
Presentation Undergraduate Project


Botnets: Implementation, Detection, Countermeasures and Analysis of Virtual Network Attacks

Introduction
The project concerns the cyber security threat of botnets: networks of compromised computers (bots, created by installing malware that gives the attacker a remote control mechanism without the owners' knowledge) used for illegal purposes and financial gain. Examples include key loggers for stealing online banking details, phishing emails, bitcoin mining and disruption of Internet services through Distributed Denial of Service (DDoS) attacks, which are also used for ransomware-style extortion (demanding money under threat of launching DDoS attacks).

The threat can be addressed by determining what constitutes adequate defence against botnets: investigating existing detection strategies and countermeasures, then contributing ideas, specifically a proposed Wide Area Network initiative involving intrusion prevention systems and honeynets that cover the whole network for members who join the scheme for a small fee. The aim is to put these suggestions forward, as documented policy improvements, to organisations that can implement them in the future.

Detection of Botnets
Botnet detection methods can be grouped into several categories. Detection is an important step that precedes any countermeasure against a botnet, unless prevention strategies are in place and succeed. Prevention involves intrusion prevention systems; newer, more advanced systems such as next-generation firewalls (for example Palo Alto's) are designed for enterprise-level protection. Attackers craft packets specifically to evade detection by custom intrusion detection systems, firewalls and intrusion prevention systems, but such packets can be picked up by the monitoring of a next-generation firewall using stateful packet inspection implemented alongside an intrusion prevention system.

Other detection techniques include honeynets, botnet infiltration and malware reverse engineering. A honeynet is a collection of honeypots working together as traps: network nodes that present a fake network which looks real from the attacker's perspective, placed at different points on the network to maximise the chance of capturing data from an attack.

Botnet Technical Countermeasures
Most technical countermeasures focus on the command-and-control infrastructure of botnets, for example filtering botnet-related traffic, sinkholing domains with the assistance of DNS registrars and obtaining the shutdown of malicious servers in data centres. Applying these techniques can raise legal complications. Organisations and governments are collaborating on initiatives to counteract threats and develop countermeasures against organised cyber crime.

Various countermeasures include:
• Blacklisting
• Distribution of Fake/Traceable Credentials
• Border Gateway Protocol (BGP) Blackholing
• DNS Sinkholing
• Direct Take Down of Command-and-Control Server
• Port 25 Blocking
• Walled Gardens
• Infiltration and Remote Disinfection
• Peer-to-Peer Countermeasures
• Packet Filtering on Network and Application Level
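As an added illustration of the DNS sinkholing and blacklisting countermeasures listed above (example code written for this page, not part of the project; the domains, addresses and query log are constructed placeholders): a resolver that answers blacklisted command-and-control names with a sinkhole address and records which internal hosts asked, so the sinkhole doubles as a detection source for infected machines.

```python
"""DNS sinkhole simulation: blacklisted C2 names resolve to a sinkhole
address and every querying client is recorded for later triage.
All names, addresses and log entries below are constructed examples."""
from collections import Counter, defaultdict

SINKHOLE_IP = "10.0.0.250"  # assumed address of the internal sinkhole host

# Constructed blacklist of C2 domains (placeholders, not real indicators).
C2_BLACKLIST = {"c2.example-botnet.test", "update.example-botnet.test"}

# Constructed upstream answers, standing in for a real recursive resolver.
UPSTREAM = {
    "www.bank.example": "198.51.100.10",
    "mail.example": "198.51.100.20",
    "c2.example-botnet.test": "203.0.113.66",
}


def is_blacklisted(qname: str) -> bool:
    """True if qname or any parent domain is blacklisted, so that
    'beacon.c2.example-botnet.test' is caught as well as the apex name."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in C2_BLACKLIST for i in range(len(labels)))


class SinkholeResolver:
    def __init__(self):
        self.hits = defaultdict(Counter)  # client IP -> Counter of sinkholed names

    def resolve(self, client_ip: str, qname: str) -> str:
        """Answer a query; blacklisted names are sinkholed and the client logged."""
        if is_blacklisted(qname):
            self.hits[client_ip][qname.lower()] += 1
            return SINKHOLE_IP
        return UPSTREAM.get(qname.lower(), "0.0.0.0")  # stand-in for NXDOMAIN

    def suspected_bots(self, min_hits: int = 2) -> list:
        """Clients that asked for C2 names at least min_hits times, busiest first."""
        totals = {ip: sum(c.values()) for ip, c in self.hits.items()}
        return sorted((ip for ip, n in totals.items() if n >= min_hits),
                      key=lambda ip: -totals[ip])


# Constructed query log of (client IP, queried name) pairs.
QUERY_LOG = [
    ("192.168.1.20", "www.bank.example"),
    ("192.168.1.31", "c2.example-botnet.test"),
    ("192.168.1.31", "beacon.c2.example-botnet.test"),
    ("192.168.1.31", "update.example-botnet.test"),
    ("192.168.1.42", "c2.example-botnet.test"),
    ("192.168.1.20", "mail.example"),
]


def run_sinkhole(log=QUERY_LOG) -> SinkholeResolver:
    """Replay the log through the sinkhole and return it for inspection."""
    resolver = SinkholeResolver()
    for client, name in log:
        resolver.resolve(client, name)
    return resolver
```

A single query to a blacklisted name may be a false positive (a security scan, a stale cached link), so the threshold in suspected_bots is what turns the sinkhole log into a candidate list for investigation rather than an automatic verdict.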

Results: Botnet Implementation
An artefact was developed by creating and implementing the Solar botnet. The attacks were launched on a virtual network created specifically for this purpose. An email server (SquirrelMail) and its supporting DNS server were configured (both on Linux); emails carrying the bot executable as an attachment were sent to the user email accounts and used to infect the machines, adding them to the botnet as bots. The login data captured in the botnet's logs revealed passwords, analogous to harvesting online banking credentials.

Figure 2: Solar Botnet Logs Email Login Data Capture Information View

Student Name: Cevdet Basaran
Student No: 1203167
Supervisor Name: Dr Haider M. al-Khateeb
Course: BSc (Hons) Computer Security and Forensics

Problem Statement
There is a tremendous amount of financial damage due to botnets [1]. The problem can be addressed by taking down as many botnets as possible. (Refer to the thesis for further references.)

Aim
To eliminate botnet threats and malware. To create and implement a botnet attack in order to develop defensive strategies, replicating the psychology of a bot master (attacker) to understand the mind-set of cyber criminals and outsmart them.

Objectives
• To create and implement a botnet.
• To investigate techniques to detect botnets.
• To apply countermeasures to eliminate or mitigate botnet attacks.
• To investigate quantum botnet research.

Methodology
• Qualitative analysis in the survey of botnets, describing existing botnets, their properties and operation.
• Quantitative analysis of the artefact development, i.e. number of bots, data capture analysis and statistics.

Figure 1: Typical Botnet Architecture Network Diagram [2] (Microsoft Symantec Corporation; Dell Secure Works, 2013)

References
[1] Computer Economics (2014) Annual Worldwide Economic Damages from Malware Exceed $13 Billion. Available at: http://www.computereconomics.com/article.cfm?id=1225 (Accessed: 17 October 2014).

[2] Microsoft Symantec Corporation; Dell SecureWorks (2013) Diagram showing the typical structure of a Botnet computer network. Available at: https://uk.images.search.yahoo.com/images/view (Accessed: 23 December 2014).