By Udita Shukla
As the age of information rears its head, stealth attempts to exploit or paralyse computer networks with malware have gained considerable ground. One of the most ubiquitous cyber epidemics is the botnet invasion.
What is a botnet?
A botnet is essentially a collection of internet-connected devices, such as personal computers (PCs), servers, mobile phones and IoT devices, infected with malicious software that allows them to be remotely controlled as a group. A botnet infection on an internet-connected device can be easily camouflaged by its perpetrators, so that the user remains oblivious to the threat to which his or her private data is exposed.
The repercussions of inaction towards this threat range from relatively harmless spam emails to more malevolent click-fraud campaigns and, worst of all, the siphoning of confidential financial data, identity theft, security breaches at the institutional level and the like.
The botnet army
Usually, a botnet army works in two phases: accumulation and production. Accumulation involves infecting as many systems as possible with the bot malware, typically under the guise of a genuine, legitimate user. An individual amassing a botnet is known as a bot herder.
It is estimated that the latest botnets have captured hundreds of thousands of systems, with some reaching millions. The final and most hostile phase, production, is tasking the compromised systems to spew out spam, mine cryptocurrency, disrupt network activity or perform some other unauthorised activity.
Botnet infiltration
Botnet infiltration is a fairly recent advancement in the field of data security. The first step to nabbing an uninvited element is to familiarise oneself with several aspects of a botnet’s activity. This is done by secretly joining its command-and-control (C&C) channel, a practice known as botnet infiltration. A previous study by Freiling and team was able to successfully infer botnet membership by directly tracking the number of bots on an individual command-and-control channel.
The primary weapon in botnet infiltration is an Internet Relay Chat (IRC) client that intelligently impersonates the behaviour of actual bots and then joins the channels of a number of botnets. The process continues until every piece of identifying information has been recorded. Sometimes, a botnet’s fingerprint can simply be the total number of unique identities observed on the channel over the entire tracking period.
A research study entitled, “Insights from the Inside: A View of Botnet Management from Infiltration”, harnessed information obtained through the infiltration of the MegaD botnet. MegaD (also known as Ozdok) is a mass-spamming botnet that has been held accountable for sending out around 32 percent of worldwide spam. The team of researchers, headed by Chia Yuan Cho, was able to capture intelligence pertaining to the botnet’s dynamical architecture and spam operations. Moreover, consolidated evidence signalling the botnet’s control centre to be a group of multiple botmasters was also extracted.
Botnet management
Although promising, the technique suffers from several limitations. Firstly, botmasters may prevent bot identities from being exposed on the channel, which would render the entire venture fruitless. Additionally, narrowing down an accurate figure for the bot population is arduous, as distinguishing cloned bots from real ones, and tracking the temporary, sporadic migration of bots, is a nontrivial issue.
Botnet management refers to the evolution of botnet command-and-control architecture (by botmasters) into ever more sophisticated and elusive programs. It also involves the question of whether a botnet has multiple managers (botmasters).
A technique that comes in handy in botnet infiltration is Google hacking, via which an intruder can scan websites, network systems and the like for possible security vulnerabilities and later exploit them to gain illegitimate access. Defences against botnets employ the same Google hacking techniques to pinpoint additional command-and-control servers run by botnet operators.
Symptoms of a botnet disease
Some noticeable symptoms of botnet intrusion include automatic connections to known C&C servers for instructions, generation of IRC traffic on specific ports and of Simple Mail Transfer Protocol (SMTP) traffic/e-mails, simultaneous identical domain name system (DNS) requests from many hosts and, most apparent of all, degraded workstation performance or internet access.
At the enterprise level, there is currently no silver bullet to crush the botnet empire. An organisation fortifies its in-house networks with multiple layers, and the right combination of protection tools, to keep its data and communication systems botnet-free.
An organisation should suspect a botnet intrusion in its network if it detects abrupt and simultaneous visits to external sites from its host systems. This indicates that a possible botnet-driven DDoS (distributed denial-of-service) attack is being launched from the victimised network. Similarly, mass outbound traffic over SMTP indicates that spam mailing may be under way. Network-based security tools therefore need to be tuned to identify these symptoms for successful fortification against botnets.
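To make the symptoms described above concrete, here is an added example (not code from the original article) of simple detection logic run over a constructed log: it flags DNS names or external destinations requested by many hosts at nearly the same time, and hosts making mass outbound SMTP connections. The thresholds, window size and sample records are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, source host, event kind, detail).
# kind "dns": detail is the queried name; kind "conn": detail is "dst_ip:port".
SAMPLE_EVENTS = [
    ("2017-06-01T10:00:00", "10.0.0.11", "dns", "cc.example-bad.test"),
    ("2017-06-01T10:00:01", "10.0.0.12", "dns", "cc.example-bad.test"),
    ("2017-06-01T10:00:02", "10.0.0.13", "dns", "cc.example-bad.test"),
    ("2017-06-01T10:00:03", "10.0.0.14", "dns", "cc.example-bad.test"),
    ("2017-06-01T10:05:00", "10.0.0.11", "dns", "www.example.org"),
    ("2017-06-01T10:30:00", "10.0.0.12", "dns", "www.example.org"),
    ("2017-06-01T11:00:00", "10.0.0.11", "conn", "198.51.100.7:80"),
    ("2017-06-01T11:00:01", "10.0.0.12", "conn", "198.51.100.7:80"),
    ("2017-06-01T11:00:01", "10.0.0.13", "conn", "198.51.100.7:80"),
    ("2017-06-01T11:00:02", "10.0.0.14", "conn", "198.51.100.7:80"),
] + [  # one host opening six outbound SMTP connections in six seconds
    ("2017-06-01T12:00:%02d" % i, "10.0.0.20", "conn", "203.0.113.%d:25" % i)
    for i in range(6)
]


def synchronized_activity(events, kind, window=timedelta(seconds=30), min_hosts=3):
    """Names (kind="dns") or destinations (kind="conn") requested by at least
    min_hosts distinct hosts within one sliding time window."""
    by_detail = defaultdict(list)
    for ts, host, k, detail in events:
        if k == kind:
            by_detail[detail].append((datetime.fromisoformat(ts), host))
    flagged = set()
    for detail, reqs in by_detail.items():
        reqs.sort()  # chronological, so each request can open a window
        for i, (start, _) in enumerate(reqs):
            hosts = {h for t, h in reqs[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged.add(detail)
                break
    return sorted(flagged)


def mass_outbound_smtp(events, min_conns=5):
    """Hosts with at least min_conns outbound connections to TCP/25,
    the mass-SMTP symptom of a spam-sending bot."""
    counts = defaultdict(int)
    for _, host, k, detail in events:
        if k == "conn" and detail.rsplit(":", 1)[1] == "25":
            counts[host] += 1
    return sorted(h for h, n in counts.items() if n >= min_conns)
```

On the sample log the same sliding-window check finds both the synchronised DNS lookups and the burst of connections to one external address, while the separate SMTP count isolates the spam-sending host.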
Some data security professionals opt for a honeynet (a decoy network posing as an easy intrusion target) as bait to lure botnets into their systems. This is especially suitable for big companies that need to safeguard valuable information or insulate themselves against a possible lawsuit from a victim of a botnet-based attack originating from their network.
Cyber attacks and lessons learnt
A United States college website succumbed to a series of distributed denial-of-service (DDoS) attacks in March 2017 that shut down access for a period of fifty-four hours. A new variant of the Mirai malware botnet was employed to disrupt the network, directing an average traffic flow of about 30,000 RPS (requests per second), with the highest peak at 37,000 RPS. The attack is said to have generated more than 2.8 billion requests.
In May 2017, a new ransomware called WannaCry invaded the United Kingdom’s National Health Service (NHS), as well as two hundred thousand outdated Windows-based devices in about one hundred and fifty countries. The attackers demanded a ransom of USD 300 to USD 600 in bitcoin from their victims. This is just one of the numerous instances that have kept bureaucratic circles and data security firms on their toes in the recent past.
These are just a few of the many data breaches that shook data security firms, disrupted business conglomerates and showed the world the ugly side of keeping everything digital. Going by the nature of cyber attacks, protection against botnets needs to be approached from the accumulation and production phases separately, with a different strategy for each.
The most obvious and traditional approach is to implement a set of controls that detect and block the installation of botnet software on client systems, thereby preventing botnets from consolidating a foothold on the network. The production phase should be dealt with by security programs and procedures created with a scenario of successful botnet penetration into the host system in mind. This implies that the first layer of defence has already been quashed and the existing bots have begun replicating themselves or even phishing for data.
Need of the hour
The major driving force behind the burgeoning instances of cyber attacks is the increasing digitisation of information, currency and services. As indispensable and fruitful as a digital economy is, the cons that follow it are equally unavoidable. Financial data stored as binary bits attracts more hackers, as there can always be the possibility of an as yet undetected security lacuna.
Additionally, the facility of using proxy servers is a big prize for an intruder, since it allows data theft to go by the name of the compromised host system. We need to understand that an all-pervasive digital infrastructure in today’s world makes data all the more susceptible.
A mid-year report by Risk Based Security (RBS) in July 2017 recorded 2,227 data breach incidents as of June 2017, in which six billion records found their way into hackers’ hands. The number surpasses the total number of medical and financial records stolen in the whole of 2016.
With cyber-criminals becoming less and less apparent in their operations, and the sudden deluge of regular updates to botnet C&C servers and their signatures, research into botnet detection mechanisms requires substantial intellectual and monetary investment. Since the present levels of cyber-reach and digitisation will expand and diversify in future, data security demands a concerted effort from both the bureaucratic and the R&D community.
Featured Image Source: Pixabay