Inevitable Battle Against Botnets

Ibrahim Firat (University of Reading, UK)
DOI: 10.4018/978-1-5225-8976-1.ch005

Abstract

It is undeniable that technology is developing and growing at an unstoppable pace. Technology has become a part of people's daily lives. It has been used for many purposes, but mainly to make human life easier. In addition to being useful, these advancements in technology have some bad consequences. A new kind of malware called the botnet has recently emerged. It is considered to be one of the most important and dangerous cyber security problems, as it is not well understood and evolves quickly. Bots communicating with each other and with their botmaster form a botnet; this is also known as a zombie army. As botnets become popular among cybercriminals, more studies have been done in the botnet detection area. Researchers have developed new detection mechanisms in order to understand and tackle this growing botnet issue. This chapter aims to review the working principles of botnets and of botnet detection mechanisms in order to increase general knowledge about botnets.

Introduction

When it comes to talking about cyber security and its possible consequences, botnet is one of the most common words that comes to the mind of people who are specialised in cybersecurity. Botnets can be considered networks of bots, as they consist of more than one bot working together. Botnets use command and control (C&C) communication channels to talk with the cybercriminal who controls them. During this communication process, bots receive commands from the cybercriminal and then report back to that cybercriminal. This is one of the most distinctive characteristics of botnets and separates them from other malware. Botnets have different architectures, and cybercriminals choose among these architectures depending on their purposes. Cybercriminals have a range of options, from the client-server model to peer-to-peer networks (Botnet, 2018). In general, botmasters try to collect as many devices as possible to increase the strength of the botnet. Through the infection process, botmasters add new devices to their army. Botmasters infect new devices by using viruses, worms, trojan horses and many other malicious techniques. Once a device gets infected by any of the mentioned malicious techniques, it becomes a part of the botnet and can be labelled as a bot. Bots can be any device that cybercriminals can infect, such as computers and smartphones. On the other hand, it is well known that botnet detection is an on-going problem. It is very challenging to detect botnets, as they use small amounts of computing power and they can update their behaviours. They can be very dangerous, as they are capable of carrying out distributed denial-of-service (DDoS) attacks, stealing sensitive data and performing a number of other malicious behaviours. They can cause a range of different and serious problems if they are not successfully detected and neutralized. To be more precise, leakage of sensitive data can lead to conflicts at different levels.

If cybercriminals leak government secrets, this can cause a crisis at a national level. On the other hand, DDoS attacks can make important online services unavailable. For example, if cybercriminals decide to perform DDoS attacks on an online banking system, this can lead to money transaction problems, money fraud and even more serious financial issues. These are only a few of the problems that botnets can cause. Therefore, it is important to detect and understand botnets. This chapter aims to increase knowledge about botnets by giving information about different types of botnets, their uses and their formation. It also aims to explain botnets' working principles, architecture, life-cycle, possible threats, and infection and detection processes.

Key Terms in this Chapter

Botmaster: The botmaster is the cyber-criminal/attacker who owns the botnet and is responsible for its actions. In other words, the botmaster is the person who controls the botnet.

Domain Name System (DNS): The domain name system (DNS) translates domain names into IP addresses so that browsers can locate and load the required content.

Markov Chain: A Markov chain is a sequence of possible events in which the probability of each event depends only on the state reached in the previous event, not on the earlier history.

Peer-to-Peer (P2P) Network: Peer-to-peer (P2P) networks consist of peers that are connected to each other over the internet. Files can be shared between systems, and every computer can act both as a client and as a file server.

Command and Control (C&C) Server: A command and control (C&C) server is used to establish communication with systems that are infected by malware. C&C servers are controlled by the cybercriminals who own that malware. Botnets make use of these C&C servers, and botmasters use them as communication channels to be able to command their botnets.
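The key terms above list the Markov chain alongside the detection topics the chapter reviews. The following Python example is added here and is not code from the chapter: it fits a first-order Markov chain to constructed sequences of per-host connection states (the state labels, the sample sequences and the scoring threshold are all assumptions made for illustration) and flags a sequence whose transitions are improbable under the model. It illustrates, from a detection standpoint, how the "probability depends only on the previous state" property from the definition can be turned into an anomaly score.

```python
from collections import defaultdict
import math

# Constructed sample data (not from the chapter). Each sequence is the order of
# coarse connection states observed for one host over a time window.
STATES = ("dns", "http", "idle", "upload")

BENIGN_SEQUENCES = [
    ["dns", "http", "http", "idle", "dns", "http", "idle", "idle"],
    ["idle", "dns", "http", "http", "http", "idle", "idle", "idle"],
    ["dns", "http", "idle", "idle", "dns", "http", "http", "idle"],
    ["idle", "idle", "dns", "http", "http", "idle", "dns", "http"],
]

# A constructed sequence whose strictly periodic lookup/upload pattern was never
# seen in the benign training data.
SUSPECT_SEQUENCE = ["dns", "upload", "dns", "upload",
                    "dns", "upload", "dns", "upload"]


class MarkovChain:
    """First-order Markov chain over discrete states with additive smoothing.

    The Markov property: P(next state | history) = P(next state | current state),
    so the model only needs counts of (previous, current) state pairs.
    """

    def __init__(self, states, alpha=1.0):
        self.states = list(states)
        self.alpha = alpha                      # Laplace smoothing constant
        self.counts = defaultdict(lambda: defaultdict(int))
        self.start_counts = defaultdict(int)
        self.n_sequences = 0

    def fit(self, sequences):
        """Count start states and state-to-state transitions in the training data."""
        for seq in sequences:
            if not seq:
                continue
            self.n_sequences += 1
            self.start_counts[seq[0]] += 1
            for prev, cur in zip(seq, seq[1:]):
                self.counts[prev][cur] += 1
        return self

    def transition_prob(self, prev, cur):
        # Smoothing gives unseen transitions a small, non-zero probability, so a
        # single novel transition lowers the score without producing log(0).
        row = self.counts[prev]
        total = sum(row.values())
        return (row[cur] + self.alpha) / (total + self.alpha * len(self.states))

    def start_prob(self, state):
        return (self.start_counts[state] + self.alpha) / (
            self.n_sequences + self.alpha * len(self.states))

    def log_likelihood(self, seq):
        """Log probability of the whole sequence under the chain."""
        ll = math.log(self.start_prob(seq[0]))
        for prev, cur in zip(seq, seq[1:]):
            ll += math.log(self.transition_prob(prev, cur))
        return ll

    def mean_log_likelihood(self, seq):
        """Per-state score so that sequences of different lengths are comparable."""
        return self.log_likelihood(seq) / len(seq)


def build_detector(margin=0.5):
    """Fit the chain to benign data and derive a threshold from the worst
    benign score minus a margin (the margin value is an assumed tuning knob)."""
    model = MarkovChain(STATES).fit(BENIGN_SEQUENCES)
    worst_benign = min(model.mean_log_likelihood(s) for s in BENIGN_SEQUENCES)
    return model, worst_benign - margin


def is_anomalous(model, seq, threshold):
    """True when the sequence is less likely than the learned threshold allows."""
    return model.mean_log_likelihood(seq) < threshold


if __name__ == "__main__":
    model, threshold = build_detector()
    print(f"threshold (mean log-likelihood): {threshold:.3f}")
    for seq in BENIGN_SEQUENCES + [SUSPECT_SEQUENCE]:
        score = model.mean_log_likelihood(seq)
        flag = "ANOMALOUS" if is_anomalous(model, seq, threshold) else "ok"
        print(f"{score:8.3f}  {flag:9s}  {' '.join(seq)}")
```

The score is a per-state average so that long and short windows can share one threshold; in practice the threshold would be set from a held-out benign sample rather than the training set, and the state alphabet would come from whatever flow features the monitoring pipeline already extracts.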
