Compilation of Botnet Attack Investigation Plan and Proposals for Solutions
Abstract:
With the rapid growth of social networking services and the diversification of social engineering attacks, a new age of information has begun in which training everyone who uses digital services, whether for personal use or for office work, has become compulsory. Users need to be careful when they encounter misinformation or propaganda, whether it is against or in favor of an entity (a person or a business organization), and to judge it as possible misinformation. Since botnets are promoting a skeptical society over the internet, mainly on social media platforms, I take account of the social network characteristics and human dynamics that help distinguish a real human profile from a bot profile, summarize how botnet attacks that involve social engineering tactics unfold, and then propose defensive measures for anticipating the threat of a botnet attack, which can help investigators or defenders mitigate it effectively.
Introduction:
This article discusses a roadmap for investigating botnet attacks that use social engineering against a specific group of people or community, together with the solutions and methodologies available to defend against such attacks. It also looks at the motivation of the attackers who are the key players behind these attacks, that is, what stimulates them to conduct or take part in them. Taken together, bots give outsiders a large attack surface for harvesting information and committing various crimes; understanding this aggregate problem and developing means to respond to it is a pressing need in current internet security [1].
Botnets (often called the engines of cybercrime) are networks of compromised computers used for nefarious purposes, and they are a major source of problems in modern internet security. They are significant contributors to malicious and criminal activity on the internet. The word botnet is derived from the two words "robot" and "network", and a bot can be thought of as a specialized robot on the internet built for specialized tasks. Botnets are a major source of internet-scale problems including host scans, exploit attacks and spam, and they are also a common tool for conducting DDoS (Distributed Denial of Service) attacks because of the immense aggregate bandwidth they command [1].
Several antivirus companies and security vendors have taken an interest in tracking botnets in order to discover new malware samples that might otherwise remain unseen for some time. Botnet operations and the features built into bots have been studied because bots have a rich command syntax, and bot-infected hosts are often the victims of many other kinds of malware installations, including spyware, rootkits, adware and other software installed through the bot's download facilities. Because of the rich feature set of botnet programs, different types of bots can be built for different tasks, by criminals and by investigators alike: IRC (Internet Relay Chat) bots from the criminal's perspective, for example, and tracking bots such as bladerunner from the investigator's point of view [1].
I provide more detail on each of these points in the later sections of this article.
What is a Botnet:
A botnet, i.e. a bot network (also known as a zombie army), is a network made up of a large number of computers that have been hijacked by malware to serve the whims of the attacker who unleashed it. By taking control of hundreds or thousands of computers, a single operator commands their combined resources, which is why botnets are considered one of the biggest online threats today [5].
How Botnets Work (An overview of botnets in the world of social media):
Botnets also operate on social media platforms, where they trick a brand's customers by applying social manipulation while posting, commenting, liking and sharing, passing fake profiles off as real ones and fooling businesses into partnering with low-profile "influencers" that are in fact bots. This shifts public attention away from a brand's ongoing marketing campaigns towards nonsense spam, damages the reputation of the brand and distorts its social media analytics [5].
Bots can also play a significant role in influencing electoral processes in different countries by running false campaigns on social media to obtain political gain or sympathy. One frequently cited example is the involvement of Russian bots in manipulating the 2016 United States presidential race, including the fabrication of 6.1 million Twitter followers for Donald Trump. The most alarming aspect of this botnet activity is how good it is: it looks legitimate to the untrained, and even the semi-trained, eye. Botnets are well suited to creating and maintaining myriad Twitter accounts and to using social engineering tactics to assemble vast followings. Once these seed accounts are well established, the initial propaganda tweets can rapidly gain significant exposure, and it is easy to see how dangerous this can be in making right look wrong and vice versa [5].
Victims Perspective:
A classic bot is simply an infected computer. Botnets are also becoming a larger part of cultural discussions around cyber security: Facebook's fake ad controversy and the Twitter bot fiasco during the 2016 presidential election have worried many politicians and citizens about the disruptive potential of botnets. Published studies from MIT have concluded that social media bots and automated accounts play a major role in spreading fake news. Aside from being tools for influencing elections and mining cryptocurrencies, botnets are dangerous to corporations and consumers because they are used to deploy malware, launch attacks on websites, steal personal information and defraud advertisers [4].
Motivation of Potential Adversaries Behind Botnet Attacks:
A social networking service (SNS) is an online service, platform or site that focuses on building and reflecting social networks or social relations among people. More and more internet users engage in social activities through a variety of such services, such as Facebook, Twitter, Gmail and Tencent QQ. Assortative mixing, high clustering, short average path length and a scale-free degree distribution are the essential characteristics of social networks. Through social networks, botmasters can make use of social engineering attacks (SEA), an increasingly common vector for propagating malicious programs, to spread bot programs and construct practical, highly infectious botnets more easily. Botmasters use SEA-driven spam to achieve two objectives: capturing more bots to extend the size of their botnets, and seeking profit, which gives rise to an underground economy [5].
Botnet Attack Investigation Plan and Methodologies followed by an Investigator:
Before beginning any botnet detection investigation, the investigator should have a clear set of goals that they wish to achieve. The goals of tracking one or more botnets can be loosely grouped into four categories [1].
Malware sample collection:
Several antivirus companies and security vendors track botnets in order to discover new malware samples that might otherwise remain unseen for some time. This approach makes sense when the goal is to protect a customer, and it is similar to a field biologist collecting specimens for a catalog. Botnet tracking is often complementary to honeypot use, where new malware samples, including bots and Trojans, are collected and analyzed. These are standard techniques in the malware analysis community, and active botnet monitoring techniques extend this approach. Together with automated analysis tools such as sandboxes, new samples can be gathered and analyzed quickly with little human intervention [1].
Study of people behind botnet:
Profiling the people behind a botnet makes tracking more labor intensive: it requires a human analyst to study the logs and interact with the botnet managers. In this scenario the investigator wants to build a personality profile in order to discover the attacker's means, as well as a threat estimate based on the knowledge and skills the attackers possess [1].
Forensic conduct of actions:
Botnets can yield a huge amount of forensic information about attacks such as identity theft, spam and distributed denial of service. The goal of the Arbor botnet tracking project is primarily to gather direct observations from the sources of many DDoS attacks, which can then be used in traceback and response [1].
Creation of Honeypots:
A honeypot is an intentionally vulnerable resource deployed in a network with the aim of soliciting attacks, or even compromise, by a malicious entity. The main reason for researching and developing honeypots is to discover new information about the practices and strategies used by malware authors and attackers [6].
Four-Dimensional Analysis of the Attack Plan:
Ethical effects:
A major problem in dealing with botnet attacks arises when defenders create and launch honeypots and wait for connections from the zombie machines, because in some territories the law intervenes: in the United States, for example, the law forbids unauthorized access to anyone's computer, and that includes the zombies. Counter-hacking also raises ethical questions because of the chance of inadvertently damaging the systems of unknowing third parties, so it is necessary to respond to the problem in a lawful way [1].
Psychological effects:
Botnet attacks can influence the psychology of people, and attackers exploit this deliberately, for example by advertising bad products over the internet or promoting bad politicians as good people. The reason this psychological impact works is that most people are unaware that the profiles and pages they see on different websites and media platforms are not actual humans but bots that are leading people the wrong way [2].
Social effects:
Online social networks are increasingly threatened by social bots, software-controlled accounts that mimic human behavior with malicious intent. Various attacks based on social bots have been reported: about 8% of messages sent via social pages are spam, and social bots are used for political astroturfing and for spreading fake news to attract people's attention and mislead them [6].
Legal Aspects:
The extent of the legal complications becomes clear once a botnet infection is known or suspected: packet inspection, for example, should monitor the traffic and not the content of messages, so as not to breach that part of the European data protection laws. Any individuals or companies involved in botnet infiltration should seek "appropriate legal advice" beforehand [1].
Evaluating the Success of the Investigation:
The first step in measuring the prevalence of botnets is to identify the relevant factors and scale and to determine a ranking. A trivial way to measure the prevalence of a given botnet is simple: the bigger the botnet, the more prevalent it is. If a social botnet has many infected hosts it can create more profiles and do more damage, and the same applies to any other malicious activity the malware carries out, such as DDoS, data theft or encryption of personal data [6].
Botnet size has been the subject of investigation many times. Sizes are difficult to measure from the outside; for a centralized botnet, the most accurate count of zombies is obtained by taking over its central command-and-control server.
Methodology:
The referenced table lists each source, its network size and the share of infections for which the top ten botnet malware families of 2013 account. For example, in the Twitter report for 2013 the top ten malware families were responsible for 40% of all infections, as reported by 350 million clients, servers and gateway systems [7].
To correlate this data we chose a simple approach: count the number of lists in which a specific malware occurs and divide that by its average position across those lists. The result is the rating used to determine the final position [7].
rating = (number of lists the malware is present in) / (average position in those lists)
For example, Malware A appears in three of seven lists: at position two in list one, position one in list two and position three in list three. Its average position is (2+1+3)/3 = 2, so its rating is 3/2 = 1.5. Computing the rating for every malware in this way, we create the final list by sorting by rating, highest first, because a malware that appears in more lists, and nearer the top of each, gets a higher rating and is therefore more prevalent. After removing all entries that are not known to be botnets, we can estimate the type and behavior of the attacks and take legal counter-actions against them [7].
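The rating procedure above, carried through as an added example (this code is not from the original article or from any of the cited reports). The seven lists, the malware names and the set of known botnets are constructed placeholders; the function `rank_botnets` applies the formula to every entry, drops the non-botnets and orders the rest by rating, highest first.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample input: seven hypothetical "top malware" lists, each in
# rank order (index 0 is position 1). The names are placeholders, not real
# malware families, and the lists are not taken from any real report.
SAMPLE_LISTS: Dict[str, List[str]] = {
    "list_1": ["MalwareB", "MalwareA", "MalwareD"],
    "list_2": ["MalwareA", "MalwareB"],
    "list_3": ["MalwareC", "MalwareB", "MalwareA"],
    "list_4": ["MalwareB", "MalwareC"],
    "list_5": ["MalwareD", "MalwareC"],
    "list_6": ["MalwareB"],
    "list_7": ["MalwareC", "MalwareD"],
}

# Constructed: the families the investigator already knows to be botnets.
# MalwareD is assumed to be non-botnet malware and is removed at the end.
KNOWN_BOTNETS: Set[str] = {"MalwareA", "MalwareB", "MalwareC"}


def collect_positions(lists: Dict[str, List[str]]) -> Dict[str, List[int]]:
    """Map each malware name to its 1-based positions in every list it appears in."""
    positions: Dict[str, List[int]] = defaultdict(list)
    for ranked in lists.values():
        for pos, name in enumerate(ranked, start=1):
            positions[name].append(pos)
    return dict(positions)


def rating(positions: List[int]) -> float:
    """rating = (number of lists present in) / (average position in those lists)."""
    present = len(positions)
    average_position = sum(positions) / present
    return present / average_position


def rank_botnets(lists: Dict[str, List[str]], known_botnets: Set[str]) -> List[Tuple[str, float]]:
    """Rate every malware, drop entries not known to be botnets, order by prevalence."""
    ratings = {name: rating(pos) for name, pos in collect_positions(lists).items()}
    botnets = [(name, r) for name, r in ratings.items() if name in known_botnets]
    # Highest rating first (more lists, nearer the top of each); ties are broken
    # by name so the output order is deterministic.
    return sorted(botnets, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    # Malware A: present in 3 lists at positions 2, 1, 3 -> 3 / 2 = 1.5
    for name, r in rank_botnets(SAMPLE_LISTS, KNOWN_BOTNETS):
        print(f"{name}: {r:.3f}")
```

Note that a malware that tops a single list (rating 1/1 = 1.0) ranks below one that is second in three lists (rating 3/2 = 1.5); the formula deliberately rewards agreement between sources over a high position in one of them.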
Defense Strategies:
Various solutions exist to detect and prevent botnet attacks. Organizations can train their employees and raise their awareness of cyber security attacks that involve social engineering, whether through physical manipulation of an employee or an online scam. There are also many companies that offer tools and services, such as Avast antivirus, McAfee Trojan detection, Cisco firewalls, bladerunner and RioRey's DDoS mitigation, among others. These tools are capable of detecting, preventing and tracking botnets, and the list is far from exhaustive [8].
Techniques and services to use for bullet-proofing:
DNS-based Detection:
DNS-based detection techniques rely on the particular DNS traffic that a botnet generates, for example when bots look up the domain name of their C&C server. It is therefore possible to detect botnet DNS traffic by monitoring DNS and looking for anomalies in it [4].
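An added example of DNS monitoring for the anomalies just described, run over a constructed resolver log (this is illustrative code, not from the article or from [4], and the log lines, client addresses and domain names are invented). Two indicators are checked, both assumptions of this example rather than rules stated on the page: a client whose lookups fail with NXDOMAIN far more often than normal (a bot cycling through algorithmically generated names), and a non-existent name that several distinct clients all look up (a group of bots polling a dead or not-yet-registered C&C domain). The thresholds are placeholders to be tuned against a real baseline.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Constructed sample resolver log, one query per line: "time client qname rcode".
# Clients, names and results are invented for this example.
SAMPLE_DNS_LOG = """\
10:00:01 10.0.0.5 mail.example.com NOERROR
10:00:02 10.0.0.5 www.example.com NOERROR
10:00:03 10.0.0.5 cdn.example.net NOERROR
10:00:04 10.0.0.5 sso.example.org NOERROR
10:00:01 10.0.0.9 q7ka1mzx.biz NXDOMAIN
10:00:01 10.0.0.9 zp9lqcwe.info NXDOMAIN
10:00:02 10.0.0.9 ttq2mnwe.net NXDOMAIN
10:00:02 10.0.0.9 c2-fallback.xyz NXDOMAIN
10:00:03 10.0.0.9 update-srv.top NOERROR
10:00:05 10.0.0.12 c2-fallback.xyz NXDOMAIN
10:00:06 10.0.0.12 www.example.com NOERROR
10:00:07 10.0.0.20 c2-fallback.xyz NXDOMAIN
10:00:08 10.0.0.20 cdn.example.net NOERROR
10:00:09 10.0.0.20 mail.example.com NOERROR
"""

# Assumed thresholds for this example; tune them against your own baseline.
MIN_QUERIES = 5          # ignore clients with too few queries to judge
NXDOMAIN_RATIO = 0.5     # share of failed lookups considered abnormal
MIN_GROUP_CLIENTS = 3    # distinct clients polling the same dead name


class DnsQuery(NamedTuple):
    time: str
    client: str
    qname: str
    rcode: str


def parse_dns_log(text: str) -> List[DnsQuery]:
    """Parse the whitespace-separated format above, skipping blank or malformed lines."""
    queries: List[DnsQuery] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        queries.append(DnsQuery(*fields))
    return queries


def nxdomain_suspects(queries: List[DnsQuery]) -> Dict[str, float]:
    """Clients whose share of NXDOMAIN answers is abnormally high, with that share."""
    total: Dict[str, int] = defaultdict(int)
    failed: Dict[str, int] = defaultdict(int)
    for q in queries:
        total[q.client] += 1
        if q.rcode == "NXDOMAIN":
            failed[q.client] += 1
    return {
        client: failed[client] / n
        for client, n in total.items()
        if n >= MIN_QUERIES and failed[client] / n >= NXDOMAIN_RATIO
    }


def group_lookup_suspects(queries: List[DnsQuery]) -> Dict[str, Set[str]]:
    """Names that do not resolve yet are looked up by several distinct clients."""
    clients_by_name: Dict[str, Set[str]] = defaultdict(set)
    for q in queries:
        if q.rcode == "NXDOMAIN":
            clients_by_name[q.qname].add(q.client)
    return {name: c for name, c in clients_by_name.items() if len(c) >= MIN_GROUP_CLIENTS}


if __name__ == "__main__":
    queries = parse_dns_log(SAMPLE_DNS_LOG)
    print("high NXDOMAIN ratio:", nxdomain_suspects(queries))
    print("group lookups of dead names:", group_lookup_suspects(queries))
```

In the sample, only 10.0.0.9 trips the ratio check (4 of 5 lookups fail), while the second check also pulls in 10.0.0.12 and 10.0.0.20, which each made too few queries to judge on their own but share the dead name with 10.0.0.9; correlating across clients is what turns a single noisy host into a candidate botnet.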
Anomaly-based Detection:
Anomaly-based detection techniques attempt to detect botnets from network traffic anomalies such as high network latency, high volumes of traffic, traffic on unusual ports and unusual system behavior, any of which could indicate the presence of malicious bots in the network [4].
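An added example of two of the anomaly checks listed above, traffic volume and unusual ports, applied to constructed outbound flow records (illustrative code, not from the article or from [4]; the hosts, ports and byte counts are invented and the documentation address ranges are used). The set of expected ports and the volume factor are assumptions of this example. The volume baseline is the median of the per-host totals rather than the mean, so that the one host sending a flood does not raise the baseline and hide itself.

```python
from collections import defaultdict
from statistics import median
from typing import Dict, List, NamedTuple

# Constructed sample of outbound flow records "src dst dport bytes"; hosts,
# ports and byte counts are invented for this example.
SAMPLE_FLOWS = """\
10.0.0.5 198.51.100.10 443 120000
10.0.0.5 198.51.100.11 80 30000
10.0.0.6 198.51.100.10 443 90000
10.0.0.6 198.51.100.20 53 2000
10.0.0.7 198.51.100.12 443 200000
10.0.0.8 198.51.100.10 443 110000
10.0.0.9 203.0.113.7 6667 4000
10.0.0.9 203.0.113.9 80 5000000
"""

# Assumed policy for this example: the outbound ports this segment is expected
# to use, and how far above the median per-host volume counts as anomalous.
EXPECTED_PORTS = {53, 80, 443}
VOLUME_FACTOR = 10


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the whitespace-separated format above, skipping malformed lines."""
    flows: List[Flow] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        src, dst, dport, nbytes = fields
        flows.append(Flow(src, dst, int(dport), int(nbytes)))
    return flows


def unusual_port_flows(flows: List[Flow]) -> List[Flow]:
    """Flows to destination ports outside the expected set (e.g. IRC C&C on 6667)."""
    return [f for f in flows if f.dport not in EXPECTED_PORTS]


def high_volume_hosts(flows: List[Flow]) -> Dict[str, int]:
    """Hosts whose total outbound bytes exceed VOLUME_FACTOR times the median host."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        totals[f.src] += f.nbytes
    # Median, not mean: a single flooding host would drag the mean up with it.
    baseline = median(totals.values())
    return {host: total for host, total in totals.items() if total > VOLUME_FACTOR * baseline}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in unusual_port_flows(flows):
        print(f"unusual port: {f.src} -> {f.dst}:{f.dport}")
    for host, total in high_volume_hosts(flows).items():
        print(f"high volume: {host} sent {total} bytes")
```

With these numbers the median per-host total is 150,000 bytes, so the threshold is 1.5 MB and 10.0.0.9 (about 5 MB) is flagged; had the mean been used as the baseline (about 1.1 MB, threshold 11 MB) the same host would have passed unnoticed.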
Signature-based Detection:
Knowledge of the signatures and behavior of existing botnets is useful for botnet detection. For example, Snort is an open source intrusion detection system (IDS) that monitors network traffic for signs of intrusion by matching it against a rule set. The limitation of this approach is that it can only recognize botnets whose signatures are already known [4].
Mining-based Detection:
One effective technique for botnet detection is to identify botnet C&C traffic. However, C&C traffic is difficult to detect: since botnets use normal protocols for C&C communication, the traffic resembles normal traffic. Mining-based techniques therefore apply data mining methods such as classification and clustering of traffic features to separate C&C flows from the background [4].
Monitoring Logs:
Monitor server logs and activity across the network, and dig into the logs in detail, with the help of a log management package such as SolarWinds Security Event Manager [6].
Conclusion:
In conclusion, botnets pose a significant and growing threat to cyber security, as they provide a key platform for many cybercrimes such as Distributed Denial of Service (DDoS) attacks against critical targets, malware dissemination, fake news on social networks, phishing and click fraud. This article has discussed investigation approaches, including forensic methods, and then the defense strategies that can usefully be followed. Despite the long presence of malicious botnets, solving the botnet problem remains a very difficult task, and the evaluation criteria depend largely on the goals. Internet service providers, as well as registrars and DNS service providers, need to be more proactive and responsive [4].
References:
[1] Zhu, Zhaosheng, Guohan Lu, Yan Chen, Zhi Judy Fu, Phil Roberts, and Keesook Han. “Botnet research survey.” In 2008 32nd Annual IEEE International Computer Software and Applications Conference, pp. 967–972. IEEE, 2008.
[2] Piskozub, Michal, Riccardo Spolaor, and Ivan Martinovic. “MalAlert: Detecting Malware in Large-Scale Network Traffic Using Statistical Features.” ACM SIGMETRICS Performance Evaluation Review 46, no. 3 (2019): 151–154.
[3] Nazario, Jose. “Botnet tracking: Tools, techniques, and lessons learned.” Black Hat (2007).
[4] Feily, Maryam, Alireza Shahrestani, and Sureswaran Ramadass. “A survey of botnet and botnet detection.” In 2009 Third International Conference on Emerging Security Information, Systems and Technologies, pp. 268–273. IEEE, 2009.
[5] Abraham, Sherly, and InduShobha Chengalur-Smith. "An overview of social engineering malware: Trends, tactics, and implications." Technology in Society 32, no. 3 (2010): 183–196.
[6] Wainwright, Polly, and Houssain Kettani. “An Analysis of Botnet Models.” In Proceedings of the 2019 3rd International Conference on Compute and Data Analysis, pp. 116–121. ACM, 2019.
[7] Singh, Manmeet, Maninder Singh, and Sanmeet Kaur. “Issues and Challenges in DNS based Botnet Detection: A Survey.” Computers & Security (2019).
[8] Bijalwan, Anchit, Meenakshi Thapaliyal, Emmanuel S. Pilli, and R.C. Joshi. International Journal of Computer Applications 75, no. 7 (August 2013): 43.