International Journal of Engineering Trends and Technology (IJETT) – Volume 9 Number 2 - Mar 2014

Analyzing Bot Family Behavior & its Detection

Punit Sharma#1, Sanjay Tiwari#2, Anchit Bijalwan#3, Emmanuel Pilli#4
#1,#2 Dept. of CSE, AIET Jaipur; #3 Dept. of CSE, UTU Dehradun; #4 Dept. of CSE, MNIT Jaipur

Abstract- Botnets have become one of the most significant threats to the Internet. A bot is an automated process that interacts with other network services. This paper examines the crime and analyzes the behaviour of various bots. We explain the life cycle phases: creation, infection, waiting and executing. The paper also includes related work on botnets, classifies existing bots into various categories and explains the terminology of particular bots. Based on an exhaustive survey we try to categorise the whole bot and the tools applied to it. The paper focuses on bot families and their detection techniques.

Keywords- C&C, IRC, IM, TTL

I. INTRODUCTION

Among all media of communication, the Internet is the most vulnerable to attacks owing to its public nature and the virtual absence of centralized control. Botnets have become one of the most significant threats to the Internet. The term bot is derived from the word 'robot'. A bot is an automated process that interacts with other network services. In its generic form the term describes a single script, a set of scripts or a program designed to perform predefined functions automatically and repeatedly after being triggered intentionally or through a system infection. A typical use of bots is to gather information, as web crawlers do, or to interact automatically with IM (Instant Messaging), IRC (Internet Relay Chat) or other web interfaces. They may also be used to interact dynamically with websites. Although bots originated as a useful feature for carrying out repetitive and time-consuming operations, they are now being exploited for malicious intent.
Bots that are used to carry out legitimate activities in an automated manner are called benevolent bots, and those meant for malicious intent are known as malicious bots. Benevolent bots, among various other activities, are used by search engines to spider online website content and by online games to provide virtual opponents. A 'botnet' is a network of compromised computers (bots) running malicious software, usually installed via all kinds of attacking techniques such as Trojan horses, worms and viruses [1]. Such zombie computers are remotely controlled by an attacker known as the botmaster [2][3]. Botnets with a huge number of computers have tremendous cumulative bandwidth and computing capability. They are exploited by botmasters for initiating various malicious activities, such as email spam, distributed DoS attacks, password cracking and key logging. Today, centralized botnets are still widely used. In a centralized botnet, bots connect to several servers (called C&C servers) to obtain commands. This architecture is easy to construct and efficient in distributing the botmaster's commands. Although the term botnet can be used to refer to any group of bots, such as IRC bots, it is generally used to refer to a collection of compromised machines running programs, usually referred to as worms, Trojan horses or backdoors, under a common command and control infrastructure. A botnet is built in two stages: bot creation and bot propagation.

Bot creation - This stage largely depends on the skills and requirements of the attacker, who may choose to write their own code or simply extend or customize an existing bot.
Bot propagation - In this stage vulnerable systems, and tools to exploit them, are located and then used to gain backdoor access to those systems, facilitating installation of the bot malware by uploading it or by commanding the victim machine to download a copy (Shannon & Moore, 2004). This infection stage uses various direct and indirect techniques to spread bot malware: attacks through software vulnerabilities, vulnerabilities caused by other infections, and social engineering through email, instant messaging and malicious web page content. Bot malware is also propagated through peer-to-peer networks, open file sharing and direct client-to-client file exchange.

This paper examines the crime and analyzes the behaviour of various bots. In Section II we discuss the background studies and explain the life cycle phases: creation, infection, waiting and executing. Section III covers related work specific to botnets. In Section IV we classify existing bots into various categories and explain the terminology of particular bots. Based on an exhaustive survey we try to categorise the whole bot and the tools applied to it. This paper focuses on bot families and their detection techniques.

II. BACKGROUND STUDIES

A. Life cycle of Botnet

Schiller et al. [4] have specified and detailed the life cycle in the phases mentioned below.

1. Creation. In this phase the bot master develops the malware software. In some cases existing software code is used and custom features are implemented to finalize the malware code. As part of testing and debugging, dry runs are performed on a test network before deploying the bot.

[Fig. 1 Life cycle of Botnet: Creation -> Infection -> Waiting -> Executing]

2. Infection. The life of a botnet client begins when it has been exploited.
A prospective bot client can be exploited via malicious code that the user is tricked into running, via attacks against un-patched vulnerabilities, through back doors left open by Trojan worms or remote access Trojans, and by password guessing and brute-force access attempts. Once a victim's machine becomes infected with a bot, it is known as a zombie. There are many possibilities for infecting victim computers, including the following eight:

• Software Vulnerabilities: The attacker exploits a vulnerability in a running service in order to gain access automatically and install his software without any user interaction. This method was used by most worms.

• Un-patched Vulnerabilities: To support spreading via attacks against un-patched vulnerabilities, most botnet clients include a scanning capability so that each client is able to expand the botnet. These scanning tools first check for open ports. They then take the list of systems with open ports and use vulnerability-specific scanning tools against those systems whose open ports are associated with known vulnerabilities.

• Drive-by download: The attackers host their files on a web server and entice people to visit the site. When the user loads a certain page, the software is installed automatically without user interaction, usually by exploiting browser bugs, misconfigurations or unsecured ActiveX controls.

• Trojan Horse: The attacker bundles his malicious software with seemingly benign and useful software such as screen savers, antivirus scanners or games. In this case the user is fully aware of the installation process but does not know about the hidden bot functionality.

• Email attachment: This is the less popular method. The attacker sends an attachment that installs the malware automatically when the user opens it, usually without any further interaction.
• Phishing emails: The user is lured or goaded to a web site that installs malicious code in the background, sometimes while convincing the user to hand over their bank user ID and password, account information and other such data.

• Spam: An instant message is sent to you by someone you know with a message like "You got to see this!" followed by a link to a web site that downloads and executes malicious code on the computer.

• Rallying: After infection, the bot starts up for the first time and attempts to contact its C&C server. The term C&C stands for "Command and Control", defined as the act of managing and tasking the botnet clients. In a centralized botnet this could be an IRC or HTTP server. In a decentralized P2P botnet, the bots perform a bootstrapping protocol required to locate other peers and join the network. Most bots are very fault-tolerant, holding multiple lists of backup servers to try if the primary ones become unavailable; this process is known as Calling Home. In other words, it is the moment when the botnet client initiates contact with the Botnet Command and Control (C&C) server. Rallying is the term used when a botnet client logs in to a C&C server for the first time. In this phase the new botnet client may request updates: updated exploit software, C&C server name lists, IP addresses and/or channel names. This ensures that the botnet client can be managed and can be recovered should the current C&C server be taken offline. The following steps secure the botnet from removal.

• Retrieve Anti-A/V Step: In order to secure the new client from removal, the botnet client requests the location of the latest anti-A/V tool from the C&C server. The controlled bot client downloads this software and executes it to remove the A/V tool, hide from it or render it ineffective.
Shutting down the A/V tool may raise suspicion if the user is observant. Some bot clients therefore run a DLL (dynamic link library) that neuters the A/V tool. With an anti-A/V DLL in place the A/V tool may appear to be working normally, except that it never detects or reports the files related to the botnet client. The bot may also change the Hosts file and LMHosts file so that attempts to contact an A/V vendor for updates will not succeed.

• Securing the Botnet: With this step the bot herder secures the botnet. The hacker might check what else is available on the machine. In some cases (e.g. an Rbot infection) the bot herder uses a batch file called find.bat, which tells the bot herder whether another hacker has been there before and where he or she put his or her tools on this client. It may also tell the bot herder about other things on the computer that could be useful.

3. Waiting. In this phase the botnet client has joined the C&C network, which relates to the connectivity and/or communication infrastructure. The bots wait for commands from the botmaster. During this time network traffic passes between the botnet victims and the C&C servers; in an IRC botnet this traffic consists mainly of periodic keep-alive messages from the server. Each botnet family has a set of commands that it supports.

4. Executing. Once the bot receives a command from the botmaster, it executes it and returns any results to the botmaster via the C&C network. Common commands, such as those in the following list, are in line with the major uses of botnets:

• Scanning for new victims.
• Sending spam.
• Sending DoS floods and setting up traffic redirection.
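The Retrieve Anti-A/V step above describes bots rewriting the Hosts and LMHosts files so that the A/V vendor's update servers can no longer be reached. The following Python script is an added example, not code from the paper or from any bot family it describes: it parses hosts-file text and flags entries that pin a security-vendor update domain to loopback, to an unspecified or private address, or to any fixed address at all. The vendor domain list, the sample hosts content and the function names (parse_hosts, find_sinkholed) are assumptions made for this illustration.

```python
"""Check hosts-file text for entries that sinkhole antivirus update domains.

Added example, not from the paper or from any bot family it describes.
The vendor domain list, the sample hosts content and the function names
are assumptions made for this illustration.
"""
import ipaddress
import re

# Constructed watch list of A/V update hosts a bot might pin locally.
AV_UPDATE_DOMAINS = {
    "update.example-av.com",
    "liveupdate.example-av.com",
    "download.example-av.com",
}

# address, one or more hostnames, optional trailing comment
HOSTS_LINE = re.compile(r"^(?P<ip>\S+)\s+(?P<names>.+?)\s*(?:#.*)?$")


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping blanks, comments and junk."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not a valid address, so not a hosts entry
        for name in m.group("names").split():
            yield ip, name.lower()


def find_sinkholed(text, watch=AV_UPDATE_DOMAINS):
    """Return (hostname, ip, reason) for every watched domain that is pinned.

    Pinning to loopback/unspecified (the classic Anti-A/V trick) or to a
    private address is reported with a specific reason; any other static
    pin is still reported, since update hosts should never be hard-coded.
    """
    findings = []
    for ip, name in parse_hosts(text):
        watched = name in watch or any(name.endswith("." + w) for w in watch)
        if not watched:
            continue
        if ip.is_loopback or ip.is_unspecified:
            reason = "pinned to loopback/unspecified"
        elif ip.is_private:
            reason = "pinned to private address"
        else:
            reason = "statically pinned"
        findings.append((name, str(ip), reason))
    return findings


# Constructed sample: two legitimate entries, two tampered ones, one unrelated.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.com   # added by malware
0.0.0.0         liveupdate.example-av.com
192.168.1.5     printserver.local
"""

if __name__ == "__main__":
    for name, ip, reason in find_sinkholed(SAMPLE_HOSTS):
        print(f"{name:28} -> {ip:10} {reason}")
```

To use it on a real system, read C:\Windows\System32\drivers\etc\hosts (Windows) or /etc/hosts and pass the contents to find_sinkholed; a clean file returns an empty list, and each finding names the pinned domain, the address it was pinned to and why that matters.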
III. RELATED WORK

Freiling et al. [5] observed that bot infection methods are almost the same as those of other classes of malware, which recruit vulnerable systems by exploiting software vulnerabilities, Trojan insertion and social engineering techniques that lead to the download of malicious bot code [6]. Bijalwan et al. [7] made an exhaustive survey on botnet forensics; the authors proposed an advanced approach to botnet detection and analysis and demonstrated a novel approach to botnet investigation and defence mechanisms. Thapliyal and Bijalwan et al. [8] proposed a generic framework specific to botnet forensics. Feily et al. [9] noted that botnet detection and tracking has been a major research topic in recent years, with various solutions proposed in malware research and academia. Y. W. Law et al. [10] collect digital traces from both the network and the physical memory of the infected network host and correlate this information to identify the resident botnet malware (host-based approach). Govil et al. [11] presented efforts to disseminate an understanding of botnets, their types and characteristics; the authors highlight various detection mechanisms to seek insight into their efficiency and the subsequent issues around botnets (criminology of botnets and their detection).

IV. CLASSIFICATION OF BOT FAMILIES

A. SDBot - The SDBot family of bots has been around for almost five years (since 2002) and has grown to include hundreds of variants and offshoots. These bots were developed as open source malware programs, which contributes to the longevity of this bot. The original SDBot author released the source code for the bot and included his contact information, thereby providing a means of public collaboration and evolution in order to continue developing and improving the code. SDBot relies on spreading itself primarily via network shares using blank or common passwords. Therefore, systems with solid security and more complex passwords will not be compromised by SDBot.
[Fig. 1 Classification of bot families: SDBot, RBot, Agobot, Spybot, Mytob, Hybot]

B. Agobot (aka Gaobot or Phatbot) - This malware was designed with modular functionality. The bot performs the infection process in three stages:

1. First, Agobot infects the computer with the bot client and opens a backdoor in order to allow the attacker to communicate with, and control, the machine.
2. The second phase attempts to shut down processes associated with antivirus and security programs.
3. The final phase tries to block access from the infected computer to various antivirus and security related web sites.

The modular approach makes sense from a design perspective because it allows the developer to update or modify one portion, or module, without having to rewrite or recompile the entire bot code.

C. Spybot - Spybot is an evolution of SDBot. The main difference between SDBot and Spybot is that Spybot adds a number of spyware-like capabilities such as keystroke logging, email address harvesting and monitoring of web surfing activity.

D. Mytob - The Mytob family of worms is an example of the converging world of malware. The originators of Mytob took a mass-mailing worm and combined it with bot functionality based on the SDBot family. This hybrid combination results in faster propagation and more compromised systems waiting for a bot herder to give them instructions.

E. Hybot - A botnet which recovers its C&C channel within a tolerable delay even when most of its critical resources are destroyed. Hybot [6] exploits a hybrid C&C structure, hybrid P2P and URL flux to ensure both robustness and effectiveness.

TABLE I
DESCRIPTION OF BOTS

| S.No. | Tool | Description |
|---|---|---|
| 1 | SDBot | SDBot is a worm that provides a remote attacker full access to the victim's computer. It uses the IRC protocol to establish a connection. |
| 2 | RBot | Rbot was the first of the bot families to use compression and encryption algorithms. |
| 3 | Agobot | Agobot, also frequently known as Gaobot, is a family of computer worms. Axel "Ago" Gembe, a German programmer, was responsible for writing the first version. |
| 4 | Spybot | Spybot is a large family of computer worms of varying characteristics. Although the actual number of versions is unknown, it briefly held the record for most variants. |
| 5 | Mytob | The Mytob family of worms is an example of the converging world of malware. The originators of Mytob took a mass-mailing worm and combined it with bot functionality based on the SDBot family. |
| 6 | Hybot | A botnet which recovers its C&C channel within a tolerable delay even when most of its critical resources are destroyed. |

TABLE II
ANALYSIS OF VARIOUS BOTS

| Bot family | McAfee alias | Symantec alias | Trend Micro alias | Kaspersky alias | Infection method / advantages | Sign: system folder of compromise | Unexpected traffic | Propagation |
|---|---|---|---|---|---|---|---|---|
| SDBot | IRC-SDBot | Backdoor.SDBot | BKDR_SDBot | Backdoor.IRC.SDBot | Shares insecure networks or uses known vulnerability exploits | Places a copy of itself in the system folder | Establishes an IRC connection via TCP port 6667 and port 7000 | Attempts to connect to administrative shares like PRINT, C, D, E, ADMIN or IPC |
| RBot | W32/SDbot.worm.gen.g | W32.Spybot.worm | Worm_R_Bot | Backdoor.RBot.gen | Exploits weak passwords and poor security | Copies itself into the System (C:\Windows\System32) directory | Establishes an IRC connection via TCP port 113 | Looks for open connections; scans on ports 139 and 445 |
| Agobot | W32/Gaobot.worm | W32.HLLW.Gaobot.gen | Worm_Agobot.Gen | Backdoor.Agobot.gen | Propagates using Peer to Peer (P2P) networking systems | Drops a copy of itself into the System folder on the target system | Opens backdoors on the infected systems and establishes communication with designated IRC servers | Attempts to spread malware via P2P networks |
| Spybot | W32/Spybot.worm.gen | W32.Worm.Spybot | Worm_Spybot.gen | Worm.P2P.SPYBot.Gen | Spreads via P2P networks | Places a copy of Bling.exe, Netwmom.exe or Wuamgrd.exe into the System folder | Connects to a designated IRC server | Looks for openly and poorly secured connections |
| Mytob | W32/Mytob.gen@MM | W32.Mytob@mm | Worm_Mytob.gen | NetWorm.Win32.Mytob.Gen | Arrives via email with some sort of file attachment | Places a copy (wfdmgr.exe) of itself into the System folder | Functionality comes from SDBot malware | Spreads via email |

TABLE III
BOTNET DETECTION TECHNIQUES

| S.No. | Detection technique | Unknown bot detection | Protocol & structure independent | Encrypted bot detection | Real-time detection | Low false positive |
|---|---|---|---|---|---|---|
| 1 | Anomaly based | NO | NO | NO | NO | NO |
| 2 | Signature based | YES | NO | YES | NO | YES |
| 3 | DNS based | YES | NO | YES | NO | YES |
| 4 | Mining based | YES | YES | YES | NO | YES |

B. Botnet Detection Techniques

According to the Survey of Botnet and Botnet Detection [5], botnet detection and tracking has been a major research topic in recent years, and different solutions have been proposed in malware research and academia.

1. Signature-based Detection: Binkley [7] proposed an anomaly-based algorithm for detecting IRC-based botnet meshes. Knowledge of useful signatures and the behaviour of existing botnets is useful for botnet detection. An Intrusion Detection System (IDS) monitors network traffic in order to find signs of intrusion. However, signature-based detection techniques can only be used for detection of known botnets.
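Tables II and III list the observable indicators per family (IRC connections on TCP 6667, 7000 and 113; scanning of TCP 139 and 445) and the properties of each detection technique. The Python block below is an added example and is not part of the paper: it runs a signature check, two anomaly checks and a DNS short-TTL check over constructed flow and DNS records, and goes slightly beyond the text by adding a periodicity check based on the keep-alive traffic described in the Waiting phase. The record layouts, addresses, domains, thresholds and function names are assumptions made for this illustration.

```python
"""Four small botnet-detection checks over constructed network records.

Added example, not from the paper. The indicator values (IRC ports,
share ports) come from Table II; record formats, addresses, domains,
thresholds and function names are assumptions for this illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed flow records: (seconds, src, dst, dst_port); 10.0.0.0/24 is internal.
FLOWS = [
    (0, "10.0.0.7", "203.0.113.9", 6667), (300, "10.0.0.7", "203.0.113.9", 6667),
    (600, "10.0.0.7", "203.0.113.9", 6667), (900, "10.0.0.7", "203.0.113.9", 6667),
    (5, "10.0.0.7", "10.0.0.21", 445), (5, "10.0.0.7", "10.0.0.22", 445),
    (6, "10.0.0.7", "10.0.0.23", 139), (6, "10.0.0.7", "10.0.0.24", 445),
    (7, "10.0.0.7", "10.0.0.25", 445), (7, "10.0.0.7", "10.0.0.26", 445),
    (12, "10.0.0.9", "198.51.100.4", 443), (13, "10.0.0.9", "10.0.0.3", 445),
    (40, "10.0.0.9", "198.51.100.4", 443),
]

# Constructed DNS records: (client, qname, ttl_seconds).
DNS = [
    ("10.0.0.7", "cc-rally.example.net", 60), ("10.0.0.7", "cc-rally.example.net", 60),
    ("10.0.0.9", "cdn.example-popular.com", 60), ("10.0.0.11", "cdn.example-popular.com", 30),
    ("10.0.0.9", "intranet.example.org", 86400),
]

IRC_PORTS = {6667, 7000, 113}      # "unexpected traffic" column of Table II
SHARE_PORTS = {139, 445}           # "propagation" column of Table II
SCAN_FANOUT = 5                    # distinct share targets before we call it scanning
BEACON_MIN = 4                     # connections needed before judging periodicity
SHORT_TTL = 300                    # seconds; at or below this a domain counts as short-TTL
POPULAR_ALLOWLIST = {"cdn.example-popular.com"}   # known legitimate short-TTL domains


def signature_irc(flows, ports=IRC_PORTS):
    """Signature-based: internal hosts connecting to known IRC C&C ports."""
    return sorted({src for _, src, _, port in flows if port in ports})


def anomaly_share_scan(flows, fanout=SCAN_FANOUT):
    """Anomaly-based: one host reaching many distinct peers on 139/445."""
    targets = defaultdict(set)
    for _, src, dst, port in flows:
        if port in SHARE_PORTS:
            targets[src].add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= fanout)


def anomaly_beacon(flows, min_conns=BEACON_MIN, jitter=0.1):
    """Anomaly-based: near-constant intervals to one peer, the keep-alive pattern."""
    times = defaultdict(list)
    for t, src, dst, port in flows:
        times[(src, dst, port)].append(t)
    hits = []
    for key, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        # every gap within +/- jitter of the mean means the peer is contacted periodically
        if mean > 0 and max(abs(g - mean) for g in gaps) <= jitter * mean:
            hits.append(key)
    return sorted(hits)


def dns_short_ttl(records, limit=SHORT_TTL, allow=POPULAR_ALLOWLIST):
    """DNS-based: domains whose median TTL is short; the allowlist removes the
    CDN-style false positives that short-TTL heuristics are known to produce."""
    ttls = defaultdict(list)
    for _, qname, ttl in records:
        ttls[qname].append(ttl)
    return sorted(q for q, v in ttls.items() if median(v) <= limit and q not in allow)


if __name__ == "__main__":
    print("IRC C&C ports    :", signature_irc(FLOWS))
    print("share scanning   :", anomaly_share_scan(FLOWS))
    print("periodic peers   :", anomaly_beacon(FLOWS))
    print("short-TTL (raw)  :", dns_short_ttl(DNS, allow=set()))
    print("short-TTL (allow):", dns_short_ttl(DNS))
```

Running it shows the trade-offs the tables describe: the signature check only fires because the ports are known in advance, the fan-out and periodicity checks need no protocol knowledge but depend on thresholds, and the raw short-TTL check flags the popular CDN-style domain until the allowlist removes it.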
2. Anomaly-based Detection: Wurzinger et al. [8] developed a system that generates signatures for the Bro IDS [9] from network traffic traces of bots. Anomaly-based detection techniques attempt to detect botnets based on several network traffic anomalies such as high network latency, high volumes of traffic, traffic on unusual ports and unusual system behaviour that could indicate the presence of malicious bots in the network. In anomaly detection, the goal is to find objects that differ from most other objects.

3. DNS-based Detection: DNS-based detection techniques rely on the particular DNS information generated by a botnet. They are similar to anomaly detection techniques, since similar anomaly detection algorithms are applied to DNS traffic. This technique generates many false positives through misclassification of legitimate and popular domains that use DNS with short time-to-live (TTL) values. DNS techniques are mostly useful for botnet tracking and measurement, to understand botnet technology and characteristics, but do not necessarily detect bot infection.

4. Mining-based Detection: One effective technique for botnet detection is to identify botnet C&C traffic. However, botnet C&C traffic is difficult to detect: since botnets use normal protocols for C&C communication, the traffic is similar to normal traffic. Therefore anomaly-based techniques are not useful for identifying botnet C&C traffic [5].

V. CONCLUSION

This paper is an exhaustive analysis of bot families. Based on an exhaustive survey we have tried to categorise the whole bot and the tools applied to it. We have also tried to focus on the various existing detection techniques and their behaviour, even though investigation techniques remain a challenge.

REFERENCES

[1] P. Wang, S. Sparks, and C. C. Zou, "An advanced hybrid peer-to-peer botnet," IEEE Transactions on Dependable and Secure Computing, vol. 7, no. 2, pp. 113-127.
[2] A. Ramachandran, N. Feamster, and D. Dagon, "Detecting botnet membership with DNSBL counterintelligence," Botnet Detection, pp. 131-142, 2008.
[3] E. Cooke, F. Jahanian, and D. McPherson, "The zombie roundup: Understanding, detecting, and disrupting botnets," in Proceedings of the USENIX SRUTI Workshop, 2005, p. 44.
[4] C. Schiller and J. R. Binkley, Botnets: The Killer Web Applications. Syngress, 2011.
[5] F. C. Freiling, T. Holz, and G. Wicherski, Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks. Springer, 2005.
[6] A. Ramachandran and N. Feamster, "Understanding the network-level behavior of spammers," ACM SIGCOMM Computer Communication Review, 2006, pp. 291-302.
[7] A. Bijalwan, M. Thapaliyal, E. S. Pilli, and R. C. Joshi, "Survey and Research Challenges of Botnet Forensics," International Journal of Computer Applications, vol. 75, 2013.
[8] M. Thapliyal, A. Bijalwan, N. Garg, and E. S. Pilli, "A Generic Process Model for Botnet Forensic Analysis," in Proceedings of the Conference on Advances in Communication and Control Systems-2013, 2013.
[9] M. Feily, A. Shahrestani, and S. Ramadass, "A survey of botnet and botnet detection," 2009, pp. 268-273.
[10] F. Y. W. Law, K. P. Chow, P. K. Y. Lai, and H. K. S. Tse, "A Host-Based Approach to BotNet Investigation?" in Digital Forensics and Cyber Crime, vol. 31, S. Goel, O. Akan, P. Bellavista, J. Cao, F. Dressler, D. Ferrari, M. Gerla, H. Kobayashi, S. Palazzo, S. Sahni, X. Shen, M. Stan, J. Xiaohua, A. Zomaya, and G. Coulson, Eds. Springer Berlin Heidelberg, 2009, pp. 161-170.
[11] J. Govil and G. Jivika, "Criminology of BotNets and their detection and defense methods," in 2007 IEEE International Conference on Electro/Information Technology, 2007, pp. 215-220.
[12] P. Wurzinger, L. Bilge, T. Holz, J. Goebel, C. Kruegel, and E. Kirda, "Automatically generating models for botnet detection," Computer Security – ESORICS 2009, pp. 232-249, 2009.