232
CHAPTER 17
Responding to cyber crime and cyber terrorism
are expected to be connected to the Internet by 2020. This paradigm is usually referred to as the “Internet of Things”;
• possibility of malware customization (introduced by the Zeus botnet and its Software Development Kit);
• presence in the underground/black market of cyber criminals who rent out the services and structures that make up the malicious systems.
Botnets can be classified in various ways: by their overall topology, by the command and control channels through which they are updated and directed, by the technology used to develop them, and by the scope of the services they implement.
Emerging trends show that newer architectures are migrating toward completely distributed topologies (P2P networks) instead of centralized structures, toward mobile implementations of malware, and toward the use of TOR networks and social platforms as techniques for hiding C&C servers. The high sophistication and wide spread of botnets has led to the emergence of a new criminal business model that can be summarized as “Cybercrime-as-a-Service” (CaaS). This chapter is an essay on botnets (including two use cases) and the related countermeasures.
A BOTNET ROADMAP
The two pieces of malware that introduced the concept of a victim machine connected to a communication channel and listening for malicious commands, and that thereby began the so-called botnet era, were “Sub7” and “Pretty Park”, a Trojan and a worm, respectively. Both first emerged in 1999, and botnet innovation has been steady since then (Ferguson, 2010).
During 2002, there were a couple of major developments in botnet technology with the release of both SDBot and Agobot. SDBot was a single small binary, written in C++, marketed by its creator, who also made the source code widely available. As a result, many later bots include code or ideas taken from SDBot. Agobot, instead, introduced the concept of a modular attack: the initial stage installed a “back door”, the second tried to disable the antivirus software, and the third blocked access to the websites of security vendors. These two pieces of malware started the huge increase in variants and the expansion of functionality.
Malware authors gradually introduced encryption for ransomware (holding encrypted files hostage), HTTP and SOCKS proxies allowing them to use their victims for onward connections, and FTP servers for storing illegal content.
Steadily, botnets migrated away from the original IRC Command & Control channel (the protocol is easily identified in network traffic, and its TCP ports are seldom opened through firewalls) and began to communicate over HTTP, ICMP and SSL ports, often using custom protocols. They have also continued the adoption and refinement of peer-to-peer communications, as would be demonstrated 5 years later by another famous botnet known as Conficker.
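To make the defender's side of this migration concrete, the following classifier is an added example (written for this text, not code from the chapter or its cited sources). It applies the two checks the paragraph mentions: a perimeter rule that only permits web egress ports, and a match on IRC protocol grammar regardless of port. It then shows why a custom HTTP beacon or a TLS-wrapped session passes both. The flows are constructed samples using documentation addresses, not real captures.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Flow:
    """One outbound TCP flow: source, destination, port and the first payload bytes."""
    src: str
    dst: str
    dst_port: int
    payload: bytes


# IRC registration and channel commands are plain text, one per CRLF-terminated
# line, so the grammar identifies the protocol even on a non-standard port.
IRC_LINE = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PING|PONG)\b", re.MULTILINE)

# Typical perimeter policy: only web ports are allowed outbound.
EGRESS_ALLOWED_PORTS = {80, 443}


def classify(flow: Flow) -> str:
    """Return 'blocked', 'irc-c2' or 'allowed' for a single flow."""
    if flow.dst_port not in EGRESS_ALLOWED_PORTS:
        return "blocked"        # dropped by the firewall before any inspection
    if IRC_LINE.search(flow.payload):
        return "irc-c2"         # IRC grammar tunnelled over a web port: flag it
    return "allowed"            # looks like web traffic (or is encrypted)


def summarize(flows: list[Flow]) -> dict[str, int]:
    """Count flows per verdict; useful as a quick triage view over a capture."""
    return dict(Counter(classify(f) for f in flows))


# Constructed sample flows (RFC 5737 documentation addresses, no real hosts).
SAMPLE_FLOWS = [
    # classic IRC bot on the default port: never leaves the perimeter
    Flow("10.0.0.5", "198.51.100.7", 6667, b"NICK bot1\r\nUSER bot1 0 * :bot\r\n"),
    # same IRC grammar moved to port 80: passes the firewall, caught by inspection
    Flow("10.0.0.5", "198.51.100.7", 80, b"NICK bot1\r\nJOIN #control\r\n"),
    # custom HTTP check-in: indistinguishable from web browsing by these two checks
    Flow("10.0.0.5", "198.51.100.9", 80, b"GET /gate.php?id=bot1 HTTP/1.1\r\nHost: x\r\n"),
    # TLS ClientHello on 443: payload is opaque, grammar matching is impossible
    Flow("10.0.0.5", "198.51.100.9", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.dst}:{f.dst_port} -> {classify(f)}")
    print(summarize(SAMPLE_FLOWS))
```

The two flows that pass illustrate the text's point: once C&C moves to web ports and custom or encrypted protocols, port filtering and signature matching on protocol grammar no longer suffice, and defenders must rely on behavioural indicators such as beaconing regularity or destination reputation.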