http://wiki.cas.mcmaster.ca/index.php?feed=atom&target=Rosard&title=Special%3AContributionsComputing and Software Wiki - User contributions [en]2026-05-21T13:37:15ZFrom Computing and Software WikiMediaWiki 1.15.1http://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-12T23:46:05Z<p>Rosard: </p>
<hr />
<div>Each phase our world has its healthiness’ such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealth has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. This vast information sea has been spread through the [[Internet|internet network]], which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as [[viruses]], [[Computer worms|worms]], [[Trojan horses]] and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to increase the spread of these threats. One powerful way of this spread, has been through Bots that integrate Botnets, which are the main focus of this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br>[[Image:20080923-spam-botnet.jpg|right|Bots]]<br><br />
<br />
== Bot? What is it?? How it works???==<br />
<br><br />
A Bot is a type of malicious software that after successfully invading a machine (called [[Zombie computers]]), usually installed via worms, Trojan horses, or through [[Back doors]], under a common [[command-and-control]] (C&C) infrastructure. These new installed malicious software (most likely to exist in machines that run on [[Windows]] OS - most used OS in the world -, which don't have a file-user safe executing system like computers that run on [[Linux]] or [[Mac]] OS) behave like “worm” processes, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then, they connect to a communication channel ([[IRC]], [[Web Server]] or [[Peer to Peer File Sharing|P2P Server]]), allowing the attacker (Bot Herder) full control of this machine through a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from the infected user PC, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers; however an exponential number of Bots integrating a Botnet can be way more catastrophic turn of events.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines (infected PC’s) are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
[[Image:Vk bb 0508 pic02.png]]<br />
=== Life cycle of a Botnet ===<br />
[[Image:Untitled-1.jpg|right|200px|frame|Schematic time line of a Botnet]]<br />
* Initial setup of configuration settings of the Bot parameters such as infection vectors, payload, stealth, C&C details<br />
* Register a dynamic [[DNS]] ([[DDNS]])<br />
* Register a [[static IP]]<br />
* Bot Herder infect PC's with the Bot(s)<br />
** Bot propagates the infection according to the configuration settings<br />
** Bot scans for vulnerabilities that it may encounter<br />
** Idle<br />
** Performs actions received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The owner of an infected PC with a Bot realizes the PC is a zombie so it kills the Bot.<br />
*** The chain of command may be compromised above the level.<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privacy privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What actions are being taken to control this terrible plague? On the following sections, this article will discuss how has this threat being used (mainly as one effective malicious way of breaking into data [[integrity]], [[availability]] and [[confidentiality]] of a computer network) and ways to detain it.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the [[anti-viruses]] systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “[[Proxy Server|Proxys]]” through where the IRC commands will be sent, or through a series of "hops". These layers make the [[crackers]] hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated with any security application. Other Bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti-virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the Bot client modules is usually set to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, Bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, Bots needed to be able to operate as the channel operator. This turn of events lead the Bots apps to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to the users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, [[mIRC]] based. Runs scripts in response to IRC server events Supports raw [[TCP]] and [[UDP]] [[Socket]] connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in [[C++]] where its source code is available to [[hacker]] community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 [[Symantec]] released an internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active Bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active Bot network computers. They also discovered that many bots were not usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, [[McAfee]] was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) Bot related. The national telecommunication company reported the following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank [[ATM]] service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; a small Botnet of 10,000 Bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, [[Microsoft]] has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to [[VeriSign]], the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into pod casts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the [[FBI]].<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the [[International Botnet Task Force]] since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", [[Vint Cerf]], has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending [[spam]] and [[spy ware]] and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for [[Facebook]] that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks: Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of [[Computer Science]] in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open [[ports]], and overriding [[Internet Cookies and Confidentiality|authentication mechanisms]] that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces ([[APIs]]) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
[[Image:Spam2 2.jpg|thumb|right]]<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
=== Phishing ===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the [[Phishing|Phisher]] sends mass of email trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys through "brute-force social engineering". A lot of layman users today, still write files like with name "word-key.txt", "photoshop_key.doc", etc. Through files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whomever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As mentioned before, information is the most valuable resource of our century. Bots also are able to work as [[key loggers]] to record key strokes or even [[Screen Loggers]] to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not Phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are others distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
The detection of Bots is a really difficult task. The big variety of the malicious code for these kind of application really makes its detection challenging. There are some tools that have been used against this threat, some in open source, and other for commercial purposes. Unfortunately, none of them have been sufficiently generic to detect all varieties of the most common Bots. In the mean time we should use some techniques and tools to detect and/or prevent the infection.<br />
<br />
=== Some signs of infection by Bots ===<br />
* High invisible to visible user ratio<br />
* High user to channel ratio<br />
* Server display name doesn't match [[IP Address]]<br />
* Suspicious nicks, topics and channel names<br />
* Suspicious DNS name used to find server(s)<br />
* Suspicious [[ARR(s)]] associated with DNS name<br />
* Connected hosts exhibiting suspicious behavior<br />
* TCP port 6667 open when an IRC client is not running<br />
* IRC port 113 usually suggests bots. This port has being mainly used to be a data port from the Bot to the Bot Herder.<br />
<br />
=== Enrolling in the Botnet War ===<br />
Monitoring the network traffic, at the first instance, can look useless; although, it can be a key and effective action when executed with efficiency. For example, by knowing the ports that are most used for the Bot Herder's communication with the Bots, we can modify the flow of data through these ports or maybe even verify if they are open when they should be closed, for example.<br />
<br><br />
=== TCPDump ===<br />
A way to make this monitoring more reliable is the integration of these functions to a "logging" analysis of host(s). A really good open source [[Sniffer]] is the [[TCPDump]] (www.tcpdump.org). This application makes the capture of packets possible in a whole network, or even from only one individual host though a specific port by using a filtering option. This is really important, because a lot of Sniffers capture "noise packets" from other hosts which implies in a harder analysis.<br />
<br><br />
With this power, from the moment that we determine a host which could be used as a zombie computer in a Botnet, we use the following command to capture it's traffic, for example, from coming from it's port 6667 (common port for communication with Bot Herders):<br />
* # tcpdump –X –s 1500 host 192.168.1.1 and tcp port 6667<br />
=== DarkNets ===<br />
The combat against Botnets has been been really intense in the latest years. Today, there are gropus dedicated to only search the Internet looking for these "Zombies" networks. There are some networks that are exclusively running only as a trap to catch these Botnets; they are called [[Darknets]]. The term Darknet is used to determine a range of IP addresses which should have not being used by any host in the network. The truth is that network on these IP addresses is considered illegal.<br />
<br><br />
Darknets can be used by organizations that wish to verity if their network has any irregularity. Although they are getting more famous on the combat of Botnets, some Botnets are getting smarter and utilizing tools to monitor traffic not to fall easily into these traps.<br />
=== A common weak point from a Botnet ===<br />
By reaching the conclusion of infection through the packets analysis, it is possible to detect which type of C&C is being used to the communication between the Bot Client and Bot Herder and even, deactivate the Botnet by deactivating the communication channel.<br />
One of the biggest weaknesses from a Botnet is that, due to its inheritance of the C&C structure, once the higher level Bots are compromised, the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
==== Norton Anti-Bot ====<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is a commercial software that scans your system to see if it has become a zombie. Unfortunately, its design only takes action if the Bot software actually does something; otherwise, Norton will simply leave it alone in its idle mode. Since it is a commercial software, there are the benefits such as assistance and update patches as new Bots definitions are found.<br />
<br><br />
== Conclusion ==<br />
The fight is not over yet! We can't let this terrible security threat take over our Internet bandwidth for illicit traffic. There are techniques out there that can be used for prevention, but they haven't been proved to be really generic to recognize and exterminate the most common Bots and its derivatives.<br />
<br><br />
Another "advantage" is that when a Bot Herder tries to infect a machine that has been compromised by other Bot, it first closes the processes, deactivate them, and finally destroys that Bot; this has been vastly called Botnet War. Once this Bot exterminating procedure can come out from the shadows, a tool can be implemented to exterminate these Botnets in a efficient way.<br />
<br><br />
In conclusion, there are still a lot of aspects to be searched, discussed and studied to find ways to exterminate Botnets. We should join forces against this threat that is out there compromising our Internet day by day, or better phased, byte by byte...<br />
<br />
== References ==<br />
* Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
or ISBN-13: 978-1-59749-135-8<br />
* [http://pt.wikipedia.org/wiki/Botnet Botnet], Botnets (portuguese version)<br />
* [http://en.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://en.wikipedia.org/wiki/Phishing Phishing], Phishing<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own Botnet with a open source software] Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm Botnet attacks: Denial of Service], Botnet and denial of service<br />
<br />
== See Also ==<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet Alternative Technologies for Ethernet], Alternative Technologies for Ethernet<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Phishing Phishing], Phishing<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Internet_Control_Message_Protocol Internet Control Message Protocol], IMCP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Denial_Of_Service_Attacks Denial of Service Attacks] DNS Attacks<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Cryptography_in_Information_Security Cryptography], Cryptography<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Proxy Proxy Servers], Proxy Server<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Network_firewall Network Firewall], Network Firewall<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Malware Malwares], Malwares<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Peer_To_Peer_Network_Security Peer to Peer Network Security], Peer to Peer Network Security<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Simple_Mail_Transfer_Protocol Simple Mail Transfer Protocol], SMTP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Email_Security Email Security], Email Security<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service Facebook Botnet risk Revealed],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service Sun Grid hit by a network attack], Denial of service at Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service DoS may shut down the Internet],DoS can shut down the internet<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service A million zombies threaten US national security], A million zombies threaten US national security<br />
* [http://www.symantec.com/index.jsp Symantec], Symantec<br />
* [http://idgnow.uol.com.br/seguranca/2007 Segurança UOL], Internet Attacks on 2007 (portuguese)<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 19:49, 12 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-12T18:29:41Z<p>Rosard: </p>
<hr />
<div>Each phase our world has its healthiness’ such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealth has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. This vast information sea has been spread through the [[Internet|internet network]], which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as [[viruses]], [[Computer worms|worms]], [[Trojan horses]] and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to increase the spread of these threats. One powerful way of this spread, has been through Bots that integrate Botnets, which are the main focus of this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br>[[Image:20080923-spam-botnet.jpg|right|Bots]]<br><br />
<br />
== Bot? What is it?? How it works???==<br />
<br><br />
A Bot is a type of malicious software that after successfully invading a machine (called [[Zombie computers]]), usually installed via worms, Trojan horses, or through [[Back doors]], under a common [[command-and-control]] (C&C) infrastructure. These new installed malicious software (most likely to exist in machines that run on [[Windows]] OS - most used OS in the world -, which don't have a file-user safe executing system like computers that run on [[Linux]] or [[Mac]] OS) behave like “worm” processes, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then, they connect to a communication channel ([[IRC]], [[Web Server]] or [[Peer to Peer File Sharing|P2P Server]]), allowing the attacker (Bot Herder) full control of this machine through a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from the infected user PC, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers; however an exponential number of Bots integrating a Botnet can be way more catastrophic turn of events.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines (infected PC’s) are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
[[Image:Vk bb 0508 pic02.png]]<br />
=== Life cycle of a Botnet ===<br />
[[Image:Untitled-1.jpg|right|200px|frame|Schematic time line of a Botnet]]<br />
* Initial setup of configuration settings of the Bot parameters such as infection vectors, payload, stealth, C&C details<br />
* Register a dynamic [[DNS]] ([[DDNS]])<br />
* Register a [[static IP]]<br />
* Bot Herder infect PC's with the Bot(s)<br />
** Bot propagates the infection according to the configuration settings<br />
** Bot scans for vulnerabilities that it may encounter<br />
** Idle<br />
** Performs actions received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The owner of an infected PC with a Bot realizes the PC is a zombie so it kills the Bot.<br />
*** The chain of command may be compromised above the level.<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privacy privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What actions are being taken to control this terrible plague? On the following sections, this article will discuss how has this threat being used (mainly as one effective malicious way of breaking into data [[integrity]], [[availability]] and [[confidentiality]] of a computer network) and ways to detain it.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the [[anti-viruses]] systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “[[Proxy Server|Proxys]]” through where the IRC commands will be sent, or through a series of "hops". These layers make the [[crackers]] hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated with any security application. Other Bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti-virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the Bot client modules is usually set to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, Bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, Bots needed to be able to operate as the channel operator. This turn of events lead the Bots apps to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to the users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, [[mIRC]] based. Runs scripts in response to IRC server events Supports raw [[TCP]] and [[UDP]] [[Socket]] connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in [[C++]] where its source code is available to [[hacker]] community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 [[Symantec]] released an internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active Bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active Bot network computers. They also discovered that many bots were not usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, [[McAfee]] was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) Bot related. The national telecommunication company reported the following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank [[ATM]] service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; a small Botnet of 10,000 Bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, [[Microsoft]] has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to [[VeriSign]], the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into pod casts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the [[FBI]].<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the [[International Botnet Task Force]] since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", [[Vint Cerf]], has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending [[spam]] and [[spy ware]] and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for [[Facebook]] that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks: Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of [[Computer Science]] in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open [[ports]], and overriding [[Internet Cookies and Confidentiality|authentication mechanisms]] that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces ([[APIs]]) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
[[Image:Spam2 2.jpg|thumb|right]]<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
=== Phishing ===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the [[Phishing|Phisher]] sends mass of email trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys through "brute-force social engineering". A lot of layman users today, still write files like with name "word-key.txt", "photoshop_key.doc", etc. Through files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whomever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As mentioned before, information is the most valuable resource of our century. Bots also are able to work as [[key loggers]] to record key strokes or even [[Screen Loggers]] to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not Phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are others distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
The detection of Bots is a really difficult task. The big variety of the malicious code for these kind of application really makes its detection challenging. There are some tools that have been used against this threat, some in open source, and other for commercial purposes. Unfortunately, none of them have been sufficiently generic to detect all varieties of the most common Bots. In the mean time we should use some techniques and tools to detect and/or prevent the infection.<br />
<br />
=== Some signs of infection by Bots ===<br />
* High invisible to visible user ratio<br />
* High user to channel ratio<br />
* Server display name doesn't match [[IP Address]]<br />
* Suspicious nicks, topics and channel names<br />
* Suspicious DNS name used to find server(s)<br />
* Suspicious [[ARR(s)]] associated with DNS name<br />
* Connected hosts exhibiting suspicious behavior<br />
* TCP port 6667 open when an IRC client is not running<br />
* IRC port 113 usually suggests bots. This port has being mainly used to be a data port from the Bot to the Bot Herder.<br />
<br />
=== Enrolling in the Botnet War ===<br />
Monitoring the network traffic, at the first instance, can look useless; although, it can be a key and effective action when executed with efficiency. For example, by knowing the ports that are most used for the Bot Herder's communication with the Bots, we can modify the flow of data through these ports or maybe even verify if they are open when they should be closed, for example.<br />
<br><br />
=== TCPDump ===<br />
A way to make this monitoring more reliable is the integration of these functions to a "logging" analysis of host(s). A really good open source [[Sniffer]] is the [[TCPDump]] (www.tcpdump.org). This application makes the capture of packets possible in a whole network, or even from only one individual host though a specific port by using a filtering option. This is really important, because a lot of Sniffers capture "noise packets" from other hosts which implies in a harder analysis.<br />
<br><br />
With this power, from the moment that we determine a host which could be used as a zombie computer in a Botnet, we use the following command to capture it's traffic, for example, from coming from it's port 6667 (common port for communication with Bot Herders):<br />
* # tcpdump –X –s 1500 host 192.168.1.1 and tcp port 6667<br />
=== DarkNets ===<br />
The combat against Botnets has been been really intense in the latest years. Today, there are gropus dedicated to only search the Internet looking for these "Zombies" networks. There are some networks that are exclusively running only as a trap to catch these Botnets; they are called [[Darknets]]. The term Darknet is used to determine a range of IP addresses which should have not being used by any host in the network. The truth is that network on these IP addresses is considered illegal.<br />
<br><br />
Darknets can be used by organizations that wish to verity if their network has any irregularity. Although they are getting more famous on the combat of Botnets, some Botnets are getting smarter and utilizing tools to monitor traffic not to fall easily into these traps.<br />
=== A common weak point from a Botnet ===<br />
By reaching the conclusion of infection through the packets analysis, it is possible to detect which type of C&C is being used to the communication between the Bot Client and Bot Herder and even, deactivate the Botnet by deactivating the communication channel.<br />
One of the biggest weaknesses from a Botnet is that, due to its inheritance of the C&C structure, once the higher level Bots are compromised, the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
==== Norton Anti-Bot ====<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is a commercial software that scans your system to see if it has become a zombie. Unfortunately, its design only takes action if the Bot software actually does something; otherwise, Norton will simply leave it alone in its idle mode. Since it is a commercial software, there are the benefits such as assistance and update patches as new Bots definitions are found.<br />
<br><br />
== Conclusion ==<br />
The fight is not over yet! We can't let this terrible security threat take over our Internet bandwidth for illicit traffic. There are techniques out there that can be used for prevention, but they haven't been proved to be really generic to recognize and exterminate the most common Bots and its derivatives.<br />
<br><br />
Another "advantage" is that when a Bot Herder tries to infect a machine that has been compromised by other Bot, it first closes the processes, deactivate them, and finally destroys that Bot; this has been vastly called Botnet War. Once this Bot exterminating procedure can come out from the shadows, a tool can be implemented to exterminate these Botnets in a efficient way.<br />
<br><br />
In conclusion, there are still a lot of aspects to be searched, discussed and studied to find ways to exterminate Botnets. We should join forces against this threat that is out there compromising our Internet day by day, or better phased, byte by byte...<br />
<br />
== References ==<br />
* Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
or ISBN-13: 978-1-59749-135-8<br />
* [http://pt.wikipedia.org/wiki/Botnet Botnet], Botnets (portuguese version)<br />
* [http://en.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://en.wikipedia.org/wiki/Phishing Phishing], Phishing<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own Botnet with a open source software] Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm Botnet attacks: Denial of Service], Botnet and denial of service<br />
<br />
== See Also ==<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet Alternative Technologies for Ethernet], Alternative Technologies for Ethernet<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Phishing Phishing], Phishing<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Internet_Control_Message_Protocol Internet Control Message Protocol], IMCP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Denial_Of_Service_Attacks Denial of Service Attacks] DNS Attacks<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Cryptography_in_Information_Security Cryptography], Cryptography<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Proxy Proxy Servers], Proxy Server<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Network_firewall Network Firewall], Network Firewall<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Malware Malwares], Malwares<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Peer_To_Peer_Network_Security Peer to Peer Network Security], Peer to Peer Network Security<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Simple_Mail_Transfer_Protocol Simple Mail Transfer Protocol], SMTP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Email_Security Email Security], Email Security<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service Facebook Botnet risk Revealed],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service Sun Grid hit by a network attack], Denial of service at Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service DoS may shut down the Internet],DoS can shut down the internet<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service A million zombies threaten US national security], A million zombies threaten US national security<br />
* [http://www.symantec.com/index.jsp Symantec], Symantec<br />
* [http://idgnow.uol.com.br/seguranca/2007 Segurança UOL], Internet Attacks on 2007 (portuguese)<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 09:49, 12 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-12T13:49:37Z<p>Rosard: </p>
<hr />
<div>Each phase our world, has its healthiness’ such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealth has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. This vast information sea has been spread though the [[Internet|internet network]], which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as [[viruses]], [[Computer worms|worms]], [[Trojan horses]] and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br>[[Image:20080923-spam-botnet.jpg|right|Bots]]<br><br />
<br />
== Bot? What is it?? How it works???==<br />
<br><br />
A Bot is a type of malicious software that after successfully invading a machine (called [[Zombie computers]]), usually installed via worms, Trojan horses, or through [[Back doors]], under a common [[command-and-control]](C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on [[Windows]] OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on [[Linux]] or [[Mac]] OS) behave like “worm” processes, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then, they connect to a communication channel ([[IRC]], [[Web Server]] or [[Peer to Peer File Sharing|P2P Server]]), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from the infected user PC, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers; however an exponential number of Bots integrating a Botnet can be way more catastrophic turn of events.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines (infected PC’s) are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
[[Image:Vk bb 0508 pic02.png]]<br />
=== Life cycle of a Botnet ===<br />
[[Image:Untitled-1.jpg|right|200px|frame|Schematic time line of a Botnet]]<br />
* Initial setup of configuration settings of the Bot parameters such as infection vectors, payload, stealth, C&C details<br />
* Register a dynamic [[DNS]] ([[DDNS]])<br />
* Register a [[static IP]]<br />
* Bot Herder infect PC's with the Bot(s)<br />
** Bot propagates the infection according to the configuration settings<br />
** Bot scans for vulnerabilities that it may encounter<br />
** Idle<br />
** Performs actions received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The owner of an infected PC with a Bot realizes the PC is a zombie so it kills the Bot.<br />
*** The chain of command may be compromised above the level.<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privacy privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague? On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data [[integrity]], [[availability]] and [[confidentiality]] of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the [[anti-viruses]] systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “[[Proxy Server|Proxys]]” though where the IRC commands will be sent, or though a series of "hops". These layers make the [[crackers]] hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other Bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti-virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the Bot client modules is usually set to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, Bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, Bots needed to be able to operate as the channel operator. This turn of events lead the Bots apps to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to the users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, [[mIRC]] based. Runs scripts in response to IRC server events Supports raw [[TCP]] and [[UDP]] [[Socket]] connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in [[C++]] where its source code is available to [[hacker]] community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 [[Symantec]] released an internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active Bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active Bot network computers. They also discovered that many bots were not usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, [[McAfee]] was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) Bot related. The national telecommunication company reported the following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank [[ATM]] service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; a small Botnet of 10,000 Bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, [[Microsoft]] has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to [[VeriSign]], the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into pod casts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the [[FBI]].<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the [[International Botnet Task Force]] since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", [[Vint Cerf]], has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending [[spam]] and [[spy ware]] and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for [[Facebook]] that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks: Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of [[Computer Science]] in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open [[ports]], and overriding [[Internet Cookies and Confidentiality|authentication mechanisms]] that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces ([[APIs]]) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
[[Image:Spam2 2.jpg|thumb|right]]<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
=== Phishing ===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the [[Phishing|Phisher]] sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of layman users today, still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whomever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as [[key loggers]] to record key strokes or even [[Screen Loggers]] to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not Phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are others distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
The detection of Bots is a really difficult task. The big variety of the malicious code for these kind of application really makes its detection challenging. There are some tools that have been used against this threat, some in open source, and other for commercial purposes. Unfortunately, none of them have been sufficiently generic to detect all varieties of the most common Bots. In the mean time we should use some techniques and tools to detect and/or prevent the infection.<br />
<br />
=== Some sings of infection by Bots ===<br />
* High invisible to visible user ratio<br />
* High user to channel ratio<br />
* Server display name doesn't match [[IP Address]]<br />
* Suspicious nicks, topics and channel names<br />
* Suspicious DNS name used to find server(s)<br />
* Suspicious [[ARR(s)]] associated with DNS name<br />
* Connected hosts exhibiting suspicious behavior<br />
* TCP port 6667 open when an IRC client is not running<br />
* IRC port 113 usually suggests bots. This port has being mainly used to be a data port from the Bot to the Bot Herder.<br />
<br />
=== Enrolling in the Botnet War ===<br />
Monitoring the network traffic, at the first instance, can look useless although, it can be a key and effective action when executed with efficiency. For example, by knowing the ports that are most used for the Bot Herder's communication with the Bots, we can modify the flow of data though these ports or maybe even verify if they are open when they should be closed, for example.<br />
<br><br />
=== TCPDump ===<br />
A way to make this monitoring more reliable is the integration of these functions to a "logging" analysis of host(s). A really good open source [[Sniffer]] is the [[TCPDump]] (www.tcpdump.org). This application makes the capture of packets possible in a whole network, or even from only one individual host though a specific port by using a filtering option. This is really important, because a lot of Sniffers capture "noise packets" from other hosts which implies in a harder analysis.<br />
<br><br />
With this power, from the moment that we determine a host which could be used as a zombie computer in a Botnet, we use the following command to capture it's traffic, for example, from coming from it's port 6667 (common port for communication with Bot Herders):<br />
* # tcpdump –X –s 1500 host 192.168.1.1 and tcp port 6667<br />
=== DarkNets ===<br />
The combat against Botnets has been been really intense in the latest years. Today, there are gropus dedicated to only search the Internet in the search of these "Zombies" networks. There are some networks that are exclusively running only as a trap to catch these Botnets; they are called [[Darknets]]. The term Darknet is used to determine a range of IP addresses which should been not being used by no host in the network. The truth is that network on these IP addresses is considered illegal.<br />
<br><br />
Darknets can be used by organization that with to verity if their network has any irregularity. Although, they are getting more famous on the combat of Botnets, some Botnets are getting smarter and utilizing tools to monitor traffic to not fall easily into these traps.<br />
=== A common weak point from a Botnet ===<br />
By reaching the conclusion of infection though the packets analysis, it is possible to detect which type of C&C is being used to the communication between the Bot Client and Bot Herder and even, deactivate the Botnet by deactivating the communication channel.<br />
One of the biggest weaknesses from a Botnet is that, due to its inheritance of the C&C structure, once the higher level Bots are compromised, the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
==== Norton Anti-Bot ====<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. Unfortunately, its design only takes action if the Bot software actually does something, if not, Norton will simply leave it alone in its idle mode. Since its commercial software, there are the benefits such as assistance and update patches as new Bots definitions are found.<br />
<br><br />
== Conclusion ==<br />
The fight is not over yet! We can't let this terrible security threat take over our Internet bandwidth for illicit traffic. There are techniques out there that can be used for prevention, but they haven't been prove to be really generic to recognize and exterminate the most common Bots and its derivatives.<br />
<br><br />
Another "advantage" is that when a Bot Herder tries to infect a machine that has been compromised by other Bot, it first closes the processes, deactivate them, and finally destroys that Bot; this has been vastly called Botnet War. Once this Bot exterminating procedure can come out from the shadows, a tool can be implemented to exterminate this Botnets in a efficient way.<br />
<br><br />
In conclusion, there are still a lot of aspects to be searched, discussed and studied to find ways to exterminate Botnets. We should join forces against this threat that is out there compromising our Internet day by day, or better phased, byte by byte...<br />
<br />
== References ==<br />
* Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
or ISBN-13: 978-1-59749-135-8<br />
* [http://pt.wikipedia.org/wiki/Botnet Botnet], Botnets (portuguese version)<br />
* [http://en.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://en.wikipedia.org/wiki/Phishing Phishing], Phishing<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own Botnet with a open source software] Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm Botnet attacks: Denial of Service], Botnet and denial of service<br />
<br />
== See Also ==<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet Alternative Technologies for Ethernet], Alternative Technologies for Ethernet<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Phishing Phishing], Phishing<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Internet_Control_Message_Protocol Internet Control Message Protocol], IMCP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Denial_Of_Service_Attacks Denial of Service Attacks] DNS Attacks<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Cryptography_in_Information_Security Cryptography], Cryptography<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Proxy Proxy Servers], Proxy Server<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Network_firewall Network Firewall], Network Firewall<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Malware Malwares], Malwares<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Peer_To_Peer_Network_Security Peer to Peer Network Security], Peer to Peer Network Security<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Simple_Mail_Transfer_Protocol Simple Mail Transfer Protocol], SMTP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Email_Security Email Security], Email Security<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service Facebook Botnet risk Revealed],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service Sun Grid hit by a network attack], Denial of service at Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service DoS may shut down the Internet],DoS can shut down the internet<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service A million zombies threaten US national security], A million zombies threaten US national security<br />
* [http://www.symantec.com/index.jsp Symantec], Symantec<br />
* [http://idgnow.uol.com.br/seguranca/2007 Segurança UOL], Internet Attacks on 2007 (portuguese)<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 09:49, 12 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-12T13:47:41Z<p>Rosard: /* Life cycle of a Botnet */</p>
<hr />
<div>Each phase our world, has its healthiness’ such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealth has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. This vast information sea has been spread though the [[Internet|internet network]], which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as [[viruses]], [[Computer worms|worms]], [[Trojan horses]] and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br>[[Image:20080923-spam-botnet.jpg|right|Bots]]<br><br />
<br />
== Bot? What is it?? How it works???==<br />
<br><br />
A Bot is a type of malicious software that after successfully invading a machine (called [[Zombie computers]]), usually installed via worms, Trojan horses, or through [[Back doors]], under a common [[command-and-control]](C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on [[Windows]] OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on [[Linux]] or [[Mac]] OS) behave like “worm” processes, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then, they connect to a communication channel ([[IRC]], [[Web Server]] or [[Peer to Peer File Sharing|P2P Server]]), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from the infected user PC, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers; however an exponential number of Bots integrating a Botnet can be way more catastrophic turn of events.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines (infected PC’s) are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
[[Image:Vk bb 0508 pic02.png]]<br />
=== Life cycle of a Botnet ===<br />
[[Image:Untitled-1.jpg|right|200px|Schematic time line of a Botnet]]<br />
* Initial setup of configuration settings of the Bot parameters such as infection vectors, payload, stealth, C&C details<br />
* Register a dynamic [[DNS]] ([[DDNS]])<br />
* Register a [[static IP]]<br />
* Bot Herder infect PC's with the Bot(s)<br />
** Bot propagates the infection according to the configuration settings<br />
** Bot scans for vulnerabilities that it may encounter<br />
** Idle<br />
** Performs actions received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The owner of an infected PC with a Bot realizes the PC is a zombie so it kills the Bot.<br />
*** The chain of command may be compromised above the level.<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privacy privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague? On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data [[integrity]], [[availability]] and [[confidentiality]] of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the [[anti-viruses]] systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “[[Proxy Server|Proxys]]” though where the IRC commands will be sent, or though a series of "hops". These layers make the [[crackers]] hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other Bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti-virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the Bot client modules is usually set to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, Bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, Bots needed to be able to operate as the channel operator. This turn of events lead the Bots apps to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to the users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, [[mIRC]] based. Runs scripts in response to IRC server events Supports raw [[TCP]] and [[UDP]] [[Socket]] connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in [[C++]] where its source code is available to [[hacker]] community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 [[Symantec]] released an internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active Bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active Bot network computers. They also discovered that many bots were not usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, [[McAfee]] was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) Bot related. The national telecommunication company reported the following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank [[ATM]] service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; a small Botnet of 10,000 Bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, [[Microsoft]] has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to [[VeriSign]], the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into pod casts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the [[FBI]].<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the [[International Botnet Task Force]] since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", [[Vint Cerf]], has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending [[spam]] and [[spy ware]] and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for [[Facebook]] that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks: Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of [[Computer Science]] in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open [[ports]], and overriding [[Internet Cookies and Confidentiality|authentication mechanisms]] that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces ([[APIs]]) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
[[Image:Spam2 2.jpg|thumb|right]]<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
=== Phishing ===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the [[Phishing|Phisher]] sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of layman users today, still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whomever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as [[key loggers]] to record key strokes or even [[Screen Loggers]] to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not Phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are others distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
The detection of Bots is a really difficult task. The big variety of the malicious code for these kind of application really makes its detection challenging. There are some tools that have been used against this threat, some in open source, and other for commercial purposes. Unfortunately, none of them have been sufficiently generic to detect all varieties of the most common Bots. In the mean time we should use some techniques and tools to detect and/or prevent the infection.<br />
<br />
=== Some sings of infection by Bots ===<br />
* High invisible to visible user ratio<br />
* High user to channel ratio<br />
* Server display name doesn't match [[IP Address]]<br />
* Suspicious nicks, topics and channel names<br />
* Suspicious DNS name used to find server(s)<br />
* Suspicious [[ARR(s)]] associated with DNS name<br />
* Connected hosts exhibiting suspicious behavior<br />
* TCP port 6667 open when an IRC client is not running<br />
* IRC port 113 usually suggests bots. This port has being mainly used to be a data port from the Bot to the Bot Herder.<br />
<br />
=== Enrolling in the Botnet War ===<br />
Monitoring the network traffic, at the first instance, can look useless although, it can be a key and effective action when executed with efficiency. For example, by knowing the ports that are most used for the Bot Herder's communication with the Bots, we can modify the flow of data though these ports or maybe even verify if they are open when they should be closed, for example.<br />
<br><br />
=== TCPDump ===<br />
A way to make this monitoring more reliable is the integration of these functions to a "logging" analysis of host(s). A really good open source [[Sniffer]] is the [[TCPDump]] (www.tcpdump.org). This application makes the capture of packets possible in a whole network, or even from only one individual host though a specific port by using a filtering option. This is really important, because a lot of Sniffers capture "noise packets" from other hosts which implies in a harder analysis.<br />
<br><br />
With this power, from the moment that we determine a host which could be used as a zombie computer in a Botnet, we use the following command to capture it's traffic, for example, from coming from it's port 6667 (common port for communication with Bot Herders):<br />
* # tcpdump –X –s 1500 host 192.168.1.1 and tcp port 6667<br />
=== DarkNets ===<br />
The combat against Botnets has been been really intense in the latest years. Today, there are gropus dedicated to only search the Internet in the search of these "Zombies" networks. There are some networks that are exclusively running only as a trap to catch these Botnets; they are called [[Darknets]]. The term Darknet is used to determine a range of IP addresses which should been not being used by no host in the network. The truth is that network on these IP addresses is considered illegal.<br />
<br><br />
Darknets can be used by organization that with to verity if their network has any irregularity. Although, they are getting more famous on the combat of Botnets, some Botnets are getting smarter and utilizing tools to monitor traffic to not fall easily into these traps.<br />
