Botnets - Cameron University

Wesley Cawman, Won Yi
Evolving Security: Botnet Integration
IT 4444: IT Capstone
April 27, 2011
Table of Contents
Abstract
Introduction
Body
  1. Expansion of Internet Users
  2. Botnets
  3. Future Trends
  4. Proposed Uses
Conclusion / Future Work
References
Evolving Security: Botnet Integration
Wesley Cawman, Won Yi
Computing & Technology Department, Cameron University, Lawton, Oklahoma, USA
Abstract—If we want our systems to remain secure today, we have to secure them the same way our attackers are penetrating them. To do this, security has to evolve beyond what it is today: it has to step past the purely defensive realm into the offensive domain, using bots and botnets to secure our systems beyond anything we have done before.

Keywords: Security, Bots, Botnets

Introduction

In the past, the main player in securing computer systems has been humans aided by programs. This partnership has never been one where humans can set programs and forget them: the human has always been both the delegator and the main work force, while the programs merely execute the commands we give them. Why does securing our systems rely so heavily on the human factor, when those actively penetrating our systems rarely rely on humans to get the job done? Securing our systems against intruders can no longer be done the way it has always been done; that is no longer good enough.

This paper seeks to persuade security professionals to secure their systems offensively with the aid of bots and botnets, and also to persuade those defending the country through cyber warfare activities to add bots and botnets to their arsenal. Some recent inside sources suggest that those charged with deciding what cyber warfare is are having a hard time defining the term or their role in it. Cyber warfare grew out of what was once called information warfare, in which electronic communications and the Internet are used to disrupt a country's telecommunications, power supply, transport systems, and so on [21, 22, 23, 24]. Cyber warfare today can be defined as the use of computers and other devices to attack an enemy's information systems rather than its armies or factories [5, 7, 8, 25]. These definitions are vague, but they do suggest that the activity is conducted for the most part by humans against a nonhuman opponent. This would not be such a bad thing if we understood our role in cyber warfare, or if we were fighting human against human in cyberspace, but neither is true. We are currently fighting a battle in which we do not understand what we are supposed to do, and because of that we are fighting man against program and losing. General Keith Alexander of Cyber Command and others have noted that the United States significantly lacks the manpower to fend off a real cyber-attack against the homeland or its allies [11]. Even with more young men and women joining the Armed Forces to aid in this battle, no amount of manpower will ever be enough as long as we keep fighting man against program. A program does not need to eat or sleep; for this reason we need to begin fighting program against program, or in other words bot against bot.

The first section in the body of this paper looks at a few statistics on the alarming growth in the number of Internet users. The second looks at statistics about botnets and discusses their explosive growth in the last part of 2010; the bulk of that section covers the functions of bots and botnets, defines different types of bots, and looks at which attributes made the better-known bots successful. The body ends with a proposal for botnet prototypes to implement on both the offensive security front and the cyber warfare front. The paper concludes with suggestions for future work on "thinking outside of the box," "other things botnets can do," and "research for botnets on mobile devices."
1. Expansion of Internet Users

79.66% of the population of the United States accesses the Internet on a regular basis, around 247,890,434 of 311,185,581 people [1, 2]. Worldwide, 30.72% of the population accesses the Internet regularly, around 2,128,038,074 of 6,928,189,253 people [2, 3]. Even though the U.S. Internet user percentage is close to 80% in 2011, U.S. users make up only about 12% of all Internet users in the world [1, 2, 3, 17, 18, 19]. It is important to point out that regions with higher Internet user percentages tend to originate a larger share of attacks, threats and vulnerabilities than regions with fewer Internet users per capita. As such regions become more common, the total number of vulnerabilities cataloged will increase significantly [4, 10, 14].
Year | U.S. Pop.   | U.S. Users  | U.S. % Pop. | World Pop.    | World Users   | World % Pop. | U.S. Users of World Users
2000 | 281,421,960 | 124,000,000 | 44.06%      | 6,089,648,784 |   393,420,161 |  6.46%       | 31.52%
2001 | 285,317,559 | 142,823,008 | 50.06%      | 6,166,108,367 |   494,365,743 |  8.02%       | 28.90%
2002 | 288,368,698 | 167,196,688 | 58.19%      | 6,242,347,736 |   673,723,065 | 10.79%       | 24.82%
2003 | 290,809,777 | 172,250,000 | 59.23%      | 6,317,998,040 |   783,061,780 | 12.39%       | 22.00%
2004 | 293,271,500 | 201,661,159 | 68.76%      | 6,393,741,245 |   909,603,748 | 14.23%       | 22.17%
2005 | 296,507,061 | 203,824,428 | 68.74%      | 6,469,688,764 | 1,036,367,766 | 16.02%       | 19.67%
2006 | 299,398,484 | 207,970,356 | 69.46%      | 6,546,299,902 | 1,159,344,058 | 17.71%       | 17.94%
2007 | 301,967,681 | 212,080,135 | 70.23%      | 6,623,914,961 | 1,374,566,869 | 20.75%       | 15.43%
2008 | 303,824,646 | 220,141,969 | 72.46%      | 6,700,983,106 | 1,602,486,278 | 23.91%       | 13.74%
2009 | 307,232,863 | 227,719,000 | 74.12%      | 6,776,763,237 | 1,832,779,793 | 27.04%       | 12.42%
2010 | 310,232,863 | 239,810,003 | 77.30%      | 6,852,472,823 | 1,966,514,816 | 28.70%       | 12.19%
2011 | 311,185,581 | 247,890,434 | 79.66%      | 6,928,189,253 | 2,128,038,074 | 30.72%       | 11.65%
Internet User Comparison Chart [1, 2, 3, 17, 18, 19] (line chart of U.S. % Pop., World % Pop., and U.S. Users of World Users for 2000-2011, plotted from the table above; figure not reproduced)

2. Botnets

The word bot comes from robot and refers to an automated software program that performs specific tasks on a network with some degree of autonomy [9, 26]. From this basic design, bots can be crafted to perform beneficial and vital functions or destructive ones. A positive example is the spider bots [12] that Google and other search engines use to index web pages for searching and to keep their listings of those pages current. The SETI@home program [13] is a positive example of botnet usage: participants voluntarily install a client on their computers that uses spare processing resources when they become available to analyze radio telescope data for evidence of intelligent extraterrestrial life. More recently, however, bots and botnets have been used mostly for malicious purposes. Bots are installed without the consent or knowledge of the average user and assembled into networks of compromised computers (botnets) that are remotely and secretly controlled by one or more individuals, called bot-herders [9, 26]. It was estimated in 2008 that around one in four personal computers in the United States was infected by a botnet; such a machine can be used as a zombie computer to launch further attacks, send spam, host and distribute malware or other illegal files, or steal the identities of its users [9, 15, 26]. Today the estimate is closer to one in three computers around the globe infected with at least one bot, and in 2010 alone the number of unique botnet victims grew 654% between the beginning and the end of the year [6]. The popularity of always-on Internet services such as residential broadband has only assisted the spread of bots, creating larger botnets by the second, and it assures bot-herders that a large percentage of the computers in their botnets will be reachable at any given time.
Damballa Total Botnet Victim Growth in 2010 [6] (figure not reproduced)

Botnets have become the perfect base of operations for computer criminals [9]. Bot programs are designed to operate under the radar, without detectable evidence of their existence. Even the few paranoid security experts who notice whenever anything changes on their systems, and who always strive to keep them up to date and secure, may not stand a chance against becoming another botnet victim. Depending on the nature of the bot, the attacker may have almost as much control over the victim's computer as the victim has, or perhaps more [9]. Not only can bot-herders hold administrative privileges on their victims' computers; with those privileges they can remain in the background for years, keeping their bots up to date and operational against the latest security patches.

The botnets we experience today trace their origins to the first Internet Relay Chat (IRC) networks [9, 26]. IRC was designed as a real-time Internet chat protocol for many-to-many group communication. Its design centered on channels that users from around the world could join to communicate in a text-based discussion forum. Servers located around the world hosted numerous channels in these IRC networks, and users connected to any of them to communicate. Channels were administered by channel operators, who had the ability to block or eject disorderly users. To extend the basic functions of IRC, some channel operators developed automated scripts, or IRC bots, to assist with logging channel statistics, running games, and coordinating file transfers. As IRC networks became more popular, the number of users in the discussion forums grew, and so did the number of conflicts between them. The growing conflict often led users into battles for operator status on popular channels. IRC networks were designed so that once every designated operator had disconnected from a channel, another user on the channel would automatically be assigned operator status and gain full control of the channel. To seize control of popular channels, malicious users began writing scripts that came to perform some of the first denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks against IRC servers. Attackers would target the specific servers used by channel operators and use their DoS or DDoS scripts to force an operator offline; once the operator was gone, the attacker or someone else could take operator status. In time, the same bots that executed DoS or DDoS scripts against operators began executing the same scripts against targeted individual users [9].
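The IRC bot traffic described in this history, and the command-and-control pattern the paper turns to next (bots join a channel, idle, and answer the operator's commands), leaves a signature that a network sensor can look for. The following Python script is an added illustration written for this page; it is not code from the paper or from Damballa, and its sample capture, nick names, channel names and the ".sysinfo" command string are constructed for the example. It parses raw IRC lines and flags a channel where one speaker's message is answered within seconds by several different nicks with messages of the same shape:

```python
"""Detect IRC command-and-control fan-out in captured chat traffic.

Added example for this page, not code from the paper or from any product it
cites. Heuristic: humans in a channel talk in turns with irregular timing;
bots idle until the channel operator speaks, then many of them answer within
seconds with messages of the same shape. We look for that burst.
"""
import re
from collections import defaultdict

# Constructed capture: "<seconds> <raw IRC line as seen by a network sensor>".
# Nicks, hosts, channels and the ".sysinfo" command are invented for the example.
SAMPLE_CAPTURE = """\
900 :srv MODE #n3t +o opr
905 :b-7131!x@10.0.0.7 JOIN :#n3t
906 :b-0409!x@10.0.0.9 JOIN :#n3t
907 :b-5520!x@10.0.0.12 JOIN :#n3t
908 :b-8812!x@10.0.0.20 JOIN :#n3t
1000 :alice!a@h1 PRIVMSG #chat :did anyone see the game last night?
1000 :opr!u@h PRIVMSG #n3t :.sysinfo
1001 :b-7131!x@10.0.0.7 PRIVMSG #n3t :[sysinfo] win xp sp2 cpu 2.0ghz ram 512mb
1001 :b-0409!x@10.0.0.9 PRIVMSG #n3t :[sysinfo] win xp sp3 cpu 1.8ghz ram 1024mb
1002 :b-5520!x@10.0.0.12 PRIVMSG #n3t :[sysinfo] win xp sp2 cpu 3.0ghz ram 2048mb
1002 :b-8812!x@10.0.0.20 PRIVMSG #n3t :[sysinfo] win vista cpu 2.4ghz ram 2048mb
1004 :bob!b@h2 PRIVMSG #chat :yeah, what a finish
1011 :carol!c@h3 PRIVMSG #chat :missed it, who won?
1020 :alice!a@h1 PRIVMSG #chat :the home team, in overtime
"""

WINDOW_SECONDS = 10   # how soon after a command the replies must arrive (assumed)
MIN_RESPONDERS = 3    # distinct nicks answering with the same message shape (assumed)


def parse_irc(raw):
    """Split one raw IRC line into (prefix, command, params) per RFC 1459 framing."""
    prefix = None
    if raw.startswith(":"):
        prefix, _, raw = raw[1:].partition(" ")
    trailing = None
    if " :" in raw:                       # everything after the first " :" is one param
        raw, _, trailing = raw.partition(" :")
    parts = raw.split()
    cmd, params = parts[0].upper(), parts[1:]
    if trailing is not None:
        params.append(trailing)
    return prefix, cmd, params


def nick_of(prefix):
    """'nick!user@host' -> 'nick'; a bare server name is returned unchanged."""
    return prefix.split("!", 1)[0] if prefix else ""


def shape(text):
    """Normalise a message so replies that differ only in numbers compare equal."""
    return re.sub(r"\d+", "0", text.lower().strip())


def load_capture(capture):
    """Return [(t, nick, command, params)] for every non-empty capture line."""
    events = []
    for line in capture.splitlines():
        if not line.strip():
            continue
        t_str, _, raw = line.partition(" ")
        prefix, cmd, params = parse_irc(raw)
        events.append((int(t_str), nick_of(prefix), cmd, params))
    return events


def find_cnc_fanout(capture, window=WINDOW_SECONDS, min_responders=MIN_RESPONDERS):
    """Return one finding per (channel, command) that triggered a synchronised burst."""
    ops = defaultdict(set)     # channel -> nicks granted +o
    msgs = defaultdict(list)   # channel -> [(t, nick, text)]
    for t, nick, cmd, params in load_capture(capture):
        if cmd == "MODE" and len(params) >= 3 and "+o" in params[1]:
            ops[params[0]].add(params[2])
        elif cmd == "PRIVMSG" and len(params) == 2 and params[0].startswith("#"):
            msgs[params[0]].append((t, nick, params[1]))

    findings = []
    for chan, lines in msgs.items():
        lines.sort()
        for i, (t0, commander, text) in enumerate(lines):
            # replies from *other* nicks inside the window, grouped by message shape
            by_shape = defaultdict(set)
            for t, nick, reply in lines[i + 1:]:
                if t - t0 > window:
                    break
                if nick != commander:
                    by_shape[shape(reply)].add(nick)
            for reply_shape, responders in by_shape.items():
                if len(responders) >= min_responders:
                    findings.append({
                        "channel": chan,
                        "commander": commander,
                        "commander_is_op": commander in ops[chan],
                        "command": text,
                        "responders": len(responders),
                        "reply_shape": reply_shape,
                    })
    return findings


if __name__ == "__main__":
    for finding in find_cnc_fanout(SAMPLE_CAPTURE):
        print(finding)
```

Run as a script it prints the single finding for #n3t, where the operator's ".sysinfo" is answered within two seconds by three nicks whose replies share one shape; the human conversation in #chat, with its varied timing and wording, produces nothing. In practice this fan-out signal should be combined with other indicators (for instance the join-and-idle behaviour of the bot nicks), since a legitimate channel in which a helper bot answers a "!help" command could also produce a synchronised reply.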
Once attackers began targeting specific users, IRC bots developed one step further into the class of bots considered Command and Control (C&C) bots today. A C&C bot is first implanted on a user's system by means of malware [9, 26]. Once active, it secretly connects to a remote IRC server using its integrated client and waits for instructions. The attacker, serving as channel operator, can then command the bots to collect information from their victims' computers: operating system version and patch level, the computer name, user sign-in names, e-mail addresses, nicknames, and dial-up user names and passwords [9]. Over time this C&C technique was enhanced and led to more sophisticated bots with additional attack methods. The original IRC-based C&C functions are still seen in the majority of the current generation of IRC-based bots in operation, and are still quite effective. Another reason botnets are so attractive to cybercriminals is that they are an effective mechanism for covering the bot-herder's tracks: tracing the origin of an attack usually leads right back to the compromised computer of an innocent user, and investigators find it hard to proceed any further. Organizations such as Damballa Inc., however, are pioneering the fight against this kind of cybercrime. Damballa develops and deploys new C&C detection technologies that increase its ability to detect additional categories of stealthy botnet deployments [6]. As noted above, the second half of 2010 saw a rapid expansion in the total number of unique botnet victims. This arose from the rapid evolution of many popular botnet do-it-yourself (DIY) construction kits and the increased availability of feature-rich browser exploit packs, and because cybercriminals providing specialized malware distribution services became more proficient at installing bot agents on behalf of their customers, the botnet operators [6].

Botnets around the world today are said to be divided into two families. The first family consists of bots closely controlled by individual groups of attackers. The second consists of bots produced by malware kits. These kits range from freely available open-source kits to kits developed by individual groups and sold like legitimate commercial software products, some even with support agreements [9]. The existence of botnet kits makes it difficult for security researchers to estimate the exact number and size of botnets in operation: one variant of bot may not be controlled by a single individual or group but by an unknown number of separate botnets run by different people altogether, some of which may encompass only a handful of computers. This makes it hard for security professionals to pinpoint the core of the problem and remove the operator from these IRC-based botnets [9, 26].

3. Future Trends

Tim Wilson of Information Week predicts the following trends for botnets in the near future [20]. Consistent with the Damballa data, overall botnet activity picked up in the latter part of 2010, and because of the recent surge in DIY botnet kits, botnets are predicted to keep growing in size and severity. Large botnets will become more aggressive in capturing more computers to command at will, and Wilson predicts they will go so far as to attempt to steal computers from competing botnets. To hold as many computers as possible, these larger botnets will keep patching the computers they control to defend them from takeover by competitors. Because of the huge popularity of social networking sites, those sites will become command points for botnets. Programs similar to SETI@home will be developed in which users opt in their personal computing resources to take part in politically motivated botnet activity. And even the smaller botnets will become more effective and harder to detect as users continue to improve upon current open-source botnets [20].

4. Proposed Uses

In a 2008 paper presented at a USENIX symposium by researchers at the University of Washington, a new proposed use for friendly botnets arose [16]. The idea is comparable to how the military operates detached from the Internet while still filtering the intelligence it seeks from traffic moving across it. The proposal uses friendly computers in a botnet structure to protect servers and websites from outside threats. This "phalanx," as it is called, places a swarm of friendly computing systems in front of web sites and servers [16]. All communications intended for those sites and servers pass through this cluster of systems, and data is forwarded to the server only at the server's request.

With the phalanx in place, the idea is that it absorbs most of the traffic of an attempted DoS or DDoS attack, so that only a very small amount reaches the main server, which stays operational. The paper goes on to suggest that the computing power needed to fend off an attack need not come from systems the friendly server had to force into a botnet of its own, but rather from the vast computing resources at the disposal of the giant content delivery networks. Another avenue would be volunteers much like those of the SETI@home program, or even networks like BitTorrent, used to build good phalanx botnets to stop evil botnets.
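To make the pull model concrete, here is a toy simulation written for this page; it is an added example, not the paper's code and not the phalanx authors' implementation. It assumes, as a simplification the page does not state, that each legitimate client shares a secret with the server from an earlier setup step and that both sides derive the mailbox for request number k as HMAC(secret, k) mod N; attack traffic has no secret, so it lands in mailboxes the server never asks and is discarded at the end of each round. The server capacity, mailbox capacity and traffic volumes are arbitrary constants chosen for the illustration:

```python
"""Toy model of a phalanx of mailbox nodes in front of a server.

Added example for this page (not the paper's or the phalanx authors' code).
Assumption, mine and not stated on the page: each legitimate client holds a
secret shared with the server, and both derive the mailbox for request #k as
HMAC(secret, k) mod N. Flood packets have no secret, land in mailboxes the
server never asks, and are discarded when the round ends.
"""
import hashlib
import hmac
import random

SERVER_CAPACITY = 200    # requests the server can process per round (arbitrary)
MAILBOX_CAPACITY = 50    # packets one mailbox node holds during a round (arbitrary)


def mailbox_for(secret, seq, n_mailboxes):
    """Client and server both compute this; an attacker without the secret cannot."""
    mac = hmac.new(secret, seq.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % n_mailboxes


def simulate(legit_clients, attack_packets, rounds, n_mailboxes=None, seed=1):
    """Run `rounds` rounds; n_mailboxes=None means no phalanx (push model).

    Each round every legitimate client sends one request and the attacker
    sends `attack_packets`. Returns counts of legitimate requests sent and
    served and of attack packets that reached the server.
    """
    rng = random.Random(seed)
    secrets = {cid: hashlib.sha256(b"setup:%d" % cid).digest()
               for cid in range(legit_clients)}
    legit_sent = legit_served = attack_served = 0

    for rnd in range(rounds):
        arrivals = [("legit", cid) for cid in range(legit_clients)]
        arrivals += [("attack", i) for i in range(attack_packets)]
        rng.shuffle(arrivals)                  # flood and real users interleave
        legit_sent += legit_clients

        if n_mailboxes is None:
            # Push model: the server takes the first SERVER_CAPACITY arrivals, whoever sent them.
            for kind, _ in arrivals[:SERVER_CAPACITY]:
                if kind == "legit":
                    legit_served += 1
                else:
                    attack_served += 1
            continue

        # Pull model: packets wait in mailboxes; nothing reaches the server unasked.
        boxes = [{} for _ in range(n_mailboxes)]
        for kind, ident in arrivals:
            if kind == "legit":
                box, key = mailbox_for(secrets[ident], rnd, n_mailboxes), (ident, rnd)
            else:
                box, key = rng.randrange(n_mailboxes), ("junk", ident)
            if len(boxes[box]) < MAILBOX_CAPACITY:
                boxes[box][key] = kind         # a full mailbox drops the packet

        # The server asks each mailbox only for the keys it expects this round.
        for cid in range(min(legit_clients, SERVER_CAPACITY)):
            box = mailbox_for(secrets[cid], rnd, n_mailboxes)
            if boxes[box].pop((cid, rnd), None) is not None:
                legit_served += 1
        # Whatever is still sitting in the mailboxes is unclaimed flood; the nodes discard it.

    return {"legit_sent": legit_sent, "legit_served": legit_served,
            "attack_served": attack_served}


def served_fraction(result):
    """Share of legitimate requests that the server actually processed."""
    return result["legit_served"] / result["legit_sent"]


if __name__ == "__main__":
    for label, n in (("no phalanx", None), ("64 mailboxes", 64), ("512 mailboxes", 512)):
        r = simulate(legit_clients=100, attack_packets=5000, rounds=5, n_mailboxes=n)
        print(f"{label:14s} legit served {served_fraction(r):6.1%}  "
              f"attack packets reaching server {r['attack_served']}")
```

Running it compares three configurations: no phalanx, where the server takes whatever arrives first and legitimate users get a few percent of its capacity; 64 mailboxes, where most legitimate requests get through but a noticeable share is lost when a mailbox fills before they arrive; and 512 mailboxes, where every legitimate request is served and no attack packet reaches the server. The last case is the page's point about borrowing capacity from content delivery networks: absorbing a flood is a matter of having more mailboxes than the attacker can fill.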
When it comes to DDoS attacks, the best way to fend off the attack is to fight back with greater computational power. Several cybercriminal organizations today make vast sums of money by holding online gambling sites hostage under DDoS botnet attacks. A few have come to the aid of these victims and fought back successfully, but without an integrated system of good-botnet computing power, the criminals will simply come back for another ransom at a time when the leased computational power required to fend them off cannot be obtained.
It would appear that the phalanx idea is exactly what the Armed Forces have been using for years to protect themselves from outside threats, but for how long will even the untouchable remain free from this rapid expansion of new botnets? Good botnets can and should be used whenever possible to combat evil botnets, but that is just the start. Before our push to IPv6 there should be a complete reworking of certain protocols and features to prevent future IRC-like botnets and others from ever arising under the new protocol.

Conclusion / Future Work

Security in the future cannot be fought as it is today, man against program; it should be fought with the very programs that are used to compromise our systems. Familiarity with the programs and tools at our enemies' disposal will only aid our future attempts to defend against them. But in the field of security our stance should not always be defensive; it should at times be offensive, when required. The task of taking back the cyberspace that rightfully belongs to everyone may be too great for our Armed Forces under current conditions. We must learn to multiply our forces with what little we have and work together in this fight. The day may come when we no longer have to worry about security because our enemies are so cut-throat with each other that they implement every known strategy to protect the bots in their botnets from competitors, but if that day actually comes, we should all be ashamed as security professionals. In our rapidly expanding cyberspace, if security is not demanded from everyone, it is guaranteed to no one.

We should all strive in the field of security to achieve beyond what we have already accomplished. Research into the idea of a phalanx of friendly botnets should be furthered, as should similar Bot Security Networks (BSNs) in which security is controlled outside the vulnerable systems and the primary systems are separated from external threats. New ways to detect and take down botnet C&C servers should be pursued, as well as ways to dismantle the botnet kits freely available online that are intended only for destructive purposes, and the pay-for-use kits too. New standards for securing social networking sites should be evaluated and implemented to fend off the spread of botnets. And lastly, security should become commonplace in every home and be taught at an early age; because we are all so interconnected with the entire world today, we cannot afford not to educate the next generation.

References

[1] Miniwatts Marketing Group. (2011). Internet World Stats: Usage and Population Statistics. Retrieved from http://www.internetworldstats.com/am/us.htm
[2] U.S. Census Bureau, Population Division. (2010). U.S. & World Population Clocks. Retrieved from http://www.census.gov/main/www/popclock.html
[3] Miniwatts Marketing Group. (2011). Internet World Stats: The Internet Big Picture. Retrieved from http://www.internetworldstats.com/stats.htm
[4] CERT Software Engineering Institute. (2011). CERT Statistics (Historical). Retrieved from http://www.cert.org/stats/
[5] Dictionary.com. (2011). Retrieved from http://Dictionary.reference.com/browser/cyberwarfare?O=100074
[6] Damballa Inc. (2011). Top 10 Botnet Threat Report - 2010. Retrieved from http://www.damballa.com/downloads/r_pubs/Damballa_2010_Top_10_Botnets_Report.pdf
[7] TechTarget. (2011). Retrieved from http://Searchsecurity.techtarget.com/sDefinition/0,,sid_gci1405599,00.html
[8] The Free Dictionary. (2011). Retrieved from http://www.thefreedictionary.com/cyberwar
[9] Microsoft. (2010). Microsoft Security Intelligence Report: Volume 9. Retrieved from http://download.microsoft.com/download/8/1/B/81B3A25C-95A1-4BCD-88A4-2D3D0406CDEF/Microsoft_Security_Intelligence_Report_volume_9_Jan-June2010_English.pdf
[10] Gehling, B., Stankard, D. (2005). eCommerce Security. Information Security Curriculum Development Conference '05, ACM, 1-59593-261-5/05/0009
[11] Tuutti, C., The New New Internet: The Cyber Frontier. (2011). CACI's Dr. Jack London on WikiLeaks, the Insider Threat and Defining Cyber War. Retrieved from http://www.thenewnewinternet.com/2011/02/11/cacis-dr-jacklondon-on-wikileaks-the-insider-threat-anddefining-cyber-war/
[12] Wikipedia. (2011). Retrieved from http://en.wikipedia.org/wiki/Web_crawler
[13] SETI. (2011). Retrieved from setiathome.berkeley.edu/
[14] Stamm, S., Sterne, B., Markham, G. (2010). Reining in the Web with Content Security Policy. WWW 2010, ACM, 978-1-60558-799-8/10/04
[15] Reynolds, G. (2010). Ethics in Information Technology, 3rd Edition. Chapter 3: Computer and Internet Crime.
[16] Rapoza, J. (2008). Botnets vs. botnets: Understanding and use the tools of the enemies to catch them. eWeek.com.
[17] U.S. Census Bureau, Population Division. (2010). U.S. & World Population Clocks. Retrieved from http://www.census.gov/popest/States/NST-ann-est2006.html
[18] U.S. Census Bureau, Population Division. (2010). U.S. & World Population Clocks. Retrieved from http://www.census.gov/ipc/www/region.php
[19] World Bank. (2011). Retrieved from http://data.worldbank.org/indicator/IT.NET.USER/countries?display=graph
[20] Wilson, T. Information Week. (2011). Retrieved from http://itauditsecurity.wordpress.com/2011/02/21/bot-net-trends/
[21] Lewis, B. (2008). Information Warfare. Retrieved from http://www.fas.org/irp/eprint/snyder/infowarfare.htm
[22] IWS - The Information Warfare Site. (2011). Retrieved from http://www.iwar.org.uk/
[23] Dictionary.com. (2011). Retrieved from http://dictionary.references.com/browser/information+warfare
[24] WordNet Search - 3.0. (2011). Retrieved from http://wordnetweb.princeton.edu/perl/webwn?s=information warfare
[25] Wikipedia. (2011). Retrieved from http://en.wikipedia.org/wiki/Cyber_warfare
[26] Microsoft. (2010). Microsoft Security Intelligence Report: Volume 8. Retrieved from http://download.microsoft.com/download/8/1/B/81B3A25C-95A1-4BCD-88A4-2D3D0406CDEF/Microsoft_Security_Intelligence_Report_volume8_July-Dec2009_English.pdf