Botnet Analysis and Detection

Submitted By jenny009
Acknowledgements
I would like to thank God Almighty for his faithfulness and for the strength; without him I am nothing.
I would like to thank my supervisor Dr Hatem Ahriz for his guidance throughout the writing of this report.
I would like to thank Richboy and Ete Akumagba for their guidance and for proofreading this report.
I would like to thank my family for their support and love.


Abstract
This era of explosive network usage has created many opportunities in the IT sector. Unfortunately, cybercrime is also on the rise, in several forms including, but not limited to, botnet attacks. A botnet is a set of compromised systems networked so that an attacker can control them. These systems take malicious actions on the attacker's behalf without the consent of the device owner and can cause considerable damage.
This paper is the first part of a two-part report. It discusses several known botnets, describes how they work and their modes of infection, and gives accounts of historic attacks and the reported damage in order to illustrate the capabilities of botnets.
Several existing tools useful for detecting and terminating botnets are examined. Each tool has its own detection strategy, which gives it advantages in some settings over others.


Table of Contents
Declaration
Acknowledgements
Abstract
Table of Contents
List of Tables
List of Figures
List of Abbreviations
Chapter 1: Introduction
1.1 Introduction
1.2 Definition of Terms
1.3 Motivation and Problem Identification
1.4 Aim
1.5 Objectives
1.6 Report Structure
Chapter 2: Literature Review
2.1 Background
2.2 Evolution of Botnet
2.3 Botnet Survey
2.3.1 Recent Botnet Attacks
2.3.2 Damages Caused by Botnet Attacks
2.3.3 Motivation for Botnet Usage
2.4 How Botnet Works
2.5 Classification of Botnet
2.5.1 Classification based on Communication Topologies
2.5.2 Classification based on Network Protocols
2.6 Botnet Command Modes
2.7 Botnet Infection Techniques
2.7.1 Email
2.7.2 Social Engineering
2.7.3 Drive by downloads
2.7.4 Vulnerability exploitation
2.7.5 Pirated Software
2.8 Botnet Attacks
2.8.1 DDoS Attack
2.8.2 Spam Sending
2.8.3 Identity Theft
2.8.4 Bitcoin Mining
2.9 Analysis of Botnets
2.9.1 Zeus
2.9.2 Koobface
2.9.3 Stuxnet
2.10 Botnet Detection Methods
2.10.1 Honeynet
2.10.2 Intrusion Detection Systems
Chapter 3: Analysis
3.1 Problem Analysis
3.2 Monitoring Tools
3.3 Intrusion Detection Systems (IDS)
3.4 Virtual Machines
3.5 Professional, Social, Legal and Ethical Considerations
Chapter 4: Project Specification
4.1 Planned Tools
4.2 Functional and Non-Functional Requirements
Chapter 5: Conclusion
5.1 Summary
5.2 Conclusion
References
Appendix
Appendix A: Project Specification
Appendix B: Project Investigation Plan

List of Tables
Table 1: Description of the OSI Model (Microsoft, 2014)

List of Figures
Figure 1: DDoS attacks by protocol (Huawei, 2014)
Figure 2: How botnet works. (Hudak, 2010)
Figure 3: Centralized Model (Mahmoud et al., 2015)
Figure 4: Decentralized Model (Mahmoud et al., 2015)
Figure 5: Hybrid Model (Wang et al., 2010)
Figure 6: Top 10 Largest Botnet Outbreak (Damballa, 2009)
Figure 7: Top 10 Largest Botnet Outbreak (Damballa, 2010)
Figure 8: Copycat YouTube site that leads to a KOOBFACE downloader (Baltazar et al, 2009)
Figure 9: Percentage of hits from Stuxnet by Country (Shearer, 2013)
Figure 10: Wireshark Interface (Kurose and Ross, 2007)
Figure 11: BandwidthD Interface (Bandwidthd.sourceforge.net, 2015)
Figure 12: Pandora FMS Interface (Network Sniffer Pub, 2014)
Figure 13: Snort Logo (Schreiber, 2014)
Figure 14: OSSEC Logo (Schreiber, 2014)
Figure 15: Suricata Logo (Schreiber, 2014)
Figure 16: Kismet Logo (Schreiber, 2014)
Figure 17: Bro Logo (Schreiber, 2014)
Figure 18: Oracle Virtual Box Window (Oracle, 2013)
Figure 19: VMware Window (VMware, 2015)

List of Abbreviations
C&C: Command and Control
DDoS: Distributed Denial of Service
DoS: Denial of Service
FTP: File Transfer Protocol
HTTP: Hypertext Transfer Protocol
IM: Instant Messaging
IP: Internet Protocol
IRC: Internet Relay Chat
ICMP: Internet Control Message Protocol
OSI: Open Systems Interconnection
P2P: Peer to Peer
SMTP: Simple Mail Transfer Protocol
TCP: Transmission Control Protocol
UDP: User Datagram Protocol

Chapter 1: Introduction
1.1 Introduction

The Internet plays an important role in our daily activities. It is used in several sectors of the economy such as education, finance and banking, and even in our social lives. Because there is very little control and regulation over the Internet, cases of misuse and abuse of this medium are common and continue to grow.
The Internet has not only created a useful platform for many opportunities; the explosive use of networks has also created security concerns that cyber criminals can exploit to cause havoc to users and organizations. One such threat, which has established itself as one of the most widespread and sophisticated security concerns on the Internet today, is the botnet.
A botnet is a network of computers that is capable of acting on instructions (Nicho, 2015). Each computer in the botnet is called a bot. These bots, also known as zombies, are infected with malware and remotely controlled by the botmaster (Wang et al., 2015). Once infected, a bot begins to carry out tasks such as spreading viruses, generating spam and performing network attacks, which are directed by the botmaster from a computer often called the Command and Control (C&C) server. These tasks are carried out without the consent of the device owner (Microsoft, 2013).
Despite the research carried out on botnets, this threat continues to grow and to cause enormous concern to Internet and network professionals. Recently a botnet known as Beebone infected about 12,000 computers in the US. It was taken down through the collective effort of the European Cybercrime Centre (EC3), the Joint Cybercrime Action Taskforce (J-CAT), the Dutch authorities and the Federal Bureau of Investigation (FBI). Beebone stole the information and credentials of users who logged into their bank accounts, and also caused the infected computers to take part in other crimes (Carman, 2015).
"The primary purpose of botnets is for criminals to use hijacked computers for fraudulent online activities" (Silva et al, 2013). This report focuses on the different types of botnets, an overview of the threats they pose, current botnet trends, and the methods of infection and detection.

1.2 Definition of Terms

This section defines some terms that are used in this report.
Botnets: Botnets are organized networks of infected computers that are controlled by a botmaster (Fedynyshyn et al, 2011).
Bots: Bots are malicious code running on host computers that allow the botmaster to control those hosts remotely and make them perform various functions (Silva et al, 2013). An infected system can also be referred to as a bot (Wang et al., 2015).
Botmaster: A botmaster is the individual responsible for operating or maintaining a bot. His primary responsibilities would include keeping the bot online, making sure any errors in the bot are fixed, and ensuring that the bot does not break the channel rules (Tiirmaa-Klaar et al., 2013).
Malware: Malware is malicious software designed to gain access to a computer system by exploiting existing vulnerabilities (Nicho, 2015).
Command and Control Server: A system or set of systems used to remotely send commands to a botnet, that is, to a compromised network of computers.
Zombie: A zombie is a computer that is infected with bot malware and remotely controlled by its master. The term can be used interchangeably with 'bot' (McGuire and Dowling, 2013).

1.3 Motivation and Problem Identification

Several cases of botnet infection have been reported over the years, and the reports show several reasons why botnets are developed. Most recently, botnets have been developed primarily for financial gain. Many of them aggregate personal and credit card information from large numbers of users, and this information is then used to carry out illegal and fraudulent activities or is sold on the 'black market' (Christodorescu et al., 2007).
It is because of these security issues that several systems have been developed to help detect and combat infected systems on the network.
It is therefore important to evaluate several existing intrusion detection systems (IDSs), as this would inform users of the advantages and strengths of each IDS, what kinds of threats each can detect, and how they (the users) can help keep themselves safe on the Internet.

1.4 Aim

The aim of this research is to learn how a botnet operates and to explore methods that could be used for botnet detection. We also aim to develop an environment that can simulate botnet behaviour and detect its presence.

1.5 Objectives

The objectives of this research are as follows:
1. To investigate the different types of botnets and related threats.
2. To analyse recent botnets, their associated attacks, and their impact on society.
3. To analyse the methods of infection and detection of botnets.
4. To design, implement and test an environment that can simulate the behaviour of a botnet.
5. To evaluate the effectiveness of different IDSs in detecting botnet activity.

1.6 Report Structure

This report is organized into five chapters.
Chapter 1 gives a general overview of botnets, the aim of this project, the motivation and problem identification, the definition of terms related to this report, and the report structure.
Chapter 2 starts with background information on botnets and their evolution. Other sections in this chapter describe the botnet C&C mechanism model, botnet types, methods of infection, current botnet trends, the latest botnet attacks and botnet communication protocols. Detection methods are also discussed.
Chapter 3 presents the analysis of botnets, the technologies available to achieve the aim, a security analysis of the IDSs, and the professional, ethical, legal and social issues of botnets.
Chapter 4 presents the planned tools for the system and the functional and non-functional requirements of the project.
Chapter 5 summarises the project and discusses the efforts that were made.

Chapter 2: Literature Review
2.1 Background

Botnets are one of the most sophisticated types of cybercrime today and are regularly motivated by financial gain. As a result, botnet crime has grown. For example, according to a report on BBC News (1 October 2013):
"About 500,000 hijacked computers from a 1.9 million ZeroAccess botnet were taken down by Symantec. The zombie computers were used for advertising and online currency fraud and also to infect other machines. This ZeroAccess network was used to generate illegal cash through click fraud" (Espiner, 2013).
Each botnet is controlled by its master to perform various malicious activities without the knowledge of the victim (Fortinet, 2012). The development of malware has ranged from early attacks on the security of PCs in 1986 to the remote control of user systems in 2012. The majority of malware performs its activities immediately or when prompted by some command (Milosevic, 2013).
The main difference between a botnet and other malware is the use of a C&C server. The C&C server enables the zombies to communicate with the botmaster by receiving and responding to commands.
Recently, an increasing number of studies have been carried out on how to identify botnets and disable them. According to a report in The Hacker News (February 25, 2015), the Ramnit botnet, a large network of over 3.2 million infected computers, was taken down by law enforcement agencies from Germany, Italy, the Netherlands and the United Kingdom. The Ramnit botnet was said to have been active for over four years and had features such as a drive scanner and an FTP grabber. The report also gave reasons why botnets re-emerge even after they have been taken down: the organisations involved often take down only a small part of the C&C domains that make up the botnet, and the authors of the malware are not arrested. This concern has led several researchers to write about this type of attack and to suggest possible ways to reduce it (Kumar, 2015).

2.2 Evolution of Botnet

Botnets originated from Internet Relay Chat (IRC), a protocol that provides communication channels. The early bots were not malicious; they were designed to perform tasks such as interpreting simple commands, maintaining ownership of channels and distributing files in an IRC channel. Later botnets, however, reused the idea behind the early IRC bots to incorporate malicious behaviour such as spam, data theft and fraud (Ard, 2007).
During the early stages of the Internet, a non-malicious bot called Eggdrop was developed in 1993. It is recognised as one of the first IRC bots and helped protect channel communication. It was written in the C programming language and had features that allowed users to extend the functionality of the bot (Li et al, 2009).
PrettyPark and SubSeven, discovered in 1999, were the first malicious IRC bots and have since led to many further botnets. PrettyPark was a worm that provided the attacker with functionality such as retrieving the operating system (OS) version, retrieving email addresses, transferring files and connecting remotely to an IRC server. SubSeven allowed attackers to remotely control infected hosts via an IRC server (Ferguson, 2010).
Another early bot, Global Threat bot (GTbot), was introduced in 2000. It was a malicious bot based on the mIRC client, which could run custom scripts in response to IRC events. A feature of this bot was its support for raw TCP and UDP sockets, which gave attackers a good platform for performing Denial of Service attacks and port scanning (Raywood, 2010).
SDBot was released in 2002 by a Russian programmer known as SD, who published the source code together with his contact details. Due to its simplicity, the source code could be modified or enhanced to produce many variants of SDBot. A Microsoft report from June 2006 was said to have listed 678,000 machines infected with SDBot (Zang et al., 2011).
Agobot, also from 2002, was known for its modular design and significant functionality. It has three modules: the first contains the IRC bot client and the remote access backdoor; the second attacks and shuts down any antivirus software; the third prevents users from accessing the websites of antivirus vendors. The modules are executed in sequence. The Agobot family also includes Phatbot, Forbot, Polybot and Xtermbot (Schiller et al., 2007).
In 2003, several bots such as Spybot, Rbot, Sinit, Polybot and Mytob were created. Spybot had functions such as key logging, data mining and sending spam messages. Rbot introduced the use of a SOCKS proxy and also made use of tools for stealing data. Sinit was the first P2P botnet, while Polybot introduced a mechanism that evades detection by changing its appearance frequently (Ferguson, 2010).
Current bots combine features of viruses and worms: they spread like worms through methods such as drive-by downloads, and they can also hide their presence like viruses by using rootkits. A popular botnet that has caused a great deal of damage since 2007 is Zeus. This botnet, also known as a banking Trojan, was designed to steal banking information and primarily targets Windows machines (Fildes, 2010). Over the years the number of Zeus variants has increased; a recent one, Gameover Zeus, was identified in 2011. It uses a decentralized network of compromised computers and web servers for its command and control (US-CERT, 2014).

2.3 Botnet Survey

This section highlights some recent attacks by botnets, the damage caused by botnets, the motivation for botnet usage and how a botnet works.
2.3.1 Recent Botnet Attacks
The history of botnets is diverse, with changes in the nature and structure of the attacks, in the motivation for developing the tools used to carry them out, and in the level of impact across society. Several attacks have been reported in the past and some are outlined below.
Gameover Zeus, a variant of the Zeus family, is said to be the largest botnet in existence, with over 678,000 infections. The motive of the attackers behind this botnet was financial gain (Westervelt, 2012). The botnet kept growing, especially in the United States, where 25 percent of the infected computers were located (Constantin, 2014).
Another well-known attack targeted WordPress websites. According to BBC News, WordPress sites were attacked by brute force, trying many possible passwords with the username "admin". The attack was aimed at building a stronger botnet that could be used for larger attacks such as DDoS (BBC, 2013).
Festi, a spam botnet that started in 2009, is known as one of the most powerful and active botnets for sending spam and performing DDoS attacks (Rodionov and Matrosov, 2012). Festi was said to account for 300,000 of the roughly one million IP addresses infected with some sort of spam-sending bot (Kirk, 2012).
Computers are not only recruited into botnets by malware infection; a vulnerability can also be exploited to take over thousands of systems. A recent example is Shellshock, a vulnerability found in the Bash shell used by Linux and similar operating systems. It allows attackers to execute arbitrary commands on affected servers and computers exposed to the Internet (Green and Grut, 2014).
One of the most prominent botnet activities is the infamous DDoS attack, which is mostly carried out for political motives, industrial espionage, blackmail or financial gain (Huawei, 2013). A DDoS attack has the potential to deny service to legitimate users. Early DDoS attacks were performed using large botnets that directly flooded the target with traffic. More recently, attackers have used amplification attacks through third parties, or botnets of hijacked servers, which have higher bandwidth (Wueest, 2014). Forbes reported on a powerful botnet known as Brobot, which was said to have spent almost a year attacking American financial institutions before it disappeared. Several experts have revealed that this botnet is back to pursue its main purpose, which is to bring down banks (Hamill, 2014). Brobot was used to launch about 200 DDoS assaults against 50 banks, including JPMorgan Chase and Bank of America, between September 2012 and July 2013 (Hamill, 2014). The number of DDoS attacks caused by botnets rose by 240 percent in 2014 compared with 2013 (Gilbert, 2014).
According to Huawei (2014), HTTP remains one of the primary protocols targeted by DDoS attacks. This is because it is still the most important Internet application protocol, and most websites that are prone to DDoS attacks, such as online gaming sites, still use it (Huawei, 2014).


Figure 1: DDoS attacks by protocol (Huawei, 2014)
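Figure 1 counts DDoS attacks by protocol, and the paragraph above notes that modern floods are often amplified through third-party servers. The following added example, which is not taken from the report, from Huawei or from any cited tool, shows the kind of flow-level check that produces such a breakdown: it reads constructed NetFlow-style records, finds destinations receiving an abnormal packet rate, labels the dominant protocol of each flood, and marks a flood as reflected when most of its packets arrive from well-known UDP service ports with amplified packet sizes. The record format, the thresholds and the reflector port list are assumptions.

```python
"""Flag volumetric floods in flow records and classify them by protocol.

Added example, not from the original report. The flow format, the
thresholds and the list of reflector ports are assumptions.
"""
from collections import defaultdict

# Constructed flow records: (start_second, proto, src_ip, src_port,
# dst_ip, dst_port, packets, bytes). Three things are going on:
#  - a SYN flood against 192.0.2.10:80 from many spoofed sources
#  - an NTP reflection flood against 192.0.2.20 (UDP from port 123, big packets)
#  - ordinary HTTPS traffic from one client to 192.0.2.30
FLOWS = []
for s in range(10):                              # 10 seconds of SYN flood
    for i in range(20):                          # 20 spoofed sources per second
        FLOWS.append((s, "TCP", f"198.51.100.{i}", 40000 + i, "192.0.2.10", 80, 300, 12000))
for s in range(10):                              # 10 seconds of NTP reflection
    for i in range(12):                          # 12 abused NTP servers
        FLOWS.append((s, "UDP", f"203.0.113.{i}", 123, "192.0.2.20", 9999, 800, 352000))
for s in range(10):                              # benign HTTPS, one client
    FLOWS.append((s, "TCP", "10.0.0.7", 51000, "192.0.2.30", 443, 40, 30000))

# UDP services commonly abused as reflectors (the source port the victim sees).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 161: "SNMP", 19: "chargen"}

def label(proto, dst_port, src_port):
    """Name the traffic by application protocol where a port tells us."""
    if proto == "TCP" and dst_port in (80, 443):
        return "HTTP(S)"
    if proto == "UDP" and src_port in REFLECTOR_PORTS:
        return REFLECTOR_PORTS[src_port]
    return proto

def detect_floods(flows, pps_threshold=1000, min_sources=10, amp_bytes_per_pkt=300):
    """Return {dst_ip: summary} for destinations whose average packet rate
    exceeds pps_threshold. Each summary gives the dominant traffic label,
    the number of distinct sources, whether the flood is distributed, and
    whether it looks reflected (most packets from reflector ports with
    amplified packet sizes)."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f[4]].append(f)
    floods = {}
    for dst, recs in by_dst.items():
        seconds = {r[0] for r in recs}
        pkts = sum(r[6] for r in recs)
        pps = pkts / len(seconds)
        if pps < pps_threshold:
            continue
        per_label = defaultdict(int)
        reflected_pkts = 0
        for _, proto, _, sport, _, dport, p, b in recs:
            per_label[label(proto, dport, sport)] += p
            if proto == "UDP" and sport in REFLECTOR_PORTS and b / p >= amp_bytes_per_pkt:
                reflected_pkts += p
        sources = {r[2] for r in recs}
        floods[dst] = {
            "pps": round(pps),
            "label": max(per_label, key=per_label.get),
            "sources": len(sources),
            "distributed": len(sources) >= min_sources,
            "reflected": reflected_pkts / pkts > 0.5,
        }
    return floods

def attacks_by_protocol(floods):
    """Count floods per label, the kind of breakdown Figure 1 presents."""
    counts = defaultdict(int)
    for summary in floods.values():
        counts[summary["label"]] += 1
    return dict(counts)

if __name__ == "__main__":
    found = detect_floods(FLOWS)
    for dst, summary in found.items():
        print(dst, summary)
    print("attacks by protocol:", attacks_by_protocol(found))
```

The packet-rate threshold is deliberately crude; in practice it would be set per destination from a baseline, and the reflection check would also compare the victim's outbound requests against the inbound replies, since a genuine NTP client also receives packets from port 123.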

2.3.2 Damages Caused by Botnet Attacks
The cost of DDoS attacks ranges from an average of "$52,000 per incident for small-to-medium sized businesses and an average of $444,000 for large businesses" (Kaspersky, 2014). Another cost of DDoS attacks is damage to a company's reputation. About 38 percent of the businesses surveyed by Kaspersky believed that DDoS attacks damaged their company's reputation, 29 percent believed that it damaged their credit rating, and 26 percent reported an increase in their insurance premiums. As these attacks rise, the two most common outcomes are believed to be loss of customer trust and loss of revenue opportunities (Kaspersky, 2014).
A common goal of attackers is to gain access to a targeted system; once they do, they can steal sensitive data such as usernames, passwords or credit card details. They can also hinder the system from operating normally (Tiirmaa-Klaar et al., 2013).
2.3.3 Motivation for Botnet Usage
Botnets are flexible and provide their users with a range of capabilities. From the recent attacks listed above, it can be seen that a major motivation behind botnets is financial gain. This may include stealing banking information, as the Zeus botnet does, or sending spam that lures users to malicious websites that steal their personal information.
Another reason is competition and reputation building. In communities where several botmasters co-exist, some sort of competition may arise between them (Plus, 2010). Espionage is another motivation, where stolen information is not intended to be turned into money but rather to influence the victim's own decisions or the relationships between competitors (Czosseck and Podins, 2011).
Other motivations include education and research, evading attribution, and projecting power in cyberspace (Czosseck and Podins, 2011).

2.4 How Botnet Works

A basic botnet typically consists of a C&C server connected to several compromised computers. The botmaster uses the C&C server to maintain communication with the bots within the target network.
1. The botmaster infects computers with bot malware in different ways: by exploiting a system weakness such as MS08-067 in the Windows Server service, through an email attachment, or through social engineering that tricks the user into executing the code.
2. The infected computer then downloads and executes the bot code in order to become a real bot under the control of the botmaster.
3. The infected computer logs in to the C&C server and creates a session in order to receive commands for activities such as spam and DDoS.
4. The botmaster sends commands to the bots through protocols such as P2P, HTTP or IRC. The botmaster also sends any updates to the C&C server, which in turn contacts the bots to keep them updated (Zang et al., 2011).
These steps are repeated by the botmaster to gain remote control of thousands of bots.

Figure 2: How botnet works. (Hudak, 2010)
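The session in step 3 and the command polling in step 4 are what a defender can look for: a bot that checks in with its C&C server at a fixed interval leaves a regular pattern in connection logs. The following added example, which is not from the original report or from any cited tool, takes constructed connection-log lines, groups them by source, destination and port, and flags pairs whose inter-arrival times are nearly constant. The log format, the hosts and the thresholds are assumptions.

```python
"""Flag periodic outbound connections (C&C "beaconing") in a connection log.

Added example, not from the original report or any cited tool. The log
format, the hosts and the thresholds are assumptions.
"""
import statistics
from collections import defaultdict
from datetime import datetime

EPOCH = datetime(1970, 1, 1)

# Constructed sample log, one connection per line: "timestamp src dst dport".
# 10.0.0.5 checks in with 203.0.113.7:8080 about every 60 s (a bot in step 3);
# 10.0.0.9 talks to 198.51.100.20:443 at irregular, human-looking intervals.
SAMPLE_LOG = """\
2015-03-01T10:00:00 10.0.0.5 203.0.113.7 8080
2015-03-01T10:00:15 10.0.0.9 198.51.100.20 443
2015-03-01T10:01:01 10.0.0.5 203.0.113.7 8080
2015-03-01T10:01:40 10.0.0.9 198.51.100.20 443
2015-03-01T10:01:59 10.0.0.5 203.0.113.7 8080
2015-03-01T10:02:02 10.0.0.9 198.51.100.20 443
2015-03-01T10:03:00 10.0.0.5 203.0.113.7 8080
2015-03-01T10:03:58 10.0.0.9 198.51.100.20 443
2015-03-01T10:04:01 10.0.0.5 203.0.113.7 8080
2015-03-01T10:05:00 10.0.0.5 203.0.113.7 8080
2015-03-01T10:09:30 10.0.0.9 198.51.100.20 443
"""

def parse_log(text):
    """Group the log into {(src, dst, dport): [seconds since epoch]}."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        flows[(src, dst, int(dport))].append((when - EPOCH).total_seconds())
    return flows

def beacon_score(times):
    """Return (mean_gap, coefficient_of_variation) for a list of times.

    The coefficient of variation (stdev / mean of the gaps) is near zero
    when connections are evenly spaced, the signature of a polling bot.
    Returns None when there are too few gaps to judge.
    """
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean

def find_beacons(text, min_connections=5, max_cv=0.15):
    """Return [(src, dst, dport, mean_gap_seconds)] for flows that look periodic."""
    hits = []
    for (src, dst, dport), times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        score = beacon_score(times)
        if score is not None and score[1] <= max_cv:
            hits.append((src, dst, dport, round(score[0], 1)))
    return hits

if __name__ == "__main__":
    for src, dst, dport, gap in find_beacons(SAMPLE_LOG):
        print(f"possible C&C beacon: {src} -> {dst}:{dport} roughly every {gap}s")
```

The coefficient-of-variation test catches a naive fixed-interval bot; a bot that randomises its sleep time or stops beaconing while the machine is idle needs a looser threshold, or a check on the distribution of gaps rather than their spread alone.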


2.5

Classification of Botnet

Botnets can be classified based on communication topologies and network protocols (Tyagi and Aghila, 2011).
2.5.1 Classification based on Communication Topologies
Botnets can be classified based on the mode of communication. There are three models based

on

the

C&C

server

communication

design:

Centralized,

Decentralized and Hybrid C&C model.
1. Centralized Model
In this model, one C&C server is used for the exchange of commands and malicious data between the botmaster and bots. The main protocols used in this model are IRC and HTTP. The C&C servers are responsible for sending commands to bots, tracking their status and also for providing malware updates
(Silva et al, 2013). Centralized botnets are one of the oldest and most common types of zombie network. The botnets in this model are easier to create, easier to manage and they respond to commands quickly (Karim et al, 2014).

Figure 3: Centralized Model (Mahmoud et al., 2015)

Since all communications are done through the C&C server, it is easy to identify and eliminate the C&C server and once this happens the whole botnet becomes ineffective. Therefore, the C&C server is a central point of failure, which is the main drawback of this model (Prabhu and Shanthi, 2014).

2. Decentralized Model
This model was developed to overcome the drawback of the centralized model. By eliminating the need for a central server, the decentralized model gives the botnet greater flexibility and allows a large number of bots to be handled. The P2P protocol is an example of a protocol used in this model (Tanwar and Goar, 2014). Each bot connects to several other infected machines on the botnet, so a new bot must first learn the addresses of some existing bots in order to join.

Figure 4: Decentralized Model (Mahmoud et al., 2015)

Each bot keeps a list of several neighbours it communicates with, and any command a bot receives from one of its neighbours is forwarded to the others. One drawback of the decentralized model is that a botnet using the P2P protocol is more difficult to manage than one using the centralized model (Karim et al., 2014).
3. Hybrid Model
The hybrid model is a combination of the centralized and decentralized models. It is made up of bot groups, the botmaster and social websites (Tanwar and Goar, 2014). Each bot group consists of servant bots and client bots. The hybrid model works differently from the other two models: the botmaster places malicious code on social websites, the servant bots in each bot group retrieve the malware information from the social websites and send it to the client bots, and the client bots attack their target once they have received the malware information from the servant bot (Prabhu and Shanthi, 2014).

Figure 5: Hybrid Model (Wang et al., 2010)

2.5.2 Classification based on Network Protocols
Botnets can also be classified based on the network protocols used for communication. The network protocols define the rules to be used for communication in the botnet.
1. IRC-Oriented
This was an early type of botnet that used Internet Relay Chat (IRC), a chat system used by computers to communicate online. The botmaster infects the first machine and that infected machine infects a network of other machines. Each of these infected machines, also known as zombies, connects to the IRC server and is controlled through IRC channels selected by the botmaster; each bot waits for commands on a particular channel (Tyagi and Aghila, 2011). The botmaster logs in to the IRC server directly or through proxies to disguise its connection (Team Cymru, 2009).
2. IM-Oriented
This type of botnet is not very common; however, Stephens (2010) argues that it is becoming the easiest and most reliable option for botmasters. It is similar to the IRC-oriented type but uses the communication channels provided by IM services such as AOL, MSN or ICQ (Tyagi and Aghila, 2011). More recently, malware was discovered on Facebook that could spread via multiple instant messaging services, including Facebook Chat, Skype and Google Talk; the malware sent its messages through the social network via an Ajax call so that they appeared to come from a Facebook friend (Protalinski, 2012). This type of botnet has become attractive to botmasters because of how easy it is for them to create new profiles (Stephens, 2010). A disadvantage is that if all bots share one account to connect to the IM network, the service's limits on simultaneous connections and connection time make the whole botnet react very slowly (Fulz, 2009).
3. HTTP/Web-oriented
This is a newer type, designed to control zombies over the World Wide Web. Each bot connects to a web server that serves as the C&C server and receives commands from it. After executing the commands the bots send their results back to the web server and check for new commands. Because the traffic looks like ordinary web browsing it passes firewalls easily, although once the central server is taken down the botnet can no longer be controlled (Fulz, 2009). HTTP bots use the PULL approach: they do not stay connected after their first connection to the web server but instead update themselves by regularly visiting the web server to fetch new commands published by the botmaster (Eslahi et al., 2012). A popular example of this type is Zeus, which has proven to be one of the biggest HTTP botnets in recent times (Paganini, 2013).
4. P2P-Oriented
Bots based on this protocol communicate directly with each other, eliminating the need for a centralized server. Botnets of this kind are more difficult to take down and more resilient to attacks: a P2P-based botnet continues to function even if a large number of bots is removed from the network (Wang et al., 2010). Removing the centralized C&C server means the botmaster cannot send commands to the bots directly; instead commands are issued on a subscription basis, with the botmaster publishing a set of commands into the system and all bots subscribing to them (Mahmoud et al., 2015).
5. Others
There are several other types of botnet that use custom protocols for communication. These custom protocols are mostly built directly on transport-layer protocols such as TCP and UDP, or on ICMP (Tyagi and Aghila, 2011). There have also been recent reports of mobile botnets that use the SMS/MMS protocols for C&C communication (Mahmoud et al., 2015).


2.6 Botnet Command Modes

There are two different ways through which a bot can receive commands from the botmaster.
1. Pull Mode
In this mode no persistent connection is maintained: the bots regularly retrieve the commands the botmaster has published on the server. When a bot sends a request, the C&C server responds if commands are available. This mode is commonly used by HTTP botnets, where the bots visit the web server at intervals to update themselves or fetch new commands (Rostami et al., 2014). Commands spread more slowly in this mode than in push mode.
2. Push Mode
In this mode the bot keeps a persistent connection and commands are pushed to it. IRC botnets used it first: a bot stays connected to its selected channel and receives commands as soon as the botmaster issues them (Eslahi et al., 2012). Since the introduction of P2P botnets to overcome the centralized server, bots wait for commands to arrive and forward the commands they receive to other bots in the botnet (Wang et al., 2010).
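The regular polling of pull mode is also what gives HTTP bots away on the wire. As an added illustration (example code written for this page, not part of the report or of any botnet), the script below groups web-proxy log lines by client and destination host and flags pairs whose request intervals are almost constant. The log lines are constructed for the example, the field layout is an assumption, and the thresholds are starting points to tune rather than values from the report.

```python
"""Flag pull-mode C&C polling ('beaconing') in web-proxy logs.

Added example for this page, not code from the report or from any botnet.
A bot in pull mode re-visits its C&C web server on a timer, so its requests
to that host arrive at near-constant intervals; a person browsing does not.
Log format (an assumption): "<ISO timestamp> <client ip> <dest host> <uri>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. 10.0.0.5 polls its C&C every ~60 s (plus or minus
# a few seconds of jitter); 10.0.0.7 is a human reading a news site;
# 10.0.0.9 makes too few requests to judge. Hostnames use the reserved
# .invalid TLD, so nothing here refers to a real server.
SAMPLE_LOG = """\
2015-03-01T10:00:00 10.0.0.5 cnc.example.invalid /cmd.php
2015-03-01T10:00:05 10.0.0.7 news.example.invalid /
2015-03-01T10:00:09 10.0.0.7 news.example.invalid /world
2015-03-01T10:00:40 10.0.0.7 news.example.invalid /world/story-1
2015-03-01T10:01:01 10.0.0.5 cnc.example.invalid /cmd.php
2015-03-01T10:01:59 10.0.0.5 cnc.example.invalid /cmd.php
2015-03-01T10:02:30 10.0.0.7 news.example.invalid /sport
2015-03-01T10:02:31 10.0.0.7 news.example.invalid /sport/table
2015-03-01T10:03:00 10.0.0.5 cnc.example.invalid /cmd.php
2015-03-01T10:03:15 10.0.0.9 update.example.invalid /check
2015-03-01T10:04:02 10.0.0.5 cnc.example.invalid /cmd.php
2015-03-01T10:04:58 10.0.0.5 cnc.example.invalid /cmd.php
2015-03-01T10:06:00 10.0.0.5 cnc.example.invalid /cmd.php
2015-03-01T10:07:10 10.0.0.7 news.example.invalid /
2015-03-01T10:08:15 10.0.0.9 update.example.invalid /check
"""


def parse_log(text):
    """Yield (timestamp, client, host) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _uri = line.split(maxsplit=3)
        yield datetime.fromisoformat(ts), client, host


def find_beacons(text, min_requests=5, max_cv=0.2):
    """Return {(client, host): mean_interval_seconds} for polling-like pairs.

    A pair qualifies when it has at least `min_requests` requests and the
    coefficient of variation (stdev / mean) of the gaps between consecutive
    requests is at most `max_cv`: a small CV means a timer, not a person.
    """
    seen = defaultdict(list)
    for ts, client, host in parse_log(text):
        seen[(client, host)].append(ts)

    beacons = {}
    for pair, stamps in seen.items():
        if len(stamps) < max(min_requests, 2):
            continue  # not enough samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} polls {host} every {interval:.0f} s")
```

Run against the sample, only the 10.0.0.5 to cnc.example.invalid pair is reported, at a 60-second interval. A real bot can defeat a plain CV test by adding large random jitter to its sleep, so in practice this check is combined with other signals (request size, same URI every time, destination reputation) rather than used alone.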

2.7 Botnet Infection Techniques

One of the main aims of a botnet is to infect a large number of computers, so attackers choose the methods that will infect the largest number of machines. This section describes the methods by which computer systems can be infected and become part of a botnet.
2.7.1 Email
One popular technique of botnet infection is email. Spam mails are sent to the user's computer with a malicious program attached or with a URL that leads to a browser exploit, malicious code that abuses an existing flaw in the OS or browser software to change the user's browser settings (Barroso, 2007). Once the user opens the attachment or follows the link, the program is installed on the machine without his or her knowledge.
2.7.2 Social Engineering
This works because people are trusting and helpful; its success depends on the attacker's ability to manipulate the user. In this method the user is encouraged to download malicious software through a social networking or video-sharing site such as YouTube. Offers of free music or video downloads have been used as enticement (Gibbs, 2014).
2.7.3 Drive by downloads
In this more recent mode of infection, a website automatically installs malicious software in the background while the user visits and navigates the site. The initially downloaded code is typically small and difficult for the user to detect; the main part of the code is retrieved over the Internet while the first part executes. The user is usually unaware of this and can thus easily become a victim and part of a botnet. This method takes advantage of a browser, application or operating system that is out of date and has a security flaw (Siciliano, 2013).
2.7.4 Vulnerability exploitation
Another technique through which computers are attacked is exploitation. An attacker may exploit different vulnerabilities to gain access to the machine, for example by scanning the network for exploitable network services, scanning for open ports, or scanning the whole system for weaknesses (Nicho, 2015). Commonly exploited vulnerabilities used to spread malicious code include CVE-2003-0352, a buffer overflow in the Microsoft Windows RPC interface, and CVE-2008-4250 (MS08-067), the Microsoft Windows Server service vulnerability (TrendMicro, 2012).
2.7.5 Pirated Software
In this mode of infection the user downloads and executes pirated software that has been modified by a malware developer who is also a botmaster; the malware is installed on the user's computer and the machine becomes part of the botnet (Fortinet, 2012).

2.8 Botnet Attacks

There are several reasons why botnets are created as well as several modes by which they affect victims and their devices. Some of the most popular attacks are discussed below:
2.8.1 DDoS Attack
DDoS is short for Distributed Denial of Service. In this attack the intention of the attacker is to overwhelm the victim's server so that it can no longer listen to and issue genuine responses to the requests of other users who seek information from it. The attack can be carried out by several or all of the computers in a botnet flooding the selected servers with UDP packets or ICMP ping requests (Eslahi et al., 2012). All available bandwidth of the affected server is occupied, leaving no capacity for the server to perform useful work over the network.
2.8.2 Spam Sending
One of the common tasks for which botnets have been employed is the sending of spam messages, ranging from emails and IMs to blog comments. With many devices under the control of the botmaster, a botnet can send millions to billions of spam messages per day (Eslahi et al., 2012). Botmasters generate revenue from this mode of attack by charging spammers for the botnet's spamming service.
2.8.3 Identity Theft
This form of attack is one of the common activities of a botnet. Sensitive information such as credit card numbers, login credentials, banking account details, network-related information and passwords is stolen from the affected devices and collated on the C&C server. Methods such as man-in-the-browser attacks, phishing and keyloggers are used to obtain the desired information. The stolen information is mostly sold on 'black markets' for financial gain, or used by the botmasters and/or other attackers to cause further havoc (Soltani et al., 2014).
2.8.4 Bitcoin Mining
An attacker can take advantage of bitcoin mining rewards and use the botnet to perform work on users' computers that earns him bitcoins, a virtual currency that can be traded for real currency. The bitcoin mining software is installed on each bot, letting the botmaster harness the processing power of every infected computer to mine bitcoins (Fortinet, 2012).
Other forms of attack include: Pay-per-Click (PPC) fraud, Copyright violations, illegal hosting, Sale or Rent Services and sniffing traffic.

2.9 Analysis of Botnets

Botnets continue to grow in size and become more difficult to detect. According to the Sophos Security Threat Report (2014), botnets have become more widespread over the past 12 months and recently seem to be finding dangerous new targets (Sophos, 2014).


A report by Chickowski (2015) outlined the six most dangerous new techniques attackers were likely to use in 2015. One of them is that real-world exploits of the Internet of Things will multiply: as the number of bring-your-own devices increases, so does the number of vulnerabilities that find their way into enterprises (Chickowski, 2015). An example is crypto-ransomware, which encrypts data and demands money to decrypt it within a limited period of time (Neagu, 2014).
With many malicious botnets having been released since 1999, some are known for the damage they have caused to businesses, financial companies and the network itself.
An analysis of three dangerous botnets will be carried out: Zeus, Koobface and Stuxnet have been selected.
2.9.1 Zeus
Zeus, also known as Zbot, was first identified in 2007 when it was used to steal information from the US Department of Transportation (Shank, 2012). Zeus is a trojan toolkit that provides all the tools a cybercriminal needs to build a botnet, and it spreads mainly through phishing and drive-by downloads (Ibrahim and Thanoon, 2012). It is known for its success in helping cybercriminals build command and control infrastructure and infect local machines, thanks to its wide range of capabilities (Lewis, 2010). Because a single C&C server is a weak point, the latest variants include a DGA (Domain Generation Algorithm), which makes the C&C servers resistant to takedown efforts (Neagu, 2014).
Zeus is primarily aimed at stealing banking information and has led to losses of millions worldwide (Wyke, 2011). It achieves this through website monitoring and keylogging: it recognises when the user visits a banking site and records the keystrokes used to log on.
Zeus has infected over 3.6 million systems in the United States. In 2009 security analysts discovered that Zeus had compromised more than 70,000 accounts of banks and businesses, including NASA and the Bank of America (Neagu, 2014). Also in 2009, over 1.5 million phishing messages were sent on Facebook and over 9 million phishing emails impersonating Verizon Wireless were sent just to spread Zeus (Shank, 2012). Because of the many botnet outbreaks that year, Damballa compiled a list of the largest outbreaks, and Zeus was among them (Figure 6).

Figure 6: Top 10 Largest Botnet Outbreak (Damballa, 2009)

In 2010, the FBI uncovered a major international cybercrime network that had used Zeus to hack into computers in the United States and steal around $70 million. Zeus was also among the top 10 biggest botnets in 2010 (Figure 7).

Figure 7: Top 10 Largest Botnet Outbreak (Damballa, 2010)

Over the years this botnet has grown in its variants and related banking trojans, with the likes of Gameover Zeus, SpyEye, Shylock, Carberp and Ice IX. Stevens and Jackson (2010) reported that Zeus was sold as a kit for around $3,000 to $4,000 in the criminal underground and was used by criminals to attack financial institutions. Some capabilities of Zeus include stealing data from HTTP forms, stealing FTP and POP account credentials, and redirecting victims from targeted web pages to attacker-controlled pages (Stevens and Jackson, 2010).
How Zeus Works
Zeus botnet controllers usually have a financial target in mind before running the botnet. They search for data of interest and either obtain value from it directly or sell it to another criminal. Zeus uses encrypted HTTP POST requests to a command and control web server both to exfiltrate stolen data and to receive remote commands. The encryption is RC4 with a key that is fixed in the binary (Stevens and Jackson, 2010).
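To make the point about the fixed key concrete, here is an added example written for this page; it is not Zeus's code and does not reproduce its real message format. The key bytes and the key=value report layout are assumptions. It shows that an analyst who extracts the key from one unpacked sample can read every bot's traffic, and that even without the key one known message is enough to recover another, because a fixed key with no per-message nonce means every message is XORed with the same RC4 keystream.

```python
"""RC4 with a key fixed in the bot binary, and why that is a weakness.

Added example for this page, not Zeus's own code and not its real message
format: it demonstrates the property the report describes (HTTP POST bodies
encrypted with RC4 under a key embedded in the binary). The key bytes and
the 'key=value' report layout below are assumptions for illustration.
"""

# A key that, in this scenario, an analyst has pulled out of the unpacked
# bot binary (assumed value; every bot built from the same kit shares it).
KEY_FROM_BINARY = b"\x7a\x3e\x91\xc4\x05\x5d\xb2\x18"


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling (KSA) then pseudo-random generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: encryption and decryption are the same XOR."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def bot_build_report(bot_id: str, version: str) -> bytes:
    """What the bot would POST: an encrypted 'key=value&...' status report."""
    plain = f"bot_id={bot_id}&ver={version}&cmd=idle".encode()
    return rc4(KEY_FROM_BINARY, plain)


def analyst_decrypt_capture(body: bytes) -> dict:
    """Decrypt a captured POST body with the key taken from the binary."""
    plain = rc4(KEY_FROM_BINARY, body).decode()
    return dict(field.split("=", 1) for field in plain.split("&"))


def recover_with_keystream_reuse(known_plain: bytes, known_cipher: bytes,
                                 other_cipher: bytes) -> bytes:
    """Recover (a prefix of) another message WITHOUT the key.

    A fixed key with no per-message nonce means every message is XORed with
    the same keystream, so keystream = known_plain XOR known_cipher, and the
    prefix of any other captured message falls out directly.
    """
    n = min(len(known_plain), len(known_cipher), len(other_cipher))
    keystream = bytes(p ^ c for p, c in zip(known_plain[:n], known_cipher[:n]))
    return bytes(c ^ k for c, k in zip(other_cipher[:n], keystream))


if __name__ == "__main__":
    captured = bot_build_report("WS-0142", "2.0.8.9")
    print("decrypted:", analyst_decrypt_capture(captured))
    # Knowing one full bot report is enough to read the start of another.
    known = b"bot_id=WS-0142&ver=2.0.8.9&cmd=idle"
    other = bot_build_report("WS-0007", "2.0.8.9")
    print("recovered:", recover_with_keystream_reuse(known, captured, other))
```

The second function is the defender's view: with one decrypted report in hand (or simply a good guess at the fixed prefix every bot sends), the keystream for that position is known and any other bot's report can be read up to the same length, with no knowledge of the key at all.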
Components of Zeus
Criminals using the Zeus malware aim to act as spying agents with the intent of making a financial profit (Ibrahim and Thanoon, 2012). The Zeus toolkit has five components.
1. The builder, which is used to create two files: the encrypted configuration file and the executable binary file. The configuration file contains all the information the bot needs to do anything (Wyke, 2011), while the binary file is used to build the botnet (TrendMicro, 2010).
2. The configuration files, which are used to modify the botnet parameters. There are two of them: one lists the basic information and the other identifies the targeted websites and describes the content injection rules (Ibrahim and Thanoon, 2012).
3. The control panel, also known as the server, a set of PHP scripts used by the botmaster to monitor the status of the bots, issue commands to them and display the information they have collected (Wyke, 2011; Ibrahim and Thanoon, 2012).
4. The generated encrypted configuration file, which holds an encrypted version of the botnet's configuration parameters (Ibrahim and Thanoon, 2012).
5. The generated binary file, which is the bot executable that infects the victims' machines (Ibrahim and Thanoon, 2012).
2.9.2 Koobface
The Koobface botnet was identified in 2008 after its attack on Facebook (Keizer, 2009). It has grown into a complex system that uses social networking sites such as Facebook, Friendster and MySpace to send spam messages containing malicious links. Koobface earned its operators over US$2 million between June 2009 and June 2010 through click fraud (Villeneuve et al., 2010).
Koobface starts its infection by sending a personal message from an infected user's account to the user's friends with a link to a fake YouTube page, encouraging them to install a video player update that would allow them to watch the video (Thomas and Nicol, 2010; Tanner et al., 2010).

Figure 8: Copycat YouTube site that leads to a KOOBFACE downloader (Baltazar et al, 2009)

The Koobface downloader, presented as the video player update, is an executable file that installs the Koobface worm on the compromised computer. Its purpose is to connect to the Koobface C&C server and download the Koobface components the C&C requires (Baltazar et al., 2009).
The downloader uses cookies to tell which social networking sites the compromised user is logged in to and reports all the cookies it finds to the Koobface C&C. The C&C then decides which additional components to download depending on the cookies found (Baltazar et al., 2009). The components include:
1. Web Server: this component makes the infected machine part of the Koobface botnet as a web server. Once this happens, the Koobface C&C is informed of its uptime and in turn instructs the web server to act as a proxy or relay server so that it can distribute other Koobface components (Baltazar et al., 2009).
2. Data Stealers: this component belongs to the TROJ_LDPINCH malware family, which steals licences such as Windows digital product IDs and credentials from FTP, IM and email applications. The stolen data is encrypted and sent to the trojan's C&C server (Baltazar et al., 2009).
3. CAPTCHA Breakers: a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a challenge designed to distinguish human beings from automated programs, such as bots trying to register accounts or brute-force their way into applications. Koobface fetches CAPTCHA images from one of its C&C servers and forces the infected user to solve them: the image carries a countdown warning that the computer will shut down if the test is not solved within three minutes. Even after the three minutes expire Koobface does not shut the computer down; it simply waits until the user solves the CAPTCHA. What Koobface needs is a validated answer it can use, rather than the right/wrong result itself (Baltazar et al., 2009).
4. Web Search Hijackers: this component redirects the user's search queries on engines such as Google and Yahoo to suspicious search portals (Baltazar et al., 2009).
5. Rogue DNS Changers: this component points the DNS settings of the infected machine at a rogue DNS server, which diverts any legitimate website the infected user visits to a phishing page (Baltazar et al., 2009).
The spread of these components depends on the free link-sharing behaviour seen on common social networking sites (Baltazar et al., 2009).
2.9.3 Stuxnet
Stuxnet is another well-known worm, notable for targeting industrial control systems in order to take control of industrial facilities such as power plants (Shearer, 2013). It was first discovered in 2010 and has since been a threat to several countries, especially Iran.

Figure 9: Percentage of hits from Stuxnet by Country (Shearer, 2013)

The worm mostly targets Windows systems and spreads via USB sticks rather than over the Internet, which lets it reach computers that are not connected to the Internet. On these computers it targets a specific industrial control software configuration made by Siemens (Fildes, 2010).

2.10 Botnet Detection Methods
Several methods of botnet detection have been proposed, based on the research that has been carried out on botnets and on how to prevent and detect them. These methods can be broadly classified into Honeynets and Intrusion Detection Systems (IDSs).
2.10.1 Honeynet
A Honeynet is a collection of Honeypots designed to lure attackers. Each Honeypot is configured to be a potential bot by making it an attractive target with security vulnerabilities, such as an operating system with a loosely configured firewall and/or out-of-date software with known security issues. A Honeypot is used to learn about the attacker's intent and modes of attack, to prevent the same attacks on live systems, and/or to divert attackers from production machines. Each Honeypot is filled with fake information that deceives the bot malware into thinking it has found useful sensitive data. The captured malware is then studied and the knowledge used to prevent attacks on live production systems (Karim et al., 2014; Gibbs, 2014; Martin, 2001).


2.10.2 Intrusion Detection Systems
Another method of detecting botnets is to set up software that monitors the host system for malicious activity and for activity that violates pre-defined network and system policies.
Intrusion Detection Systems (IDSs) are further subdivided into signature based and anomaly based detection.
1. Signature-Based Detection
Signature-based detection is a form of IDS detection that recognises known botnets by their modes of attack and their methods of operation. It depends on previous knowledge, which means that systems using this mode of detection must keep their knowledge base and repository of botnet signatures up to date. This is the disadvantage of the method: it always requires an up-to-date database in order to detect recent botnet attacks (Karim et al., 2014; Zang et al., 2011; Trivedi and Noorani, 2015).
2. Anomaly-Based detection
This form of detection involves monitoring networks and systems for irregularities and malicious activity. Unusual system and network behaviour that could indicate the presence of bots, or that breaks a pre-defined policy, is detected and analysed. Behaviours such as high network latency and high traffic on unusual ports are symptoms that could break a network or communication policy. Anomaly-based detection is further divided into host-based and network-based techniques (Karim et al., 2014; Zang et al., 2011; Trivedi and Noorani, 2015).
a. Host-Based detection
This detection strategy involves monitoring individual systems and analysing the internals of the system in terms of processing overheads and system/kernel-level calls. When irregular activity is detected, an alert is raised (Karim et al., 2014; Zang et al., 2011; Trivedi and Noorani, 2015).
b. Network-Based detection
The network-based detection strategy involves monitoring the network for suspicious malware activity. Several techniques are used to detect the existence of a botnet. Active monitoring involves injecting test packets into the network to check the network quality; used with a timeout strategy it can detect DDoS attacks. Passive monitoring, on the other hand, involves observing incoming packets to extract botnet-related packets and detect suspicious network activity (Karim et al., 2014; Zang et al., 2011; Trivedi and Noorani, 2015).
Other techniques of botnet detections are DNS-based and Data mining based detection techniques (Trivedi and Noorani, 2015).


Chapter 3: Analysis
This section gives a brief description of a botnet attack as well as the tools and methods that will be used to complete the design, implementation and results collection for this project. It also discusses the OSI model as it relates to botnets.
3.1 Problem Analysis
There are several kinds of botnet attack, as discussed in the Literature Review of this report. A popular one is DDoS, and that is the focus of our design.
With the rise in DDoS attacks, attackers work against the layers of the OSI (Open Systems Interconnection) model and commonly target the application layer. The application layer uses protocols such as HTTP, FTP and SMTP, and an attacker can use ordinary HTTP GET and HTTP POST requests to cause denial of service. DDoS attacks at this layer can be difficult to detect because they look like genuine website traffic; "the possible impact of this attack is to reach the resource limits of services" (US-CERT, 2014).
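As an added illustration of that difficulty (example code written for this page, not the project's own design or code), the script below runs two sliding-window detectors over constructed HTTP access-log lines: a per-source rate check, which is what a simple rate limiter does, and an aggregate per-URI check. The log layout, thresholds and addresses are assumptions. The distributed flood in the sample stays under the per-source threshold because each bot sends only three requests, and is only caught by the aggregate check.

```python
"""Two sliding-window detectors for application-layer (HTTP) floods.

Added example for this page, not code from the report: it shows why
per-source rate limits alone miss a distributed flood. Each bot sends only
a few requests, so no single IP looks abusive, but the aggregate rate on
the targeted URI does. Log format (an assumption):
"<ISO timestamp> <client ip> <method> <uri> <status>". The traffic is
constructed below; the addresses come from the RFC 5737 documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_access_log():
    """Build a small, labelled sample: a botnet POST flood, one scraper, one user."""
    base = datetime(2015, 3, 1, 12, 0, 0)
    lines = []
    # 20 bots, 3 POSTs each to /login, all inside one 10-second window.
    for b in range(20):
        for k in range(3):
            t = base + timedelta(seconds=(b * 3 + k) % 10)
            lines.append(f"{t.isoformat()} 203.0.113.{b + 1} POST /login 401")
    # One aggressive scraper: 12 GETs to /search in 5.5 seconds.
    for k in range(12):
        t = base + timedelta(seconds=20 + k / 2)
        lines.append(f"{t.isoformat()} 198.51.100.9 GET /search 200")
    # One ordinary visitor, one page every 15 seconds.
    for k in range(5):
        t = base + timedelta(seconds=40 + 15 * k)
        lines.append(f"{t.isoformat()} 192.0.2.10 GET / 200")
    return lines


def parse(lines):
    """Yield (timestamp, client, uri) per log line."""
    for line in lines:
        ts, client, _method, uri, _status = line.split()
        yield datetime.fromisoformat(ts), client, uri


def max_in_window(stamps, window):
    """Largest number of events falling inside any `window`-second span."""
    stamps = sorted(stamps)
    best = left = 0
    for i, t in enumerate(stamps):
        while (t - stamps[left]).total_seconds() > window:
            left += 1          # slide the window's left edge forward
        best = max(best, i - left + 1)
    return best


def detect_floods(lines, window=10.0, per_source=10, per_uri=50):
    """Return {'sources': {ip: peak}, 'uris': {uri: peak}} for keys over threshold.

    per_source catches one noisy client; per_uri catches a distributed flood
    whose individual clients each stay under per_source.
    """
    by_source, by_uri = defaultdict(list), defaultdict(list)
    for ts, client, uri in parse(lines):
        by_source[client].append(ts)
        by_uri[uri].append(ts)
    noisy, flooded = {}, {}
    for ip, stamps in by_source.items():
        peak = max_in_window(stamps, window)
        if peak >= per_source:
            noisy[ip] = peak
    for uri, stamps in by_uri.items():
        peak = max_in_window(stamps, window)
        if peak >= per_uri:
            flooded[uri] = peak
    return {"sources": noisy, "uris": flooded}


if __name__ == "__main__":
    print(detect_floods(constructed_access_log()))
```

On the sample the per-source check reports only the scraper (12 requests in one window), while the per-URI check reports /login with 60 requests from 20 different addresses; none of those addresses would trip the per-source limit on its own. The aggregate check is what a rate limiter needs in order to see an application-layer DDoS at all, and it is then the per-URI cost (login, search, anything that hits a database) that decides the threshold.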
The OSI Model is a reference model for how applications communicate over a network. This model has seven layers and they are briefly described in the table below (Microsoft, 2014).


OSI Layer        Description
7 Application    This layer provides an interface that allows applications to communicate on the network. It offers the services that will be used by applications.
6 Presentation   This layer presents data in the format required by the application layer.
5 Session        This layer creates, maintains and terminates a session.
4 Transport      This layer describes how data is sent. It manages the delivery of packets from the network layer.
3 Network        This layer works with the logical address, also known as the IP address, of packets. It finds the best path to a destination.
2 Data Link      This layer converts the packets received from the network layer into frames. It works with the physical address, also known as the MAC address, of devices.
1 Physical       This layer is the lowest layer of the OSI model. It is concerned with the transmission and reception of bits.

Table 1: Description of the OSI Model (Microsoft, 2014)

For the purpose of this project, we are going to be working with the Zeus botnet.
Valentino (2013), writing on Hacking-tutorial, gives more background on Zeus: its author retired and passed the rights to Zeus to his biggest competitor, the author of SpyEye. The Zeus source code was posted on GitHub in May 2011 and has since been reposted on several other sites, including thehackernews, Facebook and leakforum.

3.2 Monitoring Tools
A good way to reduce this attack is to monitor the activity on the network. Some tools that would be useful are described below.

1. Wireshark
Wireshark, formerly known as Ethereal, is a tool that captures both incoming and outgoing packets and provides detailed information about each captured packet (IBM, 2012). It offers features such as live packet capture, importing packets from different file formats, saving captured data, filtering packets by given criteria and displaying packets with detailed protocol information (Sharpe, 2004).
Wireshark's interface has five components: a packet-listing window, a packet-details window, a packet-contents window, the command menus and a filter field (Kurose and Ross, 2007). It runs on both Windows and Linux operating systems.

Figure 10: Wireshark Interface (Kurose and Ross, 2007)


2. BandwidthD
BandwidthD is a tool for tracking network usage. The information gathered from the network is displayed visually in graphs and tables in real time. As Figure 11 shows, each protocol (such as HTTP, UDP and ICMP) is colour-coded so that the reading is easy to understand. BandwidthD runs as a background service (Network Sniffer Pub, 2014) on most operating systems, including Windows and Linux.

Figure 11: BandwidthD Interface (Bandwidthd.sourceforge.net, 2015)

3. Pandora FMS
Pandora FMS is performance and availability monitoring software that monitors networks, servers, applications and communications (Tabona, 2015). Its features include graphical reports based on its own SQL back end, local and remote inventory management and very high capacity (Sourceforge, 2015).


Figure 12: Pandora FMS Interface (Network Sniffer Pub, 2014)

3.3 Intrusion Detection Systems (IDS)

As discussed earlier in the Literature Review, there are different types of IDS, and one of the objectives of this project is to evaluate the efficiency and effectiveness of an IDS in detecting the bot's activity. The available IDSs that can be used during the course of this project are discussed below.
1. Snort

Figure 13: Snort Logo (Schreiber, 2014)

Snort is an open source network intrusion detection and prevention system (Schreiber, 2014) capable of performing real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort uses signature, anomaly and protocol-analysis methods to detect cyber attacks (Arora, 2013). It can be used for content searching, protocol analysis and attack detection.

Snort can be used as a packet sniffer, a packet logger and as a network intrusion detection system (Snort, 2015). It runs on most operating systems including Windows, Linux and Apple Mac OS X (Sectools.org, 2015).
Advantages
1. Snort is easy to install and run, and its rules are easy to write (Scriptrock, 2015; Arora, 2013).
2. It has a large community of users and its open source nature allows security professionals to develop and customize their own rules and contribute them to the community (Scriptrock, 2015).
3. Snort gives a good overview of what is going on in the network (Israelsson et al., 2015).
4. It provides a way of logging packets from potential attacks which can be used in the future (Israelsson et al, 2015).
Disadvantages
1. Snort has no GUI for rule manipulation (Arora, 2013).
2. Snort relies on a ruleset, which can quickly go out of date.
3. Snort cannot tell the difference between normal and out-of-place traffic for each host in the network, because it only looks for what is defined in its ruleset (Israelsson et al., 2015).
2. OSSEC

Figure 14: OSSEC Logo (Schreiber, 2014)

OSSEC is an open source host-based IDS that carries out log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response (Ossec.net, 2015). OSSEC uses both signature- and profile-based methods to detect attacks (Arora, 2013). It runs on most operating systems, including Mac OS, Linux, Solaris and Windows.


The advantages of this system include (Arora, 2013):
1. It includes a security information and event manager that can be used to centralise log management on a large network.
2. Its log scanning engine is very powerful.
3. It has features that can meet the requirements of the Payment Card Industry (PCI).
A disadvantage of this system is the limited number of alerts it can send, which an attacker can exhaust at the beginning of an attack before launching the real one (Arora, 2013).
3. Suricata

Figure 15: Suricata Logo (Schreiber, 2014)

Suricata is a network IDS, IPS and network security monitoring engine. A great feature of Suricata is its capability to inspect multi-gigabit traffic (Suricata, 2012). Other features include built-in hardware acceleration, logging of HTTP requests and TLS certificates, and file extraction (Schreiber, 2014). Suricata's advantages include its high efficiency and its advanced multi-threading capabilities (Scriptrock, 2015); it can also use Snort's rulesets. Its disadvantages are the false alarms it can raise in some cases and its heavy use of system resources, which can result in slow network connections (Arora, 2013).


4. Kismet

Figure 16: Kismet Logo (Schreiber, 2014)

Kismet is a wireless network detector, sniffer and intrusion detection system (Kismetwireless.net, 2015). Kismet can identify networks by passively sniffing them and can also discover hidden networks that are in use (Sectools.org, 2015). Kismet works on different operating systems, including Android.
5. Bro

Figure 17: Bro Logo (Schreiber, 2014)

Bro is quite different from the other IDSs. It is a signature- and anomaly-based IDS that uses its analysis engine to convert captured traffic into a series of events, such as a connection to a website (Schreiber, 2014). Some programming skill is required to use this tool, which can take time to learn; on the other hand, its platform can be tailored to a variety of network security use cases (Scriptrock, 2015).
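To make the contrast above concrete (Snort's disadvantage 3, which fires only on what its ruleset names, versus the profile-based approach that OSSEC and Bro add), the following script is an added illustration that is not part of this report or of any of the tools described. It runs a rule-style matcher and a per-host baseline check over constructed connection records; the hosts, addresses, rule name and the simplified log format are all assumptions, and 203.0.113.7 stands in for a "known bad" address.

```python
# Added illustration (not from the report or any tool it describes): signature
# matching vs. per-host profile (anomaly) detection over constructed records.
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Conn:
    ts: int       # seconds since the start of the capture window
    src: str
    dst: str
    dport: int
    method: str   # HTTP method, or "-" for non-HTTP traffic

def parse_log(text):
    """Parse whitespace-separated records of the form: ts src dst dport method."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, method = line.split()
        conns.append(Conn(int(ts), src, dst, int(dport), method))
    return conns

# Constructed baseline window: two workstations doing ordinary browsing.
TRAINING_LOG = """
0    192.168.10.5  93.184.216.34  80   GET
45   192.168.10.5  93.184.216.34  443  GET
120  192.168.10.5  198.51.100.9   443  GET
15   192.168.10.8  93.184.216.34  80   GET
300  192.168.10.8  198.51.100.9   443  POST
"""

# Constructed live window: 192.168.10.5 browses as before and visits one new
# site; 192.168.10.8 starts posting to a single new host every 60 seconds.
LIVE_LOG = """
10   192.168.10.5  93.184.216.34  80   GET
70   192.168.10.5  198.51.100.44  443  GET
400  192.168.10.5  203.0.113.7    80   GET
30   192.168.10.8  198.51.100.20  80   POST
90   192.168.10.8  198.51.100.20  80   POST
150  192.168.10.8  198.51.100.20  80   POST
210  192.168.10.8  198.51.100.20  80   POST
"""

# Signature-style detection (the Snort model): a rule fires only for what it
# explicitly names.  203.0.113.7 is a placeholder "known bad" address.
SIGNATURES = {
    "TEST-KNOWN-C2-HOST": lambda c: c.dst == "203.0.113.7",
}

def signature_alerts(conns, signatures=SIGNATURES):
    """Return (rule_name, conn) for every record matched by a rule."""
    return [(name, c) for c in conns
            for name, match in signatures.items() if match(c)]

def build_profile(conns):
    """Per-host baseline: the (dst, dport) pairs each source normally uses."""
    profile = defaultdict(set)
    for c in conns:
        profile[c.src].add((c.dst, c.dport))
    return profile

def is_periodic(timestamps, min_count=4, tolerance=0.2):
    """True if at least min_count events occur at near-constant intervals."""
    if len(timestamps) < min_count:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = median(gaps)
    return m > 0 and all(abs(g - m) <= tolerance * m for g in gaps)

def profile_alerts(profile, conns, min_count=4):
    """Flag (src, dst, dport, count) when a host beacons at regular intervals to
    a peer absent from its baseline.  One visit to a new site does not alert."""
    by_flow = defaultdict(list)
    for c in conns:
        by_flow[(c.src, c.dst, c.dport)].append(c.ts)
    alerts = []
    for (src, dst, dport), stamps in by_flow.items():
        new_peer = (dst, dport) not in profile.get(src, set())
        if new_peer and is_periodic(stamps, min_count):
            alerts.append((src, dst, dport, len(stamps)))
    return alerts

def run_demo():
    """Run both detectors over the live window; returns (signature, profile) hits."""
    live = parse_log(LIVE_LOG)
    baseline = build_profile(parse_log(TRAINING_LOG))
    return signature_alerts(live), profile_alerts(baseline, live)
```

Calling run_demo() shows the two detectors disagreeing: the rule catches only the single visit to the placeholder address, while the baseline check catches the regular beacon from 192.168.10.8 to a host it never contacted before and ignores the one-off visit to a new site.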

3.4 Virtual Machines
From the research gathered in the literature review, we can conclude that botnets are very dangerous; it is therefore necessary to set up an environment that simulates their behaviour and to work towards detecting their presence before damage is caused to the system or network.
Because of the continuing evolution of botnet design and its scalability, running a bot on a physical machine could cause it to spread to other machines on the network, making it difficult to control. To avoid these risks, a virtual machine will be used to implement the simulation (Sikorski and Honig, 2012).

A virtual machine is software that simulates the environment of a physical computer by running an operating system and applications. The experience a user has on a dedicated computer is the same as on a virtual machine (Rouse, 2014). Several types of virtual machine could be used for this project; they are described below.
1. Virtual Box
VirtualBox is cross-platform virtualization software that allows multiple operating systems to run on one PC at the same time. It runs on Windows, Mac OS X, Linux and Oracle host systems. It is ideal for developing, demonstrating, deploying and testing solutions across several platforms on one machine (Oracle, 2013).
Its support for a wide range of guest platforms makes it user friendly (Fitzpatrick, 2010). Other features include a screen-recording facility, flexible networking options and folder sharing between guest and host. A further benefit is its ability to extend the lifetime and functionality of existing computers (Oracle, 2013).

Figure 18: Oracle Virtual Box Window (Oracle, 2013)

2. VMware
VMware comes in two packages: VMware Player and VMware Workstation (Fitzpatrick, 2010). VMware Workstation provides users with unmatched operating system support, great performance and a rich user experience (VMware, 2015).
VMware Workstation allows several operating systems on the same PC to run applications at the same time without rebooting. It provides an easy way to evaluate new operating systems and test software applications (VMware, 2015).

Figure 19: VMware Window (VMware, 2015)

Other virtual machine applications include QEMU, used for Linux machines, and Windows Virtual PC (Fitzpatrick, 2010).

3.5 Professional, Social, Legal and Ethical Considerations

There are no professional, social or legal issues to be considered. Since the work involves compromising computers, the ethics of this system need to be addressed. A malicious botnet like Zeus steals information and performs other illegal activities; allowing it to run on a physical machine could result in problems such as loss of data and slow performance. To avoid this, the implementation will be carried out in an isolated environment.


Chapter 4 - Project Specification
This section specifies the tools that will be used to complete this project and the functional and non-functional requirements of the system.
This project is about designing an environment that runs an actual bot and testing the efficiency and effectiveness of the IDS in detecting the bot's activity.
To do this, the following steps need to be carried out.
1. Install VMware Workstation version 11.0.
2. Install operating systems such as Windows XP, Windows 7 and Windows 8 on the VMware Workstation.
3. Install the tools for monitoring the bot's activity.
4. Install open source Intrusion Detection System tools.
5. Run the Zeus botnet source code on one of the operating systems.
6. Install a web server that will act as the C&C server.

4.1 Planned Tools

In this project, Wireshark and BandwidthD will be used to monitor the activities of the Zeus botnet. Wireshark is chosen because I have used the tool before and found it easy to use and understand, and because it is free. BandwidthD is chosen for the graphs it provides, which will be useful in analysing my results.
Snort will be used as the Intrusion Detection System because it is open source and the most widely used IDS, so it will not be difficult for me to learn.
A WAMP web server will be used as the C&C server for Zeus.
VMware Workstation is used as the virtual machine because it is easy to install and use. I have used it before and found it very convenient because it allowed me to run applications on each OS at the same time. VMware Workstation 11, the latest version, will be used.

4.2 Functional and Non-Functional Requirements

The Functional Requirements are the expected functions of the system.
1. The IDS should be able to detect the presence of the bot.
2. The monitoring tools should be able to monitor the activities of the botnet and provide adequate information.
3. The IDS should monitor the network continuously.
4. The IDS should provide enough information about the activity it detects.
5. The IDS should be able to work with the other security tools that will be installed on the system.
6. The IDS should be able to provide an automated response to suspicious activity.

The Non-Functional Requirements include:
1. The IDS should detect in real time.
2. The IDS should detect the bot before it affects the system or steals any information from it.
3. The IDS should be easy to use and learn.
4. The IDS should generate an alert when it detects the bot.
5. The interfaces of the IDS should be easy to use.
6. The IDS should prevent attacks from affecting the internal network users.
7. The IDS should be able to adapt to changes.
8. The IDS should run continuously without supervision.

Chapter 5 – Conclusion
5.1 Summary
This paper has reviewed several types of botnets, botnet attacks and the existing tools available for detecting and monitoring botnet attacks.
The stage has been set for the next phase of the project, which will involve practically analysing tools and applications already developed for monitoring and detecting bot malware in a system. Several applications will be used and compared on how well they meet the functional and non-functional requirements listed above. A virtual environment will be created for proper analysis; it will draw on the knowledge derived from this study, which forms the basis for realising the aim and objectives of this project.

5.2 Conclusion

Since the discovery of PrettyPark and SubSeven in 1999, botnets have continued to gain popularity and have caused great concern to security experts, regular users and organizations. Financial institutions are among the most targeted by botnet developers.
Botnets were not originally designed for malicious purposes and can still be used to carry out useful tasks, such as automating processes and aggregating useful information. However, the Internet is loosely regulated, and this has created opportunities for cybercrime.
Recent botnets have caused many losses to businesses and individuals. Several companies affected by botnet attacks have lost money, some in the millions of dollars; others have lost business opportunities and client trust.
Individuals have lost money and had sensitive information stolen, violating their privacy rights. In general, recent botnets have mostly caused havoc to their victims. Several systems have been proposed and developed to help detect and terminate botnets. These systems use several strategies: either passively detecting botnets based on their signatures or on certain policy violations in network and CPU usage, or actively creating an environment to detect and learn how botnets work in order to prevent them on live systems.

References
1. Ard, C., 2007. Botnet analysis. The International Journal of Forensic Computer Science, 2(1), pp. 65-74.
2. Arora, H., 2013. Introduction to intrusion prevention systems. [online] IBM. Available at: http://www.ibm.com/developerworks/library/se-intrusion/seintrusion-pdf.pdf [Accessed 19 Jun. 2015].
3. Baltazar, J., Costoya, J. and Flores, R., 2009. The real face of koobface: The largest web 2.0 botnet explained. Trend Micro Research, 5(9), pp. 10.
4. Bandwidthd.sourceforge.net, 2015. Bandwidth. [online] Available at: http://bandwidthd.sourceforge.net/ [Accessed 20 Jun. 2015].
5. Barroso, D., 2007. Botnets - the silent threat. European Network and Information Security Agency (ENISA), 15, pp. 171.
6. Bro.org, 2014. The Bro Network Security Monitor. [online] Available at: https://www.bro.org/ [Accessed 19 Jun. 2015].
7. Carman, A., 2015. SC Magazine. 'International effort takes down 'Beebone' botnet'. Online article, April 09, 2015. Available at: http://www.scmagazine.com/europol-and-fbi-collaborate-to-removebotnet/article/408297/ [Accessed 27 Jun. 2015].
8. Chickowski, E., 2015. 6 Most Dangerous New Attack Techniques in 2015. [online] Dark Reading. Available at: http://www.darkreading.com/vulnerabilities---threats/6-most-dangerousnew-attack-techniques-in-2015/d/d-id/1320120 [Accessed 8 Jun. 2015].
9. Christodorescu, M. et al., 2007. Malware Detection. Springer Science & Business Media.
10. Czosseck, C. and Podins, K., 2011. A Usage-Centric Botnet Taxonomy. Proceedings of the 10th European Conference on Information Warfare and Security. pp. 70.
11. Eslahi, M., Salleh, R. and Anuar, N.B., 2012. Bots and botnets: An overview of characteristics, detection and challenges. Control System, Computing and Engineering (ICCSCE), 2012 IEEE International Conference on. IEEE. pp. 349-354.

12. Fedynyshyn, G., Chuah, M.C. and Tan, G., 2011. Detection and classification of different botnet C&C channels. Autonomic and Trusted Computing. Springer. pp. 228-242.
13. Ferguson, R., 2010. The botnet chronicles: A journey to infamy. Trend Micro White Paper, 1, pp. 3-11.
14. Fildes, J., 2010. Stuxnet worm 'targeted high-value Iranian assets' - BBC News. [online] BBC News. Available at: http://www.bbc.co.uk/news/technology-11388018 [Accessed 10 Jun. 2015].
15. Fitzpatrick, J., 2010. Five Best Virtual Machine Applications. [online] Lifehacker. Available at: http://lifehacker.com/5714966/five-best-virtualmachine-applications [Accessed 20 Jun. 2015].
16. Fortinet, 2012. FORTINET white paper on Anatomy of a Botnet (White Paper). Available at: http://www.fortinet.com/sites/default/files/whitepapers/Anatomy-of-aBotnet-WP.pdf [Accessed 02 Jun. 2015].
17. Fulz, C., 2009. Impacts, threats and incidents caused by Botnets. [online] Kaspersky. Available at: http://www.kaspersky.com/images/impacts_threats_and_incidents_caused_by_botnets.pdf [Accessed 28 May 2015].
18. Gibbs, P., 2014. [online] SANS. Available at: http://www.sans.org/readingroom/whitepapers/detection/botnet-tracking-tools-35347 [Accessed 12 Jun. 2015].
19. Huawei, 2013. 2013 Botnets and DDoS Attacks Report. [online] Available at: http://enterprise.huawei.com/ilink/enenterprise/download/HW_315881 [Accessed 27 May 2015].
20. Huawei, 2014. 2014 Botnets and DDoS Attacks Report. [online] Available at: http://e.huawei.com/en/marketingmaterial/global/products/enterprise_network/security/anti-ddos/hw_315881 [Accessed 27 May 2015].
21. Hudak, T., 2006. KoreLogic Security. 'An Introduction into the World of Botnets'. Presentation, July 2006. Available at: https://www.korelogic.com/Resources/Presentations/botnets_issa.pdf [Accessed 25 May 2015].
22. Ibrahim, L.M. and Thanoon, K.H., 2012. Detection of Zeus Botnet in Computers Networks and Internet. vol. 6, pp. 84-89.

23. IBM, 2012. Wireshark - The best open source network packet analyzer (Part I) (Real world open source). [online] Available at: https://www.ibm.com/developerworks/community/blogs/6e6f6d1b-95c346df-8a26b7efd8ee4b57/entry/wireshark_the_best_open_source_network_packet_analyzer_part_i60?lang=en [Accessed 18 Jun. 2015].
24. Israelsson, P., Karlsson, J. and Giamarchi, G., 2005. A quick overview of Snort. [online] it. Available at: https://www.it.uu.se/edu/course/homepage/sakdat/ht05/assignments/pm/programme/Introduction_to_snort.pdf [Accessed 19 Jun. 2015].
25. Karim, A. et al., 2014. Botnet detection techniques: review, future trends, and issues. Journal of Zhejiang University SCIENCE C, 15(11), pp. 943-983.
26. Kaspersky, 2014. [online] Available at: http://media.kaspersky.com/en/B2B-International-2014-Survey-DDoSSummary-Report.pdf [Accessed 15 Jun. 2015].
27. Keizer, G., 2009. Koobface worm to users: Be my Facebook friend. [online] Network World. Available at: http://www.networkworld.com/article/2263981/collaborationsocial/koobface-worm-to-users--be-my-facebook-friend.html [Accessed 10 Jun. 2015].
28. Kismetwireless.net, 2015. Kismet. [online] Available at: https://www.kismetwireless.net/ [Accessed 19 Jun. 2015].
29. Kurose, J. and Ross, K., 2007. Wireshark Lab: Getting Started. [online] Available at: http://www.eng.tau.ac.il/~netlab/resources/booklet/Wireshark_INTRO.pdf [Accessed 19 Jun. 2015].
30. Li, C., Jiang, W. and Zou, X., 2009. Botnet: Survey and case study. Innovative Computing, Information and Control (ICICIC), 2009 Fourth International Conference on. IEEE. pp. 1184-1187.
31. Mahmoud, M., Nir, M. and Matrawy, A., 2015. A Survey on Botnet Architectures, Detection and Defences. International Journal of Network Security, 17(3), pp. 272-289.
32. Mcguire, M. and Dowling, S., 2013. Cyber crime: A review of the evidence. Summary of key findings and implications. Home Office Research Report, 75.
33. Milošević, N., 2013. History of malware. arXiv preprint arXiv:1302.5392.

34. Neagu, A., 2014. The top 10 most dangerous malware that can empty your bank account.
35. Network Sniffer Pub, 2014. The Top 20 Free Network Monitoring and Analysis Tools for Sys Admins. [online] Available at: http://networksniffer.blog.com/2014/02/08/the-top-20-free-networkmonitoring-and-analysis-tools-for-sys-admins/ [Accessed 20 Jun. 2015].
36. Nicho, M., 2015. Network Security, CMM528 [Lecture 4 Notes]. Malware - Getting to know your enemy. The Robert Gordon University, School of Computing. Retrieved from: http://campusmoodle.rgu.ac.uk/pluginfile.php/3436520/mod_resource/content/1/Week%20-%204%20Malware%20-%20Part%201.pdf [Accessed 30 May 2015].
37. Nicho, M., 2015. Network Security, CMM528 [Lecture 2 Notes]. Scanning – Finding your way. The Robert Gordon University, School of Computing. Retrieved from: http://campusmoodle.rgu.ac.uk/pluginfile.php/3373025/mod_resource/content/3/ch03%20Scanning.pdf [Accessed 01 June 2015].
38. Oracle.com, 2013. ORACLE VM VIRTUALBOX. [online] Available at: http://www.oracle.com/us/technologies/virtualization/oraclevm/oracle-vmvirtualbox-ds-1655169.pdf [Accessed 20 Jun. 2015].
39. Ossec.net, 2015. OSSEC | Home | Open Source SECurity. [online] Available at: http://www.ossec.net/ [Accessed 19 Jun. 2015].
40. Paganini, P., 2013. Security Affairs. 'HTTP-Botnets: The Dark Side of an Standard Protocol!' Online article, April 22, 2013. Available at: http://securityaffairs.co/wordpress/13747/cyber-crime/http-botnets-thedark-side-of-an-standard-protocol.html [Accessed 03 Jun. 2015].
41. Protalinski, E., 2012. The Next Web. 'Malware warning: There's a bot going around Facebook Chat, Skype, other IM services'. Available at: http://thenextweb.com/facebook/2012/08/30/malware-warning-theres-botgoing-around-facebook-chat-skype-messenger-im-services/ [Accessed 03 Jun. 2015].
42. Raywood, D., 2010. SC Magazine. 'A condensed history of the botnet'. Online article, November 29, 2010. Available at: http://www.scmagazineuk.com/a-condensed-history-of-thebotnet/article/191636/ [Accessed 30 May 2015].

43. Rouse, M., 2014. What is virtual machine? - Definition from WhatIs.com. [online] SearchServerVirtualization. Available at: http://searchservervirtualization.techtarget.com/definition/virtual-machine [Accessed 17 Jun. 2015].
44. Schiller, C. and Binkley, J.R., 2011. Botnets: The killer web applications. Syngress.
45. Schiller, C.A. et al., 2007. Chapter 5 - Botnet Detection: Tools and Techniques. In: C.A. Schiller, J. Binkley, D. Harley, G. Evron, T. Bradley, C. Willems and M. Cross, eds. Botnets. Burlington: Syngress. pp. 133-215.
46. Schreiber, J., 2014. Open Source Intrusion Detection Tools: A Quick Overview. [online] AlienVault. Available at: https://www.alienvault.com/blogs/security-essentials/open-source-intrusiondetection-tools-a-quick-overview [Accessed 19 Jun. 2015].
47. Scriptrock.com, 2015. Top Free Network-Based Intrusion Detection Systems (IDS) for the Enterprise. [online] Available at: https://www.scriptrock.com/articles/top-free-network-based-intrusiondetection-systems-ids-for-the-enterprise [Accessed 19 Jun. 2015].
48. Sectools.org, 2015. Intrusion detection systems – SecTools Top Network Security Tools. [online] Available at: http://sectools.org/tag/ids/ [Accessed 19 Jun. 2015].
49. Sharpe, R., 2004. Chapter 1. Introduction. [online] Wireshark. Available at: https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html [Accessed 19 Jun. 2015].
50. Shearer, J., 2013. W32.Stuxnet. Writeup.symantec.com/security_response. [online] Available at: http://www.symantec.com/security_response/writeup.jsp?docid=2010071400-3123-99 [Accessed 08 Jun. 2015].
51. Siciliano, R., 2013. What is a "Drive-By" Download? - McAfee. [online] McAfee. Available at: https://blogs.mcafee.com/consumer/drive-by-download [Accessed 8 Jun. 2015].
52. Sikorski, M. and Honig, A., 2012. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. No Starch Press.
53. Silva, S.S.C. et al., 2013. Botnets: A survey. Computer Networks, 57(2), pp. 378-403.

54. Snort.org, 2015. Snort FAQ. [online] Available at: https://www.snort.org/faq [Accessed 19 Jun. 2015].
55. Soltani, S. et al., 2014. A survey on real world botnets and detection mechanisms. International Journal of Information and Network Security (IJINS), 3(2), pp. 116-127.
56. Stevens, K. and Jackson, D., 2010. Zeus banking trojan report. Atlanta, Dell SecureWorks. Retrieved from: http://www.secureworks.com/cyber-threatintelligence/threats/zeus/ [Accessed 06 Jun. 2015].
57. SourceForge, 2015. Pandora FMS: Flexible Monitoring System. [online] Available at: http://sourceforge.net/projects/pandora/ [Accessed 20 Jun. 2015].
58. Microsoft, 2014. The OSI Model's Seven Layers Defined and Functions Explained. [online] Available at: https://support.microsoft.com/enus/kb/103884?wa=wsignin1.0 [Accessed 20 Jun. 2015].
59. Stephens, K., 2010. Malware Command and Control Overview. [online] NSCI. Available at: http://www.nsci-va.org/WhitePapers/2010-12-30Malware%20C2%20Overview-Stephens.pdf [Accessed 10 Jun. 2015].
60. Suricata, 2012. Features. [online] Available at: http://suricataids.org/features/ [Accessed 19 Jun. 2015].
61. Tabona, A., 2015. The Top 20 Free Network Monitoring and Analysis Tools for Sys Admins. [online] GFI Blog. Available at: http://www.gfi.com/blog/thetop-20-free-network-monitoring-and-analysis-tools-for-sys-admins/ [Accessed 20 Jun. 2015].
62. Tanner, B.K., Warner, G., Stern, H. and Olechowski, S., 2010. Koobface: The evolution of the social botnet. eCrime Researchers Summit (eCrime), 2010. IEEE. pp. 1-10.
63. Tanwar, G.S. and Goar, V., 2014. Tools, Techniques & Analysis of Botnet. Proceedings of the 2014 International Conference on Information and Communication Technology for Competitive Strategies. ACM. pp. 92.
64. Thomas, K. and Nicol, D.M., 2010. The Koobface botnet and the rise of social malware. Malicious and Unwanted Software (MALWARE), 2010 5th International Conference on. IEEE. pp. 63-70.
65. Tiirmaa-Klaar, H., Gassen, J., Gerhards-Padilla, E. and Martini, P., 2013. Botnets: How to fight the ever-growing threat on a technical level. In: Botnets. Springer London. pp. 41-97.

66. Trend Micro, 2010. ZeuS: A Persistent Criminal Enterprise. [online] Available at: http://www.trendmicro.com/cloud-content/us/pdfs/securityintelligence/white-papers/wp_zeus-persistent-criminal-enterprise.pdf [Accessed 7 Jun. 2015].
67. Trivedi, B. and Noorani, Z. Botnet and Detection Technique.
68. Tyagi, A.K. and Aghila, G., 2011. A wide scale survey on botnet. International Journal of Computer Applications, 34(9), pp. 9-22.
69. US-CERT, 2014. DDoS Quick Guide. [online] Available at: https://www.uscert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf [Accessed 20 Jun. 2015].
70. Valentino, V., 2013. Remote Administration Tool Zeus BotNet (RAT) | Ethical Hacking Tutorials, Tips and Tricks. [online] Ethical Hacking Tutorials, Tips and Tricks. Available at: http://www.hacking-tutorial.com/hackingtutorial/remote-administration-tool-zeus-botnet-rat/#sthash.OsuNsUTr.dpbs [Accessed 10 Jun. 2015].
71. Villeneuve, N., Deibert, R. and Rohozinski, R., 2010. Koobface: Inside a crimeware network. Munk School of Global Affairs.
72. Vmware.com, 2015. VMware Workstation: Multiple Operating Systems Linux, Windows 8 & More | VMware United Kingdom. [online] Available at: http://www.vmware.com/uk/products/workstation/ [Accessed 19 Jun. 2015].
73. Wang, P., Aslam, B. and Zou, C.C., 2010. Peer-to-peer botnets. Handbook of Information and Communication Security. Springer. pp. 335-350.
74. Wang, P., Sparks, S. and Zou, C.C., 2010. An advanced hybrid peer-to-peer botnet. Dependable and Secure Computing, IEEE Transactions on, 7(2), pp. 113-127.
75. Wang, P. et al., 2015. Analysis of Peer-to-Peer Botnet Attacks and Defenses. Propagation Phenomena in Real World Networks. Springer. pp. 183-214.
76. Wyke, J., 2011. What is Zeus? [online] Sophos. Available at: https://www.sophos.com/medialibrary/PDFs/technical%20papers/Sophos%20what%20is%20zeus%20tp.pdf [Accessed 15 Jun. 2015].
77. Zang, X. et al., 2011. Botnet detection through fine flow classification. Unpublished, Departments of CS&E and EE, The Pennsylvania State University, University Park, PA, Report No. CSE11-001.

Appendix
Appendix A: Project Specification
Robert Gordon University,
School of Computing Science and Digital Media

Title: Botnet Analysis and Detection
Supervisor: Dr. Hatem Ahriz, h.ahriz@rgu.ac.uk
Suitable for: INS students ONLY
Key Techniques: Computer and Network Security, Programming
Background
Botnets are one of the most sophisticated and popular types of cybercrime today. They allow hackers to take control of many computers at a time, and turn them into “zombie” computers to spread viruses, generate spam, etc. [1]
The aim of the project is to investigate botnets and develop an application/environment that can simulate a botnet behavior and detect its presence.
Depending on the student’s programming skills, this project could either involve developing an application (in a language of the student’s choice) that can simulate a bot’s behavior and interface with an Intrusion Detection System (IDS) such as snort [2] in order to simulate the detection of the bot’s activity.
Alternatively, the project can focus mainly on setting up the virtual environment for running an actual bot and evaluating the efficiency and effectiveness of the IDS in detecting the bot's activity.
Objectives
* To investigate the different types of botnets, methods of infection and detection methods…
* To design/implement (or setup)/test/evaluate an experimental setup to demonstrate the use of the application in simulating bot activity and its detection.
References
[1] http://uk.norton.com/botnet
[2] https://www.snort.org/

Appendix B: Project Investigation Plan

Project Investigation Plan

Task Name                                                   Duration         Start Date   Finish Date
Week 1: Research and gathering of materials needed          2 weeks 4 days   25/05/15     12/06/15
        (Introduction, Literature Review)
Week 2: Analysis                                            5 days           13/06/15     17/06/15
Week 3: Project Specification                               1 day            18/06/15     19/06/15
Week 4: Report Specification                                1 day            19/06/15     20/06/15

General work on my report on the 20/06/15 – 21/06/15
Submission of Project Investigation 22/06/15

Similar Documents

Free Essay

Classification of Botnet Detection Based on Botnet Architechture

...Classification of Botnet Detection Based on Botnet Architechture N.S.Raghava, Dept. of Information Technology Delhi Technological University Delhi, India nsraghava@dce.ac.in Divya Sahgal Dept of Information Technology Delhi Technological University Delhi, India divyasahgal61@gmail.com Seema Chandna Dept of Information Technology Delhi Technological University Delhi, India seemachandna64@gmail.com Abstract—Nowadays, Botnets pose a major threat to the security of online ecosystems and computing assets. A Botnet is a network of computers which are compromised under the influence of Bot (malware) code. This paper clarifies Botnet phenomenon and discusses Botnet mechanism, Botnet architecture and Botnet detection techniques. Botnet detection techniques can be categorized into six classes: honey pot based, signature-based, mining-based, anomaly-based, DNS-based and network-based. It provides a brief comparison of the above mentioned Botnet detection techniques. Finally, we discuss the importance of honeypot research to detect the infection vector and dealing with new Botnet approaches in the near future. Keywords- Botnet; Bot; Malware; Malicious code; P2P; Honeypot functions programmed by the Bot-master in automated way. Bots can receive commands from the Bot-master and work according to those commands to perform many cyber crimes for example phishing [26], malware dissemination, Distributed Denial of Service attack (DDoS) attack, identity theft etc. The process of Botnet can be...

Words: 2973 - Pages: 12

Premium Essay

2012 Us Cost of Cyber Crime Study Final6

...2012 Cost of Cyber Crime Study: United States Sponsored by HP Enterprise Security Independently conducted by Ponemon Institute LLC Publication Date: October 2012 Ponemon Institute© Research Report 2012 Cost of Cyber Crime Study: United States Benchmark Study of U.S. Companies Ponemon Institute October 2012 Part 1. Executive Summary We are pleased to present the 2012 Cost of Cyber Crime Study: United States, which is the third annual study of US companies. Sponsored by HP Enterprise Security, this year’s study is based on a representative sample of 56 organizations in various industry sectors. While our research focused on organizations located in the United States, many are multinational corporations. For the first time, Ponemon Institute conducted cyber crime cost studies for companies in the United Kingdom, Germany, Australia and Japan. The findings from this research are presented in separate reports. Cyber attacks generally refer to criminal activity conducted via the Internet. These attacks can include stealing an organization’s intellectual property, confiscating online bank accounts, creating and distributing viruses on other computers, posting confidential business information on the Internet and disrupting a country’s critical national infrastructure. Consistent with the previous two studies, the loss or misuse of information is the most significant consequence of a cyber attack. Based on these findings, organizations need to be more vigilant...

Words: 9057 - Pages: 37

Free Essay

Dfdgfg

...Build Your Report | Symantec http://www.symantec.com/threatreport/print.jsp?id=highlights... BOOKMARK THIS PAGE | PRINT THIS PAGE | CLOSE Internet Security Threat Report Volume 17 Custom Report SHARE THIS PAGE Symantec blocked a total of over 5.5 billion malware attacks in 2011, an 81% increase over 2010. Web based attacks increased by 36% with over 4,500 new attacks each day. 403 million new variants of malware were created in 2011, a 41% increase of 2010. SPAM volumes dropped by 34% in 2011 over rates in 2010. 39% of malware attacks via email used a link to a web page. Mobile vulnerabilities continued to rise, with 315 discovered in 2011. Only 8 zero-day vulnerabilities were discovered in 2011 compared with 14 in 2010. 50% of targeted attacks were aimed at companies with less than 2500 employees. Overall the number of vulnerabilities discovered in 2011 dropped 20%. Only 42% of targeted attacks are aimed at CEOs, Senior Managers and Knowledge Workers. In 2011 232 million identities were exposed. An average of 82 targeted attacks take place each day. Mobile threats are collecting data, tracking users and sending premium text messages. You are more likely to be infected by malware placed on a legitimate web site than one created by a hacker. Introduction Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec Global Intelligence Network, which is made up of more than 64.6 million attack sensors and...

Words: 44470 - Pages: 178

Premium Essay

Impact Supply Chain

...Report#1 Denial of Service as a Service - Asymmetrical Warfare at Its Finest Introduction Denial of service attack becomes a major problem against computers connected to the Internet. DoS attacks involves exploiting any bugs in such an operating system or any existed vulnerabilities in TCP/IP implementation. Tracking this attack becomes very serious problem, because the attacker uses many machines in order to lunch this kind of attack. On the other hand, since the attackers are human being at least one mistake will occurred by them, once the investigators discover such mistake will be very helpful to track such attacker. The attacker goal is to prevent the legitimate users from accessing their resources by taking down such a server. This report will discuss “Denial of Service as a Service Asymmetrical Warfare at Its Finest” which was given by Robert Masse, CEO of Swipe Identity Company. Robert Masse has explained the process of capturing the attacker who performed Denial of server attack (DoS) against mid-sized internet server provider (ISP). Actually, the attacker was working at Mid-sized ISP, which is considered to be the largest ISP in Canada. In addition, the attacker was one of the employees who’s working at the targeted ISP, which make the investigation process very difficult to identify him or to stop this attack. On November 25th 2012 the ISP received this attack for one week and then eventually escalate quickly. As a result, this attack cause to shut down the emergency...

Words: 3055 - Pages: 13

Premium Essay

Analysis of Web Based Malware

...The Ghost In The Browser Analysis of Web-based Malware Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang and Nagendra Modadugu Google, Inc. {niels, deanm, panayiotis, kewang, ngm}@google.com Abstract As more users are connected to the Internet and conduct their daily activities electronically, computer users have become the target of an underground economy that infects hosts with malware or adware for financial gain. Unfortunately, even a single visit to an infected web site enables the attacker to detect vulnerabilities in the user’s applications and force the download a multitude of malware binaries. Frequently, this malware allows the adversary to gain full control of the compromised systems leading to the ex-filtration of sensitive information or installation of utilities that facilitate remote control of the host. We believe that such behavior is similar to our traditional understanding of botnets. However, the main difference is that web-based malware infections are pull-based and that the resulting command feedback loop is looser. To characterize the nature of this rising thread, we identify the four prevalent mechanisms used to inject malicious content on popular web sites: web server security, user contributed content, advertising and third-party widgets. For each of these areas, we present examples of abuse found on the Internet. Our aim is to present the state of malware on the Web and emphasize the importance of this rising threat. ...

Words: 8266 - Pages: 34

Premium Essay

Case Study: Mobile Device Security and Other Threats

...2014 are discussed along with the security issues of mobile devices. a) Security threats presented within the “Security Threat Report 2014” report: The security report of Sophos (Security Threat Report 2014 Smarter, Shadier, Stealthier Malware. (n.d.). Retrieved August 19, 2014, from https://blackboard.strayer.edu/bbcswebdav/institution/CIS/502/1144/Week8/sophos-security-threat-report-2014.pdf) highlights the emerging security risks in the world. In the report, they have identified the following concerns for 2014: a. More efficient Botnets: Botnets have become more resilient and stealthy by the year 2014. Along with many known attributes, the sharing and copying of botnet code has resulted in new botnets emerging which are being used for various attacks all over the world. Also, botnet managers are creating new code to overcome the countermeasures prepared by the antivirus companies, making their botnets more resilient against known security measures. b. Android Malware: Android devices now enjoy more than 70% of the smartphone market share. This has caused the OS to become a lucrative target for cyber attackers. As the...

Words: 1993 - Pages: 8

Premium Essay

Malware

...A Brief History “In 1949, Von Neumann established the Theory of Self-Reproducing Automata, where he presented for the first time the possibility of developing small replicating programs able to control other programs with a similar structure. In 1959, in Bell Computer’s laboratories, three young programmers: Robert Thomas Morris, Douglas Mcllroy and Victor Vysottsky created a game called CoreWar, based on the theory of Von Neumann and in which programs fought between each other, trying to occupy as much memory as possible and eliminating opposing programs. This game is considered the precursor to computer viruses. In 1972, Robert Thomas Morris created the first virus as such: Creeper, which could infect IBM 360 on the ARPANET (the predecessor of the Internet) and show an on-screen message saying “I’m the creeper, catch me if you can”. To eliminate it, a virus called Reaper was created to search for it and destroy it” (PANDA SECURITY (2011) Malware Overview. Retrieved from http://www.google.com/images?rlz=1T4ADFA_enUS391US392&q=virus+clipart&um=1&ie=UTF-8&source=univ&sa=X&ei=nOx7TfqZEoXorAGvu5zCBQ&ved=0CDMQsAQ&biw=1174&bih=463). Malicious software, better known as Malware, is the most sophisticated type of threat to a computer system. Malware is simply code that is designed with the purpose and intent to destroy, steal, disrupt or damage someone’s data, computer system or network. Malware is software that is written...

Words: 3874 - Pages: 16

Free Essay

Bibliography

...Bibliography Alazab, A, 2013, Crime Toolkits: The Productisation of Cybercrime. Trust, Security and Privacy in Computing and Communications (TrustCom), 2013 12th IEEE International Conference on. IEEE. Alazab, M., Layton, R., Venkataraman, S., Watters, P., 2010, Malware detection based on structural and behavioural features of api calls. Alrabaee, S., Saleem, N., Preda, S., Wang, L., Debbabi, M., 2014, OBA2: an Onion approach to binary code authorship attribution. Digital Investigation, 11, S94-S103. Anderson, R., Barton, C., Böhme, R., Clayton, R., Van Eeten, M. J., Levi, M., ... Savage, S., 2013, Measuring the cost of cybercrime. In The economics of information security and privacy (pp. 265-300). Springer Berlin Heidelberg. Androutsopoulos, Ion, et al., 2000, "Learning to filter spam e-mail: A comparison of a naive bayesian and a memory-based approach." arXiv preprint cs/0009009. Bagavandas, M., and Manimannan, G., 2008, Style consistency and authorship attribution: A statistical investigation*. Journal of Quantitative Linguistics 15.1: 100-110 Bishop, C. M., 2006, Pattern recognition and machine learning. springer. Bond, P., 2014, “Sony Hack: Activists to Drop ‘Interview’DVDs over North Korea via Balloon. The Hollywood Reporter, 16. Bouton, M. E., 2014, "Why behavior change is difficult to sustain." Preventive medicine 68: (p. 29-36) Brennan, M. R., Greenstadt, R. (2009, July). Practical Attacks Against Authorship Recognition Techniques. In IAAI. Brennan, M...

Words: 1223 - Pages: 5

Premium Essay

Artificial Intelligence in Cyber Defense

...2011 3rd International Conference on Cyber Conflict C. Czosseck, E. Tyugu, T. Wingfield (Eds.) Tallinn, Estonia, 2011 © CCD COE Publications Permission to make digital or hard copies of this publication for internal use within NATO, and for personal or educational use done for non-profit or non-commercial purpose is granted providing that copies bear this notice and a full citation on the first page. Any other reproduction or transmission requires prior written permission. Artificial Intelligence in Cyber Defense Enn Tyugu R&D Branch Cooperative Cyber Defense Center of Excellence (CCD COE) and Estonian Academy of Sciences Tallinn, Estonia tyugu@ieee.org Abstract - The speed of processes and the amount of data to be used in defending the cyber space cannot be handled by humans without considerable automation. However, it is difficult to develop software with conventional fixed algorithms (hard-wired logic on decision making level) for effectively defending against the dynamically evolving attacks in networks. This situation can be handled by applying methods of artificial intelligence that provide flexibility and learning capability to software. This paper presents a brief survey of artificial intelligence applications in cyber defense (CD), and analyzes the prospects of enhancing the cyber defense capabilities by means of increasing the intelligence of the defense systems. After surveying the papers available about artificial intelligence applications in CD, we can conclude...

Words: 4861 - Pages: 20

Free Essay

Information Security

...Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Analyzing Man-in-the-Browser (MITB) Attacks The Matrix is real and living inside your browser. How do you ask? In the form of malware that is targeting your financial institutions. Though, the machines creating this malware do not have to target the institution, rather your Internet browser. By changing what you see in the browser, the attackers now have the ability to steal any information that you enter and display whatever they choose. This has become known as the Man-in-the-Browser (MITB) attack. Copyright SANS Institute Author Retains Full Rights. Analyzing Man-in-the-Browser (MITB) Attacks GIAC (GCFA) Gold Certification Author: Chris Cain, cicain08@gmail.com Advisor: Dominicus Adriyanto Accepted: December 22nd 2014 Abstract (repeats the paragraph above) No one is safe from ...

Words: 5973 - Pages: 24

Premium Essay

Cloud

...STRAYER UNIVERSITY Mobile Devices Security Week 7 Case Study Professor Gideon Nwatu CIS 502 – Theories of Security Management May 26, 2013 Mobile Devices Security 1. Describe the emerging cyber-security issues and vulnerabilities presented in the “Emerging Cyber Threats 2012” report. Emerging cyber-security issues and vulnerabilities presented in the “Emerging Cyber Threats 2012” report focused on mobile devices. The surge of mobile devices in all facets of human endeavors and their lack of adequate security highlighted the report. According to the report, the emerging cyber-security issues that make mobile devices vulnerable are: * In order to improve usability for mobile devices, their applications depend on the browser, which presents exceptional challenges to security. Perfectly legitimate-looking images can hide a malicious link that, when touched, could give an attacker the capacity to spy or steal data. * Attacks target the use of SMS, e-mail and the mobile Web browser by mobile devices to launch an attack and steal data. * Increasingly, mobile devices are being used as storage devices just as USB flash drives are, and have therefore become the ideal medium to spread malware to protected systems. 2. Analyze vulnerabilities of mobile devices in regard to usability and scale based on your research and suggest methods to mitigate the vulnerabilities of mobile devices. Due to the fact that mobile devices are increasingly being used in the...

Words: 1994 - Pages: 8

Premium Essay

Cloud Computing

...Top Threats to Cloud Computing V1.0 Prepared by the Cloud Security Alliance March 2010 Top Threats to Cloud Computing V1.0 Introduction The permanent and official location for the Cloud Security Alliance Top Threats research is: http://www.cloudsecurityalliance.org/topthreats © 2010 Cloud Security Alliance. All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance “Top Threats to Cloud Computing” at http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf subject to the following: (a) the Guidance may be used solely for your personal, informational, non-commercial use; (b) the Guidance may not be modified or altered in any way; (c) the Guidance may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Guidance as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance “Top Threats to Cloud Computing” Version 1.0 (2010). Copyright © 2010 Cloud Security Alliance 2 Top Threats to Cloud Computing V1.0 Table of Contents: Introduction (p. 2); Foreword (p. 4); Executive...

Words: 3759 - Pages: 16

Premium Essay

Cyber Law

...Unit-4 (ICS -305) Information security Information security (ISec) describes activities that relate to the protection of information and information infrastructure assets against the risks of loss, misuse, disclosure or damage. Standards that are available to assist organizations implement the appropriate programs and controls to mitigate these risks are for example BS7799/ISO 17799, Information Technology Infrastructure Library and COBIT. Information security management (ISM) describes controls that an organization needs to implement to ensure that it is sensibly managing these risks. Security Challenges: The risks to these assets can be calculated by analysis of the following issues: (1) Threats to your assets. These are unwanted events that could cause the intentional or accidental loss, damage or misuse of the assets. (2) Vulnerabilities. How vulnerable (prone or weak) your assets are to attack. (3) Impact. The magnitude of the potential loss or the seriousness of the event. Security services Information Security Governance, Information Security Governance or ISG, is a subset discipline of Corporate Governance focused on information Security systems and their performance and risk management. It aims to: (1) Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations; (2) Develop the information security strategy in support of business strategy and...

Words: 1808 - Pages: 8

Premium Essay

Cybercrime

...to the UK and to the world as a whole. We distinguish carefully between traditional crimes that are now ‘cyber’ because they are conducted online (such as tax and welfare fraud); transitional crimes whose modus operandi has changed substantially as a result of the move online (such as credit card fraud); new crimes that owe their existence to the Internet; and what we might call platform crimes such as the provision of botnets which facilitate other crimes rather than being used to extract money from victims directly. As far as direct costs are concerned, we find that traditional offences such as tax and welfare fraud cost the typical citizen in the low hundreds of pounds/Euros/dollars a year; transitional frauds cost a few pounds/Euros/dollars; while the new computer crimes cost in the tens of pence/cents. However, the indirect costs and defence costs are much higher for transitional and new crimes. For the former they may be roughly comparable to what the criminals earn, while for the latter they may be an order of magnitude more. As a striking example, the botnet behind a third of the spam sent in 2010 earned its owners around US$2.7m, while worldwide expenditures on spam prevention probably exceeded a billion dollars. We are extremely inefficient at fighting cybercrime; or to put it another way, cybercrooks are...

Words: 16972 - Pages: 68

Premium Essay

Itrust Database Software Security Assessment

...iTrust Database Software Security Assessment Security Champions Corporation (fictitious) Assessment for client Urgent Care Clinic (fictitious) Amy Wees, Brooks Rogalski, Kevin Zhang, Stephen Scaramuzzino and Timothy Root University of Maryland University College Author Note Amy Wees, Brooks Rogalski, Kevin Zhang, Stephen Scaramuzzino and Timothy Root, Department of Information and Technology Systems, University of Maryland University College. This research was not supported by any grants. Correspondence concerning this research paper should be sent to Amy Wees, Brooks Rogalski, Kevin Zhang, Stephen Scaramuzzino and Timothy Root, Department of Information and Technology Systems, University of Maryland University College, 3501 University Blvd. East, Adelphi, MD 20783. E-mail: acnwgirl@yahoo.com, rogalskibf@gmail.com, kzhang23@gmail.com, sscaramuzzino86@hotmail.com and Chad.Root@gmail.com Abstract The healthcare industry, taking in over $1.7 trillion dollars a year, has begun bringing itself into the technological era. Healthcare and the healthcare industry make up one of the most critical infrastructures in the world today and one of the most grandiose factors is the storage of information and data. Having to be the forerunner of technological advances, there are many changes taking place to streamline the copious amounts of information and data into something more manageable. One major change in the healthcare industry has been the implementation...

Words: 7637 - Pages: 31