67 research outputs found

    Threats from Botnets

    At present, various cyberattacks based on Botnets are the most serious security threats to the Internet. As Botnets continue to evolve and behavioral research on Botnets is inadequate, the question of how to apply some behavioral problems to Botnet research and combine the psychology of the operator to analyze the future trend of Botnets is still a continuing and challenging issue. A Botnet is a common computing platform that can be controlled remotely by attackers who invade several noncooperative user terminals in the network space. It is an attacking platform consisting of multiple Bots controlled by a hacker. The classification of Botnets and the working mechanism of Botnets are introduced in this chapter. The threats and the threat evaluation of Botnets are summarized.

    Social Networks as Command & Control Channels for Botnets

    The weakest link in detecting Botnets is typically the communication channel. What if there was a possibility to leverage existing high-volume communication channels such as social networks for the command and control traffic of a botnet? Utilizing a social network such as Twitter has many advantages over alternative methods: when done properly it is easier to hide in plain sight due to the high volume of normal chatter, the protocol and traffic are already established as a known protocol to many security systems and antivirus software, and it is highly available across the globe. Twitter is aware of the potential for people using their network for nefarious purposes, so they have developed a series of advanced protection mechanisms that need to be bypassed. The simplest solution would be to acquire an API key for access to programmatically post and fetch messages to Twitter, but that would introduce a substantial weakness to the system. In the event that the traffic was identified once, Twitter could withdraw the API key and effectively shut down the botnet. To avoid this weakness we utilized web scraping technology and the mobile web site of Twitter, which has a smaller set of protection mechanisms. The system is implemented in Python utilizing an open source library, Mechanize, to scrape the mobile web site. The challenges encountered in successfully accessing Twitter's web site are shown. New social networks are being built every day, and the opportunity for utilizing these types of networks for communications of botnets presents a large opportunity and ultimately an urgent need for these network owners to become aware of the potential uses of their systems.

    Cybercrimes in the Former Soviet Union and Central and Eastern Europe: Current Status and Key Drivers

    Some economies in the Former Soviet Union and Central and Eastern Europe (FSU&CEE) are known as cybercrime hotspots. FSU&CEE economies have shown complex and varied responses to cybercrimes due partly to the differential incentives and pressures they face. This study builds upon the literature on white-collar crime, institutional theory and international relations (IR)/international political economy (IPE) perspectives to examine the low rates of prosecution and conviction of suspected cybercriminals in some economies in the FSU&CEE and the variation in such rates across these economies. The findings indicate that cybercrime cases are more likely to be prosecuted and sanctions imposed in economies that are characterized by a higher degree of cooperation and integration with the West. Cybercriminals are less likely to be jurisdictionally shielded in such economies. Our findings also suggest that a high degree of cooperation and integration with the West would lead to access to resources to enhance system capacity and law enforcement performance to fight cybercrimes.

    Implementation and evaluation of a botnet analysis and detection method in a virtual environment

    Botnets are one of the biggest cyber threats. Botnets are based on concepts that were used for the development of malware or viruses before the origin of the Internet in the 1990s. A Botnet is a form of malware controlled by a Botmaster using Command and Control (C&C). Since the emergence of one of the first botnets, PrettyPark, in 1999, there has been a significant enhancement in botnet development techniques by hackers over the last decade. Botnets of the current age come with features such as P2P architecture, encrypted traffic, use of different protocols, stealth techniques and spreading through social networking websites such as Facebook and Bebo. With enhancements in botnet development, the objectives of cyber criminals advanced to financial gain as well. ZeuS is one of the well-known botnets of the current age, with the main target of financial gain. It uses advanced botnet techniques such as encrypted traffic, use of the HTTP protocol and stealth techniques to hide itself from the OS. The overall objective of this thesis is the application of botnet analysis and detection techniques to the ZeuS bot to demonstrate how these techniques are applicable to other modern botnets such as KoobFace, Torpig and Kelihos. The ZeuS code leaked in May 2011, opening the doors for hackers to utilise techniques used by ZeuS to develop new bots and for researchers to learn the internal working of one of the modern botnets of the current age. In this thesis, the “ZeuS toolkit with Control Panel (CP)” is used. It contains tools to create a ZeuS bot executable with user-defined configuration and the ZeuS Control Panel (CP), developed in PHP and MySQL, to install on a machine to act as a ZeuS “C&C server”. Ethically, according to the “CSSR: British Computer Society Code of Conduct”, ZeuS botnet analysis is performed in a virtual environment with two machines, i.e. “Bot victim with HIDS (Host Based Intrusion Detection System)” and “C&C server”, that are isolated from the host machine running VMware and from the Internet.
    The bot was executed to infect the “Bot victim” machine with the ZeuS bot, converting it into a “zombie” controlled by the “C&C server” machine running the ZeuS Control Panel (CP). ZeuS bot analysis was performed in three layers, i.e. the binary, application and communication layers. On the binary layer, reverse engineering tools were used to reverse engineer the ZeuS executable to explore its internals. The C++ code produced by REC from the ZeuS binary was not in a meaningful form, which indicates that the ZeuS binary is obfuscated using some algorithm. Only basic information, i.e. version and header information for the ZeuS bot executable, could be found using the PE Explorer tool. On the application layer, during ZeuS bot execution, all activities related to threads/processes, the file system (.dll files accessed and files created) and registry changes were captured using Procmon. Important information captured by Procmon is the creation of a copy of the bot executable (sdra64.exe) and a data file “user.ds” in the Windows subfolder “/system32”, and the modification of the “Userinit” registry key by ZeuS to enable ZeuS execution before the Windows GUI appears (execution of Explorer.exe). On the communication layer, packets during bot synchronisation with the botmaster and bot commands sent by the “C&C server” to the “Bot victim” were captured to create rules for the HIDS for signature-based detection on the “Bot victim”. These rules were implemented and raised alarms successfully, as expected. Anomaly-based detection requires “learning” or profiling, which requires interaction of the machine with the Internet; ethically this is not possible in the isolated virtual environment. DNS-based detection and the process to reveal a “rootkit” that modifies the MBR (master boot record) of the hard disk are not applicable to ZeuS analysis. The literature review of this thesis covers all aspects of botnet analysis and detection techniques regardless of whether they are not applicable in this project ethically or the ZeuS bot does not support them.
    The objective of providing this information is to give an overview of all analysis and detection techniques that are applicable to the modern botnets of the current age.

