Botnet explanation

LabZero

Thread author


What is a Botnet ?



Botnets are networks of infected computers used to launch large-scale attacks. The main attacks related to the world of botnets are DDoS, spam and theft of personal data.

In the world of botnets there are two categories of actors: the botmaster, who through a command and control server (C&C) manages the network and directs the actions, and the bots (zombies), infected machines waiting for commands, which carry out attacks involuntarily.


Botnets can be divided into two classes, by architecture:


Centralized botnets.


The architecture is simpler: all bots are connected directly to the C&C. The C&C server manages the list of all infected machines and checks their status and their operational information. This type of botnet is extremely vulnerable: once the reverse engineering of a bot is done, you have all the information you need to take down the C&C and dismantle the network. There are some extensions to this structure, where multiple servers are used for command and control, but the advantages are negligible.


Decentralized (P2P) botnets.


In this case the bots are not necessarily connected to a C&C server; together they constitute a communication network in which commands are passed from zombie to zombie. Each node of the network is a bot, which communicates only with a list of "neighbour" nodes. In this case, to manage the botnet, access to at least one client is required. The strength of these schemes is the difficulty faced by anyone interested in dismantling the entire network: reverse engineering a single bot is no longer enough to identify all the computers involved, nor to dismantle the C&C server.

In parallel to the classification by architecture, we can differentiate bots by the protocol or method used to transmit data.


IM-oriented botnets.


To make communication easier (not having to implement a new communication protocol), some bots communicate through instant messaging services (ICQ, MSN, AOL, etc.); this scheme lends itself extremely well to being implemented in decentralized models.


Web-based (HTTP) botnets.


These are centralized architectures, where the C&C server is installed on a remote machine that responds to HTTP requests from the clients; the advantage of this design is that HTTP traffic is hardly ever detected as suspicious. A precaution often used is to route the traffic over HTTPS so that traffic analysis is more complex.


Web-service botnets.


These extend the concept of web-based botnets, using popular web services (pastebin, evernote, Flickr, ...) as the C&C server; this means the botmaster is never revealed, and the bots make requests that appear entirely legitimate to web services that are hard to filter or identify.


Botnets on social networks.


Same structure as IM-oriented botnets, but in this case social networks and web communications are used; the benefits are those of web-service botnets combined with the advantages of a distributed botnet.


Botnets via TOR.


In this case the anonymity provided by TOR is exploited to hide the traffic that is generated. The best add-on is the one in which a web-based botnet is implemented with the command and control server residing on a hidden service. In the latter implementation, dismantling the botnet is an extremely arduous task. One could foresee the future development of P2P botnet implementations through hidden services.



I'll explain the benefits and the critical points of each architecture type described earlier.


Centralized botnets.


This type of botnet has caught on due to the extreme simplicity of implementation, but this simplicity is a great weakness: as already seen, simply removing the central command and control server destroys the entire network structure. Among these we recognise IRC botnets and web-based ones.


P2P botnets.


This type of architecture is extremely durable. The first and most obvious critical point is that if the botmaster loses access to the P2P network, he may not be able to regain control of the botnet. The protocol must therefore be consolidated so that any bot can, subject to authentication (public/private key), send commands to the entire network.

If the list of "neighbours" is in the clear, or if there are ways to "find" the nodes in the network, attacks that require the enumeration of bots can be implemented. A first approach is to dismantle the network by going from peer to peer (highly unlikely in practice, but not impossible; just think of a business, where it becomes easy to locate the other compromised machines). P2P botnet attacks have been described and analysed that, through peer enumeration, allow sinkholing and partitioning methods; these two attacks make the entire network less effective or harmless, possibly going as far as excluding the botmaster from the network.


IM-oriented botnets.


The main difficulty, common to several other schemes, lies in installing an Instant Messaging client on the infected computer and then getting its outbound traffic through the victim's network. Blocking the bots is simple, since you just filter network traffic for that protocol; in particular, IM services are often filtered by default in business environments.


Web-service botnets and botnets on social networks.


The substantial advantage of these botnets comes from traffic that can hardly be detected or filtered. They also guarantee a good level of protection to the botmaster, who can hardly be identified since there is no direct interaction with the bots. The botnet structure can be dismantled relatively quickly if you have an enumeration of the accounts involved, by a request from the competent authorities to the provider of the service.


Botnets via TOR.


Here the advantages and vulnerabilities are closely tied to the resilience of hidden services, so any weakness in the TOR protocol can open the door to dismantling the botnet. The main disadvantages are installing TOR on the zombie computers and the possibility that traffic to the TOR relays is blocked.



In this thread I have covered the main types of botnet architectures and analysed, in general terms, the strengths and vulnerabilities of each of them. It is clear that by now these structures have become increasingly sophisticated, aiming to improve the resilience of the network and at the same time to reduce the detection rate; in my opinion, prevention with a user-oriented approach to security is the best solution.

Hello :)
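As an added illustration (this is not part of LabZero's post) of two points made above, the single point of failure of centralized botnets versus the durability of P2P ones, and the peer-enumeration and partitioning attacks mentioned for P2P botnets, the following Python script models both topologies as graphs and measures how far a botmaster's command still travels after takedowns. The P2P model (a ring of bots plus random extra neighbours) and the greedy "take down the best-connected bot" partition heuristic are simplifications assumed for this example, not a description of any real botnet's protocol.

```python
import random
from collections import deque


def build_centralized(n_bots):
    """Star topology: node 0 is the C&C server, every bot talks only to it."""
    adj = {0: set(range(1, n_bots + 1))}
    for bot in range(1, n_bots + 1):
        adj[bot] = {0}
    return adj


def build_p2p(n_bots, peers_per_bot, seed=1):
    """P2P topology: every bot is a node holding a 'neighbour' list.
    Constructed model (an assumption of this example): a ring guarantees
    connectivity, then random extra peers are added until each bot knows
    at least `peers_per_bot` neighbours. Links are symmetric."""
    rng = random.Random(seed)
    adj = {i: set() for i in range(n_bots)}
    for i in range(n_bots):
        nxt = (i + 1) % n_bots
        adj[i].add(nxt)
        adj[nxt].add(i)
    for i in range(n_bots):
        while len(adj[i]) < peers_per_bot:
            j = rng.randrange(n_bots)
            if j != i:
                adj[i].add(j)
                adj[j].add(i)
    return adj


def reachable(adj, start, removed=frozenset()):
    """Nodes a command injected at `start` reaches, skipping taken-down nodes (BFS)."""
    if start in removed or start not in adj:
        return set()
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for peer in adj[node]:
            if peer not in removed and peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


def command_reach(adj, entry, removed=frozenset()):
    """Fraction of surviving nodes that still receive a command injected at `entry`."""
    alive = [n for n in adj if n not in removed]
    if not alive:
        return 0.0
    return len(reachable(adj, entry, removed)) / len(alive)


def enumerate_from_seized_bot(adj, seized):
    """Peer enumeration: walk neighbour lists outward from one seized bot.
    This only works when the neighbour list is readable (in the clear, or
    recovered by reverse engineering), which is the precondition the post gives."""
    return reachable(adj, seized)


def largest_component(adj, removed=frozenset()):
    """Size of the largest connected fragment among the surviving nodes."""
    seen = set()
    best = 0
    for node in adj:
        if node in removed or node in seen:
            continue
        comp = reachable(adj, node, removed)
        seen |= comp
        best = max(best, len(comp))
    return best


def partition(adj, takedowns):
    """Partitioning attack: repeatedly sinkhole/take down the bot with the most
    live neighbours (a greedy heuristic chosen for this example) and return the
    removed set plus the size of the largest surviving fragment."""
    removed = set()
    for _ in range(takedowns):
        live = [n for n in adj if n not in removed]
        if not live:
            break
        victim = max(live, key=lambda n: len(adj[n] - removed))
        removed.add(victim)
    return removed, largest_component(adj, removed)


if __name__ == "__main__":
    star = build_centralized(50)
    print("centralized, C&C up:   reach", command_reach(star, 0))
    print("centralized, C&C down: reach", command_reach(star, 0, {0}))

    p2p = build_p2p(50, 4)
    print("p2p, injected at bot 0: reach", command_reach(p2p, 0))
    print("p2p, bot 0 taken down, re-entry via bot 1: reach", command_reach(p2p, 1, {0}))
    print("p2p, bots enumerated from one seized bot:", len(enumerate_from_seized_bot(p2p, 7)))
    removed, biggest = partition(p2p, 10)
    print("p2p, after 10 greedy takedowns: largest fragment", biggest, "of", 50 - len(removed))
```

Taking down the single C&C node drops the centralized network's command reach to zero, while in the P2P model the botmaster simply re-enters through another peer after losing one; on the other hand, once one bot's neighbour list is readable, the same walk that delivers commands enumerates every bot, and a handful of targeted takedowns is enough to fragment the network.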
 