=== A common weak point from a Botnet ===<br />
By reaching the conclusion of infection though the packets analysis, it is possible to detect which type of C&C is being used to the communication between the Bot Client and Bot Herder and even, deactivate the Botnet by deactivating the communication channel.<br />
One of the biggest weaknesses from a Botnet is that, due to its inheritance of the C&C structure, once the higher level Bots are compromised, the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
==== Norton Anti-Bot ====<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. Unfortunately, its design only takes action if the Bot software actually does something, if not, Norton will simply leave it alone in its idle mode. Since its commercial software, there are the benefits such as assistance and update patches as new Bots definitions are found.<br />
<br><br />
== Conclusion ==<br />
The fight is not over yet! We can't let this terrible security threat take over our Internet bandwidth for illicit traffic. There are techniques out there that can be used for prevention, but they haven't been prove to be really generic to recognize and exterminate the most common Bots and its derivatives.<br />
<br><br />
Another "advantage" is that when a Bot Herder tries to infect a machine that has been compromised by other Bot, it first closes the processes, deactivate them, and finally destroys that Bot; this has been vastly called Botnet War. Once this Bot exterminating procedure can come out from the shadows, a tool can be implemented to exterminate this Botnets in a efficient way.<br />
<br><br />
In conclusion, there are still a lot of aspects to be searched, discussed and studied to find ways to exterminate Botnets. We should join forces against this threat that is out there compromising our Internet day by day, or better phased, byte by byte...<br />
<br />
== References ==<br />
* Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
or ISBN-13: 978-1-59749-135-8<br />
* [http://pt.wikipedia.org/wiki/Botnet Botnet], Botnets (portuguese version)<br />
* [http://en.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://en.wikipedia.org/wiki/Phishing Phishing], Phishing<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own Botnet with a open source software] Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm Botnet attacks: Denial of Service], Botnet and denial of service<br />
<br />
== See Also ==<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet Alternative Technologies for Ethernet], Alternative Technologies for Ethernet<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Phishing Phishing], Phishing<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Internet_Control_Message_Protocol Internet Control Message Protocol], IMCP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Denial_Of_Service_Attacks Denial of Service Attacks] DNS Attacks<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Cryptography_in_Information_Security Cryptography], Cryptography<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Proxy Proxy Servers], Proxy Server<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Network_firewall Network Firewall], Network Firewall<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Malware Malwares], Malwares<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Peer_To_Peer_Network_Security Peer to Peer Network Security], Peer to Peer Network Security<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Simple_Mail_Transfer_Protocol Simple Mail Transfer Protocol], SMTP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Email_Security Email Security], Email Security<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service Facebook Botnet risk Revealed],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service Sun Grid hit by a network attack], Denial of service at Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service DoS may shut down the Internet],DoS can shut down the internet<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service A million zombies threaten US national security], A million zombies threaten US national security<br />
* [http://www.symantec.com/index.jsp Symantec], Symantec<br />
* [http://idgnow.uol.com.br/seguranca/2007 Segurança UOL], Internet Attacks on 2007 (portuguese)<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 10:46, 11 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-12T13:45:22Z<p>Rosard: /* Life cycle of a Botnet */</p>
<hr />
<div>Each phase our world, has its healthiness’ such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealth has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. This vast information sea has been spread though the [[Internet|internet network]], which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as [[viruses]], [[Computer worms|worms]], [[Trojan horses]] and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br>[[Image:20080923-spam-botnet.jpg|right|Bots]]<br><br />
<br />
== Bot? What is it?? How it works???==<br />
<br><br />
A Bot is a type of malicious software that after successfully invading a machine (called [[Zombie computers]]), usually installed via worms, Trojan horses, or through [[Back doors]], under a common [[command-and-control]](C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on [[Windows]] OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on [[Linux]] or [[Mac]] OS) behave like “worm” processes, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then, they connect to a communication channel ([[IRC]], [[Web Server]] or [[Peer to Peer File Sharing|P2P Server]]), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from the infected user PC, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers; however an exponential number of Bots integrating a Botnet can be way more catastrophic turn of events.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines (infected PC’s) are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
[[Image:Vk bb 0508 pic02.png]]<br />
=== Life cycle of a Botnet ===<br />
[[Image:Untitled-1.jpg|right|250px|Schematic timeline of a Botnet]]<br />
* Initial setup of configuration settings of the Bot parameters such as infection vectors, payload, stealth, C&C details<br />
* Register a dynamic [[DNS]] ([[DDNS]])<br />
* Register a [[static IP]]<br />
* Bot Herder infect PC's with the Bot(s)<br />
** Bot propagates the infection according to the configuration settings<br />
** Bot scans for vulnerabilities that it may encounter<br />
** Idle<br />
** Performs actions received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The owner of an infected PC with a Bot realizes the PC is a zombie so it kills the Bot.<br />
*** The chain of command may be compromised above the level.<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privacy privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague? On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data [[integrity]], [[availability]] and [[confidentiality]] of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the [[anti-viruses]] systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “[[Proxy Server|Proxys]]” though where the IRC commands will be sent, or though a series of "hops". These layers make the [[crackers]] hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other Bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti-virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the Bot client modules is usually set to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, Bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, Bots needed to be able to operate as the channel operator. This turn of events lead the Bots apps to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to the users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, [[mIRC]] based. Runs scripts in response to IRC server events Supports raw [[TCP]] and [[UDP]] [[Socket]] connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in [[C++]] where its source code is available to [[hacker]] community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 [[Symantec]] released an internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active Bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active Bot network computers. They also discovered that many bots were not usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, [[McAfee]] was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) Bot related. The national telecommunication company reported the following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank [[ATM]] service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; a small Botnet of 10,000 Bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, [[Microsoft]] has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to [[VeriSign]], the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into pod casts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the [[FBI]].<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the [[International Botnet Task Force]] since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", [[Vint Cerf]], has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending [[spam]] and [[spy ware]] and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for [[Facebook]] that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks: Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of [[Computer Science]] in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open [[ports]], and overriding [[Internet Cookies and Confidentiality|authentication mechanisms]] that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces ([[APIs]]) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
[[Image:Spam2 2.jpg|thumb|right]]<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
=== Phishing ===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the [[Phishing|Phisher]] sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of layman users today, still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whomever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as [[key loggers]] to record key strokes or even [[Screen Loggers]] to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not Phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are others distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
The detection of Bots is a really difficult task. The big variety of the malicious code for these kind of application really makes its detection challenging. There are some tools that have been used against this threat, some in open source, and other for commercial purposes. Unfortunately, none of them have been sufficiently generic to detect all varieties of the most common Bots. In the mean time we should use some techniques and tools to detect and/or prevent the infection.<br />
<br />
=== Some sings of infection by Bots ===<br />
* High invisible to visible user ratio<br />
* High user to channel ratio<br />
* Server display name doesn't match [[IP Address]]<br />
* Suspicious nicks, topics and channel names<br />
* Suspicious DNS name used to find server(s)<br />
* Suspicious [[ARR(s)]] associated with DNS name<br />
* Connected hosts exhibiting suspicious behavior<br />
* TCP port 6667 open when an IRC client is not running<br />
* IRC port 113 usually suggests bots. This port has being mainly used to be a data port from the Bot to the Bot Herder.<br />
<br />
=== Enrolling in the Botnet War ===<br />
Monitoring the network traffic, at the first instance, can look useless although, it can be a key and effective action when executed with efficiency. For example, by knowing the ports that are most used for the Bot Herder's communication with the Bots, we can modify the flow of data though these ports or maybe even verify if they are open when they should be closed, for example.<br />
<br><br />
=== TCPDump ===<br />
A way to make this monitoring more reliable is the integration of these functions to a "logging" analysis of host(s). A really good open source [[Sniffer]] is the [[TCPDump]] (www.tcpdump.org). This application makes the capture of packets possible in a whole network, or even from only one individual host though a specific port by using a filtering option. This is really important, because a lot of Sniffers capture "noise packets" from other hosts which implies in a harder analysis.<br />
<br><br />
With this power, from the moment that we determine a host which could be used as a zombie computer in a Botnet, we use the following command to capture it's traffic, for example, from coming from it's port 6667 (common port for communication with Bot Herders):<br />
* # tcpdump –X –s 1500 host 192.168.1.1 and tcp port 6667<br />
=== DarkNets ===<br />
The combat against Botnets has been been really intense in the latest years. Today, there are gropus dedicated to only search the Internet in the search of these "Zombies" networks. There are some networks that are exclusively running only as a trap to catch these Botnets; they are called [[Darknets]]. The term Darknet is used to determine a range of IP addresses which should been not being used by no host in the network. The truth is that network on these IP addresses is considered illegal.<br />
<br><br />
Darknets can be used by organization that with to verity if their network has any irregularity. Although, they are getting more famous on the combat of Botnets, some Botnets are getting smarter and utilizing tools to monitor traffic to not fall easily into these traps.<br />
=== A common weak point from a Botnet ===<br />
By reaching the conclusion of infection though the packets analysis, it is possible to detect which type of C&C is being used to the communication between the Bot Client and Bot Herder and even, deactivate the Botnet by deactivating the communication channel.<br />
One of the biggest weaknesses from a Botnet is that, due to its inheritance of the C&C structure, once the higher level Bots are compromised, the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
==== Norton Anti-Bot ====<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. Unfortunately, its design only takes action if the Bot software actually does something, if not, Norton will simply leave it alone in its idle mode. Since its commercial software, there are the benefits such as assistance and update patches as new Bots definitions are found.<br />
<br><br />
== Conclusion ==<br />
The fight is not over yet! We can't let this terrible security threat take over our Internet bandwidth for illicit traffic. There are techniques out there that can be used for prevention, but they haven't been prove to be really generic to recognize and exterminate the most common Bots and its derivatives.<br />
<br><br />
Another "advantage" is that when a Bot Herder tries to infect a machine that has been compromised by other Bot, it first closes the processes, deactivate them, and finally destroys that Bot; this has been vastly called Botnet War. Once this Bot exterminating procedure can come out from the shadows, a tool can be implemented to exterminate this Botnets in a efficient way.<br />
<br><br />
In conclusion, there are still a lot of aspects to be searched, discussed and studied to find ways to exterminate Botnets. We should join forces against this threat that is out there compromising our Internet day by day, or better phased, byte by byte...<br />
<br />
== References ==<br />
* Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
or ISBN-13: 978-1-59749-135-8<br />
* [http://pt.wikipedia.org/wiki/Botnet Botnet], Botnets (portuguese version)<br />
* [http://en.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://en.wikipedia.org/wiki/Phishing Phishing], Phishing<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own Botnet with a open source software] Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm Botnet attacks: Denial of Service], Botnet and denial of service<br />
<br />
== See Also ==<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet Alternative Technologies for Ethernet], Alternative Technologies for Ethernet<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Phishing Phishing], Phishing<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Internet_Control_Message_Protocol Internet Control Message Protocol], IMCP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Denial_Of_Service_Attacks Denial of Service Attacks] DNS Attacks<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Cryptography_in_Information_Security Cryptography], Cryptography<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Proxy Proxy Servers], Proxy Server<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Network_firewall Network Firewall], Network Firewall<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Malware Malwares], Malwares<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Peer_To_Peer_Network_Security Peer to Peer Network Security], Peer to Peer Network Security<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Simple_Mail_Transfer_Protocol Simple Mail Transfer Protocol], SMTP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Email_Security Email Security], Email Security<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service Facebook Botnet risk Revealed],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service Sun Grid hit by a network attack], Denial of service at Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service DoS may shut down the Internet],DoS can shut down the internet<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service A million zombies threaten US national security], A million zombies threaten US national security<br />
* [http://www.symantec.com/index.jsp Symantec], Symantec<br />
* [http://idgnow.uol.com.br/seguranca/2007 Segurança UOL], Internet Attacks on 2007 (portuguese)<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 10:46, 11 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-12T13:42:18Z<p>Rosard: /* External Links */</p>
<hr />
<div>Each phase our world, has its healthiness’ such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealth has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. This vast information sea has been spread though the [[Internet|internet network]], which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as [[viruses]], [[Computer worms|worms]], [[Trojan horses]] and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br>[[Image:20080923-spam-botnet.jpg|right|Bots]]<br><br />
<br />
== Bot? What is it?? How it works???==<br />
<br><br />
A Bot is a type of malicious software that after successfully invading a machine (called [[Zombie computers]]), usually installed via worms, Trojan horses, or through [[Back doors]], under a common [[command-and-control]](C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on [[Windows]] OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on [[Linux]] or [[Mac]] OS) behave like “worm” processes, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then, they connect to a communication channel ([[IRC]], [[Web Server]] or [[Peer to Peer File Sharing|P2P Server]]), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from the infected user PC, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers; however an exponential number of Bots integrating a Botnet can be way more catastrophic turn of events.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines (infected PC’s) are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
[[Image:Vk bb 0508 pic02.png]]<br />
=== Life cycle of a Botnet ===<br />
[[Image:Untitled-1.jpg|right|thumb| Detailed timeline of a Botnet]]<br />
* Initial setup of configuration settings of the Bot parameters such as infection vectors, payload, stealth, C&C details<br />
* Register a dynamic [[DNS]] ([[DDNS]])<br />
* Register a [[static IP]]<br />
* Bot Herder infect PC's with the Bot(s)<br />
** Bot propagates the infection according to the configuration settings<br />
** Bot scans for vulnerabilities that it may encounter<br />
** Idle<br />
** Performs actions received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The owner of an infected PC with a Bot realizes the PC is a zombie so it kills the Bot.<br />
*** The chain of command may be compromised above the level.<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privacy privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague? On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data [[integrity]], [[availability]] and [[confidentiality]] of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the [[anti-viruses]] systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “[[Proxy Server|Proxys]]” though where the IRC commands will be sent, or though a series of "hops". These layers make the [[crackers]] hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other Bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti-virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the Bot client modules is usually set to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, Bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, Bots needed to be able to operate as the channel operator. This turn of events lead the Bots apps to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to the users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, [[mIRC]] based. Runs scripts in response to IRC server events Supports raw [[TCP]] and [[UDP]] [[Socket]] connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in [[C++]] where its source code is available to [[hacker]] community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 [[Symantec]] released an internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active Bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active Bot network computers. They also discovered that many bots were not usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, [[McAfee]] was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) Bot related. The national telecommunication company reported the following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank [[ATM]] service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; a small Botnet of 10,000 Bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, [[Microsoft]] has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to [[VeriSign]], the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into pod casts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the [[FBI]].<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the [[International Botnet Task Force]] since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", [[Vint Cerf]], has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending [[spam]] and [[spy ware]] and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for [[Facebook]] that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks: Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of [[Computer Science]] in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open [[ports]], and overriding [[Internet Cookies and Confidentiality|authentication mechanisms]] that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces ([[APIs]]) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
[[Image:Spam2 2.jpg|thumb|right]]<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
=== Phishing ===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the [[Phishing|Phisher]] sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of layman users today, still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whomever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as [[key loggers]] to record key strokes or even [[Screen Loggers]] to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not Phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are others distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
The detection of Bots is a really difficult task. The big variety of the malicious code for these kind of application really makes its detection challenging. There are some tools that have been used against this threat, some in open source, and other for commercial purposes. Unfortunately, none of them have been sufficiently generic to detect all varieties of the most common Bots. In the mean time we should use some techniques and tools to detect and/or prevent the infection.<br />
<br />
=== Some sings of infection by Bots ===<br />
* High invisible to visible user ratio<br />
* High user to channel ratio<br />
* Server display name doesn't match [[IP Address]]<br />
* Suspicious nicks, topics and channel names<br />
* Suspicious DNS name used to find server(s)<br />
* Suspicious [[ARR(s)]] associated with DNS name<br />
* Connected hosts exhibiting suspicious behavior<br />
* TCP port 6667 open when an IRC client is not running<br />
* IRC port 113 usually suggests bots. This port has being mainly used to be a data port from the Bot to the Bot Herder.<br />
<br />
=== Enrolling in the Botnet War ===<br />
Monitoring the network traffic, at the first instance, can look useless although, it can be a key and effective action when executed with efficiency. For example, by knowing the ports that are most used for the Bot Herder's communication with the Bots, we can modify the flow of data though these ports or maybe even verify if they are open when they should be closed, for example.<br />
<br><br />
=== TCPDump ===<br />
A way to make this monitoring more reliable is the integration of these functions to a "logging" analysis of host(s). A really good open source [[Sniffer]] is the [[TCPDump]] (www.tcpdump.org). This application makes the capture of packets possible in a whole network, or even from only one individual host though a specific port by using a filtering option. This is really important, because a lot of Sniffers capture "noise packets" from other hosts which implies in a harder analysis.<br />
<br><br />
With this power, from the moment that we determine a host which could be used as a zombie computer in a Botnet, we use the following command to capture it's traffic, for example, from coming from it's port 6667 (common port for communication with Bot Herders):<br />
* # tcpdump –X –s 1500 host 192.168.1.1 and tcp port 6667<br />
=== DarkNets ===<br />
The combat against Botnets has been been really intense in the latest years. Today, there are gropus dedicated to only search the Internet in the search of these "Zombies" networks. There are some networks that are exclusively running only as a trap to catch these Botnets; they are called [[Darknets]]. The term Darknet is used to determine a range of IP addresses which should been not being used by no host in the network. The truth is that network on these IP addresses is considered illegal.<br />
<br><br />
Darknets can be used by organization that with to verity if their network has any irregularity. Although, they are getting more famous on the combat of Botnets, some Botnets are getting smarter and utilizing tools to monitor traffic to not fall easily into these traps.<br />
=== A common weak point from a Botnet ===<br />
By reaching the conclusion of infection though the packets analysis, it is possible to detect which type of C&C is being used to the communication between the Bot Client and Bot Herder and even, deactivate the Botnet by deactivating the communication channel.<br />
One of the biggest weaknesses from a Botnet is that, due to its inheritance of the C&C structure, once the higher level Bots are compromised, the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
==== Norton Anti-Bot ====<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. Unfortunately, its design only takes action if the Bot software actually does something, if not, Norton will simply leave it alone in its idle mode. Since its commercial software, there are the benefits such as assistance and update patches as new Bots definitions are found.<br />
<br><br />
== Conclusion ==<br />
The fight is not over yet! We can't let this terrible security threat take over our Internet bandwidth for illicit traffic. There are techniques out there that can be used for prevention, but they haven't been prove to be really generic to recognize and exterminate the most common Bots and its derivatives.<br />
<br><br />
Another "advantage" is that when a Bot Herder tries to infect a machine that has been compromised by other Bot, it first closes the processes, deactivate them, and finally destroys that Bot; this has been vastly called Botnet War. Once this Bot exterminating procedure can come out from the shadows, a tool can be implemented to exterminate this Botnets in a efficient way.<br />
<br><br />
In conclusion, there are still a lot of aspects to be searched, discussed and studied to find ways to exterminate Botnets. We should join forces against this threat that is out there compromising our Internet day by day, or better phased, byte by byte...<br />
<br />
== References ==<br />
* Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
or ISBN-13: 978-1-59749-135-8<br />
* [http://pt.wikipedia.org/wiki/Botnet Botnet], Botnets (portuguese version)<br />
* [http://en.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://en.wikipedia.org/wiki/Phishing Phishing], Phishing<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own Botnet with a open source software] Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm Botnet attacks: Denial of Service], Botnet and denial of service<br />
<br />
== See Also ==<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet Alternative Technologies for Ethernet], Alternative Technologies for Ethernet<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Phishing Phishing], Phishing<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Internet_Control_Message_Protocol Internet Control Message Protocol], IMCP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Denial_Of_Service_Attacks Denial of Service Attacks] DNS Attacks<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Cryptography_in_Information_Security Cryptography], Cryptography<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Proxy Proxy Servers], Proxy Server<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Network_firewall Network Firewall], Network Firewall<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Malware Malwares], Malwares<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Peer_To_Peer_Network_Security Peer to Peer Network Security], Peer to Peer Network Security<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Simple_Mail_Transfer_Protocol Simple Mail Transfer Protocol], SMTP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Email_Security Email Security], Email Security<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service Facebook Botnet risk Revealed],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service Sun Grid hit by a network attack], Denial of service at Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service DoS may shut down the Internet],DoS can shut down the internet<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service A million zombies threaten US national security], A million zombies threaten US national security<br />
* [http://www.symantec.com/index.jsp Symantec], Symantec<br />
* [http://idgnow.uol.com.br/seguranca/2007 Segurança UOL], Internet Attacks on 2007 (portuguese)<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 10:46, 11 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-12T13:41:06Z<p>Rosard: </p>
<hr />
<div>Each phase our world, has its healthiness’ such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealth has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. This vast information sea has been spread though the [[Internet|internet network]], which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as [[viruses]], [[Computer worms|worms]], [[Trojan horses]] and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br>[[Image:20080923-spam-botnet.jpg|right|Bots]]<br><br />
<br />
== Bot? What is it?? How it works???==<br />
<br><br />
A Bot is a type of malicious software that after successfully invading a machine (called [[Zombie computers]]), usually installed via worms, Trojan horses, or through [[Back doors]], under a common [[command-and-control]](C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on [[Windows]] OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on [[Linux]] or [[Mac]] OS) behave like “worm” processes, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then, they connect to a communication channel ([[IRC]], [[Web Server]] or [[Peer to Peer File Sharing|P2P Server]]), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from the infected user PC, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers; however an exponential number of Bots integrating a Botnet can be way more catastrophic turn of events.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines (infected PC’s) are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
[[Image:Vk bb 0508 pic02.png]]<br />
=== Life cycle of a Botnet ===<br />
[[Image:Untitled-1.jpg|right|thumb| Detailed timeline of a Botnet]]<br />
* Initial setup of configuration settings of the Bot parameters such as infection vectors, payload, stealth, C&C details<br />
* Register a dynamic [[DNS]] ([[DDNS]])<br />
* Register a [[static IP]]<br />
* Bot Herder infect PC's with the Bot(s)<br />
** Bot propagates the infection according to the configuration settings<br />
** Bot scans for vulnerabilities that it may encounter<br />
** Idle<br />
** Performs actions received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The owner of an infected PC with a Bot realizes the PC is a zombie so it kills the Bot.<br />
*** The chain of command may be compromised above the level.<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privacy privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague? On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data [[integrity]], [[availability]] and [[confidentiality]] of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the [[anti-viruses]] systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “[[Proxy Server|Proxys]]” though where the IRC commands will be sent, or though a series of "hops". These layers make the [[crackers]] hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other Bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti-virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the Bot client modules is usually set to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, Bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, Bots needed to be able to operate as the channel operator. This turn of events lead the Bots apps to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to the users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, [[mIRC]] based. Runs scripts in response to IRC server events Supports raw [[TCP]] and [[UDP]] [[Socket]] connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in [[C++]] where its source code is available to [[hacker]] community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 [[Symantec]] released an internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active Bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active Bot network computers. They also discovered that many bots were not usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, [[McAfee]] was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) Bot related. The national telecommunication company reported the following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank [[ATM]] service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; a small Botnet of 10,000 Bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, [[Microsoft]] has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to [[VeriSign]], the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into pod casts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the [[FBI]].<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the [[International Botnet Task Force]] since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", [[Vint Cerf]], has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending [[spam]] and [[spy ware]] and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for [[Facebook]] that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks: Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of [[Computer Science]] in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open [[ports]], and overriding [[Internet Cookies and Confidentiality|authentication mechanisms]] that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces ([[APIs]]) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
[[Image:Spam2 2.jpg|thumb|right]]<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
=== Phishing ===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the [[Phishing|Phisher]] sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of layman users today, still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whomever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as [[key loggers]] to record key strokes or even [[Screen Loggers]] to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not Phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are others distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
The detection of Bots is a really difficult task. The big variety of the malicious code for these kind of application really makes its detection challenging. There are some tools that have been used against this threat, some in open source, and other for commercial purposes. Unfortunately, none of them have been sufficiently generic to detect all varieties of the most common Bots. In the mean time we should use some techniques and tools to detect and/or prevent the infection.<br />
<br />
=== Some sings of infection by Bots ===<br />
* High invisible to visible user ratio<br />
* High user to channel ratio<br />
* Server display name doesn't match [[IP Address]]<br />
* Suspicious nicks, topics and channel names<br />
* Suspicious DNS name used to find server(s)<br />
* Suspicious [[ARR(s)]] associated with DNS name<br />
* Connected hosts exhibiting suspicious behavior<br />
* TCP port 6667 open when an IRC client is not running<br />
* IRC port 113 usually suggests bots. This port has being mainly used to be a data port from the Bot to the Bot Herder.<br />
<br />
=== Enrolling in the Botnet War ===<br />
Monitoring the network traffic, at the first instance, can look useless although, it can be a key and effective action when executed with efficiency. For example, by knowing the ports that are most used for the Bot Herder's communication with the Bots, we can modify the flow of data though these ports or maybe even verify if they are open when they should be closed, for example.<br />
<br><br />
=== TCPDump ===<br />
A way to make this monitoring more reliable is the integration of these functions to a "logging" analysis of host(s). A really good open source [[Sniffer]] is the [[TCPDump]] (www.tcpdump.org). This application makes the capture of packets possible in a whole network, or even from only one individual host though a specific port by using a filtering option. This is really important, because a lot of Sniffers capture "noise packets" from other hosts which implies in a harder analysis.<br />
<br><br />
With this power, from the moment that we determine a host which could be used as a zombie computer in a Botnet, we use the following command to capture it's traffic, for example, from coming from it's port 6667 (common port for communication with Bot Herders):<br />
* # tcpdump –X –s 1500 host 192.168.1.1 and tcp port 6667<br />
=== DarkNets ===<br />
The combat against Botnets has been been really intense in the latest years. Today, there are gropus dedicated to only search the Internet in the search of these "Zombies" networks. There are some networks that are exclusively running only as a trap to catch these Botnets; they are called [[Darknets]]. The term Darknet is used to determine a range of IP addresses which should been not being used by no host in the network. The truth is that network on these IP addresses is considered illegal.<br />
<br><br />
Darknets can be used by organization that with to verity if their network has any irregularity. Although, they are getting more famous on the combat of Botnets, some Botnets are getting smarter and utilizing tools to monitor traffic to not fall easily into these traps.<br />
=== A common weak point from a Botnet ===<br />
By reaching the conclusion of infection though the packets analysis, it is possible to detect which type of C&C is being used to the communication between the Bot Client and Bot Herder and even, deactivate the Botnet by deactivating the communication channel.<br />
One of the biggest weaknesses from a Botnet is that, due to its inheritance of the C&C structure, once the higher level Bots are compromised, the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
==== Norton Anti-Bot ====<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. Unfortunately, its design only takes action if the Bot software actually does something, if not, Norton will simply leave it alone in its idle mode. Since its commercial software, there are the benefits such as assistance and update patches as new Bots definitions are found.<br />
<br><br />
== Conclusion ==<br />
The fight is not over yet! We can't let this terrible security threat take over our Internet bandwidth for illicit traffic. There are techniques out there that can be used for prevention, but they haven't been prove to be really generic to recognize and exterminate the most common Bots and its derivatives.<br />
<br><br />
Another "advantage" is that when a Bot Herder tries to infect a machine that has been compromised by other Bot, it first closes the processes, deactivate them, and finally destroys that Bot; this has been vastly called Botnet War. Once this Bot exterminating procedure can come out from the shadows, a tool can be implemented to exterminate this Botnets in a efficient way.<br />
<br><br />
In conclusion, there are still a lot of aspects to be searched, discussed and studied to find ways to exterminate Botnets. We should join forces against this threat that is out there compromising our Internet day by day, or better phased, byte by byte...<br />
<br />
== References ==<br />
* Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
or ISBN-13: 978-1-59749-135-8<br />
* [http://pt.wikipedia.org/wiki/Botnet Botnet], Botnets (portuguese version)<br />
* [http://en.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://en.wikipedia.org/wiki/Phishing Phishing], Phishing<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own Botnet with a open source software] Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm Botnet attacks: Denial of Service], Botnet and denial of service<br />
<br />
== See Also ==<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet Alternative Technologies for Ethernet], Alternative Technologies for Ethernet<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Phishing Phishing], Phishing<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Internet_Control_Message_Protocol Internet Control Message Protocol], IMCP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Denial_Of_Service_Attacks Denial of Service Attacks] DNS Attacks<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Cryptography_in_Information_Security Cryptography], Cryptography<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Proxy Proxy Servers], Proxy Server<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Network_firewall Network Firewall], Network Firewall<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Malware Malwares], Malwares<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Peer_To_Peer_Network_Security Peer to Peer Network Security], Peer to Peer Network Security<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Simple_Mail_Transfer_Protocol Simple Mail Transfer Protocol], SMTP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Email_Security Email Security], Email Security<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service Facebook Botnet risk Revealed],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service Sun Grid hit by a network attack], Denial of service at Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service DoS may shut down the Internet],DoS can shut down the internet<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service A million zombies threaten US national security], A million zombies threaten US national security<br />
* [www.symantec.com Symantec], Symantec<br />
* [http://idgnow.uol.com.br/seguranca/2007], Internet Attacks on 2007<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 10:46, 11 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/File:Untitled-1.jpgFile:Untitled-1.jpg2009-04-12T13:35:06Z<p>Rosard: </p>
<hr />
<div></div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-12T13:21:26Z<p>Rosard: </p>
<hr />
<div>Each phase our world, has its healthiness’ such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealth has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. This vast information sea has been spread though the [[Internet|internet network]], which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as [[viruses]], [[Computer worms|worms]], [[Trojan horses]] and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br>[[Image:20080923-spam-botnet.jpg]]<br><br />
<br />
== Bot? What is it?? How it works???==<br />
[[Image:Talking-trojan.jpg]]<br />
<br><br />
A Bot is a type of malicious software that after successfully invading a machine (called [[Zombie computers]]), usually installed via worms, Trojan horses, or through [[Back doors]], under a common [[command-and-control]](C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on [[Windows]] OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on [[Linux]] or [[Mac]] OS) behave like “worm” processes, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then, they connect to a communication channel ([[IRC]], [[Web Server]] or [[Peer to Peer File Sharing|P2P Server]]), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from the infected user PC, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers; however an exponential number of Bots integrating a Botnet can be way more catastrophic turn of events.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines (infected PC’s) are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
[[Image:Vk bb 0508 pic02.png]]<br />
=== Life cycle of a Botnet ===<br />
* Initial setup of configuration settings of the Bot parameters such as infection vectors, payload, stealth, C&C details<br />
* Register a dynamic [[DNS]] ([[DDNS]])<br />
* Register a [[static IP]]<br />
* Bot Herder infect PC's with the Bot(s)<br />
** Bot propagates the infection according to the configuration settings<br />
** Bot scans for vulnerabilities that it may encounter<br />
** Idle<br />
** Performs actions received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The owner of an infected PC with a Bot realizes the PC is a zombie so it kills the Bot.<br />
*** The chain of command may be compromised above the level.<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privacy privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague? On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data [[integrity]], [[availability]] and [[confidentiality]] of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the [[anti-viruses]] systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “[[Proxy Server|Proxys]]” though where the IRC commands will be sent, or though a series of "hops". These layers make the [[crackers]] hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other Bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti-virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the Bot client modules is usually set to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, Bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, Bots needed to be able to operate as the channel operator. This turn of events lead the Bots apps to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to the users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, [[mIRC]] based. Runs scripts in response to IRC server events Supports raw [[TCP]] and [[UDP]] [[Socket]] connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in [[C++]] where its source code is available to [[hacker]] community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 [[Symantec]] released an internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active Bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active Bot network computers. They also discovered that many bots were not usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, [[McAfee]] was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) Bot related. The national telecommunication company reported the following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank [[ATM]] service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; a small Botnet of 10,000 Bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, [[Microsoft]] has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to [[VeriSign]], the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into pod casts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the [[FBI]].<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the [[International Botnet Task Force]] since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", [[Vint Cerf]], has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending [[spam]] and [[spy ware]] and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for [[Facebook]] that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks: Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of [[Computer Science]] in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open [[ports]], and overriding [[Internet Cookies and Confidentiality|authentication mechanisms]] that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces ([[APIs]]) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
[[Image:Spam2 2.jpg]]<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
=== Phishing ===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the [[Phishing|Phisher]] sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of layman users today, still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whomever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as [[key loggers]] to record key strokes or even [[Screen Loggers]] to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not Phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are others distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
The detection of Bots is a really difficult task. The big variety of the malicious code for these kind of application really makes its detection challenging. There are some tools that have been used against this threat, some in open source, and other for commercial purposes. Unfortunately, none of them have been sufficiently generic to detect all varieties of the most common Bots. In the mean time we should use some techniques and tools to detect and/or prevent the infection.<br />
<br />
=== Some sings of infection by Bots ===<br />
* High invisible to visible user ratio<br />
* High user to channel ratio<br />
* Server display name doesn't match [[IP Address]]<br />
* Suspicious nicks, topics and channel names<br />
* Suspicious DNS name used to find server(s)<br />
* Suspicious [[ARR(s)]] associated with DNS name<br />
* Connected hosts exhibiting suspicious behavior<br />
* TCP port 6667 open when an IRC client is not running<br />
* IRC port 113 usually suggests bots. This port has being mainly used to be a data port from the Bot to the Bot Herder.<br />
<br />
=== Enrolling in the Botnet War ===<br />
Monitoring the network traffic, at the first instance, can look useless although, it can be a key and effective action when executed with efficiency. For example, by knowing the ports that are most used for the Bot Herder's communication with the Bots, we can modify the flow of data though these ports or maybe even verify if they are open when they should be closed, for example.<br />
<br><br />
=== TCPDump ===<br />
A way to make this monitoring more reliable is the integration of these functions to a "logging" analysis of host(s). A really good open source [[Sniffer]] is the [[TCPDump]] (www.tcpdump.org). This application makes the capture of packets possible in a whole network, or even from only one individual host though a specific port by using a filtering option. This is really important, because a lot of Sniffers capture "noise packets" from other hosts which implies in a harder analysis.<br />
<br><br />
With this power, from the moment that we determine a host which could be used as a zombie computer in a Botnet, we use the following command to capture it's traffic, for example, from coming from it's port 6667 (common port for communication with Bot Herders):<br />
* # tcpdump –X –s 1500 host 192.168.1.1 and tcp port 6667<br />
=== DarkNets ===<br />
The combat against Botnets has been been really intense in the latest years. Today, there are gropus dedicated to only search the Internet in the search of these "Zombies" networks. There are some networks that are exclusively running only as a trap to catch these Botnets; they are called [[Darknets]]. The term Darknet is used to determine a range of IP addresses which should been not being used by no host in the network. The truth is that network on these IP addresses is considered illegal.<br />
<br><br />
Darknets can be used by organization that with to verity if their network has any irregularity. Although, they are getting more famous on the combat of Botnets, some Botnets are getting smarter and utilizing tools to monitor traffic to not fall easily into these traps.<br />
=== A common weak point from a Botnet ===<br />
By reaching the conclusion of infection though the packets analysis, it is possible to detect which type of C&C is being used to the communication between the Bot Client and Bot Herder and even, deactivate the Botnet by deactivating the communication channel.<br />
One of the biggest weaknesses from a Botnet is that, due to its inheritance of the C&C structure, once the higher level Bots are compromised, the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
==== Norton Anti-Bot ====<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. Unfortunately, its design only takes action if the Bot software actually does something, if not, Norton will simply leave it alone in its idle mode. Since its commercial software, there are the benefits such as assistance and update patches as new Bots definitions are found.<br />
<br><br />
== Conclusion ==<br />
The fight is not over yet! We can't let this terrible security threat take over our Internet bandwidth for illicit traffic. There are techniques out there that can be used for prevention, but they haven't been prove to be really generic to recognize and exterminate the most common Bots and its derivatives.<br />
<br><br />
Another "advantage" is that when a Bot Herder tries to infect a machine that has been compromised by other Bot, it first closes the processes, deactivate them, and finally destroys that Bot; this has been vastly called Botnet War. Once this Bot exterminating procedure can come out from the shadows, a tool can be implemented to exterminate this Botnets in a efficient way.<br />
<br><br />
In conclusion, there are still a lot of aspects to be searched, discussed and studied to find ways to exterminate Botnets. We should join forces against this threat that is out there compromising our Internet day by day, or better phased, byte by byte...<br />
<br />
== References ==<br />
* Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
or ISBN-13: 978-1-59749-135-8<br />
* [http://pt.wikipedia.org/wiki/Botnet Botnet], Botnets (portuguese version)<br />
* [http://en.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://en.wikipedia.org/wiki/Phishing Phishing], Phishing<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own Botnet with a open source software] Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm Botnet attacks: Denial of Service], Botnet and denial of service<br />
<br />
== See Also ==<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet Alternative Technologies for Ethernet], Alternative Technologies for Ethernet<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Phishing Phishing], Phishing<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Internet_Control_Message_Protocol Internet Control Message Protocol], IMCP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Denial_Of_Service_Attacks Denial of Service Attacks] DNS Attacks<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Cryptography_in_Information_Security Cryptography], Cryptography<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Proxy Proxy Servers], Proxy Server<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Network_firewall Network Firewall], Network Firewall<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Malware Malwares], Malwares<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Peer_To_Peer_Network_Security Peer to Peer Network Security], Peer to Peer Network Security<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Simple_Mail_Transfer_Protocol Simple Mail Transfer Protocol], SMTP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Email_Security Email Security], Email Security<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service Facebook Botnet risk Revealed],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service Sun Grid hit by a network attack], Denial of service at Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service DoS may shut down the Internet],DoS can shut down the internet<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service A million zombies threaten US national security], A million zombies threaten US national security<br />
* [www.symantec.com Symantec], Symantec<br />
* [http://idgnow.uol.com.br/seguranca/2007], Internet Attacks on 2007<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 10:46, 11 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-12T13:20:41Z<p>Rosard: </p>
<hr />
<div> [[Image:20080923-spam-botnet.jpg]]<br />
<br><br />
Each phase our world, has its healthiness’ such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealth has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. This vast information sea has been spread though the [[Internet|internet network]], which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as [[viruses]], [[Computer worms|worms]], [[Trojan horses]] and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???==<br />
[[Image:Talking-trojan.jpg]]<br />
<br><br />
A Bot is a type of malicious software that after successfully invading a machine (called [[Zombie computers]]), usually installed via worms, Trojan horses, or through [[Back doors]], under a common [[command-and-control]](C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on [[Windows]] OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on [[Linux]] or [[Mac]] OS) behave like “worm” processes, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then, they connect to a communication channel ([[IRC]], [[Web Server]] or [[Peer to Peer File Sharing|P2P Server]]), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from the infected user PC, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers; however an exponential number of Bots integrating a Botnet can be way more catastrophic turn of events.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines (infected PC’s) are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
[[Image:Vk bb 0508 pic02.png]]<br />
=== Life cycle of a Botnet ===<br />
* Initial setup of configuration settings of the Bot parameters such as infection vectors, payload, stealth, C&C details<br />
* Register a dynamic [[DNS]] ([[DDNS]])<br />
* Register a [[static IP]]<br />
* Bot Herder infect PC's with the Bot(s)<br />
** Bot propagates the infection according to the configuration settings<br />
** Bot scans for vulnerabilities that it may encounter<br />
** Idle<br />
** Performs actions received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The owner of an infected PC with a Bot realizes the PC is a zombie so it kills the Bot.<br />
*** The chain of command may be compromised above the level.<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privacy privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague? On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data [[integrity]], [[availability]] and [[confidentiality]] of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the [[anti-viruses]] systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “[[Proxy Server|Proxys]]” though where the IRC commands will be sent, or though a series of "hops". These layers make the [[crackers]] hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other Bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti-virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the Bot client modules is usually set to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, Bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, Bots needed to be able to operate as the channel operator. This turn of events lead the Bots apps to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to the users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, [[mIRC]] based. Runs scripts in response to IRC server events Supports raw [[TCP]] and [[UDP]] [[Socket]] connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in [[C++]] where its source code is available to [[hacker]] community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 [[Symantec]] released an internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active Bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active Bot network computers. They also discovered that many bots were not usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, [[McAfee]] was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) Bot related. The national telecommunication company reported the following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank [[ATM]] service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; a small Botnet of 10,000 Bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, [[Microsoft]] has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to [[VeriSign]], the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into pod casts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the [[FBI]].<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the [[International Botnet Task Force]] since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", [[Vint Cerf]], has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending [[spam]] and [[spy ware]] and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for [[Facebook]] that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks: Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of [[Computer Science]] in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open [[ports]], and overriding [[Internet Cookies and Confidentiality|authentication mechanisms]] that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces ([[APIs]]) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
[[Image:Spam2 2.jpg]]<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
=== Phishing ===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the [[Phishing|Phisher]] sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of layman users today, still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whomever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as [[key loggers]] to record key strokes or even [[Screen Loggers]] to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not Phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are others distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
The detection of Bots is a really difficult task. The big variety of the malicious code for these kind of application really makes its detection challenging. There are some tools that have been used against this threat, some in open source, and other for commercial purposes. Unfortunately, none of them have been sufficiently generic to detect all varieties of the most common Bots. In the mean time we should use some techniques and tools to detect and/or prevent the infection.<br />
<br />
=== Some sings of infection by Bots ===<br />
* High invisible to visible user ratio<br />
* High user to channel ratio<br />
* Server display name doesn't match [[IP Address]]<br />
* Suspicious nicks, topics and channel names<br />
* Suspicious DNS name used to find server(s)<br />
* Suspicious [[ARR(s)]] associated with DNS name<br />
* Connected hosts exhibiting suspicious behavior<br />
* TCP port 6667 open when an IRC client is not running<br />
* IRC port 113 usually suggests bots. This port has being mainly used to be a data port from the Bot to the Bot Herder.<br />
<br />
=== Enrolling in the Botnet War ===<br />
Monitoring the network traffic, at the first instance, can look useless although, it can be a key and effective action when executed with efficiency. For example, by knowing the ports that are most used for the Bot Herder's communication with the Bots, we can modify the flow of data though these ports or maybe even verify if they are open when they should be closed, for example.<br />
<br><br />
=== TCPDump ===<br />
A way to make this monitoring more reliable is the integration of these functions to a "logging" analysis of host(s). A really good open source [[Sniffer]] is the [[TCPDump]] (www.tcpdump.org). This application makes the capture of packets possible in a whole network, or even from only one individual host though a specific port by using a filtering option. This is really important, because a lot of Sniffers capture "noise packets" from other hosts which implies in a harder analysis.<br />
<br><br />
With this power, from the moment that we determine a host which could be used as a zombie computer in a Botnet, we use the following command to capture it's traffic, for example, from coming from it's port 6667 (common port for communication with Bot Herders):<br />
* # tcpdump –X –s 1500 host 192.168.1.1 and tcp port 6667<br />
=== DarkNets ===<br />
The combat against Botnets has been been really intense in the latest years. Today, there are gropus dedicated to only search the Internet in the search of these "Zombies" networks. There are some networks that are exclusively running only as a trap to catch these Botnets; they are called [[Darknets]]. The term Darknet is used to determine a range of IP addresses which should been not being used by no host in the network. The truth is that network on these IP addresses is considered illegal.<br />
<br><br />
Darknets can be used by organization that with to verity if their network has any irregularity. Although, they are getting more famous on the combat of Botnets, some Botnets are getting smarter and utilizing tools to monitor traffic to not fall easily into these traps.<br />
=== A common weak point from a Botnet ===<br />
By reaching the conclusion of infection though the packets analysis, it is possible to detect which type of C&C is being used to the communication between the Bot Client and Bot Herder and even, deactivate the Botnet by deactivating the communication channel.<br />
One of the biggest weaknesses from a Botnet is that, due to its inheritance of the C&C structure, once the higher level Bots are compromised, the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
==== Norton Anti-Bot ====<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. Unfortunately, its design only takes action if the Bot software actually does something, if not, Norton will simply leave it alone in its idle mode. Since its commercial software, there are the benefits such as assistance and update patches as new Bots definitions are found.<br />
<br><br />
== Conclusion ==<br />
The fight is not over yet! We can't let this terrible security threat take over our Internet bandwidth for illicit traffic. There are techniques out there that can be used for prevention, but they haven't been prove to be really generic to recognize and exterminate the most common Bots and its derivatives.<br />
<br><br />
Another "advantage" is that when a Bot Herder tries to infect a machine that has been compromised by other Bot, it first closes the processes, deactivate them, and finally destroys that Bot; this has been vastly called Botnet War. Once this Bot exterminating procedure can come out from the shadows, a tool can be implemented to exterminate this Botnets in a efficient way.<br />
<br><br />
In conclusion, there are still a lot of aspects to be searched, discussed and studied to find ways to exterminate Botnets. We should join forces against this threat that is out there compromising our Internet day by day, or better phased, byte by byte...<br />
<br />
== References ==<br />
* Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
or ISBN-13: 978-1-59749-135-8<br />
* [http://pt.wikipedia.org/wiki/Botnet Botnet], Botnets (portuguese version)<br />
* [http://en.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://en.wikipedia.org/wiki/Phishing Phishing], Phishing<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own Botnet with a open source software] Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm Botnet attacks: Denial of Service], Botnet and denial of service<br />
<br />
== See Also ==<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet Alternative Technologies for Ethernet], Alternative Technologies for Ethernet<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Phishing Phishing], Phishing<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Internet_Control_Message_Protocol Internet Control Message Protocol], IMCP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Denial_Of_Service_Attacks Denial of Service Attacks] DNS Attacks<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Cryptography_in_Information_Security Cryptography], Cryptography<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Proxy Proxy Servers], Proxy Server<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Network_firewall Network Firewall], Network Firewall<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Malware Malwares], Malwares<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Peer_To_Peer_Network_Security Peer to Peer Network Security], Peer to Peer Network Security<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Simple_Mail_Transfer_Protocol Simple Mail Transfer Protocol], SMTP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Email_Security Email Security], Email Security<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service Facebook Botnet risk Revealed],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service Sun Grid hit by a network attack], Denial of service at Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service DoS may shut down the Internet],DoS can shut down the internet<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service A million zombies threaten US national security], A million zombies threaten US national security<br />
* [www.symantec.com Symantec], Symantec<br />
* [http://idgnow.uol.com.br/seguranca/2007], Internet Attacks on 2007<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 10:46, 11 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-12T13:19:57Z<p>Rosard: </p>
<hr />
<div>[[Image:20080923-spam-botnet.jpg]]<br />
<br><br />
Each phase our world, has its healthiness’ such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealth has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. This vast information sea has been spread though the [[Internet|internet network]], which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as [[viruses]], [[Computer worms|worms]], [[Trojan horses]] and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???==<br />
[[Image:Talking-trojan.jpg]]<br />
<br><br />
A Bot is a type of malicious software that after successfully invading a machine (called [[Zombie computers]]), usually installed via worms, Trojan horses, or through [[Back doors]], under a common [[command-and-control]](C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on [[Windows]] OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on [[Linux]] or [[Mac]] OS) behave like “worm” processes, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then, they connect to a communication channel ([[IRC]], [[Web Server]] or [[Peer to Peer File Sharing|P2P Server]]), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from the infected user PC, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers; however an exponential number of Bots integrating a Botnet can be way more catastrophic turn of events.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines (infected PC’s) are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
[[Image:Vk bb 0508 pic02.png]]<br />
=== Life cycle of a Botnet ===<br />
* Initial setup of configuration settings of the Bot parameters such as infection vectors, payload, stealth, C&C details<br />
* Register a dynamic [[DNS]] ([[DDNS]])<br />
* Register a [[static IP]]<br />
* Bot Herder infect PC's with the Bot(s)<br />
** Bot propagates the infection according to the configuration settings<br />
** Bot scans for vulnerabilities that it may encounter<br />
** Idle<br />
** Performs actions received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The owner of an infected PC with a Bot realizes the PC is a zombie so it kills the Bot.<br />
*** The chain of command may be compromised above the level.<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privacy privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague? On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data [[integrity]], [[availability]] and [[confidentiality]] of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the [[anti-viruses]] systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “[[Proxy Server|Proxys]]” though where the IRC commands will be sent, or though a series of "hops". These layers make the [[crackers]] hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other Bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti-virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the Bot client modules is usually set to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, Bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, Bots needed to be able to operate as the channel operator. This turn of events lead the Bots apps to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to the users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, [[mIRC]] based. Runs scripts in response to IRC server events Supports raw [[TCP]] and [[UDP]] [[Socket]] connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in [[C++]] where its source code is available to [[hacker]] community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 [[Symantec]] released an internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active Bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active Bot network computers. They also discovered that many bots were not usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, [[McAfee]] was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) Bot related. The national telecommunication company reported the following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank [[ATM]] service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; a small Botnet of 10,000 Bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, [[Microsoft]] has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to [[VeriSign]], the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into pod casts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the [[FBI]].<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the [[International Botnet Task Force]] since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", [[Vint Cerf]], has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending [[spam]] and [[spy ware]] and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for [[Facebook]] that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks: Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of [[Computer Science]] in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open [[ports]], and overriding [[Internet Cookies and Confidentiality|authentication mechanisms]] that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces ([[APIs]]) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
[[Image:Spam2 2.jpg]]<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
=== Phishing ===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the [[Phishing|Phisher]] sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of layman users today, still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whomever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as [[key loggers]] to record key strokes or even [[Screen Loggers]] to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not Phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are others distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
The detection of Bots is a really difficult task. The big variety of the malicious code for these kind of application really makes its detection challenging. There are some tools that have been used against this threat, some in open source, and other for commercial purposes. Unfortunately, none of them have been sufficiently generic to detect all varieties of the most common Bots. In the mean time we should use some techniques and tools to detect and/or prevent the infection.<br />
<br />
=== Some sings of infection by Bots ===<br />
* High invisible to visible user ratio<br />
* High user to channel ratio<br />
* Server display name doesn't match [[IP Address]]<br />
* Suspicious nicks, topics and channel names<br />
* Suspicious DNS name used to find server(s)<br />
* Suspicious [[ARR(s)]] associated with DNS name<br />
* Connected hosts exhibiting suspicious behavior<br />
* TCP port 6667 open when an IRC client is not running<br />
* IRC port 113 usually suggests bots. This port has being mainly used to be a data port from the Bot to the Bot Herder.<br />
<br />
=== Enrolling in the Botnet War ===<br />
Monitoring the network traffic, at the first instance, can look useless although, it can be a key and effective action when executed with efficiency. For example, by knowing the ports that are most used for the Bot Herder's communication with the Bots, we can modify the flow of data though these ports or maybe even verify if they are open when they should be closed, for example.<br />
<br><br />
=== TCPDump ===<br />
A way to make this monitoring more reliable is the integration of these functions to a "logging" analysis of host(s). A really good open source [[Sniffer]] is the [[TCPDump]] (www.tcpdump.org). This application makes the capture of packets possible in a whole network, or even from only one individual host though a specific port by using a filtering option. This is really important, because a lot of Sniffers capture "noise packets" from other hosts which implies in a harder analysis.<br />
<br><br />
With this power, from the moment that we determine a host which could be used as a zombie computer in a Botnet, we use the following command to capture it's traffic, for example, from coming from it's port 6667 (common port for communication with Bot Herders):<br />
* # tcpdump –X –s 1500 host 192.168.1.1 and tcp port 6667<br />
=== DarkNets ===<br />
The combat against Botnets has been been really intense in the latest years. Today, there are gropus dedicated to only search the Internet in the search of these "Zombies" networks. There are some networks that are exclusively running only as a trap to catch these Botnets; they are called [[Darknets]]. The term Darknet is used to determine a range of IP addresses which should been not being used by no host in the network. The truth is that network on these IP addresses is considered illegal.<br />
<br><br />
Darknets can be used by organization that with to verity if their network has any irregularity. Although, they are getting more famous on the combat of Botnets, some Botnets are getting smarter and utilizing tools to monitor traffic to not fall easily into these traps.<br />
=== A common weak point from a Botnet ===<br />
By reaching the conclusion of infection though the packets analysis, it is possible to detect which type of C&C is being used to the communication between the Bot Client and Bot Herder and even, deactivate the Botnet by deactivating the communication channel.<br />
One of the biggest weaknesses from a Botnet is that, due to its inheritance of the C&C structure, once the higher level Bots are compromised, the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
==== Norton Anti-Bot ====<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. Unfortunately, its design only takes action if the Bot software actually does something, if not, Norton will simply leave it alone in its idle mode. Since its commercial software, there are the benefits such as assistance and update patches as new Bots definitions are found.<br />
<br><br />
== Conclusion ==<br />
The fight is not over yet! We can't let this terrible security threat take over our Internet bandwidth for illicit traffic. There are techniques out there that can be used for prevention, but they haven't been prove to be really generic to recognize and exterminate the most common Bots and its derivatives.<br />
<br><br />
Another "advantage" is that when a Bot Herder tries to infect a machine that has been compromised by other Bot, it first closes the processes, deactivate them, and finally destroys that Bot; this has been vastly called Botnet War. Once this Bot exterminating procedure can come out from the shadows, a tool can be implemented to exterminate this Botnets in a efficient way.<br />
<br><br />
In conclusion, there are still a lot of aspects to be searched, discussed and studied to find ways to exterminate Botnets. We should join forces against this threat that is out there compromising our Internet day by day, or better phased, byte by byte...<br />
<br />
== References ==<br />
* Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
or ISBN-13: 978-1-59749-135-8<br />
* [http://pt.wikipedia.org/wiki/Botnet Botnet], Botnets (portuguese version)<br />
* [http://en.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://en.wikipedia.org/wiki/Phishing Phishing], Phishing<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own Botnet with a open source software] Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm Botnet attacks: Denial of Service], Botnet and denial of service<br />
<br />
== See Also ==<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet Alternative Technologies for Ethernet], Alternative Technologies for Ethernet<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Phishing Phishing], Phishing<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Internet_Control_Message_Protocol Internet Control Message Protocol], IMCP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Denial_Of_Service_Attacks Denial of Service Attacks] DNS Attacks<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Cryptography_in_Information_Security Cryptography], Cryptography<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Proxy Proxy Servers], Proxy Server<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Network_firewall Network Firewall], Network Firewall<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Malware Malwares], Malwares<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Peer_To_Peer_Network_Security Peer to Peer Network Security], Peer to Peer Network Security<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Simple_Mail_Transfer_Protocol Simple Mail Transfer Protocol], SMTP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Email_Security Email Security], Email Security<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service Facebook Botnet risk Revealed],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service Sun Grid hit by a network attack], Denial of service at Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service DoS may shut down the Internet],DoS can shut down the internet<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service A million zombies threaten US national security], A million zombies threaten US national security<br />
* [www.symantec.com Symantec], Symantec<br />
* [http://idgnow.uol.com.br/seguranca/2007], Internet Attacks on 2007<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 10:46, 11 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-12T13:18:46Z<p>Rosard: </p>
<hr />
<div>Each phase our world, has its healthiness’ such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealth has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. This vast information sea has been spread though the [[Internet|internet network]], which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as [[viruses]], [[Computer worms|worms]], [[Trojan horses]] and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
[[Image:20080923-spam-botnet.jpg]]<br />
<br><br />
<br />
== Bot? What is it?? How it works???==<br />
[[Image:Talking-trojan.jpg]]<br />
A Bot is a type of malicious software that after successfully invading a machine (called [[Zombie computers]]), usually installed via worms, Trojan horses, or through [[Back doors]], under a common [[command-and-control]](C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on [[Windows]] OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on [[Linux]] or [[Mac]] OS) behave like “worm” processes, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then, they connect to a communication channel ([[IRC]], [[Web Server]] or [[Peer to Peer File Sharing|P2P Server]]), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from the infected user PC, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers; however an exponential number of Bots integrating a Botnet can be way more catastrophic turn of events.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines (infected PC’s) are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
[[Image:Vk bb 0508 pic02.png]]<br />
=== Life cycle of a Botnet ===<br />
* Initial setup of configuration settings of the Bot parameters such as infection vectors, payload, stealth, C&C details<br />
* Register a dynamic [[DNS]] ([[DDNS]])<br />
* Register a [[static IP]]<br />
* Bot Herder infect PC's with the Bot(s)<br />
** Bot propagates the infection according to the configuration settings<br />
** Bot scans for vulnerabilities that it may encounter<br />
** Idle<br />
** Performs actions received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The owner of an infected PC with a Bot realizes the PC is a zombie so it kills the Bot.<br />
*** The chain of command may be compromised above the level.<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privacy privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague? On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data [[integrity]], [[availability]] and [[confidentiality]] of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the [[anti-viruses]] systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “[[Proxy Server|Proxys]]” though where the IRC commands will be sent, or though a series of "hops". These layers make the [[crackers]] hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other Bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti-virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the Bot client modules is usually set to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, Bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, Bots needed to be able to operate as the channel operator. This turn of events lead the Bots apps to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to the users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, [[mIRC]] based. Runs scripts in response to IRC server events Supports raw [[TCP]] and [[UDP]] [[Socket]] connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in [[C++]] where its source code is available to [[hacker]] community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 [[Symantec]] released an internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active Bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active Bot network computers. They also discovered that many bots were not usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, [[McAfee]] was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) Bot related. The national telecommunication company reported the following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank [[ATM]] service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; a small Botnet of 10,000 Bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, [[Microsoft]] has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to [[VeriSign]], the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into pod casts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the [[FBI]].<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the [[International Botnet Task Force]] since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", [[Vint Cerf]], has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending [[spam]] and [[spy ware]] and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for [[Facebook]] that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks: Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of [[Computer Science]] in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open [[ports]], and overriding [[Internet Cookies and Confidentiality|authentication mechanisms]] that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces ([[APIs]]) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
[[Image:Spam2 2.jpg]]<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
=== Phishing ===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the [[Phishing|Phisher]] sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of layman users today, still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whomever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as [[key loggers]] to record key strokes or even [[Screen Loggers]] to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not Phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are others distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
The detection of Bots is a really difficult task. The big variety of the malicious code for these kind of application really makes its detection challenging. There are some tools that have been used against this threat, some in open source, and other for commercial purposes. Unfortunately, none of them have been sufficiently generic to detect all varieties of the most common Bots. In the mean time we should use some techniques and tools to detect and/or prevent the infection.<br />
<br />
=== Some sings of infection by Bots ===<br />
* High invisible to visible user ratio<br />
* High user to channel ratio<br />
* Server display name doesn't match [[IP Address]]<br />
* Suspicious nicks, topics and channel names<br />
* Suspicious DNS name used to find server(s)<br />
* Suspicious [[ARR(s)]] associated with DNS name<br />
* Connected hosts exhibiting suspicious behavior<br />
* TCP port 6667 open when an IRC client is not running<br />
* IRC port 113 usually suggests bots. This port has being mainly used to be a data port from the Bot to the Bot Herder.<br />
<br />
=== Enrolling in the Botnet War ===<br />
Monitoring the network traffic, at the first instance, can look useless although, it can be a key and effective action when executed with efficiency. For example, by knowing the ports that are most used for the Bot Herder's communication with the Bots, we can modify the flow of data though these ports or maybe even verify if they are open when they should be closed, for example.<br />
<br><br />
=== TCPDump ===<br />
A way to make this monitoring more reliable is the integration of these functions to a "logging" analysis of host(s). A really good open source [[Sniffer]] is the [[TCPDump]] (www.tcpdump.org). This application makes the capture of packets possible in a whole network, or even from only one individual host though a specific port by using a filtering option. This is really important, because a lot of Sniffers capture "noise packets" from other hosts which implies in a harder analysis.<br />
<br><br />
With this power, from the moment that we determine a host which could be used as a zombie computer in a Botnet, we use the following command to capture it's traffic, for example, from coming from it's port 6667 (common port for communication with Bot Herders):<br />
* # tcpdump –X –s 1500 host 192.168.1.1 and tcp port 6667<br />
=== DarkNets ===<br />
The combat against Botnets has been been really intense in the latest years. Today, there are gropus dedicated to only search the Internet in the search of these "Zombies" networks. There are some networks that are exclusively running only as a trap to catch these Botnets; they are called [[Darknets]]. The term Darknet is used to determine a range of IP addresses which should been not being used by no host in the network. The truth is that network on these IP addresses is considered illegal.<br />
<br><br />
Darknets can be used by organization that with to verity if their network has any irregularity. Although, they are getting more famous on the combat of Botnets, some Botnets are getting smarter and utilizing tools to monitor traffic to not fall easily into these traps.<br />
=== A common weak point from a Botnet ===<br />
By reaching the conclusion of infection though the packets analysis, it is possible to detect which type of C&C is being used to the communication between the Bot Client and Bot Herder and even, deactivate the Botnet by deactivating the communication channel.<br />
One of the biggest weaknesses from a Botnet is that, due to its inheritance of the C&C structure, once the higher level Bots are compromised, the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
==== Norton Anti-Bot ====<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. Unfortunately, its design only takes action if the Bot software actually does something, if not, Norton will simply leave it alone in its idle mode. Since its commercial software, there are the benefits such as assistance and update patches as new Bots definitions are found.<br />
<br><br />
== Conclusion ==<br />
The fight is not over yet! We can't let this terrible security threat take over our Internet bandwidth for illicit traffic. There are techniques out there that can be used for prevention, but they haven't been prove to be really generic to recognize and exterminate the most common Bots and its derivatives.<br />
<br><br />
Another "advantage" is that when a Bot Herder tries to infect a machine that has been compromised by other Bot, it first closes the processes, deactivate them, and finally destroys that Bot; this has been vastly called Botnet War. Once this Bot exterminating procedure can come out from the shadows, a tool can be implemented to exterminate this Botnets in a efficient way.<br />
<br><br />
In conclusion, there are still a lot of aspects to be searched, discussed and studied to find ways to exterminate Botnets. We should join forces against this threat that is out there compromising our Internet day by day, or better phased, byte by byte...<br />
<br />
== References ==<br />
* Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
or ISBN-13: 978-1-59749-135-8<br />
* [http://pt.wikipedia.org/wiki/Botnet Botnet], Botnets (portuguese version)<br />
* [http://en.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://en.wikipedia.org/wiki/Phishing Phishing], Phishing<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own Botnet with a open source software] Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm Botnet attacks: Denial of Service], Botnet and denial of service<br />
<br />
== See Also ==<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet Alternative Technologies for Ethernet], Alternative Technologies for Ethernet<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Phishing Phishing], Phishing<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Internet_Control_Message_Protocol Internet Control Message Protocol], IMCP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Denial_Of_Service_Attacks Denial of Service Attacks] DNS Attacks<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Cryptography_in_Information_Security Cryptography], Cryptography<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Proxy Proxy Servers], Proxy Server<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Network_firewall Network Firewall], Network Firewall<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Malware Malwares], Malwares<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Peer_To_Peer_Network_Security Peer to Peer Network Security], Peer to Peer Network Security<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Simple_Mail_Transfer_Protocol Simple Mail Transfer Protocol], SMTP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Email_Security Email Security], Email Security<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service Facebook Botnet risk Revealed],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service Sun Grid hit by a network attack], Denial of service at Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service DoS may shut down the Internet],DoS can shut down the internet<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service A million zombies threaten US national security], A million zombies threaten US national security<br />
* [www.symantec.com Symantec], Symantec<br />
* [http://idgnow.uol.com.br/seguranca/2007], Internet Attacks on 2007<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 10:46, 11 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/File:300_107540.gifFile:300 107540.gif2009-04-12T13:09:26Z<p>Rosard: </p>
<hr />
<div></div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/File:Vk_bb_0508_pic02.pngFile:Vk bb 0508 pic02.png2009-04-12T13:08:54Z<p>Rosard: </p>
<hr />
<div></div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/File:Talking-trojan.jpgFile:Talking-trojan.jpg2009-04-12T13:08:33Z<p>Rosard: </p>
<hr />
<div></div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/File:20080923-spam-botnet.jpgFile:20080923-spam-botnet.jpg2009-04-12T13:08:09Z<p>Rosard: </p>
<hr />
<div></div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/File:Bbc_chimera_botnet11.jpgFile:Bbc chimera botnet11.jpg2009-04-12T13:07:47Z<p>Rosard: </p>
<hr />
<div></div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/File:Spam2_2.jpgFile:Spam2 2.jpg2009-04-12T13:07:17Z<p>Rosard: </p>
<hr />
<div></div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-12T12:43:57Z<p>Rosard: </p>
<hr />
<div>Each phase our world, has its healthiness’ such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealth has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. This vast information sea has been spread though the [[Internet|internet network]], which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as [[viruses]], [[Computer worms|worms]], [[Trojan horses]] and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called [[Zombie computers]]), usually installed via worms, Trojan horses, or through [[Back doors]], under a common [[command-and-control]](C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on [[Windows]] OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on [[Linux]] or [[Mac]] OS) behave like “worm” processes, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then, they connect to a communication channel ([[IRC]], [[Web Server]] or [[Peer to Peer File Sharing|P2P Server]]), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from the infected user PC, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers; however an exponential number of Bots integrating a Botnet can be way more catastrophic turn of events.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines (infected PC’s) are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
<br />
=== Life cycle of a Botnet ===<br />
* Initial setup of configuration settings of the Bot parameters such as infection vectors, payload, stealth, C&C details<br />
* Register a dynamic [[DNS]] ([[DDNS]])<br />
* Register a [[static IP]]<br />
* Bot Herder infect PC's with the Bot(s)<br />
** Bot propagates the infection according to the configuration settings<br />
** Bot scans for vulnerabilities that it may encounter<br />
** Idle<br />
** Performs actions received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The owner of an infected PC with a Bot realizes the PC is a zombie so it kills the Bot.<br />
*** The chain of command may be compromised above the level.<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privacy privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague? On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data [[integrity]], [[availability]] and [[confidentiality]] of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the [[anti-viruses]] systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “[[Proxy Server|Proxys]]” though where the IRC commands will be sent, or though a series of "hops". These layers make the [[crackers]] hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other Bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti-virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the Bot client modules is usually set to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, Bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, Bots needed to be able to operate as the channel operator. This turn of events lead the Bots apps to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to the users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, [[mIRC]] based. Runs scripts in response to IRC server events Supports raw [[TCP]] and [[UDP]] [[Socket]] connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in [[C++]] where its source code is available to [[hacker]] community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 [[Symantec]] released an internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active Bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active Bot network computers. They also discovered that many bots were not usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, [[McAfee]] was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) Bot related. The national telecommunication company reported the following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank [[ATM]] service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; a small Botnet of 10,000 Bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, [[Microsoft]] has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to [[VeriSign]], the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into pod casts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the [[FBI]].<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the [[International Botnet Task Force]] since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", [[Vint Cerf]], has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending [[spam]] and [[spy ware]] and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for [[Facebook]] that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks: Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of [[Computer Science]] in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open [[ports]], and overriding [[Internet Cookies and Confidentiality|authentication mechanisms]] that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces ([[APIs]]) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
=== Phishing ===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the [[Phishing|Phisher]] sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of layman users today, still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whomever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as [[key loggers]] to record key strokes or even [[Screen Loggers]] to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not Phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are others distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
