Cyber Crime and Cyber Terrorism

243
 
Botnets how do they work. Network topologies and protocols
So botnets can also be classified on the basis of network protocol used. An old 
botnet scheme was the classic IRC-oriented, that is, on the basis of the Internet Relay. 
Every bot receives a command via an IRC channel from an IRC-Bot. An IRC bot is 
composed of a set of scripts connecting to Internet Relay Chat as a client.
Since then, there have been numerous developments, however, all geared to ob-
fuscate and/or encrypt the communication channel. Most advanced botnets use their 
own protocols based on protocols such as TCP, ICMP or UDP. For example before 
Zeus P2P variant, the expert noted that authors implemented communication through 
UDP protocol.
Historically, the UDP protocol has already been used in the past as a real data 
transmission channel (fake DNS A-queries carrying a payload), but it is the UDP 
protocol, or rather the DNS protocol, that has been heavily used by the bots to 
identify the domain name of their own C&C servers. Botmasters have coded algo-
rithms into their malware, automatically and dynamically generating a high num-
ber of Internet Fully Qualified Domain Names, also known as Domain Generation 
Algorithm (DGA). In this way authors, executing the same algorithms, can hide their 
C&C servers behind different and highly dynamic domain names. Obviously, all do-
mains that are generated by a DGA have a short life span, since they are used only for 
a limited duration, and generate a lot of NXDomain traffic. They also need some col-
laboration from particular type of hosting providers that guarantee the operators that 
they would not respond to abuse complaints nor cooperate with takedown requests. 
These providers are commonly known as “bulletproof hosting” and are widely used 
in the cybercrime ecosystem (however, their services are typically more expensive 
and they might not be 100% reliable).
Of course we must not forget web-based botnets which are a collection of in-
fected machines controlled through World Wide Web. HTTP bots connect to a 
specific web server, receiving commands and sending back data. This type of ar-
chitecture is very easy to deploy and manage and very hard to track if encryption 
(HTTPs) is added.
The Nugache botnet (
Rossow, 2013
), which appeared in early 2006, was one of 
the first to use strong encryption. Commands were signed with a 4096-bit RSA key, 
in order to prevent unauthorized control, and the communications between peers was 
encrypted using session keys which were individually negotiated and derived from a 

Download 5,67 Mb.

Do'stlaringiz bilan baham: