International Journal of Advanced Engineering Research and Science (IJAERS)
Vol-3, Issue-3 , March- 2016]
ISSN: 2349-6495
A survey on Malware, Botnets and their
detection
Harvinder Singh, Anchit Bijalwan
Department of CSE, Uttaranchal University, Dehradun, Uttarakhand, India
Abstract— The use of Internet and its related services is
increasing day by day. Many million people everyday surf
net and use it for various reasons. With so much use of
internet, the threats related to security are the major
concern of today. There are many security concerns or
threats faced by the net surfers and that is because of
malwares which have many forms such as viruses, worms,
trojans horses, rootkits, botnets and various other forms
of data attacks. Among all the threats mentioned above,
botnet seems to be quite prevalent now days. It has
already spread its roots in Wide Area Network (WAN)
such as Internet and continuously spreading at very high
pace. Botnet is a network of computers where the
computers are infected by installing in them a harmful
program. Each computer as a part of Botnet is called a
bot or zombie. A Botnet is remotely controlled by a
person who commands and controls the bots through a
server called command and control sever(C&C). Such
person who commands the bots is called a botmaster or
bot herder. This paper is written to serve the objective to
perform an extensive study of core problem that is the
study and detection of Botnets.This paper focuses on the
study of malwares where special emphasis is put on
botnets and their detection.
Keywords— Botnets, HTTP, IRC, Malware, P2P, Spam.
I.
INTRODUCTION
Over the past few years the internet malwares attacks
have grown to an extent that it appears next to impossible
to get rid of them. The word malware is derived from
malicious software. It is a type of file that contains
harmful malcode. Malcode is a malicious code . The
malicious codes are distributed to different computers
through internet by the use of untrusted websites at an
alarming rate. As soon as a malware enters into one’s
computer system, it starts performing the malware
activity and corrupt the entire system. All this activity
takes place without the knowledge of the owner of the
computer.
Some of the malwares are easily detected and defended
through antivirus scanners. But, now a days , the packers
pack the malware in such a way that it plays hide and
seek with antivirus scanners and malware wins the game.
www.ijaers.com
So, it has become a tough task for the antivirus softwares
to detect the malwares [2].
Some forms of malwares are viruses, worms, tojans,
rootkits, spywares, keyloggers etc. Now a days, botnet is
adopted as a medium to launch the malware attacks.
This paper is a study based on malwares and botnets. The
paper is organized in the following manner:
Section II explains the different forms of malwares.
Section III explains the botnet, its historical overview and
botnet phenomenon. Section III explains about different
types of botnets or botnet categories. Section IV explains
about finding the presence of botnet or detecting the
botnets. Section V gives brief conclusion about the paper.
II. BACKGROUND STUDIES
Malware means malicious software, a software with some
malicious intent. It enters into the computers without the
owner’s knowledge. There are different forms of
malwares that appear as threat for the internet users.
2.1 Different forms of Malwares
The different forms of malwares that appear as threat for
internet users are as follows :
a) Virus : Virus is a type of malware that enters into a
computer system without knowledge of the
computer user and attaches it to some executable
file. It is capable of duplicating itself and can cause
harm to other computers also. Its symptoms are ,
low system performance, data corruption etc.
According to Dr Cohen “A virus is a program that
can infect other programs by modifying them to
include a possibly evolved version of itself.” A virus
is by definition a computer program that spreads or
duplicates by copying itself. The viruses have
tendency to cause infection by performing
modification in other programs by including their
copies and then further infecting other programs[1] .
b) Worm: A Worm is a standalone malicious software
that can operate independently and don’t hook itself
to propagate. The worms breach the weak security
system of computer or network and spread
themselves through the storage devices , e-mails etc.
The symptoms of worms may be low performance
of network, consumption of large amount of
memory [2].
Page | 85
International Journal of Advanced Engineering Research and Science (IJAERS)
A computer worm may be considered similar to
computer virus in many ways except it is a self
contained program. The fundamental purpose of a
worm is to gain access to another computer system
so that it can replicate itself on the new machine and
reproduce further [3].
c) Trojan: It is a form of malware which appears to be
a useful software. It may enter into computers as a
part of downloading file from the internet. Trojan
horse keeps track of user activity, steals passwords,
login details, deletion of files etc.
