Botnet

Stacheldraht botnet diagram showing a DDoS attack. (Note this is also an example of a type of client–server model of a botnet.)

A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, [1] send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. [2] The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

Overview

A botnet is a logical collection of Internet-connected devices, such as computers, smartphones or Internet of things (IoT) devices, whose security has been breached and control ceded to a third party. Each compromised device, known as a "bot", is created when a device is penetrated by software from a malware (malicious software) distribution. The controller of a botnet is able to direct the activities of these compromised computers through communication channels formed by standards-based network protocols, such as IRC and Hypertext Transfer Protocol (HTTP). [3] [4]

Botnets are increasingly rented out by cyber criminals as commodities for a variety of purposes, [5] including as booter/stresser services.

Architecture

Botnet architecture has evolved over time in an effort to evade detection and disruption. Traditionally, bot programs are constructed as clients which communicate via existing servers. This allows the bot herder (the controller of the botnet) to perform all control from a remote location, which obfuscates the traffic. [6] Many recent botnets now rely on existing peer-to-peer networks to communicate. These P2P bot programs perform the same actions as the client–server model, but they do not require a central server to communicate.

Client–server model

A network based on the client–server model, where individual clients request services and resources from centralized servers

The first botnets on the Internet used a client–server model to accomplish their tasks. [7] Typically, these botnets operate through Internet Relay Chat networks, domains, or websites. Infected clients access a predetermined location and await incoming commands from the server. The bot herder sends commands to the server, which relays them to the clients. Clients execute the commands and report their results back to the bot herder.

In the case of IRC botnets, infected clients connect to an infected IRC server and join a channel pre-designated for C&C by the bot herder. The bot herder sends commands to the channel via the IRC server. Each client retrieves the commands and executes them. Clients send messages back to the IRC channel with the results of their actions. [6]

Peer-to-peer

A peer-to-peer (P2P) network in which interconnected nodes ("peers") share resources among each other without the use of a centralized administrative system

In response to efforts to detect and decapitate IRC botnets, bot herders have begun deploying malware on peer-to-peer networks. These bots may use digital signatures so that only someone with access to the private key can control the botnet, [8] such as in Gameover ZeuS and the ZeroAccess botnet.

Newer botnets fully operate over P2P networks. Rather than communicate with a centralized server, P2P bots perform as both a command distribution server and a client which receives commands. [9] This avoids having any single point of failure, which is an issue for centralized botnets.

In order to find other infected machines, P2P bots discreetly probe random IP addresses until they identify another infected machine. The contacted bot replies with information such as its software version and its list of known bots. If one bot's version is lower than the other's, they initiate a file transfer to update it. [8] In this way, each bot grows its list of infected machines and updates itself by periodically communicating with all known bots.

Core components

A botnet's originator (known as a "bot herder" or "bot master") controls the botnet remotely. This is known as the command-and-control (C&C). The program for the operation must communicate via a covert channel to the client on the victim's machine (zombie computer).

Control protocols

IRC is a historically favored means of C&C because of its communication protocol. A bot herder creates an IRC channel for infected clients to join. Messages sent to the channel are broadcast to all channel members. The bot herder may set the channel's topic to command the botnet. For example, the message ":herder!herder@example.com TOPIC #channel DDoS www.victim.com" from the bot herder alerts all infected clients belonging to #channel to begin a DDoS attack on the website www.victim.com. An example response, ":bot1!bot1@compromised.net PRIVMSG #channel I am DDoSing www.victim.com", by a bot client alerts the bot herder that it has begun the attack. [8]

Some botnets implement custom versions of well-known protocols. The implementation differences can be used for detection of botnets. For example, Mega-D features a slightly modified Simple Mail Transfer Protocol (SMTP) implementation for testing spam capability. Bringing down Mega-D's SMTP server disables the entire pool of bots that rely upon the same SMTP server. [10]

Zombie computer

In computer science, a zombie computer is a computer connected to the Internet that has been compromised by a hacker, computer virus or trojan horse and can be used to perform malicious tasks under remote direction. Botnets of zombie computers are often used to spread e-mail spam and launch denial-of-service attacks (DDoS). Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to zombies. A coordinated DDoS attack by multiple botnet machines also resembles a zombie horde attack. [11]

The process of stealing computing resources as a result of a system being joined to a "botnet" is sometimes referred to as "scrumping". [12]

Command and control

Botnet command and control (C&C) protocols have been implemented in a number of ways, from traditional IRC approaches to more sophisticated versions.

Telnet

Telnet botnets use a simple C&C protocol in which bots connect to a main command server that hosts the botnet. Bots are added to the botnet by a scanning script, which runs on an external server and scans IP ranges for telnet and SSH servers with default logins. Once a login is found, the scanning server infects the device over SSH with malware, which then calls back to the control server.

IRC

IRC networks use simple, low-bandwidth communication methods, which makes them widely used to host botnets. Such botnets tend to be relatively simple in construction and have been used with moderate success for coordinating DDoS attacks and spam campaigns, while being able to continually switch channels to avoid being taken down. However, in some cases, merely blocking certain keywords has proven effective in stopping IRC-based botnets. The RFC 1459 (IRC) standard is popular with botnets. The first known popular botnet controller script, "MaXiTE Bot", used the IRC XDCC protocol for private control commands.

One problem with using IRC is that each bot client must know the IRC server, port, and channel to be of any use to the botnet. Anti-malware organizations can detect and shut down these servers and channels, effectively halting the botnet attack. If this happens, clients are still infected, but they typically lie dormant since they have no way of receiving instructions. [8] To mitigate this problem, a botnet can consist of several servers or channels. If one of the servers or channels becomes disabled, the botnet simply switches to another. It is still possible to detect and disrupt additional botnet servers or channels by sniffing IRC traffic. A botnet adversary can even potentially gain knowledge of the control scheme and imitate the bot herder by issuing commands correctly. [13]
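The following is an added example, not code from the article or from any botnet, showing the defender's side of the IRC C&C scheme described under Control protocols and the keyword-blocking approach mentioned above. It parses raw RFC 1459 lines as a passive network sensor would, flags TOPIC/PRIVMSG/NOTICE bodies that carry command verbs, and then reports channels in which several distinct nicks echo the same command, the pattern that distinguishes a herder's order from ordinary chat. The keyword list, the threshold of three nicks and every sample line are assumptions; two of the sample lines reproduce the article's own TOPIC/PRIVMSG exchange.

```python
"""Flag IRC traffic that looks like botnet command and control.

Added example, not code from the article or from any botnet. Lines are
parsed per RFC 1459, scored with a keyword heuristic, and aggregated per
channel so that many nicks repeating one order stand out. All sample
lines are constructed; two reproduce the article's exchange.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 1459 message: [':' prefix SPACE] command {SPACE middle} [SPACE ':' trailing]
_IRC_RE = re.compile(
    r"^(?::(?P<prefix>\S+) )?"
    r"(?P<command>[A-Za-z]+|\d{3})"
    r"(?P<middle>(?: [^:\s]\S*)*)"
    r"(?: :(?P<trailing>.*))?$"
)

# Command verbs rarely seen in legitimate chat (assumed list, not from the article).
CC_KEYWORDS = ("ddos", "synflood", "udpflood", "httpflood", "scan", "spam")
MIN_ECHOING_NICKS = 3  # assumed: how many nicks must repeat one order before a channel is suspect


@dataclass
class IrcMessage:
    prefix: str
    command: str
    params: List[str]
    trailing: str

    @property
    def nick(self) -> str:
        return self.prefix.split("!", 1)[0]

    @property
    def target(self) -> str:
        return self.params[0] if self.params else ""

    @property
    def text(self) -> str:
        # Everything after the target, whether it arrived as middle params or as trailing.
        return " ".join(self.params[1:] + ([self.trailing] if self.trailing else []))


def parse_irc(line: str) -> Optional[IrcMessage]:
    """Split one raw IRC line into prefix, command, params and trailing text."""
    m = _IRC_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return IrcMessage(m.group("prefix") or "", m.group("command").upper(),
                      m.group("middle").split(), m.group("trailing") or "")


def keyword_hits(msg: IrcMessage) -> List[str]:
    """C&C keywords found in a TOPIC/PRIVMSG/NOTICE body ('ddos' also matches 'DDoSing')."""
    if msg.command not in ("TOPIC", "PRIVMSG", "NOTICE"):
        return []
    body = msg.text.lower()
    return [k for k in CC_KEYWORDS if re.search(r"\b" + k, body)]


def scan(lines: List[str]) -> Dict[str, object]:
    """Return per-message findings and channels where many nicks echo the same keyword."""
    findings = []
    echo: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for line in lines:
        msg = parse_irc(line)
        if msg is None:
            continue
        hits = keyword_hits(msg)
        if hits:
            findings.append((msg.command, msg.nick, msg.target, hits))
            for k in hits:
                echo[msg.target][k].add(msg.nick)
    suspect = {}
    for chan, kws in echo.items():
        loud = {k: sorted(nicks) for k, nicks in kws.items() if len(nicks) >= MIN_ECHOING_NICKS}
        if loud:
            suspect[chan] = loud
    return {"findings": findings, "suspect_channels": suspect}


# Constructed sample: the article's exchange, two more echoing bots, benign chat, server noise.
SAMPLE_LINES = [
    ":irc.example.net 001 bot1 :Welcome to the network",
    ":herder!herder@example.com TOPIC #channel DDoS www.victim.com",
    ":bot1!bot1@compromised.net PRIVMSG #channel I am DDoSing www.victim.com",
    ":bot2!bot2@compromised.net PRIVMSG #channel :I am DDoSing www.victim.com",
    ":bot3!bot3@compromised.net PRIVMSG #channel :I am DDoSing www.victim.com",
    ":alice!alice@example.org PRIVMSG #linux :anyone know a good coffee place?",
    "PING :irc.example.net",
]

if __name__ == "__main__":
    result = scan(SAMPLE_LINES)
    for finding in result["findings"]:
        print(finding)
    print("suspect channels:", result["suspect_channels"])
```

The keyword rule alone produces false positives (a verb like "scan" appears in ordinary conversation), which is why the channel-level count of distinct nicks repeating one order is the stronger signal; in practice the keyword list and threshold are tuned per network, and the sensor only sees plaintext IRC, so botnets that switch to encrypted or custom protocols fall outside this detector.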

P2P

Since most botnets using IRC networks and domains can be taken down with time, hackers have moved to P2P botnets with C&C to make the botnet more resilient and resistant to termination.

Some have also used encryption to secure or lock down the botnet from others. Most of the time this is public-key cryptography, which has presented challenges both in implementing it and in breaking it.

Domains

Many large botnets tend to use domains rather than IRC in their construction (see Rustock botnet and Srizbi botnet). They are usually hosted with bulletproof hosting services. This is one of the earliest types of C&C. A zombie computer accesses a specially-designed webpage or domain(s) which serves the list of controlling commands. The advantages of using web pages or domains as C&C is that a large botnet can be effectively controlled and maintained with very simple code that can be readily updated.

Disadvantages of using this method are that it uses a considerable amount of bandwidth at large scale, and domains can be quickly seized by government agencies with little effort. If the domains controlling the botnets are not seized, they are also easy targets to compromise with denial-of-service attacks.

Fast-flux DNS can be used to make it difficult to track down the control servers, which may change from day to day. Control servers may also hop from DNS domain to DNS domain, with domain generation algorithms being used to create new DNS names for controller servers.

Some botnets use free DNS hosting services such as DynDns.org, No-IP.com, and Afraid.org to point a subdomain towards an IRC server that harbors the bots. While these free DNS services do not themselves host attacks, they provide reference points (often hard-coded into the botnet executable). Removing such services can cripple an entire botnet.
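As an added example, not from the article, of what a defender can do with the three naming techniques just described (fast-flux records, domain generation algorithms, and dynamic-DNS subdomains), the following resolver-log analyzer scores every queried name on all three signals: many distinct A records behind a short TTL, a registered label with high entropy or many digits, and a suffix belonging to one of the free DNS providers the article names. The log format, the thresholds, and every line of the sample log are assumptions; the sample uses documentation IP ranges and reserved top-level domains, and the hostnames are invented.

```python
"""Spot fast-flux, DGA-style and dynamic-DNS names in resolver logs.

Added example, not code from the article. Reads A-record answers from a
(constructed) resolver log and reports, per queried name, which of three
signals it triggered. Thresholds and the log format are assumptions; the
provider suffixes are the ones the article names.
"""
import math
import re
from collections import defaultdict
from typing import Dict, List

# Constructed log format: key=value fields from a resolver's answer log.
_LOG_RE = re.compile(r"qname=(?P<qname>\S+) type=A ttl=(?P<ttl>\d+) answer=(?P<ip>\S+)")

DYNDNS_SUFFIXES = ("dyndns.org", "no-ip.com", "afraid.org")   # providers named in the article
FLUX_MIN_IPS, FLUX_MAX_TTL = 5, 300                            # assumed: many IPs behind a short TTL
DGA_MIN_LEN, DGA_MIN_ENTROPY, DGA_DIGIT_RATIO = 10, 3.3, 0.3   # assumed DGA heuristics


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for c in s:
        counts[c] += 1
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def registered_label(qname: str) -> str:
    """Label directly under the public suffix (naive: second-from-right label)."""
    labels = qname.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_like_dga(qname: str) -> bool:
    """Long registered label that is either high-entropy or digit-heavy."""
    label = registered_label(qname).lower()
    digit_ratio = sum(c.isdigit() for c in label) / max(len(label), 1)
    if len(label) < DGA_MIN_LEN:
        return False
    return shannon_entropy(label) >= DGA_MIN_ENTROPY or digit_ratio >= DGA_DIGIT_RATIO


def dynamic_dns_provider(qname: str) -> str:
    """The matching free-DNS provider suffix, or '' if none matches."""
    q = qname.rstrip(".").lower()
    return next((s for s in DYNDNS_SUFFIXES if q == s or q.endswith("." + s)), "")


def analyze(lines: List[str]) -> Dict[str, List[str]]:
    """Map each queried name to the signals it triggered (empty list means clean)."""
    ips: Dict[str, set] = defaultdict(set)
    min_ttl: Dict[str, int] = {}
    for line in lines:
        m = _LOG_RE.search(line)
        if not m:
            continue  # non-A records and unparsable lines are skipped
        name, ttl = m.group("qname").lower(), int(m.group("ttl"))
        ips[name].add(m.group("ip"))
        min_ttl[name] = min(ttl, min_ttl.get(name, ttl))
    report: Dict[str, List[str]] = {}
    for name in ips:
        signals = []
        if len(ips[name]) >= FLUX_MIN_IPS and min_ttl[name] <= FLUX_MAX_TTL:
            signals.append(f"fast-flux: {len(ips[name])} IPs, ttl<={min_ttl[name]}")
        if looks_like_dga(name):
            signals.append("dga-like name")
        provider = dynamic_dns_provider(name)
        if provider:
            signals.append(f"dynamic-dns provider {provider}")
        report[name] = signals
    return report


# Constructed sample log: one benign name, one fast-flux name rotating through six
# addresses, one DGA-style name, one dynamic-DNS subdomain (all hostnames invented).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z client=10.0.0.5 qname=www.example.com type=A ttl=3600 answer=192.0.2.10",
    "2024-05-01T10:00:02Z client=10.0.0.5 qname=www.example.com type=A ttl=3600 answer=192.0.2.10",
] + [
    f"2024-05-01T10:0{i}:00Z client=10.0.0.7 qname=cdn.flux-host.example type=A ttl=60 answer=198.51.100.{i}"
    for i in range(1, 7)
] + [
    "2024-05-01T10:05:00Z client=10.0.0.9 qname=xk3p9qz2m7wt1.example type=A ttl=300 answer=203.0.113.5",
    "2024-05-01T10:06:00Z client=10.0.0.9 qname=host123.no-ip.com type=A ttl=60 answer=203.0.113.9",
]

if __name__ == "__main__":
    for name, signals in analyze(SAMPLE_LOG).items():
        print(name, signals or ["clean"])
```

Each signal on its own is weak evidence: content delivery networks legitimately answer with many short-TTL addresses, and dynamic-DNS providers host plenty of benign hosts, so such a report is a triage list to be combined with an allowlist and with which clients asked, not a blocklist in itself.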

Others

Calling back to popular sites [14] such as GitHub, [15] Twitter, [16] [17] Reddit, [18] Instagram, [19] the XMPP open-source instant messaging protocol [20] and Tor hidden services [21] is a popular way of avoiding egress filtering when communicating with a C&C server. [22]

Construction

Traditional

This example illustrates how a botnet is created and used for malicious gain.

  1. A hacker purchases or builds a Trojan and/or exploit kit and uses it to start infecting users' computers; the payload is a malicious application, the bot.
  2. The bot instructs the infected PC to connect to a particular command-and-control (C&C) server. (This allows the botmaster to keep logs of how many bots are active and online.)
  3. The botmaster may then use the bots to gather keystrokes or use form grabbing to steal online credentials and may rent out the botnet as DDoS and/or spam as a service or sell the credentials online for a profit.
  4. Depending on the quality and capability of the bots, the value is increased or decreased.

Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community. [23]

Computers can be co-opted into a botnet when they execute malicious software. This can be accomplished by luring users into making a drive-by download, exploiting web browser vulnerabilities, or by tricking the user into running a Trojan horse program, which may come from an email attachment. This malware will typically install modules that allow the computer to be commanded and controlled by the botnet's operator. After the software is downloaded, it will call home (send a reconnection packet) to the host computer. When the re-connection is made, depending on how it is written, a Trojan may then delete itself or may remain present to update and maintain the modules.

Others

In some cases, a botnet may be temporarily created by volunteer hacktivists, such as with implementations of the Low Orbit Ion Cannon as used by 4chan members during Project Chanology in 2010. [24]

China's Great Cannon allows the modification of legitimate web browsing traffic at Internet backbones into China to create a large ephemeral botnet to attack large targets, such as GitHub in 2015. [25]

Common uses

Market

The botnet controller community constantly competes over who has the most bots, the highest overall bandwidth, and the most "high-quality" infected machines, like university, corporate, and even government machines. [33]

While botnets are often named after the malware that created them, multiple botnets typically use the same malware but are operated by different entities. [34]

Phishing

Botnets can be used for many electronic scams. They can distribute malware such as viruses to take control of a regular user's computer or software. [35] By taking control of someone's personal computer, the attacker has unlimited access to their personal information, including passwords and login information for accounts. This is called phishing. Phishing is the acquiring of login information for the "victim's" accounts through a link the "victim" clicks on, sent by email or text. [36] A survey by Verizon found that around two-thirds of electronic "espionage" cases come from phishing. [37]

Countermeasures

The geographic dispersal of botnets means that each recruit must be individually identified/corralled/repaired and limits the benefits of filtering.

Computer security experts have succeeded in destroying or subverting malware command and control networks, by, among other means, seizing servers or getting them cut off from the Internet, denying access to domains that were due to be used by malware to contact its C&C infrastructure, and, in some cases, breaking into the C&C network itself. [38] [39] [40] In response to this, C&C operators have resorted to using techniques such as overlaying their C&C networks on other existing benign infrastructure such as IRC or Tor, using peer-to-peer networking systems that are not dependent on any fixed servers, and using public key encryption to defeat attempts to break into or spoof the network. [41]

Norton AntiBot was aimed at consumers, but most anti-botnet products target enterprises and/or ISPs. Host-based techniques use heuristics to identify bot behavior that has bypassed conventional anti-virus software. Network-based approaches tend to use the techniques described above: shutting down C&C servers, null-routing DNS entries, or completely shutting down IRC servers. BotHunter is software, developed with support from the U.S. Army Research Office, that detects botnet activity within a network by analyzing network traffic and comparing it to patterns characteristic of malicious processes.

Researchers at Sandia National Laboratories are analyzing botnets' behavior by simultaneously running one million Linux kernels—a similar scale to a botnet—as virtual machines on a 4,480-node high-performance computer cluster to emulate a very large network, allowing them to watch how botnets work and experiment with ways to stop them. [42]

Detecting automated bot attacks is becoming more difficult each day as newer and more sophisticated generations of bots are getting launched by attackers. For example, an automated attack can deploy a large bot army and apply brute-force methods with highly accurate username and password lists to hack into accounts. The idea is to overwhelm sites with tens of thousands of requests from different IPs all over the world, but with each bot only submitting a single request every 10 minutes or so, which can result in more than 5 million attempts per day. [43] In these cases, many tools try to leverage volumetric detection, but automated bot attacks now have ways of circumventing triggers of volumetric detection.

One of the techniques for detecting these bot attacks is what's known as "signature-based systems" in which the software will attempt to detect patterns in the request packet. However, attacks are constantly evolving, so this may not be a viable option when patterns cannot be discerned from thousands of requests. There is also the behavioral approach to thwarting bots, which ultimately tries to distinguish bots from humans. By identifying non-human behavior and recognizing known bot behavior, this process can be applied at the user, browser, and network levels.
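The two preceding paragraphs contrast volumetric detection, which the low-rate bot armies evade, with behavioral detection that looks across requests. The following added example, not code from the article, runs both kinds of rule over one constructed authentication log: a per-IP threshold catches a single noisy source, but the campaign in which sixty sources each fail one login per ten-minute window, as the article describes, only shows up when failures are aggregated across sources and the ratio of distinct IPs to failures is examined. The log format, thresholds and every event are assumptions.

```python
"""Detect a distributed, low-rate bot attack that a per-IP volumetric rule misses.

Added example, not code from the article. Two detectors run over the same
constructed authentication log: a per-IP volumetric rule and a cross-source
rule that looks at how failures are spread over IPs within a window.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

WINDOW = 600                 # seconds; the article's ten-minute cadence
PER_IP_THRESHOLD = 20        # assumed: failures from one IP per window before alerting
DIST_MIN_FAILURES = 30       # assumed: failures per window before the distributed rule applies
DIST_MIN_IP_RATIO = 0.8      # assumed: distinct sources / failures (close to 1 = one try per bot)
DIST_MAX_PER_IP = 2          # assumed: every source stays under the volumetric radar


@dataclass
class AuthEvent:
    ts: int       # seconds since epoch (constructed)
    user: str
    src: str
    ok: bool


def parse_line(line: str) -> AuthEvent:
    """Constructed format: '<ts> user=<name> src=<ip> result=<ok|fail>'."""
    ts, user, src, result = line.split()
    return AuthEvent(int(ts), user.split("=", 1)[1], src.split("=", 1)[1], result.endswith("ok"))


def failures_by_window(events: List[AuthEvent]) -> Dict[int, List[AuthEvent]]:
    """Bucket failed logins into fixed ten-minute windows."""
    buckets: Dict[int, List[AuthEvent]] = defaultdict(list)
    for e in events:
        if not e.ok:
            buckets[e.ts // WINDOW].append(e)
    return buckets


def _per_ip_counts(fails: List[AuthEvent]) -> Dict[str, int]:
    counts: Dict[str, int] = defaultdict(int)
    for e in fails:
        counts[e.src] += 1
    return counts


def volumetric_alerts(events: List[AuthEvent]) -> List[Tuple[int, str, int]]:
    """Per-IP rule: (window, ip, failures) for sources exceeding PER_IP_THRESHOLD."""
    alerts = []
    for w, fails in failures_by_window(events).items():
        alerts += [(w, ip, n) for ip, n in _per_ip_counts(fails).items() if n > PER_IP_THRESHOLD]
    return sorted(alerts)


def distributed_alerts(events: List[AuthEvent]) -> List[Tuple[int, int, int, int]]:
    """Cross-source rule: (window, failures, distinct ips, distinct users) when many
    failures arrive, almost all from different IPs, and no single IP is noisy."""
    alerts = []
    for w, fails in failures_by_window(events).items():
        per_ip = _per_ip_counts(fails)
        n, ips = len(fails), len(per_ip)
        if n >= DIST_MIN_FAILURES and ips / n >= DIST_MIN_IP_RATIO and max(per_ip.values()) <= DIST_MAX_PER_IP:
            alerts.append((w, n, ips, len({e.user for e in fails})))
    return sorted(alerts)


def build_sample_log() -> List[str]:
    """Constructed log: background noise, one noisy IP, then a 60-bot low-rate campaign."""
    lines = []
    # Window 0: ordinary traffic with a couple of mistyped passwords.
    for i in range(10):
        lines.append(f"{i * 30} user=user{i} src=10.0.0.{i + 1} result={'fail' if i % 5 == 0 else 'ok'}")
    # Window 1: a single source hammering one account (what the volumetric rule catches).
    for i in range(50):
        lines.append(f"{600 + i * 10} user=admin src=203.0.113.200 result=fail")
    # Windows 2 and 3: 60 sources, each one failed login per window, each against a different account.
    for w in (2, 3):
        for i in range(60):
            lines.append(f"{w * 600 + i * 9} user=acct{i}_{w} src=198.51.100.{i + 1} result=fail")
    return lines


if __name__ == "__main__":
    evs = [parse_line(line) for line in build_sample_log()]
    print("volumetric:", volumetric_alerts(evs))
    print("distributed:", distributed_alerts(evs))
```

The distributed rule fires on a population property rather than on any one client, which is also its weakness: a busy site behind a carrier-grade NAT or a large office can produce many distinct users failing from a few addresses, so the ratio and minimum-failure thresholds must be calibrated against the site's normal traffic, and the alert is a reason to add friction (rate limits per account, step-up authentication), not to block every source in the window.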

The most capable method of using software to combat a virus has been to use honeypot software to convince the malware that a system is vulnerable. The malicious files are then analyzed using forensic software.

On 15 July 2014, the Subcommittee on Crime and Terrorism of the Committee [44] on the Judiciary, United States Senate, held a hearing on the threats posed by botnets and the public and private efforts to disrupt and dismantle them. [45]

The rise in vulnerable IoT devices has led to an increase in IoT-based botnet attacks. To address this, a novel network-based anomaly detection method for IoT called N-BaIoT was introduced. It captures network behavior snapshots and employs deep autoencoders to identify abnormal traffic from compromised IoT devices. The method was tested by infecting nine IoT devices with Mirai and BASHLITE botnets, showing its ability to accurately and promptly detect attacks originating from compromised IoT devices within a botnet. [46]

Additionally, comparing different botnet detection methods is useful for researchers: it shows how well each method performs relative to the others, lets the methods be evaluated fairly, and points to ways of improving them. [47]

Historical list of botnets

The first botnet was acknowledged and exposed by EarthLink during a lawsuit with notorious spammer Khan C. Smith [48] in 2001. The botnet was constructed for the purpose of bulk spam, and accounted for nearly 25% of all spam at the time. [49]

Around 2006, to thwart detection, some botnets were scaling back in size. [50]

Date created | Date dismantled | Name | Estimated no. of bots | Spam capacity (bn/day) | Aliases
------------ | --------------- | ---- | --------------------- | ---------------------- | -------
2003 | | MaXiTE | 500-1000 servers | 0 | MaXiTE XDCC Bot, MaXiTE IRC TCL Script, MaxServ
2004 (Early) | | Bagle | 230,000 [51] | 5.7 | Beagle, Mitglieder, Lodeight
 | | Marina Botnet | 6,215,000 [51] | 92 | Damon Briant, BOB.dc, Cotmonger, Hacktool.Spammer, Kraken
 | | Torpig | 180,000 [52] | | Sinowal, Anserin
 | | Storm | 160,000 [53] | 3 | Nuwar, Peacomm, Zhelatin
2006 (around) | 2011 (March) | Rustock | 150,000 [54] | 30 | RKRustok, Costrat
 | | Donbot | 125,000 [55] | 0.8 | Buzus, Bachsoy
2007 (around) | | Cutwail | 1,500,000 [56] | 74 | Pandex, Mutant (related to: Wigon, Pushdo)
2007 | | Akbot | 1,300,000 [57] | |
2007 (March) | 2008 (November) | Srizbi | 450,000 [58] | 60 | Cbeplay, Exchanger
 | | Lethic | 260,000 [51] | 2 | none
 | | Xarvester | 10,000 [51] | 0.15 | Rlsloup, Pixoliz
2008 (around) | | Sality | 1,000,000 [59] | | Sector, Kuku
2008 (around) | 2009-Dec | Mariposa | 12,000,000 [60] | |
2008 (around) | | Kraken | 495,000 [61] | 9 | Kracken
2008 (November) | | Conficker | 10,500,000+ [62] | 10 | DownUp, DownAndUp, DownAdUp, Kido
2008 (November) | 2010 (March) | Waledac | 80,000 [63] | 1.5 | Waled, Waledpak
 | | Maazben | 50,000 [51] | 0.5 | None
 | | Onewordsub | 40,000 [64] | 1.8 |
 | | Gheg | 30,000 [51] | 0.24 | Tofsee, Mondera
 | | Nucrypt | 20,000 [64] | 5 | Loosky, Locksky
 | | Wopla | 20,000 [64] | 0.6 | Pokier, Slogger, Cryptic
2008 (around) | | Asprox | 15,000 [65] | | Danmec, Hydraflux
 | | Spamthru | 12,000 [64] | 0.35 | Spam-DComServ, Covesmer, Xmiler
2008 (around) | | Gumblar | | |
2009 (May) | November 2010 (not complete) | BredoLab | 30,000,000 [66] | 3.6 | Oficla
2009 (Around) | 2012-07-19 | Grum | 560,000 [67] | 39.9 | Tedroo
 | | Mega-D | 509,000 [68] | 10 | Ozdok
2009 (August) | | Festi | 250,000 [69] | 2.25 | Spamnost
2010 (March) | | Vulcanbot | | |
2010 (January) | | LowSec | 11,000+ [51] | 0.5 | LowSecurity, FreeMoney, Ring0.Tools
2010 (around) | | TDL4 | 4,500,000 [70] | | TDSS, Alureon
 | | Zeus | 3,600,000 (US only) [71] | | Zbot, PRG, Wsnpoem, Gorhax, Kneber
2010 | Several: 2011, 2012 | Kelihos | 300,000+ | 4 | Hlux
2011 or earlier | 2015-02 | Ramnit | 3,000,000 [72] | |
2012 (Around) | | Chameleon | 120,000 [73] | | None
2014 | | Necurs | 6,000,000 | |
2016 (August) | | Mirai | 380,000 | | None
2022 | | Mantis [74] | 5000 | |

See also

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

Zombie (computing): Compromised computer used for malicious tasks on a network

In computing, a zombie is a computer connected to the Internet that has been compromised by a hacker via a computer virus, computer worm, or trojan horse program and can be used to perform malicious tasks under the remote direction of the hacker. Zombie computers often coordinate together in a botnet controlled by the hacker, and are used for activities such as spreading e-mail spam and launching distributed denial-of-service attacks against web servers. Most victims are unaware that their computers have become zombies. The concept is similar to the zombie of Haitian Voodoo folklore, which refers to a corpse resurrected by a sorcerer via magic and enslaved to the sorcerer's commands, having no free will of its own. A coordinated DDoS attack by multiple botnet machines also resembles a "zombie horde attack", as depicted in fictional zombie films.

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

Agobot, also frequently known as Gaobot, is a family of computer worms. Axel "Ago" Gembe, a German programmer also known for leaking Half-Life 2 a year before release, was responsible for writing the first version. The Agobot source code describes it as: “a modular IRC bot for Win32 / Linux”. Agobot was released under version 2 of the GNU General Public License. Agobot is a multi-threaded and mostly object oriented program written in C++ as well as a small amount of assembly. Agobot is an example of a Botnet that requires little or no programming knowledge to use.

Operation: Bot Roast is an operation by the FBI to track down bot herders, crackers, or virus coders who install malicious software on computers through the Internet without the owners' knowledge, which turns the computer into a zombie computer that then sends out spam to other computers from the compromised computer, making a botnet or network of bot infected computers. The operation was launched because the vast scale of botnet resources poses a threat to national security.

Storm botnet: Computer botnet

The Storm botnet or Storm worm botnet was a remotely controlled network of "zombie" computers that had been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as "230 dead as storm batters Europe," giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008 had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.

Srizbi BotNet is considered one of the world's largest botnets, and responsible for sending out more than half of all the spam being sent by all the major botnets combined. The botnets consist of computers infected by the Srizbi trojan, which sent spam on command. Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes reduced up to 93% as a result of this action.

The Rustock botnet was a botnet that operated from around 2006 until March 2011.

The Cutwail botnet, founded around 2007, is a botnet mostly involved in sending spam e-mails. The bot is typically installed on infected machines by a Trojan component called Pushdo. It affects computers running Microsoft Windows.

The Bredolab botnet, also known by its alias Oficla, was a Russian botnet mostly involved in viral e-mail spam. Before the botnet was eventually dismantled in November 2010 through the seizure of its command and control servers, it was estimated to consist of millions of zombie computers.

United States of America v. Ancheta is the name of a lawsuit against Jeanson James Ancheta of Downey, California by the U.S. Government and was handled by the United States District Court for the Central District of California. This is the first botnet-related prosecution in U.S. history.

Slenfbot is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.

ZeroAccess is a Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine from a botnet while remaining hidden using rootkit techniques.

Festi is a rootkit and a botnet also known by its alias of Spamnost, and is mostly involved in email spam and denial of service attacks. It works under operating systems of the Windows family. Autumn of 2009 was the first time Festi came into the view of the companies engaged in the development and sale of antivirus software. At this time it was estimated that the botnet itself consisted of roughly 25.000 infected machines, while having a spam volume capacity of roughly 2.5 billion spam emails a day. Festi showed the greatest activity in 2011-2012. More recent estimates, dated August 2012, show that the botnet is sending spam from 250,000 unique IP addresses, a quarter of the total amount of one million detected IPs sending spam mails. The main functionality of the Festi botnet is spam sending and implementation of cyberattacks like "distributed denial of service".

Microsoft Digital Crimes Unit

The Microsoft Digital Crimes Unit (DCU) is a Microsoft sponsored team of international legal and internet security experts employing the latest tools and technologies to stop or interfere with cybercrime and cyber threats. The Microsoft Digital Crimes Unit was assembled in 2008. In 2013, a Cybercrime center for the DCU was opened in Redmond, Washington. There are about 100 members of the DCU stationed just in Redmond, Washington at the original Cybercrime Center. Members of the DCU include lawyers, data scientists, investigators, forensic analysts, and engineers. The DCU has international offices located in major cities such as: Beijing, Berlin, Bogota, Delhi, Dublin, Hong Kong, Sydney, and Washington, D.C. The DCU's main focuses are child protection, copyright infringement and malware crimes. The DCU must work closely with law enforcement to ensure the perpetrators are punished to the full extent of the law. The DCU has taken down many major botnets such as the Citadel, Rustock, and Zeus. Around the world, malware has cost users about $113 billion, and the DCU's job is to shut them down in accordance with the law.

Gameover ZeuS: Peer-to-peer botnet

GameOver ZeuS (GOZ), also known as peer-to-peer (P2P) ZeuS, ZeuS3, and GoZeus, is a Trojan horse developed by Russian cybercriminal Evgeniy Bogachev. Created in 2011 as a successor to Jabber Zeus, another project of Bogachev's, the malware is notorious for its usage in bank fraud resulting in damages of approximately $100 million and being the main vehicle through which the CryptoLocker ransomware attack was conducted, resulting in millions of dollars of losses. At the peak of its activity in 2012 and 2013, between 500,000 and 1 million computers were infected with GameOver ZeuS.

BASHLITE is malware which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.

Mirai is malware that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a white hat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs' website, an attack on French web host OVH, and the October 2016 Dyn cyberattack. According to a chat log between Anna-senpai and Robert Coelho, Mirai was named after the 2011 TV anime series Mirai Nikki.

Remaiten is malware which infects Linux on embedded systems by brute forcing, using frequently used default username and password combinations from a list, in order to infect a system.

Code Shikara is a computer worm, related to the Dorkbot family, that attacks through social engineering.

References

  1. "Thingbots: The Future of Botnets in the Internet of Things". Security Intelligence. 20 February 2016. Retrieved 28 July 2017.
  2. "botnet" . Retrieved 9 June 2016.
  3. Ramneek, Puri (8 August 2003). "Bots & Botnet: An Overview". SANS Institute. Retrieved 12 November 2013.
  4. Putman, C. G. J.; Abhishta; Nieuwenhuis, L. J. M. (March 2018). "Business Model of a Botnet". 2018 26th Euromicro International Conference on Parallel, Distributed and Network-based Processing (PDP). pp. 441–445. arXiv: 1804.10848 . Bibcode:2018arXiv180410848P. doi:10.1109/PDP2018.2018.00077. ISBN   978-1-5386-4975-6. S2CID   13756969.
  5. Danchev, Dancho (11 October 2013). "Novice cyberciminals offer commercial access to five mini botnets". Webroot. Retrieved 28 June 2015.
  6. Schiller, Craig A.; Binkley, Jim; Harley, David; Evron, Gadi; Bradley, Tony; Willems, Carsten; Cross, Michael (1 January 2007). Botnets. Burlington, Virginia: Syngress. pp. 29–75. doi:10.1016/B978-159749135-8/50004-4. ISBN 9781597491358.
  7. "Botnets: Definition, Types, How They Work". Crowdstrike. Retrieved 18 April 2021.
  8. Heron, Simon (1 April 2007). "Botnet command and control techniques". Network Security. 2007 (4): 13–16. doi:10.1016/S1353-4858(07)70045-4.
  9. Wang, Ping (2010). "Peer-to-peer botnets". In Stamp, Mark; Stavroulakis, Peter (eds.). Handbook of Information and Communication Security. Springer. ISBN   9783642041174.
  10. C.Y. Cho, D. Babic, R. Shin, and D. Song. Inference and Analysis of Formal Models of Botnet Command and Control Protocols, 2010 ACM Conference on Computer and Communications Security.
  11. Teresa Dixon Murray (28 September 2012). "Banks can't prevent cyber attacks like those hitting PNC, Key, U.S. Bank this week". Cleveland.com. Retrieved 2 September 2014.
  12. Arntz, Pieter (30 March 2016). "The Facts about Botnets". Malwarebytes Labs. Retrieved 27 May 2017.
  13. Schiller, Craig A.; Binkley, Jim; Harley, David; Evron, Gadi; Bradley, Tony; Willems, Carsten; Cross, Michael (1 January 2007). Botnets. Burlington, Virginia: Syngress. pp. 77–95. doi:10.1016/B978-159749135-8/50005-6. ISBN   978-159749135-8.
  14. Zeltser, Lenny. "When Bots Use Social Media for Command and Control". zeltser.com.
  15. Osborne, Charlie. "Hammertoss: Russian hackers target the cloud, Twitter, GitHub in malware spread". ZDNet. Retrieved 7 October 2017.
  16. Singel, Ryan (13 August 2009). "Hackers Use Twitter to Control Botnet". Wired . Retrieved 27 May 2017.
  17. "First Twitter-controlled Android botnet discovered". 24 August 2016. Retrieved 27 May 2017.
  18. Gallagher, Sean (3 October 2014). "Reddit-powered botnet infected thousands of Macs worldwide". ARS Tecnica . Retrieved 27 May 2017.
  19. Cimpanu, Catalin (6 June 2017). "Russian State Hackers Use Britney Spears Instagram Posts to Control Malware". Bleeping Computer. Retrieved 8 June 2017.
  20. Dorais-Joncas, Alexis (30 January 2013). "Walking through Win32/Jabberbot.A instant messaging C&C" . Retrieved 27 May 2017.
  21. Constantin, Lucian (25 July 2013). "Cybercriminals are using the Tor network to control their botnets". PC World . Retrieved 27 May 2017.
  22. "Cisco ASA Botnet Traffic Filter Guide" . Retrieved 27 May 2017.
  23. Attack of the Bots at Wired
  24. Norton, Quinn (1 January 2012). "Anonymous 101 Part Deux: Morals Triumph Over Lulz". Wired.com. Retrieved 22 November 2013.
  25. Peterson, Andrea (10 April 2015). "China deploys new weapon for online censorship in form of 'Great Cannon'". The Washington Post. Retrieved 10 April 2015.
  26. "Here's why massive website outages will continue happening". Vox. 24 October 2016. Retrieved 31 July 2022.
  27. "Operation Aurora — The Command Structure". Damballa.com. Archived from the original on 11 June 2010. Retrieved 30 July 2010.
  28. Edwards, Jim (27 November 2013). "This Is What It Looks Like When A Click-Fraud Botnet Secretly Controls Your Web Browser" . Retrieved 27 May 2017.
  29. FTC. "Social Media Bots and Deceptive Advertising" (PDF).
  30. Burt, Jeff. "Credential-stuffing attack on GM exposes car owners' data". www.theregister.com. Retrieved 31 July 2022.
  31. Nichols, Shaun (24 June 2014). "Got a botnet? Thinking of using it to mine Bitcoin? Don't bother" . Retrieved 27 May 2017.
  32. "Bitcoin Mining". BitcoinMining.com. Archived from the original on 19 April 2016. Retrieved 30 April 2016.{{cite web}}: CS1 maint: bot: original URL status unknown (link)
  33. "Trojan horse, and Virus FAQ". DSLReports. Retrieved 7 April 2011.
  34. Many-to-Many Botnet Relationships Archived 4 March 2016 at the Wayback Machine , Damballa, 8 June 2009.
  35. "Uses of botnets | The Honeynet Project". www.honeynet.org. Archived from the original on 20 March 2019. Retrieved 24 March 2019.
  36. "What is phishing? - Definition from WhatIs.com". SearchSecurity. Retrieved 24 March 2019.
  37. Aguilar, Mario (14 April 2015). "The Number of People Who Fall for Phishing Emails Is Staggering". Gizmodo. Retrieved 24 March 2019.
  38. "Detecting and Dismantling Botnet Command and Control Infrastructure using Behavioral Profilers and Bot Informants". vhosts.eecs.umich.edu.
  39. "DISCLOSURE: Detecting Botnet Command and Control Servers Through Large-Scale NetFlow Analysis" (PDF). Annual Computer Security Applications Conference. ACM. December 2012.
  40. BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic. Proceedings of the 15th Annual Network and Distributed System Security Symposium. 2008. CiteSeerX   10.1.1.110.8092 .
  41. "IRCHelp.org – Privacy on IRC". www.irchelp.org. Retrieved 21 November 2020.
  42. "Researchers Boot Million Linux Kernels to Help Botnet Research". IT Security & Network Security News. 12 August 2009. Retrieved 23 April 2011.[ permanent dead link ]
  43. "Brute-Force Botnet Attacks Now Elude Volumetric Detection". DARKReading from Information Week. 19 December 2016. Retrieved 14 November 2017.
  44. "Subcommittee on Crime and Terrorism | United States Senate Committee on the Judiciary". www.judiciary.senate.gov. Retrieved 11 December 2022.
  45. United States. Congress. Senate. Committee on the Judiciary. Subcommittee on Crime and Terrorism (2018). Taking Down Botnets: Public and Private Efforts to Disrupt and Dismantle Cybercriminal Networks: Hearing before the Subcommittee on Crime and Terrorism of the Committee on the Judiciary, United States Senate, One Hundred Thirteenth Congress, Second Session, July 15, 2014. Washington, DC: U.S. Government Publishing Office. Retrieved 18 November 2018.
  46. Meidan, Yair (2018). "N-BaIoT-Network-Based Detection of IoT Botnet Attacks Using Deep Autoencoders". IEEE Pervasive Computing. 17 (3): 12–22. arXiv: 1805.03409 . doi:10.1109/MPRV.2018.03367731. S2CID   13677639.
  47. García, S.; Grill, M.; Stiborek, J.; Zunino, A. (1 September 2014). "An empirical comparison of botnet detection methods". Computers & Security. 45: 100–123. doi:10.1016/j.cose.2014.05.011. hdl: 11336/6772 . ISSN   0167-4048.
  48. Credeur, Mary. "Atlanta Business Chronicle, Staff Writer". bizjournals.com. Retrieved 22 July 2002.
  49. Mary Jane Credeur (22 July 2002). "EarthLink wins $25 million lawsuit against junk e-mailer" . Retrieved 10 December 2018.
  50. Paulson, L.D. (April 2006). "Hackers Strengthen Malicious Botnets by Shrinking Them" (PDF). Computer; News Briefs. 39 (4). IEEE Computer Society: 17–19. doi:10.1109/MC.2006.136. S2CID   10312905. The size of bot networks peaked in mid-2004, with many using more than 100,000 infected machines, according to Mark Sunner, chief technology officer at MessageLabs.The average botnet size is now about 20,000 computers, he said.
  51. 1 2 3 4 5 6 7 "Symantec.cloud | Email Security, Web Security, Endpoint Protection, Archiving, Continuity, Instant Messaging Security". Messagelabs.com. Archived from the original on 18 November 2020. Retrieved 30 January 2014.
  52. Chuck Miller (5 May 2009). "Researchers hijack control of Torpig botnet". SC Magazine US. Archived from the original on 24 December 2007. Retrieved 7 November 2011.
  53. "Storm Worm network shrinks to about one-tenth of its former size". Tech.Blorge.Com. 21 October 2007. Archived from the original on 24 December 2007. Retrieved 30 July 2010.
  54. Chuck Miller (25 July 2008). "The Rustock botnet spams again". SC Magazine US. Archived from the original on 4 April 2016. Retrieved 30 July 2010.
  55. Stewart, Joe (13 January 2009). "Spam Botnets to Watch in 2009". Secureworks.com. SecureWorks. Retrieved 9 March 2016.
  56. "Pushdo Botnet — New DDOS attacks on major web sites — Harry Waldron — IT Security". Msmvps.com. 2 February 2010. Archived from the original on 16 August 2010. Retrieved 30 July 2010.
  57. "New Zealand teenager accused of controlling botnet of 1.3 million computers". The H security. 30 November 2007. Retrieved 12 November 2011.
  58. "Technology | Spam on rise after brief reprieve". BBC News. 26 November 2008. Retrieved 24 April 2010.
  59. "Sality: Story of a Peer-to-Peer Viral Network" (PDF). Symantec. 3 August 2011. Archived from the original (PDF) on 24 September 2015. Retrieved 12 January 2012.
  60. "How FBI, police busted massive botnet". theregister.co.uk. Retrieved 3 March 2010.
  61. "New Massive Botnet Twice the Size of Storm — Security/Perimeter". DarkReading. 7 April 2008. Retrieved 30 July 2010.
  62. "Calculating the Size of the Downadup Outbreak — F-Secure Weblog : News from the Lab". F-secure.com. 16 January 2009. Retrieved 24 April 2010.
  63. "Waledac botnet 'decimated' by MS takedown". The Register. 16 March 2010. Retrieved 23 April 2011.
  64. 1 2 3 4 Gregg Keizer (9 April 2008). "Top botnets control 1M hijacked computers". Computerworld. Retrieved 23 April 2011.
  65. "Botnet sics zombie soldiers on gimpy websites". The Register. 14 May 2008. Retrieved 23 April 2011.
  66. "Infosecurity (UK) - BredoLab downed botnet linked with Spamit.com". .canada.com. Archived from the original on 11 May 2011. Retrieved 10 November 2011.
  67. "Research: Small DIY botnets prevalent in enterprise networks". ZDNet. Retrieved 30 July 2010.
  68. Warner, Gary (2 December 2010). "Oleg Nikolaenko, Mega-D Botmaster to Stand Trial". CyberCrime & Doing Time. Retrieved 6 December 2010.
  69. Kirk, Jeremy (16 August 2012). "Spamhaus Declares Grum Botnet Dead, but Festi Surges". PC World .
  70. "Cómo detectar y borrar el rootkit TDL4 (TDSS/Alureon)". kasperskytienda.es. 3 July 2011. Retrieved 11 July 2011.
  71. "America's 10 most wanted botnets". Networkworld.com. 22 July 2009. Retrieved 10 November 2011.
  72. "EU police operation takes down malicious computer network". phys.org.
  73. "Discovered: Botnet Costing Display Advertisers over Six Million Dollars per Month". Spider.io. 19 March 2013. Retrieved 21 March 2013.
  74. "This tiny botnet is launching the most powerful DDoS attacks yet". ZDNet. Retrieved 31 July 2022.
  75. Espiner, Tom (8 March 2011). "Botnet size may be exaggerated, says Enisa | Security Threats | ZDNet UK". Zdnet.com. Retrieved 10 November 2011.