The detection of Bots is a really difficult task. The big variety of the malicious code for these kind of application really makes its detection challenging. There are some tools that have been used against this threat, some in open source, and other for commercial purposes. Unfortunately, none of them have been sufficiently generic to detect all varieties of the most common Bots. In the mean time we should use some techniques and tools to detect and/or prevent the infection.<br />
<br />
=== Some sings of infection by Bots ===<br />
* High invisible to visible user ratio<br />
* High user to channel ratio<br />
* Server display name doesn't match [[IP Address]]<br />
* Suspicious nicks, topics and channel names<br />
* Suspicious DNS name used to find server(s)<br />
* Suspicious [[ARR(s)]] associated with DNS name<br />
* Connected hosts exhibiting suspicious behavior<br />
* TCP port 6667 open when an IRC client is not running<br />
* IRC port 113 usually suggests bots. This port has being mainly used to be a data port from the Bot to the Bot Herder.<br />
<br />
=== Enrolling in the Botnet War ===<br />
Monitoring the network traffic, at the first instance, can look useless although, it can be a key and effective action when executed with efficiency. For example, by knowing the ports that are most used for the Bot Herder's communication with the Bots, we can modify the flow of data though these ports or maybe even verify if they are open when they should be closed, for example.<br />
<br><br />
=== TCPDump ===<br />
A way to make this monitoring more reliable is the integration of these functions to a "logging" analysis of host(s). A really good open source [[Sniffer]] is the [[TCPDump]] (www.tcpdump.org). This application makes the capture of packets possible in a whole network, or even from only one individual host though a specific port by using a filtering option. This is really important, because a lot of Sniffers capture "noise packets" from other hosts which implies in a harder analysis.<br />
<br><br />
With this power, from the moment that we determine a host which could be used as a zombie computer in a Botnet, we use the following command to capture it's traffic, for example, from coming from it's port 6667 (common port for communication with Bot Herders):<br />
* # tcpdump –X –s 1500 host 192.168.1.1 and tcp port 6667<br />
=== DarkNets ===<br />
The combat against Botnets has been been really intense in the latest years. Today, there are gropus dedicated to only search the Internet in the search of these "Zombies" networks. There are some networks that are exclusively running only as a trap to catch these Botnets; they are called [[Darknets]]. The term Darknet is used to determine a range of IP addresses which should been not being used by no host in the network. The truth is that network on these IP addresses is considered illegal.<br />
<br><br />
Darknets can be used by organization that with to verity if their network has any irregularity. Although, they are getting more famous on the combat of Botnets, some Botnets are getting smarter and utilizing tools to monitor traffic to not fall easily into these traps.<br />
=== A common weak point from a Botnet ===<br />
By reaching the conclusion of infection though the packets analysis, it is possible to detect which type of C&C is being used to the communication between the Bot Client and Bot Herder and even, deactivate the Botnet by deactivating the communication channel.<br />
One of the biggest weaknesses from a Botnet is that, due to its inheritance of the C&C structure, once the higher level Bots are compromised, the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
==== Norton Anti-Bot ====<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. Unfortunately, its design only takes action if the Bot software actually does something, if not, Norton will simply leave it alone in its idle mode. Since its commercial software, there are the benefits such as assistance and update patches as new Bots definitions are found.<br />
<br><br />
== Conclusion ==<br />
The fight is not over yet! We can't let this terrible security threat take over our Internet bandwidth for illicit traffic. There are techniques out there that can be used for prevention, but they haven't been prove to be really generic to recognize and exterminate the most common Bots and its derivatives.<br />
<br><br />
Another "advantage" is that when a Bot Herder tries to infect a machine that has been compromised by other Bot, it first closes the processes, deactivate them, and finally destroys that Bot; this has been vastly called Botnet War. Once this Bot exterminating procedure can come out from the shadows, a tool can be implemented to exterminate this Botnets in a efficient way.<br />
<br><br />
In conclusion, there are still a lot of aspects to be searched, discussed and studied to find ways to exterminate Botnets. We should join forces against this threat that is out there compromising our Internet day by day, or better phased, byte by byte...<br />
<br />
== References ==<br />
* Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
or ISBN-13: 978-1-59749-135-8<br />
* [http://pt.wikipedia.org/wiki/Botnet Botnet], Botnets (portuguese version)<br />
* [http://en.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://en.wikipedia.org/wiki/Phishing Phishing], Phishing<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own Botnet with a open source software] Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm Botnet attacks: Denial of Service], Botnet and denial of service<br />
<br />
== See Also ==<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet Alternative Technologies for Ethernet], Alternative Technologies for Ethernet<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Phishing Phishing], Phishing<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Internet_Control_Message_Protocol Internet Control Message Protocol], IMCP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Denial_Of_Service_Attacks Denial of Service Attacks] DNS Attacks<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Cryptography_in_Information_Security Cryptography], Cryptography<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Proxy Proxy Servers], Proxy Server<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Network_firewall Network Firewall], Network Firewall<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Malware Malwares], Malwares<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Peer_To_Peer_Network_Security Peer to Peer Network Security], Peer to Peer Network Security<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Simple_Mail_Transfer_Protocol Simple Mail Transfer Protocol], SMTP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Email_Security Email Security], Email Security<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service Facebook Botnet risk Revealed],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service Sun Grid hit by a network attack], Denial of service at Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service DoS may shut down the Internet],DoS can shut down the internet<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service A million zombies threaten US national security], A million zombies threaten US national security<br />
<br />
[3] – www.symantec.com/avcenter/reference/<br />
[2] – www.bookworms.ca<br />
[6] -http://pcworld.uol.com.br/reportagens/2006/08/07idgnoticia.200607.8123032606<br />
[9] – http://menno.b10m.net/blog/blosxom.cgi/2007/01/08#botnet-muie<br />
[10] – http://hackerseguranca.blogspot.com/feeds/post/default<br />
[11] – http://idgnow.uol.com.br/seguranca/2007<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 10:46, 11 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-12T07:12:58Z<p>Rosard: </p>
<hr />
<div>Each phase our world, has its healthiness’ such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealth has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. This vast information sea has been spread though the [[Internet|internet network]], which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as [[viruses]], [[Computer worms|worms]], [[Trojan horses]] and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called [[Zombie computers]]), usually installed via worms, Trojan horses, or through [[Back doors]], under a common [[command-and-control]](C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on [[Windows]] OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on [[Linux]] or [[Mac]] OS) behave like “worm” processes, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then, they connect to a communication channel ([[IRC]], [[Web Server]] or [[Peer to Peer File Sharing|P2P Server]]), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from the infected user PC, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers; however an exponential number of Bots integrating a Botnet can be way more catastrophic turn of events.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines (infected PC’s) are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
<br />
=== Life cycle of a Botnet ===<br />
* Initial setup of configuration settings of the Bot parameters such as infection vectors, payload, stealth, C&C details<br />
* Register a dynamic [[DNS]] ([[DDNS]])<br />
* Register a [[static IP]]<br />
* Bot Herder infect PC's with the Bot(s)<br />
** Bot propagates the infection according to the configuration settings<br />
** Bot scans for vulnerabilities that it may encounter<br />
** Idle<br />
** Performs actions received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The owner of an infected PC with a Bot realizes the PC is a zombie so it kills the Bot.<br />
*** The chain of command may be compromised above the level.<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privacy privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague? On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data [[integrity]], [[availability]] and [[confidentiality]] of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the [[anti-viruses]] systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “[[Proxy Server|Proxys]]” though where the IRC commands will be sent, or though a series of "hops". These layers make the [[crackers]] hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other Bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti-virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the Bot client modules is usually set to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, Bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, Bots needed to be able to operate as the channel operator. This turn of events lead the Bots apps to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to the users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, [[mIRC]] based. Runs scripts in response to IRC server events Supports raw [[TCP]] and [[UDP]] [[Socket]] connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in [[C++]] where its source code is available to [[hacker]] community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 [[Symantec]] released an internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active Bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active Bot network computers. They also discovered that many bots were not usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, [[McAfee]] was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) Bot related. The national telecommunication company reported the following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank [[ATM]] service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; a small Botnet of 10,000 Bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, [[Microsoft]] has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to [[VeriSign]], the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into pod casts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the [[FBI]].<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the [[International Botnet Task Force]] since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", [[Vint Cerf]], has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending [[spam]] and [[spy ware]] and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for [[Facebook]] that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks: Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of [[Computer Science]] in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open [[ports]], and overriding [[Internet Cookies and Confidentiality|authentication mechanisms]] that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces ([[APIs]]) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
=== Phishing ===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the [[Phishing|Phisher]] sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of layman users today, still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whomever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as [[key loggers]] to record key strokes or even [[Screen Loggers]] to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not Phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are others distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
The detection of Bots is a really difficult task. The big variety of the malicious code for these kind of application really makes its detection challenging. There are some tools that have been used against this threat, some in open source, and other for commercial purposes. Unfortunately, none of them have been sufficiently generic to detect all varieties of the most common Bots. In the mean time we should use some techniques and tools to detect and/or prevent the infection.<br />
<br />
=== Some sings of infection by Bots ===<br />
* High invisible to visible user ratio<br />
* High user to channel ratio<br />
* Server display name doesn't match [[IP Address]]<br />
* Suspicious nicks, topics and channel names<br />
* Suspicious DNS name used to find server(s)<br />
* Suspicious [[ARR(s)]] associated with DNS name<br />
* Connected hosts exhibiting suspicious behavior<br />
* TCP port 6667 open when an IRC client is not running<br />
* IRC port 113 usually suggests bots. This port has being mainly used to be a data port from the Bot to the Bot Herder.<br />
<br />
=== What can I do to fight in the Botnet War??? ===<br />
Monitoring the network traffic, at the first instance, can look useless although, it can be a key and effective action when executed with efficiency. For example, by knowing the ports that are most used for the Bot Herder's communication with the Bots, we can modify the flow of data though these ports or maybe even verify if they are open when they should be closed, for example.<br />
<br><br />
==== TCPDump ====<br />
A way to make this monitoring more reliable is the integration of these functions to a "logging" analysis of host(s). A really good open source Sniffer is the TCPDump (www.tcpdump.org). This application makes the capture of packets possible in a whole network, or even from only one individual host though a specific port by using a filtering option. This is really important, because a lot of Sniffers capture "noise packets" from other hosts which implies in a harder analysis.<br />
<br><br />
With this power, from the moment that we determine a host which could be used as a zombie computer in a Botnet, we use the following command to capture it's traffic, for example, from coming from it's port 6667 (common port for communication with Bot Herders):<br />
* # tcpdump –X –s 1500 host 192.168.1.1 and tcp port 6667<br />
==== DarkNets ====<br />
O combate às botnets vem se tornando cada vez mais intenso. Atualmente, existem grupos dedicados especialmente a vasculhar a Internet a procura dessas redes “Zombies”. Existem até mesmo redes feitas exclusivamente para capturar botnets funcionando como uma verdadeira armadilha, essas redes são chamadas de “Darknets”.<br />
O termo “darknet” é utilizado para detonar um espaço de endereços IP que não devem ser usados por nenhum “host” na rede. Em outras palavras, tráfego nesses endereços IP são considerados tráfego ilícito. Darknet podem ser utilizadas em organizações que desejam verificar se sua rede está com algum comportamento irregular. Porém, elas estão sendo cada vez mais empregadas por pesquisadores e grupos que combatem botnets. Uma vez criada, a botnet pode utilizar alguma ferramenta de “scanning” para monitorar a rede. Isto pode revelar informações importantes.<br />
==== A common weak point from a Botnet ====<br />
By reaching the conclusion of infection though the packets analysis, it is possible to detect which type of C&C is being used to the communication between the Bot Client and Bot Herder and even, deactivate the Botnet by deactivating the communication channel.<br />
One of the biggest weaknesses from a Botnet is that, due to its inheritance of the C&C structure, once the higher level Bots are compromised, the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
==== Norton Anti-Bot ====<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. Unfortunately, its design only takes action if the Bot software actually does something, if not, Norton will simply leave it alone in its idle mode. Since its commercial software, there are the benefits such as assistance and update patches as new Bots definitions are found.<br />
<br><br />
== Conclusion ==<br />
O presente relatório foi elaborado com o objetivo de começar uma pesquisa sobre bots e botnets, objetivando a criação de uma ferramenta que seja capaz de detectar incidências desses malware em um host individual e/ou em uma rede completa. Vimos, no decorrer do relatório, que muitas técnicas e ferramentas voltadas para tal objetivo já estão sendo empregadas. Porém, nenhumas das que foram citadas se mostrou genérica o bastante para reconhecer os bots mais comuns e seus variantes. Vale salientar que essa pesquisa está apenas começando. Em outras palavras este documento sofrerá atualizações no decorrer do tempo e da evolução dos bots, tentando acompanhar as inovações dos que estão envolvidos em desenvolver novas armas para melhorar o combate esses tipos de ameaças. Tem-se em mente que não será uma tarefa das mais fáceis, mas o desafio será recompensador e proveitoso. Durante a pesquisa foram observadas algumas peculiaridades dos bots que se usados como arma no combate a eles mesmos pode ser de grande ajuda. Por exemplo, quando um botherder tenta infectar uma máquina que já se encontra comprometida com outro bot que não lhe pertence, esse usa comandos para que o seu bot procure e remova o bot “inimigo”, o que se chama de guerras de botnets. Uma vez descoberto como isso acontece será um grande passo na implementação da ferramenta. Um outro fato interessante é uma função do RBot e seus variantes, os quais têm a capacidade de finalizar processos relacionados a outros tipos de “malware”. Enfim existem muitos aspectos para se pesquisar e aprender sobre essa crescente ameaça, que se torna cada dia mais forte!<br />
<br />
== References ==<br />
* Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
or ISBN-13: 978-1-59749-135-8<br />
* [http://pt.wikipedia.org/wiki/Botnet Botnet], Botnets (portuguese version)<br />
* [http://en.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://en.wikipedia.org/wiki/Phishing Phishing], Phishing<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own Botnet with a open source software] Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm Botnet attacks: Denial of Service], Botnet and denial of service<br />
<br />
== See Also ==<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet Alternative Technologies for Ethernet], Alternative Technologies for Ethernet<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Phishing Phishing], Phishing<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Internet_Control_Message_Protocol Internet Control Message Protocol], IMCP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Denial_Of_Service_Attacks Denial of Service Attacks] DNS Attacks<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Cryptography_in_Information_Security Cryptography], Cryptography<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Proxy Proxy Servers], Proxy Server<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Network_firewall Network Firewall], Network Firewall<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Malware Malwares], Malwares<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Peer_To_Peer_Network_Security Peer to Peer Network Security], Peer to Peer Network Security<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Simple_Mail_Transfer_Protocol Simple Mail Transfer Protocol], SMTP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Email_Security Email Security], Email Security<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service Facebook Botnet risk Revealed],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service Sun Grid hit by a network attack], Denial of service at Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service DoS may shut down the Internet],DoS can shut down the internet<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service A million zombies threaten US national security], A million zombies threaten US national security<br />
<br />
[3] – www.symantec.com/avcenter/reference/<br />
[2] – www.bookworms.ca<br />
[6] -http://pcworld.uol.com.br/reportagens/2006/08/07idgnoticia.200607.8123032606<br />
[9] – http://menno.b10m.net/blog/blosxom.cgi/2007/01/08#botnet-muie<br />
[10] – http://hackerseguranca.blogspot.com/feeds/post/default<br />
[11] – http://idgnow.uol.com.br/seguranca/2007<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 10:46, 11 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-12T03:16:38Z<p>Rosard: </p>
<hr />
<div>Each phase our world, has its healthiness’ such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealth has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. This vast information sea has been spread though the [[Internet|internet network]], which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as [[viruses]], [[Computer worms|worms]], [[Trojan horses]] and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called [[Zombie computers]]), usually installed via worms, Trojan horses, or through [[Back doors]], under a common [[command-and-control]](C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on [[Windows]] OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on [[Linux]] or [[Mac]] OS) behave like “worm” processes, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then, they connect to a communication channel ([[IRC]], [[Web Server]] or [[Peer to Peer File Sharing|P2P Server]]), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from the infected user PC, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers; however an exponential number of Bots integrating a Botnet can be way more catastrophic turn of events.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines (infected PC’s) are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
<br />
=== Life cycle of a Botnet ===<br />
* Initial setup of configuration settings of the Bot parameters such as infection vectors, payload, stealth, C&C details<br />
* Register a dynamic [[DNS]] ([[DDNS]])<br />
* Register a [[static IP]]<br />
* Bot Herder infect PC's with the Bot(s)<br />
** Bot propagates the infection according to the configuration settings<br />
** Bot scans for vulnerabilities that it may encounter<br />
** Idle<br />
** Performs actions received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The owner of an infected PC with a Bot realizes the PC is a zombie so it kills the Bot.<br />
*** The chain of command may be compromised above the level.<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privacy privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague? On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data [[integrity]], [[availability]] and [[confidentiality]] of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the [[anti-viruses]] systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “[[Proxy Server|Proxys]]” though where the IRC commands will be sent, or though a series of "hops". These layers make the [[crackers]] hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other Bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti-virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the Bot client modules is usually set to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, Bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, Bots needed to be able to operate as the channel operator. This turn of events lead the Bots apps to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to the users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 Symantec released an internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active Bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active Bot network computers. They also discovered that many bots were not usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, McAfee was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) Bot related. The national telecommunication company reported the following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; a small Botnet of 10,000 Bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into pod casts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the FBI.<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", Vint Cerf, has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending spam and spy ware and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks: Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
===Phishing===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the Phisher sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of users today still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whomever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as key loggers to record key strokes or even Screen Loggers to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not Phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are others distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
The detection of Bots is a really difficult task. The big variety of the malicious code for these kind of application really makes its detection challenging. There are some tools that have been used against this threat, some in open source, and other for commercial purposes. Unfortunately, none of them have been sufficiently generic to detect all varieties of the most common Bots. In the mean time we should use some techniques and tools to detect and/or prevent the infection.<br />
<br />
=== Some sings of infection by Bots ===<br />
* High invisible to visible user ratio<br />
* High user to channel ratio<br />
* Server display name doesn't match IP Address<br />
* Suspicious nicks, topics and channel names<br />
* Suspicious DNS name used to find server(s)<br />
* Suspicious ARR(s) associated with DNS name<br />
* Connected hosts exhibiting suspicious behavior<br />
* TCP port 6667 open when an IRC client is not running<br />
* IRC port 113 usually suggests bots. This port has being mainly used to be a data port from the Bot to the Bot Herder.<br />
<br />
=== What can I do to fight in the Botnet War??? ===<br />
Monitoring the network traffic, at the first instance, can look useless although, it can be a key and effective action when executed with efficiency. For example, by knowing the ports that are most used for the Bot Herder's communication with the Bots, we can modify the flow of data though these ports or maybe even verify if they are open when they should be closed, for example.<br />
<br><br />
A way to make this monitoring more reliable is the integration of these functions to a "logging" analysis of host(s). A really good open source Sniffer is the <ref>[www.tcpdump.org TCPDump]</ref>. This application makes the capture of packets possible in a whole network, or even from only one individual host though a specific port by using a filtering option. This is really important, because a lot of Sniffers capture "noise packets" from other hosts which implies in a harder analysis.<br />
<br><br />
With this power, from the moment that we determine a host which could be used as a zombie computer in a Botnet, we use the following command to capture it's traffic, for example, from coming from it's port 6667 (common port for communication with Bot Herders):<br />
* # tcpdump –X –s 1500 host 192.168.1.1 and tcp port 6667<br />
By reaching the conclusion of infection though the packets analysis, it is possible to detect which type of C&C is being used to the communication between the Bot Client and Bot Herder and even, deactivate the Botnet by deactivating the communication channel.<br />
One of the biggest weaknesses from a Botnet is that, due to its inheritance of the C&C structure, once the higher level Bots are compromised, the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
<br />
=== Norton Anti-Bot ===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. Unfortunately, its design only takes action if the Bot software actually does something, if not, Norton will simply leave it alone in its idle mode. Since its commercial software, there are the benefits such as assistance and update patches as new Bots definitions are found.<br />
<br />
== Conclusion ==<br />
<br />
== References ==<br />
* Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
or ISBN-13: 978-1-59749-135-8<br />
* [http://pt.wikipedia.org/wiki/Botnet Botnet], Botnets (portuguese version)<br />
* [http://en.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://en.wikipedia.org/wiki/Phishing Phishing], Phishing<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own Botnet with a open source software] Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm Botnet attacks: Denial of Service], Botnet and denial of service<br />
<br />
== See Also ==<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet Alternative Technologies for Ethernet], Alternative Technologies for Ethernet<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Phishing Phishing], Phishing<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Internet_Control_Message_Protocol Internet Control Message Protocol], IMCP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Denial_Of_Service_Attacks Denial of Service Attacks] DNS Attacks<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Cryptography_in_Information_Security Cryptography], Cryptography<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Proxy Proxy Servers], Proxy Server<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Network_firewall Network Firewall], Network Firewall<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Malware Malwares], Malwares<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Peer_To_Peer_Network_Security Peer to Peer Network Security], Peer to Peer Network Security<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Simple_Mail_Transfer_Protocol Simple Mail Transfer Protocol], SMTP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Email_Security Email Security], Email Security<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service Facebook Botnet risk Revealed],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service Sun Grid hit by a network attack], Denial of service at Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service DoS may shut down the Internet],DoS can shut down the internet<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service A million zombies threaten US national security], A million zombies threaten US national security<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 10:46, 11 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-12T03:09:54Z<p>Rosard: </p>
<hr />
<div>Each phase our world, has its healthiness’ such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealth has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. This vast information sea has been spread though the [[Internet|internet network]], which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as [[viruses]], [[Computer worms|worms]], [[Trojan horses]] and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called [[Zombie computers]]), usually installed via worms, Trojan horses, or through [[Back doors]], under a common [[command-and-control]](C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on [[Windows]] OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on [[Linux]] or [[Mac]] OS) behave like “worm” processes, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then, they connect to a communication channel ([[IRC]], [[Web Server]] or [[Peer to Peer File Sharing|P2P Server]]), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from the infected user PC, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers; however an exponential number of Bots integrating a Botnet can be way more catastrophic turn of events.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines (infected PC’s) are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
<br />
=== Life cycle of a Botnet ===<br />
* Initial setup of configuration settings of the Bot parameters such as infection vectors, payload, stealth, C&C details<br />
* Register a dynamic [[DNS]] ([[DDNS]])<br />
* Register a [[static IP]]<br />
* Bot Herder infect PC's with the Bot(s)<br />
** Bot propagates the infection according to the configuration settings<br />
** Bot scans for vulnerabilities that it may encounter<br />
** Idle<br />
** Performs actions received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The owner of an infected PC with a Bot realizes the PC is a zombie so it kills the Bot.<br />
*** The chain of command may be compromised above the level.<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privacy privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague? On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data [[integrity]], [[availability]] and [[confidentiality]] of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “Proxys” though where the IRC commands will be sent, or though a series of "hops". These layers make the crackers hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the Bot client modules is usually set to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, Bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, Bots needed to be able to operate as the channel operator. This turn of events lead the Bots apps to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to the users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 Symantec released an internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active Bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active Bot network computers. They also discovered that many bots were not usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, McAfee was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) Bot related. The national telecommunication company reported the following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; a small Botnet of 10,000 Bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into pod casts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the FBI.<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", Vint Cerf, has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending spam and spy ware and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks: Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
===Phishing===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the Phisher sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of users today still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whomever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as key loggers to record key strokes or even Screen Loggers to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not Phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are others distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
The detection of Bots is a really difficult task. The big variety of the malicious code for these kind of application really makes its detection challenging. There are some tools that have been used against this threat, some in open source, and other for commercial purposes. Unfortunately, none of them have been sufficiently generic to detect all varieties of the most common Bots. In the mean time we should use some techniques and tools to detect and/or prevent the infection.<br />
<br />
=== Some sings of infection by Bots ===<br />
* High invisible to visible user ratio<br />
* High user to channel ratio<br />
* Server display name doesn't match IP Address<br />
* Suspicious nicks, topics and channel names<br />
* Suspicious DNS name used to find server(s)<br />
* Suspicious ARR(s) associated with DNS name<br />
* Connected hosts exhibiting suspicious behavior<br />
* TCP port 6667 open when an IRC client is not running<br />
* IRC port 113 usually suggests bots. This port has being mainly used to be a data port from the Bot to the Bot Herder.<br />
<br />
=== What can I do to fight in the Botnet War??? ===<br />
Monitoring the network traffic, at the first instance, can look useless although, it can be a key and effective action when executed with efficiency. For example, by knowing the ports that are most used for the Bot Herder's communication with the Bots, we can modify the flow of data though these ports or maybe even verify if they are open when they should be closed, for example.<br />
<br><br />
A way to make this monitoring more reliable is the integration of these functions to a "logging" analysis of host(s). A really good open source Sniffer is the <ref>[www.tcpdump.org TCPDump]</ref>. This application makes the capture of packets possible in a whole network, or even from only one individual host though a specific port by using a filtering option. This is really important, because a lot of Sniffers capture "noise packets" from other hosts which implies in a harder analysis.<br />
<br><br />
With this power, from the moment that we determine a host which could be used as a zombie computer in a Botnet, we use the following command to capture it's traffic, for example, from coming from it's port 6667 (common port for communication with Bot Herders):<br />
* # tcpdump –X –s 1500 host 192.168.1.1 and tcp port 6667<br />
By reaching the conclusion of infection though the packets analysis, it is possible to detect which type of C&C is being used to the communication between the Bot Client and Bot Herder and even, deactivate the Botnet by deactivating the communication channel.<br />
One of the biggest weaknesses from a Botnet is that, due to its inheritance of the C&C structure, once the higher level Bots are compromised, the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
<br />
=== Norton Anti-Bot ===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. Unfortunately, its design only takes action if the Bot software actually does something, if not, Norton will simply leave it alone in its idle mode. Since its commercial software, there are the benefits such as assistance and update patches as new Bots definitions are found.<br />
<br />
== Conclusion ==<br />
<br />
== References ==<br />
* Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
or ISBN-13: 978-1-59749-135-8<br />
* [http://pt.wikipedia.org/wiki/Botnet Botnet], Botnets (portuguese version)<br />
* [http://en.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://en.wikipedia.org/wiki/Phishing Phishing], Phishing<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own Botnet with a open source software] Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm Botnet attacks: Denial of Service], Botnet and denial of service<br />
<br />
== See Also ==<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet Alternative Technologies for Ethernet], Alternative Technologies for Ethernet<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Phishing Phishing], Phishing<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Internet_Control_Message_Protocol Internet Control Message Protocol], IMCP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Denial_Of_Service_Attacks Denial of Service Attacks] DNS Attacks<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Cryptography_in_Information_Security Cryptography], Cryptography<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Proxy Proxy Servers], Proxy Server<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Network_firewall Network Firewall], Network Firewall<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Malware Malwares], Malwares<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Peer_To_Peer_Network_Security Peer to Peer Network Security], Peer to Peer Network Security<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Simple_Mail_Transfer_Protocol Simple Mail Transfer Protocol], SMTP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Email_Security Email Security], Email Security<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service Facebook Botnet risk Revealed],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service Sun Grid hit by a network attack], Denial of service at Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service DoS may shut down the Internet],DoS can shut down the internet<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service A million zombies threaten US national security], A million zombies threaten US national security<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 10:46, 11 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-12T02:52:39Z<p>Rosard: </p>
<hr />
<div>Each phase our world, has its healthiness’ such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealth has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. This vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Back doors, under a common command-and-control(C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behave like “worm” processes, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then, they connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from the infected user PC, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers; however an exponential number of Bots integrating a Botnet can be way more catastrophic turn of events.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines (infected PC’s) are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
<br />
=== Life cycle of a Botnet ===<br />
* Initial setup of configuration settings of the Bot parameters such as infection vectors, payload, stealth, C&C details<br />
* Register a dynamic DNS (DDNS)<br />
* Register a static IP<br />
* Bot Herder infect PC's with the Bot(s)<br />
** Bot propagates the infection according to the configuration settings<br />
** Bot scans for vulnerabilities that it may encounter<br />
** Idle<br />
** Performs actions received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The owner of an infected PC with a Bot realizes the PC is a zombie so it kills the Bot.<br />
*** The chain of command may be compromised above the level.<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privacy privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague? On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “Proxys” though where the IRC commands will be sent, or though a series of "hops". These layers make the crackers hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the Bot client modules is usually set to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, Bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, Bots needed to be able to operate as the channel operator. This turn of events lead the Bots apps to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to the users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 Symantec released an internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active Bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active Bot network computers. They also discovered that many bots were not usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, McAfee was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) Bot related. The national telecommunication company reported the following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; a small Botnet of 10,000 Bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into pod casts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the FBI.<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", Vint Cerf, has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending spam and spy ware and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks: Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
===Phishing===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the Phisher sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of users today still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whomever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as key loggers to record key strokes or even Screen Loggers to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not Phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are others distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
The detection of Bots is a really difficult task. The big variety of the malicious code for these kind of application really makes its detection challenging. There are some tools that have been used against this threat, some in open source, and other for commercial purposes. Unfortunately, none of them have been sufficiently generic to detect all varieties of the most common Bots. In the mean time we should use some techniques and tools to detect and/or prevent the infection.<br />
<br />
=== Some sings of infection by Bots ===<br />
* High invisible to visible user ratio<br />
* High user to channel ratio<br />
* Server display name doesn't match IP Address<br />
* Suspicious nicks, topics and channel names<br />
* Suspicious DNS name used to find server(s)<br />
* Suspicious ARR(s) associated with DNS name<br />
* Connected hosts exhibiting suspicious behavior<br />
* TCP port 6667 open when an IRC client is not running<br />
* IRC port 113 usually suggests bots. This port has being mainly used to be a data port from the Bot to the Bot Herder.<br />
<br />
=== What can I do to fight in the Botnet War??? ===<br />
Monitoring the network traffic, at the first instance, can look useless although, it can be a key and effective action when executed with efficiency. For example, by knowing the ports that are most used for the Bot Herder's communication with the Bots, we can modify the flow of data though these ports or maybe even verify if they are open when they should be closed, for example.<br />
<br><br />
A way to make this monitoring more reliable is the integration of these functions to a "logging" analysis of host(s). A really good open source Sniffer is the <ref>[www.tcpdump.org TCPDump]</ref>. This application makes the capture of packets possible in a whole network, or even from only one individual host though a specific port by using a filtering option. This is really important, because a lot of Sniffers capture "noise packets" from other hosts which implies in a harder analysis.<br />
<br><br />
With this power, from the moment that we determine a host which could be used as a zombie computer in a Botnet, we use the following command to capture it's traffic, for example, from coming from it's port 6667 (common port for communication with Bot Herders):<br />
* # tcpdump –X –s 1500 host 192.168.1.1 and tcp port 6667<br />
By reaching the conclusion of infection though the packets analysis, it is possible to detect which type of C&C is being used to the communication between the Bot Client and Bot Herder and even, deactivate the Botnet by deactivating the communication channel.<br />
One of the biggest weaknesses from a Botnet is that, due to its inheritance of the C&C structure, once the higher level Bots are compromised, the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
<br />
=== Norton Anti-Bot ===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. Unfortunately, its design only takes action if the Bot software actually does something, if not, Norton will simply leave it alone in its idle mode. Since its commercial software, there are the benefits such as assistance and update patches as new Bots definitions are found.<br />
<br />
== Conclusion ==<br />
<br />
== References ==<br />
* Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
or ISBN-13: 978-1-59749-135-8<br />
* [http://pt.wikipedia.org/wiki/Botnet Botnet], Botnets (portuguese version)<br />
* [http://en.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://en.wikipedia.org/wiki/Phishing Phishing], Phishing<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own Botnet with a open source software] Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm Botnet attacks: Denial of Service], Botnet and denial of service<br />
<br />