    Evolution of Malware Threats and Techniques: a Review

    The rapid development of technology, and its usage in our everyday lives, has caused us to depend on many of the aspects it offers. The evolution of the Internet in recent decades has changed human life drastically as accessing knowledge, communication and social interaction became readily available. Nowadays, we have become dependent on our PCs and smart devices for accomplishing everyday tasks. People are using these devices to store valuable information. This information became the target of cybercriminals, who are constantly creating new ways to gain unauthorized access to it. In the past few decades, cybercrime and the construction of malicious software (malware) have seen a significant rise. In this research, we present a literature review of the historical evolution of malware. We describe the common characteristics and propagation methods for the types of malware in each phase of its evolution. Furthermore, we illustrate the purpose of its creation and the damage it has caused. The purpose of this study is to provide researchers with background about malware and its evolution leading up to present-day threats.

    Experimental host- and network-based analyser and detector for Botnets

    Botnets, networks of malware-infected machines that are controlled by an adversary, are the cause of a large number of problems on the internet [1]. They are increasing faster than any other type of malware and have created a huge army of hosts over the internet. By coordinating themselves, they are able to initiate attacks of unprecedented scales [2]. An example of such a Botnet can be made in Python code. This Botnet will be able to generate a simple attack which will steal screenshots taken while the user is entering his confidential information on a bank website. The aim of this project is firstly to detect and analyse this Botnet operation and secondly to make statistics of the Intrusion Detection System detection rate. Detecting malicious software in the system is generally done by an antivirus which analyses a file's signature and compares it to its own database in order to know whether a file is infected or not. Other kinds of detection tools such as a Host-based IDS (Intrusion Detection System) can be used: they trigger on abnormal activity, but in reality they generate many false positive results. The tool "Process Monitor" is able to detect every process used by the system in real time, and another tool, "Filewatcher", is able to detect any modification of files on the hard drive. These tools aim to recognize whether a program is acting suspiciously within the computer, and this activity should be logged by one of these security tools. However, results from the first experiment revealed that host-based detection remained unfeasible using these tools because of the multitude of processes continuously running inside the system, causing many false positive errors. On the other hand, the network activity has been monitored in order to detect, using an Intrusion Detection System, the next intrusion or activity of this Botnet on the network.
    The experiment tests the IDS by increasing network activity, and includes attacks within background traffic generated at different speeds. The aim is to see how the IDS reacts to this increasing traffic. Results show that the CPU utilisation of the IDS increases as a function of the network speed. But even though all the attacks were successfully detected under 80Mb/s, 5% of the packets were dropped by the IDS and could have contained some malicious activity. This paper concludes that for this experimental setup, which uses a 2.0 GHz CPU, to have a secure network with 0% packet drop by the IDS, the maximum network activity should be 30Mb/s. Further development in this project could be to experiment with different CPU performances, assessing how the IDS reacts to increasing network activity and when it starts dropping packets. This would allow companies to gauge which configuration is needed for their IDS to be totally reliable with 0% dropped packets or semi-reliable with less than 2% dropped packets.