CHAPTER 2
Drive-by download
Early variants of the Zeus botnet also adopted drive-by download for
initial infection, redirecting victims to a webpage that contains a
malicious Portable Document Format (PDF) file and exploits known
vulnerabilities in the Adobe Reader software. The Gumblar botnet exploits
similar vulnerabilities in Adobe Reader. The Asprox botnet initiates
Structured Query Language (SQL) injection attacks against vulnerable pages
built on Microsoft Active Server Pages (MSASP) to inject malicious scripts
that propagate the malware.
Software vulnerabilities
trigger buffer overflows, which allow the existing bots to send and install
malware on the victim machine without the user's knowledge.
Backdoor
Social Engineering
actually malware that turns the system into a zombie. Another popular
medium for social engineering is email with interesting subjects and content,
enticing users to download attachments. For example, the Srizbi/Reactor
botnet was behind the Ron Paul spam campaign. Storm sent spam emails with
catchy subjects that contained malicious links to install the bot binary on
victim machines. Zeus uses Facebook phishing and fake billing emails from
Verizon Wireless to initiate drive-by download.
After a successful initial infection, the next step is to download and
execute a small piece of code known as shellcode in order to create a bot
that is under the control of the botmaster. The shellcode fetches the actual
bot binaries from a specific location using Trivial File Transfer Protocol
(TFTP), File Transfer Protocol (FTP), HTTP or Peer-to-Peer networks.
Once the bot malware is installed, the victim machine turns into a zombie and
runs the malicious code. The bot malware starts automatically whenever the
zombie reboots.
2.1.3 Connection
Hardcoded IP address
After the connection phase, the actual botnet C&C activities
start. The botmaster uses the C&C channel to distribute commands to his bot army,
and the bots receive and execute the commands sent through this
channel. The C&C channel enables the botmaster to remotely control the actions of
a large number of bots to conduct various illicit activities. It also defines
the organization of a botnet: the way it functions and receives commands,
updates its features for performing various tasks, and transmits data.
The first generation of botnets used the IRC protocol as its C&C
structure. Because of the central point of failure, botmasters moved to more robust and
resilient C&C structures, namely P2P, HTTP, etc.
The C&C mechanism is the most important part of the
botnet design. It is used to instruct bots to carry out tasks
such as spamming, phishing, denial of service, etc. It directly determines the
fail, the remaining servers maintain the integrity of the botnet. Typically, botmasters
distribute the C&C servers across different countries so that the bots in those
locations can communicate with a server efficiently.
[Figure: C&C topologies, showing bots connected to one or more command servers (S), and a variant in which bots reach the servers through proxies.]
out the command server. Fast-flux uses rapid DNS record updates to change
the address of the botnet controller very frequently among a large and redundant
set of hosts, and it is considerably more resilient to interference than earlier
command approaches.
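The fast-flux behaviour described above can be recognised from the resolver's side: a domain whose A records keep rotating through many addresses in many different networks under short TTLs. The following detector is an added illustration, not code from the thesis; the DNS log, the domain names, the addresses and the thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed DNS resolution log: (domain, time_seconds, ttl, A records returned).
# Domains and addresses are sample values, not real indicators.
RESOLUTIONS = [
    ("update.example-legit.test", 0,    3600, ["198.51.100.10"]),
    ("update.example-legit.test", 3600, 3600, ["198.51.100.10"]),
    ("update.example-legit.test", 7200, 3600, ["198.51.100.11"]),
    ("cc.example-flux.test", 0,   300, ["203.0.113.5", "192.0.2.77", "198.51.100.200"]),
    ("cc.example-flux.test", 300, 300, ["203.0.113.9", "192.0.2.14", "100.64.3.8"]),
    ("cc.example-flux.test", 600, 300, ["198.18.4.1", "192.0.2.200", "203.0.113.50"]),
    ("cc.example-flux.test", 900, 300, ["100.64.9.9", "198.18.7.7", "192.0.2.3"]),
]

def prefix16(ip):
    """Coarse network key (/16) used as a stand-in for provider diversity."""
    return ".".join(ip.split(".")[:2])

def flux_score(resolutions):
    """Per-domain churn summary: distinct IPs, distinct /16s, smallest TTL, lookups."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None, "lookups": 0})
    for domain, _t, ttl, addrs in resolutions:
        s = stats[domain]
        s["lookups"] += 1
        s["ips"].update(addrs)
        s["nets"].update(prefix16(a) for a in addrs)
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return stats

def is_fast_flux(s, min_ips=6, min_nets=4, max_ttl=600):
    """Heuristic: many addresses, spread across networks, rotated with short TTLs.
    Thresholds are assumed values chosen for this example."""
    return len(s["ips"]) >= min_ips and len(s["nets"]) >= min_nets and s["min_ttl"] <= max_ttl

def flagged_domains(resolutions):
    """Names whose resolution history matches the fast-flux pattern."""
    return sorted(d for d, s in flux_score(resolutions).items() if is_fast_flux(s))

if __name__ == "__main__":
    for d, s in flux_score(RESOLUTIONS).items():
        verdict = "fast-flux" if is_fast_flux(s) else "ok"
        print(d, len(s["ips"]), "IPs,", len(s["nets"]), "/16s, min TTL", s["min_ttl"], verdict)
```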
The last phase of the botnet life cycle is the maintenance of bots and
the updating of the bot malware. Maintenance is a necessary step that keeps the
botmaster's army of bots up to date for further coordinated attacks.
There are many reasons for updating the bot binary across the bot
army, such as evading different detection techniques or adding further
functionality to the botnet. Server migration, which moves the bots to a
different C&C server, is also performed when the bot binary is updated. This phase is
usually considered a vulnerable phase: because the botmaster intends to
broadcast updates as quickly as possible, behavioural patterns of the zombie
machines belonging to the network may emerge and make the botnet
detectable.
[Figure: Botnet Attack Types. Bar chart of attack share (%) for Spam, DDoS, Clickfraud, ID theft and Others.]
Spamming
[Figure: Spam Botnets. Bar chart of spam per day in billions for Grum, Bobax, Rustock, Bagle, Mega-D, Maazben, Cutwail and Xarvester.]
[Figure: BlackEnergy Targets. Bar chart of the number of attacks per target.]
Further examples of botnets used for DDoS are Spybot
and Agobot (Barford & Yegneswaran 2007). The DDoS botnet of 2014 that
runs on Linux servers, named 'Wopbot', uses the Bash Shellshock bug to automatically
infect other servers. This botnet is active and scans the Internet for
vulnerable systems; reported targets include the United States Department of Defense
and, according to the chief executive of the Italian security consultancy Tiger Security, others. This botnet
has launched a DDoS attack against servers hosted by the content delivery
network Akamai and is also aiming at other targets. Two more DDoS botnets
from the same year, namely Warbot and Spikebot, are used to launch DDoS
attacks.
Click Fraud
Click fraud exploits Pay per Click (PPC) advertising. The advertiser's data
collection is corrupted by the generation of illegitimate clicks, so that the
advertiser pays for clicks that offer no sales prospects. The distributed
processing offered by a botnet allows the botmaster to allocate the task of
running automated scripts and binaries to many machines. These programs generate
clicks and therefore illicit income.
Bitcoin Mining
[Figure: Botmaster controlling Zombie 1 to Zombie 15 through a C&C server.]
[Figure: Taxonomy of botnet detection approaches: Classification, Clustering, Association-rule, Statistical, Graph based, Symptom based, Active monitoring, Passive monitoring.]
IRC-based, HTTP-based, and P2P botnets with a low false positive rate. The
system has many desirable features, but it needs a long monitoring time and
unforged, large-scale data to detect malicious activities; real botnets, however,
communicate silently with a large number of small packets and forge their
information. Strayer et al. (2008) proposed a network-based approach to
detect botnet traffic using machine learning techniques. The detection process
has two main steps: first, traffic that is unlikely to be part of a botnet is
eliminated; the remaining traffic is then classified into groups and correlated
to find common communication patterns that would suggest botnet activity.
This approach is specific to IRC botnets, and it cannot detect encrypted C&C
traffic.
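The two-step idea above (filter out traffic that is unlikely to be botnet traffic, then group and correlate what remains) can be sketched on flow summaries. This is an added illustration, not Strayer et al.'s classifier: the flow records, the filter thresholds and the correlation rule (several internal hosts holding long-lived, small-packet flows to one endpoint with near-identical message spacing) are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries, not real traffic:
# (src, dst, dport, packets, bytes, duration_s, mean_gap_between_packets_s)
FLOWS = [
    ("10.0.0.11", "203.0.113.40", 6667, 120, 7200, 3600, 30.0),  # periodic IRC keep-alive
    ("10.0.0.12", "203.0.113.40", 6667, 118, 7100, 3600, 30.5),
    ("10.0.0.13", "203.0.113.40", 6667, 121, 7260, 3600, 29.8),
    ("10.0.0.14", "203.0.113.40", 6667, 119, 7150, 3600, 30.2),
    ("10.0.0.21", "198.51.100.9", 443, 2000, 2500000, 60, 0.03),  # bulk download
    ("10.0.0.22", "198.51.100.9", 443, 1800, 2300000, 55, 0.03),
    ("10.0.0.31", "192.0.2.15", 80, 20, 12000, 5, 0.25),          # short web fetch
    ("10.0.0.11", "192.0.2.15", 80, 18, 11000, 4, 0.22),
]

def unlikely_bot_flow(flow, max_avg_pkt=200, min_duration=600):
    """Step 1 (assumed filter): drop bulk transfers (large average packet size)
    and short-lived flows; C&C chatter is long-lived and made of small packets."""
    _src, _dst, _dport, pkts, nbytes, duration, _gap = flow
    return nbytes / pkts > max_avg_pkt or duration < min_duration

def correlate(flows, min_hosts=3, max_gap_cv=0.1):
    """Step 2: group surviving flows by destination endpoint and flag endpoints
    contacted by several internal hosts whose packet spacing is nearly identical
    (coefficient of variation of the mean gap below max_gap_cv)."""
    groups = defaultdict(list)
    for flow in flows:
        if not unlikely_bot_flow(flow):
            groups[(flow[1], flow[2])].append(flow)
    suspicious = {}
    for endpoint, members in groups.items():
        hosts = {f[0] for f in members}
        gaps = [f[6] for f in members]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 else 1.0
        if len(hosts) >= min_hosts and cv <= max_gap_cv:
            suspicious[endpoint] = sorted(hosts)
    return suspicious

if __name__ == "__main__":
    for (dst, port), hosts in correlate(FLOWS).items():
        print(f"possible C&C endpoint {dst}:{port} shared by {len(hosts)} hosts: {hosts}")
```

Because the rule looks only at flow-level features, it is indifferent to whether the channel is encrypted; the IRC-specific parts of the original approach are what limited it to plaintext traffic.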
C&C server migration. The scheme can also detect botnets with encrypted
channels, since it uses only information from IP headers. The main drawback of the
approach is the high processing time required to monitor network traffic at
large scale.
2.6 SUMMARY