A Trojan horse is an executable file in the Winows
Operating System. These executable files have
certain peculiar characteristics. Multiple Windows
system process will be called whenever a Trojan
horse tries to execute any operation on the
system[4].
d) Rootkit: It is a kind of malware disguised as a useful
program. Its actual identity is concealed from the
virus removal programs. It gets installed through
Trojan and is involved in password stealing,
recording keystrokes on keyboards. Rootkits hide
the malicious program from the system’s process list
and try to avoid detection by antivirus program [5].
e) Spyware: A spyware is a form of malware that keeps
track of user’s activity without his consent and sends
back the sensitive data to its creator. It may enter
into a computer system as a part of freeware
installation. It is a class of malicious code that is
surreptitiously installed on victim’s machine. Once
active, it silently monitors the behavior of users,
records their web surfing habits and steals their
password [6].
f) Keyloggers: It is another form of malware which is a
type of spyware. It secretly records the keystrokes as
tapped by the user. It reads cookies and gathers the
personal information. Keyloggers steal the
usernames and passwords, credit card numbers,
online banking details etc.
The keyloggers can be installed by gaining physical
access to the computer or by downloaded programs.
Their small footprint in terms of memory and
processor utilization makes them practically
untraceable. Keyloggers can email the file
containing keystrokes back to a spying person [7].
g) Botnet: A network of compromised hosts that are
remotely controlled by a master is called a botnet
[8]. Botnet is a collection of infected computers that
receive instructions from the botmaster, who is a
corrupt hacker and uses the botnet for causing
destruction or getting financial gains. Any computer
can be compromised and taken as part of botnet if it
has a weak security system.
www.ijaers.com
Vol-3, Issue-3 , March- 2016]
ISSN: 2349-6495
2.2 Botnets
Botnets are emerging as the most serious threats against
cyber security. A botnet is a group of infected end hosts
under the command of a botmaster [9].
Botnet stands for Robot Network. It is a network of
compromised machines that are infected with malicious
programs that can be remotely controlled by an attacker
through a command and control (C&C) architecture on
IRC(Internet Relay Chat) channel or peer to peer network.
Botnets most often consist of thousands of compromised
machines which enable the attacker to cause a serious
damage. Some terms related to Botnet are :
1. Bot: Bot is a malicious software program that can
be installed on victim machine without the
knowledge of owner. It is a self propagating
application.
2. Command and Control (C&C): It is the channel
used to manage a botnet. It may be thought of as a
private infrastructure which can be used for
malicious purpose. Bots are updated and directed
through C&C.
3. Botmaster: Botmaster or botherder is the person or
hacker behind the botnet. The group of
compromised computers are controlled by one or
group of attacker known as Botmaster [10].
He commands and controls the botnet for causing
damage to the data and for financial gains.
Botnets are used for all DDOS(Distributed Denial Of
Service) attacks, Spam, click fraud, information theft,
phising attack, and distribution of other malware.
2.3 Historical overview
A botnet is a network of infected machines also called
bots, which aims to distribute the malicious code over the
internet without user intervention. The purpose of entire
botnet is to increase the bot army for intentional
destructive tasks. The difference between botnet and
other types of network attacks is the existence of
Command and Control(C&C) [12]. A botnet causes a
number of serious offences on the internet; as it allows
intruders to hijack several computers simultaneously
(Paxton, Ahn et al 2011) [13].
The concept of botnet was evolved in 1993 by
introducing the first botnet by the name Eggdrop(X wang
2003). Then , GTBOT and NetBus in 1998, SdBot and
AgoBot in 2002, SpyBot and Sinit in 2003, Bobax and
Bagle in 2004, Rustock in 2006, Cutwail and Srizbi in
2007, (conficker, mariposa, sality, Asprox, waledac,
krakren) in 2008, (Maazben, Grum, Festi, Wopla, Zeus)
in 2009, (Kelihos, TDL4, lowsec, Gheg) in 2010,
Flashback in 2011, Chameleon in 2012, Boatnet in 2013
and many more botnets appeared quickly.
The sizes of botnets are varying from 10000 bots to
30,000,000 bots [12].
Page | 86
International Journal of Advanced Engineering Research and Science (IJAERS)
1.4 Life cycle of Botnet
The life cycle of a botnet is planned and well organized.
The life cycle of a botnet from its inception to
propagation is divided into series of steps that are as
follows :1. The botmaster configures starting bot binaries.
2. The botmaster registers DNS space.
3. The static IP Address is being registered.
4. The botmaster starts victimizing or compromising
the machines by different means.
5. The propagation of bots take place.
6. The bots start becoming the part of botnet using
C&C server.
7. Bots are used for malicious activity.
8. Bots are continuously upgraded and updated by
the botmaster by running specialized programs.
A typical advanced botnet is formed in five stages : Initial
infection, secondary infection, connection, malicious
C&C and finally update and maintenance [14].
