Botnets and Alife




Christopher Horne

NTS222 Final Project - Botnets



What is a botnet? Why does the subject occupy such a prominent place in the standardized, processed information that is currently labeled as ‘News’? Does it really present a threat to the average computer user, or is the phenomenon simply part of the international corporate agenda? To begin with, I would like to quote SANS (www.sans.org/reading_room/malicious/1299.php): “Using thousands of zombie machines to launch distributed denial of service attack(s) against enterprise and government resources is becoming [a] dangerously common trend. Recently, there is a growing trend towards attackers using Internet Relay Chat (IRC) networks for controlling & managing infected internet hosts.” I believe that the key word here is ‘resources’. Wikipedia says the term ‘botnet’ is “generally used to refer to a collection of compromised, or zombie computers running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure. A botnet’s originator (aka ‘bot herder’) can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC ‘bots’. Often the command and control takes place via an IRC server or a specific channel on a public IRC network. A bot typically runs hidden, and complies with the RFC 1459 (http://ietf.org/html/rfc1459) (IRC) standard. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community.”

A botnet may be viewed as a natural outcome of the commoditization of information. Biologist Thomas Ray, in a 1994 paper (Thomas S. Ray, “Evolution, Complexity, Entropy, and Artificial Reality”, Physica D 75:239-263, 1994), described setting up an artificial life (alife) computer simulation called Tierra in which digital organisms competed for computer resources (CPU cycles, memory, etc.), setting up an analogue for Darwin’s ‘survival of the fittest’. From an original ‘ancestor’ organism with a length of eighty instructions, mutants began to evolve with shorter instruction sets. At a certain point ‘parasites’ with only forty-five instructions appeared. Hosts developed defenses, parasites found new means of attack. Like botnets versus the legitimate internet ‘hosts’, the war was on. Later, ‘hyperparasites’ evolved, which could steal the replication of the parasites. Today, we can see the beginning of this latter process on the Internet, as it becomes evolutionarily ‘cheaper’ for one botnet owner to steal another’s network than to set up a new one. On the net, the security holes in the newly stolen botnet are often closed and the zombies given defensive abilities against other would-be botnet thieves. In the Artificial Life version of this struggle, the original parasites were driven to extinction, and a cooperative cycle evolved between groups of hyperparasites who relied on their neighbors for more efficient growth. A new breed of parasite soon evolved which took advantage of the cooperative cycle for its own ends. The end result was an open-ended evolutionary process.

Ray’s study suggests the direction of the external form of botnets and their organization on the net. However, like the supposedly empirical stock market, reacting to laws of supply and demand, the missing factor is the human one. We also see a parallel phenomenon with corporations using tax breaks altruistically allocated by Government in order to generate new jobs and new factories being used to take over competitors and slash their employment. It is simply a more efficient use of resources.

There are currently three common bot variants. www.honeynet.org calls them (1) Agobot/Phatbot/Forbot/XtremBot, (2) SDBot/Rbot/UrBot/UrXbot, and (3) mIRC-based bots (GT-Bots). Agobot, the first category, is probably the best known. This is a C++ bot with cross-platform abilities. It is modularly structured, so commands or vulnerability scanners are easy to add. Agobot employs sniffers, Alternate Data Streams, and rootkits to hide itself. It can detect debuggers used by forensic computer specialists and virtual machines such as VMware, as well as set up an init script on Linux machines.

SDBot is very active currently. It is written in C, sometimes poorly implemented, with a limited command set, and the implementation is not particularly sophisticated, but it is apparently very popular with malware writers. As I will detail later in this paper, there is a sizeable constituency of bot-herders who are relatively unskilled and who simply download and deploy ready-made malware programs from the Internet. I can make a broad generalization that these so-called ‘script kiddies’ are the largest consumers of SDBot-type programs.

mIRC-based bots constitute most other implementations. They launch an instance of the mIRC chat client with scripts and binaries. Many link to DLL files which add new features to the original script, such as the scanners in the DLLs.

After exploitation, bots use Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP), HTTP, and IRC extensions to transfer themselves to the hosts. Binaries connect to a master IRC server, using an IP address obtained through dynamic DNS, so that the bot joins the rest of the botnet.

The server accepts the bot as a client, and commands to spread itself are relayed to the bot. The bot controller is able to authenticate himself to the IRC server in order to control the botnet. Once in control, the hacker can search for sensitive information, launch a Distributed Denial of Service (DDoS) attack, enable keyloggers, look for account information or passwords, etc. TCP ports 445, 139 (NetBIOS) and 135 (RPC), plus UDP port 137, are frequent carriers of botnet traffic. Port 445 (Microsoft DS Service) is used for resource sharing (Win 2k, XP, Server 2003). www.honeypot.net reports these ports account for more than 80% of all observed botnet traffic, with XP and 2000 being the most prevalent software to be affected. Windows 2000 is much more popular than XP for this purpose.

Botnets vary in size from a few hundred machines to 50,000 (www.honeynet.org/papers/bots). The large networks may use 5 IRC servers. Note that the servers themselves have been modified in order to make tracing them more difficult. Many are not IRC compliant, so that they are difficult to link to. Some skill in writing the same kinds of scripts the hackers use is often necessary to ‘rehack’ back into the servers. Routing of botnets is often quite baroque, with paths going through far-flung countries where extradition and prosecution of botmeisters is difficult or ill-defined.

There is a certain irony that the IRC infrastructure used by botnets is often public in nature. IRC channels such as EFnet, Undernet and DALnet provide stable, scalable infrastructure over which to launch attacks. IRC operates over a default port of 6667. IRC servers listen in a port range of 6000-7000, although any TCP port can be used if so configured. The term “bot” derives linguistically from “robot”, and reflects the “automaton” nature of the enterprise. It should be noted that “bots” have legitimate counterparts in the computer game and search engine fields, the former being an agent in the game imbued with a certain amount of artificial intelligence to perform actions in a quasi-independent fashion (such as an enemy soldier that takes evasive action when fired upon), and the latter in the search-engine “spiders” that go from website to website updating information for the central data fileservers of the search engines. Of course, the malware agents utilize spiders and artificial intelligence for their own nefarious purposes as well. The favored targets of botnets are high-bandwidth server machines connected to the Internet by broadband. The resulting “pipe” is ideal for large DDoS attacks on networks. It would be futile for the botmeister to order a massive attack, only to find out that half his botnet is shut down because the server he wished to channel the attack on is not in service mode. Consequently, servers that are reliable and connected on a 24 hour basis are very desirable. One highly unexplored defense against botnet attacks would be to build unreliability (or at least random reliability) into the Internet as a whole. Any avid reader of John le Carré’s spy novels will know that randomness of behavior is a rudimentary but effective technique in maintaining spy networks, but in the real world a corporation or institution lives or dies by its reputation for consistent Quality of Service. Still, as the counterintelligence capabilities of the “White Hat” server defenders grow, as they inevitably will as part of the continuing battle between hackers and institutions, some variation of this tactic might prove effective for a time. Knowing that an attack is planned, certain pipes could be made to become temporarily unstable, disrupting coordinated attack efforts. At the very least, this would send the message that the operations of a botnet are known and are being monitored effectively (if indeed it becomes desirable to relay such knowledge to the attacker). Perhaps this tactic might be more useful in the hands of a ruthless botnet rival, or a rival who has been “turned” by the forces of good. As the American computer scientist Alan Kay put it, “The best way to predict the future is to invent it.” Finally, botnet operators prefer vectors that are geographically far away from their true position, run by people who are somewhat ignorant of network operations and management. Both of these factors result in a lower threshold of detectability for the attacker.

It is within the purview of IRC administrators to ban botnet operators from using their public channels. This action would swiftly end the game for IRC botnets, and therefore the operators are skilled at avoiding detection. Service providers like noip.com are used to dynamically map bots to multiple IRC servers, obfuscating the ‘signature’ of the botnet. Complex passwords are used to prevent other potential users from logging onto the network, and often the ‘handle’ of the operator consists of only one or two letters. Survivability is a key element in the overall psychology of botmeisters. Like a terrorist ‘cell’, the discovery of individual bots or infected servers must not be linked back to the main organizational structure of the botnet, or, like Ariadne’s thread, it will lead to the center of the Labyrinth, where the Minotaur will find itself destroyed. In this way, even if a server or host is banned from the IRC channel, the botnet will live on.

We may fairly ask, what kind of data is worth this kind of effort to maintain a botnet? Certain intellectual property, such as movies, mp3s, software, and warez, finds a ready market in parts of the world where it sells at vastly lower prices than official channels charge. There is a huge commodity market for credit card numbers, proprietary data stolen from corporate laptops, medical data and the like. Botnets themselves have become a commodity. They are now bought and sold like bundles of home mortgages in the bond market, or rented to clients for a specific series of exploits. Certain businesses such as online casinos are regularly subject to extortion. Their business model relies on an ‘always on’ posture. Any disruption of service results in a breach of trust from gamblers, so they are particularly vulnerable to threats of DDoS. The mountains of personal information available from personal computers, email, corporate networks and other sources mean that botnets are a phisher’s paradise. The level of detail involved means that emails can be individually crafted to appeal to specific victims. This results in more valuable personal data, such as social security numbers, but can also be used to leverage future attacks on networks. The botnet may thus be ‘multitasked’, providing additional revenue in exchange for the use of the compromised network. One of the biggest and most profitable uses for botnets is in delivering spam.

Bruce Schneier, the ubiquitous computer security maven, reported in his blog “Schneier on Schneier” on Feb 2, 2006: “Ancheta and SoBe [botnet operators] signed up as affiliates in programs maintained by online advertising companies that pay people each time they get a computer user to install software that displays ads and collects information about the sites a user visits.” This adds quasi-legitimate business to the list of uses for botnets. It may be noted that Google recently acquired the internet user tracking ad agency DoubleClick, raising the specter that this particular ‘nefarious’ activity may soon become all too legitimate. A very recent (April 25, 2007) article on Slashdot details a recent trend which is germane to Google’s business model: “Attackers apparently bought the rights to several high profile search terms, including searches that would return results for the Better Business Bureau, among others. The story notes that this was bound to happen, given the way that Google structures sponsored links: ‘The bad guys behind the attack appeared to capitalize on an odd feature of Google’s sponsored links. Normally, when a viewer hovers over a hyperlink, the name of the site that the computer is about to access appears in the bottom left hand corner of the browser window. But hovering over Google’s sponsored links shows nothing in that area. That blank space potentially gives bad guys another way to hide where visitors can be taken first.’” (www.slashdot.org/index.pl?issue=20070425) Beyond the problems that currently exist with botnets, the greater nightmare may be that botnet operators acquire legitimate channels, such as Google/DoubleClick, that are trusted sources for millions of users. The profit potential of such a development would constitute a seismic shift in the dynamics of the web and the botnet industry, particularly in countries where the legal and regulatory environment is subject to bribes, lobbying, and other forms of persuasion. We may yet see the day when botnets are a ‘feature’ of the Internet.

Recall my original thesis that botnets are essentially evolving digital organisms. They obtain their fuel from gathering data. Yet they are in the end simply byproducts of the people who run them, artifacts of the war between legitimate consumers, businesses and institutions and the hackers and crackers whose interests are intimately tied to their financial and professional goals.

Who are these people? What are their motivations? Can we posit a ‘profile’ to help us to defeat them, or at least put up an effective defense? In an interview with Washington Post computer security blogger Brian Krebs, botnet herder ‘Witlog’ claimed he did it for ‘fun’. Witlog’s specialty was installing adware-serving software. Krebs claimed he was making far in excess of $6000 to $10,000 per month. He built a botnet to 45,000 PCs before botnet hunters from the volunteer group Shadowserver caused his ISP to drop him. Witlog registered a new bot control channel (Witlog.net this time instead of Witlog.com), and began rebuilding the botnet. He is the modern version of a ‘script kiddie’, a semiskilled hacker who downloads scripts from the Internet and plays with them. It is quite possible that the money he makes is ‘silly money’, and that the motivation is the same as it always has been for this type of hacker: notoriety and the desire for respect from his peer group. It is not for nothing that exploits are commonly said to be ‘in the wild’. (http://blog.washingtonpost.com/securityfix/2006/03/post.html)

If you’re a woodmouse (or a PC owner), it matters little whether you are eaten by a weasel like Witlog or a puma. Who are the pumas? It is at this juncture that the DNA of attackers changes. In his blog, “The Red Tape Chronicles”, Bob Sullivan writes about international gangs of hackers: “The bot network industry has become so profitable, and hijacked computers so valuable, that rival gangs are now fighting over them.” The object of the fight is not physical, but to either take over someone else’s network or knock it off line. Sullivan writes: “When the Storm worm was released in Jan [07], it had a dual function. In addition to its spam functions, Storm-infected computers were instructed to attack web sites run by the rival Russian Warezov gang… The sites had been set up as communications hubs for Warezov-hijacked computers. Without them, the zombie computers did not know where to attack.” (http://blog.washingtonpost.com/securityfix/2006/03/post.html)

The point is that botnets are now a business. In business, it’s important to advertise yourself as the leader. Sullivan quotes Jose Nazario, a security researcher at Arbor Networks: “A single denial-of-service attack on a gambling website can cost $50,000 a day.” Sullivan puts the number of infected computers at perhaps 100 million, although it is hard to see how anyone could come up with a truly accurate estimate. He claims the top gangs are in Russia, Brazil, and Eastern Europe. Sullivan quotes David Marcus, security research and communications manager at McAfee: “Bot herders are typically young, perhaps 18-25, often only a little bit older than a teenage hacker. They are nearly always men. And they tend to live in an area where traditional, big money computing jobs are hard to find. [The gangs] watch for bright kids and they start them on small tasks, like, ‘Find me 100 passwords and I’ll give you 1000 rubles.’” Marcus said that more aggressive recruitment sometimes involves actually sending recruits to college.

We have, I think, sufficiently demonstrated the nature and scope of the botnet problem. The next logical step is to ask what to do about it. As long as the owners of PCs which are subject to recruitment into botnets are not motivated to take proactive measures, the existence of botnets will be a given. PC owners are affected by spam, of course, as is everyone else on the Internet, but the very ubiquitousness of the phenomenon manifests in a certain resigned attitude. Beyond that, the average user might notice a certain amount of slowdown, and personal data will be compromised, but we can expect no concerted effort by consumers towards preventing their machines from being affected. A great deal of good could come from fostering awareness of the problem, but efforts to raise consciousness about the operation of computers run exactly counter to the intentions of large corporate interests such as Microsoft, who advertise convenience and operating systems that ‘just work’. The popularity of computer science in the United States has declined markedly since corporations decided that their knowledge assets should have a basis in cheaper countries such as India and China. Computer Science is hard work, and more lucrative employment futures are seen to be elsewhere by candidates for higher learning.

That leaves the ISPs and network administrators, plus the government and vendors of security products. The ISPs can ban a domain name from their services, but as we have seen in the case of ‘Witlog’, such strictures are easily circumvented. IRC channel administrators are also subject to circumvention. The government (in this country) has chosen to increase penalties after the perpetrators have been caught, if they can be caught. Security product vendors stand to make a great deal of money if they can come up with effective anti-bot products. As an example, McAfee launched a ‘bot-killing system’ in 2006. Techworld reported, “Unlike conventional DDoS systems based on the statistical analysis of traffic, the first layer of the new Advanced Botnet Protection (ABP) intrusion prevention system (IPS) uses a proxy to pass or block packet traffic dependent on whether or not it is ‘complete’.” The system depends on the concept of SYN cookies, not a new idea. SYN cookies amount to particular choices of initial TCP sequence numbers by servers. This defends against SYN flood attacks by avoiding dropping connections as the SYN queue fills up: the server acts as if the queue had been enlarged.
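
As an added illustration of the SYN cookie mechanism just described (not code from the paper or from any vendor product), the following Python sketch encodes the half-open connection state into the server's initial sequence number and recovers it from the client's final ACK, so no SYN queue entry is needed. The 5/3/24 bit layout, the MSS table, the HMAC-SHA256 hash and the addresses are assumptions constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Assumed table of MSS values the 3-bit field can express (real stacks use their own).
MSS_TABLE = (536, 1300, 1440, 1460)


def _hash24(secret, server, client, t):
    """Keyed hash of (server addr, port, client addr, port, time counter), 24 bits."""
    saddr, sport = server
    caddr, cport = client
    msg = struct.pack("!4sH4sHI",
                      ipaddress.IPv4Address(saddr).packed, sport,
                      ipaddress.IPv4Address(caddr).packed, cport, t & 0x1F)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def encode_mss(mss):
    """Index of the largest table entry not exceeding the client's advertised MSS."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_cookie(secret, server, client, client_isn, mss, t):
    """Initial sequence number for the SYN-ACK. Layout (assumed, 32 bits):
    top 5 bits: time counter t mod 32; next 3 bits: MSS index;
    low 24 bits: keyed hash of the 4-tuple and t, offset by the client's ISN.
    Nothing is stored server-side, which is what lets the server behave as if
    its SYN queue were unbounded during a flood."""
    low = (_hash24(secret, server, client, t) + client_isn) & 0xFFFFFF
    return ((t & 0x1F) << 27) | (encode_mss(mss) << 24) | low


def check_cookie(secret, server, client, ack_seq, ack_ack, t_now):
    """Validate the handshake's final ACK. ack_seq is the client's sequence
    number (its ISN + 1), ack_ack its acknowledgment number (our cookie + 1).
    Returns the recovered MSS, or None if the cookie is forged or older than
    one counter tick."""
    cookie = (ack_ack - 1) & 0xFFFFFFFF
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    t = cookie >> 27
    # Accept only the current tick and the previous one (counter wraps mod 32).
    if (t_now - t) & 0x1F not in (0, 1):
        return None
    expected = (_hash24(secret, server, client, t) + client_isn) & 0xFFFFFF
    if (cookie & 0xFFFFFF) != expected:
        return None
    idx = (cookie >> 24) & 0x7
    return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None


def handshake_demo(secret=None):
    """Constructed three-way handshake plus two ACKs the server must reject."""
    secret = secret or os.urandom(32)
    server = ("192.0.2.10", 80)          # documentation-range addresses, constructed
    client = ("198.51.100.7", 40123)
    client_isn, mss, t = 0x1234ABCD, 1460, 17
    cookie = make_cookie(secret, server, client, client_isn, mss, t)
    # Genuine ACK one tick later: state is recovered, MSS comes back.
    good = check_cookie(secret, server, client, client_isn + 1, cookie + 1, t + 1)
    # ACK arriving from a different source port: keyed hash does not match.
    forged = check_cookie(secret, server, (client[0], 40124),
                          client_isn + 1, cookie + 1, t + 1)
    # Same ACK replayed two ticks later: cookie has expired.
    stale = check_cookie(secret, server, client, client_isn + 1, cookie + 1, t + 2)
    return good, forged, stale


if __name__ == "__main__":
    print(handshake_demo())
```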

What can the administrator do? Most of the existing approaches are defensive in nature. A bot needs a vulnerability or misconfiguration to exploit. In theory, if there were no vulnerabilities, the entire attack would fail. In practice, much can be done to ensure that the network is properly patched and configured, and that IDS signatures are in place to protect against common exploits. The problem is that signatures need to be updated at a dizzying pace to keep up.

Another approach is to interrupt communications between botnets and their herders. This can be accomplished by blocking the bots from communicating on the IRC channel. A firewall in some cases can block these communications by filtering outgoing traffic, although such protocols as HTTP may be impossible to block without destroying the functionality of the network itself. Covert channels and encrypted data streams may also be hard to detect and stop, although protocol anomalies make it technically possible in some instances. Other solutions such as honeypots are also feasible, but if not properly configured, can actually be used by an attacker to break into the system.
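
An added example (not part of the paper) of the egress-monitoring idea above, using the port facts the paper cites: it scans constructed outbound flow records for many internal hosts fanning in to one server in the IRC port range (6667, or 6000-7000), and for IRC protocol verbs appearing on a port where IRC is not expected, which is the kind of protocol anomaly that exposes a C2 channel hidden on an HTTP port. The log format, the verb list and the fan-in threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed outbound flow records (not real data): time, internal source,
# external destination, destination port, first line of client payload (optional).
SAMPLE_FLOWS = """\
10:00:01 10.0.0.11 203.0.113.5 6667 NICK h11
10:00:02 10.0.0.12 203.0.113.5 6667 NICK h12
10:00:03 10.0.0.13 203.0.113.5 6667 NICK h13
10:00:04 10.0.0.14 203.0.113.5 6667 NICK h14
10:00:05 10.0.0.20 198.51.100.9 80 GET /index.html HTTP/1.1
10:00:06 10.0.0.21 198.51.100.9 80 GET /logo.png HTTP/1.1
10:00:07 10.0.0.15 203.0.113.7 80 NICK h15
10:00:08 10.0.0.16 203.0.113.7 80 JOIN #c
10:00:09 10.0.0.30 192.0.2.44 6669 NICK alice
10:00:10 10.0.0.31 203.0.113.9 443
"""

# Client-side IRC commands (RFC 1459) at the start of a payload line.
IRC_VERB = re.compile(r"^(NICK|USER|PASS|JOIN|PRIVMSG|PING|PONG)\b")
# Distinct internal hosts to one external server before we call it a fan-in.
FANIN_THRESHOLD = 3


def is_irc_port(port):
    """Default IRC port 6667 and the 6000-7000 listening range the paper cites."""
    return port == 6667 or 6000 <= port <= 7000


def parse_flows(text):
    """Parse the constructed log format into dicts; payload may be absent."""
    flows = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue
        flows.append({"time": parts[0], "src": parts[1], "dst": parts[2],
                      "dport": int(parts[3]),
                      "payload": parts[4] if len(parts) > 4 else ""})
    return flows


def find_c2_candidates(flows, threshold=FANIN_THRESHOLD):
    """Return {(dst, dport): {"reason": ..., "hosts": [...]}} for suspect servers.

    Rule 1: several internal hosts connecting to the same external IRC-range
            server, which is what a bot population joining its master looks like.
    Rule 2: IRC verbs on a non-IRC port, a protocol anomaly that an egress
            filter keyed on port number alone would miss."""
    fan_in = defaultdict(set)
    anomalies = defaultdict(set)
    for f in flows:
        key = (f["dst"], f["dport"])
        if is_irc_port(f["dport"]):
            fan_in[key].add(f["src"])
        elif IRC_VERB.match(f["payload"]):
            anomalies[key].add(f["src"])
    findings = {}
    for key, hosts in fan_in.items():
        if len(hosts) >= threshold:
            findings[key] = {"reason": "irc-port-fan-in", "hosts": sorted(hosts)}
    for key, hosts in anomalies.items():
        findings[key] = {"reason": "irc-verbs-on-non-irc-port", "hosts": sorted(hosts)}
    return findings


if __name__ == "__main__":
    for (dst, port), info in sorted(find_c2_candidates(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{dst}:{port} {info['reason']} hosts={','.join(info['hosts'])}")
```

A single workstation on an IRC port (the 192.0.2.44 line) stays below the threshold, so ordinary chat use is not flagged by rule 1 alone.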

The problem of bots is technically not solvable at this time. If my thesis about the resemblance of botnet evolution to artificial life evolution is correct, the real problem may not even have arisen yet. In biological life, a plague continues until it becomes inefficient to infect hosts, because there are not enough left to infect, and the ones who are left have developed natural immunities. It is doubtful that the entire Internet will face extinction because of botnets or their successors, because without the Internet the vector that produces profit for the botnet owners will disappear. At a certain point, therefore, a balance will be struck, with a usable Internet laced with botnets. The question is, how much power will the botnet owners have?

References

www.itbsecurity.com/pr/13677
www.wired.com/wired/archive/14.11/botnet_pr.html
http://ddanchev.blogspot.com/2006/02/war-against-botnets-and-ddos-attack.html
http://en.wikipedia.org/wiki/SYN_cookie
www.stanford.edu/~stinson/paper_notes/bots/botnet_tracking.txt
www.ethicalhacker.net/content/view/63/2/
http://blog.washingtonpost.com/securityfix/2006/03/post.html
www.schneier.com/blog/archives/2006/02/forprofit_botne.html
www.theregister.co.uk/2004/10/20/phishing_botnet/print.html
www.enterprisenetworkingplanet.com/netsecur/article.php/3504801
www.rso.cornell.edu/scitech/archive/94fal/attfe.html
www.honeypot.org/papers/bots
http://redtape.msnbc.com/2007/04/virus_gang_warf.html
Thomas S. Ray, “Evolution, Complexity, Entropy, and Artificial Reality”, Physica D 75:239-263, 1994
isc.sans.org/diary.html?storyID=2612
www.sans.org/readingroom/whitepapers/malicious/1279.php
www.slashdot.org/index.pl?issue=20070425
How To Protect Your Website From Bot Attacks
 
Walowdac Botnet Whitepaper
Walowdac Botnet WhitepaperWalowdac Botnet Whitepaper
Walowdac Botnet Whitepaper
 
Walowdac Botnet Whitepaper
Walowdac Botnet WhitepaperWalowdac Botnet Whitepaper
Walowdac Botnet Whitepaper
 
Detecting and Confronting Flash Attacks from IoT Botnets
Detecting and Confronting Flash Attacks from IoT BotnetsDetecting and Confronting Flash Attacks from IoT Botnets
Detecting and Confronting Flash Attacks from IoT Botnets
 
Botnet Architecture
Botnet ArchitectureBotnet Architecture
Botnet Architecture
 
Defending Against Botnets
Defending Against BotnetsDefending Against Botnets
Defending Against Botnets
 
News Bytes - May 2015
News Bytes - May 2015News Bytes - May 2015
News Bytes - May 2015
 
Fast flux hosting and DNS
Fast flux hosting and DNSFast flux hosting and DNS
Fast flux hosting and DNS
 
Computer worm
Computer wormComputer worm
Computer worm
 

Recently uploaded

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 

Recently uploaded (20)

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 

Botnets and Alife: An Evolutionary Perspective

• 1. Botnets and Alife. Christopher Horne
• 2. NTS222 Final Project: Botnets

What is a botnet? Why does the subject occupy such a prominent place in the standardized, processed information that is currently labeled as ‘News’? Does it really present a threat to the average computer user, or is the phenomenon simply part of the international corporate agenda? To begin with, I would like to quote SANS (www.sans.org/reading_room/malicious/1299.php): “Using thousands of zombie machines to launch distributed denial of service attack(s) against enterprise and government resources is becoming [a] dangerously common trend. Recently, there is a growing trend towards attackers using Internet Relay Chat (IRC) networks for controlling & managing infected internet hosts.” I believe that the key word here is ‘resources’.

Wikipedia says the term ‘botnet’ is “generally used to refer to a collection of compromised, or zombie computers running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure. A botnet’s originator (aka ‘bot herder’) can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC ‘bots’. Often the command and control takes place via an IRC server or a specific channel on a public IRC network. A bot typically runs hidden, and complies with the IRC 1459 (http:/ietf.org/html/rfc 1459) (IRC) standard. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community.”

A botnet may be viewed as a natural outcome of the commoditization of information.
• 3. Biologist Thomas Ray, in a 1994 paper (Thomas S. Ray: Evolution, Complexity, Entropy, and Artificial Reality. Physica D 75:239-263, 1994), described setting up an artificial life (alife) computer simulation called Tierra in which digital organisms competed for computer resources (CPU cycles, memory, etc.), setting up an analogue for Darwin’s ‘survival of the fittest’. From an original ‘ancestor’ organism with a length of eighty instructions, mutants began to evolve with shorter instruction sets. At a certain point ‘parasites’ with only forty-five instructions appeared. Hosts developed defenses, parasites found new means of attack. Like botnets versus the legitimate internet ‘hosts’, the war was on. Later, ‘hyperparasites’ evolved, which could steal the replication of the parasites. Today, we can see the beginning of this latter process on the Internet, as it becomes evolutionarily ‘cheaper’ for one botnet owner to steal another’s network than to set up a new one. On the net, the security holes in the newly stolen botnet are often closed and the zombies given defensive abilities against other would-be botnet thieves. In the Artificial Life version of this struggle, the original parasites were driven to extinction, and a cooperative cycle evolved between groups of hyperparasites who relied on their neighbors for more efficient growth. A new breed of parasite soon evolved which took advantage of the cooperative cycle for its own ends. The end result was an open-ended evolutionary process.

Ray’s study suggests the direction of the external form of botnets and their organization on the net. However, like the supposedly empirical stock market, reacting to laws of supply and demand, the missing factor is the human one. We also see a parallel phenomenon with corporations using tax breaks altruistically allocated by Government in order to generate new jobs and new factories being used to take over competitors and slash their employment. It is simply a more efficient use of resources.

There are currently three common bot variants.
• 4. WWW.honeynet.org calls them 1) Agobot/Phatbot/Forbot/XtremBot, 2) SDBot/Rbot/UrBot/UrXbot, and 3) mIRC-based bots (GT-Bots). Agobot, the first category, is probably the best known. This is a C++ bot with cross-platform abilities. It is modularly structured, and easy to add commands or vulnerability scanners to. Agobot employs sniffers, Alternate Data Streams, and rootkits to hide itself. It can detect debuggers used by forensic computer specialists and virtual machines such as VMware, as well as set up an init script on Linux machines. SDBot is very active currently. It is written in C, sometimes poorly implemented, with a limited command set, and the implementation is not particularly sophisticated, but it is apparently very popular with malware writers. As I will detail later in this paper, there is a sizeable constituency of bot-herders who are relatively unskilled and who simply download and implement ready-made malware programs from the Internet. I can make a broad generalization that these so-called ‘script kiddies’ are the largest consumers of SDBot-type programs. mIRC-based bots constitute most other implementations. They launch an instance of the mIRC chat client with scripts and binaries. Many link to DLL files which add new features to the original script, such as using the scanners in the DLL scripts.

After exploitation, bots use Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP), HTTP, and IRC extensions to transfer themselves to the hosts. Binaries connect to a master IRC server, using a dynamic DNS-generated IP address, so that the bot joins the rest of the botnet. The server accepts the bot as a client, and the bot is relayed commands to spread itself. The bot controller is able to authenticate himself to the IRC server in order to control the botnet. Once in control, the hacker can search for sensitive information, launch a Distributed Denial of Service (DDoS) attack, enable keyloggers, look for account information or passwords, etc. TCP ports 445, 137 (UDP), 139 (NetBIOS) and 135 (RPC) are frequent carriers of botnet traffic.
• 5. Port 445 (Microsoft DS Service) is used for resource sharing (Win 2k, XP, Server 2003). WWW.honeypot.net reports these ports account for more than 80% of all observed botnet traffic, with XP and 2000 being the most prevalent software to be affected. Windows 2000 is much more popular than XP for this purpose. Botnets vary in size from a few hundred machines to 50,000 (www.honeynet.org/papers/bots). The large networks may use 5 IRC servers. Note that the servers themselves have been modified in order to make tracing them more difficult. Many are not IRC compliant, so that they are difficult to link to. Some skill in writing the same kinds of scripts the hackers use is often necessary to ‘rehack’ back into the servers. Routing of botnets is often quite baroque, with paths going through far-flung countries where extradition and prosecution of botmeisters is difficult or ill-defined. There is a certain irony that the IRC infrastructure used by botnets is often public in nature. IRC channels such as Efnet, Undernet and Dalnet provide stable, scalable infrastructure over which to launch attacks. IRC operates over a default port of 6667. IRC servers listen in a port range of 6000-7000, although any TCP port can be used if so configured.

The term “bot” derives linguistically from “robot”, and reflects the “automaton” nature of the enterprise. It should be noted that “bots” have legitimate counterparts in the computer game and search engine fields, the former being an agent in the game imbued with a certain amount of artificial intelligence to perform actions in a quasi-independent fashion (such as an enemy soldier that takes evasive action when fired upon), and the latter the search-engine “spiders” that go from website to website updating information for the central data fileservers of the search engines. Of course, the malware agents utilize spiders and artificial intelligence for their own nefarious purposes as well.

The favored targets of botnets are servers: high-bandwidth machines connected to the Internet by broadband.
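The ports listed above (IRC on 6667 and the 6000-7000 range for command and control; TCP 445/139/135 and UDP 137 for spreading) give a network defender something concrete to watch for. The detector below is an added example, not code from this paper or from honeynet.org: it runs over constructed flow-log lines in an assumed format and flags internal hosts that connect outbound to IRC ports or fan out to many internal neighbours on the file-sharing and RPC ports, which is what a bot scanning for new victims looks like from the network side. The 10.0.0.0/8 internal range and the fan-out threshold are assumptions.

```python
"""Flag hosts whose connection records look like IRC command-and-control
traffic or bot propagation scanning.  Added example, not code from the
paper or from honeynet.org.  The log format, the 10.0.0.0/8 internal
range and the fan-out threshold are assumptions; the port numbers are
the ones the paper lists."""
import ipaddress
from collections import defaultdict

IRC_PORTS = range(6000, 7001)      # 6667 is the default, 6000-7000 the usual listener range
SPREAD_PORTS = {("tcp", 445), ("tcp", 139), ("tcp", 135), ("udp", 137)}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed site address range
FANOUT_THRESHOLD = 5               # distinct internal targets before we call it scanning (assumed)

# Constructed sample flow log: "<timestamp> <proto> <src ip:port> -> <dst ip:port> <flags>"
SAMPLE_FLOWS = """\
2007-04-25T10:00:01 tcp 10.0.0.5:1034 -> 203.0.113.9:6667 SYN
2007-04-25T10:00:02 tcp 10.0.0.7:1055 -> 198.51.100.20:443 SYN
2007-04-25T10:00:03 tcp 10.0.0.5:1035 -> 10.0.0.10:445 SYN
2007-04-25T10:00:03 tcp 10.0.0.5:1036 -> 10.0.0.11:445 SYN
2007-04-25T10:00:03 tcp 10.0.0.5:1037 -> 10.0.0.12:139 SYN
2007-04-25T10:00:04 tcp 10.0.0.5:1038 -> 10.0.0.13:135 SYN
2007-04-25T10:00:04 udp 10.0.0.5:137 -> 10.0.0.14:137 -
2007-04-25T10:00:04 tcp 10.0.0.5:1039 -> 10.0.0.15:445 SYN
2007-04-25T10:00:05 tcp 10.0.0.8:1100 -> 10.0.0.2:445 SYN
2007-04-25T10:00:06 tcp 10.0.0.9:1200 -> 203.0.113.40:6900 SYN
2007-04-25T10:00:07 tcp 198.51.100.20:443 -> 10.0.0.7:1055 SYN-ACK
"""


def parse_flow(line):
    """Split one log line into its fields; ports become ints."""
    ts, proto, src, _, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto, "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port), "flags": flags}


def analyze(lines):
    """Return {internal host: [finding, ...]} for hosts showing C&C or scanning behaviour."""
    irc_peers = defaultdict(set)       # host -> external (ip, port) pairs it spoke IRC to
    spread_targets = defaultdict(set)  # host -> internal hosts it probed on SMB/NetBIOS/RPC ports
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src not in INTERNAL:
            continue               # only outbound and lateral behaviour of our own hosts matters here
        if f["proto"] == "tcp" and f["dport"] in IRC_PORTS and dst not in INTERNAL:
            irc_peers[f["src"]].add((f["dst"], f["dport"]))
        if (f["proto"], f["dport"]) in SPREAD_PORTS and dst in INTERNAL:
            spread_targets[f["src"]].add(f["dst"])
    findings = defaultdict(list)
    for host, peers in sorted(irc_peers.items()):
        findings[host].append("outbound IRC to " + ", ".join(f"{ip}:{p}" for ip, p in sorted(peers)))
    for host, targets in sorted(spread_targets.items()):
        if len(targets) >= FANOUT_THRESHOLD:
            findings[host].append(f"probed {len(targets)} internal hosts on SMB/NetBIOS/RPC ports")
    return dict(findings)


if __name__ == "__main__":
    for host, notes in analyze(SAMPLE_FLOWS.splitlines()).items():
        print(host, "->", "; ".join(notes))
```

A single connection to port 445 (host 10.0.0.8 above) is normal file-server use and is not flagged; only the fan-out pattern is.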
• 6. The resulting “pipe” is ideal for large DDoS attacks on networks. It would be futile for the botmeister to order a massive attack, only to find out that half his botnet is shut down because the server he wished to channel the attack on is not in service mode. Consequently, servers that are reliable and connected on a 24 hour basis are very desirable. One highly unexplored defense against botnet attacks would be to build unreliability (or at least random reliability) into the Internet as a whole. Any avid reader of John le Carré’s spy novels will know that randomness of behavior is a rudimentary but effective technique in maintaining spy networks, but in the real world a corporation or institution lives or dies by its reputation for consistent Quality of Service. Still, as the counterintelligence capabilities of the “White Hat” server defenders grow, as they inevitably will as part of the continuing battle between hackers and institutions, some variation of this tactic might prove effective for a time. Knowing that an attack is planned, certain pipes could be made to become temporarily unstable, disrupting coordinated attack efforts. At the very least, this would send the message that the operations of a botnet are known and are being monitored effectively (if indeed it becomes desirable to relay such knowledge to the attacker). Perhaps this tactic might be more useful in the hands of a ruthless botnet rival, or a rival who has been “turned” by the forces of good. As the American computer scientist Alan Kay put it, “The best way to predict the future is to invent it.”

Finally, botnet operators prefer vectors that are geographically far away from their true position, run by people who are somewhat ignorant of network operations and management. Both of these factors result in a lower threshold of detectability for the attacker. It is within the purview of IRC administrators to ban botnet operators from using their public channels.
• 7. This action would swiftly end the game for IRC botnets, and therefore the operators are skilled at avoiding detection. Service providers like noip.com are used to dynamically map bots with multiple IRC servers, obfuscating the ‘signature’ of the botnet. Complex passwords are used to prevent other potential users from logging onto the network, and often the ‘handle’ of the operator consists of only one or two letters. Survivability is a key element in the overall psychology of botmeisters. Like a terrorist ‘cell’, the discovery of individual bots or infected servers must not be linked back to the main organizational structure of the botnet, or, like Ariadne’s thread, it will lead to the center of the Labyrinth, where the Minotaur will find itself destroyed. In this way, even if a server or host is banned from the IRC channel, the botnet will live on.

We may fairly ask, what kind of data is worth this kind of effort to maintain a botnet? Certain intellectual property, such as movies, mp3s, software, and warez, finds a ready market in parts of the world where this output sells at vastly lower prices than official channels charge. There is a huge commodity market for credit card numbers, proprietary data stolen from corporate laptops, medical data and the like. Botnets themselves have become a commodity. They are now bought and sold like bundles of home mortgages in the bond market, or rented to clients for a specific series of exploits. Certain businesses such as online casinos are regularly subject to extortion. Their business model relies on an ‘always on’ posture. Any disruption of service results in a breach of trust from gamblers, so they are particularly vulnerable to threats of DDoS. The mountains of personal information available from personal computers, email, corporate networks and other sources mean that botnets are a phisher’s paradise. The level of detail involved means that emails can be individually crafted to appeal to specific victims. This results in more valuable personal data, such as social security numbers, but can also be used to leverage future attacks on networks. The botnet may thus be ‘multitasked’, providing additional revenue in exchange for the use of the compromised network. One of the biggest and most profitable uses for botnets is in delivering spam.
• 8. Bruce Schneier, the ubiquitous computer security maven, reported in his blog “Schneier on Schneier”, Feb 2, 2006: “Ancheta and SoBe [botnet operators] signed up as affiliates in programs maintained by online advertising companies that pay people each time they get a computer user to install software that displays ads and collects information about the sites a user visits.” This adds quasi-legitimate business to the list of uses for botnets. It may be noted that recently Google acquired the internet user tracking ad agency DoubleClick, raising the specter that this particular ‘nefarious’ activity may soon become all too legitimate. A very recent (April 25, 2007) article in Slashdot details a recent trend which is germane to Google’s business model. “Attackers apparently bought the rights to several high profile search terms, including searches that would return results for the Better Business Bureau, among others. The story notes that this was bound to happen, given the way that Google structures sponsored links: ‘The bad guys behind the attack appeared to capitalize on an odd feature of Google’s sponsored links. Normally, when a viewer hovers over a hyperlink, the name of the site that the computer is about to access appears in the bottom left hand corner of the browser window. But hovering over Google’s sponsored links shows nothing in that area. That blank space potentially gives bad guys another way to hide where visitors can be taken first.’” (www.slashdot.org/index.pl?issue=20070425)

Beyond the problems that currently exist with botnets, the greater nightmare may be that botnet operators acquire legitimate channels, such as Google/DoubleClick, that are trusted sources for millions of users. The profit potential of such a development would constitute a seismic shift in the dynamics of the web and the botnet industry, particularly in countries where the legal and regulatory environment is subject to bribes, lobbying, and other forms of persuasion. We may yet see the day when botnets are a ‘feature’ of the Internet.

Recall my original thesis that botnets are essentially evolving digital organisms.
• 9. They obtain their fuel from gathering data. Yet they are in the end simply byproducts of the people who run them, artifacts of the war between legitimate consumers, businesses and institutions and the hackers and crackers whose interests are intimately tied to their financial and professional goals. Who are these people? What are their motivations? Can we posit a ‘profile’ to help us to defeat them, or at least put up an effective defense?

In an interview with Washington Post computer security blogger Brian Krebs, botnet herder ‘Witlog’ claimed he did it for ‘fun’. Witlog’s specialty was installing adware-serving software. Krebs claimed he was making far in excess of $6000 to $10,000 per month. He built a botnet to 45,000 PCs before botnet hunters from the volunteer group Shadowserver caused his ISP to drop him. Witlog registered a new bot control channel (Witlog.net this time instead of Witlog.com), and began rebuilding the botnet. He is the modern version of a ‘script kiddy’, a semiskilled hacker who downloads scripts from the Internet and plays with them. It is quite possible that the money he makes is ‘silly money’, and that the motivation is the same as it always has been for this type of hacker: notoriety and the desire for respect from his peer group. It is not for nothing that exploits are commonly said to be ‘in the wild’. (http:blog.washingtonpost/securityfix.2006/03/post.html)

If you’re a woodmouse (or a PC owner), it matters little whether you are eaten by a weasel like Witlog or a puma. Who are the pumas? It is at this juncture that the DNA of attackers changes. In his blog “The Red Tape Chronicles”, Bob Sullivan writes about international gangs of hackers: “The bot network industry has become so profitable, and hijacked computers so valuable, that rival gangs are now fighting over them.” The object of the fight is not physical, but to either take over someone else’s network or knock it off line. Sullivan writes: “When the Storm worm was released in Jan [07], it had a dual function. In addition to its spam functions, Storm-infected computers were instructed to attack web sites run by the rival Russian Warezov gang… The sites had been set up as communications hubs for Warezov-hijacked computers.
• 10. Without them, the zombie computers did not know where to attack.” (http://blog.washingtonpost.com/securityfix/2006/03/post.html) The point is that botnets are now a business. In business, it’s important to advertise yourself as the leader. Sullivan quotes Jose Nazario, a security researcher at Arbor Networks: “A single denial-of-service attack on a gambling website can cost $50,000 a day.” Sullivan puts the number of infected computers at perhaps 100 million, although it is hard to see how anyone could come up with a truly accurate estimate. He claims the top gangs are in Russia, Brazil, and Eastern Europe. Sullivan quotes David Marcus, security research and communications manager at McAfee: “Bot herders are typically young, perhaps 18-25, often only a little bit older than a teenage hacker. They are nearly always men. And they tend to live in an area where traditional, big money computing jobs are hard to find. [The gangs] watch for bright kids and they start them on small tasks, like, ‘Find me 100 passwords and I’ll give you 1000 rubles.’” Marcus said that more aggressive recruitment sometimes involves actually sending recruits to college.

We have, I think, sufficiently demonstrated the nature and scope of the botnet problem. The next logical step is to ask what to do about it. As long as the owners of PCs which are subject to recruitment into botnets are not motivated to take proactive measures, the existence of botnets will be a given. PC owners are affected by spam, of course, as is everyone else on the Internet, but the very ubiquitousness of the phenomenon manifests in a certain resigned attitude. Beyond that, the average user might notice a certain amount of slowdown, and personal data will be compromised, but we can expect no concerted effort by consumers towards preventing their machines from being affected. A great deal of good could come from fostering awareness of the problem, but efforts to raise consciousness about the operation of computers run exactly counter to the intentions of large corporate interests such as Microsoft, who advertise convenience and operating systems that ‘just work’.
The popularity of computer science in the United States has declined markedly since corporations decided that their knowledge assets should be based in cheaper countries such as India and China. Computer science is hard work, and candidates for higher learning see more lucrative employment futures elsewhere. That leaves the ISPs and network administrators, plus the government and the vendors of security products. The ISPs can ban a domain name from their services, but as we have seen in the case of ‘Witlog’, such strictures are easily circumvented. IRC channel administrators are also subject to circumvention. The government (in this country) has chosen to increase penalties after the perpetrators have been caught, if they can be caught. Security product vendors stand to make a great deal of money if they can come up with effective anti-bot products. As an example, McAfee launched a ‘bot-killing system’ in 2006. Techworld reported, “Unlike conventional DDoS systems based on the statistical analysis of traffic, the first layer of the new Advanced Botnet Protection (ABP) intrusion prevention system (IPS) uses a proxy to pass or block packet traffic dependent on whether or not it is ‘complete’.” The system depends on the concept of SYN cookies, which is not a new idea. SYN cookies amount to particular choices of initial TCP sequence numbers by servers: the sequence number itself encodes the half-open connection, so the server need not store it. This defends against SYN flood attacks by avoiding dropping connections as the SYN queue fills up; the server acts as if the queue had been enlarged.

What can the administrator do? Most of the existing approaches are defensive in nature. A bot needs a vulnerability or misconfiguration to exploit. In theory, if there were no vulnerabilities, the entire attack would fail. But much can be done by ensuring that the network is properly patched and configured, and IDSs have signatures to protect against common exploits. The problem is that signatures need to be updated at a dizzying pace to keep up. Another approach is to interrupt communications between botnets and their herders. This can be accomplished by blocking the bots from communicating on the IRC channel.
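A worked SYN cookie, added here as an example that is not from the paper or from the McAfee product it mentions: the server folds the connection's identity into the initial sequence number it sends in the SYN-ACK, then validates the returning ACK with no stored half-open state. The secret key, the MSS table and the 64-second time counter are assumptions following the classic Bernstein layout.

```python
import hmac
import hashlib
import struct

# Secret key for the cookie MAC (constructed for this example; a real server
# would generate its own and rotate it).
SECRET = b"example-syn-cookie-secret"

# MSS values a SYN cookie can encode in its 3-bit field (index into this table).
MSS_TABLE = [536, 1300, 1440, 1460]


def _mac24(saddr, sport, daddr, dport, t):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = struct.pack("!4sH4sHI", saddr, sport, daddr, dport, t)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, sport, daddr, dport, mss, t):
    """Build the ISN for a SYN-ACK instead of queueing the SYN.

    Layout: top 5 bits = t mod 32, next 3 bits = MSS index, low 24 bits = MAC.
    t is a coarse time counter (assumed here to be seconds // 64).
    """
    # Largest table MSS not exceeding what the client offered (index 0 if none).
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((t & 0x1F) << 27) | (mss_idx << 24) | _mac24(saddr, sport, daddr, dport, t)


def check_cookie(saddr, sport, daddr, dport, ack, t_now, max_age=1):
    """Validate the handshake's final ACK using only the packet and the clock.

    Returns the negotiated MSS if the cookie is genuine and at most max_age
    counter ticks old, otherwise None (the ACK is dropped, nothing is freed).
    """
    cookie = (ack - 1) & 0xFFFFFFFF        # the ISN we sent is the client's ACK - 1
    t_bits = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    # Recover the full counter value from its low 5 bits, trying recent ticks.
    for age in range(max_age + 1):
        t = t_now - age
        if t < 0:
            continue
        if (t & 0x1F) == t_bits and _mac24(saddr, sport, daddr, dport, t) == mac:
            return MSS_TABLE[mss_idx]
    return None
```

Because nothing is stored per SYN, a flood of spoofed SYNs costs the server one MAC computation each and no queue slot, which is the "queue acts as if enlarged" effect the text describes.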
A firewall can in some cases block these communications by filtering outgoing traffic, although protocols such as HTTP may be impossible to block without destroying the functionality of the network itself. Covert channels and encrypted data streams may also be hard to detect and stop, although protocol anomalies make it technically possible in some instances. Other solutions such as honeypots are also feasible, but if not properly configured, they can actually be used by an attacker to break into the system. The problem of bots is not technically solvable at this time.

If my thesis about the resemblance of botnet evolution to artificial life evolution is correct, the real problem may not even have arisen yet. In biological life, a plague continues until it becomes inefficient to infect hosts, because there are not enough left to infect, and those who are left have developed natural immunities. It is doubtful that the entire Internet will face extinction because of botnets or their successors, because without the Internet the vector that produces profit for the botnet owners would disappear. At a certain point, therefore, a balance will be struck, with a usable Internet laced with botnets. The question is, how much power will the botnet owners have?
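The egress-filtering idea from the discussion of interrupting bot-to-herder communication, as an added example that is not from the paper or from any product it names: it parses a constructed connection log, flags external IRC servers contacted by several internal hosts (one user's chat client does not produce that fan-in), and emits firewall rules for the flagged servers. The 10.0.0.0/24 internal prefix, the log format, the fan-in threshold and the iptables FORWARD rules are assumptions.

```python
from collections import defaultdict

# Constructed egress connection log (not real traffic):
# timestamp src_ip src_port dst_ip dst_port
SAMPLE_LOG = """\
2007-04-25T10:00:01 10.0.0.12 50112 198.51.100.7 6667
2007-04-25T10:00:03 10.0.0.15 49220 198.51.100.7 6667
2007-04-25T10:00:04 10.0.0.20 51001 203.0.113.9 443
2007-04-25T10:00:07 10.0.0.31 50977 198.51.100.7 6667
2007-04-25T10:00:09 10.0.0.44 52410 198.51.100.7 6697
2007-04-25T10:00:11 10.0.0.12 50113 203.0.113.9 80
2007-04-25T10:00:12 10.0.0.9 50300 192.0.2.50 6667
2007-04-25T10:00:14 10.0.0.9 50301 10.0.0.200 6667
"""

INTERNAL_PREFIX = "10.0.0."                          # monitored network (assumed)
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}    # conventional IRC ports


def parse_line(line):
    """Split one log line into a dict; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    ts, src, _sport, dst, dport = parts
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport)}


def outbound_irc(log_text):
    """Yield records where an internal host reaches an external IRC port."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        internal_src = rec["src"].startswith(INTERNAL_PREFIX)
        external_dst = not rec["dst"].startswith(INTERNAL_PREFIX)
        if internal_src and external_dst and rec["dport"] in IRC_PORTS:
            yield rec


def find_rendezvous(log_text, min_hosts=3):
    """Map each external IRC server to the sorted internal hosts that contacted
    it, keeping only servers with fan-in >= min_hosts (a likely C2 rendezvous)."""
    hosts = defaultdict(set)
    for rec in outbound_irc(log_text):
        hosts[rec["dst"]].add(rec["src"])
    return {dst: sorted(h) for dst, h in hosts.items() if len(h) >= min_hosts}


def egress_block_rules(rendezvous):
    """iptables rules for a forwarding gateway that drop traffic to flagged servers."""
    return [f"iptables -A FORWARD -p tcp -d {dst} -j DROP" for dst in sorted(rendezvous)]
```

As the text notes, port matching only catches bots on standard IRC ports; command traffic tunnelled over HTTP or a covert channel needs content or protocol-anomaly inspection instead.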
References

www.itbsecurity.com/pr/13677
www.wired.com/wired/archive/14.11/botnet_pr.html
http://ddanchev.blogsopt.com/2006/02/war-against-botnets-and-ddos-attack.html
http://en.wikipedia.org/wikiSYN_cookie
www.stanford.edu/~stinson/paper_notes/bots/botnet_tracking.txt
www.ethicalhacker.net/content/view/63/2/
http://blog.washingtonpost.com/securityfix/2006/03/post.html
www.schneier.com/blog/archives/2006/02/froprofit_botne.html
www.theregister.co.uk/2004/10/20/phishing_botnet/print.html
www.enterprisenetworkingpalnet.com/netsecur/article.php/3504801
www.rso.cornell.edu/scitech/archive/94fal/attfe.html
www.honeypot.org/papers/bots
http://redtape.msnbc.com/2007/04/virus_gang_warf.html
Physica D, 75: 239-263, 1994
isc.sans.org/diary.html?storyID=2612
www.sans.org/readingroom/whitepapers/malicious/1279.php
www.slashdot.org/index.pl?issue=20070425