== See Also ==<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet Alternative Technologies for Ethernet], Alternative Technologies for Ethernet<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Phishing Phishing], Phishing<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Internet_Control_Message_Protocol Internet Control Message Protocol], IMCP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Denial_Of_Service_Attacks Denial of Service Attacks] DNS Attacks<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Cryptography_in_Information_Security Cryptography], Cryptography<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Proxy Proxy Servers], Proxy Server<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Network_firewall Network Firewall], Network Firewall<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Malware Malwares], Malwares<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Peer_To_Peer_Network_Security Peer to Peer Network Security], Peer to Peer Network Security<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Simple_Mail_Transfer_Protocol Simple Mail Transfer Protocol], SMTP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Email_Security Email Security], Email Security<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service Facebook Botnet risk Revealed],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service Sun Grid hit by a network attack], Denial of service at Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service DoS may shut down the Internet],DoS can shut down the internet<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service A million zombies threaten US national security], A million zombies threaten US national security<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 10:46, 11 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-12T02:49:37Z<p>Rosard: </p>
<hr />
<div>Each phase our world, has its healthiness’ such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealth has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. This vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Back doors, under a common command-and-control(C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behave like “worm” processes, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then, they connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from the infected user PC, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers; however an exponential number of Bots integrating a Botnet can be way more catastrophic turn of events.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines (infected PC’s) are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
<br />
=== Life cycle of a Botnet ===<br />
* Initial setup of configuration settings of the Bot parameters such as infection vectors, payload, stealth, C&C details<br />
* Register a dynamic DNS (DDNS)<br />
* Register a static IP<br />
* Bot Herder infect PC's with the Bot(s)<br />
** Bot propagates the infection according to the configuration settings<br />
** Bot scans for vulnerabilities that it may encounter<br />
** Idle<br />
** Performs actions received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The owner of an infected PC with a Bot realizes the PC is a zombie so it kills the Bot.<br />
*** The chain of command may be compromised above the level.<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privacy privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague? On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “Proxys” though where the IRC commands will be sent, or though a series of "hops". These layers make the crackers hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the Bot client modules is usually set to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, Bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, Bots needed to be able to operate as the channel operator. This turn of events lead the Bots apps to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to the users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 Symantec released an internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active Bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active Bot network computers. They also discovered that many bots were not usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, McAfee was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) Bot related. The national telecommunication company reported the following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; a small Botnet of 10,000 Bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into pod casts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the FBI.<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", Vint Cerf, has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending spam and spy ware and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks: Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
===Phishing===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the Phisher sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of users today still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whomever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as key loggers to record key strokes or even Screen Loggers to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not Phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are others distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
The detection of Bots is a really difficult task. The big variety of the malicious code for these kind of application really makes its detection challenging. There are some tools that have been used against this threat, some in open source, and other for commercial purposes. Unfortunately, none of them have been sufficiently generic to detect all varieties of the most common Bots. In the mean time we should use some techniques and tools to detect and/or prevent the infection.<br />
<br />
=== Some sings of infection by Bots ===<br />
* High invisible to visible user ratio<br />
* High user to channel ratio<br />
* Server display name doesn't match IP Address<br />
* Suspicious nicks, topics and channel names<br />
* Suspicious DNS name used to find server(s)<br />
* Suspicious ARR(s) associated with DNS name<br />
* Connected hosts exhibiting suspicious behavior<br />
* TCP port 6667 open when an IRC client is not running<br />
* IRC port 113 usually suggests bots. This port has being mainly used to be a data port from the Bot to the Bot Herder.<br />
<br />
=== What can I do to fight in the Botnet War??? ===<br />
Monitoring the network traffic, at the first instance, can look useless although, it can be a key and effective action when executed with efficiency. For example, by knowing the ports that are most used for the Bot Herder's communication with the Bots, we can modify the flow of data though these ports or maybe even verify if they are open when they should be closed, for example.<br />
<br><br />
A way to make this monitoring more reliable is the integration of these functions to a "logging" analysis of host(s). A really good open source Sniffer is the TCPDump ([www.tcpump.org TCPDump]). This application makes the capture of packets possible in a whole network, or even from only one individual host though a specific port by using a filtering option. This is really important, because a lot of Sniffers capture "noise packets" from other hosts which implies in a harder analysis.<br />
<br><br />
With this power, from the moment that we determine a host which could be used as a zombie computer in a Botnet, we use the following command to capture it's traffic, for example, from coming from it's port 6667 (common port for communication with Bot Herders):<br />
* # tcpdump –X –s 1500 host 192.168.1.1 and tcp port 6667<br />
By reaching the conclusion of infection though the packets analysis, it is possible to detect which type of C&C is being used to the communication between the Bot Client and Bot Herder and even, deactivate the Botnet by deactivating the communication channel.<br />
One of the biggest weaknesses from a Botnet is that, due to its inheritance of the C&C structure, once the higher level Bots are compromised, the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
<br />
=== Norton Anti-Bot ===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. Unfortunately, its design only takes action if the Bot software actually does something, if not, Norton will simply leave it alone in its idle mode. Since its commercial software, there are the benefits such as assistance and update patches as new Bots definitions are found.<br />
<br />
== Conclusion ==<br />
<br />
== References ==<br />
* Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
or ISBN-13: 978-1-59749-135-8<br />
* [http://pt.wikipedia.org/wiki/Botnet Botnet], Botnets (portuguese version)<br />
* [http://en.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://en.wikipedia.org/wiki/Phishing Phishing], Phishing<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own Botnet with a open source software] Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm Botnet attacks: Denial of Service], Botnet and denial of service<br />
<br />
== See Also ==<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet Alternative Technologies for Ethernet], Alternative Technologies for Ethernet<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Phishing Phishing], Phishing<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Internet_Control_Message_Protocol Internet Control Message Protocol], IMCP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Denial_Of_Service_Attacks Denial of Service Attacks] DNS Attacks<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Cryptography_in_Information_Security Cryptography], Cryptography<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Proxy Proxy Servers], Proxy Server<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Network_firewall Network Firewall], Network Firewall<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Malware Malwares], Malwares<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Peer_To_Peer_Network_Security Peer to Peer Network Security], Peer to Peer Network Security<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Simple_Mail_Transfer_Protocol Simple Mail Transfer Protocol], SMTP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Email_Security Email Security], Email Security<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service Facebook Botnet risk Revealed],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service Sun Grid hit by a network attack], Denial of service at Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service DoS may shut down the Internet],DoS can shut down the internet<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service A million zombies threaten US national security], A million zombies threaten US national security<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 10:46, 11 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-12T02:46:53Z<p>Rosard: </p>
<hr />
<div>Each phase our world, has its healthiness’ such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealth has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. This vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Back doors, under a common command-and-control(C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behave like “worm” processes, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then, they connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from the infected user PC, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers; however an exponential number of Bots integrating a Botnet can be way more catastrophic turn of events.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines (infected PC’s) are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
<br />
=== Life cycle of a Botnet ===<br />
* Initial setup of configuration settings of the Bot parameters such as infection vectors, payload, stealth, C&C details<br />
* Register a dynamic DNS (DDNS)<br />
* Register a static IP<br />
* Bot Herder infect PC's with the Bot(s)<br />
** Bot propagates the infection according to the configuration settings<br />
** Bot scans for vulnerabilities that it may encounter<br />
** Idle<br />
** Performs actions received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The owner of an infected PC with a Bot realizes the PC is a zombie so it kills the Bot.<br />
*** The chain of command may be compromised above the level.<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privacy privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague? On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “Proxys” though where the IRC commands will be sent, or though a series of "hops". These layers make the crackers hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the Bot client modules is usually set to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, Bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, Bots needed to be able to operate as the channel operator. This turn of events lead the Bots apps to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to the users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 Symantec released an internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active Bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active Bot network computers. They also discovered that many bots were not usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, McAfee was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) Bot related. The national telecommunication company reported the following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; a small Botnet of 10,000 Bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into pod casts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the FBI.<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", Vint Cerf, has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending spam and spy ware and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks: Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
===Phishing===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the Phisher sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of users today still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whomever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as key loggers to record key strokes or even Screen Loggers to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not Phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are others distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
The detection of Bots is a really difficult task. The big variety of the malicious code for these kind of application really makes its detection challenging. There are some tools that have been used against this threat, some in open source, and other for commercial purposes. Unfortunately, none of them have been sufficiently generic to detect all varieties of the most common Bots. In the mean time we should use some techniques and tools to detect and/or prevent the infection.<br />
<br />
=== Some sings of infection by Bots ===<br />
* High invisible to visible user ratio<br />
* High user to channel ratio<br />
* Server display name doesn't match IP Address<br />
* Suspicious nicks, topics and channel names<br />
* Suspicious DNS name used to find server(s)<br />
* Suspicious ARR(s) associated with DNS name<br />
* Connected hosts exhibiting suspicious behavior<br />
* TCP port 6667 open when an IRC client is not running<br />
* IRC port 113 usually suggests bots. This port has being mainly used to be a data port from the Bot to the Bot Herder.<br />
<br />
=== What can I do to fight in the Botnet War!!! ===<br />
Monitoring the network traffic, at the first instance, can look useless although, it can be a key and effective action when executed with efficiency. For example, by knowing the ports that are most used for the Bot Herder's communication with the Bots, we can modify the flow of data though these ports or maybe even verify if they are open when they should be closed, for example.<br />
<br><br />
A way to make this monitoring more reliable is the integration of these functions to a "logging" analysis of host(s). A really good open source Sniffer is the TCPDump ([[www.tcpump.org| TCPDump]]). This application makes the capture of packets possible in a whole network, or even from only one individual host though a specific port by using a filtering option. This is really important, because a lot of Sniffers capture "noise packets" from other hosts which implies in a harder analysis.<br />
<br><br />
With this power, from the moment that we determine a host which could be used as a zombie computer in a Botnet, we use the following command to capture it's traffic, for example, from coming from it's port 6667 (common port for communication with Bot Herders):<br />
* # tcpdump –X –s 1500 host 192.168.1.1 and tcp port 6667<br />
By reaching the conclusion of infection though the packets analysis, it is possible to detect which type of C&C is being used to the communication between the Bot Client and Bot Herder and even, deactivate the Botnet by deactivating the communication channel.<br />
One of the biggest weaknesses from a Botnet is that, due to its inheritance of the C&C structure, once the higher level Bots are compromised, the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
<br />
=== Norton Anti-Bot ===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. Unfortunately, its design only takes action if the Bot software actually does something, if not, Norton will simply leave it alone in its idle mode. Since its commercial software, there are the benefits such as assistance and update patches as new Bots definitions are found.<br />
<br />
== References ==<br />
* Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
or ISBN-13: 978-1-59749-135-8<br />
* [http://pt.wikipedia.org/wiki/Botnet Botnet], Botnets (portuguese version)<br />
* [http://en.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://en.wikipedia.org/wiki/Phishing Phishing], Phishing<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own Botnet with a open source software] Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm Botnet attacks: Denial of Service], Botnet and denial of service<br />
<br />
== See Also ==<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet Alternative Technologies for Ethernet], Alternative Technologies for Ethernet<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Phishing Phishing], Phishing<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Internet_Control_Message_Protocol Internet Control Message Protocol], IMCP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Denial_Of_Service_Attacks Denial of Service Attacks] DNS Attacks<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Cryptography_in_Information_Security Cryptography], Cryptography<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Proxy Proxy Servers], Proxy Server<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Network_firewall Network Firewall], Network Firewall<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Malware Malwares], Malwares<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Peer_To_Peer_Network_Security Peer to Peer Network Security], Peer to Peer Network Security<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Simple_Mail_Transfer_Protocol Simple Mail Transfer Protocol], SMTP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Email_Security Email Security], Email Security<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service Facebook Botnet risk Revealed],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service Sun Grid hit by a network attack], Denial of service at Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service DoS may shut down the Internet],DoS can shut down the internet<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service A million zombies threaten US national security], A million zombies threaten US national security<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 10:46, 11 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-12T02:20:31Z<p>Rosard: </p>
<hr />
<div>Each phase our world, had it's wealthiness such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealthiness has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. And this vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Back doors, under a common command-and-control(C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behaves like a “worm” process, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then they connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from users, or also, to integrate these Bot clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers, however an exponential number of Bots integrating a Botnet can be way more catastrophic.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
<br />
=== Life cycle of a Botnet ===<br />
* Initial setup of configuration settings of the Bot parameters such as infection vectors, payload, stealth, C&C details<br />
* Register a dynamic DNS (DDNS)<br />
* Register a static IP<br />
* Bot Herder infect PC's with the Bot(s)<br />
** Bot propagates the infection according to the configuration settings<br />
** Bot scans for vulnerabilities that it may encounter<br />
** Idle<br />
** Performs actions received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The owner of an infected PC with a Bot realizes the PC is a zombie so it kills the Bot.<br />
*** The chain of command may be compromised above the level.<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague?. On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “Proxys” though where the IRC commands will be sent, or though a series of "hops". This layers make the crackers hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the bot client modules is usually set to to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, bots needed to be able to operate as the channel operator. This lead the bots to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How Big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 Symantec released a internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active bot network computers. They also discovered that many bots were not<br />
usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, McAfee was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) bot related. The national telecommunication company reported the<br />
following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; A small Botnet of 10,000 bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into podcasts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the FBI.<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", Vint Cerf, has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending spam and spyware and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks:Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
===Phishing===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the phisher sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of users today still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whoever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as keyloggers to record key strokes or even Screen Loggers to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are others distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
The detection of Bots is a really difficult task. The big variety of the malicious code for these kind of application really makes it's detection challenging. There are some tools that have been used against this threat, some in open source, other for commercial purposes. Unfortunately, none of them have been sufficiently generic to detect all varieties of the most common Bots. In the mean time we should use some techniques and tools to detect and/or prevent the infection.<br />
<br />
=== Some sings of infection by Bots ===<br />
* High invisible to visible user ratio<br />
* High user to channel ratio<br />
* Server display name doesn't match IP Address<br />
* Suspicious nicks, topics and channel names<br />
* Suspicious DNS name used to find server(s)<br />
* Suspicious ARR(s) associated with DNS name<br />
* Connected hosts exhibiting suspicious behavior<br />
* TCP port 6667 open when an IRC client is not running<br />
* IRC port 113 usually suggests bots. This port has being mainly used to be a data port from the Bot to the Bot Herder.<br />
<br />
=== What can I do? Let's go to the Botnet War!!! ===<br />
Monitoring the network traffic, at the first instance, can look useless. Although, it can be a key and effective action when executed with efficiency. For example, by knowing the ports that are most used for the Bot Herder's communication with the Bots we can modify the flow of data though these ports or maybe even verify if they are open when they should be closed, for example.<br />
<br><br />
A way to make this monitoring more reliable is the integration of these functions to a "logging" analysis of host(s). A really good open source sniffer is the tcpdump ([www.tcpump.org]). This application makes the capture of packets possible in a whole network, or even from only one individual host though a specific port by using a filtering option. This is really important, because a lot of sniffers capture "noise packets" from other hosts which implies in a harder analysis.<br />
<br><br />
With this power, from the moment that we determine a host which could be used as a zombie computer in a Botnet, we use the following command to capture it's traffic, for example, from coming from it's port 6667 (common port for communication with Bot Herders):<br />
* # tcpdump –X –s 1500 host 192.168.1.1 and tcp port 6667<br />
By reaching the conclusion of infection though the packets analysis, it is possible to detect which type of C&C is being used to the communication between the Bot Client and Bot Herder and even, deactivate the Botnet by deactivating the communication channel.<br />
One of it's biggest weakness is that due to it's inheritance of the C&C structure, once the higher level bots are compromised, the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
<br />
=== Norton Anti-Bot ===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. Unfortunately, its design only takes action if the Bot software actually does something, if not, Norton will simply leave it alone in it's iddle mode. Since it's a commercial software, it has the benefits such as assistance and update patches as new Bot definitions are found.<br />
<br />
== References ==<br />
* Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
or ISBN-13: 978-1-59749-135-8<br />
* [http://pt.wikipedia.org/wiki/Botnet Botnet], Botnets (portuguese version)<br />
* [http://en.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://en.wikipedia.org/wiki/Phishing Phishing], Phishing<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own Botnet with a open source software] Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm Botnet attacks: Denial of Service], Botnet and denial of service<br />
<br />
== See Also ==<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet Alternative Technologies for Ethernet], Alternative Technologies for Ethernet<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Phishing Phishing], Phishing<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Internet_Control_Message_Protocol Internet Control Message Protocol], IMCP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Denial_Of_Service_Attacks Denial of Service Attacks] DNS Attacks<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Cryptography_in_Information_Security Cryptography], Cryptography<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Proxy Proxy Servers], Proxy Server<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Network_firewall Network Firewall], Network Firewall<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Malware Malwares], Malwares<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Peer_To_Peer_Network_Security Peer to Peer Network Security], Peer to Peer Network Security<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Simple_Mail_Transfer_Protocol Simple Mail Transfer Protocol], SMTP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Email_Security Email Security], Email Security<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service Facebook Botnet risk Revealed],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service Sun Grid hit by a network attack], Denial of service at Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service DoS may shut down the Internet],DoS can shut down the internet<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service A million zombies threaten US national security], A million zombies threaten US national security<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 16:00, 11 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-12T01:41:18Z<p>Rosard: </p>
<hr />
<div>Each phase our world, had it's wealthiness such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealthiness has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. And this vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Back doors, under a common command-and-control(C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behaves like a “worm” process, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then they connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from users, or also, to integrate these Bot clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers, however an exponential number of Bots integrating a Botnet can be way more catastrophic.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
<br />
=== Life cycle of a Botnet ===<br />
* Initial setup of configuration settings of the Bot parameters such as infection vectors, payload, stealth, C&C details<br />
* Register a dynamic DNS (DDNS)<br />
* Register a static IP<br />
* Bot Herder infect PC's with the Bot(s)<br />
** Bot propagates the infection according to the configuration settings<br />
** Bot scans for vulnerabilities that it may encounter<br />
** Idle<br />
** Performs actions received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The owner of an infected PC with a Bot realizes the PC is a zombie so it kills the Bot.<br />
*** The chain of command may be compromised above the level.<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague?. On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “Proxys” though where the IRC commands will be sent, or though a series of "hops". This layers make the crackers hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the bot client modules is usually set to to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, bots needed to be able to operate as the channel operator. This lead the bots to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How Big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 Symantec released a internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active bot network computers. They also discovered that many bots were not<br />
usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, McAfee was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) bot related. The national telecommunication company reported the<br />
following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; A small Botnet of 10,000 bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into podcasts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the FBI.<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", Vint Cerf, has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending spam and spyware and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks:Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
===Phishing===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the phisher sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of users today still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whoever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as keyloggers to record key strokes or even Screen Loggers to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are others distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
The detection of Bots is a really difficult task. The big variety of the malicious code for these kind of application really makes it's detection challenging. There are some tools that have been used against this threat, some in open source, other for commercial purposes. Unfortunately, none of them have been sufficiently generic to detect all varieties of the most common Bots. In the mean time we should use some techniques and tools to detect and/or prevent the infection.<br />
<br />
=== Some sings of infection by Bots ===<br />
* High invisible to visible user ratio<br />
* High user to channel ratio<br />
* Server display name doesn't match IP Address<br />
* Suspicious nicks, topics and channel names<br />
* Suspicious DNS name used to find server(s)<br />
* Suspicious ARR(s) associated with DNS name<br />
* Connected hosts exhibiting suspicious behavior<br />
* TCP port 6667 open when an IRC client is not running<br />
* IRC port 113 usually suggests bots. This port has being mainly used to be a data port from the Bot to the Bot Herder.<br />
<br><br />
<br />
=== What can I do? Let's go to the Botnet War!!! ===<br />
Monitoring the network traffic, at the first instance, can look useless. Although, it can be a key and effective action when executed with efficiency. For example, by knowing the ports that are most used for the Bot Herder's communication with the Bots we can modify the flow of data though these ports or maybe even verify if they are open when they should be closed, for example.<br />
<br><br />
A way to make this monitoring more reliable is the integration of these functions to a "logging" analysis of host(s). A really good open source sniffer is the tcpdump ([www.tcpump.org]). This application makes the capture of packets possible in a whole network, or even from only one individual host though a specific port by using a filtering option. This is really important, because a lot of sniffers capture "noise packets" from other hosts which implies in a harder analysis.<br />
<br><br />
With this power, from the moment that we determine a host which could be used as a zombie computer in a Botnet, we use the following command to capture it's traffic, for example, from coming from it's port 6667 (common port for communication with Bot Herders):<br />
* # tcpdump –X –s 1500 host 192.168.1.1 and tcp port 6667<br />
By reaching the conclusion of infection though the packets analysis, it is possible to detect which type of C&C is being used to the communication between the Bot Client and Bot Herder and even, deactivate the Botnet by deactivating the communication channel.<br />
One of it's biggest weakness is that due to it's inheritance of the C&C structure, once the higher level bots are compromised, the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
<br />
=== Norton Anti-Bot ===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. Unfortunately, its design only takes action if the Bot software actually does something, if not, Norton will simply leave it alone in it's iddle mode. Since it's a commercial software, it has the benefits such as assistance and update patches as new Bot definitions are found.<br />
<br />
== References ==<br />
* Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
or ISBN-13: 978-1-59749-135-8<br />
* [http://pt.wikipedia.org/wiki/Botnet Botnet], Botnets (portuguese version)<br />
* [http://en.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://en.wikipedia.org/wiki/Phishing Phishing], Phishing<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own Botnet with a open source software] Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm Botnet attacks: Denial of Service], Botnet and denial of service<br />
<br />
== See Also ==<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet Alternative Technologies for Ethernet], Alternative Technologies for Ethernet<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Phishing Phishing], Phishing<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Internet_Control_Message_Protocol Internet Control Message Protocol], IMCP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Denial_Of_Service_Attacks Denial of Service Attacks] DNS Attacks<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Cryptography_in_Information_Security Cryptography], Cryptography<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Proxy Proxy Servers], Proxy Server<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Network_firewall Network Firewall], Network Firewall<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Malware Malwares], Malwares<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Peer_To_Peer_Network_Security Peer to Peer Network Security], Peer to Peer Network Security<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Simple_Mail_Transfer_Protocol Simple Mail Transfer Protocol], SMTP<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Email_Security Email Security], Email Security<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service Facebook Botnet risk Revealed],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service Sun Grid hit by a network attack], Denial of service at Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service DoS may shut down the Internet],DoS can shut down the internet<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service A million zombies threaten US national security], A million zombies threaten US national security<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 16:00, 11 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-12T01:12:43Z<p>Rosard: </p>
<hr />
<div>Each phase our world, had it's wealthiness such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealthiness has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. And this vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Back doors, under a common command-and-control(C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behaves like a “worm” process, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then they connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from users, or also, to integrate these Bot clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers, however an exponential number of Bots integrating a Botnet can be way more catastrophic.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
<br />
=== Life cycle of a Botnet ===<br />
* Initial setup of configuration settings of the Bot parameters such as infection vectors, payload, stealth, C&C details<br />
* Register a dynamic DNS (DDNS)<br />
* Register a static IP<br />
* Bot Herder infect PC's with the Bot(s)<br />
** Bot propagates the infection according to the configuration settings<br />
** Bot scans for vulnerabilities that it may encounter<br />
** Idle<br />
** Performs actions received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The owner of an infected PC with a Bot realizes the PC is a zombie so it kills the Bot.<br />
*** The chain of command may be compromised above the level.<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague?. On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “Proxys” though where the IRC commands will be sent, or though a series of "hops". This layers make the crackers hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the bot client modules is usually set to to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, bots needed to be able to operate as the channel operator. This lead the bots to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How Big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 Symantec released a internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active bot network computers. They also discovered that many bots were not<br />
usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, McAfee was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) bot related. The national telecommunication company reported the<br />
following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; A small Botnet of 10,000 bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into podcasts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the FBI.<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", Vint Cerf, has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending spam and spyware and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks:Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
===Phishing===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the phisher sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of users today still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whoever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as keyloggers to record key strokes or even Screen Loggers to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are others distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
The detection of Bots is a really difficult task. The big variety of the malicious code for these kind of application really makes it's detection challenging. There are some tools that have been used against this threat, some in open source, other for commercial purposes. Unfortunately, none of them have been sufficiently generic to detect all varieties of the most common Bots. In the mean time we should use some techniques and tools to detect and/or prevent the infection.<br />
<br />
=== Some sings of infection by Bots ===<br />
* High invisible to visible user ratio<br />
* High user to channel ratio<br />
* Server display name doesn't match IP Address<br />
* Suspicious nicks, topics and channel names<br />
* Suspicious DNS name used to find server(s)<br />
* Suspicious ARR(s) associated with DNS name<br />
* Connected hosts exhibiting suspicious behavior<br />
* TCP port 6667 open when an IRC client is not running<br />
* IRC port 113 usually suggests bots. This port has being mainly used to be a data port from the Bot to the Bot Herder.<br />
<br><br />
<br />
=== What can I do? Let's go to the Botnet War!!! ===<br />
Monitoring the network traffic, at the first instance, can look useless. Although, it can be a key and effective action when executed with efficiency. For example, by knowing the ports that are most used for the Bot Herder's communication with the Bots we can modify the flow of data though these ports or maybe even verify if they are open when they should be closed, for example.<br />
<br><br />
A way to make this monitoring more reliable is the integration of these functions to a "logging" analysis of host(s). A really good open source sniffer is the tcpdump ([www.tcpump.org]). This application makes the capture of packets possible in a whole network, or even from only one individual host though a specific port by using a filtering option. This is really important, because a lot of sniffers capture "noise packets" from other hosts which implies in a harder analysis.<br />
<br><br />
With this power, from the moment that we determine a host which could be used as a zombie computer in a Botnet, we use the following command to capture it's traffic, for example, from coming from it's port 6667 (common port for communication with Bot Herders):<br />
* # tcpdump –X –s 1500 host 192.168.1.1 and tcp port 6667<br />
By reaching the conclusion of infection though the packets analysis, it is possible to detect which type of C&C is being used to the communication between the Bot Client and Bot Herder and even, deactivate the Botnet by deactivating the communication channel.<br />
One of it's biggest weakness is that due to it's inheritance of the C&C structure, once the higher level bots are compromised, the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
<br />
=== Norton Anti-Bot ===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. Unfortunetelly, its design only takes action if the Bot software actually does something, if not, Norton will simply leave it alone in it's iddle mode. Since it's a commercial software, it has the benefits such as assistance and update patches as new Bot definitions are found.<br />
<br />
== References ==<br />
Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
or ISBN-13: 978-1-59749-135-8<br />
<br><br />
[http://en.wikipedia.org/wiki/Botnet "Botnet"]<br><br />
<br />
== See Also ==<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet "Alternative Technologies for Ethernet"]<br><br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Phishing Phishing]<br><br />
* [http://en.wikipedia.org/wiki/Phishing Phishing]<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service Facebook Botnet risk Revealed],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service Sun Grid hit by a network attack], Denial of service at Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service DoS may shut down the Internet],DoS can shut down the internet<br />
* [http://pt.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://en.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own Botnet with a open source software] Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm Botnet attacks: Denial of Service], Botnet and denial of service<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service A million zombies threaten US national security], A million zombies threaten US national security<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 16:00, 11 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-11T21:30:11Z<p>Rosard: </p>
<hr />
<div>Each phase our world, had it's wealthiness such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealthiness has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. And this vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Back doors, under a common command-and-control(C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behaves like a “worm” process, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then they connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from users, or also, to integrate these Bot clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers, however an exponential number of Bots integrating a Botnet can be way more catastrophic.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
<br />
=== Life cycle of a Botnet ===<br />
<br />
* Initial setup of configuration settings of the Bot<br />
* Register a Dynamic DNS<br />
* Infect a PC with a Bot<br />
** Bot propagates according to the configuration settings<br />
** Scans for vulnerabilities<br />
** Idle<br />
** Performs actions as received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The bot's owner's PC realizes the PC is a zombie, kills the bot.<br />
*** The chain of command may be compromised above the level.<br />
<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague?. On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “Proxys” though where the IRC commands will be sent, or though a series of "hops". This layers make the crackers hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the bot client modules is usually set to to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, bots needed to be able to operate as the channel operator. This lead the bots to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How Big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 Symantec released a internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active bot network computers. They also discovered that many bots were not<br />
usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, McAfee was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) bot related. The national telecommunication company reported the<br />
following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; A small Botnet of 10,000 bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into podcasts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the FBI.<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", Vint Cerf, has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending spam and spyware and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks:Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
===Phishing===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the phisher sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of users today still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whoever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as keyloggers to record key strokes or even Screen Loggers to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are other's distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
The biggest weak point known is that due to it's inheritance of the C&C structure, once the higher level bots are compromised, the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
<br />
=== Some Signals of Bots running ===<br />
* High invisible to visible user ratio<br />
* High user to channel ratio<br />
* Server display name doedn't match IP Address<br />
* Suspicious nicks, topics and channel names<br />
* Suspicious DNS name used to find server(s)<br />
* Suspicious ARR(s) associated with DNS name<br />
* Connected hosts exhibiting suspicious behavior<br />
* TCP port 6667 open when an IRC client is not running<br />
* IRC port 113 usually suggests bots. This port has being mainly used to be a data port from the Bot to the Bot Herder.<br />
<br><br />
<br />
===General Tips===<br />
Use common malware prevention techniques. On Windows XP this includes monitoring the process manager and registry for unknown applications. <br />
<br><br />
A better user could also monitor network traffic and see what ports are in use. <br />
<br />
===Norton Anti-Bot===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|<br />
'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. It is behavioral based, versus the usual signature based. What this means is unless the bot software actually does something, Norton will leave it alone. It has all the benefits of a commercial software, meaning it will be updated constantly as new bot definitions are found.<br />
<br />
== References ==<br />
Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
or ISBN-13: 978-1-59749-135-8<br />
<br><br />
[http://en.wikipedia.org/wiki/Botnet "Botnet"]<br><br />
<br />
== See Also ==<br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet "Alternative Technologies for Ethernet"]<br><br />
* [http://www.cas.mcmaster.ca/wiki/index.php/Phishing Phishing]<br><br />
* [http://en.wikipedia.org/wiki/Phishing Phishing]<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service Facebook Botnet risk Revealed],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service Sun Grid hit by a network attack], Denial of service at Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service DoS may shut down the Internet],DoS can shut down the internet<br />
* [http://pt.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://en.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own Botnet with a open source software] Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm Botnet attacks: Denial of Service], Botnet and denial of service<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service A million zombies threaten US national security], A million zombies threaten US national security<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 16:00, 11 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-11T20:24:35Z<p>Rosard: </p>
<hr />
<div>Each phase our world, had it's wealthiness such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealthiness has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. And this vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Back doors, under a common command-and-control(C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behaves like a “worm” process, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then they connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from users, or also, to integrate these Bot clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers, however an exponential number of Bots integrating a Botnet can be way more catastrophic.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
<br />
=== Life cycle of a Botnet ===<br />
<br />
* Initial setup of configuration settings of the Bot<br />
* Register a Dynamic DNS<br />
* Infect a PC with a Bot<br />
** Bot propagates according to the configuration settings<br />
** Scans for vulnerabilities<br />
** Idle<br />
** Performs actions as received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The bot's owner's PC realizes the PC is a zombie, kills the bot.<br />
*** The chain of command may be compromised above the level.<br />
<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague?. On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “Proxys” though where the IRC commands will be sent, or though a series of "hops". This layers make the crackers hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the bot client modules is usually set to to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, bots needed to be able to operate as the channel operator. This lead the bots to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How Big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 Symantec released a internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active bot network computers. They also discovered that many bots were not<br />
usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, McAfee was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) bot related. The national telecommunication company reported the<br />
following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; A small Botnet of 10,000 bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into podcasts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the FBI.<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", Vint Cerf, has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending spam and spyware and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks:Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
===Phishing===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the phisher sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of users today still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whoever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as keyloggers to record key strokes or even Screen Loggers to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are other's distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
A weak point is that due to it's inheritance of the C&C structure, once the higher level bots are compromised the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
<br />
===Norton Anti-Bot===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|<br />
'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. It is behavioral based, versus the usual signature based. What this means is unless the bot software actually does something, Norton will leave it alone. It has all the benefits of a commercial software, meaning it will be updated constantly as new bot definitions are found.<br />
===General Tips===<br />
Use common malware prevention techniques. On Windows XP this includes monitoring the process manager and registry for unknown applications. <br><br />
<br />
A better user could also monitor network traffic and see what ports are in use. A good indication is TCP port 6667 open when an IRC client is not running.<br />
<br />
== References ==<br />
Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
ISBN-13: 978-1-59749-135-8<br />
<br><br />
[http://en.wikipedia.org/wiki/Botnet "Botnet"]<br><br />
<br />
== See Also ==<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet "Alternative Technologies for Ethernet"]<br><br />
[http://www.cas.mcmaster.ca/wiki/index.php/Phishing "Phishing"]<br><br />
[[http://en.wikipedia.org/wiki/Phishing]]<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service Facebook Botnet risk Revealed],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service Sun Grid hit by a network attack], Denial of service at Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service DoS may shut down the Internet],DoS can shut down the internet<br />
* [http://pt.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://en.wikipedia.org/wiki/Botnet Botnet], Botnets<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own Botnet with a open source software] Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm Botnet attacks: Denial of Service], Botnet and denial of service<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service A million zombies threaten US national security], A million zombies threaten US national security<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Multi-agent systems]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 16:00, 11 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-11T20:18:28Z<p>Rosard: </p>
<hr />
<div>Each phase our world, had it's wealthiness such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealthiness has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. And this vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Back doors, under a common command-and-control(C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behaves like a “worm” process, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then they connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from users, or also, to integrate these Bot clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers, however an exponential number of Bots integrating a Botnet can be way more catastrophic.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
<br />
=== Life cycle of a Botnet ===<br />
<br />
* Initial setup of configuration settings of the Bot<br />
* Register a Dynamic DNS<br />
* Infect a PC with a Bot<br />
** Bot propagates according to the configuration settings<br />
** Scans for vulnerabilities<br />
** Idle<br />
** Performs actions as received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The bot's owner's PC realizes the PC is a zombie, kills the bot.<br />
*** The chain of command may be compromised above the level.<br />
<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague?. On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “Proxys” though where the IRC commands will be sent, or though a series of "hops". This layers make the crackers hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the bot client modules is usually set to to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, bots needed to be able to operate as the channel operator. This lead the bots to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How Big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 Symantec released a internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active bot network computers. They also discovered that many bots were not<br />
usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, McAfee was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) bot related. The national telecommunication company reported the<br />
following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; A small Botnet of 10,000 bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into podcasts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the FBI.<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", Vint Cerf, has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending spam and spyware and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks:Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
===Phishing===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the phisher sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of users today still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whoever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as keyloggers to record key strokes or even Screen Loggers to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are other's distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
A weak point is that due to it's inheritance of the C&C structure, once the higher level bots are compromised the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
<br />
===Norton Anti-Bot===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|<br />
'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. It is behavioral based, versus the usual signature based. What this means is unless the bot software actually does something, Norton will leave it alone. It has all the benefits of a commercial software, meaning it will be updated constantly as new bot definitions are found.<br />
===General Tips===<br />
Use common malware prevention techniques. On Windows XP this includes monitoring the process manager and registry for unknown applications. <br><br />
<br />
A better user could also monitor network traffic and see what ports are in use. A good indication is TCP port 6667 open when an IRC client is not running.<br />
<br />
== References ==<br />
Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
ISBN-13: 978-1-59749-135-8<br />
<br><br />
[http://en.wikipedia.org/wiki/Botnet "Botnet"]<br><br />
<br />
== See Also ==<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet "Alternative Technologies for Ethernet"]<br><br />
[http://www.cas.mcmaster.ca/wiki/index.php/Phishing "Phishing"]<br><br />
[[http://en.wikipedia.org/wiki/Phishing]]<br />
<br />
== External Links ==<br />
* [http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1|"Norton AntiBot"], Norton Anti-Bot<br />
* [http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"],Dutch Botnet Suspects Ran 1.5 Million Machines<br />
* [http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service],Facebook risk application<br />
* [http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service], Denial of service of Sun Grid<br />
* [http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service],DoS can shut down the internet<br />
* [http://pt.wikipedia.org/wiki/Botnet]|Botnets<br />
* [http://en.wikipedia.org/wiki/Botnet]|Botnets<br />
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software],Build your own Botnet<br />
* [http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm|Attacks], Botnet and denial of service<br />
* [http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service], A million zombies threaten US national security]<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Multi-agent systems]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
<br><br />
--[[User:Rosard|Rosard]] 16:00, 11 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-11T20:11:11Z<p>Rosard: </p>
<hr />
<div>Each phase our world, had it's wealthiness such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealthiness has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. And this vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Back doors, under a common command-and-control(C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behaves like a “worm” process, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then they connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from users, or also, to integrate these Bot clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers, however an exponential number of Bots integrating a Botnet can be way more catastrophic.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
<br />
=== Life cycle of a Botnet ===<br />
<br />
* Initial setup of configuration settings of the Bot<br />
* Register a Dynamic DNS<br />
* Infect a PC with a Bot<br />
** Bot propagates according to the configuration settings<br />
** Scans for vulnerabilities<br />
** Idle<br />
** Performs actions as received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The bot's owner's PC realizes the PC is a zombie, kills the bot.<br />
*** The chain of command may be compromised above the level.<br />
<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague?. On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “Proxys” though where the IRC commands will be sent, or though a series of "hops". This layers make the crackers hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the bot client modules is usually set to to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, bots needed to be able to operate as the channel operator. This lead the bots to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
== How Big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 Symantec released a internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active bot network computers. They also discovered that many bots were not<br />
usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, McAfee was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) bot related. The national telecommunication company reported the<br />
following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; A small Botnet of 10,000 bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into podcasts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the FBI.<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", Vint Cerf, has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending spam and spyware and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks:Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
===Phishing===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the phisher sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of users today still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application which is a copyright crime of the software and a theft of whoever user bought the original key.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as keyloggers to record key strokes or even Screen Loggers to view the infected PC's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are other's distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
A weak point is that due to it's inheritance of the C&C structure, once the higher level bots are compromised the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
<br />
===Norton Anti-Bot===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|<br />
'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. It is behavioral based, versus the usual signature based. What this means is unless the bot software actually does something, Norton will leave it alone. It has all the benefits of a commercial software, meaning it will be updated constantly as new bot definitions are found.<br />
===General Tips===<br />
Use common malware prevention techniques. On Windows XP this includes monitoring the process manager and registry for unknown applications. <br><br />
<br />
A better user could also monitor network traffic and see what ports are in use. A good indication is TCP port 6667 open when an IRC client is not running.<br />
<br />
== References ==<br />
Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. (2007) Botnet, the killer app, Syngress, ISBN-10: 1-59749-135-7<br />
ISBN-13: 978-1-59749-135-8<br />
<br><br />
[http://en.wikipedia.org/wiki/Botnet "Botnet"]<br><br />
<br />
== See Also ==<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet "Alternative Technologies for Ethernet"]<br><br />
[http://www.cas.mcmaster.ca/wiki/index.php/Phishing "Phishing"]<br><br />
[[http://en.wikipedia.org/wiki/Phishing]]<br />
<br />
== External Links ==<br />
[[http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1|"Norton AntiBot"]] <br><br />
[[http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"|Dutch Botnet Suspects Ran 1.5 Million Machines]] <br> <br><br />
[[http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service|Facebook risk application]]<br />
[[http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service|Denial of service of Sun Grid]]<br />
[[http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service|DoS can shut down the internet]]<br />
[[http://pt.wikipedia.org/wiki/Botnet|Botnets]]<br />
[[http://en.wikipedia.org/wiki/Botnet|Botnets]]<br />
[[http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software|Build your own Botnet]]<br />
[[http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm|Attacks, Botnet and denial of service]]<br />
[[http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service|A million zombies threaten US national security]]<br />
<br />
[[Category:Computer network security]]<br />
[[Category:Spamming]]<br />
[[Category:Multi-agent systems]]<br />
[[Category:Botnets]]<br />
<br />
<br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)<br />
--[[User:Rosard|Rosard]] 16:00, 11 April 2009 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-11T19:44:43Z<p>Rosard: </p>
<hr />
<div>Each phase our world, had it's wealthiness such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealthiness has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. And this vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Back doors, under a common command-and-control(C&C) infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behaves like a “worm” process, capable of spreading though the infected machine. The Bot camouflages itself, maintaining a low profile (using the least system resources for example before ordered to attack) and only then they connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker (Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from users, or also, to integrate these Bot clients to a much greater threat and risk, such as a Botnet. An individual Bot by itself has a few powers, however an exponential number of Bots integrating a Botnet can be way more catastrophic.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines are used in a network to create a more powerful and sophisticated invasion technique then the one's knew before.<br />
<br><br />
Each Bot that can distribute orders and commands from the Bot Herder to others PC's that come in contact in a certain way with this PC. This leads to the exponentially grow characteristic of Botnets.<br />
<br><br />
<br />
=== Life cycle of a Botnet ===<br />
<br />
* Initial setup of configuration settings of the Bot<br />
* Register a Dynamic DNS<br />
* Infect a PC with a Bot<br />
** Bot propagates according to the configuration settings<br />
** Scans for vulnerabilities<br />
** Idle<br />
** Performs actions as received by other Bots above it in the chain of command<br />
** Bot dies:<br />
*** Bot may be taken over by another Botnet<br />
*** The bot's owner's PC realizes the PC is a zombie, kills the bot.<br />
*** The chain of command may be compromised above the level.<br />
<br><br />
<br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privilege. What have been Botnets being used for? Is the whole concept of Botnet Evil? What measurements are being taken to control this terrible plague?. On the following sections, this article will discuss how has this threat being used and ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of a computer network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “Proxys” though where the IRC commands will be sent, or though a series of "hops". This layers make the crackers hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the bot client modules is usually set to to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, bots needed to be able to operate as the channel operator. This lead the bots to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br />
== How Big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 Symantec released a internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active bot network computers. They also discovered that many bots were not<br />
usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, McAfee was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) bot related. The national telecommunication company reported the<br />
following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; A small Botnet of 10,000 bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into podcasts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the FBI.<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", Vint Cerf, has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending spam and spyware and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks:Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. <br />
<br><br />
On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
===Phishing===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the phisher sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of users today still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as keyloggers to record key strokes or even ScreenLoggers to view the infected pc's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are other's distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== How to Fight Botnets ==<br />
A weak point is that due to it's inheritance of the C&C structure, once the higher level bots are compromised the effectiveness of the Botnet can be severally reduced. If the main Bot Herder server is taken down, the entire Botnet fails.<br />
<br><br />
<br />
<br />
http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service<br />
<br><br />
http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service<br />
<br><br />
http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service<br />
<br><br />
http://pt.wikipedia.org/wiki/Botnet<br />
<br><br />
http://en.wikipedia.org/wiki/Botnet<br />
<br><br />
http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software<br />
<br><br />
http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm<br />
<br><br />
http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service<br />
<br><br />
http://en.wikipedia.org/wiki/Phishing<br />
<br><br />
<br />
===Norton Anti-Bot===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|<br />
'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. It is behavioral based, versus the usual signature based. What this means is unless the bot software actually does something, Norton will leave it alone. It has all the benefits of a commercial software, meaning it will be updated constantly as new bot definitions are found.<br />
===General Tips===<br />
Use common malware prevention techniques. On Windows XP this includes monitoring the process manager and registry for unknown applications. <br><br />
<br />
A better user could also monitor network traffic and see what ports are in use. A good indication is TCP port 6667 open when an IRC client is not running.<br />
== References ==<br />
[http://en.wikipedia.org/wiki/Botnet "Botnet"]<br><br />
== See Also ==<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet "Alternative Technologies for Ethernet"]<br><br />
[http://www.cas.mcmaster.ca/wiki/index.php/Phishing "Phishing"]<br><br />
<br />
== External Links ==<br />
[http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"] <br><br />
[http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"] <br> <br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-11T19:05:30Z<p>Rosard: </p>
<hr />
<div>Each phase our world, had it's wealthiness such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealthiness has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. And this vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Back doors, under a common command-and-control infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behaves like a “worm” process, capable of spreading though the infected machine and having the power to connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker(Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from users, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of Bots integrate the zombie machines into a really powerful and sophisticated invasion technique of a mass control of a a network.<br />
<br><br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privilege. What have been Botnets being used for? Is the concept of Botnet Evil? What measurements are being taken to control this terrible plague?. On the following sections, this article will discuss ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of computers of a network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “Proxys” though where the IRC commands will be sent, or though a series of "hops". This layers make the crackers hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the bot client modules is usually set to to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
== History of Botnets ==<br />
Like many things on the Internet today, bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, bots needed to be able to operate as the channel operator. This lead the bots to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table><br />
<br />
== How Big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 Symantec released a internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active bot network computers. They also discovered that many bots were not<br />
usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, McAfee was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) bot related. The national telecommunication company reported the<br />
following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; A small Botnet of 10,000 bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into podcasts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the FBI.<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", Vint Cerf, has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending spam and spyware and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks:Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. <br />
<br><br />
On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>First</td><br />
<td>A Botnet Herder sends out viruses or worms, infecting ordinary users' computers, with the Bot application</td><br />
</tr><br />
<br />
<tr><br />
<td>Second</td><br />
<td>The Bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server)</td><br />
</tr><br />
<br />
<tr><br />
<td>Third</td><br />
<td>A Spammer purchases access to the Botnet from the Bot Herder</td><br />
</tr><br />
<br />
<tr><br />
<td>Fourth</td><br />
<td>The Spammer sends command instructions via the IRC server to the infected PCs</td><br />
</tr><br />
<br />
<tr><br />
<td>Fifth</td><br />
<td>When the commands are acknowledged, the infected zombies machines will send out spam messages to mail servers</td><br />
</tr><br />
<br />
</table><br />
<br />
===Phishing===<br />
This method works like spamming. However, instead of trying to sell a service to the spammers, the phisher sends mass of email trying to look is trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.<br />
<br><br />
<br />
=== Game and software keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of users today still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application.<br />
<br><br />
<br />
=== Id, password and information theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. Bots also are able to work as keyloggers to record key strokes or even ScreenLoggers to view the infected pc's monitor. By stealing an Id and password from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes. Let's not also forget the credit card password and number theft, which can be vastly used to steal user's money (this method is not phishing).<br />
<br><br />
<br />
=== Distributed denial of Service attack (DDoS) ===<br />
The Botnet floods a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his Botnet by taking down the website server, then contacts the website administrator in question and extorts them for money; we can actually think of this by being some sort of "kidnapping".<br />
<br><br />
<br />
=== Scrumping ===<br />
A Bot steals CPU cycles to perform calculations from the host computer. This can be used as a positive means if the Botnet is configured to not automatically propagate into systems that do not want it. The Sun's Grid system is a distributed calculation system for extra-terrestrial life that is done with the user's concern and understanding. There are other's distributed application, but usually they don't have inoffensive purposes like the Grid System.<br />
<br><br />
<br />
== Life cycle of a Botnet ==<br />
<br />
*Initial setup of configuration settings of the bot<br />
*Register a Dynamic DNS<br />
*Infect a PC with a bot<br />
**Bot propagates according to the configuration settings<br />
**Scans for vulnerabilities<br />
**Idle<br />
**Performs actions as received by other bots above it in the chain of command<br />
**Bot dies:<br />
***Bot may be taken over by another botnet<br />
***The bot's owner's PC realizes the PC is a zombie, kills the bot.<br />
***The chain of command may be compromised above the level.<br />
<br />
== How it works ==<br />
A Botnet basically uses a command and control schema, the same as a military. Each bot has a chain of command that is part of. It distributes orders down the line that it receives from up top. This is beneficial in the fact that it can grow exponentially. This is the opposite of the cell schema that some malware uses, which is to split apart and never communicate once they become big enough. <br><br />
<br />
A bot installs itself onto a PC. It has various vectors to enter that PC that the Herder can set. It does this autonomously. It receives orders from a server that tell it what to do. An individual bot by itself is not that powerful. However an exponential number of bots performing the same action has a much more profound effect. <br><br />
<br />
The bot once installed camouflages itself from the system view. It installs a hidden IRC client. It tries to mask itself by maintaining a low profile by using as little system resources as possible until it receives orders. <br><br />
<br />
Due to the inherent weakness of a command and control scheme, once the higher level bots are compromised the effectiveness of the botnet can be severally reduced. If the main server is taken down, the entire botnet fails.<br />
<br />
== Bot Management ==<br />
Bots commonly have hidden removal commands, to completely clean the host computer. On the larger IRC networks such as EFnet channel activity is logged in order to learn the commands, and then automated systems are setup to prevent the owner of the botnet from accessing them and at the same time perform the removal command when a bot comes online to it's control channel.<br />
<br />
== How to Fight Botnets ==<br />
http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service<br />
<br><br />
http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service<br />
<br><br />
http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service<br />
<br><br />
http://pt.wikipedia.org/wiki/Botnet<br />
<br><br />
http://en.wikipedia.org/wiki/Botnet<br />
<br><br />
http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software<br />
<br><br />
http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm<br />
<br><br />
http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service<br />
<br><br />
http://en.wikipedia.org/wiki/Phishing<br />
<br><br />
<br />
===Norton Anti-Bot===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|<br />
'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. It is behavioral based, versus the usual signature based. What this means is unless the bot software actually does something, Norton will leave it alone. It has all the benefits of a commercial software, meaning it will be updated constantly as new bot definitions are found.<br />
===General Tips===<br />
Use common malware prevention techniques. On Windows XP this includes monitoring the process manager and registry for unknown applications. <br><br />
<br />
A better user could also monitor network traffic and see what ports are in use. A good indication is TCP port 6667 open when an IRC client is not running.<br />
== References ==<br />
[http://en.wikipedia.org/wiki/Botnet "Botnet"]<br><br />
== See Also ==<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet "Alternative Technologies for Ethernet"]<br><br />
[http://www.cas.mcmaster.ca/wiki/index.php/Phishing "Phishing"]<br><br />
<br />
== External Links ==<br />
[http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"] <br><br />
[http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"] <br> <br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-11T18:28:43Z<p>Rosard: </p>
<hr />
<div>Each phase our world, had it's wealthiness such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealthiness has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. And this vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Back doors, under a common command-and-control infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behaves like a “worm” process, capable of spreading though the infected machine and having the power to connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker(Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from users, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of Bots integrate the zombie machines into a really powerful and sophisticated invasion technique of a mass control of a a network.<br />
<br><br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privilege. What have been Botnets being used for? Is the concept of Botnet Evil? What measurements are being taken to control this terrible plague?. On the following sections, this article will discuss ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of computers of a network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “Proxys” though where the IRC commands will be sent, or though a series of "hops". This layers make the crackers hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that will be downloaded and executed on the compromised machine.<br />
<br><br />
This all casts doubt on the capability of anti virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the bot client modules is usually set to to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
== History of Botnets ==<br />
Like many things on the Internet today, bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, bots needed to be able to operate as the channel operator. This lead the bots to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table> <br />
<br><br />
<br />
== How Big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 Symantec released a internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active bot network computers. They also discovered that many bots were not<br />
usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, McAfee was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) bot related. The national telecommunication company reported the<br />
following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; A small Botnet of 10,000 bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into podcasts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the FBI.<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the "father of the Internet", Vint Cerf, has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending spam and spyware and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks:Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
<br />
== Types of attacks and profit ==<br />
<br />
=== Spam ===<br />
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer as he can have anonymous distribution of his messages though the Bots on the Botnet. Another advantage is the speed. A spammer will also be able to send incredible amounts of messages via the Bots then he normally could. <br />
<br><br />
On the table bellow, there is the flow of steps to a Botnet use spam to profit:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Steps</th><br />
<th>Action</th><br />
</tr><br />
<br />
<tr><br />
<td>1</td><br />
<td>A botnet operator sends out viruses or worms, infecting ordinary users' computers, whose payload is a malicious application -- the bot.</td><br />
</tr><br />
<br />
<tr><br />
<td>2</td><br />
<td>The bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server).</td><br />
</tr><br />
<br />
<tr><br />
<td>3</td><br />
<td>A spammer purchases access to the botnet from the operator.</td><br />
</tr><br />
<br />
<tr><br />
<td>4</td><br />
<td>The spammer sends instructions via the IRC server to the infected PCs, ...</td><br />
</tr><br />
<br />
<tr><br />
<td>5</td><br />
<td>...causing them to send out spam messages to mail servers.</td><br />
</tr><br />
<br />
</table><br />
<br><br />
<br />
=== Game and Software Keys ===<br />
Game and software keys can cost hundreds and thousands of dollars. Botnets have been working on getting those keys though "brute-force social engineering". A lot of users today still write files like with name "word-key.txt", "photoshop_key.doc", etc. Though files with simple names as such, Bot Herders managed to obtain key from many software application.<br />
<br><br />
<br />
=== Id Theft ===<br />
As the introduction mentioned, information is the most valuable resource of our new century. By stealing an Id from someone in the FBI, military or special service, anyone can obtain resourceful information that can be used, go public on news or maybe even sold for malicious military strategy purposes.<br />
<br><br />
<br />
=== KeyLoggers ===<br />
<br />
<br><br />
===DDoS===<br />
A Distributed denial of Service attack. The bots flood a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his botnet by taking down the website, then he/she contacts the site in question and extorts them for money. <br />
<br><br />
<br />
===Phishing===<br />
Works the same way as the spamming method. However, instead of trying to sell a service such as "P3N15 3NLARGEMENT PILLS" the phisher is trying to con you out of your paypal or bank account.<br />
<br><br />
<br />
===Scrumping===<br />
A bot stealing CPU cycles from the host computer. This can be used as a positive means if the botnet is configured to not automatically propagate into systems that do not want it. This is not commonly the case. This could be done on a school's network.<br />
<br><br />
<br />
== Life cycle of a Botnet ==<br />
*Initial setup of configuration settings of the bot<br />
*Register a Dynamic DNS<br />
*Infect a PC with a bot<br />
**Bot propagates according to the configuration settings<br />
**Scans for vulnerabilities<br />
**Idle<br />
**Performs actions as received by other bots above it in the chain of command<br />
**Bot dies:<br />
***Bot may be taken over by another botnet<br />
***The bot's owner's PC realizes the PC is a zombie, kills the bot.<br />
***The chain of command may be compromised above the level.<br />
<br />
== How it works ==<br />
A Botnet basically uses a command and control schema, the same as a military. Each bot has a chain of command that is part of. It distributes orders down the line that it receives from up top. This is beneficial in the fact that it can grow exponentially. This is the opposite of the cell schema that some malware uses, which is to split apart and never communicate once they become big enough. <br><br />
<br />
A bot installs itself onto a PC. It has various vectors to enter that PC that the Herder can set. It does this autonomously. It receives orders from a server that tell it what to do. An individual bot by itself is not that powerful. However an exponential number of bots performing the same action has a much more profound effect. <br><br />
<br />
The bot once installed camouflages itself from the system view. It installs a hidden IRC client. It tries to mask itself by maintaining a low profile by using as little system resources as possible until it receives orders. <br><br />
<br />
Due to the inherent weakness of a command and control scheme, once the higher level bots are compromised the effectiveness of the botnet can be severally reduced. If the main server is taken down, the entire botnet fails.<br />
<br />
== Bot Management ==<br />
Bots commonly have hidden removal commands, to completely clean the host computer. On the larger IRC networks such as EFnet channel activity is logged in order to learn the commands, and then automated systems are setup to prevent the owner of the botnet from accessing them and at the same time perform the removal command when a bot comes online to it's control channel.<br />
<br />
== How to Fight Botnets ==<br />
http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service<br />
<br><br />
http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service<br />
<br><br />
http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service<br />
<br><br />
http://pt.wikipedia.org/wiki/Botnet<br />
<br><br />
http://en.wikipedia.org/wiki/Botnet<br />
<br><br />
http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software<br />
<br><br />
http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm<br />
<br><br />
http://www.builderau.com.au/news/soa/A-million-zombies-threaten-US-national-security/0,339028227,339278685,00.htm?feed=pt_denial_of_service<br />
<br><br />
===Norton Anti-Bot===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|<br />
'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. It is behavioral based, versus the usual signature based. What this means is unless the bot software actually does something, Norton will leave it alone. It has all the benefits of a commercial software, meaning it will be updated constantly as new bot definitions are found.<br />
===General Tips===<br />
Use common malware prevention techniques. On Windows XP this includes monitoring the process manager and registry for unknown applications. <br><br />
<br />
A better user could also monitor network traffic and see what ports are in use. A good indication is TCP port 6667 open when an IRC client is not running.<br />
== References ==<br />
[http://en.wikipedia.org/wiki/Botnet "Botnet"]<br><br />
== See Also ==<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet "Alternative Technologies for Ethernet"]<br><br />
[http://www.cas.mcmaster.ca/wiki/index.php/Phishing "Phishing"]<br><br />
<br />
== External Links ==<br />
[http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"] <br><br />
[http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"] <br> <br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-11T16:44:55Z<p>Rosard: </p>
<hr />
<div>Each phase our world, had it's wealthiness such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealthiness has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. And this vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Back doors, under a common command-and-control infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behaves like a “worm” process, capable of spreading though the infected machine and having the power to connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker(Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from users, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of Bots integrate the zombie machines into a really powerful and sophisticated invasion technique of a mass control of a a network.<br />
<br><br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privilege. What have been Botnets being used for? Is the concept of Botnet Evil? What measurements are being taken to control this terrible plague?. On the following sections, this article will discuss ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of computers of a network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
<br><br />
Some Botnets add a layer of complexity by using a hidden “Proxys” though where the IRC commands will be sent, or though a series of "hops". This layers make the crackers hide evidences that could lead to the discovery of the Botnet.<br />
<br><br />
A file such as .bat, that execute network commands can be modified to deactivate applications such as anti-virus systems or to kill processes associated to any security application. Other bots execute processes that substitute normal programs files of anti-virus to others that make the program look normal or even modify references to the download of corrupted patches that malicious codes will be download and executed on the compromised machine.<br />
<br><br />
It also casts doubt on the capability of anti virus software to claim that a system is clean when it encounters and cleans one component of a multi-component bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the bot client modules is usually set to to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect defense system.<br />
<br><br />
== History of Botnets ==<br />
Like many things on the Internet today, bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, bots needed to be able to operate as the channel operator. This lead the bots to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table> <br />
<br><br />
<br />
== How Big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 Symantec released a internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active bot network computers. They also discovered that many bots were not<br />
usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, McAfee was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) bot related. The national telecommunication company reported the<br />
following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; A small Botnet of 10,000 bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into podcasts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the FBI.<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the father of the Internet, Vint Cerf, has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending spam and spyware and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks:Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
== Profitable? How?? ==<br />
<br />
== Life cycle of a Botnet ==<br />
*Initial setup of configuration settings of the bot<br />
*Register a Dynamic DNS<br />
*Infect a PC with a bot<br />
**Bot propagates according to the configuration settings<br />
**Scans for vulnerabilities<br />
**Idle<br />
**Performs actions as received by other bots above it in the chain of command<br />
**Bot dies:<br />
***Bot may be taken over by another botnet<br />
***The bot's owner's PC realizes the PC is a zombie, kills the bot.<br />
***The chain of command may be compromised above the level.<br />
<br />
== Types of attacks ==<br />
<br />
===DDoS===<br />
A Distributed denial of Service attack. The bots flood a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his botnet by taking down the website, then he/she contacts the site in question and extorts them for money. <br />
<br />
===Spamming===<br />
A Herder can sell his botnet as a service to a spammer. This is beneficial to the spammer as he can have anonymous distribution of his messages.<br />
<br><br />
Due to the size of some botnets, a spammer will also be able to send much more messages via the bots then he normally could. This is another example of the exponential power of a botnet.<br />
<br />
===Phishing===<br />
Works the same way as the spamming method. However, instead of trying to sell a service such as "P3N15 3NLARGEMENT PILLS" the phisher is trying to con you out of your paypal or bank account.<br />
<br />
===Scrumping===<br />
A bot stealing CPU cycles from the host computer. This can be used as a positive means if the botnet is configured to not automatically propagate into systems that do not want it. This is not commonly the case. This could be done on a school's network.<br />
<br />
== How it works ==<br />
A Botnet basically uses a command and control schema, the same as a military. Each bot has a chain of command that is part of. It distributes orders down the line that it receives from up top. This is beneficial in the fact that it can grow exponentially. This is the opposite of the cell schema that some malware uses, which is to split apart and never communicate once they become big enough. <br><br />
<br />
A bot installs itself onto a PC. It has various vectors to enter that PC that the Herder can set. It does this autonomously. It receives orders from a server that tell it what to do. An individual bot by itself is not that powerful. However an exponential number of bots performing the same action has a much more profound effect. <br><br />
<br />
The bot once installed camouflages itself from the system view. It installs a hidden IRC client. It tries to mask itself by maintaining a low profile by using as little system resources as possible until it receives orders. <br><br />
<br />
Due to the inherent weakness of a command and control scheme, once the higher level bots are compromised the effectiveness of the botnet can be severally reduced. If the main server is taken down, the entire botnet fails.<br />
<br />
== Bot Management ==<br />
Bots commonly have hidden removal commands, to completely clean the host computer. On the larger IRC networks such as EFnet channel activity is logged in order to learn the commands, and then automated systems are setup to prevent the owner of the botnet from accessing them and at the same time perform the removal command when a bot comes online to it's control channel.<br />
<br />
== How to Fight Botnets ==<br />
http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service<br />
<br><br />
http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service<br />
<br><br />
http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service<br />
<br><br />
http://pt.wikipedia.org/wiki/Botnet<br />
<br><br />
http://en.wikipedia.org/wiki/Botnet<br />
<br><br />
http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software<br />
<br><br />
http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm<br />
<br><br />
===Norton Anti-Bot===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|<br />
'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. It is behavioral based, versus the usual signature based. What this means is unless the bot software actually does something, Norton will leave it alone. It has all the benefits of a commercial software, meaning it will be updated constantly as new bot definitions are found.<br />
===General Tips===<br />
Use common malware prevention techniques. On Windows XP this includes monitoring the process manager and registry for unknown applications. <br><br />
<br />
A better user could also monitor network traffic and see what ports are in use. A good indication is TCP port 6667 open when an IRC client is not running.<br />
== References ==<br />
[http://en.wikipedia.org/wiki/Botnet "Botnet"]<br><br />
== See Also ==<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet "Alternative Technologies for Ethernet"]<br><br />
[http://www.cas.mcmaster.ca/wiki/index.php/Phishing "Phishing"]<br><br />
<br />
== External Links ==<br />
[http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"] <br><br />
[http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"] <br> <br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-11T16:26:21Z<p>Rosard: </p>
<hr />
<div>Each phase our world, had it's wealthiness such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealthiness has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. And this vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Back doors, under a common command-and-control infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behaves like a “worm” process, capable of spreading though the infected machine and having the power to connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker(Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from users, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of Bots integrate the zombie machines into a really powerful and sophisticated invasion technique of a mass control of a a network.<br />
