Botnets and Network Security: Defense against Botnets
By: Nicholas Burley

What are botnets?
A network of devices infected by malware specifically created to allow a bot master to control all of these devices and make them perform tasks. Botnets carry out a range of jobs including spamming, information theft, denial-of-service attacks, and click fraud. The infected devices range from home computers to digital appliances to CCTV cameras. Building a botnet does not require an experienced programmer: botnet malware is sold or publicly available online and can be customized through a GUI. As of May 2015, an estimated sixteen to twenty-five percent of computers connected to the Internet are part of a botnet.

How are bots acquired?
Botnet software needs to be installed on targeted machines. Attackers exploit vulnerabilities in three places: software bugs in operating systems or third-party software (such as Java), which enable buffer-overflow attacks, hacker-installed backdoors, and other memory-management issues; known backdoors; and users.

How are bots acquired? (Social engineering)
Social engineering is simple. Social networking sites: Twitter, Facebook, Skype. Malware disguised as URLs or attachments. Emails disguised as coming from banks, news sites, or online retailers. Malware disguised as MS Word or Excel documents.

How are bots acquired? (Trojan horses, worms, drive-by downloads)
Trojan horses: malware disguised as screensavers, media, or other files. Worms: a popular way to spread botnet software. Once installed on a network device, they can self-install and self-replicate across the network, and they spread through emails, social media, and messaging. Drive-by downloads: compromised websites embedded with botnet malware as HTML documents. When a user visits the website, the HTML document is downloaded without the user knowing what is happening.

How are botnets controlled?
Four structures: Command & Control (C&C), peer-to-peer (P2P), hierarchical, and hybrid. Hierarchical: requires communication to pass through the entire chain to function; not as efficient. C&C: centralized structure using an Internet Relay Chat (IRC) channel, websites, or servers. IRC is a common way to communicate with bots because of its multicast capabilities; many IRC networks already exist, and private IRC servers can be hosted on consistently online hosting services.
Figure (C&C botnet structure): https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/wang/wang_html/figure1.png
How are botnets controlled? (P2P, hybrid)
P2P: harder to combat; decentralized structure; more common because of its robust nature. The attacker can include itself as a peer and then infect another peer on the same network, so the attacker does not need to communicate with the rest of the bots through a C&C mechanism. Hybrid: a mixture of C&C and P2P.
Figure (P2P botnet structure): https://www.intechopen.com/source/html/39021/media/image2.png
What do botnets do?
Botnets can be used against businesses, governments, and services for the sake of money, political agenda, or fame. Uses include DDoS, click fraud, bitcoin mining, spamming, key logging, sniffing, screen capture, proxy functions, and information theft. DDoS (distributed denial of service): used for extortion, or simply to exhaust the resources of a server so it cannot process genuine client requests. Requires a large amount of computing power. ICMP, SYN, and UDP flooding.

What do botnets do? (continued)
Keylogging, packet sniffing, and screen capture. Password cracking and bitcoin mining: both draw on the botnet's large computing power. Spamming: send large volumes of unsolicited emails while remaining anonymous; spammers send these emails through small SMTP servers installed on victims' computers. Click fraud: tricks the user, or lets the device itself, visit websites or other Internet advertisements to generate revenue for the attacker. Advertisers pay the attacker's affiliated website to display their ad, and the botnet lets the attacker command all the bots to click the advertised website for financial gain.

How do botnets evade detection?
Fast flux, encryption, dynamic DNS, and proxy servers. Fast flux: a fast flux network uses multiple agents to map a domain name to several IP addresses that keep changing at a high rate. Multiple sets of IP addresses are linked to one domain name and swapped in and out of its DNS records. Encryption: bots can communicate over protocols such as HTTP, UDP, or TCP and can look like normal traffic. Botnets encrypt their C&C messages to avoid detection by payload-based intrusion detection systems.
How do botnets avoid detection? (Dynamic DNS)
Dynamic DNS works similarly to fast flux by changing DNS records, such as the IP addresses associated with a domain name. A distributed DNS implementation operates several DNS services in other countries or places that are known not to focus on the destruction of botnets.
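The fast flux behaviour described on the two evasion slides (one name mapped to many IPs that are swapped in and out of DNS records at a high rate, spread across hosting that does not cooperate with takedowns) leaves a signature in a resolver's own query log. The following is an added example, not code from the slides or from the Fast Flux Watch mechanism they cite; the resolver log, the names, and the thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed resolver log, not from the slides: (timestamp, queried name, TTL, A records).
# "update.example-cdn.test" is a stable name; "login-bank.example.test" rotates its IPs.
SAMPLE_RESPONSES = [
    ("2017-04-18T10:00:00", "update.example-cdn.test", 3600, {"198.51.100.10", "198.51.100.11"}),
    ("2017-04-18T10:05:00", "update.example-cdn.test", 3600, {"198.51.100.10", "198.51.100.11"}),
    ("2017-04-18T10:10:00", "update.example-cdn.test", 3600, {"198.51.100.11", "198.51.100.10"}),
    ("2017-04-18T10:00:00", "login-bank.example.test", 180, {"203.0.113.5", "192.0.2.77", "198.51.100.200"}),
    ("2017-04-18T10:05:00", "login-bank.example.test", 180, {"203.0.113.9", "192.0.2.12", "198.51.100.42"}),
    ("2017-04-18T10:10:00", "login-bank.example.test", 180, {"203.0.113.31", "192.0.2.90", "198.51.100.7"}),
]


def flux_stats(responses):
    """Per name: distinct IPs, distinct /24 networks, lowest TTL seen, and how often the record set changed."""
    per_name = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None, "changes": 0, "last": None})
    for ts, name, ttl, rrset in sorted(responses, key=lambda r: (r[1], r[0])):
        d = per_name[name]
        d["ips"] |= rrset
        d["nets"] |= {ip.rsplit(".", 1)[0] for ip in rrset}  # crude /24 grouping as a proxy for hosting spread
        d["min_ttl"] = ttl if d["min_ttl"] is None else min(d["min_ttl"], ttl)
        if d["last"] is not None and rrset != d["last"]:
            d["changes"] += 1  # the answer set was swapped since the previous response
        d["last"] = frozenset(rrset)
    return per_name


def is_fast_flux(stats, max_ttl=300, min_ips=5, min_nets=3, min_changes=1):
    """Thresholds are illustrative assumptions: short TTL plus many IPs across several networks that keep changing."""
    return (stats["min_ttl"] <= max_ttl and len(stats["ips"]) >= min_ips
            and len(stats["nets"]) >= min_nets and stats["changes"] >= min_changes)


def fast_flux_names(responses):
    """Names in the log that meet the fast flux heuristic."""
    return sorted(name for name, st in flux_stats(responses).items() if is_fast_flux(st))
```

A legitimate CDN also answers with several IPs, so the change count and network spread matter more than the raw IP count; tune the thresholds against your own resolver's baseline.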
Figure: https://krebsonsecurity.com/wp-content/uploads/2014/06/gameovergraph.png
How to defend against botnets? (Botnet takedowns)
The FBI's cyber division said that in the first quarter of 2015, a new machine was infected with botnet malware every eighteen seconds. Private organizations and companies such as Microsoft (through its Cybercrime Center) and the Georgia Institute of Technology work to take down botnet C&C centers and take legal action against the creators of botnets. Another approach is to probe the darknet for botnet reconnaissance activity that scans for available IP addresses and looks for vulnerabilities in those systems. Some of this reconnaissance ends up touching IPs in the darknet, which lets the company or organization probing it conduct behavioral analytics to identify which botnet is doing the scanning. Botnets are always upgrading and changing to exploit new vulnerabilities and remain undetected.

How to defend against botnets? (Prevention)
User security awareness: lowest cost and most effective. Safely use applications and web browsers. Control Internet browsers. Anti-malware software. Firewalls. Control the usage of support for scripting languages such as JavaScript. Secure operating systems with consistent OS patches; devices and machines should push constant software security updates. DDoS defense systems. ThreatSTOP botnet defense cloud service: delivers a blocklist to firewalls based on known botnet IPs and malware traffic.

How to defend against botnets? (Detection)
Intrusion detection systems and logging: the periodic behavior of a botnet can be analyzed because bots are pre-programmed to communicate within the structure at certain times, with certain communication protocols, and on certain port numbers. Spam detection: a detection system can monitor the contents of emails, including the body, subject, attached files, and the hosting server of the email. Fast Flux Watch: identifies fast flux agents by monitoring incoming and outgoing TCP connections on a network in real time. P2P botnets can be detected by monitoring and analyzing ports and network traffic to figure out how bots are communicating. Separating P2P botnet traffic from regular P2P traffic involves a mixture of classifiers: a packet-level signature-based classifier, a statistics-based classifier, and pattern statistics.

How to defend against botnets? (Self-healing systems, honeypots)
Self-healing systems add resiliency against botnets while maintaining an active network state: the system recognizes that it is not in a normal state, and then either restores itself to normal or waits for human intervention. Honeypots or honeynets are systems designed with vulnerabilities with the intent that malware infect them; the collected information is analyzed to either improve the system or gain more knowledge about the botnet.

Internet of Things and Security
IoT is driving the number of botnets on the Internet up because of the devices' lack of security, including unchanged passwords and open communication channels. An HP study of IoT devices in July 2014 found: eighty percent of devices did not require passwords of proper complexity and length; seventy percent did not encrypt traffic communications; sixty percent had vulnerable firmware and/or user interfaces.

IoT Security
Change default passwords to strong passwords. Update devices with security patches. Disable Universal Plug and Play on routers. Monitor ports 2323/TCP and 23/TCP for attempts to gain control over devices. Monitor all traffic on port 48101 (TCP/UDP), because this is a popular port for bot communication. Antivirus software, IPS/IDS, firewalls, and content filtering. User security awareness. Network monitoring: IoT devices have a specific function, so their activity is very predictable. IoT devices are hard to secure because of their nature and the large range of protocols and standards involved.

Trends
More botnets and more attacks will occur every year because of the huge increase in IoT and other Internet-connected devices. Social networking sites: Koobface is a social network botnet comprised of hundreds of thousands of fake accounts that distributed malicious links across Facebook and Twitter; approximately 81% of users who received these links opened them. Anonymous networks: Tor hidden services used to communicate with other bots. Mobile phones: SMS worms, DDoS attacks, voice calls. Cloud services: hold code for botnets and send instructions to victims' devices.

Conclusion
Botnets are a significant threat to network security. The number of botnets will continue to increase because network-connectable devices are added every year. IoT security needs to be emphasized. It is important for security practices to be implemented whether for a household computer or a Fortune 500 company.
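Two of the detection ideas above can be checked over an ordinary flow log: the detection slide's point that pre-programmed C&C check-ins recur at fixed times on fixed ports, and the IoT slide's advice to watch 23/TCP, 2323/TCP and 48101. This is an added example, not code from the slides or from any product they name; the flow records, hosts, and the jitter threshold are constructed assumptions.

```python
import statistics
from datetime import datetime

# Constructed flow records, not from the slides: "timestamp src dst dport bytes".
# 10.0.0.12 checks in every five minutes; 10.0.0.30 talks to the watched IoT ports.
SAMPLE_FLOWS = """
2017-04-18T10:00:00 10.0.0.12 203.0.113.40 443 512
2017-04-18T10:00:07 10.0.0.12 198.51.100.8 80 2048
2017-04-18T10:05:00 10.0.0.12 203.0.113.40 443 514
2017-04-18T10:10:00 10.0.0.12 203.0.113.40 443 510
2017-04-18T10:15:01 10.0.0.12 203.0.113.40 443 512
2017-04-18T10:20:00 10.0.0.12 203.0.113.40 443 513
2017-04-18T10:01:13 10.0.0.30 192.0.2.9 2323 64
2017-04-18T10:02:41 10.0.0.30 192.0.2.9 23 64
2017-04-18T10:03:02 10.0.0.30 203.0.113.77 48101 90
2017-04-18T10:02:00 10.0.0.55 198.51.100.8 443 9000
2017-04-18T10:44:00 10.0.0.55 198.51.100.8 443 1200
"""

WATCHED_PORTS = {23, 2323, 48101}  # the ports the IoT slide says to monitor

def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows

def find_beacons(flows, min_flows=4, max_jitter=0.1):
    """Flag (src, dst, dport) triples whose inter-arrival times are nearly constant.
    A pre-programmed check-in gives a low coefficient of variation of the gaps;
    human browsing does not. Returns the mean interval in seconds per flagged triple."""
    groups = {}
    for ts, src, dst, dport, _ in flows:
        groups.setdefault((src, dst, dport), []).append(ts)
    beacons = {}
    for key, times in groups.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = round(mean)
    return beacons

def watched_port_hits(flows):
    """Connections to the Telnet and bot-communication ports named on the IoT slide."""
    return sorted({(src, dst, dport) for _, src, dst, dport, _ in flows if dport in WATCHED_PORTS})
```

Real beacons add random sleep to blur the interval, so in practice the jitter threshold is set from the organisation's baseline and combined with destination reputation rather than used alone.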