A botnet (robot network) is a large number of compromised computers that are used to create and send spam or viruses, or to flood a network with messages as a denial-of-service attack. Each computer is compromised via a Trojan that often works by opening an Internet Relay Chat (IRC) channel that waits for commands from the person in control of the botnet. A botnet is also known as a “zombie army”.
The term botnet is derived from the idea of bot networks. In its most basic form, a bot is simply an automated computer program, or robot. In the context of botnets, bots refer to computers that can be controlled by one, or many, outside sources. An attacker usually gains control by infecting the computers with a virus or other malicious code that gives the attacker access. A computer may be part of a botnet even though it appears to be operating normally.
Zombie Network
A zombie is a computer that has been infected by a piece of malicious software such as a Trojan horse or another type of malware. Once infected, the zombie’s sole purpose is to perform a malicious task on behalf of the attacker. Zombies can be used to bring down corporate networks and websites, and to send mass amounts of spam to individual users.
Put simply, a zombie is a computer containing a hidden software program that enables the machine to be controlled remotely, usually to perform an attack on another computer.
A ‘bot’ is a type of malware which allows an attacker to gain complete control over the affected computer. There are literally tens of thousands of computers on the Internet which are infected with some type of ‘bot’, and their owners don’t even realize it.
Attackers are able to access lists of ‘zombie’ PCs and activate them to help execute DoS (denial-of-service) attacks against Web sites, host phishing Web sites, or send out thousands of spam email messages. Should anyone trace the attack back to its source, they will find an unwitting victim rather than the true attacker.
Crackers transform computers into zombies by using small programs that exploit weaknesses in a computer’s operating system.
In order to infect a computer, the cracker must first get the installation program to the victim. Crackers can do this through e-mail, peer-to-peer networks or even a regular Web site. Once the victim receives the program, he has to activate it. The activated program then attaches itself to an element of the user’s operating system so that every time the user turns on his computer, the program becomes active. The program either contains specific instructions to carry out a task at a particular time, or it allows the cracker to directly control the user’s Internet activity. Many of these programs communicate over Internet Relay Chat (IRC).
Mobile phones: the next target for botnet hackers
Mobile botnets have recently come to notice as viruses, worms, Trojans and spyware target the mobile platform. Mobiles seem set to overtake desktop and laptop computers as the preferred way of connecting to the internet.
If no one has found a vulnerability in a particular mobile OS or application, it doesn’t mean that it is fully secure and doesn’t need to be updated.
At this point in time, most information stored on mobile devices is still synchronized with desktop PCs. This means that an attacker can still gain access to most confidential information, such as e-mail, by compromising a desktop machine. However, should the prediction that mobiles overtake desktops come to fruition, it is likely that some information would be stored exclusively on the mobile devices themselves. As the device is always available, it would make sense to store potentially sensitive calendar or password information purely on this device.
Vulnerability of mobile technology to mobile botnets
The vulnerability of mobile technologies and protocols to this new threat needs to be understood. Are they more or less protected than wired machines against the different components of these types of botnet-based attacks? To assess vulnerability, one would first need to consider a complete botnet implementation as an end-to-end system.
The use of botnets consists of four major components:
I. Infection of a machine with malicious botnet code.
II. Connection to the command and control channel set up by the attacker.
III. Downloading of a secondary payload on command of the attacker.
IV. Performing an attack or additional scanning and information gathering.
These events usually happen sequentially, with a loop between the attack execution and the command and control channel.
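Component II (the connection to an IRC command and control channel) is the stage a network defender can see from the outside. The script below is an added example, not code from the original article: it runs a simple detector over a constructed egress connection log (the log format, IP addresses, and thresholds are assumptions) and flags servers that many internal hosts join over IRC, or that speak IRC on a port where IRC is not expected.

```python
import re
from collections import defaultdict

# Constructed sample of an egress connection log (not real traffic).
# Fields: timestamp, internal source IP, external dst_ip:port, first payload line.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.9:6667 NICK bot-71832
2024-05-01T10:00:01 10.0.0.5 203.0.113.9:6667 JOIN #ctrl
2024-05-01T10:00:02 10.0.0.7 198.51.100.20:443 GET / HTTP/1.1
2024-05-01T10:00:05 10.0.0.8 203.0.113.9:6667 NICK bot-00419
2024-05-01T10:00:06 10.0.0.8 203.0.113.9:6667 JOIN #ctrl
2024-05-01T10:00:09 10.0.0.9 203.0.113.9:6667 NICK bot-55120
2024-05-01T10:00:10 10.0.0.9 203.0.113.9:6667 JOIN #ctrl
2024-05-01T10:00:12 10.0.0.3 192.0.2.44:8080 NICK bot-00033
2024-05-01T10:00:13 10.0.0.3 192.0.2.44:8080 JOIN #ctrl
2024-05-01T10:00:20 10.0.0.6 198.51.100.30:6667 NICK alice
2024-05-01T10:00:21 10.0.0.6 198.51.100.30:6667 JOIN #linux
"""

IRC_VERBS = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PONG)\b")  # client-side IRC commands
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697}              # ports where IRC is expected
LINE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (.*)$")

def parse_log(text):
    """Yield (src, dst, port, payload) tuples from the log format above."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            _ts, src, dst, port, payload = m.groups()
            yield src, dst, int(port), payload

def find_irc_c2(text, min_hosts=3):
    """Return {(dst, port): finding} for servers that look like IRC C2.
    Signals: IRC verbs in the payload, many internal hosts joining the same
    server, or IRC spoken on a non-IRC port."""
    hosts = defaultdict(set)      # server -> internal hosts talking IRC to it
    channels = defaultdict(set)   # server -> channels those hosts joined
    for src, dst, port, payload in parse_log(text):
        if not IRC_VERBS.match(payload):
            continue
        hosts[(dst, port)].add(src)
        if payload.startswith("JOIN "):
            channels[(dst, port)].add(payload.split()[1])
    findings = {}
    for server, srcs in hosts.items():
        reasons = []
        if len(srcs) >= min_hosts:
            reasons.append(f"{len(srcs)} internal hosts joined the same IRC server")
        if server[1] not in IRC_PORTS:
            reasons.append(f"IRC traffic on non-IRC port {server[1]}")
        if reasons:
            findings[server] = {"hosts": sorted(srcs),
                                "channels": sorted(channels[server]),
                                "reasons": reasons}
    return findings
```

A single user on a public IRC network (the last two lines of the sample) is left alone; the crowd of hosts on one server and the IRC session on port 8080 are reported.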
That’s why it is important that all mobile operating systems and applications have the ability to push security updates to mobile phones easily and automatically. Mobile operators need to be proactive in filtering possible threats or scams at the gateway level. Mobile users should exercise caution when installing applications on their phones and when opening links.
What Does a Botnet Do?
A botnet is nothing more than a tool; there are as many different motives for using them as there are people. The most common uses are criminally motivated (i.e. monetary) or destructive. A botnet can do anything you can imagine doing with a collection of networked computers. The possible uses for compromised hosts depend only on the imagination and skills of an attacker. Based on the data captured, the possible uses of botnets can be categorized as listed below.
· Distributed Denial-of-Service Attacks (DDoS)
· Spamming
· Sniffing Traffic & Keylogging
· Infecting New Hosts
· Identity Theft
· Attacking IRC Chat Networks
· Hosting of Illegal Software
· Google AdSense Abuse & Advertisement Addons
· Manipulating online polls
Distributed Denial-of-Service Attacks (DDoS)
Botnets are frequently used for Distributed Denial of Service attacks. An attacker can control a large number of compromised hosts from a remote workstation, exploiting their bandwidth and sending connection requests to the target host. Many networks have suffered from such attacks, and in some cases the culprits were found amongst the competition.
A DDoS attack is an attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services, by consuming the bandwidth of the victim network or overloading the computational resources of the victim system. In addition, the resources on the path are exhausted if the DDoS attack generates many packets per second. Each bot we have analyzed so far includes several different ways to carry out a DDoS attack against other hosts. Most commonly implemented, and also very often used, are TCP SYN and UDP flood attacks.
Attackers have spent a lot of time and effort on improving such attacks. They now use better techniques, which differ from traditional DDoS attacks: they let malicious users control a very large number of zombie hosts from a remote workstation.
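The two flood types named above leave distinct traces in flow data: a SYN flood shows up as many sources opening connections that never complete a handshake, a UDP flood as a packet count far above normal toward one target. The following is an added example, not code from the original article; it runs a detector over constructed flow summaries (the record format, IP addresses and thresholds are assumptions).

```python
from collections import defaultdict

# Constructed sample of flow summaries (not real traffic), one per line:
# proto src dst_ip:dport tcp_flags packets    (flags is "-" for UDP)
SAMPLE_FLOWS = """\
tcp 10.0.0.5 198.51.100.7:80 S 1
tcp 10.0.0.8 198.51.100.7:80 S 1
tcp 10.0.0.9 198.51.100.7:80 S 1
tcp 10.0.0.3 198.51.100.7:80 S 1
tcp 10.0.0.11 198.51.100.7:80 S 1
tcp 10.0.0.12 198.51.100.7:80 S 1
tcp 10.0.0.6 198.51.100.7:80 SPA 42
tcp 10.0.0.6 198.51.100.8:443 SPA 17
udp 10.0.0.5 198.51.100.9:53 - 900
udp 10.0.0.8 198.51.100.9:53 - 850
udp 10.0.0.9 198.51.100.9:53 - 910
udp 10.0.0.6 198.51.100.9:53 - 3
"""

def parse_flows(text):
    """Yield (proto, src, dst_ip, dport, flags, packets) from the format above."""
    for line in text.splitlines():
        proto, src, dst, flags, pkts = line.split()
        ip, port = dst.rsplit(":", 1)
        yield proto, src, ip, int(port), flags, int(pkts)

def detect_floods(text, min_sources=5, syn_ratio=0.8, udp_pkts=1000):
    """Return {(dst_ip, dport): description} for targets under a SYN or UDP flood.
    SYN flood: at least min_sources hosts sent SYN-only flows and they make up
    syn_ratio of all sources seen. UDP flood: total UDP packets >= udp_pkts."""
    syn_only = defaultdict(set)    # target -> sources whose flows never carried ACK
    completed = defaultdict(set)   # target -> sources that completed a handshake
    udp_total = defaultdict(int)
    udp_sources = defaultdict(set)
    for proto, src, ip, port, flags, pkts in parse_flows(text):
        tgt = (ip, port)
        if proto == "tcp":
            (completed if "A" in flags else syn_only)[tgt].add(src)
        elif proto == "udp":
            udp_total[tgt] += pkts
            udp_sources[tgt].add(src)
    alerts = {}
    for tgt, srcs in syn_only.items():
        total = len(srcs) + len(completed[tgt])
        if len(srcs) >= min_sources and len(srcs) / total >= syn_ratio:
            alerts[tgt] = (f"SYN flood: {len(srcs)} sources, "
                           f"{len(completed[tgt])} completed handshakes")
    for tgt, pkts in udp_total.items():
        if pkts >= udp_pkts:
            alerts[tgt] = f"UDP flood: {pkts} packets from {len(udp_sources[tgt])} sources"
    return alerts
```

The legitimate client 10.0.0.6 completes its handshakes and sends three DNS packets, so it does not tip either threshold on its own; the many-source pattern is what marks the traffic as distributed.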
Spamming
When you identify a spam source or phishing web site, you blacklist the IP address or contact the ISP, right? Wrong. Today’s spammers and phishers operate or rent botnets. Instead of sending spam from one source, today’s spammers send spam from multiple zombies in a botnet. Losing one zombie doesn’t affect the flow of spam to any great extent. Botnets are an ideal medium for spammers. They can be used, and are used, both for exchanging collected e-mail addresses and for controlling spam streaks in the same way DDoS attacks are performed. A single spam message can be sent to the botnet and then distributed across the bots, which send the spam. The spammer stays anonymous and all the blame goes to the infected computers.
Sniffing Traffic & Keylogging
Bots can also use a packet sniffer to watch for interesting clear-text data passing by a compromised machine.
Observing traffic data can reveal an incredible amount of information, including user habits and TCP packet payloads, which could contain interesting information such as passwords. The same applies to keylogging: capturing all the information typed in by the user, such as e-mails, passwords, home banking data, online shopping account info, etc.
If the compromised machine uses encrypted communication channels such as HTTPS or POP3S, then just sniffing the network packets on the victim’s computer is useless, since the key needed to decrypt the packets is missing. But most bots also offer features to help in this situation: with the help of a keylogger, it is very easy for an attacker to retrieve sensitive information.
Infecting New Hosts
Botnets often recruit new hosts using approaches similar to those of other malware. One of the methods that botnets use to compromise new hosts is social engineering and the distribution of malicious emails. In a common scenario, a botnet may distribute email messages with malware attached, or with an embedded link to a malware binary located elsewhere. Social engineering techniques are used to trick computer users into executing the malware, which leads to the compromise of their hosts.
Identity Theft
Attackers use botnets to collect an incredible amount of personal information. Such data can then be used to build fake identities, which can in turn be used to obtain access to personal accounts or to perform various operations while putting the blame on someone else.
Attacking IRC Chat Networks
Botnets are also used for attacks against Internet Relay Chat (IRC) networks, also called clone attacks. In this kind of attack, the controller orders each bot to connect a large number of clones to the victim IRC network. The victim is flooded by service requests from thousands of bots or by thousands of channel joins by these cloned bots. In this way, the victim IRC network is brought down, similar to a DDoS attack.
Hosting of Illegal Software
Bot-compromised computers can be used as a dynamic repository of illegal material such as pirated software. The data is stored on the disk of an unaware ADSL user. Bots alone are only tools, which can easily be adapted to every task that requires a great number of hosts under a single control.
Google AdSense abuse & Advertisement Addons
AdSense offers companies the possibility to display Google advertisements on their own website and earn money this way. An attacker can abuse this program by leveraging his botnet to click on these advertisements in an automated fashion and thus artificially increment the click counters. This type of botnet use is relatively uncommon, but not a bad idea from an attacker’s perspective.
Botnets can also be used to gain financial advantages in a related way. This works by setting up a fake website with some advertisements. The operator of this website negotiates a deal with some hosting companies that pay for clicks on ads. With the help of a botnet, these clicks can be “automated” so that instantly a few thousand bots click on the pop-ups. This process can be further enhanced if the bot hijacks the start page of a compromised machine so that the “clicks” are executed each time the victim uses the browser.
Manipulating Online Polls
Online polls are getting more and more attention, and it is rather easy to manipulate them with botnets. Since every bot has a distinct IP address, every vote will have the same credibility as a vote cast by a real person.