<br><br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privilege. What have been Botnets being used for? Is the concept of Botnet Evil? What measurements are being taken to control this terrible plague?. On the following sections, this article will discuss ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of computers of a network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
It also casts doubt on the capability of anti virus software to claim that a system is clean when it encounters and cleans one component of a multi-component bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the bot client modules is usually set to to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect own defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, bots needed to be able to operate as the channel operator. This lead the bots to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table> <br />
<br><br />
<br />
== How Big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 Symantec released a internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active bot network computers. They also discovered that many bots were not<br />
usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, McAfee was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) bot related. The national telecommunication company reported the<br />
following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; A small Botnet of 10,000 bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into podcasts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the FBI.<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the father of the Internet, Vint Cerf, has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending spam and spyware and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks:Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
== Profitable? How?? ==<br />
<br />
== Life cycle of a Botnet ==<br />
*Initial setup of configuration settings of the bot<br />
*Register a Dynamic DNS<br />
*Infect a PC with a bot<br />
**Bot propagates according to the configuration settings<br />
**Scans for vulnerabilities<br />
**Idle<br />
**Performs actions as received by other bots above it in the chain of command<br />
**Bot dies:<br />
***Bot may be taken over by another botnet<br />
***The bot's owner's PC realizes the PC is a zombie, kills the bot.<br />
***The chain of command may be compromised above the level.<br />
<br />
== Types of attacks ==<br />
<br />
===DDoS===<br />
A Distributed denial of Service attack. The bots flood a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his botnet by taking down the website, then he/she contacts the site in question and extorts them for money. <br />
<br />
===Spamming===<br />
[[Image:http://en.wikipedia.org/wiki/File:Zombie-process.svg|thumb|right|200px|Using a botnet to send spam]]<br />
<br />
A Herder can sell his botnet as a service to a spammer. This is beneficial to the spammer as he can have anonymous distribution of his messages.<br />
<br><br />
Due to the size of some botnets, a spammer will also be able to send much more messages via the bots then he normally could. This is another example of the exponential power of a botnet.<br />
<br />
===Phishing===<br />
Works the same way as the spamming method. However, instead of trying to sell a service such as "P3N15 3NLARGEMENT PILLS" the phisher is trying to con you out of your paypal or bank account.<br />
<br />
===Scrumping===<br />
A bot stealing CPU cycles from the host computer. This can be used as a positive means if the botnet is configured to not automatically propagate into systems that do not want it. This is not commonly the case. This could be done on a school's network.<br />
<br />
== How it works ==<br />
A Botnet basically uses a command and control schema, the same as a military. Each bot has a chain of command that is part of. It distributes orders down the line that it receives from up top. This is beneficial in the fact that it can grow exponentially. This is the opposite of the cell schema that some malware uses, which is to split apart and never communicate once they become big enough. <br><br />
<br />
A bot installs itself onto a PC. It has various vectors to enter that PC that the Herder can set. It does this autonomously. It receives orders from a server that tell it what to do. An individual bot by itself is not that powerful. However an exponential number of bots performing the same action has a much more profound effect. <br><br />
<br />
The bot once installed camouflages itself from the system view. It installs a hidden IRC client. It tries to mask itself by maintaining a low profile by using as little system resources as possible until it receives orders. <br><br />
<br />
Due to the inherent weakness of a command and control scheme, once the higher level bots are compromised the effectiveness of the botnet can be severally reduced. If the main server is taken down, the entire botnet fails.<br />
<br />
== Bot Management ==<br />
Bots commonly have hidden removal commands, to completely clean the host computer. On the larger IRC networks such as EFnet channel activity is logged in order to learn the commands, and then automated systems are setup to prevent the owner of the botnet from accessing them and at the same time perform the removal command when a bot comes online to it's control channel.<br />
<br />
== How to Fight Botnets ==<br />
http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service<br />
<br><br />
http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service<br />
<br><br />
http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service<br />
<br><br />
http://pt.wikipedia.org/wiki/Botnet<br />
<br><br />
http://en.wikipedia.org/wiki/Botnet<br />
<br><br />
http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software<br />
<br><br />
http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm<br />
<br><br />
===Norton Anti-Bot===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|<br />
'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. It is behavioral based, versus the usual signature based. What this means is unless the bot software actually does something, Norton will leave it alone. It has all the benefits of a commercial software, meaning it will be updated constantly as new bot definitions are found.<br />
===General Tips===<br />
Use common malware prevention techniques. On Windows XP this includes monitoring the process manager and registry for unknown applications. <br><br />
<br />
A better user could also monitor network traffic and see what ports are in use. A good indication is TCP port 6667 open when an IRC client is not running.<br />
== References ==<br />
[http://en.wikipedia.org/wiki/Botnet "Botnet"]<br><br />
== See Also ==<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet "Alternative Technologies for Ethernet"]<br><br />
[http://www.cas.mcmaster.ca/wiki/index.php/Phishing "Phishing"]<br><br />
<br />
== External Links ==<br />
[http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"] <br><br />
[http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"] <br> <br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-11T16:25:29Z<p>Rosard: </p>
<hr />
<div>Each phase our world, had it's wealthiness such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealthiness has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. And this vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Back doors, under a common command-and-control infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behaves like a “worm” process, capable of spreading though the infected machine and having the power to connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker(Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from users, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of Bots integrate the zombie machines into a really powerful and sophisticated invasion technique of a mass control of a a network.<br />
<br><br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privilege. What have been Botnets being used for? Is the concept of Botnet Evil? What measurements are being taken to control this terrible plague?. On the following sections, this article will discuss ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of computers of a network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
It also casts doubt on the capability of anti virus software to claim that a system is clean when it encounters and cleans one component of a multi-component bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the bot client modules is usually set to to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect own defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, bots needed to be able to operate as the channel operator. This lead the bots to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table> <br />
<br><br />
<br />
== How Big is this problem anyways? Why should I worry?? Who's out there for us??? ==<br />
=== Symantec ===<br />
On September of 2006 Symantec released a internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active bot network computers. They also discovered that many bots were not<br />
usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, McAfee was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) bot related. The national telecommunication company reported the<br />
following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; A small Botnet of 10,000 bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into podcasts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the FBI.<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the father of the Internet, Vint Cerf, has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending spam and spyware and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks:Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
== Profitable? How?? ==<br />
<br />
== Life cycle of a Botnet ==<br />
*Initial setup of configuration settings of the bot<br />
*Register a Dynamic DNS<br />
*Infect a PC with a bot<br />
**Bot propagates according to the configuration settings<br />
**Scans for vulnerabilities<br />
**Idle<br />
**Performs actions as received by other bots above it in the chain of command<br />
**Bot dies:<br />
***Bot may be taken over by another botnet<br />
***The bot's owner's PC realizes the PC is a zombie, kills the bot.<br />
***The chain of command may be compromised above the level.<br />
<br />
== Types of attacks ==<br />
<br />
===DDoS===<br />
A Distributed denial of Service attack. The bots flood a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his botnet by taking down the website, then he/she contacts the site in question and extorts them for money. <br />
<br />
===Spamming===<br />
[[http://en.wikipedia.org/wiki/File:Zombie-process.svg]]<br />
[[Image:Zombie-process.svg|thumb|right|200px|Using a botnet to send spam]]<br />
<br />
A Herder can sell his botnet as a service to a spammer. This is beneficial to the spammer as he can have anonymous distribution of his messages.<br />
<br><br />
Due to the size of some botnets, a spammer will also be able to send much more messages via the bots then he normally could. This is another example of the exponential power of a botnet.<br />
<br />
===Phishing===<br />
Works the same way as the spamming method. However, instead of trying to sell a service such as "P3N15 3NLARGEMENT PILLS" the phisher is trying to con you out of your paypal or bank account.<br />
<br />
===Scrumping===<br />
A bot stealing CPU cycles from the host computer. This can be used as a positive means if the botnet is configured to not automatically propagate into systems that do not want it. This is not commonly the case. This could be done on a school's network.<br />
<br />
== How it works ==<br />
A Botnet basically uses a command and control schema, the same as a military. Each bot has a chain of command that is part of. It distributes orders down the line that it receives from up top. This is beneficial in the fact that it can grow exponentially. This is the opposite of the cell schema that some malware uses, which is to split apart and never communicate once they become big enough. <br><br />
<br />
A bot installs itself onto a PC. It has various vectors to enter that PC that the Herder can set. It does this autonomously. It receives orders from a server that tell it what to do. An individual bot by itself is not that powerful. However an exponential number of bots performing the same action has a much more profound effect. <br><br />
<br />
The bot once installed camouflages itself from the system view. It installs a hidden IRC client. It tries to mask itself by maintaining a low profile by using as little system resources as possible until it receives orders. <br><br />
<br />
Due to the inherent weakness of a command and control scheme, once the higher level bots are compromised the effectiveness of the botnet can be severally reduced. If the main server is taken down, the entire botnet fails.<br />
<br />
== Bot Management ==<br />
Bots commonly have hidden removal commands, to completely clean the host computer. On the larger IRC networks such as EFnet channel activity is logged in order to learn the commands, and then automated systems are setup to prevent the owner of the botnet from accessing them and at the same time perform the removal command when a bot comes online to it's control channel.<br />
<br />
== How to Fight Botnets ==<br />
http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service<br />
<br><br />
http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service<br />
<br><br />
http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service<br />
<br><br />
http://pt.wikipedia.org/wiki/Botnet<br />
<br><br />
http://en.wikipedia.org/wiki/Botnet<br />
<br><br />
http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software<br />
<br><br />
http://www.builderau.com.au/tag/attack-botnet-denial_of_service.htm<br />
<br><br />
===Norton Anti-Bot===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|<br />
'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. It is behavioral based, versus the usual signature based. What this means is unless the bot software actually does something, Norton will leave it alone. It has all the benefits of a commercial software, meaning it will be updated constantly as new bot definitions are found.<br />
===General Tips===<br />
Use common malware prevention techniques. On Windows XP this includes monitoring the process manager and registry for unknown applications. <br><br />
<br />
A better user could also monitor network traffic and see what ports are in use. A good indication is TCP port 6667 open when an IRC client is not running.<br />
== References ==<br />
[http://en.wikipedia.org/wiki/Botnet "Botnet"]<br><br />
== See Also ==<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet "Alternative Technologies for Ethernet"]<br><br />
[http://www.cas.mcmaster.ca/wiki/index.php/Phishing "Phishing"]<br><br />
<br />
== External Links ==<br />
[http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"] <br><br />
[http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"] <br> <br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-11T16:13:28Z<p>Rosard: </p>
<hr />
<div>Each phase our world, had it's wealthiness such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealthiness has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. And this vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Back doors, under a common command-and-control infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behaves like a “worm” process, capable of spreading though the infected machine and having the power to connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker(Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from users, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of Bots integrate the zombie machines into a really powerful and sophisticated invasion technique of a mass control of a a network.<br />
<br><br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privilege. What have been Botnets being used for? Is the concept of Botnet Evil? What measurements are being taken to control this terrible plague?. On the following sections, this article will discuss ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of computers of a network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
It also casts doubt on the capability of anti virus software to claim that a system is clean when it encounters and cleans one component of a multi-component bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the bot client modules is usually set to to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect own defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, bots needed to be able to operate as the channel operator. This lead the bots to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table> <br />
<br />
== How Big is this problem anyways? Why should I worry?? Is there anything being done by someone to prevent and stop this??? ==<br />
=== Symantec ===<br />
On September of 2006 Symantec released a internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active bot network computers. They also discovered that many bots were not<br />
usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, McAfee was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) bot related. The national telecommunication company reported the<br />
following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; A small Botnet of 10,000 bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into podcasts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview on March 2006.<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the FBI.<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force since May 2006.<br />
<br><br />
=== Vint Cerf ===<br />
On September 2007, the father of the Internet, Vint Cerf, has warned attendees of the the World Economic Forum in Davos-Switzerland that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending spam and spyware and for launching denial of service attacks, are reported to be growing at an alarming rate and now Cerf has warned they could undermine the future of the Internet by comparing the threat to a pandemic disease.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks:Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.<br />
<br><br />
== Profitable? How?? ==<br />
<br />
== Life cycle of a Botnet ==<br />
*Initial setup of configuration settings of the bot<br />
*Register a Dynamic DNS<br />
*Infect a PC with a bot<br />
**Bot propagates according to the configuration settings<br />
**Scans for vulnerabilities<br />
**Idle<br />
**Performs actions as received by other bots above it in the chain of command<br />
**Bot dies:<br />
***Bot may be taken over by another botnet<br />
***The bot's owner's PC realizes the PC is a zombie, kills the bot.<br />
***The chain of command may be compromised above the level.<br />
<br />
== Types of attacks ==<br />
<br />
===DDoS===<br />
A Distributed denial of Service attack. The bots flood a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his botnet by taking down the website, then he/she contacts the site in question and extorts them for money. <br />
<br />
===Spamming===<br />
A Herder can sell his botnet as a service to a spammer. This is beneficial to the spammer as he can have anonymous distribution of his messages.<br />
<br><br />
Due to the size of some botnets, a spammer will also be able to send much more messages via the bots then he normally could. This is another example of the exponential power of a botnet.<br />
<br />
===Phishing===<br />
Works the same way as the spamming method. However, instead of trying to sell a service such as "P3N15 3NLARGEMENT PILLS" the phisher is trying to con you out of your paypal or bank account.<br />
<br />
===Scrumping===<br />
A bot stealing CPU cycles from the host computer. This can be used as a positive means if the botnet is configured to not automatically propagate into systems that do not want it. This is not commonly the case. This could be done on a school's network.<br />
<br />
== How it works ==<br />
A Botnet basically uses a command and control schema, the same as a military. Each bot has a chain of command that is part of. It distributes orders down the line that it receives from up top. This is beneficial in the fact that it can grow exponentially. This is the opposite of the cell schema that some malware uses, which is to split apart and never communicate once they become big enough. <br><br />
<br />
A bot installs itself onto a PC. It has various vectors to enter that PC that the Herder can set. It does this autonomously. It receives orders from a server that tell it what to do. An individual bot by itself is not that powerful. However an exponential number of bots performing the same action has a much more profound effect. <br><br />
<br />
The bot once installed camouflages itself from the system view. It installs a hidden IRC client. It tries to mask itself by maintaining a low profile by using as little system resources as possible until it receives orders. <br><br />
<br />
Due to the inherent weakness of a command and control scheme, once the higher level bots are compromised the effectiveness of the botnet can be severally reduced. If the main server is taken down, the entire botnet fails.<br />
<br />
== Bot Management ==<br />
Bots commonly have hidden removal commands, to completely clean the host computer. On the larger IRC networks such as EFnet channel activity is logged in order to learn the commands, and then automated systems are setup to prevent the owner of the botnet from accessing them and at the same time perform the removal command when a bot comes online to it's control channel.<br />
<br />
== How to Fight Botnets ==<br />
http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service<br />
<br><br />
http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service<br />
<br><br />
http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service<br />
<br />
<br />
<br />
<br />
<br />
===Norton Anti-Bot===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|<br />
'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. It is behavioral based, versus the usual signature based. What this means is unless the bot software actually does something, Norton will leave it alone. It has all the benefits of a commercial software, meaning it will be updated constantly as new bot definitions are found.<br />
===General Tips===<br />
Use common malware prevention techniques. On Windows XP this includes monitoring the process manager and registry for unknown applications. <br><br />
<br />
A better user could also monitor network traffic and see what ports are in use. A good indication is TCP port 6667 open when an IRC client is not running.<br />
== References ==<br />
[http://en.wikipedia.org/wiki/Botnet "Botnet"]<br><br />
== See Also ==<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet "Alternative Technologies for Ethernet"]<br><br />
[http://www.cas.mcmaster.ca/wiki/index.php/Phishing "Phishing"]<br><br />
<br />
== External Links ==<br />
[http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"] <br><br />
[http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"] <br> <br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-11T15:52:51Z<p>Rosard: </p>
<hr />
<div>Each phase our world, had it's wealthiness such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealthiness has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. And this vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Back doors, under a common command-and-control infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behaves like a “worm” process, capable of spreading though the infected machine and having the power to connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker(Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from users, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of Bots integrate the zombie machines into a really powerful and sophisticated invasion technique of a mass control of a a network.<br />
<br><br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privilege. What have been Botnets being used for? Is the concept of Botnet Evil? What measurements are being taken to control this terrible plague?. On the following sections, this article will discuss ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of computers of a network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
It also casts doubt on the capability of anti virus software to claim that a system is clean when it encounters and cleans one component of a multi-component bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the bot client modules is usually set to to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect own defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, bots needed to be able to operate as the channel operator. This lead the bots to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table> <br />
<br />
== How Big is this problem anyways? Is there anything being done by someone to prevent and stop this?? ==<br />
=== Symantec ===<br />
On September of 2006 Symantec released a internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active bot network computers. They also discovered that many bots were not<br />
usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, McAfee was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) bot related. The national telecommunication company reported the<br />
following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; A small Botnet of 10,000 bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== Microsoft ===<br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the FBI.<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force.<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day, the company said on Wednesday.<br />
To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into podcasts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks:Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment.<br />
<br><br />
== Profit? How?? ==<br />
<br />
== Life cycle of a Botnet ==<br />
*Initial setup of configuration settings of the bot<br />
*Register a Dynamic DNS<br />
*Infect a PC with a bot<br />
**Bot propagates according to the configuration settings<br />
**Scans for vulnerabilities<br />
**Idle<br />
**Performs actions as received by other bots above it in the chain of command<br />
**Bot dies:<br />
***Bot may be taken over by another botnet<br />
***The bot's owner's PC realizes the PC is a zombie, kills the bot.<br />
***The chain of command may be compromised above the level.<br />
<br />
== Types of attacks ==<br />
<br />
===DDoS===<br />
A Distributed denial of Service attack. The bots flood a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his botnet by taking down the website, then he/she contacts the site in question and extorts them for money. <br />
<br />
===Spamming===<br />
A Herder can sell his botnet as a service to a spammer. This is beneficial to the spammer as he can have anonymous distribution of his messages.<br />
<br><br />
Due to the size of some botnets, a spammer will also be able to send much more messages via the bots then he normally could. This is another example of the exponential power of a botnet.<br />
<br />
===Phishing===<br />
Works the same way as the spamming method. However, instead of trying to sell a service such as "P3N15 3NLARGEMENT PILLS" the phisher is trying to con you out of your paypal or bank account.<br />
<br />
===Scrumping===<br />
A bot stealing CPU cycles from the host computer. This can be used as a positive means if the botnet is configured to not automatically propagate into systems that do not want it. This is not commonly the case. This could be done on a school's network.<br />
<br />
== How it works ==<br />
A Botnet basically uses a command and control schema, the same as a military. Each bot has a chain of command that is part of. It distributes orders down the line that it receives from up top. This is beneficial in the fact that it can grow exponentially. This is the opposite of the cell schema that some malware uses, which is to split apart and never communicate once they become big enough. <br><br />
<br />
A bot installs itself onto a PC. It has various vectors to enter that PC that the Herder can set. It does this autonomously. It receives orders from a server that tell it what to do. An individual bot by itself is not that powerful. However an exponential number of bots performing the same action has a much more profound effect. <br><br />
<br />
The bot once installed camouflages itself from the system view. It installs a hidden IRC client. It tries to mask itself by maintaining a low profile by using as little system resources as possible until it receives orders. <br><br />
<br />
Due to the inherent weakness of a command and control scheme, once the higher level bots are compromised the effectiveness of the botnet can be severally reduced. If the main server is taken down, the entire botnet fails.<br />
<br />
== Bot Management ==<br />
Bots commonly have hidden removal commands, to completely clean the host computer. On the larger IRC networks such as EFnet channel activity is logged in order to learn the commands, and then automated systems are setup to prevent the owner of the botnet from accessing them and at the same time perform the removal command when a bot comes online to it's control channel.<br />
<br />
== How to Fight Botnets ==<br />
===Norton Anti-Bot===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|<br />
'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. It is behavioral based, versus the usual signature based. What this means is unless the bot software actually does something, Norton will leave it alone. It has all the benefits of a commercial software, meaning it will be updated constantly as new bot definitions are found.<br />
===General Tips===<br />
Use common malware prevention techniques. On Windows XP this includes monitoring the process manager and registry for unknown applications. <br><br />
<br />
A better user could also monitor network traffic and see what ports are in use. A good indication is TCP port 6667 open when an IRC client is not running.<br />
== References ==<br />
[http://en.wikipedia.org/wiki/Botnet "Botnet"]<br><br />
== See Also ==<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet "Alternative Technologies for Ethernet"]<br><br />
[http://www.cas.mcmaster.ca/wiki/index.php/Phishing "Phishing"]<br><br />
<br />
== External Links ==<br />
[http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"] <br><br />
[http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"] <br> <br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-11T15:46:13Z<p>Rosard: </p>
<hr />
<div>Each phase our world, had it's wealthiness such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealthiness has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. And this vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Back doors, under a common command-and-control infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behaves like a “worm” process, capable of spreading though the infected machine and having the power to connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker(Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from users, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of Bots integrate the zombie machines into a really powerful and sophisticated invasion technique of a mass control of a a network.<br />
<br><br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privilege. What have been Botnets being used for? Is the concept of Botnet Evil? What measurements are being taken to control this terrible plague?. On the following sections, this article will discuss ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of computers of a network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
It also casts doubt on the capability of anti virus software to claim that a system is clean when it encounters and cleans one component of a multi-component bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the bot client modules is usually set to to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect own defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, bots needed to be able to operate as the channel operator. This lead the bots to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<br><br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table> <br />
<br><br />
<br />
== How Big is this problem anyways? ==<br />
=== Symantec ===<br />
On September of 2006 Symantec released a internet threat report which stated that during the six-month period from January to June 2006 Symantec observed 57,717 active bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active bot network computers. They also discovered that many bots were not<br />
usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
=== McAfee ===<br />
In March of 2006, McAfee was called to reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the<br />
engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) bot related. The national telecommunication company reported the<br />
following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; A small Botnet of 10,000 bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
=== VeriSign ===<br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
=== International Botnet Task Force ===<br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the FBI.<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force.<br />
<br><br />
=== Sun Microsystems' Grid ===<br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day, the company said on Wednesday.<br />
To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into podcasts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview.<br />
<br><br />
=== Facebook ===<br />
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks:Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment.<br />
<br><br />
== How it turned in to an illegal way of profit? ==<br />
<br />
== Life cycle of a Botnet ==<br />
*Initial setup of configuration settings of the bot<br />
*Register a Dynamic DNS<br />
*Infect a PC with a bot<br />
**Bot propagates according to the configuration settings<br />
**Scans for vulnerabilities<br />
**Idle<br />
**Performs actions as received by other bots above it in the chain of command<br />
**Bot dies:<br />
***Bot may be taken over by another botnet<br />
***The bot's owner's PC realizes the PC is a zombie, kills the bot.<br />
***The chain of command may be compromised above the level.<br />
<br />
== Types of attacks ==<br />
<br />
===DDoS===<br />
A Distributed denial of Service attack. The bots flood a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his botnet by taking down the website, then he/she contacts the site in question and extorts them for money. <br />
<br />
===Spamming===<br />
A Herder can sell his botnet as a service to a spammer. This is beneficial to the spammer as he can have anonymous distribution of his messages.<br />
<br><br />
Due to the size of some botnets, a spammer will also be able to send much more messages via the bots then he normally could. This is another example of the exponential power of a botnet.<br />
<br />
===Phishing===<br />
Works the same way as the spamming method. However, instead of trying to sell a service such as "P3N15 3NLARGEMENT PILLS" the phisher is trying to con you out of your paypal or bank account.<br />
<br />
===Scrumping===<br />
A bot stealing CPU cycles from the host computer. This can be used as a positive means if the botnet is configured to not automatically propagate into systems that do not want it. This is not commonly the case. This could be done on a school's network.<br />
<br />
== How it works ==<br />
A Botnet basically uses a command and control schema, the same as a military. Each bot has a chain of command that is part of. It distributes orders down the line that it receives from up top. This is beneficial in the fact that it can grow exponentially. This is the opposite of the cell schema that some malware uses, which is to split apart and never communicate once they become big enough. <br><br />
<br />
A bot installs itself onto a PC. It has various vectors to enter that PC that the Herder can set. It does this autonomously. It receives orders from a server that tell it what to do. An individual bot by itself is not that powerful. However an exponential number of bots performing the same action has a much more profound effect. <br><br />
<br />
The bot once installed camouflages itself from the system view. It installs a hidden IRC client. It tries to mask itself by maintaining a low profile by using as little system resources as possible until it receives orders. <br><br />
<br />
Due to the inherent weakness of a command and control scheme, once the higher level bots are compromised the effectiveness of the botnet can be severally reduced. If the main server is taken down, the entire botnet fails.<br />
<br />
== Bot Management ==<br />
Bots commonly have hidden removal commands, to completely clean the host computer. On the larger IRC networks such as EFnet channel activity is logged in order to learn the commands, and then automated systems are setup to prevent the owner of the botnet from accessing them and at the same time perform the removal command when a bot comes online to it's control channel.<br />
<br />
== How to Fight Botnets ==<br />
===Norton Anti-Bot===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|<br />
'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. It is behavioral based, versus the usual signature based. What this means is unless the bot software actually does something, Norton will leave it alone. It has all the benefits of a commercial software, meaning it will be updated constantly as new bot definitions are found.<br />
===General Tips===<br />
Use common malware prevention techniques. On Windows XP this includes monitoring the process manager and registry for unknown applications. <br><br />
<br />
A better user could also monitor network traffic and see what ports are in use. A good indication is TCP port 6667 open when an IRC client is not running.<br />
== References ==<br />
[http://en.wikipedia.org/wiki/Botnet "Botnet"]<br><br />
== See Also ==<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet "Alternative Technologies for Ethernet"]<br><br />
[http://www.cas.mcmaster.ca/wiki/index.php/Phishing "Phishing"]<br><br />
<br />
== External Links ==<br />
[http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"] <br><br />
[http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"] <br> <br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-11T15:42:56Z<p>Rosard: </p>
<hr />
<div>Each phase our world, had it's wealthiness such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealthiness has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. And this vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Back doors, under a common command-and-control infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behaves like a “worm” process, capable of spreading though the infected machine and having the power to connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker(Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from users, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of Bots integrate the zombie machines into a really powerful and sophisticated invasion technique of a mass control of a a network.<br />
<br><br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privilege. What have been Botnets being used for? Is the concept of Botnet Evil? What measurements are being taken to control this terrible plague?. On the following sections, this article will discuss ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of computers of a network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
It also casts doubt on the capability of anti virus software to claim that a system is clean when it encounters and cleans one component of a multi-component bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the bot client modules is usually set to to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect own defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, bots needed to be able to operate as the channel operator. This lead the bots to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how a human-machine assist application went from being a simple and helpful code to a complex distributed network threat:<br />
<br />
<br><br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table> <br />
<br><br />
<br />
== How Big is this problem anyways? ==<br />
On September of 2006 Symantec released a internet threat report which stated that during the six-month period from January to June 2006 Symantec observed 57,717 active bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active bot network computers. They also discovered that many bots were not<br />
usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
In March of 2006, McAfee was called to reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the<br />
engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) bot related. The national telecommunication company reported the<br />
following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; A small Botnet of 10,000 bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."<br />
<br><br />
More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the FBI.<br />
The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force.<br />
<br><br />
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day, the company said on Wednesday.<br />
To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into podcasts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing said in an interview.<br />
<br><br />
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks:Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.<br />
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment.<br />
<br><br />
== How it turned in to an illegal way of profit? ==<br />
<br />
== Life cycle of a Botnet ==<br />
*Initial setup of configuration settings of the bot<br />
*Register a Dynamic DNS<br />
*Infect a PC with a bot<br />
**Bot propagates according to the configuration settings<br />
**Scans for vulnerabilities<br />
**Idle<br />
**Performs actions as received by other bots above it in the chain of command<br />
**Bot dies:<br />
***Bot may be taken over by another botnet<br />
***The bot's owner's PC realizes the PC is a zombie, kills the bot.<br />
***The chain of command may be compromised above the level.<br />
<br />
== Types of attacks ==<br />
<br />
===DDoS===<br />
A Distributed denial of Service attack. The bots flood a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his botnet by taking down the website, then he/she contacts the site in question and extorts them for money. <br />
<br />
===Spamming===<br />
A Herder can sell his botnet as a service to a spammer. This is beneficial to the spammer as he can have anonymous distribution of his messages.<br />
<br><br />
Due to the size of some botnets, a spammer will also be able to send much more messages via the bots then he normally could. This is another example of the exponential power of a botnet.<br />
<br />
===Phishing===<br />
Works the same way as the spamming method. However, instead of trying to sell a service such as "P3N15 3NLARGEMENT PILLS" the phisher is trying to con you out of your paypal or bank account.<br />
<br />
===Scrumping===<br />
A bot stealing CPU cycles from the host computer. This can be used as a positive means if the botnet is configured to not automatically propagate into systems that do not want it. This is not commonly the case. This could be done on a school's network.<br />
<br />
== How it works ==<br />
A Botnet basically uses a command and control schema, the same as a military. Each bot has a chain of command that is part of. It distributes orders down the line that it receives from up top. This is beneficial in the fact that it can grow exponentially. This is the opposite of the cell schema that some malware uses, which is to split apart and never communicate once they become big enough. <br><br />
<br />
A bot installs itself onto a PC. It has various vectors to enter that PC that the Herder can set. It does this autonomously. It receives orders from a server that tell it what to do. An individual bot by itself is not that powerful. However an exponential number of bots performing the same action has a much more profound effect. <br><br />
<br />
The bot once installed camouflages itself from the system view. It installs a hidden IRC client. It tries to mask itself by maintaining a low profile by using as little system resources as possible until it receives orders. <br><br />
<br />
Due to the inherent weakness of a command and control scheme, once the higher level bots are compromised the effectiveness of the botnet can be severally reduced. If the main server is taken down, the entire botnet fails.<br />
<br />
== Bot Management ==<br />
Bots commonly have hidden removal commands, to completely clean the host computer. On the larger IRC networks such as EFnet channel activity is logged in order to learn the commands, and then automated systems are setup to prevent the owner of the botnet from accessing them and at the same time perform the removal command when a bot comes online to it's control channel.<br />
<br />
== How to Fight Botnets ==<br />
===Norton Anti-Bot===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|<br />
'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. It is behavioral based, versus the usual signature based. What this means is unless the bot software actually does something, Norton will leave it alone. It has all the benefits of a commercial software, meaning it will be updated constantly as new bot definitions are found.<br />
===General Tips===<br />
Use common malware prevention techniques. On Windows XP this includes monitoring the process manager and registry for unknown applications. <br><br />
<br />
A better user could also monitor network traffic and see what ports are in use. A good indication is TCP port 6667 open when an IRC client is not running.<br />
== References ==<br />
[http://en.wikipedia.org/wiki/Botnet "Botnet"]<br><br />
== See Also ==<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet "Alternative Technologies for Ethernet"]<br><br />
[http://www.cas.mcmaster.ca/wiki/index.php/Phishing "Phishing"]<br><br />
<br />
== External Links ==<br />
[http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"] <br><br />
[http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"] <br> <br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-11T00:36:22Z<p>Rosard: </p>
<hr />
<div>Each phase our world, had it's wealthiness such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealthiness has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. And this vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Back doors, under a common command-and-control infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behaves like a “worm” process, capable of spreading though the infected machine and having the power to connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker(Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from users, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of Bots integrate the zombie machines into a really powerful and sophisticated invasion technique of a mass control of a a network.<br />
<br><br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privilege. What have been Botnets being used for? Is the concept of Botnet Evil? What measurements are being taken to control this terrible plague?. On the following sections, this article will discuss ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of computers of a network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
It also casts doubt on the capability of anti virus software to claim that a system is clean when it encounters and cleans one component of a multi-component bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the bot client modules is usually set to to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect own defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, bots needed to be able to operate as the channel operator. This lead the bots to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how an human-machine assist application went from being a simple code to <br />
<br />
<br><br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table> <br />
<br><br />
<br />
== How Big is the problem? ==<br />
On September of 2006 Symantec released a internet threat report which stated that during the six-month period from January to June 2006 Symantec observed 57,717 active bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active bot network computers. They also discovered that many bots were not<br />
usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
In March of 2006, McAfee was called to reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the<br />
engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) bot related. The national telecommunication company reported the<br />
following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; A small Botnet of 10,000 bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
<br />
== How it turned in to an illegal way of profit? ==<br />
<br />
== Life cycle of a Botnet ==<br />
*Initial setup of configuration settings of the bot<br />
*Register a Dynamic DNS<br />
*Infect a PC with a bot<br />
**Bot propagates according to the configuration settings<br />
**Scans for vulnerabilities<br />
**Idle<br />
**Performs actions as received by other bots above it in the chain of command<br />
**Bot dies:<br />
***Bot may be taken over by another botnet<br />
***The bot's owner's PC realizes the PC is a zombie, kills the bot.<br />
***The chain of command may be compromised above the level.<br />
<br />
== Types of attacks ==<br />
<br />
===DDoS===<br />
A Distributed denial of Service attack. The bots flood a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his botnet by taking down the website, then he/she contacts the site in question and extorts them for money. <br />
<br />
===Spamming===<br />
A Herder can sell his botnet as a service to a spammer. This is beneficial to the spammer as he can have anonymous distribution of his messages.<br />
<br><br />
Due to the size of some botnets, a spammer will also be able to send much more messages via the bots then he normally could. This is another example of the exponential power of a botnet.<br />
<br />
===Phishing===<br />
Works the same way as the spamming method. However, instead of trying to sell a service such as "P3N15 3NLARGEMENT PILLS" the phisher is trying to con you out of your paypal or bank account.<br />
<br />
===Scrumping===<br />
A bot stealing CPU cycles from the host computer. This can be used as a positive means if the botnet is configured to not automatically propagate into systems that do not want it. This is not commonly the case. This could be done on a school's network.<br />
