Know everything about botnets!!!
NOTE: This is for education purpose onlyWhat is a botnet ?
What are botnets made for ?
How does a hacker monetize/profit from them ?
Where do hackers host them ?
Known DDoS Bots ?
How do cyber criminals get away with them ?
How do people get so many “bots/installs” ?
Type of botnets?
What are honeypots ?
- What is a botnet ?
A botnet is a network of compromised computers, we call them zombies. The bot master can control all the computers using his command & control server where he can initiate various commands. He usually controls them via standards-based network protocols such as IRC and http. Most bot masters use IRC since its much more secure, but some more experienced persons prefer HTTP since its easier to control and manage. Furthermore, IRC botnets have their kill switch in them and can be easily traced by law agencies. There have been flooding of newer P2P model botnet, which do not require command and control server. But it has its own limitations!!!
2. What are botnets made for ?
There are several purposes. Some people want to earn money, and they usually make a living by either coding them or using them to send spam,steal information, etc. Other people want to simply prove that they can, and brag about there abilities. They are made to either steal financial information, such as bank accounts, credit card details and other sensitive details. They are called banking bots. Some bots only have DDoS functions, used to launch DDoS attacks ( The majority of DDoS bots are HTTP-Based ). People either offer services once again to gain funds, others just do it for “pixels” to gain fame on the internet. Other bots send spam, and I recently noticed some bots that can turn them into socks(quite interesting as demand for socks is quite high). So there’s 2 options, either money or fame. Extend your knowledge in this aspect, I suggest you to visit this:
https://www.f-secure.com/v-descs/articles/botnet.shtml
3. Where do hackers host them ?
It all depends. Say if one just wanted a small net, then one would usually go with an offshore VPS ( shared hosting). The worst countries for hosting botnets are US/UK & Germany as they have very strict laws and vigilant enforcement teams. The best countries for this purpose are probably: China, Taiwan, Iran, Ukraine, Singapore. Russia is slightly on high side, because they also have some strict laws. If the hackers on a budget, then he could always hack a box, and host it there. But it’s quite risky as if one loses the holds over that machine, all the botnets stored on it will become nascent for lifetime. Some users like to go advanced, if one is hosting a large botnet and stealing details there is so called “BulletProof Hosting” which ignores all reports abuse, including DMCA, spamhaus, etc. The only problem with “bulletproof hosting” is the extravagant cost that comes with it, shared hosting goes costs over 800$ at the servers end. That’s really costly !!!!
4. Known DDoS Bots ?
One of the strongest DDoS bot is Dirt Jumer, which is created specifically created to attack websites, methods such as: HTTP GET (Sends GET requests) — harder to block, HTTP POST, Synchronous Flood, Download Flood and an Anti-DDoS flood. The best thing I like about most bots these days is that they have random user agents, and change http headers and pretend to be legitimate traffic, that is really smart from the coders side, but they are usually really unstable, one would rather have a “loader” which is a type of bot which is really stable, which usually hold bots and it can act as a backbone for the DDoS bot, so a hacker would enjoy 2 benefits, stability and power.
5. How do cyber criminals get away with them ?
There are several methods, such as bulletproof hosting, which I already stated, and a common but interesting method which large botnets use it FastFlux, most of you do not know what that is and I suggest you to read. Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures. The Storm Worm is one of the recent malware variants to make use of this technique.
The basic idea behind Fast flux is to have numerous IP addresses associated with a single fully qualified domain name, where the IP addresses are swapped in and out with extremely high frequency, through changing DNS records. Another name for ‘fast flux’ is Dictionary Domain generation algorithms, in which botnets generate millions of domains that looks like pristine domains like catdogmango.com, which seems to be suspicious to humans but computer thinks it to be normal as statistical and heuristical checks do fail to detect it miserably but deep learning and AI are quite good in detecting them.
{ I have written a research paper on how to detect Dictionary DGA by using deep learning approaches, which is in final stages of getting published. So, I’ll share that code and approach with you soon!!!!}
6. Types of botnets ?
DDoS Bots — To initiate DDoS attacks on servers.
Banking Bots — Identity theft. ( Don’t want to go into detail )
Spam Bots — To send out spam.
Socks Bots — To create socks4/socks5 proxies.
BitCoin Bots — To generate a virtual currency called “ BTC “.
Loaders — To hold bots in a stable environment.
7. What are honeypots ?
What is a honeypot, if you consider getting into botnets you should know. If one catches a honeypot, it would probably be some experienced user who wants to trace the botnet, or another hacker who want’s to get into the botnet and steal some bots or a pig. Once a botnet infects a honeypot, the bots will be analyzed and it will be traced. The incoming packets will be sniffed and the central panel could be easily compromised within seconds(mostly). But nowadays there are honeypot-sensitive botnets that could detect almost all types of honeypots, thus honeypots should be hardened a bit(to make it look real) and a honey-net(group of honeypots) should be made rather than a single system honeypot.