In initial infection, the weakness or vulnerabilities of
victim machines are exploited and machine gets infected.
In secondary infection , the malcode or shellcode is
executed on the victim machine which fetches the image
of bot binary to get installed on the machine. In
connection, the bot binary establishes command and
control channel. Im malicious C&C stage, the C&C
channel is used by the botmaster to send the commands
and directions to bots or victim machines. In the final and
last stage that is update and maintenance the botmaster
requires to upgrade or update the bots for different types
of purposes.
The defining characteristic of botnet is that each bot is
controlled through the commands sent by the botmaster.
The communication channel used to issue commands can
be implemented using
a variety of protocols
eg.(HTTP,P2P etc). But the majority of botnets now a
days use the IRC(Internet Relay Chat) protocol [15].
Upon initialization , each bot tries to communicate with
the IRC server through the address given in the shell
code. In many cases the DNS name resolving is done for
the IRC server. As soon as the IP address of IRC server is
obtained , the bot establishes an IRC session with the IRC
server and joins the C&C channel as specified in the bot
binary.
A bot, in order to communicate with an IRC server is
required to prove its authenticity and hence authenticates
itself by following different techniques.
LIFE CYCLE OF BOTNET
Vol-3, Issue-3 , March- 2016]
ISSN: 2349-6495
Fig. 1:(Life Cycle)
III. CATEGORIES OF BOTNETS
There are two main categories of botnets on the basis of
command and control channel used, the Centralized
model and the Decentralized model. The further
categories of decentralized model are :
1. IRC(Internet Relay Chat) Botnet
2. P2P(Peer to Peer) Botnet
3. HTTP(Hyper Text Transfer Protocol) Botnet
4. Hybrid Botnet
Now a days botmasters also use SMS and Bluetooth as
the command and control channel to perform malicious
tasks in smart mobile phones . such types of botnets are
called mobile botnets. A new technology that is cloud
technology is also used in setting up botnets. These types
of botnets are called cloud based botnets. The above
mentioned botnet categories are classified under
centralized and decentralized
3.1 Centralized Botnet
The centralized botnet is a type of botnet structure in
which there is a centralized command and control
structure. In this type of botnet there is a centralized
server through which the commands are sent to the bots.
Each bot machine is connected to the C&C server. In case
the C&C server stops working the entire botnet is failed.
The botnets with centralized architecture provide a simple
,low latency,anonymous and efficient real time
communication platform for the botnet controllers. Most
of the latest detected large scale botnets are based on
centralized structure with HTTP or customized protocols
[16]. Example : IRC and HTTP botnets.
Bot
Bot Master
C&C
Fig .2: (IRC Botnet).
www.ijaers.com
Bot
Bot
Maste
Page | 87
International Journal of Advanced Engineering Research and Science (IJAERS)
3.2 Decentralized Botnet
In decentralized botnet there is no central command and
control server. Each bot is connected to another and
further connected to botmaster. It is very difficult to shut
down the decentralized botnet due to its structure. Each
bot in this type of structure acts as a client as well as
server. Example P2P botnet.
Vol-3, Issue-3 , March- 2016]
ISSN: 2349-6495
decentralized botnets. As per Anchit Bijalwan et.al in [26]
a hybrid botnet is divided into servant and client bot. The
servant bot receives the commands from the bot herder
and forwards it to the clients.
Bot
C&C
Bot
Bot
Bot
Bot
Bot
Bot
Bot
Bot
Bot
Fig.3:(P2P Botnet)
3.2.1
IRC Botnet
In this type of botnet, the botherder uses IRC as the C&C
channel to command and control the bot machines. Once
the bots receive commands from the botmaster through
IRC server the individual bots start the malicious activity.
The entire botnet can stop working if the IRC server is
collapsed. In order to send the command to a particular
bot, the botmaster first verifies the username and
password. Once the verification is completed then only
the commands are given to bots to perform the desired
task. The IRC is a form of real time Internet text
messaging or synchronous conferencing. The protocol is
based on the client server model, which can be used on
many computers in distributed networks [17].
3.2.2
P2P Botnet
In this type of botnet the P2P protocol is used. It is a
decentralized combination of nodes. Each bot in this
structure behaves both as the client as well as server. A
special type of search key is used by the botmaster to send
commands to different bots. If bots in this type ob botnet
are taken offline, the botnet can still continue to operate
under the control of Botmaster [18].
