All You Need To Know About Botnets

Check out the what and why of botnets.

By K J Latesh, IT Security Professional and Research Scholar.

Botnets are the latest and an exceptional security threat, causing major concern among IT managers. The term bot is short for “robot.” A bot is a malicious program (also known as malware) that can turn your computer into a bot (also known as a zombie). When this happens, the computer will carry out automated tasks over the Internet without the user knowing it.

What and Why of Botnets

Botnets are groups of computers connected to the Internet that have been taken over by a hacker. The hacker controls all the computers and they behave like a “robot network” (a.k.a. “botnet”). Botnets contain anywhere from hundreds to thousands of computers. The botmaster (the hacker who controls the botnet) then uses these computers to send spam email, spread viruses, attack other networks or carry out any other variety of malicious activity. Bot types are commonly classified as IRC bots, localised bots, P2P bots, HTTP bots and SpyEye.

A botnet operator sends out viruses or worms, infecting ordinary users’ computers, whose payload is a malicious application: the bot. The bot on the infected PC logs into a particular C&C (command and control) server. A spammer purchases the services of the botnet from the operator. The spammer provides the spam messages to the operator, who instructs the compromised machines via the control panel on the web server, causing them to send out spam messages. Botnets are exploited for various purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam (see Spambot), click fraud, mining bitcoins, spamdexing, and the theft of application serial numbers, login IDs, and financial information such as credit card numbers. The botnet controller community features a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the most “high-quality” infected machines, like university, corporate, and even government machines.

How do Botnets Occur?

In distributed denial-of-service attacks, multiple systems submit as many requests as possible to a single Internet computer or service, overloading it and preventing it from servicing legitimate requests. Adware advertises a commercial offering actively and without the user’s permission or awareness, for example, by replacing banner ads on web pages with those of another advertiser. Spyware is software which sends information to its creators about a user’s activities, typically passwords, credit card numbers and other information that can be sold on the black market.

Compromised machines that are located within a corporate network can be worth more to the bot herder, as they can often gain access to confidential corporate information. Several targeted attacks on large corporations aimed to steal sensitive information, such as the Aurora botnet. Click fraud occurs when the user’s computer visits websites without the user’s awareness to create false web traffic for personal or commercial gain. Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.
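The fast flux technique described above leaves a measurable trace in DNS: the same name keeps resolving to different hosts, spread across unrelated networks, with very short TTLs. The following detection heuristic is an added example (not code from the article); it runs over a constructed resolver log in a made-up key=value format and flags names whose resolutions churn like a flux network, while leaving a stable name alone.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed DNS-resolver log: one resolution per line, key=value fields.
# The phish domain rotates proxies with short TTLs; the bank domain is stable.
SAMPLE_LOG = """\
t=0 q=shop.example-phish.test ttl=120 a=198.51.100.7,203.0.113.22,192.0.2.45
t=180 q=shop.example-phish.test ttl=120 a=203.0.113.90,198.51.100.133,192.0.2.210
t=360 q=shop.example-phish.test ttl=60 a=192.0.2.9,198.51.100.250,203.0.113.4
t=0 q=www.example-bank.test ttl=3600 a=192.0.2.10,192.0.2.11
t=180 q=www.example-bank.test ttl=3600 a=192.0.2.10,192.0.2.11
t=360 q=www.example-bank.test ttl=3600 a=192.0.2.10,192.0.2.11
"""

def parse_log(text):
    """Yield (qname, ttl, [ips]) from the constructed key=value format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(field.split("=", 1) for field in line.split())
        yield kv["q"], int(kv["ttl"]), kv["a"].split(",")

def summarise(records):
    """Per domain: lowest TTL seen, distinct IPs, distinct /16 networks, lookup count."""
    stats = defaultdict(lambda: {"min_ttl": None, "ips": set(), "nets": set(), "lookups": 0})
    for qname, ttl, ips in records:
        s = stats[qname]
        s["lookups"] += 1
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        for ip in ips:
            s["ips"].add(ip)
            # Proxies scattered across many unrelated networks is the flux signature
            s["nets"].add(ip_network(f"{ip}/16", strict=False))
    return stats

def flux_score(s, max_ttl=300, min_ips=5, min_nets=3):
    """0..3: short TTL alone is weak evidence (CDNs use it too); IP churn plus
    network spread across repeated lookups separates flux from load balancing."""
    score = 0
    score += s["min_ttl"] <= max_ttl
    score += len(s["ips"]) >= min_ips
    score += len(s["nets"]) >= min_nets
    return int(score)

def fast_flux_domains(log_text, threshold=2):
    """Return domains whose score reaches the threshold, for analyst review."""
    stats = summarise(parse_log(log_text))
    return sorted(q for q, s in stats.items() if flux_score(s) >= threshold)

if __name__ == "__main__":
    for q, s in summarise(parse_log(SAMPLE_LOG)).items():
        print(q, flux_score(s), len(s["ips"]), len(s["nets"]), s["min_ttl"])
    print(fast_flux_domains(SAMPLE_LOG))
```

Thresholds are starting points to tune against your own resolver data; a hit is a lead for review, not proof of compromise.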

Android BOTs:

Security firm Kaspersky Lab has found that a Trojan spread on Android OS is being controlled by criminal groups. Kaspersky Lab said that Obad.a, malware which infects Android-powered devices, was being distributed by botnets that exploited user behaviour, infecting the device so that it becomes part of the network.

The firm has revealed that, of the total, 83 per cent of attempted infections were recorded in Russia, indicating that the infections are likely to be limited to Eastern European countries for the time being. According to News24, the firm explained that versions of Obad.a spread together with Trojan-SMS.AndroidOS.Opfake.a by sending malicious messages to users urging them to download it; if the link is clicked, the file containing the malware is automatically downloaded onto the smartphone or tablet.

The malware then sends messages to all the user’s contacts urging them to repeat the process. The firm said that the code was spreading especially to devices running older versions of Android. The report said that Kaspersky has informed Google and the vulnerability has been closed for versions of Android 4.3, but antivirus expert at the firm, Roman Unuchek said that only a small percentage of devices had the latest version of the OS. The potential exists for attacks like these to target Internet banking services that send mobile transaction authentication numbers via SMS.

Many banks send authentication codes to your phone via SMS each time you do an online transaction. This means that just stealing a login password is no longer enough for criminals to raid your account, but malware on your phone, such as the Zeus-based Andr/Zitmo (and similar versions targeting BlackBerry), is capable of intercepting those SMS messages. Through the use of a malicious Android app that harvests SMS messages in real time, in concert with a social engineering attack, attackers open a brief window of opportunity to steal this token and use it before you can stop them.

Challenge for CISOs

The key challenge for IT managers and infrastructure managers is to identify these bots across their network and defuse them, since these bots are not like EXE or COM programs which reside on disk or somewhere in the MBR, where they can be cleaned using endpoint protection. More than 95 per cent of all spam is tied to data/identity theft and to distributing other malware, spyware and adware.

Is there any Protection against Botnets?

The geographic dispersal of botnets means that each recruit must be individually identified, corralled and repaired, which limits the benefits of filtering. Some botnets use free DNS hosting services such as DynDns.org, No-IP.com, and Afraid.org to point a subdomain towards an IRC server that harbors the bots. Some botnets implement custom versions of well-known protocols.

Vendors’ Take?

Security companies such as Afferent Security Labs, Symantec, McAfee, Trend Micro, FireEye, Umbra Data and Damballa have announced offerings to counter botnets. Some newer botnets are almost entirely P2P, with command-and-control embedded into the botnet rather than relying on C&C servers, thus avoiding any single point of failure and evading many countermeasures.

Commanders can be identified only through secure keys, and all data except the binary itself can be encrypted. For example, a spyware program may encrypt all suspected passwords with a public key hard-coded into or distributed with the bot software. Only with the private key (which is known only to the commander) can the data captured by the bot be read.

One major protection method for every organisation’s IT infrastructure is to deploy layered protection measures such as application security, system security, LAN security, endpoint security, Android security apps and UTM (firewall).
