaya (UM), Kuala Lumpur, Malaysia

3 Center of Technology and Innovation (R&D), UCTI, Kuala Lumpur, Malaysia

Abstract. Botnets are a serious security threat today, since they carry out large-scale Internet attacks through groups of compromised machines. The command and control (C&C) mechanism in a botnet's structure makes it more powerful than traditional attacks. Over time, botnet developers have switched to more advanced mechanisms to evade each new detection method and countermeasure. To our knowledge, existing surveys on botnets have focused on identifying attributes of botnet behavior; this paper therefore introduces botnets together with a well-known bot sample for each defined behavior, to give a clear view of botnets and their features. This paper builds on our two previous papers on botnets accepted at the IEEE conferences ICCSIT 2011 and ICNCS 2010.

Keywords: Botnet, P2P botnet, IRC botnet, HTTP botnet, Command and Control Models (C&C).

1 Introduction

The rapidly rising use of Internet-based communication, which spans thousands of connected networks, has shifted security practitioners' focus to protecting whatever passes through these connections against the malicious behavior of cyber criminals. But as developers improve their protection and detection methods, attackers create new ways of evasion.

Botnets are an emerging threat with thousands of infected computers. According to a recent report [25], the extent of the damage done by botnets is becoming more critical day by day. Botnets control zombies remotely and instruct them with commands from a Botmaster. The way a Botmaster directs the bots depends on the architecture of the botnet's command and control mechanism, such as IRC, HTTP, DNS, or P2P-based [24]. At this point, we turn our attention to presenting our study of botnets. Among recent papers, the intuition behind [5] is to propose key metrics on botnet structure, but bot samples are not covered there. Also in

[24] the focus is on characteristics of botnets without considering the performance of key metrics on botnet structure. This complementary paper therefore tries to cover these gaps so that it can manifest the underlying techniques of botnet structure. By doing so, researchers can improve their detection and prevention methods to deal with the growing number of botnets.

For the sake of discussion, but without loss of generality, we define a botnet as follows:

A botnet is a group of compromised computers. Botmasters are responsible for sending commands to and receiving responses from bot clients. A bot is nothing more than a software program; botnets are created when that software is downloaded or an infected email attachment is opened [1]. A vulnerable computer can become a member of a centralized control model in which it is able to communicate with other infected computers. A Botmaster devotes a server to work as a command center (Figure 1) [2].

Fig. 1. Communication of botnet components

2 Botnet Protocols

There are different classifications that address properties of botnets, such as command and control mechanism, protocol, infection method, type of attack and so on. First of all, this paper attempts to map which protocols are used and to present the existing bots based on each protocol.

2.1 IRC

Internet Relay Chat (IRC) was originally just a channel that enabled users to talk together in real time. After a while, malicious actors exploited vulnerabilities of these channels and applied them for nefarious purposes [17]. Agobot is one of the earlier kinds of IRC-based botnets, found at the end of 2002. This bot includes major components such as a command and control mechanism, the capability to launch DoS attacks, defense mechanisms such as patching vulnerabilities, and traffic sniffing to gather sensitive information [8]. Agobot exploits the Local Security Authority Subsystem Service (LSASS) vulnerability of the Windows operating system. In contrast with worms, bots like Agobot continue to victimize others while the PC's owner remains unaware of what is going on in their PC [26].

2.2 P2P

The P2P botnet concept represents a distributed malicious software network. This newer botnet technology is more resilient than previous protocols such as IRC or HTTP, because it increases survivability and conceals the identities of the operators. In contrast to IRC botnets, estimating the size of a P2P botnet is difficult [27].

2.2.1 Parasite

A parasite botnet is one type of P2P botnet. Its structure exploits an existing P2P network, and its members are limited to the vulnerable hosts that already exist inside that P2P network. Hence all bots in the network can find the other bots through the P2P protocol. It is convenient and simple to create a P2P botnet this way because all bots are chosen from the existing network. In this type of P2P botnet, bot peers and normal peers are mixed together; therefore, to collect more information in such a network, legitimate nodes can be chosen as sensors to help with monitoring [4]. In 2008, the Srizbi bot became well known as the world's worst spamming botnet. Srizbi runs inside the kernel on the infected host quite stealthily, within a network driver that carries its own TCP/IP stack. It uses rootkit techniques to hide its files and to bypass firewalls. It can be identified through TCP fingerprinting of the operating system on the infected host [31].

2.2.2 Leeching

A leeching botnet is the other class of P2P botnet built upon an existing P2P network; it exploits that network's protocols for its C&C structure, but the vulnerable hosts are chosen from across the Internet and then join and become members of the existing network. The leeching type looks like the parasite type but differs in the bootstrap step: a parasite botnet does not need a bootstrap step, whereas a leeching botnet does. After a peer is compromised it holds some files, and these files are used to make sure that commands from the Botmaster are forwarded to the proper peers [5]. According to [4], the earlier version of the Storm bot belongs to the leeching class of P2P botnets. The Storm bot propagates by email whose text attempts to trick the victim into opening the attachment or clicking the link inside the body of the email. The attachment can be a copy of the Storm binary. The goal is to copy the Storm binary to the victim's machine. To evade detection, the exploit code is changed periodically. After the victim runs the code, the machine is infected [33].

2.2.3 Bot-Only

The other type of P2P botnet is called bot-only, which differs completely from the other two because it has its own network. It also uses a bootstrap mechanism, and Botmasters in this type of botnet are even free to construct a new C&C protocol [5]. Nugache can be put into this class of P2P botnet. After the peer list is created, an encrypted P2P channel must be set up between client and servant: Nugache peers join the network through exchanging RSA keys. After these steps an internal protocol is used to determine the listening port number and the IP addresses in the peer list, as well as to identify a peer as a client or servant. Moreover, it will check whether binaries need to be updated. Bootstrapping controls the peer list [34].

2.3 HTTP

Bobax is known as an HTTP-based bot that exists to send spam. A template and a list of email addresses are required to send its email. It uses a Dynamic DNS provider, and plaintext HTTP is used to communicate with the HTTP-based C&C server [10].

3 Command and Control Models (C&C)

The command and control mechanism is used to instruct botnets. It directs the bots to carry out tasks such as denial of service, spamming, and finding new systems in order to recruit more bots [8].

3.1 Centralized C&C Model

There are two types of centralized C&C server in botnets, called pull style and push style, depending on whether commands are downloaded (pulled) by the bots or sent to them (pushed). Each centralized C&C is set up by the Botmaster, and which style is used typically depends on how the Botmaster instructs the bots. In push style the Botmaster has direct control over the botnet: any infected host is connected to the C&C server and waits there for commands. In pull style the Botmaster does not have direct control over the botnet, so in order to receive commands the bots contact the C&C server periodically [9]. Over the years, empirical research has shown that centralized C&C servers can be detected easily, and interruption of command and control leaves a useless botnet. Figure 2 shows the centralized command and communication mechanism.

Fig. 2. Centralized C&C mechanism

SDBot is an IRC-based botnet which uses a centralized command and control mechanism. First it establishes a connection to the server through commands like NICK and USER, PING and PONG, JOIN and so on. The next step is to wait for further commands delivered as PRIVMSG, NOTICE and TOPIC IRC messages [8].
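The handshake and command delivery just described, as an added worked example (this is not code from the paper or from SDBot): a small RFC 1459 message parser run over a constructed session with both the bot's and the server's lines. The channel, nick and host names and the `.update`, `.ddos` and `.sysinfo` command words are assumptions for the example; the heuristic only checks that a client registered (NICK, USER), answered PING, joined a channel, and then received prefixed orders in the channel topic or in PRIVMSG/NOTICE text.

```python
"""Parse an IRC C&C session of the kind described for SDBot.

Added example, not code from the paper or from SDBot. The session below is
constructed; the command words (".update", ".ddos", ".sysinfo") and the
channel/host names are assumptions, not a real bot's syntax.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 1459 message grammar: [':' prefix ' '] command params [' :' trailing]
_IRC_RE = re.compile(
    r"^(?::(?P<prefix>\S+) +)?(?P<command>[A-Za-z]+|\d{3})"
    r"(?P<params>(?: +[^: ][^ ]*)*)(?: +:(?P<trailing>.*))?$"
)

# Markers a herder puts in front of orders so bots can tell them from chatter
# (assumption for this example).
CMD_PREFIXES = (".", "!", "@")


@dataclass
class IrcMessage:
    direction: str            # "C": bot -> server, "S": server -> bot
    prefix: Optional[str]     # sender (server name or nick!user@host), if any
    command: str              # verb (NICK, JOIN, PRIVMSG, ...) or 3-digit numeric
    params: List[str]         # middle parameters, e.g. the channel name
    trailing: Optional[str]   # text after " :", where orders are carried


def parse_line(direction: str, line: str) -> IrcMessage:
    """Split one raw IRC line into prefix, command, parameters and trailing text."""
    m = _IRC_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not an IRC message: {line!r}")
    return IrcMessage(
        direction,
        m.group("prefix"),
        m.group("command").upper(),
        m.group("params").split(),
        m.group("trailing"),
    )


# Constructed capture of one bot's session: registration, keep-alive, channel
# join, then orders arriving in the channel topic (332 = RPL_TOPIC) and as
# PRIVMSG/NOTICE text, the sequence the paper describes for SDBot.
SESSION: List[Tuple[str, str]] = [
    ("C", "NICK [USA|XP]7f3a21"),
    ("C", "USER abc 0 * :abc"),
    ("S", "PING :2A3B4C5D"),
    ("C", "PONG :2A3B4C5D"),
    ("C", "JOIN #cc-chan botpass"),
    ("S", ":cc.example.net 332 [USA|XP]7f3a21 #cc-chan :.update http://cc.example.net/bot.exe"),
    ("S", ":herder!h@cc.example.net PRIVMSG #cc-chan :.ddos syn 192.0.2.10 80 600"),
    ("S", ":herder!h@cc.example.net NOTICE [USA|XP]7f3a21 :.sysinfo"),
    ("S", ":herder!h@cc.example.net PRIVMSG #cc-chan :hello everyone"),
]


def extract_commands(session):
    """Return (handshake verbs sent by the bot, orders delivered to it).

    An order is the trailing text of a topic reply, TOPIC change, PRIVMSG or
    NOTICE from the server side that starts with a command marker.
    """
    handshake: List[str] = []
    orders: List[Tuple[str, Optional[str], str]] = []
    for direction, line in session:
        msg = parse_line(direction, line)
        if direction == "C" and msg.command in {"NICK", "USER", "PONG", "JOIN"}:
            handshake.append(msg.command)
        elif direction == "S" and msg.command in {"332", "TOPIC", "PRIVMSG", "NOTICE"}:
            text = (msg.trailing or "").strip()
            if text.startswith(CMD_PREFIXES):
                target = msg.params[-1] if msg.params else None
                orders.append((msg.command, target, text))
    return handshake, orders


def looks_like_irc_cc(session) -> bool:
    """Heuristic: a registered client that joined a channel and then received prefixed orders."""
    handshake, orders = extract_commands(session)
    return {"NICK", "USER", "JOIN"} <= set(handshake) and bool(orders)


if __name__ == "__main__":
    hs, od = extract_commands(SESSION)
    print("handshake:", " -> ".join(hs))
    for verb, target, text in od:
        print(f"order via {verb:7} to {target}: {text}")
    print("C&C-like session:", looks_like_irc_cc(SESSION))
```

The same parser can be fed from a proxy or IDS reassembly of port 6667 traffic. On its own the per-session heuristic is weak, since a legitimate chat client produces the same handshake; the stronger signal is many clients in one channel reacting to the same order at the same time, which needs correlation across sessions.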

3.2 P2P-Based C&C Model

In P2P botnets the C&C server is concealed, so detection becomes harder. After a peer enters the network and contacts the other peers, it can finally become a member of that network. It then frequently updates its database by interacting with other peers. At this point the peer can play the role of command and controller; therefore commands are sent via this peer to the remaining peers [7].

Fig. 3. P2P-based C&C mechanism

The Storm botnet employs a P2P network structure as its C&C infrastructure to disseminate commands to the peers. The peers participate in illicit behavior such as email spam, phishing attacks, instant messaging attacks, etc. The Botmaster partitions the botnet and assigns a unique encryption key to each partition so that each partition can be employed individually for illicit activity. Once a Storm binary is installed on a victim's machine, a 128-bit ID is generated and a peer-list file is created whose entries consist of a 128-bit node ID, an IP address and a UDP port in hexadecimal format. A newly infected node joins the botnet, and the peer-list file is used to join and to find available updates from other nodes [22].

3.3 Unstructured C&C Model

The unstructured C&C model is also known as the random model. In this model there is no active connection between victim and bot; likewise, a bot does not have any information about

any more than one other bot. The command sender or Botmaster encrypts command messages and randomly scans the Internet, delivering a command to another bot when one is found. Finding a single bot does not lead to detection of the full botnet. Advantages include being difficult to detect or take down; disadvantages include latency and scalability [29].

4 Botnet Behaviors

We attempt to grasp botnet behavior by reviewing several related papers. Our survey makes clear that botnets carry out common serious attacks such as distributed denial of service, spamming, sniffing, etc., at large scale, since by their nature they recruit vulnerable systems to accomplish their nefarious purposes. Therefore in this section the behaviors and characteristics are described, with one bot sample for each.

4.1 DDoS Attack

BlackEnergy is an HTTP-based botnet whose primary goal is DDoS attacks. Messages exchanged between these bots and their controlling servers include the bot's ID and a unique build ID for the bot binary. The build ID is used to keep track of updates. BlackEnergy uses base64 encoding of commands to obscure the attacker's instructions [13]. Once the bots receive a command from a Botmaster that indicates a DDoS attack, all of them start to attack the defined target [14].

4.2 Spam

Mybot is one of the bots that uses the IRC protocol and a centralized structure for its connections. This bot is used to send spam. From a detection perspective, researchers have found that bots belonging to the same botnet send spam containing the same URLs. This result supports the fact that bot clients in the same group (botnet) act on the same instructions from the Botmaster [3].
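The URL-sharing observation above suggests a simple grouping rule: senders that advertise the same URL are assigned to the same candidate botnet. The following added example (not from the paper or from [3]) applies that rule with union-find over constructed spam samples; treating two URLs as identical once their query string and fragment are stripped is a design choice for this example, not something the paper specifies.

```python
"""Cluster spam senders into candidate botnets by the URLs they advertise.

Added example, not from the paper. Messages are constructed; treating two
URLs as "the same" after dropping query string and fragment is a design
choice for this example, not something the paper specifies.
"""
import re
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed spam samples: (sender IP, message body).
SPAM: List[Tuple[str, str]] = [
    ("198.51.100.1", "Cheap meds http://Pharma-Deal.example/buy?id=1"),
    ("198.51.100.2", "Cheap meds http://pharma-deal.example/buy?id=2"),
    ("198.51.100.3", "Limited offer http://pharma-deal.example/buy?id=3 see http://watch-sale.example/"),
    ("198.51.100.4", "Replica watches http://watch-sale.example/#top"),
    ("203.0.113.9", "Your invoice http://pay-now.example/inv"),
]


def normalize_url(url: str) -> str:
    """Canonical form: lower-cased scheme and host, path kept, query/fragment dropped."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"


def extract_urls(body: str) -> Set[str]:
    """All normalized URLs in a message body (trailing punctuation stripped)."""
    return {normalize_url(u.rstrip(".,;)")) for u in URL_RE.findall(body)}


class DisjointSet:
    """Union-find over sender IPs."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        self.parent[self.find(a)] = self.find(b)


def botnet_communities(spam: List[Tuple[str, str]]) -> List[FrozenSet[str]]:
    """Senders that share at least one advertised URL land in the same community.

    Returned largest community first; a sender with only unique URLs forms a
    singleton, so it is not silently dropped from the report.
    """
    senders_by_url: Dict[str, Set[str]] = defaultdict(set)
    ds = DisjointSet()
    for sender, body in spam:
        ds.find(sender)                       # register even senders with unique URLs
        for url in extract_urls(body):
            senders_by_url[url].add(sender)
    for senders in senders_by_url.values():   # every sender of a URL joins the first one
        first = next(iter(senders))
        for s in senders:
            ds.union(first, s)
    groups: Dict[str, Set[str]] = defaultdict(set)
    for sender in list(ds.parent):
        groups[ds.find(sender)].add(sender)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: (-len(g), min(g)))


if __name__ == "__main__":
    for i, community in enumerate(botnet_communities(SPAM), 1):
        print(f"community {i}: {sorted(community)}")
```

Transitive sharing is what makes this useful: sender .4 never advertised the pharmacy URL, yet it is linked to senders .1 to .3 through the watch URL it shares with .3, which is the kind of community a per-URL lookup would miss.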

4.3 Phishing

Since botnets enable attackers to control a large number of compromised computers, they are considered a threat to Internet systems, and attackers use bots to attack other systems, for example through identity theft [16]. Phishing is known for online financial fraud through stealing personal identity. Coreflood is a bot used for phishing. This bot takes orders from its command and control remotely, which makes it capable of keeping track of HTTP traffic [15].

4.4 Steal Sensitive Data

Attackers use bots in compromised machines to retrieve sensitive data from the infected host. Several bots have evolved to steal information, such as Agobot and SDBot. Besides spying, these bots carry out commands to run different programs and functions in order to achieve their goals. Spybot is a popular bot which uses different functions to gain information from infected hosts, such as listing RSA passwords and so on [17].

5 Infection Mechanisms

The infection mechanism refers to the way bots find new hosts. Earlier infection mechanisms include horizontal and vertical scans, where a horizontal scan targets a single port across a defined range of addresses, and a vertical scan targets a single IP address across a defined range of port numbers [8]. More recent methods improve on the traditional techniques, such as socially engineered malware links attached to or embedded in email, or remotely exploiting vulnerabilities on a host machine. Bots participate in malicious behavior automatically over the Internet. In contrast with earlier malware, the presence of the Botmaster makes bots more sophisticated, because they can be controlled [30].
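The horizontal/vertical distinction above translates directly into a detection rule over flow records. The added example below (not from the paper) applies it to constructed (source, destination, port) tuples: a source that reaches many destinations on one port is a horizontal scanner, one that reaches many ports on one destination is a vertical scanner. The thresholds of 16 distinct hosts or ports are assumptions for the example.

```python
"""Tell horizontal from vertical scans in connection records.

Added example, not from the paper. Records are constructed, simplified
flow tuples (src_ip, dst_ip, dst_port); the thresholds are assumptions.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Flow = Tuple[str, str, int]

# Constructed flows: one horizontal scanner (port 445 across 40 hosts), one
# vertical scanner (40 ports on one host) and one ordinary client.
FLOWS: List[Flow] = (
    [("198.51.100.7", f"192.0.2.{i}", 445) for i in range(1, 41)]
    + [("198.51.100.9", "192.0.2.50", p) for p in range(20, 60)]
    + [("203.0.113.4", "192.0.2.80", 443),
       ("203.0.113.4", "192.0.2.80", 80),
       ("203.0.113.4", "192.0.2.81", 443)]
)

HOST_THRESHOLD = 16   # distinct targets hit on one port  -> horizontal scan
PORT_THRESHOLD = 16   # distinct ports hit on one target  -> vertical scan


def classify_scanners(flows: Iterable[Flow],
                      host_threshold: int = HOST_THRESHOLD,
                      port_threshold: int = PORT_THRESHOLD) -> Dict[str, tuple]:
    """Map each scanning source to (kind, port-or-target, fan-out).

    Horizontal = "single port within a defined address range": count distinct
    destination IPs per (src, dst_port).
    Vertical = "single IP address within a defined range of port numbers":
    count distinct destination ports per (src, dst_ip).
    """
    hosts_per_port = defaultdict(lambda: defaultdict(set))   # src -> port -> {dst}
    ports_per_host = defaultdict(lambda: defaultdict(set))   # src -> dst  -> {port}
    for src, dst, port in flows:
        hosts_per_port[src][port].add(dst)
        ports_per_host[src][dst].add(port)

    verdicts: Dict[str, tuple] = {}
    for src in hosts_per_port:
        horiz = [(p, len(h)) for p, h in hosts_per_port[src].items() if len(h) >= host_threshold]
        vert = [(d, len(p)) for d, p in ports_per_host[src].items() if len(p) >= port_threshold]
        if horiz:                      # report the widest sweep a source made
            port, fanout = max(horiz, key=lambda t: t[1])
            verdicts[src] = ("horizontal", port, fanout)
        elif vert:
            dst, fanout = max(vert, key=lambda t: t[1])
            verdicts[src] = ("vertical", dst, fanout)
    return verdicts


if __name__ == "__main__":
    for src, (kind, where, n) in sorted(classify_scanners(FLOWS).items()):
        unit = "hosts on port" if kind == "horizontal" else "ports on host"
        print(f"{src}: {kind} scan, {n} distinct {unit} {where}")
```

In practice the counts should be kept per time window and the thresholds tuned to the monitored network, since a busy mail or web client legitimately touches many hosts on one port; the ordinary client in the sample stays below both thresholds and is not reported.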

5.1 Web Download

The web download command has two parameters, a URL and a file path: the first is used to download data and the second to store it. Through these commands, the IP addresses of targets are obtained [18]. Commands and updates are frequently fetched by infected hosts querying web servers [20].

5.2 Mail Attachments

A mail attachment is a file sent along with an e-mail message. An unexpected e-mail with a fake attachment can be considered suspicious if the sender is not known. Clickbot is an HTTP-based bot that spreads through email messages, which direct the recipient to open or download attachments that may be disguised as advertisements. Clickbots are instructed by the Botmaster. They carry out click fraud, and because each bot clicks from the IP address of the compromised PC, the fraudulent clicks are hard to distinguish from legitimate ones in web server logs [11] [12].

5.3 Automatically Scan, Exploit and Compromise

Recruiting new hosts is the most important part of the botnet creation mission in order to spread widely, and it is achieved by vulnerability scanning. To accomplish this goal, a large number of infected hosts attempt to identify exploitable vulnerabilities in new hosts. For example, an FTP service may suffer from a buffer overflow. A large range of IP addresses is then searched for this vulnerability, and the IP addresses found are recorded in a distinct log file. Afterwards several log files are compiled together for exploitation of the vulnerabilities [19].

6 Taxonomy

Having investigated botnets, their structure and their malicious behavior, it is necessary to classify the threats along further aspects that relate to possible defenses. The goal is to identify the most effective approach to treat botnets and to classify the key properties of botnet types. In this part we review important attributes of botnets [6]. The performance of botnets can be measured along the dimensions below:

6.1 Efficiency

The communication efficiency of a botnet can be used as a major factor in evaluating it [6]. It means how fast a command is delivered from the Botmaster to the botnet. In P2P botnets, where there is no direct link between command sender and receiver, efficiency is measured by the distance between peers. It also determines the reliability of command delivery in such a botnet, i.e., whether or not the command is successfully received [5].

6.2 Effectiveness

Effectiveness is used to determine the extent of damage caused directly by a particular botnet. In other words, the size of a botnet represents its effectiveness [5] [6].

6.3 Available Bandwidth

If normal bandwidth usage is subtracted from the maximum network bandwidth, the result is the available bandwidth [5].

6.4 Robustness

The robustness of a network is expressed by measures such as degree distribution and clustering [5]. If two pairs of nodes share a node, local transitivity measures the chance that the unshared nodes of the two pairs are also connected to each other. Robustness applies this fact to measure redundancy in the network [6].
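The efficiency measure of section 6.1 and the robustness measures of section 6.4 can both be computed on a botnet's communication graph. The added example below (not code from the paper or from [5] or [6]) does so for two constructed topologies, a star standing in for a centralized C&C and a small mesh standing in for P2P: mean hop count as the efficiency measure, degree distribution and local transitivity (the clustering coefficient) as the robustness measures, plus the size of the largest component that survives when the best-connected node is taken down.

```python
"""Efficiency and robustness metrics for a botnet's communication graph.

Added example, not from the paper. Two constructed topologies: a star
(centralized C&C, hub = node 0) and a small mesh (P2P). Edges are undirected.
"""
from collections import Counter, deque
from typing import Dict, Iterable, Set, Tuple

Graph = Dict[int, Set[int]]


def build_graph(edges: Iterable[Tuple[int, int]]) -> Graph:
    adj: Graph = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


# Centralized: every bot talks only to the C&C hub.
STAR = build_graph([(0, i) for i in range(1, 7)])
# P2P: two triangles joined by two bridges, so most nodes have a redundant path.
MESH = build_graph([(0, 1), (1, 2), (2, 0), (3, 4), (4, 5), (5, 3), (2, 3), (0, 5)])


def hop_distances(adj: Graph, start: int) -> Dict[int, int]:
    """Breadth-first search: hop count from start to every reachable node."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def avg_path_length(adj: Graph) -> float:
    """Efficiency: mean hop count over all node pairs (inf if some pair is disconnected)."""
    nodes = sorted(adj)
    total = pairs = 0
    for i, u in enumerate(nodes):
        dist = hop_distances(adj, u)
        for v in nodes[i + 1:]:
            if v not in dist:
                return float("inf")
            total += dist[v]
            pairs += 1
    return total / pairs if pairs else 0.0


def local_clustering(adj: Graph, u: int) -> float:
    """Local transitivity: fraction of u's neighbour pairs that are themselves linked."""
    nb = adj[u]
    k = len(nb)
    if k < 2:
        return 0.0
    links = sum(1 for a in nb for b in nb if a < b and b in adj[a])
    return links / (k * (k - 1) / 2)


def avg_clustering(adj: Graph) -> float:
    return sum(local_clustering(adj, u) for u in adj) / len(adj)


def degree_distribution(adj: Graph) -> Dict[int, int]:
    """degree -> number of nodes with that degree."""
    return dict(Counter(len(nb) for nb in adj.values()))


def remove_node(adj: Graph, u: int) -> Graph:
    return {v: nb - {u} for v, nb in adj.items() if v != u}


def largest_component(adj: Graph) -> int:
    seen: Set[int] = set()
    best = 0
    for u in adj:
        if u not in seen:
            comp = hop_distances(adj, u)
            seen.update(comp)
            best = max(best, len(comp))
    return best


def takedown_impact(adj: Graph) -> int:
    """Robustness check: bots still mutually reachable after the highest-degree node is removed."""
    hub = max(adj, key=lambda n: len(adj[n]))
    return largest_component(remove_node(adj, hub))


if __name__ == "__main__":
    for name, g in (("star", STAR), ("mesh", MESH)):
        print(f"{name}: avg hops {avg_path_length(g):.2f}, clustering {avg_clustering(g):.2f}, "
              f"degrees {degree_distribution(g)}, bots left after takedown {takedown_impact(g)}")
```

The two numbers pull in opposite directions, which is the trade-off the taxonomy is describing: the star delivers commands in fewer hops on average but has zero transitivity and collapses to isolated bots once the hub is removed, while the mesh needs slightly more hops yet keeps five of six bots connected after losing its best-connected node.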

7 Conclusion

Since botnets are emerging as a major danger to the Internet, this paper focused on botnet characteristics to grasp their mechanisms in more detail, as preparation for future study as well as for thwarting botnet communication. It has summarized the major characteristics of botnets, including botnet protocols; the command and control structures have been described, and botnet behaviors covered to address the serious attacks that drew our attention. The infection mechanism section completes the view by considering the architecture of existing botnet attack methods. The last part of this paper, the taxonomy, addresses different aspects of botnet characteristics. In each section we named bots well known for the related task, to shed light on it in the context of botnet structure.

References

1. Brodsky, A., Brodsky, D.: A Distributed Content Independent Method for Spam Detection. University of Winnipeg, Winnipeg, MB, Canada; Microsoft Corporation, Redmond, WA, USA (2007)
2. Cole, A., Mellor, M., Noyes, D.: Botnets: The Rise of the Machines (2006)
3. Botnets: The New Threat Landscape. Cisco Systems solutions (2007)
4. Shirley, B., Mano, C.D.: Sub-Botnet Coordination Using Tokens in a Switched Network. Department of Computer Science, Utah State University, Logan, Utah (2008)
5. Davis, C.R., Fernandez, J.M., Neville, S., McHugh, J.: Sybil attacks as a mitigation strategy against the Storm botnet. École Polytechnique de Montréal; University of Victoria; Dalhousie University (2008)
6. Li, C., Jiang, W., Zou, X.: Botnet: Survey and Case Study. National Computer Network Emergency Response Technical Team; Research Center of Computer Network and Information Security Technology, Harbin Institute of Technology, China (2010)
7. Dagon, D., Gu, G., Lee, C.P., Lee, W.: A Taxonomy of Botnet Structures. Georgia Institute of Technology, USA (2008)
8. Dittrich, D., Dietrich, S.: Discovery techniques for P2P botnets. Applied Physics Laboratory, University of Washington (2008)
9. Dittrich, D., Dietrich, S.: P2P as botnet command and control: a deeper insight. Applied Physics Laboratory, University of Washington; Computer Science Department, Stevens Institute of Technology (2008)
10. Stinson, E., Mitchell, J.C.: Characterizing Bots' Remote Control Behavior. Department of Computer Science, Stanford University, Stanford (2008)
11. Cooke, E., Jahanian, F., McPherson, D.: The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets. Electrical Engineering and Computer Science Department, University of Michigan (2005)
12. Naseem, F., Shafqat, M., Sabir, U., Shahzad, A.: A Survey of Botnet Technology and Detection. Department of Computer Engineering, University of Engineering and Technology, Taxila, Pakistan. International Journal of Video & Image Processing and Network Security IJVIPNS-IJENS 10(01) (2010)
13. Gu, G., Zhang, J., Lee, W.: BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic. School of Computer Science, College of Computing, Georgia Institute of Technology, Atlanta, GA (2008)
14. Milletary, J.: Technical Trends in Phishing Attacks. US-CERT (2005)
15. Nazario, J.: BlackEnergy DDoS Bot Analysis. Arbor Networks (October 2007)
16. McLaughlin, L.: Bot Software Spreads, Causes New Worries. IEEE Distributed Systems Online, ISSN 1541-4922 (2004)
17. Daswani, N., Stoppelman, M., the Google Click Quality and Security Teams: The Anatomy of Clickbot.A. Google, Inc. (2007)
18. Provos, N., Holz, T.: Virtual Honeypots: Tracking Botnets (2007)
19. Ianelli, N., Hackworth, A.: Botnets as a Vehicle for Online Crime. CERT Coordination Center (2005)
20. Barford, P., Yegneswaran, V.: An Inside Look at Botnets. Computer Sciences Department, University of Wisconsin, Madison (2007)
21. Royal, P.: On the Kraken and Bobax Botnets. Damballa (April 9, 2008)
22. Wang, P., Aslam, B., Zou, C.C.: Peer-to-Peer Botnets: The Next Generation of Botnet Attacks. School of Electrical Engineering and Computer Science, University of Central Florida, Orlando (2010)
23. Wang, P., Wu, L., Aslam, B., Zou, C.C.: A Systematic Study on Peer-to-Peer Botnets. School of Electrical Engineering & Computer Science, University of Central Florida, Orlando, Florida, USA (2009)
24. Mitchell, S.P., Linden, J.: Click Fraud: what is it and how do we make it go away. Thinkpartnership (2006)
25. Mori, T., Esquivel, H., Akella, A., Shimoda, A., Goto, S.: Understanding Large-Scale Spamming Botnets From Internet Edge Sites. NTT Laboratories, Tokyo, Japan; University of Wisconsin-Madison; Waseda University, Tokyo, Japan (2010)
26. Holz, T., Steiner, M., Dahl, F., Biersack, E., Freiling, F.: Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm. University of Mannheim; Institut Eurécom, Sophia Antipolis (2008)
27. Holz, T.: Spying with bots. Laboratory for Dependable Distributed Systems, RWTH Aachen University (2005)
28. Lu, W., Tavallaee, M., Ghorbani, A.A.: Automatic Discovery of Botnet Communities on Large-Scale Communication Networks. University of New Brunswick, Fredericton, NB, Canada (2009)
29. Zhu, Z., Lu, G., Chen, Y., Fu, Z.J., Roberts, P., Han, K.: Botnet Research Survey. Northwestern University, Evanston, IL (2008)
30. Zhu, Z., Lu, G., Fu, Z.J., Roberts, P., Han, K., Chen, Y.: Botnet Research Survey. Northwestern University; Tsinghua University (2008)
31. Li, Z., Hu, J., Hu, Z., Wang, B., Tang, L., Yi, X.: Measuring the botnet using the second character of bots. School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, China (2010)