## **3. Working mechanism of Botnet**

As shown in **Figure 2**, the life cycle of a Botnet is divided into six phases: (1) the Bot program is propagated in one of many ways, such as web-page viruses, vulnerability exploitation, or email phishing; (2) once a host is infected, the Bot program stays resident in the system; (3) the compromised host sends a domain name query to a DNS server to obtain the IP address of the Botnet controller; (4) the compromised host connects to the Botnet controller and joins the Botnet; (5) communication between the Bot and the Botnet controller begins, and commands are issued and relayed between the attacker and the controller; and (6) the Bot attacks the victim according to the command it received from the controller.

**Figure 2.** *Working process of Botnet.*

In phase 1, the Botnet uses email phishing or hidden URL links to lead victims to certain web pages and runs malicious code on the page; this propagation mode is similar to that of a worm. Both attack vulnerable services by scanning specific ports with specific algorithms, which is very common, and various algorithms determine how and when to scan. The Bot does not propagate at all until it receives the command from the attacker, which makes the Botnet more difficult to detect [22].

In phase 2, when the vulnerable computer is attacked, it becomes a Bot, and the C&C server issues a program-installation command (such as the echo command used by Mirai). Installation can be a single step or several steps: for example, a small control program is downloaded first, and the entire Botnet program is downloaded at a later stage. In addition, some Botnets that live inside chat software spread via relay nodes, which are hard to discover but also suffer from problems such as delay.

In phase 3, early Botnets had the controller's IP address written directly into the Bot program, which has the disadvantage of poor concealment, so at this stage the Bot program instead contacts the C2 controller through a DNS domain name.

In phase 4, because victim hosts join the Botnet in different ways, the Botnet adopts an authentication mechanism to protect itself: only authenticated hosts can join the Botnet group and take part in command-and-control interactions. In addition, the Botnet controllers are selected by the hacker from among the Botnet group. To prevent these controllers from being shut down or taken offline, the attacker generally uses DNS to point the domain name at a new IP address when a controller goes offline or is captured. Furthermore, fast-flux technology is used to provide an IP list from which an address is periodically bound to the domain name, improving reliability and making detection harder. The Botnet also replaces the legitimate DNS server configured on the infected host with its own DNS name server, which has three benefits: (1) if the Bot program is removed by the host user, some Bots can reinfect the host through their own DNS server; (2) some antivirus programs become unable to update themselves; and (3) phishing attacks can be carried out by directing users to fake websites [23].

*Threats from Botnets*

*DOI: http://dx.doi.org/10.5772/intechopen.88927*
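The resolver replacement described in phase 4 leaves two visible symptoms a defender can check for: a resolver address in the host's configuration that is not one the organisation operates, and DNS traffic on port 53 to an address outside the approved set. The following added example (not code from the chapter or from any Botnet it names) checks both over constructed inputs; the approved resolver addresses, the resolv.conf text and the flow records are all assumptions made for the illustration.

```python
"""Check a host's DNS resolver configuration and DNS traffic against an allow-list.

Added example, not from the chapter. All inputs below are constructed.
"""
import ipaddress
from typing import Dict, List, Set

# Hypothetical corporate resolvers (assumption, not from the chapter).
APPROVED_RESOLVERS: Set[str] = {"10.0.0.53", "10.0.1.53"}

# Constructed /etc/resolv.conf content taken from a host under review.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 10.0.0.53
nameserver 203.0.113.77
options timeout:2
"""

# Constructed flow records: (src_host, dst_ip, dst_port, proto).
SAMPLE_FLOWS = [
    ("ws-042", "10.0.0.53", 53, "udp"),
    ("ws-042", "203.0.113.77", 53, "udp"),
    ("ws-042", "198.51.100.9", 443, "tcp"),
    ("ws-017", "10.0.1.53", 53, "udp"),
]


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers: List[str] = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # ignore malformed entries rather than crash
    return servers


def unexpected_resolvers(servers: List[str], approved: Set[str] = APPROVED_RESOLVERS) -> List[str]:
    """Resolvers configured on the host that are not on the allow-list."""
    return [s for s in servers if s not in approved]


def dns_to_unapproved(flows, approved: Set[str] = APPROVED_RESOLVERS) -> Dict[str, List[str]]:
    """Map host -> non-approved destinations it sent port-53 traffic to.

    This is the network-side symptom of a host whose resolver settings were
    rewritten: its queries no longer go to the resolvers the organisation runs.
    """
    findings: Dict[str, List[str]] = {}
    for host, dst, port, _proto in flows:
        if port == 53 and dst not in approved:
            findings.setdefault(host, []).append(dst)
    return findings


if __name__ == "__main__":
    configured = parse_nameservers(SAMPLE_RESOLV_CONF)
    print("configured resolvers:", configured)
    print("unexpected resolvers:", unexpected_resolvers(configured))
    print("hosts sending DNS to unapproved servers:", dns_to_unapproved(SAMPLE_FLOWS))
```

The host-side check is cheap to run from configuration management; the flow-side check catches hosts whose configuration cannot be read (or was read and tampered with), since a rewritten resolver setting still has to send its queries somewhere.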

In phase 5, the main activity is C&C communication: receiving information sent by the hacker. The Botnet maintains communication with its Bots while protecting itself from capture by security systems. A Bot will accept or actively fetch commands, infect more machines, or download updates to the Botnet code. At this stage, because fixed IP addresses, fixed domain names, dynamic updates and the like are poorly concealed, the Botnet often adopts domain-flux or fast-flux technology to improve its survivability.

Domain-flux technology was created to solve the problem of single-point failure. The attacker uses the domain-flux protocol to prevent the defenders from shutting the Botnet down. The C&C domain name accessed by the Bot is no longer statically hard-coded but is generated dynamically, which allows the C&C server to communicate securely with the Bot [24]. The domain names are produced by a domain generation algorithm (DGA), which feeds factors such as a dictionary, a random number, a date, and a hot topic into a generation algorithm, generates a string of special-character prefixes, and appends a TLD to obtain the final domain name. Because of the high generation speed and frequency, measures such as blocking and shielding cannot protect against the intrusion. Torpig and Conficker, both common on the web, adopt this technique. At the beginning of the twenty-first century, the basis of fast-flux appeared and gradually attracted more and more attention. Fast-flux was created to address the problem of security personnel locating C&C server domains and IP addresses (which are bound to each other) through reverse analysis. In general, when a DNS server is queried for the IP address of a given domain name, the query returns the same IP for a period of time because of DNS caching. Fast-flux, however, constantly changes the correspondence between IP addresses and domain names, so that a large number of queries in a short period return different results. Fast-flux is divided into two categories (single-flux and double-flux) according to the number of mapping layers. Single-flux has only one mapping layer: a domain name with one continuously changing IP address. Double-flux has two mapping layers. In the real Internet environment, hackers deploy multiple domain name servers; by modifying the domain name at the top-level server, the correspondence between the IP addresses of the lower-layer DNS servers and the domain name is constantly changing. A Botnet that employs fast-flux has a large number of "C&C servers", most of which are not the hackers' own machines but Bots. When security personnel inspect them, they find no control commands from the hacker on these "C&C servers"; these controllers are only responsible for forwarding commands and acting as springboards, which greatly improves the concealment of the Botnet. Fast-flux can also be used to resolve the domain names of certain phishing and malicious websites. Storm uses it to resolve the domain name that sends its messages, the Phish rock criminal organisation uses it to resolve the domain names of phishing websites [25], and Waledac also uses fast-flux to conceal its control server.
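Both techniques in the paragraph above leave traces in DNS telemetry that a defender can score: a DGA tends to produce long, high-entropy, vowel-poor labels (the character-level kind; dictionary-based DGAs do not), and a fast-flux name answers with many distinct addresses scattered across networks behind a short TTL. The following added example (not code from the chapter or from any Botnet it names) runs both heuristics over constructed passive-DNS style records; the record format, the made-up label `q7z2xkfp9wbv.com`, the documentation-range addresses and the thresholds are all assumptions for the illustration.

```python
"""DNS telemetry triage for domain-flux (DGA names) and fast-flux (churning A records).

Added example, not from the chapter. Records and thresholds are constructed.
"""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed passive-DNS style records: (timestamp, qname, ttl, answered IPs).
# Addresses come from documentation/benchmark ranges; the random-looking label is made up.
SAMPLE_ANSWERS: List[Tuple[int, str, int, List[str]]] = [
    (1000, "www.example.com", 3600, ["192.0.2.10"]),
    (1060, "static.example.net", 300, ["198.51.100.20", "198.51.100.21"]),
    (1120, "static.example.net", 300, ["198.51.100.21", "198.51.100.20"]),
    (1000, "q7z2xkfp9wbv.com", 60, ["203.0.113.9", "198.18.4.12", "100.64.3.21"]),
    (1060, "q7z2xkfp9wbv.com", 60, ["203.0.113.150", "198.19.7.3", "100.65.9.4"]),
    (1120, "q7z2xkfp9wbv.com", 60, ["192.0.2.77", "198.51.100.200", "203.0.113.42"]),
]


def registered_label(qname: str) -> str:
    """Second-level label ('q7z2xkfp9wbv' from 'q7z2xkfp9wbv.com').
    Naive on purpose: it does not know multi-part public suffixes such as co.uk."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text: str) -> float:
    """Bits per character; a label of all-distinct characters scores log2(len)."""
    if not text:
        return 0.0
    freq: Dict[str, int] = defaultdict(int)
    for ch in text:
        freq[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def dga_features(qname: str) -> Dict[str, float]:
    """Length, entropy and vowel/digit ratios of the registered label."""
    label = registered_label(qname)
    vowels = sum(ch in "aeiou" for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    return {
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "vowel_ratio": round(vowels / len(label), 3),
        "digit_ratio": round(digits / len(label), 3),
    }


def looks_dga(qname: str, min_length=10, min_entropy=3.0, max_vowel_ratio=0.2) -> bool:
    """Heuristic for character-level DGAs: long, high-entropy, vowel-poor labels.
    Dictionary-based DGAs produce pronounceable names and slip past this check."""
    f = dga_features(qname)
    return (f["length"] >= min_length and f["entropy"] >= min_entropy
            and f["vowel_ratio"] <= max_vowel_ratio)


def fastflux_stats(answers) -> Dict[str, dict]:
    """Per-name resolution history: distinct IPs, distinct /16 prefixes, lowest TTL."""
    per: Dict[str, dict] = {}
    for _ts, qname, ttl, ips in answers:
        st = per.setdefault(qname, {"ips": set(), "prefixes": set(), "min_ttl": ttl})
        st["ips"].update(ips)
        st["prefixes"].update(".".join(ip.split(".")[:2]) for ip in ips)
        st["min_ttl"] = min(st["min_ttl"], ttl)
    return per


def looks_fastflux(st: dict, min_ips=5, min_prefixes=3, max_ttl=300) -> bool:
    """Many addresses, spread over several networks, behind a short TTL.
    Large CDNs can look similar, so corroborate with ASN diversity or domain age."""
    return (len(st["ips"]) >= min_ips and len(st["prefixes"]) >= min_prefixes
            and st["min_ttl"] <= max_ttl)


def triage(answers) -> Dict[str, List[str]]:
    """Return qname -> tags for names that trip either heuristic."""
    hits: Dict[str, List[str]] = {}
    for qname, st in fastflux_stats(answers).items():
        tags = []
        if looks_dga(qname):
            tags.append("dga")
        if looks_fastflux(st):
            tags.append("fast-flux")
        if tags:
            hits[qname] = tags
    return hits


if __name__ == "__main__":
    for name, tags in triage(SAMPLE_ANSWERS).items():
        print(name, tags, dga_features(name))
```

Treat hits as leads for an analyst rather than verdicts: the entropy heuristic is blind to dictionary DGAs, and the flux heuristic will flag content-delivery networks unless it is corroborated with autonomous-system diversity, registration age or the absence of any legitimate business reason for the name.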


*Computer Security Threats*

In phase 6, the Botnet receives the command sent by the hacker and launches the attack. The attack modes (shown in **Table 2**) differ [26]; the number of Bots taking part, the target, and the attack means are all fully controlled by the hacker. Botnets initially launched single- or multi-machine distributed denial-of-service attacks; gradually they turned to profitable attacks, such as stealing users' private information from victim machines. For many years, Symantec's annual global cybersecurity report has stated that the vast majority of spam is sent by Botnets. Spam sent by a Botnet is more harmful than regular spam and is harder to detect. A phishing attack initiated by a Botnet proceeds as follows: the Bot erases and replaces the addresses of the legitimate DNS servers on the machine, and when the user accesses a confidential page, the replacement domain name server serves the phishing page to the user [27].

| Attack mode | Difficulty for detection | Complexity | Damage |
|---|---|---|---|
| Small-scale DDoS attack | High | Low | Low |
| Large-scale DDoS attack | Medium | Medium | High |
| Stealing information | Low | High | Medium |
| Sending spam | Medium | Medium | High |
| Phishing | Medium | High | Medium |

**Table 2.** *Common modes and characteristics of attack initiated by Botnet.*

## **4. Botnet threats and assessment**

The threat assessment of a traditional Botnet starts from several key performance properties: the stronger the Botnet's key performance, the greater the threat. The key performance indicators of a traditional Botnet mainly include four points: transparency, concealment, destruction resistance, and attack capacity.

Transparency means that when an attacker maintains a Botnet or orders it to attack a certain site, the Botnet can be operated as a whole without any attention to its internal details. Transparency is realised mainly through the control structure: the attacker feeds operation commands and control information into the control structure, which relays the relevant content to the various nodes, so that the Botnet is controlled as a whole.

Concealment means that the activities in the main stages of a traditional Botnet's life cycle must be carried out covertly, to reduce the chance that its nodes, operating facilities, and overall data flow are detected. Concealment requires that the nodes do not consume memory and bandwidth resources too noticeably and that the damage to the availability of controlled hosts stays small. Most importantly, the Botnet must avoid inspection by the end user so that it is not discovered by the network security monitoring system.

Destruction resistance refers to the key characteristic that a Botnet can maintain its attack capability when some nodes are cleaned or destroyed; it is also called tenacity. Strong destruction resistance gives the Botnet high survivability and gives the attacker more room to adjust the behaviour of Botnet nodes, thereby avoiding failure of the entire Botnet. The main way to improve destruction resistance is to build a more robust Botnet structure.

Attack capacity refers to the sum of all resources an attacker can control. It determines the maximum attack strength the attacker can launch and depends mainly on bandwidth resources and network size. The attack traffic the attacker can generate increases with bandwidth; the larger the network, the more URLs the attacker can exploit, and the more dispersed the attack sources, the fewer constraints there are on the attack.

These key performance indicators can be roughly divided into three categories: transparency and concealment belong to the Botnet's defensive capability, destruction resistance belongs to its survivability, and attack capacity belongs to its attack capability. Beyond these, there are more detailed indicators that fall within the same three capabilities, such as command accessibility of the Botnet, node averaging of the Botnet, Botnet resilience, and so on.

With the rise of the Internet of Things, the rapid development of smart terminals, and the continuous improvement of mobile network technologies, mobile Botnets have become, alongside traditional Botnets, one of the main platforms threatening mobile network security. After a mobile Botnet compromises smart terminals on the mobile Internet, these terminals are controlled in a one-to-many fashion through command and control channels. Mobile Botnets are thus a subset of traditional Botnets, but they are far more harmful to users. Because of the particular nature of mobile networks, their threat assessment has unique indicators in addition to the key performance indicators of traditional Botnets. Threat assessment for a mobile Botnet can start from the following performance indicators: attack performance, defensive performance, survivability, auxiliary performance, and environmental performance. Each has more specific indicators, such as confidentiality and node control efficiency under attack performance, stability and anti-detection capability under defensive performance, network averaging and network connectivity under survivability, propagation capability and command mechanism performance under auxiliary performance, and scalability and bandwidth consumption under environmental performance, among others.

## **5. Conclusions**

A Botnet is a common computing platform that attackers control remotely by compromising many non-cooperating user terminals in cyberspace. It is an attack platform consisting of multiple Bots controlled by a hacker. The behaviour of a Botnet is controlled by the hacker rather than by fixed code logic, which also makes Botnet attacks difficult to locate and predict. Botnets developed in two phases: in the first they were ordinary viruses and worms, and in the second they transformed into Botnet platforms. A virus attack is integrated in a single program; a Botnet is different, in that its control commands are issued by a separate C&C server while the attack and intrusion are carried out by the controlled hosts.

Botnets can be classified in many ways; by operating principle they divide into centralised and distributed Botnets. The difference is that a centralised Botnet has only one C&C server in the entire network platform, whereas in a distributed Botnet the infected nodes also communicate with each other.

The attack process of a Botnet is divided into six phases: in the first, the Botnet spreads through traditional viruses or worms; in the second, the Bot downloads the entire Botnet program; in the third, the Bot contacts the Botnet controller; in the fourth, the Bot is authenticated, and only authenticated Bots can join the Botnet group; in the fifth phase, C&C communication

At present, the various cyberattacks based on Botnets are the most serious security threats to the Internet. As Botnets continue to evolve and behavioural research on them remains inadequate, how to apply behavioural problems to Botnet research and combine the psychology of the operator to analyse the future trend of Botnets remains a continuing and challenging issue.