
Robot network

A botnet (robot network) is a large number of compromised computers that are used to create and send spam or viruses, or to flood a network with messages as a denial-of-service attack. Each computer is compromised via a Trojan that often works by opening an Internet Relay Chat (IRC) channel and waiting for commands from the person in control of the botnet. A botnet is also known as a "zombie army".

A botnet may be small or large depending on the complexity and sophistication of the bots used. A large botnet may be composed of ten thousand individual zombies; a small botnet, on the other hand, may be composed of only a thousand drones. Usually, the owners of the zombie computers do not know that their computers and their computers' resources are being remotely controlled and exploited by an individual or a group of malware runners through Internet Relay Chat (IRC).
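A bot that waits in an IRC channel for commands leaves a recognisable trace in connection logs: the same internal host reconnecting to the same external server on an IRC port, hour after hour. The following Python detector is an added example, not part of the essay; it parses constructed log lines in a hypothetical format and flags such persistent sessions (the log format, the RFC 1918 "internal" ranges and the thresholds are assumptions).

```python
"""Flag internal hosts that keep reconnecting to the same external IRC server.
Added example, not from the essay: parses constructed firewall-style connection
logs and reports persistent sessions to an IRC port on one external host."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in a hypothetical log format (assumption, not a real product):
# <epoch> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <duration_seconds>
SAMPLE_LOG = """\
1000 10.0.0.5:51234 -> 203.0.113.7:6667 3590
4600 10.0.0.5:51240 -> 203.0.113.7:6667 3600
8200 10.0.0.5:51250 -> 203.0.113.7:6667 3580
1200 10.0.0.9:44000 -> 198.51.100.20:443 12
1300 10.0.0.9:44001 -> 198.51.100.20:443 9
2000 10.0.0.7:50000 -> 203.0.113.7:6667 20
garbage line that should be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<src>[\d.]+):\d+ -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dur>\d+)$")
# IRC plaintext (6660-6669), IRC over TLS (6697) and the commonly used 7000.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
# RFC 1918 ranges stand in for "our network" (assumption for the example).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def parse_log(text):
    """Return (ts, src, dst, dport, duration) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((int(m["ts"]), m["src"], m["dst"], int(m["dport"]), int(m["dur"])))
    return records

def find_irc_c2_candidates(records, min_sessions=3, min_total_seconds=3600):
    """Group IRC-port sessions per (internal src, external dst); flag persistent pairs."""
    sessions = defaultdict(list)
    for _ts, src, dst, dport, dur in records:
        if dport in IRC_PORTS and is_internal(src) and not is_internal(dst):
            sessions[(src, dst)].append(dur)
    return {pair: {"sessions": len(d), "total_seconds": sum(d)}
            for pair, d in sessions.items()
            if len(d) >= min_sessions and sum(d) >= min_total_seconds}
```

On the sample, only 10.0.0.5 is reported: the single short IRC session from 10.0.0.7 and the HTTPS traffic from 10.0.0.9 stay below the thresholds, which is why session count and total duration are both required.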

There are various types of malicious bots that have already infected computers on the internet and continue to do so. Some bots have their own spreaders (the script that lets them infect other computers; this is why some people dub botnets computer viruses), while some smaller types of bots do not have such capabilities.

Bot Lifecycle

[Image: Bot Lifecycle]

Detecting Infected Machines


http://www.honeynet.org/node/53

http://www.techenclave.com/guides-and-tutorials/what-are-bots-introdcution-types-bots-5608.html

Different Types of Bots
  1. Agobot/Phatbot/Forbot/XtremBot: This is probably the best known bot. Currently, the AV vendor Sophos lists more than 500 known different versions of Agobot (Sophos virus analyses) and this number is steadily increasing. Agobot uses libpcap (a packet sniffing library) and Perl Compatible Regular Expressions (PCRE) to sniff and sort traffic.
  2. SDBot/RBot/UrBot/UrXBot/...: This family of malware is at the moment the most active one; currently seven derivatives appear on the "Latest 10 virus alerts".
  3. mIRC-based bots (GT-Bots): These bots launch an instance of the mIRC chat client with a set of scripts and other binaries.
  4. DSNX bots: The Dataspy Network X (DSNX) bot is written in C++ and has a convenient plugin interface. An attacker can easily write scanners and spreaders as plugins and extend the bot's features.
  5. Q8 bots: Q8bot is a very small bot, consisting of only 926 lines of C code. It has one additional noteworthy property: it is written for Unix/Linux systems. It implements all common features of a bot: dynamic updating via HTTP downloads, various DDoS attacks (e.g. SYN flood and UDP flood), execution of arbitrary commands, and many more.
  6. kaiten: The bot itself consists of just one file. Thus it is very easy to fetch the source code using wget and compile it on a vulnerable box using a script.
  7. Perl-based bots: There are many different versions of very simple bots based on the programming language Perl. These bots are very small, contain in most cases only a few hundred lines of code, and are used on Unix-based systems. Source: Know Your Enemy.

Tracking Botnets - Using honeynets to learn more about Bots

Here is a list of the most used bots on the internet today, with their features and command sets.

XtremBot, Agobot, Forbot, Phatbot

These are currently the best known bots, with more than 500 versions on the internet today. The bot is written in C++ with cross-platform capabilities, and its source code is released under the GPL. These bots range from the fairly simple to highly abstract module-based designs. Because of the modular approach, adding commands or scanners to increase its efficiency in taking advantage of vulnerabilities is fairly easy. It can use the libpcap packet sniffing library, NTFS ADS and PCRE. Agobot is quite distinct in that it is the only bot that makes use of other control protocols besides IRC.

UrXBot, SDBot, UrBot and RBot

Like the previous type of bot, these bots are published under the GPL, but unlike the bots mentioned above they are less abstract in design and written in rudimentary C. Although their implementation is less varied and their design less sophisticated, these types of bots are well known and widely used on the internet.

GT-Bots and mIRC based bots

These bots have many versions on the internet, mainly because mIRC is one of the most used IRC clients for Windows. GT stands for Global Threat and is the common name for bots scripted using mIRC. GT-bots make use of the mIRC chat client to launch a set of binaries (mainly DLLs) and scripts; their scripts often have the file extension .mrc.

What Does a Botnet Do?

A botnet can have a lot of malicious applications. Among the most popular uses of botnets are the following:

Distributed Denial-of-Service Attacks (DDoS)

Botnets are frequently used for Distributed Denial of Service attacks. An attacker can control a large number of compromised hosts from a remote workstation, exploiting their bandwidth and sending connection requests to the target host. Many networks have suffered from such attacks, and in some cases the culprits were found among competitors.

A DDoS attack is an attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services, by consuming the bandwidth of the victim network or overloading the computational resources of the victim system. In addition, the resources on the path are exhausted if the DDoS attack causes many packets per second. Each bot we have analyzed so far includes several different possibilities to carry out a DDoS attack against other hosts. Most commonly implemented, and also very often used, are TCP SYN and UDP flood attacks.

Attackers have spent a lot of time and effort on improving such attacks. They now use better techniques, which differ from traditional DDoS attacks and let malicious users control a very large number of zombie hosts from a remote workstation.
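The distinguishing feature of a botnet SYN flood, compared with a single attacker, is that the half-open handshakes arrive from many sources at once. The following Python classifier is an added example, not from the essay: it counts SYNs that never received a follow-up ACK per target from constructed packet records and labels each alert as distributed or single-source (the record format and the thresholds are assumptions).

```python
"""Classify TCP SYN floods from a packet summary.
Added example, not from the essay: counts half-open handshakes per target
from constructed client-side packet records and labels each alert as
distributed (many sources) or single-source."""
from collections import defaultdict

def make_sample():
    """Constructed packets: (src_ip, dst_ip, dst_port, tcp_flags), client side only."""
    pkts = []
    for i in range(40):                                   # 40 bots, one SYN each, no ACK
        pkts.append((f"203.0.113.{i + 1}", "192.0.2.10", 80, "S"))
    for i in range(3):                                    # real clients finish the handshake
        pkts.append((f"198.51.100.{i + 1}", "192.0.2.10", 80, "S"))
        pkts.append((f"198.51.100.{i + 1}", "192.0.2.10", 80, "A"))
    pkts.extend([("198.51.100.50", "192.0.2.12", 25, "S")] * 30)   # one host, 30 SYNs
    pkts.append(("198.51.100.9", "192.0.2.11", 443, "S"))          # normal, completed
    pkts.append(("198.51.100.9", "192.0.2.11", 443, "A"))
    return pkts

def classify_syn_flood(pkts, min_half_open=20, min_sources=10):
    """Return one alert per (target, port) whose half-open SYN count exceeds the threshold.

    Only client-to-server packets are expected; a server's SYN-ACK ("SA") would
    have to be filtered out by direction before calling this on a real capture.
    """
    syn_count = defaultdict(lambda: defaultdict(int))   # target -> src -> SYNs seen
    acked = defaultdict(set)                             # target -> srcs that sent an ACK
    for src, dst, dport, flags in pkts:
        key = (dst, dport)
        if flags == "S":
            syn_count[key][src] += 1
        elif "A" in flags:
            acked[key].add(src)
    alerts = []
    for key, per_src in syn_count.items():
        stale = {s: n for s, n in per_src.items() if s not in acked[key]}
        half_open = sum(stale.values())
        if half_open < min_half_open:
            continue
        kind = "distributed" if len(stale) >= min_sources else "single-source"
        alerts.append({"target": f"{key[0]}:{key[1]}", "half_open": half_open,
                       "sources": len(stale), "kind": kind})
    return sorted(alerts, key=lambda a: a["target"])
```

The "single-source" label is what a simple per-IP rate limit can handle; the "distributed" one is the botnet case the text describes, where each source stays under any per-IP threshold.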

Spamming

When you identify a spam source or phishing web site, you blacklist the IP address or contact the ISP, right? Wrong. Today's spammers and phishers operate or rent botnets. Instead of sending spam from one source, they send it from multiple zombies in a botnet, so losing one zombie does not affect the flow of spam to any great extent. Botnets are an ideal medium for spammers. They can be used, and are used, both for exchanging collected e-mail addresses and for controlling spam streams in the same way DDoS attacks are performed. A single spam message can be sent to the botnet and then distributed across the bots, which send the spam. The spammer stays anonymous and all the blame goes to the infected computers.

Sniffing Traffic & Keylogging

Bots can also use a packet sniffer to watch for interesting clear-text data passing by a compromised machine.

Observing traffic data can lead to the discovery of an incredible amount of information. This includes user habits and TCP packet payloads, which could contain interesting information such as passwords. The same applies to keylogging: capturing all the information typed in by the user, such as e-mails, passwords, home banking data, online shopping account information, etc.

If the compromised machine uses encrypted communication channels such as HTTPS or POP3S, then just sniffing the network packets on the victim's computer is useless, since the key needed to decrypt the packets is missing. But most bots also offer features to help in this situation: with the help of a keylogger it is very easy for an attacker to retrieve sensitive information.

Infecting New Hosts

Botnets often recruit new hosts using approaches similar to those used by other malware. One of the methods that botnets use to compromise new hosts is social engineering and the distribution of malicious emails. In a common scenario, a botnet may distribute email messages with malware attached, or perhaps an embedded link to a malware binary located elsewhere. Social engineering techniques are used to trick computer users into executing the malware, which leads to the compromise of the hosts.

Identity Theft

Attackers use botnets to collect an incredible amount of personal information. Such data can then be used to build fake identities, which can in turn be used to obtain access to personal accounts or perform various operations while putting the blame on someone else.

Attacking IRC Chat Networks

Botnets are also used for attacks against Internet Relay Chat (IRC) networks, in what is called a clone attack. In this kind of attack, the controller orders each bot to connect a large number of clones to the victim IRC network. The victim is flooded by service requests from thousands of bots, or by thousands of channel joins by these cloned bots. In this way, the victim IRC network is brought down, similar to a DDoS attack.

Hosting of Illegal Software

Bot-compromised computers can be used as a dynamic repository of illegal material such as pirated software. The data is stored on the disk of an unaware ADSL user. Bots alone are only tools, which can easily be adapted to every task that requires a great number of hosts under single control.

Google AdSense abuse & Advertisement Addons

AdSense offers companies the possibility to display Google advertisements on their own website and earn money this way. An attacker can abuse this program by leveraging his botnet to click on these advertisements in an automated fashion, artificially incrementing the click counters. This type of botnet use is relatively uncommon, but not a bad idea from an attacker's perspective.

Botnets can also be used to gain financial advantages. This works by setting up a fake website with some advertisements. The operator of this website negotiates a deal with some hosting companies that pay for clicks on ads. With the help of a botnet, these clicks can be "automated" so that instantly a few thousand bots click on the pop-ups. This process can be further enhanced if the bot hijacks the start page of a compromised machine, so that the "clicks" are executed each time the victim uses the browser.

Manipulating Online Polls

Online polls are getting more and more attention and it is rather easy to manipulate them with botnets. Since every bot has a distinct IP address, every vote will have the same credibility as a vote cast by a real person.

Zombie Network

A zombie is a computer that has been infected by a piece of malicious software such as a Trojan horse or another type of malware. Once infected, the zombie's sole purpose is to perform a malicious task on behalf of the attacker. Zombies can be used to bring down corporate networks and websites, and to send mass amounts of spam to individual users.

Simply put, a zombie is a computer containing a hidden software program that enables the machine to be controlled remotely, usually to perform an attack on another computer.

A 'bot' is a type of malware which allows an attacker to gain complete control over the affected computer. There are literally tens of thousands of computers on the Internet which are infected with some type of 'bot', and their owners don't even realize it.

Attackers are able to access lists of 'zombie' PCs and activate them to help execute DoS (denial-of-service) attacks against Web sites, host phishing Web sites or send out thousands of spam email messages. Should anyone trace the attack back to its source, they will find an unwitting victim rather than the true attacker.

Crackers transform computers into zombies by using small programs that exploit weaknesses in a computer's operating system.

In order to infect a computer, the cracker must first get the installation program to the victim. Crackers can do this through e-mail, peer-to-peer networks or even a regular Web site. Once the victim receives the program, he has to activate it. The activated program then attaches itself to an element of the user's operating system so that every time the user turns on his computer, the program becomes active. The program either contains specific instructions to carry out a task at a particular time, or it allows the cracker to directly control the user's Internet activity. Many of these programs work over Internet Relay Chat (IRC).

Mobile phones the next target for BotNet hackers

Recently, mobile botnets have come to notice as viruses, worms, Trojans and spyware target the mobile platform. Mobiles seem set to overtake desktop and laptop computers as the preferred way of connecting to the internet.

If no one has found a vulnerability in a particular mobile OS or application, that does not mean it is fully secure and does not need to be updated.

At this point in time, most information stored on mobile devices is still synchronized with desktop PCs. This means that an attacker can still gain access to most confidential information such as e-mail by compromising a desktop machine. However, should this prediction come to fruition, it would be likely that some information is exclusively stored on the mobile devices themselves. As the device is always available, it would make sense to store potentially sensitive calendar or password information purely on this device.

Vulnerability of mobile technology against mobile botnet

The vulnerability of mobile technologies and protocols against this new threat needs to be understood. Are they more or less protected than wired machines against the different components of these types of botnet-based attacks? In order to assess vulnerability, one would first need to consider a complete botnet implementation as an end-to-end system.

The use of botnets consists of four major components:

That is why it is important that all mobile operating systems and applications have the ability to push security updates to mobile phones easily and automatically. Mobile operators need to be proactive in filtering possible threats or scams at the gateway level. Mobile users should exercise caution when installing applications on their phones and when opening links.

Resolve the issues