3.2.3
HTTP Botnet
It is a type of centralized botnet which uses HTTP
protocol as the command and control server. The
malicious intent of the botherders is actually hidden along
with the normal data traffic and are not caught by the
antivirus , firewalls etc. A particular IP address is used by
the botherder to make connection which also works as
C&C server. The HTTP botnets are largely used by the
hackers for phising acts and financial crimes. The HTTP
bots frequently demand and download instructions from
web servers under the attacker’s control. As a result,
detecting bots with web based controlling is complex than
bots with IRC based controlling[19].
3.2.4
Hybrid Botnet
A botnet formed by combining the features of two or
more known botnets is called hybrid botnet. The hybrid
botnet is formed by combining the centralized as well as
www.ijaers.com
Bot
Bot
Fig. 4: (Hybrid botnet)
IV.
BOTNET DETECTION
The detection of botnet has always been a big challenge
to the organizations and individuals. It is very difficult to
detect the presence of bot or botnet. To detect a botnet
actually requires the use of advanced analyzing
capabilities. The two approaches used for detection of
botnets include:
1. Setting up honeynets
2. Passive traffic monitoring
(a) Signature based detection
(b) Anamoly based detection
(c) DNS based detection
(d) Mining based detection
4.1 Setting up Honeynet
A honeynet or honeypot can be thought of as a system in
which the weaknesses or vulnerabilities are intentionally
injected and then such systems are monitored for
attracting the attacks and intrusions. It is a computer
system that is used to trap to draw the attention to attach
this computer. Such computers have a strong ability to
detect security threats, to collect malware signatures and
to understand the motive and method behind the threat
used by the botmaster [21]. The honeypot method is not
very successful or strong method as we have to wait until
a bot infects the system.
4.2 Passive Traffic Monitoring
It means the data traffic movement is being monitored
and the trails of intrusion are tied to be deleted. It has four
categories:
4.2.1
Signature based detection
In this approach of detecting the botnets , the help of
known malware is taken. The network traffic is
thoroughly being monitored to detect yhe marks of
intrusion. It is a rule based method , which detects the
harmful traffic fitting into the rule. This detection
technique can only be employed for detecting the Botnets
Page | 88
International Journal of Advanced Engineering Research and Science (IJAERS)
that are the known ones. The fundamental approach is to
extract feature information on the packets from the data
traffic and match the patterns registered in the knowledge
base of existing bots. It has several disadvantages:
1. It can’t identify the unidentified bots.
2. It should always update the knowledge base with
new signatures.
3. The new bots may launch attacks before knowledge
base are patched.
Examples are snort, Rishi and NEDRS etc. [22]
4.2.2
Anomaly based detection
This approach is used to detect the botnets that are
unknown. In this technique the anomalies present in the
network traffic are observed to predict about the presence
of bot. The various anomalies could be high network
latency, high volume of traffic , traffic on unusual ports
and unexpected system working etc. The purpose of
anomaly based detection is to find the signs that are
different from the other available details. Bijalwan et.al in
[23] identified UDP bot flooding through the lab
experiments.
4.2.3
DNS based detection
The DNS based approach is a kind of passive technique.
In such techniques there is full transparency but are
unknown to botmasters. DNS based approach is based on
the property that in order to access the C&C server, bots
carry out DNS queries to locate the particular C&C server
that is typically hosted by DDNS(Dynamic DNS)
provider. So DNS monitoring will be easy approach to
detect Botnet DNS traffic and detect DNS traffic
anomalies. This is most famous and easy technique of
botnet detection [24].
4.2.4
Mining based detection
The data mining based technique helps in recognizing the
useful patterns to find out certain type of regularities and
irregularities in available sets of data. Data mining
techniques can be used for the purpose of optimization. In
this method the sufficient amount of data is available
from the network log file to work upon and analyse. The
various data mining methods are correlation,
classification, clustering, statistical analysis and
aggregation for extracting the useful information from the
available data[25].
V.
CONCLUSION
This paper is a thorough study and analysis of malware
and their categories. In this research based exhaustive
survey I have tried my level best to explain botnet, its
formation and working. The purpose behind the formation
is also covered to greater extent. I have also tried to throw
some light upon the different types of botnets and their
behavior. The different techniques used to detect botnets
are also discussed. Even though some detection
www.ijaers.com
Vol-3, Issue-3 , March- 2016]
ISSN: 2349-6495
techniques are available but still the botnets are big
challenge to the society. The field requires a lot of
research so that a concrete solution should be found to
fight with the challenge and mitigate its impact.
REFERENCES
[1] Manoj
Kumar
Dhruv,Yogita
Dewangan,
Purushottam Patel, “An introduction to Computer
Virus, History and its evolution” in International
Journal of Research, vol 03, issue 04, Feb 2016.
