Botnets: Analysis, Detection, and Mitigation


Hamad Binsalleeh (Concordia University, USA)
Copyright: © 2014 | Pages: 20
DOI: 10.4018/978-1-4666-4789-3.ch012


Recent malicious campaigns aim to obtain financial gain through a large pool of compromised hosts, which are called software robots or simply bots. A group of bots, referred to as a botnet, is remotely controllable by a server and can be used for sending spam emails, stealing personal information, and launching DDoS attacks. The growing popularity of botnets compels defenders to find proper countermeasures, but existing defense mechanisms hardly keep up with the speed of botnet technologies. Bots constantly and automatically change their signatures to successfully avoid detection. Therefore, it is necessary to analyze the weaknesses of existing defense mechanisms to find the gap and then design a new framework for botnet detection that integrates effective approaches. To get a deep insight into the inner workings of botnets and to understand their architecture, the authors analyze some sophisticated sample botnets. In this chapter, they propose a comprehensive botnet analysis and reporting framework that is based on a sound theoretical background.
Chapter Preview

1. Introduction

The tremendous growth in the use of Internet technologies in different walks of life has molded the living habits of most people. The traditional ways of trading and marketing, training and education, communication and broadcasting are being replaced by innovative Web-based applications and online systems. However, the same Internet applications are abused by perpetrators and hackers for committing different kinds of crimes, including spamming, phishing, drug trafficking, cyber bullying, child pornography, and distributed denial of service (DDoS) attacks. In the majority of Internet-mediated cybercrimes, the victimization tactics used vary from simple anonymity to identity theft and impersonation. Therefore, Internet security has become the focus of most research studies during the last couple of decades.

Malicious software, including viruses, worms, spyware, Trojan horses, and botnets, is considered the vehicle for different kinds of Internet attacks. Such malware has risen to become the primary source of most scanning (Staniford, Hoagland, & McAlerney, 2002), DDoS attacks (D. Moore, Shannon, Brown, Voelker, & Savage, 2006), direct attacks (Anagnostakis et al., 2005), and fraudulent activities (Evan, Farnam, & Danny, 2005; Lee, 2008; Ramachandran & Feamster, 2006) over the Internet. To avoid being detected, most Internet malware evolves in its form and properties, e.g., from worms to botnets. Recent studies indicate that botnets have proved to be the primary 'platform' (Lee, 2008) on which cyber criminals create global cooperative networks that are instrumental in most cybercriminal attacks. Although the existence of botnets has been known for a long time, the recent growth in botnet-mediated cybercrimes has attracted the attention of the mainstream Internet communities.

Unlike worms, which are arguably fun-oriented, botnets are truly profit-oriented. Due to the development of smarter botnets and the lack of efficient detection mechanisms, botmasters are controlling a good portion of the Internet's resources. In early 2007, Vint Cerf, 'the father of the Internet', speculated that up to one quarter of all the computers connected to the Internet are believed to participate in botnet-related activities (Weber, 2007). The alarming increase in both the power of botnets and their infectious effects has turned botnets into the biggest threat to Internet security (Lee, 2008). Currently, botnets are the root cause of many Internet attacks and malicious activities (Paul Bächer, 2008; Evan et al., 2005; Ramachandran & Feamster, 2006), as listed below:
