Botnet Tracker

1 02 2009

Botnet Tracker is my final year project, which is now progressing into the third month of the project plan. In this post I would like to give an introduction to botnets, and the background and motivation for Botnet Tracker.

Today there are a number of security threats that compromise the security of thousands of computers connected to the internet. One such major threat is botnets. A botnet is a collection of internet-connected computers that are infected, without the knowledge of their owners, by a software robot called a “bot”, and that perform malicious tasks according to commands issued by a controlling person referred to as the “botnet master” or “botmaster”. Botmasters normally use Command and Control (C&C) channels to communicate with the bots. One popular C&C infrastructure used by the majority of botnets is IRC.

Once a bot gets into a computer it patches the security vulnerabilities of the machine so that another bot cannot enter it, which also makes the computer appear to be perfectly secure. Using the C&C channel the botmaster can issue commands to the bots in the botnet to perform various malicious tasks such as sending floods of spam, launching DDoS attacks, etc. More dangerously, the botmaster can obtain sensitive information belonging to the computer owner, such as passwords, credit card details, etc.

Some researchers have found botnets with more than a hundred thousand zombie machines. Hence, botnets have become a major threat on the internet today, and unfortunately most ordinary computer users are not aware of bots. Conventional virus guards and IDSs are not very effective at detecting botnets. Research is ongoing into means of detecting bots and botnets. On the other hand, more intelligent bots are being developed, and they are also using other C&C mechanisms such as HTTP and P2P. In Botnet Tracker I’m looking into means of detecting botnets by analysing the network traffic anomalies generated by botnet C&C communication and by various bot operations.

2 responses

2 03 2009
yoshan

As mentioned earlier, Botnet Tracker employs methods of tracking botnets by detecting C&C traffic anomalies and traffic anomalies generated by various bot operations as well. In the first phase of the project I’m planning to proceed with detecting C&C traffic anomalies. One such anomaly created by bots is that they respond to the commands of the botmaster immediately. In a regular IRC chat there is a human delay in replying to incoming messages. But bots, being pieces of software, respond immediately to requests, making it possible to get some means of separating botnet traffic from normal IRC traffic.

Another method for identifying bots is by evaluating their IRC nicknames. In an IRC channel each user should have a unique nickname to identify themselves. Therefore, IRC users will put a human-readable unique nickname. But in a botnet there are a number of bots in a channel, each requiring a unique name. Therefore, the unique nickname is created by appending a random sequence of digits or characters to a fixed word (e.g. rBot_@3645). This requires checking the headers of the IRC packets and collecting the channel names and nicknames to evaluate whether there are naming anomalies. So, the next step of the project would be to build a prototype that employs the above two mechanisms to detect botnet C&C communications.
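
The two C&C heuristics described in this comment, reply latency and generated-looking nicknames, as an added Python example that is not part of Botnet Tracker's own code: it runs over a constructed IRC channel log (the timestamps, nicks and texts are made up), and the 0.5 s human-reply threshold and the minimum group size of 3 are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample of one IRC channel's traffic (not captured data): (seconds, nick, text).
# Three bots acknowledge a command within tens of milliseconds; two humans take seconds.
SAMPLE_MESSAGES = [
    (0.00, "master", ".scan 10.0.0.0/8"),
    (0.04, "rBot_@3645", "scan started"),
    (0.06, "rBot_@9102", "scan started"),
    (0.09, "rBot_@0077", "scan started"),
    (4.70, "alice", "anyone awake?"),
    (9.30, "bob", "yep, just got here"),
    (12.8, "alice", "cool"),
]

def reply_delays(messages):
    """Seconds between each message and the preceding message from a different nick."""
    delays = defaultdict(list)
    for (prev_t, prev_nick, _), (t, nick, _) in zip(messages, messages[1:]):
        if nick != prev_nick:
            delays[nick].append(t - prev_t)
    return delays

def fast_responders(messages, threshold=0.5):
    """Nicks whose median reply delay is below a human reaction time (threshold is assumed)."""
    return {nick: statistics.median(d) for nick, d in reply_delays(messages).items()
            if statistics.median(d) < threshold}

def split_nick(nick):
    """Split 'rBot_@3645' into the fixed word ('rbot') and the appended tail ('3645')."""
    prefix = re.match(r"[A-Za-z]*", nick).group(0)
    return prefix.lower(), nick[len(prefix):].lstrip("_-@|")

def generated_nick_groups(nicks, min_group=3):
    """Nicks sharing a fixed word plus a digit-bearing tail; a lone 'bob42' never forms a group."""
    groups = defaultdict(set)
    for nick in nicks:
        prefix, tail = split_nick(nick)
        if prefix and len(tail) >= 3 and sum(c.isdigit() for c in tail) >= 2:
            groups[prefix].add(nick)
    return {p: sorted(n) for p, n in groups.items() if len(n) >= min_group}

def suspected_bots(messages, threshold=0.5, min_group=3):
    """Nicks flagged by both heuristics, which keeps either one's false positives down."""
    fast = fast_responders(messages, threshold)
    groups = generated_nick_groups({m[1] for m in messages}, min_group)
    grouped = {n for ns in groups.values() for n in ns}
    return sorted(fast.keys() & grouped)
```

On the sample the three rBot_ nicks are flagged by both signals, while alice and bob fail the latency test and master, having no reply, is never scored.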

31 03 2009
yoshan

Botnet Tracker is in its implementation phase 1 at the moment. In the first phase the Sniffer, Filter and Protocol Classifier modules are scheduled to be implemented. The Sniffer module is almost completed by now and I’m working on the Filter module.
