Botnets: Plain Evil threat for 2010
Introduction to Botnets:
"Botnet" is a jargon term for a collection of software robots, or bots, that
run autonomously and automatically. The term is usually associated with
malicious software.
A botnet typically runs hidden and uses a covert channel. Generally, the
originator/perpetrator of the botnet has compromised a series of systems
using various tools such as exploits and buffer overflows, as well as encrypted
DHT packets sent through ports 80 and 443 and originated by file-sharing
protocols. Newer botnets can automatically scan their environment and propagate
themselves using vulnerabilities and encryption, in addition to DHT-routed
packets through ports 80 and 443, to evade current security systems such as
firewalls, intrusion detection and prevention systems, and web security
systems. Generally, the more vulnerabilities a botnet can scan for and propagate
through, the more valuable it becomes to the botnet originator/controller
community. The theft of computing resources that results from a system being
joined to a "botnet" is referred to as "scrumping."
The most common and reliable way of compromising a series of systems with a
botnet is to use encrypted DHT-routed packets through ports 80 and 443,
originated by file-sharing protocols or by circumventing a proxy.
Is it possible to detect today's peer-to-peer (P2P) botnets?
P2P botnets are just plain evil. Historically, botnets used centralized
architectures for command and control. However, the centralized architecture
causes a problem for the bad guys: it creates a single point of failure. If
diligent investigators shut down the centralized (IRC) channel, or even
remove the server(s) associated with that channel, the botnet becomes
headless. An attacker might have spent a lot of time and effort setting up a
botnet of 500,000 machines, possibly earning thousands of dollars per day from
the malware being propagated, and a single takedown of that channel wipes out
the whole investment.
To remedy this situation, attackers are turning to peer-to-peer (P2P)
communication. In such an approach, an active bot on a machine can scan
for nearby machines that carry the same bot, one controlled by the same
attacker. The bot can then join a cloud of encrypted P2P communications. The
bots find each other nearby, making the collective unit self-aware, multiply
connected and self-healing: if a given bot notices that its communicating
peers have disappeared, it looks for more.
So with P2P there is no single point of failure. The attacker can inject
commands into any part of the botnet cloud, using cryptographic algorithms to
authenticate them. The bots then dutifully distribute the commands among
themselves as the message cascades through the P2P botnet. P2P botnets are
persistent and difficult to remove in their entirety.
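One defender-side way to look for the P2P behaviour just described is to profile each internal host's port 80/443 traffic from flow records (NetFlow or Zeek conn.log style). The Python below is an added example, not code from the original article or from any product it mentions; the flow records, host addresses and every threshold are constructed assumptions that would need baselining on a real network. The idea it demonstrates: a bot sitting in an encrypted P2P overlay talks to many distinct peers in small, roughly symmetric exchanges, and its peer set rotates as peers vanish and are replaced (the self-healing behaviour), whereas an ordinary browser talks to a few sites and mostly downloads.

```python
"""Profile per-host 80/443 flows and flag peer-to-peer-style behaviour.
Added example with constructed flow records; thresholds are assumptions."""
import random
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    ts: float       # flow start, seconds since epoch
    src: str        # internal host that opened the connection
    dst: str        # external peer it connected to
    dport: int      # destination port
    bytes_out: int  # bytes sent by src
    bytes_in: int   # bytes received by src


def p2p_profile(flows, host, window_start, window=3600):
    """Summarise one host's port 80/443 flows inside a time window.

    Returns None when the host has no such flows, otherwise a dict with:
      peers         distinct external addresses contacted
      median_bytes  median total bytes per flow (P2P chatter is small)
      symmetry      min/max of total bytes out vs in (1.0 = fully symmetric)
      churn         share of second-half peers not seen in the first half
    """
    hf = [f for f in flows
          if f.src == host and f.dport in (80, 443)
          and window_start <= f.ts < window_start + window]
    if not hf:
        return None
    mid = window_start + window / 2
    early = {f.dst for f in hf if f.ts < mid}
    late = {f.dst for f in hf if f.ts >= mid}
    churn = len(late - early) / len(late) if late else 0.0
    out = sum(f.bytes_out for f in hf)
    inc = sum(f.bytes_in for f in hf)
    return {
        "peers": len({f.dst for f in hf}),
        "median_bytes": median(f.bytes_out + f.bytes_in for f in hf),
        "symmetry": min(out, inc) / max(out, inc, 1),
        "churn": churn,
    }


def looks_like_p2p(profile, min_peers=25, max_median_bytes=4000,
                   min_symmetry=0.5, min_churn=0.5):
    """Heuristic verdict; every threshold is an assumption to tune per network."""
    if profile is None:
        return False
    return (profile["peers"] >= min_peers
            and profile["median_bytes"] <= max_median_bytes
            and profile["symmetry"] >= min_symmetry
            and profile["churn"] >= min_churn)


def flagged_hosts(flows, window_start, window=3600):
    """Sorted list of internal hosts whose profile looks P2P-like."""
    hosts = {f.src for f in flows}
    return sorted(h for h in hosts
                  if looks_like_p2p(p2p_profile(flows, h, window_start, window)))


def build_sample_flows(seed=7):
    """Constructed sample: one ordinary web client and one P2P-style bot."""
    rng = random.Random(seed)
    t0 = 1_700_000_000.0
    flows = []
    # 10.0.0.5 browses eight sites: small requests, large asymmetric downloads.
    sites = [f"203.0.113.{i}" for i in range(1, 9)]
    for k in range(80):
        flows.append(Flow(t0 + k * 40, "10.0.0.5", sites[k % 8], 443,
                          rng.randint(300, 900), rng.randint(20_000, 90_000)))
    # 10.0.0.9 chats with 30 peers, then (peers gone) with 30 new ones: small,
    # symmetric exchanges on 80/443, the overlay behaviour described above.
    peers_a = [f"198.51.100.{i}" for i in range(1, 31)]
    peers_b = [f"192.0.2.{i}" for i in range(1, 31)]
    for k in range(120):
        pool = peers_a if k < 60 else peers_b
        flows.append(Flow(t0 + k * 30, "10.0.0.9", pool[k % 30], (80, 443)[k % 2],
                          rng.randint(400, 800), rng.randint(400, 800)))
    return flows, t0


if __name__ == "__main__":
    sample, start = build_sample_flows()
    for host in ("10.0.0.5", "10.0.0.9"):
        print(host, p2p_profile(sample, host, start))
    print("flagged:", flagged_hosts(sample, start))
```

The profile deliberately ignores payload, since the overlay traffic is encrypted; it keys on fan-out, flow size, direction symmetry and peer churn, which survive encryption. Expect false positives from legitimate peer-to-peer software, video conferencing and CDN-heavy clients, so treat a hit as a lead for host triage, not a verdict.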
Botnets and their Damaging Applications
1. Sniffing & Keylogging (information breach): Bots are used effectively
to enhance sniffing. Observing traffic data can yield an incredible amount of
information, including user habits and TCP packet payloads, which may contain
interesting data such as passwords. The same applies to keylogging, which
captures everything typed in by the user: board minutes, industrial secrets,
e-mails, passwords, business banking data, PayPal account details, etc.
2. Identity Theft: The above-mentioned methods allow an attacker controlling a
botnet to collect an incredible amount of business and personal information.
Such data can then be used to build fake identities, which can in turn be
used to gain access to business and personal accounts or to perform operations
such as stealing money from business and payroll accounts.
3. Hosting of Illegal Software and Websites: Botnet-compromised computers can
be used as a dynamic repository of illegal material (such as child
pornography). The data is stored on the disks of an unaware company (servers)
or individual user. In a recent case the server of a Fortune 500 company was
used as a child pornography server without the company's knowledge.
4. Distributed Denial of Service attacks (DDoS): Botnets are frequently
used for Distributed Denial of Service attacks. An attacker can control a
large number of compromised hosts from a remote workstation, exploiting
their bandwidth and sending connection requests to the target host. Many
networks have suffered such attacks, and in some cases the culprits were
found among the competition (as in the case of the dotcom wars). A DDoS attack
is a variation of a flooding DoS attack; its aim is to saturate a target
network by using all the available bandwidth. Since an attacker would need a
huge total bandwidth to saturate the targeted site, clearly the best way to
launch this type of attack is to have many different hosts under control. Each
host contributes bandwidth (e.g. home ADSL users), and they are used all at
once, thus distributing the attack on the target site. One of the most popular
attacks performed over TCP is called TCP SYN flooding. It works by sending a
large number of TCP connection requests to the same web server (or to any
other type of service), overloading the server's resources and leading to its
saturation, which prevents other users from opening their own connections.
Attackers can achieve the same effect using UDP.
5. Spamming: Botnets are an ideal medium for spammers. They could be
used, and are used, both for exchanging collected e-mail addresses and for
controlling spam campaigns in the same way DDoS attacks are performed. A single
spam message can be sent to the botnet and then distributed across the bots,
which send the spam. The spammer stays anonymous and all the blame goes to the
infected computers.
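The SYN flood mechanism described in item 4 can be recognised from the server side by watching how many handshakes actually complete. The Python below is an added example, not code from the article or from any product it mentions; the packet records, addresses and thresholds are constructed assumptions. It follows each (client, client port) pair through SYN, SYN-ACK and the final ACK: a flood shows up as a high SYN rate with very few completions, because spoofed or silent sources never answer the server's SYN-ACK and leave the connection half-open.

```python
"""Spot a TCP SYN flood from packet records by tracking handshake completion.
Added example with constructed packets; thresholds are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


def handshake_stats(pkts, server, service_port, window_start, window=10.0):
    """Follow each (client, client port) through SYN -> SYN-ACK -> ACK.

    Returns counts for the window: SYNs seen, handshakes completed, half-open
    connections left behind, distinct sources, SYN rate and completion ratio.
    """
    state = {}   # (client, client_port) -> "syn" | "synack" | "done"
    for p in sorted(pkts, key=lambda p: p.ts):
        if not (window_start <= p.ts < window_start + window):
            continue
        if p.dst == server and p.dport == service_port and p.flags == "S":
            state.setdefault((p.src, p.sport), "syn")
        elif p.src == server and p.sport == service_port and p.flags == "SA":
            key = (p.dst, p.dport)
            if state.get(key) == "syn":
                state[key] = "synack"
        elif p.dst == server and p.dport == service_port and p.flags == "A":
            key = (p.src, p.sport)
            if state.get(key) == "synack":
                state[key] = "done"
    syn_count = len(state)
    completed = sum(1 for s in state.values() if s == "done")
    return {
        "syn_count": syn_count,
        "completed": completed,
        "half_open": syn_count - completed,
        "distinct_sources": len({client for client, _ in state}),
        "syn_rate": syn_count / window,
        "completion_ratio": completed / syn_count if syn_count else 1.0,
    }


def is_syn_flood(stats, min_syn_rate=50.0, max_completion=0.2):
    """Assumed thresholds: baseline the service's normal SYN rate first."""
    return (stats["syn_rate"] >= min_syn_rate
            and stats["completion_ratio"] <= max_completion)


SERVER, SERVICE_PORT = "192.0.2.10", 443


def build_sample_packets():
    """Constructed traffic: 20 real clients plus 500 spoofed SYNs in 10 seconds."""
    t0 = 1_700_000_000.0
    legit, flood = [], []
    for i in range(20):                      # full three-way handshakes
        c, cp, t = f"10.0.0.{i + 1}", 40000 + i, t0 + i * 0.4
        legit += [Pkt(t, c, cp, SERVER, SERVICE_PORT, "S"),
                  Pkt(t + 0.01, SERVER, SERVICE_PORT, c, cp, "SA"),
                  Pkt(t + 0.02, c, cp, SERVER, SERVICE_PORT, "A")]
    for i in range(500):                     # SYN-ACKs that are never answered
        c, cp, t = f"203.0.113.{i % 254 + 1}", 50000 + i, t0 + i * 0.018
        flood += [Pkt(t, c, cp, SERVER, SERVICE_PORT, "S"),
                  Pkt(t + 0.01, SERVER, SERVICE_PORT, c, cp, "SA")]
    return legit, flood, t0


if __name__ == "__main__":
    legit, flood, t0 = build_sample_packets()
    for label, pkts in (("normal", legit), ("under attack", legit + flood)):
        s = handshake_stats(pkts, SERVER, SERVICE_PORT, t0)
        print(label, s, "flood" if is_syn_flood(s) else "ok")
```

The half-open count is the tell: SYN cookies (Linux sysctl net.ipv4.tcp_syncookies) let a server stop allocating state for unanswered SYN-ACKs, which is the standard mitigation for this specific flood. A bot-driven flood that completes handshakes and then hammers the application layer passes this check unchanged, so request-rate monitoring is still needed alongside it.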
Can you assure your organization that your systems and networks do not have
botnets?
Are you willing to take the enormous risk associated with not acting?
How can you avoid guessing and eliminate botnet impact on your network?
This is how a botnet reached your system:
• The bot was downloaded to your system via an encrypted file-sharing DHT
protocol over ports 80 and 443. With all the security you have, this is the
only way a botnet could have reached your systems.
• When the bot was downloaded, it always sends its location to the
botnet originator for future communications. It does that using the same
encrypted file-sharing DHT protocol over ports 80 and 443. A bot download may
or may not include an embedded activation date.
• The bot's location is then converted by the botnet originator into many
encrypted DHT (distributed hash table) routing keys, which define a variable
overlay routing layer to the bot's location. Botnet originators do this so
that they can communicate with the bot at will in the future and go around
your security if the original route is blocked.
This is how you can eliminate botnet impact:
• If a bot is dormant without an embedded activation date, it will wait for
activation from the originator. The activation will always use encrypted
file-sharing protocols with DHT routing to reach the remote bot. Your current
security devices CANNOT stop this encrypted DHT incoming packet. SafeMedia's
Clouseau can. Therefore, the activation will not take place.
• If a bot was originally downloaded with an embedded activation date, it
will always use encrypted file-sharing protocols with an overlay routing hash
through ports 80 and 443 to transfer data when it is activated. Your current
security devices CANNOT stop this encrypted DHT outgoing packet through ports
80 and 443. SafeMedia's Clouseau can. Therefore, the activation will not take
place.
I know that many users may ignore or refute these facts; however, what if they
are correct???
YOU ARE RESPONSIBLE, and you have the responsibility to protect the
organization. You have no other way of stopping the activation of a bot, or
even of finding where it is in your system. The only effective way is to
disable the botnet's activation capabilities.