What Is a Botnet?
What makes a botnet a botnet? In particular, how do you distinguish a botnet client from just another hacker break-in? First, the clients in a botnet must be able to take actions on the client without the hacker having to log into the client's operating system (Windows, UNIX, or Mac OS). Second, many clients must be able to act in a coordinated fashion to accomplish a common goal with little or no intervention from the hacker. If a collection of computers meets both of these criteria, it is a botnet.
A botnet is the melding of many threats into one. The typical botnet consists of a bot server (usually an IRC server) and one or more botclients (refer to Figure 1.2). Botnets with hundreds or a few thousand botclients (called zombies or drones) are considered small botnets. In this typical botnet, the botherder communicates with botclients using an IRC channel on a remote command and control (C&C) server. In step 1, the new botclient joins a predesignated IRC channel on an IRC server and listens for commands. In step 2, the botherder sends a message to the IRC server for each client to retrieve. In step 3, the clients retrieve the commands via the IRC channel and perform the commands. In step 4, the botclients perform the commands—in the case of Figure 1.2, to conduct a DDoS attack against a specified target. In step 5, the botclient reports the results of executing the command.
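The two defining traits above (a shared rendezvous point and coordinated action after one command) are also what a defender can look for in network logs. The following Python is an added example, not code from the book: it scans constructed IRC-style events (hosts, servers, channels and event names are all made up) for many internal hosts joining the same channel on one external server, then reacting in unison shortly after a single channel message.

```python
"""Flag the rendezvous-and-fan-out signature of an IRC-controlled botnet:
many internal hosts join one channel on one external server (step 1), a
single channel message arrives (steps 2-3), and the members act together
within seconds (step 4). All data below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events reconstructed from monitoring, NOT real traffic:
# (timestamp, internal host, server, channel, event)
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:00", "10.0.0.11", "198.51.100.7:6667", "#x1", "JOIN"),
    ("2024-01-01T09:00:02", "10.0.0.12", "198.51.100.7:6667", "#x1", "JOIN"),
    ("2024-01-01T09:00:05", "10.0.0.13", "198.51.100.7:6667", "#x1", "JOIN"),
    ("2024-01-01T09:01:00", "10.0.0.20", "irc.example.org:6667", "#chat", "JOIN"),
    ("2024-01-01T09:05:00", "server", "198.51.100.7:6667", "#x1", "PRIVMSG"),
    ("2024-01-01T09:05:03", "10.0.0.11", "198.51.100.7:6667", "#x1", "OUTBOUND_BURST"),
    ("2024-01-01T09:05:04", "10.0.0.12", "198.51.100.7:6667", "#x1", "OUTBOUND_BURST"),
    ("2024-01-01T09:05:06", "10.0.0.13", "198.51.100.7:6667", "#x1", "OUTBOUND_BURST"),
]


def rendezvous_channels(events, min_hosts=3):
    """Return {(server, channel): hosts} for channels joined by at least
    min_hosts distinct internal hosts; a normal chat channel with one
    user from the network does not qualify."""
    joined = defaultdict(set)
    for _, host, server, channel, ev in events:
        if ev == "JOIN":
            joined[(server, channel)].add(host)
    return {k: v for k, v in joined.items() if len(v) >= min_hosts}


def coordinated_reactions(events, suspects, window=timedelta(seconds=30), min_hosts=3):
    """For each suspect channel, report every channel message that is
    followed within `window` by activity from >= min_hosts of its members.
    Returns a list of (channel_key, message_time, sorted reacting hosts)."""
    hits = []
    for key, members in suspects.items():
        chan = [e for e in events if (e[2], e[3]) == key]
        for t, _, _, _, ev in chan:
            if ev != "PRIVMSG":
                continue
            t0 = datetime.fromisoformat(t)
            reacting = {h for tt, h, _, _, e2 in chan
                        if h in members and e2 not in ("JOIN", "PRIVMSG")
                        and t0 <= datetime.fromisoformat(tt) <= t0 + window}
            if len(reacting) >= min_hosts:
                hits.append((key, t, sorted(reacting)))
    return hits


if __name__ == "__main__":
    suspects = rendezvous_channels(SAMPLE_EVENTS)
    for key, when, hosts in coordinated_reactions(SAMPLE_EVENTS, suspects):
        print(f"possible C&C {key}: message at {when}, {len(hosts)} hosts reacted")
```

Thresholds and the 30-second window are tuning knobs; in practice you would feed the same two checks with IRC or flow events from your own sensors.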
This arrangement is pleasing to hackers because the computer performing the actions isn't their computer and even the IRC relay isn't on their computer. To stop the botnet the investigator has to backtrack from a client to an IRC server to the hackers. The hacker can add another layer of complexity by sending all commands to the IRC channel through an obfuscating proxy and probably through a series of multiple hops, using a tool like Tor (http://tor.eff.org/download.html.en). Having at least one of these elements in another country also raises the difficulty of the investigation. If the investigator is charged with protecting one or more of the botnet clients, they will usually stop the investigation once they realize the individual damage to their enterprise is low, at least too low to justify a complex investigation involving foreign law enforcement. Add to this the fact that some botnet codebases include commands to erase evidence, commands to encrypt traffic, and even polymorphic stealth techniques, and it's easy to see why hackers like this kind of tool.
Modern botnets are being fielded that are organized like real armies, with divisions of zombies controlled by different bot servers. The botherder controls a set of bot servers, which in turn each control a division of zombies. That way, if a communications channel is disrupted, only one division is lost. The other zombie divisions can be used to retaliate or to continue to conduct business.