6th European Conference - Academic Conferences
2.2 Attack vector
Ivan Burke and Renier van Heerden
Botnets are usually goal orientated. For the most part their goal is either profit or service disruption. There are several means of achieving these goals using botnets. In this Section, we discuss some attacks commonly used by Botnets.
2.2.1 Distributed denial of service attack
Due to Botnet size and the distributed nature of Botnets, Distributed Denial of Service (DDoS) attacks are a popular form of attack (Felix et al., 2005). In this attack the Botherder issues a command to all its subordinate Bots to connect to a targeted system at the same time. The targeted system usually cannot handle the sudden influx of requests, which causes system services to be temporarily disrupted. Botherders rent out this service to competitors to disrupt a competitor's services (Kiefer, 2004).
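The defining feature of the attack above is that the load arrives from many sources at once, so a per-client rate limit does not catch it. The following Python is an added illustration, not code from the paper: it runs a simple window-based flood check over a constructed, simplified request log (the log format, addresses and thresholds are assumptions) and separates a distributed burst from a single noisy client.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log format for this example (not a real server format):
# "<client-ip> <ISO-8601 timestamp> <request path>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def constructed_log():
    """Synthetic sample: quiet background traffic, then a 10-second burst in
    which 60 distinct clients all request the same page at once (the pattern
    described in 2.2.1), then a burst of 80 requests from a single client."""
    lines = [f"10.0.0.{i % 4 + 1} 2011-07-07T12:00:{i * 3:02d} /index.html"
             for i in range(20)]
    for i in range(1, 61):                 # distributed burst: 60 sources, 2 hits each
        for sec in (10, 11):
            lines.append(f"203.0.113.{i} 2011-07-07T12:01:{sec} /login")
    lines += ["198.51.100.7 2011-07-07T12:02:05 /login"] * 80   # one noisy client
    return lines


def parse_line(line):
    """Return (ip, epoch_seconds, path) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, path = m.groups()
    epoch = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp()
    return ip, int(epoch), path


def find_floods(lines, window=10, rate_threshold=50, min_sources=20):
    """Bucket requests into fixed-size windows and flag windows whose request
    count exceeds rate_threshold. A window fed by at least min_sources distinct
    clients is labelled 'distributed' (blocking one address will not help);
    anything else is 'single-source', which a per-client limit could absorb."""
    buckets = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, epoch, _ = parsed
            buckets[epoch // window * window].append(ip)
    alerts = []
    for start in sorted(buckets):
        ips = buckets[start]
        if len(ips) > rate_threshold:
            sources = len(set(ips))
            label = "distributed" if sources >= min_sources else "single-source"
            when = datetime.fromtimestamp(start, timezone.utc).strftime("%H:%M:%S")
            alerts.append({"window_start": when, "requests": len(ips),
                           "sources": sources, "label": label})
    return alerts


if __name__ == "__main__":
    for alert in find_floods(constructed_log()):
        print(alert)
```

On the constructed sample the check reports one distributed window (120 requests from 60 sources) and one single-source window (80 requests from one client); the background traffic is not flagged.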
2.2.2 Spam relay
The first generation of Botnets were reliant on email to spread and infect various hosts. Botnets would open a SOCKS v4/v5 proxy on compromised machines, allowing them to send spam at the request of the Botherder. Botnets also harvested email addresses from infected hosts to add to their spam lists (Engate, 2009).
2.2.3 Data harvesting
Botnets report valuable system information back to Botherders. This information can include keystroke logs, system vulnerabilities, service availability on the host machine, open port data and network traffic. Botherders collect and collate this data to retrieve data such as user names and passwords, which could be used for mass identity theft. Botnets scan for system weaknesses that could possibly be exploited at a later stage if the Botnet's functionality is compromised in future. By sniffing network traffic, Botnets could become aware of rival Botnets infecting host PCs and disrupt the functionality of these rival Botnets.
2.2.4 Ad serve abuse
Botnets can be utilized for monetary gain. Botnets can be used to exploit the Pay Per Click or Impression Based internet advertising models. By forcing infected machines onto ad serving sites or using iFrames to fool users into clicking on advertisements, Botherders can generate revenue from marketing companies.
Botherders infect host PCs with browser add-ons, Browser Helper Objects (BHO), or browser extensions which alter the user's browser interaction to redirect them to ad serving sites, or simply generate browser requests to ad serving sites automatically. These add-ons can serve a dual purpose, as they can also collect user data from the browser and relay it to the Botherder.
2.3 Viral capability
One of the great strengths of a Botnet is its sheer size. This is also what makes Botnets so tough to take down. Hence it is essential for a Botnet to spread fast and to vastly distributed systems.
The first generation of Botnets were primarily reliant on email and malicious page redirects to spread. Modern Botnets such as Asprox, Koobface, Zhelatin and Kreios C2 spread via social media (Denis, 2008) (Eston, 2010). The Botnet posts content on users' social network sites which infects any user that follows the malicious links. Some Botnets have been known to hide within popular trusted applications. Trojans drop malicious code in trusted address spaces and exploit weaknesses in the host PC to compromise it and make it part of the Botnet network.
2.4 Stealth component
Botnets are only useful as long as they are not detected. Hence stealth is a fundamental requirement for all Botnets.
It is the opinion of the researchers that stealth is required in each of the components previously identified in this section. If communications are noisy, an infected host might become aware of malicious