Botnets

From GEST-S482 Digital Business

Botnets

A botnet is a network of connected devices that are each running one or more bots. Botnets are usually used to perform DDoS attacks, steal data, and so on. They are often rented out by cybercriminals.


What is a Botnet

The word Botnet is a mixture of the words "robot" and "network". It is a network of computer bots designed mainly to manage chat channels or to offer various services to users (such as games, for example). Being connected to a network allows them to give each other channel operator status in a secure manner and to effectively control flood attacks or others. Sharing lists of users, bans, and any other sort of information makes their use more efficient. In addition, they are also used for web indexing, where the huge volume of data to be processed makes them essential.

Botnet architecture

[Image: Botnets architecture.png]

Main uses of malicious Botnet

Malicious botnets are mainly used to:

  • Relay spam for illegal trade or for the manipulation of information (for example stock prices).
  • Perform phishing operations aimed at recovering personal information in order to impersonate the victim.
  • Identify and infect other machines by spreading viruses and malware.
  • Participate in mass denial of service (DDoS) attacks to make a service unavailable.
  • Abusively generate clicks on an advertising link within a web page.
  • Capture information on compromised machines for resale of that information.
  • Use the computing power of the machines or perform distributed computing operations, notably launching a brute force attack (e.g. a dictionary attack).
  • Steal user sessions by credential stuffing: this attack automates connection attempts using thousands or even millions of previously discovered identifier / password pairs.
  • Conduct illicit trade operations by managing access to sites selling prohibited or counterfeit products via fast-flux techniques.
  • Mine cryptocurrencies, such as bitcoin.

Hacker's motivations

  • Spam: to send more mails.
  • DDoS: to send more attacks on a server to make it stop working.
  • Brute forcing: to find a password faster.
  • Cryptocurrency mining.

Botnets and DNS

Why would a botnet use the DNS protocol? To facilitate access to hosts on an IP network, a mechanism was implemented around 1985 to associate a name with an IP address: the Domain Name System (DNS). This protocol acts at layer 3 of the OSI model by transforming a domain name (e.g. google.com) into an IPv4 or IPv6 address, of size 32 bits and 128 bits respectively. This protocol has known many flaws due to its too "verbose" design. This weakness is often the initial step of a penetration test, since it allows a lot of useful information to be collected, especially when discovering interesting targets. An efficient means must be put in place to allow communication between the botnet's bots and the command and control (C&C) server. The most naive way to provide it is to use a fixed set of hard-coded IP addresses in the malicious binaries. The Domain Name System is very popular with botnets for locating C&C servers, which greatly enhances the survival of a botnet and helps it escape detection.

Detection of Botnet

Domain flux detection

Domain Generation Algorithms (DGA) generate a very large number of domain names in order to keep the botnet invisible by constantly changing the domain name of the C&C server. This makes identifying the server more difficult. Using this technique, the attacker can move C&C servers across multiple domain names in a flexible way. Infected computers attempt to contact some of these domain names daily to receive updates or commands to execute from their controller. The use of public keys provides an additional defence: updates from other third parties are not taken into account because they are not signed.

Fast flux detection

The fast flux service network architecture is widely adopted by botnet operators because it extends the lifetime of botnet domain names. The basic concept of a fast flux network is to associate several IP addresses with a domain name and then change them constantly. This makes it possible to mask the original source of the instructions, which reach the network through a series of proxies, making it more difficult to identify the attackers' network. Each domain name in the botnet is mapped to different sets of IP addresses, which means that requests from legitimate users are processed by machines other than those the users contacted. Most existing methods for detecting fast flux networks are based on the properties described above.
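The detection properties named above (many IP addresses per name, constant change, short TTL) turned into a small checker over resolver observations, as an added example that is not part of the original page; the `OBSERVED` data, the `/16` grouping and the thresholds are constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of A-record answers collected over several lookups.
# Tuples are (domain, ttl_seconds, answered_ips); names and IPs use
# documentation ranges and are not real infrastructure.
OBSERVED = [
    ("shop.example", 3600, ["93.184.216.34"]),
    ("shop.example", 3600, ["93.184.216.34"]),
    ("fluxy.test", 120, ["198.51.100.7", "203.0.113.22", "192.0.2.45"]),
    ("fluxy.test", 120, ["198.51.100.9", "203.0.113.80", "192.0.2.46"]),
    ("fluxy.test", 120, ["198.51.100.18", "203.0.113.13", "192.0.2.77"]),
]


def summarize(observations):
    """Per domain: lowest TTL seen, distinct IPs, distinct /16 networks, lookups."""
    stats = defaultdict(lambda: {"ttl": None, "ips": set(), "nets": set(), "lookups": 0})
    for name, ttl, ips in observations:
        s = stats[name]
        s["lookups"] += 1
        s["ttl"] = ttl if s["ttl"] is None else min(s["ttl"], ttl)
        for ip in ips:
            s["ips"].add(ip)
            # /16 is a crude stand-in for "different networks / hosting providers".
            s["nets"].add(str(ipaddress.ip_network(f"{ip}/16", strict=False)))
    return stats


def flux_score(s, max_ttl=300, min_ips=5, min_nets=3):
    """Count how many fast-flux properties a domain shows: short TTL,
    many distinct IPs, and IPs spread over several networks."""
    score = 0
    if s["ttl"] is not None and s["ttl"] <= max_ttl:
        score += 1
    if len(s["ips"]) >= min_ips:
        score += 1
    if len(s["nets"]) >= min_nets:
        score += 1
    return score


def suspicious_domains(observations, threshold=2):
    """Domains meeting at least `threshold` of the three properties."""
    stats = summarize(observations)
    return sorted(n for n, s in stats.items() if flux_score(s) >= threshold)


if __name__ == "__main__":
    for name, s in summarize(OBSERVED).items():
        print(name, "ttl", s["ttl"], "ips", len(s["ips"]), "score", flux_score(s))
    print("fast-flux candidates:", suspicious_domains(OBSERVED))
```

Content delivery networks also answer with many IPs and short TTLs, so a score like this is a triage signal to combine with other evidence, not a verdict on its own.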

DNS tunneling

DNS tunneling is a method that allows malicious users to bypass the firewall in order to exchange messages from one network to another. Data is added to DNS queries in order to take control of the network and/or exfiltrate confidential data out of the targeted company. This technique works by using the payload (the data portion of a packet) to transport packets carrying the actual service, which is not normally provided by the network. In addition, there are several types of DNS tunneling: FTP-DNS tunneling, HTTP-DNS tunneling, HTTPS-DNS tunneling and POP3-DNS tunneling.
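Both the domain flux (DGA) section and the DNS tunneling section above describe names that look unlike normal traffic, so one lexical detector serves both; this is an added example, not code from the original page. The `SAMPLE_LOG` lines, the record format and the thresholds (entropy 3.5, label length 40, name length 50) are constructed assumptions for illustration.

```python
import math

# Constructed sample of a resolver query log, one "timestamp client qtype qname"
# record per line. Names are invented for the example, not real traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:01 10.0.0.5 A www.example.com
2024-03-01T10:00:02 10.0.0.5 A mail.example.com
2024-03-01T10:00:03 10.0.0.9 A qx7v2kz9p4mwtb1r.net
2024-03-01T10:00:04 10.0.0.9 A h3k9d2s8f1g6j4lq.net
2024-03-01T10:00:05 10.0.0.7 TXT n4x9q2z8v1b7k3m6t0p5w2y8r4c7h1j9d3f6g0l5s2a8e4u7i1o3.c2.example.org
"""


def shannon_entropy(s):
    """Bits per character; random-looking labels score close to log2(alphabet size)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def digit_ratio(s):
    return sum(c.isdigit() for c in s) / len(s) if s else 0.0


def classify(qtype, qname):
    """Lexical heuristics only: DGA-like names have a long, high-entropy, digit-heavy
    second-level label; tunnelling pushes encoded data into very long labels or names."""
    labels = qname.rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    subdomain = ".".join(labels[:-2])
    if (len(qname) >= 50 or max(len(l) for l in labels) >= 40
            or (qtype in ("TXT", "NULL") and subdomain and shannon_entropy(subdomain) >= 3.5)):
        return "tunnel-like"
    if len(sld) >= 12 and shannon_entropy(sld) >= 3.5 and digit_ratio(sld) >= 0.2:
        return "dga-like"
    return "benign"


def alerts(log_text):
    """Return (client, qtype, qname, verdict) for every non-benign query."""
    out = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records rather than crash on them
        _, client, qtype, qname = parts
        verdict = classify(qtype, qname)
        if verdict != "benign":
            out.append((client, qtype, qname, verdict))
    return out
```

Lexical scoring alone produces false positives on CDN and cloud hostnames, so in practice it is combined with volume per client, NXDOMAIN rates and TTL behaviour before raising an alert.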

Malware associated with botnet C&Cs

[Image: Malware botnet 2019.PNG]

Rank  Malware           Note                               % change
1     Lokibot           Credential Stealer                 +74%
2     AZORult           Credential Stealer                 +190%
3     Nanocore          Remote Access Tool (RAT)           +181%
4     Pony              Dropper/Credential Stealer         -23%
5     TrickBot          e-banking trojan                   +173%
6     Gozi              e-banking trojan                   +76%
7     Emotet            Dropper/Backdoor                   -23%
8     RemcosRAT         Remote Access Tool (RAT)           +143%
9     Predator Stealer  Credential Stealer                 -
10    Adwind/JBifrost   Remote Access Tool (RAT)           -78%
11    NetWire           Remote Access Tool (RAT)           +98%
12    KPOTStealer       Credential Stealer                 -
13    ArkeiStealer      Credential Stealer                 +197%
14    NjRAT             Remote Access Tool (RAT)           +290%
15    AgentTesla        KeyLogger/Credential Stealer       -4%
16    QuasarRAT         Remote Access Tool (RAT)           -
17    Dridex            e-banking trojan                   -
18    HawkEye           Credential Stealer                 -
19    IcedID            e-banking trojan                   -
20    CoinMiner         Various crypto currency miners     -8%
-     Others            Other malware families             -

References

  1. Spamhaus, "Spamhaus Botnet Threat Report 2019", <https://www.spamhaus.org>, 28 January 2020.
  2. Xingguo Li, Junfeng Wang and Xiaosong Zhang, "Botnet Detection Technology Based on DNS", 25 September 2017.
  3. Greg Farnham, "Detecting DNS Tunneling" (article), <https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152>, 25 February 2013.
