Although they are often well-hidden, botnets represent a significant online threat. Most users are unaware that their computers have been compromised and are relaying sensitive data. This article defines a botnet and explores some of the purposes for setting up a botnet. It then takes a look at some botnet detection techniques and anti-botnet solutions.
What is a Botnet?
A botnet (from “robot network”) is a group of computers that run an application controlled and manipulated only by its source or owner. While the term “botnet” generally refers to computers, or software agents, running malicious software (malware; robot software), it may also refer to a network of computers that share the processing of a legitimate program. When the malware is installed, it turns the infected computer into a zombie or drone, which must carry out the commands of the controlling computer. According to Umbra Data estimates, between 7% and 12% of an enterprise’s machines are bot-infected.
Botnets may range from a thousand drones to tens of thousands of drones. The larger the botnet, the greater its recognition and potential for financial gain. The controller can rent the botnet’s services to third parties. Common uses of botnets include:
• Spamming – After compromising victims’ computers, the botnet commander may use the drones to harvest email addresses and send spam or phishing emails.
• Traffic Monitoring – The malware may also be built to discover and intercept sensitive data passing through a drone machine, sniffing for user IDs and passwords.
• Denial of Service Attacks – An attempt to make a resource unavailable to its users. For example, the botnet may attack a network to disrupt a service by overloading the target’s resources with traffic from the drones. Such attacks may be carried out to disable a competitor’s web site.
• Keylogging – Some bots install keylogging programs on drone computers. Such programs filter for key sequences typed before or after keywords such as “Gmail” or “PayPal.”
• Mass Identity Theft – Such thefts are often attributed to botnet attacks. One form is a phishing attack, in which the perpetrator poses as a legitimate company in order to obtain personal information such as user IDs, account numbers or passwords.
• Botnet Spread – Drones in the network are often used to spread other bot malware to additional computers.
• Pay-per-Click Systems Abuse – Drone machines can be made to click on a site automatically when the browser starts. By artificially inflating an ad’s click counter, the botnet commander may profit from Google AdSense or other affiliate programs.
Recently, researchers have developed a prototype method for detecting botnets that rely on DNS domain-fluxing (also referred to as a domain generation algorithm, or DGA). Domain-fluxing, or DGA, is the algorithmic generation of random-looking domain names. Normally, the bot queries thousands of generated names, but the botnet operator registers only one. To study DNS traffic for domain-flux activity in real time, the researchers developed a method that examines the pattern and distribution of characters in a domain name to determine whether its origin is legitimate or malicious.
An alternative technique, developed in 2009, is NX Domain analysis. When a bot queries a generated domain that does not exist, the TLD name server returns an NXDOMAIN (non-existent domain) response, and a burst of such responses is the signal. The method relies on simple machine-learning algorithms to detect new, known or suspicious bot infections. Critics point out that NX Domain analysis is limited to DNS anomalies: it may be effective as a first signal, but it is limited in scope. Another advanced approach to the botnet problem is a dynamic reputation system.
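The two detection ideas above, character-distribution analysis of domain names and counting NXDOMAIN responses, combine naturally into one resolver-log check. The following Python is an added example written for this article, not the researchers’ prototype or any vendor’s code. It assumes a constructed log format of `<epoch> <client> <qname> <rcode>` per line, treats the label left of the TLD as the generated part (a real deployment would consult the public suffix list), and the indicator thresholds are assumptions chosen for the illustration. It flags clients that receive many NXDOMAIN answers for DGA-looking names and lists DGA-looking names that did resolve for a watch list, since the one registered name in a flux set is the rendezvous point the defender wants to see.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log: "<epoch> <client> <qname> <rcode>" per line.
# 10.0.0.7 plays the role of a DGA-infected drone; every name here is made up.
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.example.com NOERROR
1700000002 10.0.0.5 mail.example.com NOERROR
1700000003 10.0.0.7 qxzvbkrtw.com NXDOMAIN
1700000004 10.0.0.7 plmnqrstvxz.net NXDOMAIN
1700000005 10.0.0.7 kdjfhgqwpz.org NXDOMAIN
1700000006 10.0.0.7 hjgkfdlsqp.com NXDOMAIN
1700000007 10.0.0.7 zxcvbnmasd.info NXDOMAIN
1700000008 10.0.0.7 vbnmqwerty.biz NOERROR
1700000009 10.0.0.9 cdn.cloudfront.net NOERROR
1700000010 10.0.0.9 nosuchhost.example.com NXDOMAIN
"""

VOWELS = set("aeiou")


def registered_label(qname):
    """Label directly left of the TLD ("example" in mail.example.com).
    Assumption: single-label TLDs only; use the public suffix list in practice."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def char_features(label):
    """Character-distribution features that separate generated from human names."""
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label) if label else 0.0
    runs = re.findall(r"[b-df-hj-np-tv-z]+", label)  # consonant runs (y counts)
    return {
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowel_ratio,
        "digit_ratio": digit_ratio,
        "longest_consonant_run": max((len(r) for r in runs), default=0),
    }


def dga_score(label):
    """Number of indicators that fire (0-4). Thresholds are assumptions for this
    illustration; entropy alone is noisy on short labels, so it is one vote of four."""
    f = char_features(label)
    score = 0
    score += f["vowel_ratio"] < 0.2
    score += f["longest_consonant_run"] >= 5
    score += f["entropy"] >= 3.0
    score += f["digit_ratio"] > 0.2
    return int(score)


def parse_log(text):
    """Parse the constructed log format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append({"ts": int(ts), "client": client, "qname": qname, "rcode": rcode})
    return records


def analyze(records, nx_threshold=3, score_threshold=2):
    """Per client: count NXDOMAIN answers for DGA-looking names; a client over
    nx_threshold is flagged, and DGA-looking names that DID resolve for that
    client are reported as candidate rendezvous domains for a watch list."""
    nx_hits = defaultdict(int)
    resolved = defaultdict(list)
    for r in records:
        if dga_score(registered_label(r["qname"])) < score_threshold:
            continue
        if r["rcode"] == "NXDOMAIN":
            nx_hits[r["client"]] += 1
        elif r["rcode"] == "NOERROR":
            resolved[r["client"]].append(r["qname"])
    return {
        client: {"nxdomain_dga_names": n, "resolved_dga_names": resolved.get(client, [])}
        for client, n in nx_hits.items()
        if n >= nx_threshold
    }


if __name__ == "__main__":
    for client, info in analyze(parse_log(SAMPLE_LOG)).items():
        print(client, info)
```

On the sample log only 10.0.0.7 is flagged (five NXDOMAIN answers for generated-looking names), and `vbnmqwerty.biz` is surfaced as the name that resolved. Note that `cloudfront` trips the entropy indicator on its own, which is why the score requires two indicators and why the NXDOMAIN count is combined with the character analysis rather than either being used alone.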
There are a few different anti-botnet appliances on the market. The best-known anti-botnet vendors are currently Damballa Research and FireEye. The latest anti-botnet effort, led by Umbra Data, consists of a sensor network that tracks and analyzes command and control (C&C) traffic for malicious elements. This is known as the Umbra Data Dark Side Intelligence Service.
Umbra Data’s anti-botnet strategy does away with the need to purchase an appliance; instead it publishes its findings in XML format. This research is then fed into an organization’s data leakage protection or network security equipment. The service produces a “block list” of C&Cs that are malicious, as well as a “watch list” of suspicious activity. Given the budget constraints common to many organizations, Umbra’s Dark Side Intelligence Service may well be an attractive anti-botnet option.
According to Umbra Data, in many organizations anti-botnet solutions compete for budget with other projects, such as data-loss prevention, next-generation firewalls, network forensics and packet-capture appliances. The fact that their solution is not appliance-based may be a significant deciding factor.
Researchers Peter Greko and Fabian Rothschild demonstrated how samples of the Zeus and SpyEye Trojans can be studied to write web-server code that mitigates those botnets. While these techniques cannot prevent bot infections themselves, they can prevent the bot commander from gathering useful or sensitive information from the drone’s user.
For example, the Zeus Trojan collects login information, passwords, cookies, VIEWSTATE parameters and other data passed in HTTP POST requests. In this way it gathers important data from web sessions and transmits it to its C&C servers. Greko and Rothschild’s techniques render the data unrecognizable to the botnet: the page code is “bloated” so that the bot is unable to identify or use it. Although this is not a complete solution, it does make it much more difficult for someone to harvest sensitive data.
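The article describes the mitigation only at the level of principle: the server emits a form the bot cannot map to “username” and “password”. The following Python is an added sketch of that principle written for this article; it is not Greko and Rothschild’s code, and the specific design (per-request random field names, hidden decoy fields, shuffled order, a server-side mapping to decode the POST) is an assumption of mine. A form grabber keyed on field names or field position then sees a different, meaningless layout on every request, and a decoy that comes back filled in is itself a signal that something other than a browser submitted the form.

```python
import html
import secrets


def _random_name(rng):
    # Neutral token; assumption: nothing in the name a grabber could key on.
    return "f_" + rng.token_hex(6)


def obfuscate_form(field_names, decoy_count=6, rng=secrets):
    """Render input elements for a form whose real fields carry per-request
    random names, interleaved with hidden decoys. Returns (mapping, fragment):
    mapping goes alias -> real name and must be kept server-side (e.g. in the
    session) so the POST can be decoded. rng needs token_hex() and randbelow()."""
    mapping = {}
    inputs = []
    for real in field_names:
        alias = _random_name(rng)
        mapping[alias] = real
        kind = "password" if "pass" in real.lower() else "text"
        inputs.append(f'<input type="{kind}" name="{html.escape(alias)}">')
    for _ in range(decoy_count):
        alias = _random_name(rng)
        inputs.append(
            f'<input type="text" name="{html.escape(alias)}" '
            'style="display:none" tabindex="-1" autocomplete="off">'
        )
    # Fisher-Yates shuffle with the CSPRNG so field order reveals nothing either.
    for i in range(len(inputs) - 1, 0, -1):
        j = rng.randbelow(i + 1)
        inputs[i], inputs[j] = inputs[j], inputs[i]
    return mapping, "\n".join(inputs)


def recover_post(mapping, posted):
    """Translate a posted form (alias -> value) back to real field names and
    drop the decoys. A decoy arriving with a non-empty value is reported as
    suspicious: a real browser never shows the user that field."""
    real = {}
    suspicious = False
    for name, value in posted.items():
        if name in mapping:
            real[mapping[name]] = value
        elif value:
            suspicious = True
    return real, suspicious


if __name__ == "__main__":
    mapping, fragment = obfuscate_form(["username", "password"])
    print(fragment)
    inverse = {v: k for k, v in mapping.items()}
    print(recover_post(mapping, {inverse["username"]: "alice", inverse["password"]: "x"}))
```

This only strips the labels a bot would use to pick the credential fields out of a captured POST; the values themselves still travel in the request, so, as the article says, it raises the cost of harvesting rather than preventing infection or capture.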
This article looks at botnets, which are groups of computers (drones) that have been compromised to disclose sensitive data to a botnet commander. This is an online threat for home users as well as organizations. The purposes for setting up a botnet include, but are not limited to: denial of service attacks; spamming; traffic monitoring; keylogging; mass identity theft; botnet spread; and pay-per-click systems abuse. The article also introduces some responses to the threat of botnets, including botnet detection methods; anti-botnet appliances and services; and botnet mitigation methods.
CIPP Exam Preparation
In preparation for the Certification Foundation (Foundations) exam and the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:
• Privacy Concerns – Organizational Practices (CIPP/IT; II.A.b.)
• Web Security Protocols – HTTPS (CIPP/IT; III.B.c.iv.3.)
• Information Security Threats and Vulnerabilities – Malware (Foundations; II.A.f.i.)
• Sensitive Information Online Privacy Threats (Foundations; III.B.a.)