We often hear about cyber security incidents like an army of infected systems, or zombie machines, waging a DDoS attack and bringing down the sensitive websites of enterprises, governments, militaries or banks. It has become a trend in the cyber security space that malicious actors, including state-sponsored attackers, form a network of infected systems, remotely control and manage this huge network, and use this army to achieve their malicious intents. Have we thought about how this army of infected machines is created, how it operates and how we can handle this threat? Welcome to the world of botnets! Wikipedia defines a botnet as "a number of Internet-connected computers communicating with other similar machines in which components located on networked computers communicate and coordinate their actions by command and control (C&C) or by passing messages to one another. The word botnet is a combination of the words robot and network". In the world of IT security, botnets hold a larger meaning than a set of interconnected distributed systems. A bot represents a malware-infected system, and a botnet represents an army of malware-infected systems ready to wage war on their target on the command of the bot master who created them. Put simply, a botnet is the Swiss army knife of malware. Attacks using botnet infrastructure are increasing because creating a botnet requires little effort and the cost involved is minimal, especially at a time when underground services like 'Malware as a Service' are becoming prevalent. The seriousness of a botnet attack depends on the number of infected machines in the network that are capable of receiving and executing the command and control instructions of the master.
Botnets can be used in cyber-attacks, especially Distributed Denial of Service, spyware attacks, email spamming, click fraud and cyber espionage for data extraction, including email address books, financial data, credit card information, login account details, intellectual property, and classified government and military information. Some of the notorious botnets that have caused serious harm to organizations recently include Carberp, Dorkbot and SpamSoldier. Read our whitepaper on Botnet Filtering on ASA.
In a botnet attack the bot machine gets infected by a virus received through a spam or phishing email, or which the user unknowingly downloads when visiting a website. The originator of a botnet is commonly referred to as a "bot herder" or "bot master", and can be an individual, a group of people or even state-sponsored actors with malicious objectives. Once the network of systems is infected, the attackers can take control of these systems to achieve their malicious motives. Botnet communication and command architectures can be classified into three main categories:
• The client-server model communicating through IRC channels (centralized botnet): The communication is centralized in nature, where every bot connects to a central command server. The bot master controls the botnet remotely, often through an IRC server or a channel on a public IRC server, known as the command and control (C&C) server. Bots in a centralized model are comparatively easy to defuse, as the network of bots works in a sleeper-cell model with a single point of failure: once the master server is taken down, the network no longer performs any malicious attacks.
• Peer-to-peer communication model (decentralized botnet): In the P2P model of botnet architecture the bots work autonomously and are not necessarily connected to a single centralized server, but rely on bot-to-bot communication. Each node communicates with a set of other bots and exchanges commands. This represents an evolved and strengthened botnet model, as every bot can act as a master, and it is impossible to stop the attacks by taking down one centralized bot master. If the botnet operates only through P2P, it is nearly impossible to track the original attackers behind the scenes.
• Hybrid model: The hybrid model mixes the centralized and peer-to-peer botnet architectures.
The major components of a Botnet include:
• A bot
• Communication protocols
• Target/victims
There are various active and passive mechanisms for botnet detection. The principal botnet detection techniques are based on analysis of the traffic between the bot and the bot master. Botnets that use HTTP for their communication are comparatively difficult to detect, as the communication between the bot and the master is encrypted. Preventing botnet attacks requires a collective effort from security researchers, enterprises, security product companies, regional and international law enforcement bodies, domain registrars and registries, cloud service providers and end users. A collective and coordinated effort is needed to detect, notify, remove and remediate botnet attacks, and to take precautionary measures to avoid such incidents in the future. End users must be made aware of the cyber security landscape, including potential cyber risks and threats. Keeping a defense-in-depth approach, detecting and protecting against impending threats, and following an integrated approach to cyber security and cyber intelligence sharing are essential for any organization to defend against malware attacks, including botnets. After all, defense in depth is all about securing even the weakest link in the organization's network and systems. Check out Happiest Minds' integrated platform for Cyber Risk Protection (CRPP).
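As an added illustration of traffic-based detection (example code written for this post, not a Happiest Minds tool), the script below looks for the regular check-in rhythm of bots in a constructed connection log, then for destinations that several internal hosts share, the fan-in pattern of the centralized C&C server described above. Because it uses only connection timing and endpoints, it does not need to read the payload, so it still applies when the bot-to-master channel is encrypted. The log format, addresses and thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not a real capture), one connection per line: "<epoch> <src_ip> <dst_ip>:<port>".
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.9:6667
1060 10.0.0.5 203.0.113.9:6667
1121 10.0.0.5 203.0.113.9:6667
1180 10.0.0.5 203.0.113.9:6667
1005 10.0.0.7 203.0.113.9:6667
1065 10.0.0.7 203.0.113.9:6667
1124 10.0.0.7 203.0.113.9:6667
1185 10.0.0.7 203.0.113.9:6667
1010 10.0.0.9 198.51.100.20:443
1033 10.0.0.9 198.51.100.20:443
1500 10.0.0.9 198.51.100.20:443
1502 10.0.0.9 198.51.100.20:443
"""

def parse_log(text):
    """Return (timestamp, src, dst) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():
            events.append((int(parts[0]), parts[1], parts[2]))
    return events

def find_beacons(events, min_events=4, max_cv=0.1):
    """Flag (src, dst) pairs whose connection gaps are near-constant: scheduled
    check-ins have a low coefficient of variation (stdev/mean) of the gaps."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            beacons[pair] = round(mean(gaps), 1)  # mean check-in period in seconds
    return beacons

def shared_destinations(beacons, min_sources=2):
    """Destinations several internal hosts beacon to: likely C&C rendezvous points."""
    sources = defaultdict(set)
    for src, dst in beacons:
        sources[dst].add(src)
    return {dst: sorted(s) for dst, s in sources.items() if len(s) >= min_sources}
```

Real traffic needs the thresholds tuned per network, since legitimate software updaters and monitoring agents also beacon at fixed intervals; the output is a triage list, not a verdict.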
In the last few years we have seen a huge evolution in the field of botnets. Botnets have already evolved and made their presence felt on mobile platforms. Zeus, DroidDream and TigerBot are some of the mobile bots that have carried out successful botnet attacks on mobile platforms. The next stage in botnet evolution is in the field of internet-connected devices. Securing the Internet of Things is a major global concern, and the evolution of IoT botnets adds to this burning concern for cyber security professionals. Advanced malware-infected botnets can be used to exploit vulnerabilities in IoT devices, especially IP video cameras, digital video recorders, embedded internet devices and Wi-Fi routers, to compromise sensitive information. The Mirai botnet, which appeared in August 2016, has already launched multiple high-profile, high-impact DDoS attacks affecting various Internet properties and services. As IoT devices are used by a society that is a mix of technical and non-technical people, we need to think about how effectively IoT devices follow a secure standard and have proper logging and monitoring mechanisms in place. It is high time to think about integrating cyber security basics into our education systems. Proper awareness and training must also be part of this, so that we can brace ourselves against such malicious attacks to a greater extent.