Cyber Security Tutorial


Botnet in cyber security

Introduction

Since people started using computer systems, they have been targets of cyber-attacks. The motive and the medium vary from attack to attack: a phishing attack uses email, a DDoS attack uses the network, and so on. In most cyber-attacks the attacker uses the network as the medium to reach user information. Online security faces many hazards, many of them legitimate technologies that have been abused, and the "botnet" is one such threat faced by users.

The term "botnet" combines two words, "robot" and "network", and refers to a network of robots (bots) handled by a malicious party to exploit systems and harvest user information. A botnet is a network of computers that have been infected with malware and are under the control of a single attacking party, known as the "bot herder".

In other words, a botnet is a collection of internet-connected, malware-infected devices that can be used for a number of nefarious purposes.

Attackers build botnets to gain something, usually money or personal satisfaction. The motives are the same as those behind other cyber-crime:

  • Information theft – Some attacks access sensitive data or confidential accounts in order to take advantage of them.
  • Financial theft – To extort or steal money directly.
  • Selling data or access to other criminals on the dark web – To make money from the stolen information or from the bots themselves. Other criminals preparing a large-scale attack or scam campaign buy this data or access outright, rent it, or pay per use.
  • Sabotage of services – To take websites and services offline.
  • Cryptocurrency mining and scams – Botnets are used to hijack users' processing power to mine cryptocurrency.

Some botnets are also created simply to prove the operator's skill; these end up being used for all types of attacks (against the botnet's own infected users and against others), regardless of the original motive.

History of botnet

Because of the sophisticated malware techniques they use, botnets are difficult to counter. Conficker, first detected in 2008, is among the largest and most notorious botnets in history. Its worm spread in the wild and infected business, government and consumer computers in more than 190 countries.

In August 2016 the Mirai malware was detected targeting online consumer devices such as IP cameras and home routers. Then, in October 2017, Check Point researchers detected the "Reaper" malware using Check Point's intrusion prevention system (IPS); this botnet was recruiting IoT devices for use in a potentially large-scale attack.

Working of botnet

Botnet –“Network of malware-infected computers."

This group of malware-infected computers is controlled by a single attacking party, known as the "bot master" or "bot herder": the threat actor who turns the swarm's component machines into bots.

In the first step, the bot herder plans to hijack a set of computer systems to build a botnet from which various cyber-attacks (malware distribution, scams, brute-force attacks, etc.) can be launched. Before that, the attacker gathers information about potential targets; this reconnaissance phase is known as footprinting or information gathering. It includes working out which attacks can be launched and how likely the target systems are to be vulnerable to them. Footprinting collects data such as the hosts on a network, their vulnerabilities, their TCP and UDP services and specific IP addresses. There are two types of footprinting: active and passive.

→ In active footprinting, information is gathered from the target directly, for example by scanning it with a tool such as Nmap.

→ In passive footprinting, information is obtained without touching the target directly; it is taken from public websites, social media accounts and similar sources.

A malware-infected system is referred to as a zombie computer or bot. The bot master directs the group of hacked computers with remote commands: the bot herder's command software controls their behaviour, and the compromised bots become the means of fulfilling the ulterior motive. The devices respond blindly to the bot herder's commands, usually without the owner's notice.

Usually, in a botnet, the many infected systems are controlled from a command and control (C&C) server operated by the herder. The assembled botnet carries out a variety of attacks: stealing data, taking control of the victim's computer, sending spam, spying on user activity by collecting screenshots or recording keystrokes, and executing DDoS (distributed denial-of-service) attacks. Botnets are operated in the following ways:

  • A single machine is controlled based on its IP address.
    Cybercriminals use single-machine bots for illicit operations because they are simple to build and run and require little infrastructure. A bot on a single machine performs operations such as opening a backdoor on the victim's PC. An IRC (Internet Relay Chat) channel and some specialised client software are used to control it. The bot itself is computer code programmed to perform tasks in certain scenarios, triggered by specific events or commands.
  • Multiple machines are commanded using the IRC protocol.
    Bot herders control the bots over IRC, which lets them rapidly enrol infected computers from around the world into a single group after scanning for open ports and exploitable vulnerabilities. With these numbers, botnets can take part in large-scale attacks.
  • More than one computer is controlled using remote administration tools (RATs).
    Botnets are manipulated remotely using remote access tools (RATs): rogue applications installed on victims' systems without their permission or knowledge. Along with RATs, other malware (Trojans, spyware, fake software-update websites and keyloggers) is used in the botnet system to give the attacker control from a remote location.
  • DDoS attacks are launched using the bots' IP addresses.
    Such a botnet can be leased by attackers who want to carry out DDoS attacks against internet services without exposing their own identity. The botnet triggers the DDoS attack against its target via IRC commands; on receiving the command, the bots assault the victim's web server and the associated computers and network.

In short, a botnet is built in these steps:

  1. Vulnerability exploitation – Most commonly, attackers exploit vulnerabilities in a device, server or standalone workstation that give them enough control to launch the next stage from that device.
  2. Botnet conscription – For a device to become part of a botnet, the attacker needs a way to control what it does remotely. A bot client is installed that links the device to the command server.
  3. Botnet coordination – The system that controls a botnet is called Command and Control (C2). It can be as simple as the bot client polling a predefined URL for its next command, or as unusual and sophisticated as taking commands from an IRC channel.
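The polling described in step 3 is also what gives a bot away on the defender's side: a client that checks a fixed C2 host on a timer produces connections with near-constant spacing, which human browsing does not. The following Python script is an added example (not code from the original tutorial) that shows this detection over a small constructed connection log. The log format, the IP addresses and the thresholds are assumptions made for the demonstration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log (not from the page): "timestamp src_ip dst_ip:dst_port".
# 10.0.0.5 checks in with 203.0.113.7:443 about once a minute (a simulated C2 poll);
# 10.0.0.8 is ordinary, irregular browsing traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 203.0.113.7:443
2024-03-01T10:00:03 10.0.0.8 198.51.100.2:443
2024-03-01T10:01:00 10.0.0.5 203.0.113.7:443
2024-03-01T10:01:41 10.0.0.8 198.51.100.9:80
2024-03-01T10:02:01 10.0.0.5 203.0.113.7:443
2024-03-01T10:02:10 10.0.0.8 198.51.100.2:443
2024-03-01T10:03:00 10.0.0.5 203.0.113.7:443
2024-03-01T10:03:55 10.0.0.8 198.51.100.4:443
2024-03-01T10:04:01 10.0.0.5 203.0.113.7:443
2024-03-01T10:05:00 10.0.0.5 203.0.113.7:443
2024-03-01T10:05:30 10.0.0.8 198.51.100.2:443
2024-03-01T10:05:45 10.0.0.8 198.51.100.2:443
2024-03-01T10:09:12 10.0.0.8 198.51.100.2:443
"""

MIN_CONNECTIONS = 5     # fewer connections than this is too little to judge periodicity
MAX_JITTER_RATIO = 0.1  # stdev/mean of the gaps; browsing is far noisier than this


def parse_log(text):
    """Return {(src, dst): [sorted timestamps]} from the whitespace-separated log."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    for times in flows.values():
        times.sort()
    return flows


def flag_beacons(flows, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER_RATIO):
    """Return [(src, dst, mean_gap_seconds)] for flows whose gaps are near-constant.

    A low ratio of standard deviation to mean over the inter-connection gaps is the
    signature of a timer-driven check-in; legitimate update checkers also match it,
    so the result is a triage lead, not a verdict.
    """
    beacons = []
    for (src, dst), times in flows.items():
        if len(times) < min_connections:
            continue
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((src, dst, round(avg, 1)))
    return beacons


if __name__ == "__main__":
    for src, dst, gap in flag_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every ~{gap}s")
```

Real bot clients often add random sleep to each poll, so in practice the jitter threshold is tuned per environment and the analysis is run over hours rather than minutes; software update checks, NTP and monitoring agents will also appear in the output and must be allow-listed during triage.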

Types of botnet

  1. IRC - Internet Relay Chat
    The botnet uses IRC (Internet Relay Chat) bots. A legitimate IRC bot automates tasks and interactions in an IRC chat room or channel and appears to be a real user, but the same mechanism can be exploited to run a botnet: any device with a malicious IRC bot installed can be controlled through commands relayed over an IRC channel.
    Bot herders use IRC to send directives to the swarm's component machines via a channel on a public IRC network, a private channel, or an independent IRC server. The IRC server acting as the command and control (C2) server hosts the channels used to control the bots; it may be hosted independently or run as separate software by the channel administrator.
  2. HTTP botnet
    HTTP (Hypertext Transfer Protocol) botnets are web-based botnets in which the bot herder posts instructions on a web server and the bots periodically poll the server for new commands and updates. Because the traffic uses HTTP, the bot herder can evade common detection methods (such as desktop firewalls) by camouflaging the activity as regular web browsing.
  3. P2P botnet
    A peer-to-peer (P2P) botnet is built on a peer-to-peer network, in which two or more computers connect and share resources (CPU cycles, storage, content) by direct exchange, without a central server or authority administering the resources. Each bot acts as both server and client, passing commands and information on to the other bots. P2P botnets are harder to set up than IRC or HTTP botnets but far more resilient: because they do not depend on a centralised server, there is no single C2 server for defenders to take down, and the attacker does not need to maintain one. The operator retains control of the compromised devices through commands that propagate from peer to peer.
  4. Automated botnet
    These botnets work without human intervention: they automatically scan for and infect new victims and consume their resources, for example the local CPU and network bandwidth, and launch DDoS assaults on the herder's command. Automated botnets can be difficult to detect, even by the antivirus protection installed on the system.
  5. Spam-sending botnets
    This kind of botnet is designed to send millions or billions of unwanted spam messages to targeted recipients from infected devices all over the globe. First the bots harvest data such as email addresses and phone numbers from online forums, guest books, websites and other places where people publish their contact details. The bots are commanded by a bot master for remote execution and are installed on compromised devices through several methods of remote code installation. To avoid identification by investigators and law enforcement, the bot master frequently conceals their identity using proxies, the Tor (The Onion Router) network and compromised shell hosts. The bots are set up to authenticate to the command and control servers using passwords or keys, so that only the operator can control them remotely.
  6. Backdoor botnet
    A backdoor botnet relies on backdoors: code that lets the attacker bypass the standard security measures and obtain a high level of access, often root or administrator, on the compromised machine. The machine is then added to the collection of bots commanded by the perpetrator and used to corrupt other devices.
  7. Manual botnet
    Some cyber criminals still prefer a manual botnet over a fully automated one because it gives them finer control over an attack: the attacker directs every step and can start an attack from any compromised machine. The drawback for the attacker is that these botnets are easier to detect and track, because of the human interaction and because the bots fetch updates to their malicious code from a remote repository.

Types of botnet attacks

  • DDoS attack
    These are the attacks most commonly associated with botnets: the bots hammer a website with requests to overload and crash it and the key online services behind it, with reputational and financial repercussions. A system under a DDoS attack shows signs such as the website loading slowly or the message "503 Service Unavailable" appearing when the user tries to load it.
  • Phishing attacks and spam
    A botnet is a way to carry out automated spam and phishing campaigns in which millions of messages are sent to thousands of organisations. Even with a success rate of only one per cent, thousands of devices are compromised. Victims of a phishing attack can report it to the relevant authorities: phishing emails can be reported to the Federal Trade Commission at spam@uce.gov and to the Anti-Phishing Working Group (APWG) at [email protected]; phishing text messages can be forwarded to the number 7726 (SPAM).
  • Brute-force and credential-stuffing attacks
    These attacks are programmed to compromise an account by trying many different login combinations. Attackers use commonly chosen passwords or credentials leaked from other breaches, and because many different devices attempt the logins, each from its own IP address, traditional per-IP lockout methods do not stop them.
  • Crypto mining and clipping
    In the past few years cryptocurrencies have created new opportunities for malicious hackers: crypto mining (using the victim's hardware to mine coins) and crypto clipping (swapping a wallet address in the victim's clipboard for the attacker's). Botnets used as mining machines degrade the efficiency of the infected devices and the network.
  • Targeted intrusion
    Hackers use a botnet to target a specific company and get at its information. If a single bot can infiltrate the organisation's network, it can be used to steal funds and cause financial damage to the organisation.

Architecture of botnet

  1. Client-server model
    This is the most commonly used arrangement. The infected devices (computers, security cameras, smart speakers, etc.) connect to a control server run by the criminal, which issues commands to the botnet over one of a couple of communication protocols, typically HTTP (Hypertext Transfer Protocol) or IRC (Internet Relay Chat).
  2. P2P botnet
    This model connects the devices directly to each other without any central server, so it is decentralised: commands are not sent from a single static source, and any compromised device can relay instructions to other bots on the network.

Botnet attack example

Some of the dangerous and famous botnet attacks are as follows:

  • Zeus – Zeus (also known as Zbot) emerged in July 2007. It is a Trojan spread mainly through phishing emails and drive-by downloads that steals banking credentials by logging keystrokes and grabbing the contents of web forms; the infected machines formed one of the largest botnets of its time.
  • Mirai – First seen in 2016, Mirai targets IoT devices and has been used in some of the most disruptive DDoS attacks on record, built from consumers' online devices.
  • Mariposa – Mariposa emerged in 2009; it committed online scams, launched DDoS attacks and stole victims' account credentials so that its operators could sell them on the dark web.
  • Storm – The Storm botnet was identified in 2007 and grew to a massive network estimated at 250,000 to 1 million infected devices. It was one of the first P2P botnets and was used for attacks ranging from DDoS to identity theft.
  • 3ve – 3ve, discovered in 2016, was a different kind of botnet: it generated fake clicks on online advertisements hosted on fake websites. It did not steal data or money from the infected users; the profit came from defrauding advertisers.

Preventing and detecting botnet infection

  • Updating the operating system
    System owners should update their systems at regular intervals and use up-to-date software, because each update carries security patches for known vulnerabilities that botnet malware would otherwise exploit.
  • Download from a trusted source
    Downloading files from untrusted or infected sources may open the way to botnet malware; therefore users should download only from trusted sources, and in professional communication documents should be protected (for example, password-protected PDFs) and attachments verified before opening so that they do not become a medium for botnet malware.
  • Leverage a network intrusion detection system (NIDS)
    Tools such as a network intrusion detection system are used to detect botnet activity in the network: they detect malware traffic, cyber-attacks, port scans and denial-of-service attacks by continuously monitoring network traffic and identifying unusual patterns in the packets.
    A NIDS monitors incoming and outgoing traffic to and from network devices. Any suspicious activity or policy violation it detects can be reported to an administrator or collected by a SIEM (security information and event management) system. A NIDS is built from interconnected parts (hardware sensors, software components and standalone appliances) that together provide advanced, real-time intrusion detection.
  • Investigation of failed login attempts
    Botnets that have obtained stolen usernames and passwords try all of them to gain illegal access to accounts. Tracking failed login attempts creates a baseline of normal activity against which a botnet assault stands out, and alerts the IT team. Account takeover (ATO) attacks are one of the major risks in online business, and "low and slow" attacks spread across many distinct IP addresses may not trigger alerts based on per-IP thresholds, so failed logins should also be examined per account.
  • Paying attention to website security
    A website is a medium of communication, and a website with no security controls or robust encryption is easy prey for a botnet. To protect its confidentiality and availability, its security must be robust.
  • A purposeful botnet detection system
    Another method of limiting botnet damage is to invest in comprehensive botnet mitigation and anti-botnet services, which safeguard websites and servers by identifying botnets in real time. For example, DataDome's AI-powered solution uses real-time behavioural analysis to identify traffic anomalies and block botnet activity before it reaches web services.
    Such a botnet detection system monitors many websites, gathers information and evaluates billions of requests a day. Machine learning is used to constantly refine its algorithms so that both known and unknown botnets are detected before they can harm the system.
  • Admin passwords should be changed and differ across all devices
    Users often use the same password on all their devices, which opens the way to botnet infection once one password is known. Use a different, strong password for each device and change them periodically.
  • Don't buy devices with weak security.
    Devices with weak security should not be used, as they are easy targets for botnet recruitment.
  • Monitoring the network continuously.
    To prevent botnet attacks, defenders must constantly watch their network for unexpected activity. To do that, the team must know the regular dynamics of the network and how everything normally operates, 24/7/365. Network traffic analysis tools provide the analytics and data collection that help identify botnet activity and maintain up-to-date logs of network performance and user behaviour.
  • Using a firewall for protection
    A firewall, combined with antivirus protection, is one of the best ways to stay safe from botnets: the firewall blocks unsolicited inbound connections and can block known-malicious outbound connections, limiting both how malware reaches the device and how a bot reaches its C2 server.
  • Implementing two-factor authentication and strong credentials
    Two-factor authentication and strong passwords greatly reduce the likelihood of an account being taken over by a botnet's credential attacks, because a stolen or guessed password alone is no longer enough to log in. Users should also verify unexpected email communications and downloads through a second channel before acting on them.
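As an added example that is not part of the original tutorial, the following Python analysis of constructed authentication log lines shows why the per-IP lockout mentioned under "Brute-force and credential-stuffing attacks" misses a botnet, and what an investigation of failed login attempts should look at instead: failures per account across distinct source IPs, failures per IP across distinct accounts, and successful logins to an account that was just being stuffed. The log format, user names, IP addresses and thresholds are all assumptions made for the demonstration.

```python
from collections import defaultdict

# Constructed auth log (not from the page): "timestamp result user src_ip".
# alice is stuffed from six different bots, then logged into from a seventh;
# bob mistypes his password twice from his own machine;
# 203.0.113.10 tries one password against four different accounts.
SAMPLE_AUTH_LOG = """\
2024-03-01T09:00:01 FAIL alice 203.0.113.12
2024-03-01T09:00:02 FAIL alice 203.0.113.11
2024-03-01T09:00:04 FAIL alice 198.51.100.21
2024-03-01T09:00:05 FAIL alice 198.51.100.22
2024-03-01T09:00:07 FAIL alice 192.0.2.30
2024-03-01T09:00:09 FAIL alice 192.0.2.31
2024-03-01T09:00:10 OK alice 192.0.2.32
2024-03-01T09:00:12 FAIL bob 10.0.0.9
2024-03-01T09:00:20 FAIL bob 10.0.0.9
2024-03-01T09:00:31 OK bob 10.0.0.9
2024-03-01T09:01:00 FAIL carol 203.0.113.10
2024-03-01T09:01:03 FAIL dave 203.0.113.10
2024-03-01T09:01:05 FAIL erin 203.0.113.10
2024-03-01T09:01:08 FAIL frank 203.0.113.10
"""

PER_IP_LOCKOUT = 5        # classic lockout threshold; no single bot ever reaches it here
MIN_DISTINCT_SOURCES = 4  # one account failing from this many IPs looks like stuffing
MIN_DISTINCT_TARGETS = 4  # one IP failing against this many accounts looks like spraying


def parse_auth_log(text):
    """Return a list of (timestamp, result, user, ip) tuples in log order."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, result, user, ip = line.split()
            records.append((ts, result, user, ip))
    return records


def per_ip_lockouts(records, threshold=PER_IP_LOCKOUT):
    """The traditional control: IPs whose own failure count reaches the lockout threshold."""
    fails = defaultdict(int)
    for _, result, _, ip in records:
        if result == "FAIL":
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n >= threshold)


def stuffed_accounts(records, min_sources=MIN_DISTINCT_SOURCES):
    """Accounts whose failures arrive from many distinct IPs: a botnet stuffing one account."""
    sources = defaultdict(set)
    for _, result, user, ip in records:
        if result == "FAIL":
            sources[user].add(ip)
    return {user: len(ips) for user, ips in sources.items() if len(ips) >= min_sources}


def spraying_sources(records, min_targets=MIN_DISTINCT_TARGETS):
    """IPs that fail against many distinct accounts: one bot working through a leaked list."""
    targets = defaultdict(set)
    for _, result, user, ip in records:
        if result == "FAIL":
            targets[ip].add(user)
    return {ip: len(users) for ip, users in targets.items() if len(users) >= min_targets}


def suspicious_successes(records, flagged_users):
    """Successful logins to a flagged account: the account-takeover candidates to review first."""
    return [(user, ip) for _, result, user, ip in records
            if result == "OK" and user in flagged_users]


if __name__ == "__main__":
    recs = parse_auth_log(SAMPLE_AUTH_LOG)
    stuffed = stuffed_accounts(recs)
    print("per-IP lockouts triggered:", per_ip_lockouts(recs))      # [] - the control is blind
    print("accounts under stuffing:", stuffed)                      # {'alice': 6}
    print("spraying sources:", spraying_sources(recs))              # {'203.0.113.10': 4}
    print("review these logins:", suspicious_successes(recs, stuffed))  # [('alice', '192.0.2.32')]
```

The per-IP counter never fires because each bot contributes only one or two failures, which is exactly the low-and-slow pattern described above; the per-account and per-source views surface both the distributed attack on alice and the single bot spraying four accounts, and the successful login that follows the failures against alice is the event an analyst would treat as a possible account takeover.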

Symptoms that a computer is part of a botnet

When a system is infected with botnet malware, it shows some symptoms; let's understand them in detail:

  1. The system cannot be updated
    • System updates include the patches that protect it from the latest cyber-security threats and from internal damage through vulnerabilities. Botnet malware may block operating system updates so that the vulnerabilities it relies on cannot be patched.
  2. Programs run slowly
    • When programs unexpectedly start running slowly, either the system is in need of servicing or it is infected with a hidden malicious program that consumes most of the system's processing capacity.
  3. The fan runs loudly while the system is idle.
    • When the fan speeds up while the user is using few resources, it indicates that the machine is busy with something the user did not start: cybercriminals may be using the idle processing power to intensify the botnet's activity, for example mining or attack traffic.
  4. The system shuts down very slowly.
    • A system affected by botnet malware shuts down more slowly than usual because of interference from the malicious background activity.
  5. Hijacking of the user's Facebook or other social media account
    • Bots are programmed to seek out other devices to infect, including by hijacking a victim's social media account and sending malware-infected links to all their friends. When a friend clicks the link, their device is added to the botnet.
  6. Emails sent from the user's account that the user did not write
    • Like other attacks, botnets use compromised email accounts to spread the infection to other computers. To reduce the risk of email account hijacking, users should log out of their email accounts after each session instead of just closing the browser.
  7. The user notices suspicious activity in the task manager
    • Sometimes a large amount of disk or CPU resources is used by a program the user does not recognise. Open the task manager and sort processes by the highest disk usage; for any unrecognised program with sustained activity (a few MB/s of disk traffic while the machine is idle is a reasonable warning sign), look up its name to confirm whether it is a critical system process that must not be closed. If it is not, terminate the process and investigate how it got there.
  8. The whole system becomes sluggish
    • Overall sluggishness can be a strong sign that the processor is being monopolised by malicious programs, which starves legitimate programs of processing time.