[2] Dolly Uppal, Vishakha Mehra and Vinod
Verma,”Basic svrvey on malware analysis, tools and
techniques”, in IJCSA, vol4,no. 1, feb 2014.
[3] Munna Kumar et al., “Predator-Prey models on
Interaction between Computer worms, Trojan horses
and anti virus software inside a computer system”,
International Journal of Security and its
Applications”, vol 10, No 1 (2016) P. 173-190
[4] Prof.Abuzneid Abdelshakour et al., “Detection of
rojan Horse by Analysis of System Behaviour and
Data Packets”, Dept of CS, University of
Bridgeport, CT
[5] Ishita Basu et al.,”Malware detection based on some
data using data mining : A survey”, Ametican
Journal of Advanced Computing, vol3910, p.18-37
[6] Mannel Egele et al.,”Dynamic Spyware Analysis”,
2007, USENIX Annual Technical Conference,
2007.(p. 233-246)
[7] Kishore Subramanyam et al., “ Keyloggers : The
overlooked threat to Computer Security”, Dept. of
Mathematics & CSE, Northern Kentucly University,
KY-41099
[8] Fariba Hadadi et al.,” On the effectiveness of
Different Botnet detection approaches” Springer
International publishing, Switzerland 2015.
[9] Moheeb Abu Rajab et.al, “A multifaceted approach
to understanding the botnet phenomenon”,Rio de
Janeiro, Brazil, ACM, IMC 06, 2006.
[10] Haritha S Nair,Vinedh Ewards, “ A study on Botnet
Detection Techniques”, International Journal of
Scientific and Research Publications, vol 2, issue 4,
April 2012
[11] Parmar Riya H, Harshita Kanani, “A botnet
detection techniques”, in ISRJ vol 4, issue 4, May
2014.
[12] Karim et.al, “Botnet detection techniques,review,
future trends and issues”, journal of Jhejiang
University”, Jan 2014.
[13] Napolean C.Paxton et al, “Master Blaster :
Identifying
influential
players
in
Botnet
Transactions”, in 35th IEEE conference, 2011
Page | 89
International Journal of Advanced Engineering Research and Science (IJAERS)
Vol-3, Issue-3 , March- 2016]
ISSN: 2349-6495
[14] Fariba Haddadi et al, “On Botnet behavior, Analysis
using GP and C45”, Faculty of CS, Dalhousie
University, Canada.
[15] C.Calt Internet relay Chat : Client Protocol, RFC
2812,(Informational), April 2000.
[16] Wang, Tao, and Shun Zheng Yu, “Centralized
botnet detection by traffic aggregation”, Parallel and
distributed processing with applications, 2009,
IEEE, International Symposium on IEEE 2009.
[17] Vania, Jignesh, Arvind Meniya and H.B Jethra. “A
review on botnet and detection technique”,
International Journal on Computer Trends
Technology, vol 4, no.1(2013) pg 23-29
[18] Prabhu, S Nagendra and D Shanthi, “A survey an
anomaly detection of Botnet in network”,
International Journal 2.1(2014)
[19] Sultan Mohd Shahid, “ Monitoring HTTP based
command and control Botnets in Traffic using Bot
sniffer”, Diss, Texas A7M University Corpus Christi
2015.
[20] D. Seerinivasan, K Shanthi, “Categories of Botnet :
A Survey”, in IJCEACIE, vol:8, No.9, 2014.
[21] Jignesh Vania et al, “ A review on Botnet and
Detection Techniques” in IJCTT, vol 4 issue 1, 2013
[22] Ghafir, Ibrahim, Jakob Svoboda, and Vaclav
Prenosil, “ A svrvey on Botnet command and
control Traffic Detection”, International Journal of
Advances in Computer Networks and its
security(ICJNS)5(1)(2015).
[23] Bijalwan A, Wazid M, Pilli ES, Joshi R C, ‘
Forensics of random – UDP flooding attacks” in
Journal of Networks. 2015 May 27,10(5): 287-293
[24] Amit Dange, Prashant Gosavi, “ Botnet Detection
through DNS based approach”, in IJAIEM, vol2,
issue 6, June 2013.
[25] Alireja Shahrestani et al.,”Architecture for applying
data mining and visualization on network flow for
botnet traffic detection”,IEEE, pages 33-37, 2009
[26] Anchit Bijalwan et al., “ Survey and Research
Challenges of Botnet Forensics”, in IJCA, Vol 75No 7, Aug 2013
www.ijaers.com
Page | 90