
Gujarat Technological University Silver Oak College of Engineering & Technology

Ahmedabad

Dissertation Title:
"Criminology of Botnet Resilience Technology and Mitigation of Botnet"

Guided by: Mr. Pushkar Jha (Assistant Professor, SOCET)
Prepared by: Shaishav D. Shukla

Outline of Dissertation
 Introduction
 Problem Statement
 Motivation of Dissertation
 History of Botnet
 Literature Survey
 Orientation of Work
 Flow of Dissertation
 Implementation
 Conclusion and Future Work
 References

Introduction

• Botnets are a well-recognized and persistent threat to all users of the Internet. They have developed from a subject of curiosity into highly sophisticated instruments for illegally earning money. Many types of botnet exist, but the most widely used and most advanced form is the peer-to-peer botnet.

Problem Statement

• The research focuses on mitigating botnets, which are the largest infection vehicle among all malware. Traditional detection methods exist, but each carries a false positive/false negative ratio. This research treats that ratio as the main parameter and then mitigates the botnet based on detection with Wireshark; as a result a port-scan report and a detection report are generated.

• Other techniques are based on signature-based detection, which is mostly not used for real-time bot detection because its signatures are outdated.

Continue..
• Why not signature-based detection?
  o Looks only for "known patterns"
  o Low alarm rate, since only known patterns fire
  o If someone develops a new attack, there is no protection
  o "Only as strong as its rule set."

• Why anomaly-based detection?
  o Tracks unknown, unique behaviour patterns
  o Conducts a thorough screening of everything that comes through

Motivation
• Among all media of communication, the Internet is the most vulnerable to attacks owing to its public nature and the virtual absence of centralized control.

• Whereas previously hackers would satisfy themselves by breaking into someone's system, today hackers work under an organized crime plan to obtain illicit financial gains. Attacks that include spamming, phishing, click fraud, distributed denial of service, hosting of illegal material, key logging, etc. are carried out by hackers using botnets.

• Motivation for this topic came from the news of 5th August 2014 about a botnet attack.

Continue..

Reference: http://www.itnews.com.au/News/396197,first-shellshock-botnet-attacks-akamai-us-dod-networks.aspx

History of Bot Attacks
• 2001 Sub7 / Pretty Park (first botnet)
• 2002 GTBot
• 2005 Torpig
• 2006 Virut
• 2007 Zeus, one of the biggest (3.6 million compromised U.S. computers)
• 2007 Storm
• 2008 Conficker
• 2008 Grum
• 2008 Lethic
• 2008 Mariposa
• 2009 SpyEye
• 2010 Waledac
• 2011 ZeroAccess
• 2012 FlashFake (Mac OS X)
• 2012 Jeef
• 2012 Smok
• 2013 Boatnet
• 2013 Zer0n3t

Literature Survey
• Botnets are being used as a vehicle for an array of cybercrimes, such as spamming, denial of service, identity theft and phishing.

• A computer executing a bot program is called a bot. A collection of these bots connected to a network is called a botnet.

• Compared to other malware, the unique feature of a botnet lies in its command and control network.

Botnet lifecycle [1]
• Infection: initial installation of the botnet malware on the target host.

• Bootstrapping & maintenance: each node has to perform a set of actions to detect the presence of other nodes and connect to them.

• Command and control: the botmaster and controller need to reliably distribute their commands as well as service data.

• Command execution: running the received command on each individual bot.

Continue..

Figure 1: Botnet working scenario, the infection and attack phases [2]

Architecture of Bot Attack
1. Centralized architecture   2. P2P architecture

Figure 2: Architecture of attacks [2]

Comparison of botnet types [3]

Botnet attacks [6]
• Attacking IRC networks: botnets are used for attacking IRC networks. The victim is flooded with service requests from thousands of bots and the victim IRC network is taken down.

• DDoS: a DDoS is an attack on a computer system or network that causes a loss of service for its users by consuming the bandwidth of the victim network.

• Manipulating online polls or games: these are very easy to manipulate because of the attention they draw. Since every bot has a distinct IP address, every vote it casts has the same credibility as a vote cast by a real person. Online games can be manipulated in a similar way.

Continue..
• Advertisement installation: the botnet operator sets up a fake web site carrying advertisements and negotiates a deal with hosting companies that pay per click on those ads. With the help of the botnet the clicks can be "automated": instantly a few thousand bots click on the pop-ups, and the bot hijacks the start page of the compromised machine so that the "clicks" are executed each time the victim uses the browser.

Techniques in botnets to evade detection [7]
• Fast flux: a mechanism in which the set of IP addresses that a single domain name resolves to changes frequently.

• Domain flux: a mechanism in which a set of domain names is generated automatically and periodically, all leading to the same C&C address.

• Domain fluxing is based on the idea of generating domains through a domain generation algorithm (DGA); the bots walk the generated list until they hit the name the botmaster has actually registered.

Bot Detection Techniques [11]
• Signature based: detection of known botnets

• Anomaly based: detects botnets using the following anomalies
  o High network latency
  o High volume of traffic
  o Traffic on unusual ports
  o Unusual system behaviour

Continue..
• Mining based: detects bots using mining algorithms
  o Machine learning
  o Classification
  o Clustering
  o Most mining-based approaches work by monitoring network traffic

Prevention techniques
• Honeypot-based monitoring [9]:
  o Join the botnet
  o Act as an active servant bot
  o Monitor for as long as possible
  o Gather plaintext

• Responding with DDoS [8]:
  o If the location of the C&C is known, there is the possibility of launching a counter-DDoS attack.

Continue..
• Grey listing [5]:
  o Related to black lists/white lists.
  o Delays mail from an unknown sender with a temporary refusal until the sender tries again; legitimate mail servers retry, while most spam bots do not.

• Index poisoning [10]:
  o Inserting a massive number of records into the index of a P2P file-sharing system.

• BGP black holing [8]:
  o Botnet-related traffic is redirected; this is called sink holing.

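The grey-listing mechanism described above, as an added example that is not from the slides or from any particular mail server: a greylist keyed on the (client IP, envelope sender, envelope recipient) triplet that defers the first attempt with a temporary SMTP failure, accepts a proper retry and whitelists the triplet, and keeps deferring a client that hammers the server without waiting. The delay values, reply strings, addresses and the attempt timeline are assumptions constructed for the example.

```python
"""Greylisting on the (client IP, sender, recipient) triplet.

Added example, not the slides' own code and not any particular MTA's
implementation. Timings and SMTP reply strings are assumptions for the
example; a real deployment keeps the tables in persistent storage.
"""

TEMP_FAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


class Greylist:
    def __init__(self, min_delay=300, whitelist_ttl=36 * 3600, pending_ttl=4 * 3600):
        self.min_delay = min_delay        # seconds a first-time triplet must wait
        self.whitelist_ttl = whitelist_ttl
        self.pending_ttl = pending_ttl    # forget a triplet that never retried
        self.pending = {}                 # triplet -> first-seen time
        self.whitelist = {}               # triplet -> expiry time

    @staticmethod
    def key(client_ip, sender, recipient):
        return (client_ip, sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP reply for one delivery attempt at time `now`."""
        k = self.key(client_ip, sender, recipient)
        expires = self.whitelist.get(k)
        if expires is not None and now < expires:
            self.whitelist[k] = now + self.whitelist_ttl   # refresh on use
            return ACCEPT
        first = self.pending.get(k)
        if first is None or now - first > self.pending_ttl:
            self.pending[k] = now            # first sighting: defer
            return TEMP_FAIL
        if now - first < self.min_delay:
            return TEMP_FAIL                 # retried too early: still deferred
        del self.pending[k]                  # proper retry: accept and whitelist
        self.whitelist[k] = now + self.whitelist_ttl
        return ACCEPT


def simulate():
    """Constructed attempts: a real MTA that retries, a bot that never retries,
    and a bot that hammers the server without waiting. Returns the reply each got."""
    gl = Greylist()
    legit = ("198.51.100.7", "alice@example.org", "bob@example.net")
    bot_once = ("192.0.2.10", "promo@example.com", "bob@example.net")
    bot_fast = ("192.0.2.11", "promo@example.com", "bob@example.net")
    return {
        "legit_first": gl.check(*legit, now=0),
        "legit_retry_10min": gl.check(*legit, now=600),
        "legit_next_day": gl.check(*legit, now=24 * 3600),
        "bot_once": gl.check(*bot_once, now=5),
        "bot_fast_first": gl.check(*bot_fast, now=5),
        "bot_fast_retry_10s": gl.check(*bot_fast, now=15),
        "bot_fast_retry_60s": gl.check(*bot_fast, now=65),
    }


if __name__ == "__main__":
    for step, reply in simulate().items():
        print(f"{step:22s} -> {reply}")
```

The legitimate sender is delayed once and then passes for the whitelist lifetime; the bot that sends once is never delivered, and the bot that retries within seconds keeps receiving the temporary failure because the retry arrived before the minimum delay.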
Continue...
• Defence against domain flux [9]:
  o If the number of requested DNS names that share the longest common substring and come back with an empty A record exceeds a threshold, the host is taken to be in domain-flux progress.

• Session abort [5]:
  o Abort the connection after the message header/body has been obtained.

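The domain-flux defence above, as an added example that is not from the slides or from [9]: one concrete reading of the rule, in which each client's queries are grouped by their longest shared suffix (here simply the TLD) and the client is flagged when the number of empty-A (NXDOMAIN) replies in that group inside a sliding window exceeds a threshold. The toy DGA, the threshold, the window, the log format and the log lines are all constructed for the example; the toy DGA is not any real family's algorithm.

```python
"""Domain-flux (DGA) detection from DNS logs by counting empty-A-record replies.

Added example, not the slides' own code. Threshold, window, the toy DGA
and the log lines are constructed for the example.
"""
import hashlib
from collections import defaultdict

THRESHOLD = 10      # assumed: more than this many NXDOMAINs per client/suffix ...
WINDOW = 300        # ... inside any 300-second window flags the client


def toy_dga(seed, count, tld="com"):
    """Constructed toy DGA, not any real family's algorithm: seed -> domain list."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
        names.append(f"{label}.{tld}")
    return names


def parse_dns_log(lines):
    """Lines look like: '<unix_ts> <client_ip> <qname> <rcode>'."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, rcode = line.split()
        records.append((int(ts), client, qname.lower().rstrip("."), rcode))
    return records


def domain_flux_hosts(records, threshold=THRESHOLD, window=WINDOW):
    """Return {client: (suffix, peak_nxdomain_count)} for clients over the threshold."""
    stamps = defaultdict(list)          # (client, suffix) -> NXDOMAIN timestamps
    for ts, client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            stamps[(client, qname.rsplit(".", 1)[-1])].append(ts)
    flagged = {}
    for (client, suffix), times in stamps.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):       # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold and peak > flagged.get(client, ("", 0))[1]:
            flagged[client] = (suffix, peak)
    return flagged


def build_log():
    """Constructed DNS log: one bot walking its DGA list, one ordinary host."""
    base = 1407196800
    lines = ["# ts client qname rcode"]
    for i, name in enumerate(toy_dga("2014-08-05", 30)):
        rcode = "NOERROR" if i == 17 else "NXDOMAIN"   # the one registered C&C name
        lines.append(f"{base + 2 * i} 192.168.98.128 {name} {rcode}")
    normal = [("www.example.org", "NOERROR"), ("mail.example.org", "NOERROR"),
              ("wwww.example.org", "NXDOMAIN"), ("cdn.example.net", "NOERROR"),
              ("examlpe.com", "NXDOMAIN")]
    for i, (name, rcode) in enumerate(normal):
        lines.append(f"{base + 30 * i} 192.168.98.50 {name} {rcode}")
    return lines


if __name__ == "__main__":
    hits = domain_flux_hosts(parse_dns_log(build_log()))
    for client, (suffix, peak) in hits.items():
        print(f"{client}: {peak} empty-A replies for *.{suffix} inside {WINDOW}s")
```

The ordinary host's two typos stay far below the threshold, while the bot's burst of unresolvable generated names is flagged even though one name in the list did resolve; that resolving name is the candidate C&C domain to look at next.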
Existing Tools [V]
• Phrozensoft Mirage Anti-Bot
  o Keeps a list of known malicious websites
  o If the computer requests any such bot-spreading malicious website, Phrozensoft Mirage Anti-Bot blocks the request

• Bot Revolt
  o Analyses network connections using firewalls and removes bots that match previously seen signatures

Orientation of Work
• The research is divided into three main parts.

• Generation of the port scanner report
  o Front end (the probe part that generates the port report)
  o Back end (graphics engine)

• Implementation of a botnet
  o Zeus botnet implementation (key logger)
  o Installation of the bot binary on the infected machine

• Detection of the botnet
  o Wireshark and Ourmon

Projectile Path (Proposed Work)

Flow chart: Proposed Work

Continue..
• Step 1: Implementation of the Ourmon script in a Fedora environment. Installing the Ourmon script requires these prior packages: libpcap-devel, pcre, pcre-devel, rrdtool and rrdtool-perl.

• Step 2: Generate the port report for both transport protocols, TCP and UDP.

• Step 3: Implementation of the Zeus botnet (key logger).

• Step 4: Installation of the botnet binary on the targeted host.

• Step 5: Detection of the botnet based on the communication pattern between botmaster and bot.

• Step 6: Based on the traced botmaster IP, technical takedowns are done.

Working of Ourmon

Figure 3: Ourmon script starting on Fedora

Log file generated by Ourmon

Figure 4: Log file generated by Ourmon (document file)

TCP Port Report [i]

(Figure: annotated Ourmon TCP port report. Call-outs on the figure: a VNC backdoor port; a bad scanner; a false positive with one SA/S (one SYN-ACK per SYN) that was marked because of the P flag; a high work weight with [P, I] flags on the same subnet.)

Flag legend:
  E = ICMP error sent back
  H = web source port
  W = TCP work weight is very high (>= 90)
  w = work weight is >= 50
  I = IRC message
  P = dark net
  O = FINs (the TCP control packet that ends a conversation) not being returned
  G = Gnutella protocol
  R = RESETs (TCP control packet) returned when no service port is open
  M = few data packets are returned

TCP work weight = (SS + FS + RR) / TP

  SS = SYNs sent by the IP during the sample period.
  FS = FINs sent by the IP during the sample period.
  RR = RESETs returned to the IP during the sample period.
  TP = total number of TCP packets, control and data, sent and received by the host.

The W and w flags read this ratio as a percentage: a host whose SYNs, FINs and returned RESETs make up 90% or more of its TCP packets gets W, and 50% or more gets w. A scanner sending SYNs that are answered by RESETs and never carrying data sits near 100%; a normal client that exchanges data packets sits far lower.

Implementation

o UDP port report

Columns of the UDP port report: ip_src, weight, guess, udp_sent, udp_recv, unreach, ping, L3D/L4D/L4S, sizes, sa/ra, appflags, port_count, port_sig [port, count]

Figure 6: UDP logs taken by the Ourmon tool

UDP Port Report [i]

(Figure: annotated Ourmon UDP port report. Call-outs on the figure: a flood of 88k packets, well above normal; 2k destination-unreachable replies; a work weight of 380 million; packets sent into the dark net; packets sent to 4k local hosts on only 2 ports, which marks a scanner.)

UDP work weight = UDP packets sent × ICMP errors returned

o A normal UDP work weight is less than 1,000,000.


Why Zeus Bot?
• Why the Zeus botnet? [VI]
  o Man-in-the-browser keystroke logging
  o Spread by: drive-by download, phishing, spam mail
  o Its first attack was on the U.S. Department of Transportation
  o It compromised 74,000 FTP accounts; NASA and Bank of America were among this botnet's biggest targets

Communication pattern between Zeus and the client

Figure 7: Communication pattern between the Zeus C&C and the bot-infected machine

Implementation of Zeus Bot

Figure 7: config.txt for building the binary

Continue..

Figure 8: Binary executable

Continue..

Figure 9: Bot executable file build

Continue..

• Once the bot is installed on the client's machine, that machine becomes part of the botnet, and the botmaster is kept updated with the current status of each bot and the operating system on which it is installed.

• Whenever the botmaster wants to know how many bots are available, the control panel reports the count.

• There is a payment form through which, once a PC is infected with the bot, all personal data entered is disclosed and shared with the botmaster.

Continue..

Figure 10: Botmaster control panel, part I

Continue..

Figure 11: Botmaster control panel, part II (here the botmaster can see how many bots are installed and how many of them are live)

Continue..

Figure 12: Payment form that captures all of the client's card information once the bot is installed on the machine

Continue..

Figure 13: Botmaster searching the database for the inserted data and retrieving the card number, PIN, etc.

Continue..

Figure 14: Client's personal card information under the botmaster's control

Detection of the Zeus botnet

192.168.98.128 = IP address of the bot

192.168.98.1 = IP address of the botmaster

Figure 15: Bot request for config.bin

Continue..

Figure 15: config.bin received from the botmaster

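The bot-to-botmaster pattern shown in the two captures above, as an added example that is not from the slides: a detector over HTTP request records that flags any client fetching a URI ending in config.bin from the same server on a regular schedule, which is what the bot's periodic request for its configuration looks like on the wire. The log format, the jitter bound, the minimum request count and the request timestamps are constructed for the example; only the two addresses and the file name config.bin come from the slides.

```python
"""Flagging the Zeus bot-to-botmaster pattern from HTTP request logs.

Added example, not the slides' own code. The slides show the bot
(192.168.98.128) fetching config.bin from the botmaster (192.168.98.1);
this script flags any client that fetches a URI ending in config.bin from
the same server on a regular schedule. The log format, the jitter bound and
the request timestamps are constructed for the example.
"""
import statistics
from collections import defaultdict

CONFIG_FILE = "config.bin"   # the object the slides show the bot requesting
MIN_REQUESTS = 3             # assumed: fewer fetches is not enough to call it a beacon
MAX_JITTER = 0.2             # assumed: every gap must lie within 20% of the mean gap


def parse_http_log(lines):
    """Lines look like: '<unix_ts> <src_ip> <dst_ip> <method> <uri>'."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, method, uri = line.split()
        records.append((int(ts), src, dst, method.upper(), uri))
    return records


def config_beacons(records, min_requests=MIN_REQUESTS, max_jitter=MAX_JITTER):
    """Return {(bot, botmaster): (fetch_count, mean_interval_s)} for periodic config.bin fetches."""
    fetches = defaultdict(list)
    for ts, src, dst, method, uri in records:
        if method == "GET" and uri.split("?", 1)[0].rsplit("/", 1)[-1] == CONFIG_FILE:
            fetches[(src, dst)].append(ts)
    hits = {}
    for pair, times in fetches.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= max_jitter * mean:
            hits[pair] = (len(times), round(mean))
    return hits


def build_log():
    """Constructed requests: the bot polling config.bin hourly, a normal browser,
    and a host that fetched config.bin only once (not enough to flag)."""
    lines = ["# ts src dst method uri"]
    for ts in (1407196800, 1407200400, 1407203990, 1407207610):
        lines.append(f"{ts} 192.168.98.128 192.168.98.1 GET /config.bin")
    lines += [
        "1407196900 192.168.98.50 192.168.98.1 GET /index.html",
        "1407197000 192.168.98.50 192.168.98.1 GET /images/logo.png",
        "1407197100 192.168.98.50 192.168.98.1 GET /config.bin",
        "1407197200 192.168.98.50 192.168.98.1 POST /login.php",
    ]
    return lines


if __name__ == "__main__":
    for (bot, master), (n, interval) in config_beacons(parse_http_log(build_log())).items():
        print(f"bot {bot} fetched {CONFIG_FILE} from {master} {n} times, every ~{interval}s")
```

In Wireshark the first step of the same check is the display filter `http.request.uri contains "config.bin"`; the periodicity test is what separates a bot polling its configuration from a one-off download by a curious user, and the flagged destination is the botmaster address used in Step 6 of the proposed work.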
Conclusion and future work
• Conclusion
  o A botnet, like any attack, first infects the victim's machine after some sort of scanning activity. Based on multiple parameters we generate a scanner report with a reduced false positive rate. The detection of the Zeus bot is based on the communication between botmaster and bot and on other abnormal packet patterns. In this system we reveal the Zeus binary to a certain level, which leads to mitigation of the botnet. This approach is applied mainly to Zeus, which mostly uses the RC4 stream cipher.
• Future work
  o To provide more security to the network we will make some modifications to the communication pattern using encryption; we will also implement the mitigation approach for higher versions of Zeus.

References
[1] Aniello Castiglione, Roberto De Prisco, Alfredo De Santis, Ugo Fiore, Francesco Palmieri, "A botnet-based command and control approach relying on swarm intelligence", Journal of Network and Computer Applications.
[2] Kuochen Wang, Chun-Ying Huang, Shang-Jyh Lin, Ying-Dar Lin, "A fuzzy pattern-based filtering algorithm for botnet detection", Computer Networks.
[3] Ihsan Ullah, Naveed Khan, Hatim A. Aboalsamh, "Survey on Botnet: Its Architecture, Detection, Prevention and Mitigation", IEEE, April 2013.
[4] Ping Wang, Lei Wu, Baber Aslam and Cliff C. Zou, "A Systematic Study on Peer-to-Peer Botnets", University of Central Florida.
[5] Areej Al-Bataineh, Gregory White, "Detection and Prevention Methods of Botnet-generated Spam", University of Texas.
[6] Jivesh Govil, Jivika Govil, "Criminology of Botnets and their Detection and Defense Methods", IEEE EIT 2007.
[7] Lei Zhang, Shui Yu, Di Wu, Paul Watters, "A survey on latest botnet attack and defense", 2011 International Joint Conference of IEEE.
[8] C. Czosseck, E. Tyugu, T. Wingfield, "On the arms race around botnets: setting up and taking down botnets", 2011 3rd International Conference on Cyber Conflict.
[9] Zhiqi Zhang, Baochen Lu, Peng Liao, Chaoge Liu, Xiang Cui, "A hierarchical hybrid structure for botnet control and command", Research Center of Information Security, Institute of Computing Technology, Chinese Academy of Sciences.
[10] Li Xiao-nan, Liu Yang, Zheng Hua, "Peer-to-Peer Botnets: Analysis and Defense", IEEE 2011.
[11] N. S. Raghava, Divya Sahgal, Seema Chanda, "Classification of Botnet Detection and Architecture", Delhi Technological University, IEEE 2012.
[12] H. Binsalleeh, P. Sinha, A. Youssef, "On the analysis of the Zeus botnet", Canada 2011.

Reference Links
[I] http://www.chmag.in/article/jan2011/botnet-detection-tool-ourmon
[II] http://www.checkpoint.com/products/anti-bot-software-blade/anti-bot-software-blade-landing-page.html
[III] https://www.shadowserver.org/wiki/pmwiki.php/Information/Botnets
[IV] en.wikipedia.org/wiki/Botnet
[V] www.thewindowsclub.com/botnet-removal-tools-windows
[VI] http://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29

Books
[i] Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross, "Botnets: The Killer Web App"

