
BOTNETS

ABSTRACT
A botnet is a collection of compromised computers (called zombie computers) that can be controlled remotely by the person who created or operates the botnet, without the consent of the machines' actual users. Originally, botnets were created to run client programs remotely on systems within a network, but they are now used mainly for malicious purposes. Since the number of internet users grows day by day, it is necessary to be aware of these malicious programs beforehand. The main aim of this seminar is to make clear the importance of the security measures needed to counter these attacks. The Introduction defines the technical terms used throughout the seminar (botnet, bot, botmaster). The second section describes in detail the life cycle of a botnet: the spread phase, infection phase, command and control phase and attack phase. The third section analyses the attacks carried out by botnets and the evasive techniques they use to avoid detection.
The remaining sections discuss detection of botnets, prevention of botnet intrusion, and applications of botnets.

Contents
I. Introduction
II. Botnet Lifecycle
III. Analysis of Botnet
   1. Attacks made by a Botnet
   2. Evasion of bots from Scanning procedures
   3. Command & Control
IV. Botnet detection
V. Prevention of Botnet intrusion
VI. Application of Botnet
VII. Conclusion

INTRODUCTION
Software for malicious attacks and intrusions (malware) has evolved a great deal over the past several years. This evolution is driven primarily by the desire of the authors to elude improvements in network defense systems and to expand and enhance malware capabilities.

Bots originated as a useful tool without any significant malicious overtone: they were developed as a virtual user that could sit in an IRC channel and perform tasks while the real user was too occupied to do so. Soon after the release of the first IRC bot, worms that exploited vulnerabilities in IRC clients began to appear, and bots were turned to stealing passwords, logging keystrokes and hiding their own presence. A botmaster is the person who maliciously controls these infected systems from a remote location by passing commands through IRC (Internet Relay Chat).

This malware usually enters a system via USB media, hoaxes, spam or even the local network. The plug-and-play behaviour of USB devices contributes to the wide spread of botnets. Once the malware is on the system it typically drops further components, including information stealers. A hoax warns the user about a fake security threat or breach and makes them panic; the user is prompted to click through, and the bot installs itself while the user remains unaware of the hidden attack. Another common spreading method is spam: the messages carry a link to a compromised or malicious website, and if the user follows it the bot malware can enter the system without the user's consent. Finally, an infected host on a LAN can spread the malware to every other system connected to it.

Botnet Lifecycle
The botnet lifecycle includes four stages:
o Spread phase
o Infection phase
o Command and control
o Attack phase

Spread phase
A bot spreads through spam, web worms and also through downloads of malware that occur without the user's knowledge. Since the goal of the spread phase is to infect the system for the first time, bot herders either trick the user into installing the malware payload or exploit a vulnerability on the user's system, via applications or browsers, and thereby deliver the payload.

Infection phase:
Once on the system, the malware payload uses a variety of techniques to infect the machine and obfuscate its presence. Advances in bot infection capabilities include techniques for hiding the infection and for extending its life by targeting the anti-malware tools and services that would normally detect and remove it. Botnets employ many of the standard techniques used by viruses today; polymorphism and rootkits are two of the most common.

Command and control

Botnet C&C servers use one of several protocols to communicate, and the most common up to this point has been IRC. Recently, however, a trend towards the use of protected or hardened protocols has begun to emerge. Botnet software can take advantage of the local browser software for much of its functionality and communications stack, leveraging the ability of HTTPS to transit firewalls. Other techniques include the use of VoIP, web services and scripting within the HTTP communication stack. Another advanced technique uses a blind drop: a site on the internet such as a forum, bulletin board or newsgroup where users can leave anonymous messages. Botnet nodes post messages to these sites, and the bot herders anonymously check the messages from their nodes and post instructions in return. Social networking sites are primary targets for this kind of C&C.

Attack Phase
The final phase of the botnet life cycle is the attack phase. In its simplest form this is the distribution of spam that carries the infection; when the attack succeeds, the size of the botnet itself increases. Botnets have also been used to send spam as part of barter and rental deals, and to perform massive Distributed Denial of Service (DDoS) attacks.

Figure 1. Ref. [1]

ANALYSIS OF BOTNET
(1) Attacks made by a Botnet
A botnet causes a large number of problems, of which denial of service (DoS) is the most serious. The attacker gains the use of system resources while denying them to the intended users. When the compromised machines act together, multiple systems flood a single victim so that it can no longer serve anyone; in a nutshell, a whole network can be brought down starting from a single affected computer.

Botnets can also steal our passwords by logging keystrokes, which can then be used for many unauthorised activities. Whenever we type private passwords for internet transactions, they become available to the bot malware and can be misused for unauthorised transactions.

The situation becomes alarming when the malware spreads to every other system connected to our computer. It can also inject advertisements on our machine without the user's permission, and it allows the silent installation of further harmful software onto the system.

(2) Evasion of bots from Scanning procedures


Botnet creators use many strategies to prevent detection. Most anti-spyware, anti-virus and anti-malware tools try to detect threats by matching code against the signatures of known threats. Current botnets are capable of producing a uniquely encoded copy of their code for each system, so that no two infections share a signature. While a scan is in progress the malicious code may be kept dormant or disguised, so that it remains undetected. The entire executable can be encrypted and stored as a .jpeg or .zip file, types that antivirus programs often skip.

Most botnets are polymorphic by design, receive updates from the botmaster, and change their objectives on the botmaster's request. Once a bot enters your system it may disable the very software (anti-virus, anti-malware, etc.) intended to stop it. Some botnets install themselves into the Master Boot Record (MBR), which ensures that the system is compromised even before the operating system starts up.
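As an added example (not from the original seminar), the following Python script illustrates the signature-evasion point above and the call in the Conclusions for dynamic rather than static scanning. The "payload", the one-byte XOR packer and its "XOR1" header are constructed toys, not a real bot's code. Each copy is re-encoded with a fresh key, so a scanner that matches bytes as stored on disk never finds the signature, while a scanner that performs the unpacking step before matching catches every copy.

```python
"""Polymorphic re-encoding versus signature scanning (constructed example)."""
import os
from typing import Optional

# Constructed stand-in for the bot's code; a static scanner holds a slice of
# it as its signature.
PAYLOAD = b"CONNECT irc.example.invalid:6667 JOIN #botchan ; BEGIN DDOS"
SIGNATURE = b"JOIN #botchan"

# Toy packer layout (an assumption for this example): MAGIC | key byte | body
MAGIC = b"XOR1"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key (its own inverse)."""
    return bytes(b ^ key for b in data)


def make_variant(payload: bytes = PAYLOAD, key: Optional[int] = None) -> bytes:
    """Produce one polymorphic copy: same behaviour, different bytes on disk."""
    if key is None:
        # Random odd key: never 0, so the body always differs from the plaintext.
        key = int.from_bytes(os.urandom(1), "big") | 1
    return MAGIC + bytes([key]) + xor_bytes(payload, key)


def static_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Byte-pattern matching on the file exactly as stored."""
    return signature in sample


def dynamic_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Emulate the unpacking step, then match.

    Recognising the packer stub (here the MAGIC header) and running its
    decoder is what a dynamic or emulation-based scanner does instead of
    trusting the bytes on disk.
    """
    if sample.startswith(MAGIC) and len(sample) > len(MAGIC) + 1:
        key = sample[len(MAGIC)]
        decoded = xor_bytes(sample[len(MAGIC) + 1:], key)
        if signature in decoded:
            return True
    # Unpacked samples are still matched directly.
    return signature in sample


def scan_corpus(n: int = 20) -> dict:
    """Generate n variants and count how many each scanner catches."""
    variants = [make_variant() for _ in range(n)]
    return {
        "distinct_files": len(set(variants)),
        "static_hits": sum(static_scan(v) for v in variants),
        "dynamic_hits": sum(dynamic_scan(v) for v in variants),
    }


if __name__ == "__main__":
    print(scan_corpus())
```

The static scanner misses every re-encoded copy because the signature bytes never appear as stored; the emulating scanner recovers the original and matches each time. In practice the decoder stub itself (the MAGIC header here) becomes a useful signature, which is why real packers vary the stub as well.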

(3) Command & Control


The bot works for its botmaster by setting up an IRC client that connects to a server the botmaster controls; this enables the botmaster to command and control many infected systems at once from any device with an IRC client. The main disadvantage of IRC (and benefit for the botmaster) is that it usually offers little control over which clients may connect, and this weakness is misused for illegal activities. Although IRC servers record login times and IP addresses, the attacker usually connects through multiple proxies to remain untraceable.

Figure 2. Ref. [2]

Detection of a Botnet
Signs that a machine may be part of a botnet:
o Your computer runs slower than normal.
o Network activity shown in Task Manager is abnormally high most of the time.
o Your antivirus program shuts off by itself.
o Process Explorer shows a process that does not normally run on your computer. Run it and examine every process.

Prevention of spreading of Botnets

o IRC operators play a central role in stopping botnet traffic.
o Traffic fingerprinting is still useful for identification (for example, a CAPTCHA to separate humans from bots).
o Improve local security policy and authentication practices to prevent password-guessing attacks.
o Update all systems and verify that every system has accepted and installed the patches.
o Every Windows host needs a strong and active virus checker whose scope also covers spyware and adware.
o Law enforcement may be involved, especially if the incident is considered serious for legal or financial reasons.
o All outbound mail must go through the official mail servers, so that bot clients cannot spam the internet directly.
o Develop your sources of internal intelligence.
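As an added example (not part of the original seminar), the following Python script applies three of the ideas above to a constructed outbound-connection log: internal hosts that send SMTP directly instead of through the official mail server, an external IRC endpoint shared by several internal hosts (the rendezvous pattern described in the Command & Control section), and hosts whose connections to one endpoint recur at a fixed interval. The log lines, the 10.0.0.0/8 internal range and the relay address 10.0.0.25 are assumptions made for the example.

```python
"""Flagging bot-like behaviour in an outbound-connection log (constructed)."""
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")          # assumed internal range
OFFICIAL_MAIL_RELAYS = {"10.0.0.25"}         # assumed sanctioned outbound MTA
IRC_PORTS = {6667, 6697}

# Constructed log, one connection per line: "<epoch> <src> <dst> <dport>"
SAMPLE_LOG = """\
1000 10.0.1.5 203.0.113.9 6667
1060 10.0.1.5 203.0.113.9 6667
1120 10.0.1.5 203.0.113.9 6667
1180 10.0.1.5 203.0.113.9 6667
1005 10.0.1.7 203.0.113.9 6667
1065 10.0.1.7 203.0.113.9 6667
1125 10.0.1.7 203.0.113.9 6667
1010 10.0.2.3 203.0.113.9 6667
1070 10.0.2.3 203.0.113.9 6667
1200 10.0.1.5 198.51.100.20 25
1201 10.0.1.5 198.51.100.21 25
1300 10.0.3.9 10.0.0.25 25
1400 10.0.3.9 93.184.216.34 443
1700 10.0.3.9 93.184.216.34 443
"""


def parse(log: str):
    """Return (timestamp, src, dst, dport) tuples, skipping blank lines."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((int(ts), ip_address(src), ip_address(dst), int(dport)))
    return records


def direct_smtp_senders(records):
    """Internal hosts speaking SMTP to anything other than the official relay."""
    return sorted({str(src) for _, src, dst, dport in records
                   if dport == 25 and src in INTERNAL
                   and str(dst) not in OFFICIAL_MAIL_RELAYS})


def irc_rendezvous(records, min_hosts: int = 3):
    """External IRC endpoints that several internal hosts all connect to."""
    hosts = defaultdict(set)
    for _, src, dst, dport in records:
        if dport in IRC_PORTS and src in INTERNAL and dst not in INTERNAL:
            hosts[(str(dst), dport)].add(str(src))
    return {ep: sorted(h) for ep, h in hosts.items() if len(h) >= min_hosts}


def beaconing_hosts(records, min_conns: int = 3, max_jitter: float = 0.1):
    """(src, dst, dport, interval) where connections recur at a steady period.

    Jitter is the standard deviation of the gaps divided by their mean; a
    human-driven connection pattern rarely stays below 10%.
    """
    times = defaultdict(list)
    for ts, src, dst, dport in records:
        if src in INTERNAL and dst not in INTERNAL:
            times[(str(src), str(dst), dport)].append(ts)
    found = []
    for (src, dst, dport), ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            found.append((src, dst, dport, round(mean)))
    return sorted(found)


def report(log: str = SAMPLE_LOG) -> dict:
    """Run all three checks over a log and collect the findings."""
    records = parse(log)
    return {
        "direct_smtp": direct_smtp_senders(records),
        "irc_rendezvous": irc_rendezvous(records),
        "beacons": beaconing_hosts(records),
    }


if __name__ == "__main__":
    for name, finding in report().items():
        print(name, finding)
```

On the constructed log, 10.0.1.5 is flagged for mailing directly to the internet, three hosts share the same external IRC endpoint, and two of them check in every 60 seconds. The host using the official relay (10.0.3.9) and the two ordinary HTTPS connections are not flagged; tuning min_hosts, min_conns and max_jitter against real traffic is what makes such rules usable without drowning in false positives.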

Application of Botnets
Although we have been discussing the privacy and security problems caused by botnets, we should note that the same technology is also employed for defence surveillance projects, for example to spy on adversaries. Botnet-style software is also used to check that a network has no faults and to perform remote desktop computing. Botnets are also used for ethical hacking (with no personal gain), for example to recover passwords or to play games.

Conclusions
Continued improvement and diversification of malware make the task of securing networks against attacks and intrusions increasingly difficult. This seminar has tried to emphasise that current anti-malware strategies are ineffective against the current generation of botnets and malware. We must design scanning mechanisms based on dynamic profiling of executables instead of the current static modes. Since prevention is better than cure, it is best to practise secure internet browsing aided by at least an anti-virus program, an anti-malware program and a firewall.
