A discussion on botnets: Life Cycle, control mechanism, and malicious use.

Have you ever heard of the term ‘botnet’? The term is coined from two words: robot and network. Put simply, a botnet exists when a collection of internet-connected devices is infected by the same malicious software and controlled as a group without the knowledge of the authorized, legitimate users. The infected devices (the bots) are controlled remotely by the infiltrator, who usually has a malicious and criminal intent such as sending spam email, breaching data, or launching denial-of-service attacks.

Botnets range in size from small-scale botnets of a few hundred bots or fewer to large-scale botnets of thousands to millions of bots. Regardless of their size, which is directly linked to their complexity and purpose, botnets are mainly created to carry out malicious activities in computer networks. Such activities include stealing financial information, spamming, denial of service, illegal advertising and sales services, and distributing further malware. Some notable botnets are worth mentioning here. In 2007 the world witnessed one of the most widely used botnets in the history of computer security: the Zeus malware, a trojan horse used to steal online banking credentials and financial information from users. Two years later, the botnet was estimated to have infected about 3.6 million hosts. The Srizbi botnet, also from 2007, was notable for sending about 60 billion emails daily. One of its well-known campaigns was political rather than financial: it was used to send spam promoting Ron Paul's 2007 presidential campaign. The botnet was active for about a year and is estimated to have infected about 450,000 systems. A more recent and more complex botnet, Mirai, was discovered in 2016. It scanned the internet for insecure devices (largely IoT devices still using default login credentials) while avoiding IP address ranges belonging to major corporations and government agencies. The motivation here was neither political nor financial; the botnet was built to carry out denial-of-service attacks.

What are their characteristics?

Their characteristics can be described through their life cycle. Botnets come in different sizes and structures, but in general they go through the same stages in their life cycle.

  1. Infection and Propagation: The life cycle of a botnet begins with the infection process, where the botmaster uses various methods and techniques to infect new targets and turn them into bots.
  2. Rallying: This is the first time a newly infected bot contacts the botnet's infrastructure: the bot locates the C&C server's IP address (or domain name) and checks in, so that the botmaster learns a new bot is available.
  3. Command and Reports: In this phase the bot connects to the Command and Control (C&C) server periodically to fetch new commands, which are treated as orders and executed, and reports the results back to the botmaster.
  4. Abandon: In this phase the bot is retired, either after it has completed its malicious commands or when the botmaster decides that it is no longer useful. A bot may also be abandoned when it has been discovered by an administrator, or when the botmaster is blocked from reaching it with commands.
  5. Securing the Botnet: The constant effort needed to secure the botnet is an important, ongoing phase of the life cycle. The bot code is updated frequently, often daily, which lets the botmaster develop new techniques to protect the bots from detection.
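The periodic check-in of the Command and Reports stage is one of the few behaviours a defender can observe from the network alone. The following detector is an added example written for this page (it is not code from the original post): it groups connections by source, destination and port, measures the regularity of the gaps between them, and flags flows whose gaps show very little jitter. The log format, IP addresses and the allowlisted NTP server are constructed for illustration; the caveat it handles is that legitimate services such as NTP also beacon, so known-good periodic destinations must be excluded before alerting.

```python
"""Detect periodic C&C beaconing in connection logs.

Added example, not code from the original post. A bot in the 'Command and
Reports' stage polls its C&C server at a fixed interval, so the gaps between
its connections to that server show very little jitter. The log format,
hosts, addresses and the allowlisted NTP server are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "<unix_time> <src_ip> <dst_ip> <dst_port>" per line.
# 10.0.0.5 calls 203.0.113.9:443 about every 60 s (beacon-like).
# 10.0.0.7 browses 198.51.100.20:80 at irregular times (human-like).
# 10.0.0.9 syncs with 192.0.2.1:123 every 64 s (periodic, but legitimate NTP).
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.9 443
1060 10.0.0.5 203.0.113.9 443
1121 10.0.0.5 203.0.113.9 443
1179 10.0.0.5 203.0.113.9 443
1240 10.0.0.5 203.0.113.9 443
1301 10.0.0.5 203.0.113.9 443
1005 10.0.0.7 198.51.100.20 80
1300 10.0.0.7 198.51.100.20 80
1310 10.0.0.7 198.51.100.20 80
2400 10.0.0.7 198.51.100.20 80
2407 10.0.0.7 198.51.100.20 80
1000 10.0.0.9 192.0.2.1 123
1064 10.0.0.9 192.0.2.1 123
1128 10.0.0.9 192.0.2.1 123
1192 10.0.0.9 192.0.2.1 123
1256 10.0.0.9 192.0.2.1 123
"""

# Known-good periodic destinations (assumed internal NTP server) so that
# legitimate heartbeats do not trigger alerts.
ALLOWLIST = {("192.0.2.1", 123)}


def parse_log(text):
    """Group connection timestamps by (src_ip, dst_ip, dst_port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(int(ts))
    return flows


def beacon_score(timestamps):
    """Return (mean_gap, jitter) for a list of connection times, or None if
    there are too few gaps to judge. jitter = stdev(gaps) / mean(gaps);
    values near 0 mean the connections are evenly spaced."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text, min_connections=5, max_jitter=0.1, allowlist=ALLOWLIST):
    """Return flows that look like C&C beacons: enough connections, low
    jitter, and not on the allowlist."""
    hits = []
    for (src, dst, port), stamps in parse_log(text).items():
        if (dst, port) in allowlist or len(stamps) < min_connections:
            continue
        score = beacon_score(stamps)
        if score is None:
            continue
        avg, jitter = score
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "port": port,
                         "interval": round(avg, 1), "jitter": round(jitter, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']} "
              f"every ~{hit['interval']}s (jitter {hit['jitter']})")
```

On the constructed log only 10.0.0.5 is reported: the browsing host is rejected by the jitter threshold, and the NTP client, which is just as regular as the bot, is suppressed by the allowlist. In practice the thresholds need tuning per environment, and bots that add random sleep to their polling interval will raise the jitter, so this check works best alongside other indicators such as destination reputation and payload size.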

What are the Command and Control (C&C) Mechanisms?

It is crucial for the bot to be able to receive commands from the botmaster; otherwise the bot is either abandoned or, if it keeps trying to reach a server that no longer answers, more easily detected. There are three types of C&C architecture: centralized, decentralized, and hybrid.

  1. Centralized C&C: In the centralized command and control approach, all bots connect to a central C&C server to get commands and updates. Depending on its configuration, the C&C server may also keep a registry of available bots, which makes it possible to track their activity. This model is simple to operate and commands reach every bot quickly, but the server is a single point of failure: if it is taken down or sinkholed, the botmaster loses contact with the entire botnet.
  2. Decentralized C&C: The decentralized command and control architecture is based on the peer-to-peer (P2P) network model. In this model each infected computer acts as a bot and as a C&C server at the same time: instead of contacting a central server, each bot relays commands to its neighbouring bots. There is no single server to take down, but the botnet is harder to manage, commands propagate more slowly, and the botmaster must typically sign commands so that defenders cannot inject their own.
  3. Hybrid C&C: Each C&C mechanism therefore comes with its own advantages and disadvantages with respect to management, difficulty of detection and takedown, and eventual abandonment. To combine the strengths of each model, different protocols and architectures are layered into a hybrid approach, for example a P2P layer among the bots with a small set of servers behind it.
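The trade-off between the centralized and decentralized models is easiest to see by simulating a takedown. The script below is an added example written for this page (not code from the original post): it builds a star-shaped centralized botnet and an unstructured P2P botnet as reachability graphs, then measures what fraction of bots the botmaster can still command after the defender removes the C&C server or cleans a batch of infected hosts. The bot count, peer degree, number of entry points and random seed are assumptions; the hybrid architecture is not modelled.

```python
"""Takedown-resilience model for centralized vs. peer-to-peer C&C.

Added example, not code from the original post. Each architecture is modelled
as a directed graph of who can relay a command to whom; a bot counts as
'controllable' when a command from the botmaster can still reach it after
the defender has removed some nodes (server takedown, cleaned hosts). Bot
counts, peer degree, entry points and the random seed are assumptions made
for illustration; the hybrid architecture is not modelled.
"""
import random
from collections import deque


def centralized(n_bots):
    """Star topology: botmaster -> one C&C server -> every bot."""
    edges = {"master": {"cc"}, "cc": {f"bot{i}" for i in range(n_bots)}}
    for i in range(n_bots):
        edges[f"bot{i}"] = set()      # bots only receive commands
    return edges


def peer_to_peer(n_bots, degree=4, entry_points=5, seed=1):
    """Unstructured P2P overlay: every bot relays commands to its peers, and
    the botmaster injects a command through a few entry bots it knows."""
    rng = random.Random(seed)
    bots = [f"bot{i}" for i in range(n_bots)]
    edges = {b: set() for b in bots}
    for b in bots:
        for p in rng.sample([x for x in bots if x != b], degree):
            edges[b].add(p)           # peer links relay in both directions
            edges[p].add(b)
    edges["master"] = set(rng.sample(bots, entry_points))
    return edges


def controllable(edges, removed=frozenset()):
    """Bots still reachable from the botmaster once `removed` nodes are gone."""
    seen, queue = set(), deque(["master"])
    while queue:
        node = queue.popleft()
        if node in seen or node in removed:
            continue
        seen.add(node)
        queue.extend(edges.get(node, ()))
    return {n for n in seen if n.startswith("bot")}


def survival(edges, removed=frozenset()):
    """Fraction of the original bot population the botmaster can still command."""
    total = sum(1 for n in edges if n.startswith("bot"))
    return len(controllable(edges, removed)) / total


def takedown_report(n_bots=100, cleaned=20):
    """Compare both architectures against the same two defender actions:
    removing the C&C server, and cleaning `cleaned` infected hosts."""
    star, p2p = centralized(n_bots), peer_to_peer(n_bots)
    cleaned_hosts = {f"bot{i}" for i in range(cleaned)}
    return {
        "centralized_server_down": survival(star, {"cc"}),
        "centralized_hosts_cleaned": survival(star, cleaned_hosts),
        "p2p_server_down": survival(p2p, {"cc"}),      # no such node to remove
        "p2p_hosts_cleaned": survival(p2p, cleaned_hosts),
    }


if __name__ == "__main__":
    for scenario, frac in takedown_report().items():
        print(f"{scenario:28s} {frac:5.0%} of bots still controllable")
```

Removing the single server drops the centralized botnet to zero controllable bots, while the P2P botnet is unaffected by that action and loses only roughly the hosts that were cleaned. The model also shows the P2P weakness the hybrid design tries to cover: the botmaster still depends on a handful of entry points, and reaching every bot requires the command to be relayed hop by hop through peers.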

Conclusion

No matter the purpose, size, attack method, or attribution of a botnet, the intention of the botmaster is to command the bots for malicious gain. An understanding of the characteristics of botnets helps policymakers and system administrators develop detection solutions so that the botmaster is no longer able to command the bots. Financial institutions should not relent in their network monitoring efforts, so that unusual network activity is detected quickly. Management should also continuously promote employee awareness to close off the channels through which botnet malware could be introduced into the network infrastructure.