<br />
== How it works ==<br />
A Botnet basically uses a command and control schema, the same as a military. Each bot has a chain of command that is part of. It distributes orders down the line that it receives from up top. This is beneficial in the fact that it can grow exponentially. This is the opposite of the cell schema that some malware uses, which is to split apart and never communicate once they become big enough. <br><br />
<br />
A bot installs itself onto a PC. It has various vectors to enter that PC that the Herder can set. It does this autonomously. It receives orders from a server that tell it what to do. An individual bot by itself is not that powerful. However an exponential number of bots performing the same action has a much more profound effect. <br><br />
<br />
The bot once installed camouflages itself from the system view. It installs a hidden IRC client. It tries to mask itself by maintaining a low profile by using as little system resources as possible until it receives orders. <br><br />
<br />
Due to the inherent weakness of a command and control scheme, once the higher level bots are compromised the effectiveness of the botnet can be severally reduced. If the main server is taken down, the entire botnet fails.<br />
<br />
== Bot Management ==<br />
Bots commonly have hidden removal commands, to completely clean the host computer. On the larger IRC networks such as EFnet channel activity is logged in order to learn the commands, and then automated systems are setup to prevent the owner of the botnet from accessing them and at the same time perform the removal command when a bot comes online to it's control channel.<br />
<br />
== How to Fight Botnets ==<br />
===Norton Anti-Bot===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|<br />
'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. It is behavioral based, versus the usual signature based. What this means is unless the bot software actually does something, Norton will leave it alone. It has all the benefits of a commercial software, meaning it will be updated constantly as new bot definitions are found.<br />
===General Tips===<br />
Use common malware prevention techniques. On Windows XP this includes monitoring the process manager and registry for unknown applications. <br><br />
<br />
A better user could also monitor network traffic and see what ports are in use. A good indication is TCP port 6667 open when an IRC client is not running.<br />
== References ==<br />
[http://en.wikipedia.org/wiki/Botnet "Botnet"]<br><br />
== See Also ==<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet "Alternative Technologies for Ethernet"]<br><br />
[http://www.cas.mcmaster.ca/wiki/index.php/Phishing "Phishing"]<br><br />
<br />
== External Links ==<br />
[http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"] <br><br />
[http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"] <br> <br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-11T00:16:25Z<p>Rosard: </p>
<hr />
<div>Each phase our world, had it's wealthiness such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealthiness has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. And this vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Backdoors, under a common command-and-control infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behaves like a “worm” process, capable of spreading though the infected machine and having the power to connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker(Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from users, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of Bots integrate the zombie machines into a really powerful and sophisticated invasion technique of a mass control of a a network.<br />
<br><br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privilege. What have been Botnets being used for? Is the concept of Botnet Evil? What measurements are being taken to control this terrible plague?. On the following sections, this article will discuss ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of computers of a network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
It also casts doubt on the capability of anti virus software to claim that a system is clean when it encounters and cleans one component of a multi-component bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the bot client modules is usually set to to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect own defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, bots needed to be able to operate as the channel operator. This lead the bots to evolve from being code that helped a single user to a code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to users. The shell account permitted users to run commands on the IRC host. At this point, the bots intentions were twisted to a malicious way of commanding a machine remotely. <br />
<br><br />
The table bellow shows the evolution and how an human-machine assist application went from being a simple code to <br />
<br />
<br><br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Timeline</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered. First worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven Trojan/bot. A remote control Trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based. Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot. Written in C++ where its source code is available to hacker community though a small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot. They introduced modular design. The 1st module break-sin downloads, the 2nd module turns off anti virus and hides from detection before downloading the 3rd module. Module 3 has attack engines/payload</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot. Spyware capabilities (key logging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot. Most Prevalent Bot today. It spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot. A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB. My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table> <br />
<br />
== How Big is the problem? ==<br />
On September of 2006 Symantec released a internet threat report which stated that during the six-month period from January to June 2006 Symantec observed 57,717 active bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active bot network computers. They also discovered that many bots were not<br />
usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
In March of 2006, McAfee was called to reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the<br />
engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) bot related. The national telecommunication company reported the<br />
following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
<br><br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; A small Botnet of 10,000 bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
<br />
== How it turned in to an illegal way of profit? ==<br />
<br />
<br />
<br />
===Scrumping===<br />
A bot stealing CPU cycles from the host computer. This can be used as a positive means if the botnet is configured to not automatically propagate into systems that do not want it. This is not commonly the case. This could be done on a school's network.<br />
== How it works ==<br />
A Botnet basically uses a command and control schema, the same as a military. Each bot has a chain of command that is part of. It distributes orders down the line that it receives from up top. This is beneficial in the fact that it can grow exponentially. This is the opposite of the cell schema that some malware uses, which is to split apart and never communicate once they become big enough. <br><br />
<br />
A bot installs itself onto a PC. It has various vectors to enter that PC that the Herder can set. It does this autonomously. It receives orders from a server that tell it what to do. An individual bot by itself is not that powerful. However an exponential number of bots performing the same action has a much more profound effect. <br><br />
<br />
The bot once installed camouflages itself from the system view. It installs a hidden IRC client. It tries to mask itself by maintaining a low profile by using as little system resources as possible until it receives orders. <br><br />
<br />
Due to the inherent weakness of a command and control scheme, once the higher level bots are compromised the effectiveness of the botnet can be severally reduced. If the main server is taken down, the entire botnet fails.<br />
<br />
== Attacks ==<br />
*DDoS<br />
*Spamming<br />
*Phishing <br />
===DDoS===<br />
A Distributed denial of Service attack. The bots flood a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his botnet by taking down the website, then he/she contacts the site in question and extorts them for money. <br />
===Spamming===<br />
A Herder can sell his botnet as a service to a spammer. This is beneficial to the spammer as he can have anonymous distribution of his messages. <br><br />
<br />
Due to the size of some botnets, a spammer will also be able to send much more messages via the bots then he normally could. This is another example of the exponential power of a botnet.<br />
<br />
===Phishing===<br />
Works the same way as the spamming method. However, instead of trying to sell a service such as "P3N15 3NLARGEMENT PILLS" the phisher is trying to con you out of your paypal or bank account.<br />
== Life Cycle == <br />
*Initial setup of configuration settings of the bot<br />
*Register a Dynamic DNS<br />
*Infect a PC with a bot<br />
**Bot propagates according to the configuration settings<br />
**Scans for vulnerabilities<br />
**Idle<br />
**Performs actions as received by other bots above it in the chain of command<br />
**Bot dies:<br />
***Bot may be taken over by another botnet<br />
***The bot's owner's PC realizes the PC is a zombie, kills the bot.<br />
***The chain of command may be compromised above the level.<br />
== Bot Management ==<br />
Bots commonly have hidden removal commands, to completely clean the host computer. On the larger IRC networks such as EFnet channel activity is logged in order to learn the commands, and then automated systems are setup to prevent the owner of the botnet from accessing them and at the same time perform the removal command when a bot comes online to it's control channel.<br />
<br />
== How to Fight Botnets ==<br />
===Norton Anti-Bot===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|<br />
'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. It is behavioral based, versus the usual signature based. What this means is unless the bot software actually does something, Norton will leave it alone. It has all the benefits of a commercial software, meaning it will be updated constantly as new bot definitions are found.<br />
===General Tips===<br />
Use common malware prevention techniques. On Windows XP this includes monitoring the process manager and registry for unknown applications. <br><br />
<br />
A better user could also monitor network traffic and see what ports are in use. A good indication is TCP port 6667 open when an IRC client is not running.<br />
== References ==<br />
[http://en.wikipedia.org/wiki/Botnet "Botnet"]<br><br />
== See Also ==<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet "Alternative Technologies for Ethernet"]<br><br />
[http://www.cas.mcmaster.ca/wiki/index.php/Phishing "Phishing"]<br><br />
<br />
== External Links ==<br />
[http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"] <br><br />
[http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"] <br> <br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-10T23:48:19Z<p>Rosard: </p>
<hr />
<div>Each phase our world, had it's wealthiness such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealthiness has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. And this vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Backdoors, under a common command-and-control infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behaves like a “worm” process, capable of spreading though the infected machine and having the power to connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker(Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from users, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of Bots integrate the zombie machines into a really powerful and sophisticated invasion technique of a mass control of a a network.<br />
<br><br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privilege. What have been Botnets being used for? Is the concept of Botnet Evil? What measurements are being taken to control this terrible plague?. On the following sections, this article will discuss ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of computers of a network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
It also casts doubt on the capability of anti virus software to claim that a system is clean when it encounters and cleans one component of a multi-component bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the bot client modules is usually set to to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect own defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, bots began as a useful tool without malicious overtones. Bots were originally developed as a virtual individual<br />
that could sit on an IRC channel and do things for its owner while the owner was busy elsewhere.<br />
<br><br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Evolution Time</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>Pretty Park discovered first worm to use an IRC server as a means of remote control</td><br />
</tr><br />
<br />
<tr><br />
<td>1999</td><br />
<td>SubSeven trojan/bot A remote control trojan added control via IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>2000</td><br />
<td>GT Bot, mIRC based Runs scripts in response to IRC server events Supports raw TCP and UDP Socket connections</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>SDBot, written in C++ Source code available to hacker community Small single binary</td><br />
</tr><br />
<br />
<tr><br />
<td>2002</td><br />
<td>AgoBot, Gaobot Introduces modular design 1st module break-sin downloads 2nd module 2nd module turns off anti virus Hides from detection, downloads 3rd module. Module 3 has attack engines/payloa</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>SpyBot Spyware capabilities (keylogging, data mining for email addresses lists of URLs, etc.)</td><br />
</tr><br />
<br />
<tr><br />
<td>2003</td><br />
<td>RBot Most Prevalent Bot today Spreads through weak passwords, easily modifiable, Uses packaging software</td><br />
</tr><br />
<br />
<tr><br />
<td>2004</td><br />
<td>PolyBot A derivative of AgoBot with Polymorphic abilty. Changes the look of its code on every infection</td><br />
</tr><br />
<br />
<tr><br />
<td>2005</td><br />
<td>MYTOB My Doom mass emailing worm with Bot IRC C&C</td><br />
</tr><br />
<br />
</table> <br />
<br />
== How Big is the problem? ==<br />
On September of 2006 Symantec released a internet threat report which stated that during the six-month period from January to June 2006 Symantec observed 57,717 active bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active bot network computers. They also discovered that many bots were not<br />
usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
In March of 2006, McAfee was called to reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the<br />
engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) bot related. The national telecommunication company reported the<br />
following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
<br><br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; A small Botnet of 10,000 bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
<br />
== How it turned in to an illegal way of profit? ==<br />
<br />
<br />
<br />
===Scrumping===<br />
A bot stealing CPU cycles from the host computer. This can be used as a positive means if the botnet is configured to not automatically propagate into systems that do not want it. This is not commonly the case. This could be done on a school's network.<br />
== How it works ==<br />
A Botnet basically uses a command and control schema, the same as a military. Each bot has a chain of command that is part of. It distributes orders down the line that it receives from up top. This is beneficial in the fact that it can grow exponentially. This is the opposite of the cell schema that some malware uses, which is to split apart and never communicate once they become big enough. <br><br />
<br />
A bot installs itself onto a PC. It has various vectors to enter that PC that the Herder can set. It does this autonomously. It receives orders from a server that tell it what to do. An individual bot by itself is not that powerful. However an exponential number of bots performing the same action has a much more profound effect. <br><br />
<br />
The bot once installed camouflages itself from the system view. It installs a hidden IRC client. It tries to mask itself by maintaining a low profile by using as little system resources as possible until it receives orders. <br><br />
<br />
Due to the inherent weakness of a command and control scheme, once the higher level bots are compromised the effectiveness of the botnet can be severally reduced. If the main server is taken down, the entire botnet fails.<br />
<br />
== Attacks ==<br />
*DDoS<br />
*Spamming<br />
*Phishing <br />
===DDoS===<br />
A Distributed denial of Service attack. The bots flood a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his botnet by taking down the website, then he/she contacts the site in question and extorts them for money. <br />
===Spamming===<br />
A Herder can sell his botnet as a service to a spammer. This is beneficial to the spammer as he can have anonymous distribution of his messages. <br><br />
<br />
Due to the size of some botnets, a spammer will also be able to send much more messages via the bots then he normally could. This is another example of the exponential power of a botnet.<br />
<br />
===Phishing===<br />
Works the same way as the spamming method. However, instead of trying to sell a service such as "P3N15 3NLARGEMENT PILLS" the phisher is trying to con you out of your paypal or bank account.<br />
== Life Cycle == <br />
*Initial setup of configuration settings of the bot<br />
*Register a Dynamic DNS<br />
*Infect a PC with a bot<br />
**Bot propagates according to the configuration settings<br />
**Scans for vulnerabilities<br />
**Idle<br />
**Performs actions as received by other bots above it in the chain of command<br />
**Bot dies:<br />
***Bot may be taken over by another botnet<br />
***The bot's owner's PC realizes the PC is a zombie, kills the bot.<br />
***The chain of command may be compromised above the level.<br />
== Bot Management ==<br />
Bots commonly have hidden removal commands, to completely clean the host computer. On the larger IRC networks such as EFnet channel activity is logged in order to learn the commands, and then automated systems are setup to prevent the owner of the botnet from accessing them and at the same time perform the removal command when a bot comes online to it's control channel.<br />
<br />
== How to Fight Botnets ==<br />
===Norton Anti-Bot===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|<br />
'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. It is behavioral based, versus the usual signature based. What this means is unless the bot software actually does something, Norton will leave it alone. It has all the benefits of a commercial software, meaning it will be updated constantly as new bot definitions are found.<br />
===General Tips===<br />
Use common malware prevention techniques. On Windows XP this includes monitoring the process manager and registry for unknown applications. <br><br />
<br />
A better user could also monitor network traffic and see what ports are in use. A good indication is TCP port 6667 open when an IRC client is not running.<br />
== References ==<br />
[http://en.wikipedia.org/wiki/Botnet "Botnet"]<br><br />
== See Also ==<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet "Alternative Technologies for Ethernet"]<br><br />
[http://www.cas.mcmaster.ca/wiki/index.php/Phishing "Phishing"]<br><br />
<br />
== External Links ==<br />
[http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"] <br><br />
[http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"] <br> <br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-10T23:41:38Z<p>Rosard: </p>
<hr />
<div>Each phase our world, had it's wealthiness such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealthiness has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. And this vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Backdoors, under a common command-and-control infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behaves like a “worm” process, capable of spreading though the infected machine and having the power to connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker(Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from users, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet.<br />
<br><br />
<br />
== Botnet? What is it?? How it works??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of Bots integrate the zombie machines into a really powerful and sophisticated invasion technique of a mass control of a a network.<br />
<br><br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privilege. What have been Botnets being used for? Is the concept of Botnet Evil? What measurements are being taken to control this terrible plague?. On the following sections, this article will discuss ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of computers of a network.<br />
<br><br />
<br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
It also casts doubt on the capability of anti virus software to claim that a system is clean when it encounters and cleans one component of a multi-component bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the bot client modules is usually set to to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect own defense system.<br />
<br><br />
<br />
== History of Botnets ==<br />
Like many things on the Internet today, bots began as a useful tool without malicious overtones. Bots were originally developed as a virtual individual<br />
that could sit on an IRC channel and do things for its owner while the owner was busy elsewhere. IRC was invented in August of 1988 by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland.<br />
<br><br />
<br />
<table border="1"><br />
<br />
<tr><br />
<th>Evolution Time</th><br />
<th>Bot technology</th><br />
</tr><br />
<br />
<tr><br />
<td>1988</td><br />
<td>Invention of IRC</td><br />
</tr><br />
<br />
<tr><br />
<td>1989</td><br />
<td>Greg Lindahl invents GM the first Bot, where GM plays "Hunt the Wumpus" with IRC users</td><br />
</tr><br />
<br />
</table> <br />
<br />
<br />
== How Big is the problem? ==<br />
On September of 2006 Symantec released a internet threat report which stated that during the six-month period from January to June 2006 Symantec observed 57,717 active bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active bot network computers. They also discovered that many bots were not<br />
usually detected until the Bot Herder had abandoned the computer which makes us conclude that the actual number is much larger than what Symantec can report.<br />
<br><br />
In March of 2006, McAfee was called to reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the<br />
engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) bot related. The national telecommunication company reported the<br />
following resulting problems:<br />
* Numerous network outages of up to six hours<br />
* Customer threats of lawsuits<br />
* Customer business disruptions<br />
* Lengthy outages of bank ATM service<br />
<br><br />
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it. <br />
<br><br />
Consider the distributed denial-of-service (DDoS) attack power in one Botnet; A small Botnet of 10,000 bot clients with, conservatively, 128Kbps broadband upload speed can produce approximately 1.3 giga-bits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”<br />
<br><br />
<br />
== How it turned in to an illegal way of profit? ==<br />
<br />
<br />
<br />
===Scrumping===<br />
A bot stealing CPU cycles from the host computer. This can be used as a positive means if the botnet is configured to not automatically propagate into systems that do not want it. This is not commonly the case. This could be done on a school's network.<br />
== How it works ==<br />
A Botnet basically uses a command and control schema, the same as a military. Each bot has a chain of command that is part of. It distributes orders down the line that it receives from up top. This is beneficial in the fact that it can grow exponentially. This is the opposite of the cell schema that some malware uses, which is to split apart and never communicate once they become big enough. <br><br />
<br />
A bot installs itself onto a PC. It has various vectors to enter that PC that the Herder can set. It does this autonomously. It receives orders from a server that tell it what to do. An individual bot by itself is not that powerful. However an exponential number of bots performing the same action has a much more profound effect. <br><br />
<br />
The bot once installed camouflages itself from the system view. It installs a hidden IRC client. It tries to mask itself by maintaining a low profile by using as little system resources as possible until it receives orders. <br><br />
<br />
Due to the inherent weakness of a command and control scheme, once the higher level bots are compromised the effectiveness of the botnet can be severally reduced. If the main server is taken down, the entire botnet fails.<br />
<br />
== Attacks ==<br />
*DDoS<br />
*Spamming<br />
*Phishing <br />
===DDoS===<br />
A Distributed denial of Service attack. The bots flood a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his botnet by taking down the website, then he/she contacts the site in question and extorts them for money. <br />
===Spamming===<br />
A Herder can sell his botnet as a service to a spammer. This is beneficial to the spammer as he can have anonymous distribution of his messages. <br><br />
<br />
Due to the size of some botnets, a spammer will also be able to send much more messages via the bots then he normally could. This is another example of the exponential power of a botnet.<br />
<br />
===Phishing===<br />
Works the same way as the spamming method. However, instead of trying to sell a service such as "P3N15 3NLARGEMENT PILLS" the phisher is trying to con you out of your paypal or bank account.<br />
== Life Cycle == <br />
*Initial setup of configuration settings of the bot<br />
*Register a Dynamic DNS<br />
*Infect a PC with a bot<br />
**Bot propagates according to the configuration settings<br />
**Scans for vulnerabilities<br />
**Idle<br />
**Performs actions as received by other bots above it in the chain of command<br />
**Bot dies:<br />
***Bot may be taken over by another botnet<br />
***The bot's owner's PC realizes the PC is a zombie, kills the bot.<br />
***The chain of command may be compromised above the level.<br />
== Bot Management ==<br />
Bots commonly have hidden removal commands, to completely clean the host computer. On the larger IRC networks such as EFnet channel activity is logged in order to learn the commands, and then automated systems are setup to prevent the owner of the botnet from accessing them and at the same time perform the removal command when a bot comes online to it's control channel.<br />
<br />
== How to Fight Botnets ==<br />
===Norton Anti-Bot===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|<br />
'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. It is behavioral based, versus the usual signature based. What this means is unless the bot software actually does something, Norton will leave it alone. It has all the benefits of a commercial software, meaning it will be updated constantly as new bot definitions are found.<br />
===General Tips===<br />
Use common malware prevention techniques. On Windows XP this includes monitoring the process manager and registry for unknown applications. <br><br />
<br />
A better user could also monitor network traffic and see what ports are in use. A good indication is TCP port 6667 open when an IRC client is not running.<br />
== References ==<br />
[http://en.wikipedia.org/wiki/Botnet "Botnet"]<br><br />
== See Also ==<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet "Alternative Technologies for Ethernet"]<br><br />
[http://www.cas.mcmaster.ca/wiki/index.php/Phishing "Phishing"]<br><br />
<br />
== External Links ==<br />
[http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"] <br><br />
[http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"] <br> <br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-10T23:15:22Z<p>Rosard: </p>
<hr />
<div>Each phase our world, had it's wealthiness such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealthiness has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. And this vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br><br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine (called Zombie computers), usually installed via worms, Trojan horses, or through Backdoors, under a common command-and-control infrastructure. These new installed malicious software (Most likely to exist in machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS) behaves like a “worm” process, capable of spreading though the infected machine and having the power to connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker(Bot Herder) full control of this machine though a remote communication channel.<br />
<br><br />
At this point, these infected machines can work only as tool used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain certain valuable information from users, or also, to integrate these Bot Clients to a much greater threat and risk, such as a Botnet.<br />
<br><br />
== Botnet? What is it?? How it work??? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of Bots integrate the zombie machines into a really powerful and sophisticated invasion technique of a mass control of a a network.<br />
<br><br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privilege. What have been Botnets being used for? Is the concept of Botnet Evil? What measurements are being taken to control this terrible plague?. On the following sections, this article will discuss ways to detain this astonishing threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality of computers of a network.<br />
<br><br />
== Hard to exterminate...why? ==<br />
A Botnet is adaptive; it can be designed to to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of the anti-viruses systems way more complex. Finding one component of a Botnet does not imply the nature of any other of the others components because the first component can choose to download from any number of modules to perform the functionality of each phase in the life cycle of a Botnet.<br />
It also casts doubt on the capability of anti virus software to claim that a system is clean when it encounters and cleans one component of a multi-component bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to get a zero day exploit is higher. We also have to put in consideration that one of the bot client modules is usually set to to make the anti-virus tool ineffective and prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they not only try to enable a perfect attack, but also a perfect own defense system.<br />
<br><br />
== How Big is the problem? ==<br />
On September of 2006 Symantec released a internet threat report which stated that during the six-month period from January to June 2006 Symantec observed 57,717 active bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active bot network computers. They also discovered that many bots were not<br />
usually detected until the Bot Herder had abandoned the computer which actually means that the actual number is much larger than what Symantec can report.<br />
<br><br />
===Scrumping===<br />
A bot stealing CPU cycles from the host computer. This can be used as a positive means if the botnet is configured to not automatically propagate into systems that do not want it. This is not commonly the case. This could be done on a school's network.<br />
== How it works ==<br />
A Botnet basically uses a command and control schema, the same as a military. Each bot has a chain of command that is part of. It distributes orders down the line that it receives from up top. This is beneficial in the fact that it can grow exponentially. This is the opposite of the cell schema that some malware uses, which is to split apart and never communicate once they become big enough. <br><br />
<br />
A bot installs itself onto a PC. It has various vectors to enter that PC that the Herder can set. It does this autonomously. It receives orders from a server that tell it what to do. An individual bot by itself is not that powerful. However an exponential number of bots performing the same action has a much more profound effect. <br><br />
<br />
The bot once installed camouflages itself from the system view. It installs a hidden IRC client. It tries to mask itself by maintaining a low profile by using as little system resources as possible until it receives orders. <br><br />
<br />
Due to the inherent weakness of a command and control scheme, once the higher level bots are compromised the effectiveness of the botnet can be severally reduced. If the main server is taken down, the entire botnet fails.<br />
<br />
== Attacks ==<br />
*DDoS<br />
*Spamming<br />
*Phishing <br />
===DDoS===<br />
A Distributed denial of Service attack. The bots flood a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his botnet by taking down the website, then he/she contacts the site in question and extorts them for money. <br />
===Spamming===<br />
A Herder can sell his botnet as a service to a spammer. This is beneficial to the spammer as he can have anonymous distribution of his messages. <br><br />
<br />
Due to the size of some botnets, a spammer will also be able to send much more messages via the bots then he normally could. This is another example of the exponential power of a botnet.<br />
<br />
===Phishing===<br />
Works the same way as the spamming method. However, instead of trying to sell a service such as "P3N15 3NLARGEMENT PILLS" the phisher is trying to con you out of your paypal or bank account.<br />
== Life Cycle == <br />
*Initial setup of configuration settings of the bot<br />
*Register a Dynamic DNS<br />
*Infect a PC with a bot<br />
**Bot propagates according to the configuration settings<br />
**Scans for vulnerabilities<br />
**Idle<br />
**Performs actions as received by other bots above it in the chain of command<br />
**Bot dies:<br />
***Bot may be taken over by another botnet<br />
***The bot's owner's PC realizes the PC is a zombie, kills the bot.<br />
***The chain of command may be compromised above the level.<br />
== Bot Management ==<br />
Bots commonly have hidden removal commands, to completely clean the host computer. On the larger IRC networks such as EFnet channel activity is logged in order to learn the commands, and then automated systems are setup to prevent the owner of the botnet from accessing them and at the same time perform the removal command when a bot comes online to it's control channel.<br />
<br />
== How to Fight Botnets ==<br />
===Norton Anti-Bot===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|<br />
'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. It is behavioral based, versus the usual signature based. What this means is unless the bot software actually does something, Norton will leave it alone. It has all the benefits of a commercial software, meaning it will be updated constantly as new bot definitions are found.<br />
===General Tips===<br />
Use common malware prevention techniques. On Windows XP this includes monitoring the process manager and registry for unknown applications. <br><br />
<br />
A better user could also monitor network traffic and see what ports are in use. A good indication is TCP port 6667 open when an IRC client is not running.<br />
== References ==<br />
[http://en.wikipedia.org/wiki/Botnet "Botnet"]<br><br />
== See Also ==<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet "Alternative Technologies for Ethernet"]<br><br />
[http://www.cas.mcmaster.ca/wiki/index.php/Phishing "Phishing"]<br><br />
<br />
== External Links ==<br />
[http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"] <br><br />
[http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"] <br> <br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-10T05:32:04Z<p>Rosard: </p>
<hr />
<div>Each phase our world, had it's wealthiness such it has been with gold, commerce, industry and others on the last centuries. On this XXI century, the main wealthiness has been around information, and the spread of it. This information has been the key structure of our world's society, economy, health, development and others. And this vast information sea has been spread though the internet network, which evolved into a magnificent tool of knowledge power on the latest years. Unfortunately, malicious intentioned people have been using this consistent tool for the spread of threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank accounts user names & passwords, confidential & military information or even CPU power to the increase of the spread of these threats. One powerful way of this spread, has been though Bots that integrate Botnets, which are the main focus on this research. This security breach has been one of the newest and most powerful threats relating to computer security within the last 5 years.<br />
<br />
== Bot? What is it?? How it works???== <br />
A Bot is a type of malicious software that after successfully invading a machine through its running processes (Most likely machines that run on Windows OS (most used OS in the world), which don't have a file-user safe executing system like computers that run on Linux or Mac OS), behaves like a “worm” process capable of spreading though the infected machine and having the power to connect to a communication channel (IRC, Web Server or P2P Server), allowing the attacker(Bot Herder) full control of this machine though a remote communication.<br />
<br><br />
At this point, these infected machines can work only as tool that are used by the Bot Herders as they may please. Some of this malicious intentioned people use this Bot commanded machines to obtain information from uses, or also, to integrate these Bot Clients to a much greater threat and risk, such as the Botnets.<br />
<br />
== Botnet? What is it?? How it work? ==<br />
A Botnet consists of a Bot server connected to one or more Bot clients. This set of Bots, which are used for invasion of the clients are also being protected by their Bot Headers, and this integrate this invasion technique into a more powerful and a sophisticated way of a mass invasion of a network.<br />
<br><br />
This invasion technique has evolved not only to an illegal way of profit, but also to a way of violating people's information privilege. On the next sections, this article will focus on what measurements are being taken to control this terrible plague that is in some SPN's(Simple Private Networks) thoughout our internet. We have to detain this threat which has been vastly used as one effective malicious way of breaking into data integrity, availability and confidentiality on a network.<br />
<br />
*Bot<br />
*Bot Herder<br />
*Zombie<br />
*Scrumping<br />
<br />
===Bot===<br />
<br />
A Bot is short for robot. In the context of this wiki page a bot is a malicious program that installs itself unbeknownest to the owner of the pc, sets up an IRC or HTTP server and is ready to perform illegal activities.<br />
===Herder===<br />
A person who controls all the bots in the botnet.<br />
===Zombie===<br />
An infected computer.<br />
===Scrumping===<br />
A bot stealing CPU cycles from the host computer. This can be used as a positive means if the botnet is configured to not automatically propagate into systems that do not want it. This is not commonly the case. This could be done on a school's network.<br />
== How it works ==<br />
A Botnet basically uses a command and control schema, the same as a military. Each bot has a chain of command that is part of. It distributes orders down the line that it receives from up top. This is beneficial in the fact that it can grow exponentially. This is the opposite of the cell schema that some malware uses, which is to split apart and never communicate once they become big enough. <br><br />
<br />
A bot installs itself onto a PC. It has various vectors to enter that PC that the Herder can set. It does this autonomously. It receives orders from a server that tell it what to do. An individual bot by itself is not that powerful. However an exponential number of bots performing the same action has a much more profound effect. <br><br />
<br />
The bot once installed camouflages itself from the system view. It installs a hidden IRC client. It tries to mask itself by maintaining a low profile by using as little system resources as possible until it receives orders. <br><br />
<br />
Due to the inherent weakness of a command and control scheme, once the higher level bots are compromised the effectiveness of the botnet can be severally reduced. If the main server is taken down, the entire botnet fails.<br />
<br />
== Attacks ==<br />
*DDoS<br />
*Spamming<br />
*Phishing <br />
===DDoS===<br />
A Distributed denial of Service attack. The bots flood a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his botnet by taking down the website, then he/she contacts the site in question and extorts them for money. <br />
===Spamming===<br />
A Herder can sell his botnet as a service to a spammer. This is beneficial to the spammer as he can have anonymous distribution of his messages. <br><br />
<br />
Due to the size of some botnets, a spammer will also be able to send much more messages via the bots then he normally could. This is another example of the exponential power of a botnet.<br />
<br />
===Phishing===<br />
Works the same way as the spamming method. However, instead of trying to sell a service such as "P3N15 3NLARGEMENT PILLS" the phisher is trying to con you out of your paypal or bank account.<br />
== Life Cycle == <br />
*Initial setup of configuration settings of the bot<br />
*Register a Dynamic DNS<br />
*Infect a PC with a bot<br />
**Bot propagates according to the configuration settings<br />
**Scans for vulnerabilities<br />
**Idle<br />
**Performs actions as received by other bots above it in the chain of command<br />
**Bot dies:<br />
***Bot may be taken over by another botnet<br />
***The bot's owner's PC realizes the PC is a zombie, kills the bot.<br />
***The chain of command may be compromised above the level.<br />
== Bot Management ==<br />
Bots commonly have hidden removal commands, to completely clean the host computer. On the larger IRC networks such as EFnet channel activity is logged in order to learn the commands, and then automated systems are setup to prevent the owner of the botnet from accessing them and at the same time perform the removal command when a bot comes online to it's control channel.<br />
<br />
== How to Fight Botnets ==<br />
===Norton Anti-Bot===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|<br />
'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. It is behavioral based, versus the usual signature based. What this means is unless the bot software actually does something, Norton will leave it alone. It has all the benefits of a commercial software, meaning it will be updated constantly as new bot definitions are found.<br />
===General Tips===<br />
Use common malware prevention techniques. On Windows XP this includes monitoring the process manager and registry for unknown applications. <br><br />
<br />
A better user could also monitor network traffic and see what ports are in use. A good indication is TCP port 6667 open when an IRC client is not running.<br />
== References ==<br />
[http://en.wikipedia.org/wiki/Botnet "Botnet"]<br><br />
== See Also ==<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet "Alternative Technologies for Ethernet"]<br><br />
[http://www.cas.mcmaster.ca/wiki/index.php/Phishing "Phishing"]<br><br />
<br />
== External Links ==<br />
[http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"] <br><br />
[http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"] <br> <br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/BotnetsBotnets2009-04-10T03:37:21Z<p>Rosard: Botnets moved to Bots & Botnets</p>
<hr />
<div>#REDIRECT [[Bots & Botnets]]</div>Rosardhttp://wiki.cas.mcmaster.ca/index.php/Bots_%26_BotnetsBots & Botnets2009-04-10T03:37:21Z<p>Rosard: Botnets moved to Bots & Botnets</p>
<hr />
<div>A Botnet is a collection of infected computers that can be used to attack organizations and distribute illegal information due to the sheer number of computers that is contained within them. Botnets are hard to prevent as the computers that become bots usually bear no resemblance in their locations in the physical world. <br><br />
<br />
They are a major threat to computing, due to the sheer amount of computers that can be controlled. In 2005 the Dutch police shut down a botnet that controlled 1.5 million computers. 1.5 million computers could shut down any website in the world if they all attempted to access its services at the same time. <br />
== Definitions == <br />
*Bot<br />
*Herder<br />
*Zombie<br />
*Scrumping<br />
<br />
===Bot===<br />
<br />
A Bot is short for robot. In the context of this wiki page a bot is a malicious program that installs itself unbeknownest to the owner of the pc, sets up an IRC or HTTP server and is ready to perform illegal activities.<br />
===Herder===<br />
A person who controls all the bots in the botnet.<br />
===Zombie===<br />
An infected computer.<br />
===Scrumping===<br />
A bot stealing CPU cycles from the host computer. This can be used as a positive means if the botnet is configured to not automatically propagate into systems that do not want it. This is not commonly the case. This could be done on a school's network.<br />
== How it works ==<br />
A Botnet basically uses a command and control schema, the same as a military. Each bot has a chain of command that is part of. It distributes orders down the line that it receives from up top. This is beneficial in the fact that it can grow exponentially. This is the opposite of the cell schema that some malware uses, which is to split apart and never communicate once they become big enough. <br><br />
<br />
A bot installs itself onto a PC. It has various vectors to enter that PC that the Herder can set. It does this autonomously. It receives orders from a server that tell it what to do. An individual bot by itself is not that powerful. However an exponential number of bots performing the same action has a much more profound effect. <br><br />
<br />
The bot once installed camouflages itself from the system view. It installs a hidden IRC client. It tries to mask itself by maintaining a low profile by using as little system resources as possible until it receives orders. <br><br />
<br />
Due to the inherent weakness of a command and control scheme, once the higher level bots are compromised the effectiveness of the botnet can be severally reduced. If the main server is taken down, the entire botnet fails.<br />
<br />
== Attacks ==<br />
*DDoS<br />
*Spamming<br />
*Phishing <br />
===DDoS===<br />
A Distributed denial of Service attack. The bots flood a web server with ICMP requests causing the server to crash. This can be used as a method of extortion from various websites. The herder demonstrates the power of his botnet by taking down the website, then he/she contacts the site in question and extorts them for money. <br />
===Spamming===<br />
A Herder can sell his botnet as a service to a spammer. This is beneficial to the spammer as he can have anonymous distribution of his messages. <br><br />
<br />
Due to the size of some botnets, a spammer will also be able to send much more messages via the bots then he normally could. This is another example of the exponential power of a botnet.<br />
<br />
===Phishing===<br />
Works the same way as the spamming method. However, instead of trying to sell a service such as "P3N15 3NLARGEMENT PILLS" the phisher is trying to con you out of your paypal or bank account.<br />
== Life Cycle == <br />
*Initial setup of configuration settings of the bot<br />
*Register a Dynamic DNS<br />
*Infect a PC with a bot<br />
**Bot propagates according to the configuration settings<br />
**Scans for vulnerabilities<br />
**Idle<br />
**Performs actions as received by other bots above it in the chain of command<br />
**Bot dies:<br />
***Bot may be taken over by another botnet<br />
***The bot's owner's PC realizes the PC is a zombie, kills the bot.<br />
***The chain of command may be compromised above the level.<br />
== Bot Management ==<br />
Bots commonly have hidden removal commands, to completely clean the host computer. On the larger IRC networks such as EFnet channel activity is logged in order to learn the commands, and then automated systems are setup to prevent the owner of the botnet from accessing them and at the same time perform the removal command when a bot comes online to it's control channel.<br />
<br />
== How to Fight Botnets ==<br />
===Norton Anti-Bot===<br />
[[Image:Norton_AntiBot.jpg|thumb|140px|right|<br />
'''Norton Anti-Bot''']]<br />
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. It is behavioral based, versus the usual signature based. What this means is unless the bot software actually does something, Norton will leave it alone. It has all the benefits of a commercial software, meaning it will be updated constantly as new bot definitions are found.<br />
===General Tips===<br />
Use common malware prevention techniques. On Windows XP this includes monitoring the process manager and registry for unknown applications. <br><br />
<br />
A better user could also monitor network traffic and see what ports are in use. A good indication is TCP port 6667 open when an IRC client is not running.<br />
== References ==<br />
[http://en.wikipedia.org/wiki/Botnet "Botnet"]<br><br />
== See Also ==<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Alternative_Technologies_for_Ethernet "Alternative Technologies for Ethernet"]<br><br />
[http://www.cas.mcmaster.ca/wiki/index.php/Phishing "Phishing"]<br><br />
<br />
== External Links ==<br />
[http://www.symantec.com/norton/products/overview.jsp?pcid=is&pvid=nab1 "Norton AntiBot"] <br><br />
[http://www.techweb.com/wire/security/172303160 "Dutch Botnet Suspects Ran 1.5 Million Machines"] <br> <br><br />
--[[User:SJakubowski|SJakubowski]] 23:17, 13 April 2008 (EDT)</div>Rosard