*Computer Security Threats*

At present, there are many different methods for detecting Botnets. For example, Moheeb and others built a real network flow monitoring system to analyze flow records, binary file types, Botnet control commands, etc.; Cai [3] evaluated the key behavioral characteristics of HTTP Botnets and designed a detection method for HTTP Botnets based on feature analysis; Song [4] adopted displacement entropy and Kalman filtering to detect and analyze the characteristics of P2P Botnets and proposed a corresponding detection algorithm; XU found that a P2P Botnet shows high robustness when random nodes fail, but its robustness declines rapidly when central nodes fail; and Chen proposed a solution to the problem that the HMM method cannot be adopted for flow detection of hierarchical Botnets.

**2. Classification of Botnet**

Botnets have many types of classification, and they can be divided into centralized Botnets and distributed Botnets according to their operating principles.

1. For a centralized Botnet, there is only one C&C server in the whole Botnet platform, and all Bots are connected to the C&C server. The C&C server has the right to control all Bots.

2. For a distributed Botnet, the Bots also exchange messages with each other. According to the command and control protocol, centralized Botnets can be classified into three categories: IRC-based Botnets, HTTP Botnets, and custom protocol Botnets [5–7]. According to the topological structure, distributed Botnets can be classified into three categories: structured P2P Botnets, unstructured P2P Botnets, and hierarchical Botnets [8, 9]. **Table 1** lists the classification of some known Botnets. Although some Botnets, such as Mega D and Mariposa [10], have multiple control servers, their Bots do not communicate with each other, so they are still classified into the category of centralized Botnet.

| Type | Protocol | Examples |
| --- | --- | --- |
| Centralized | IRC-based Botnet | SdBot, AgoBot, GT-Bot, RBot |
| Centralized | HTTP-based Botnet | Rustock, ClickBot, Naz, Zeus, Conficker, Torpig |
| Centralized | Custom protocol Botnet | Mega D, Mariposa |
| Distributed | Structured P2P Botnet | PhatBot |
| Distributed | Unstructured P2P Botnet | Sinit, Nugache |
| Distributed | Hierarchical Botnet | Waledac, Storm |

**Table 1.**
*Classifications of some known Botnets.*

**2.1 Centralized Botnet**

IRC-based Botnet: In the early days of the Internet, the earliest centralized Botnets were mainly IRC-based Botnets, which used IRC services to communicate between C&C servers and Bots (**Figure 1(a)**). This type of Botnet has a simple structure and adopts a known plaintext protocol [11]. By monitoring the activity cycle of the Botnet (such as ports and messages), its characteristics can be clearly identified, and these data flows can easily be filtered out in the network defense. This type of Botnet has little impact because of its small scale. However, due to its simple operating mechanism and ease of operation, it has been widely used by hackers, and with the current development of Botnets, many hackers still use it.

**Figure 1.** *Three types of Botnet structure.*

HTTP-based Botnet: Because the messages of IRC-based Botnets are easy to identify, the HTTP-based Botnet arose. This type of Botnet can hide itself well by adopting the HTTP protocol. Since communication between devices on the Internet is mainly over HTTP, the HTTP messages carrying an HTTP Botnet's traffic can be mixed with normal messages, making it difficult to filter them directly through router rules (ACLs), which greatly improves the survivability of the Botnet and makes it more concealable. HTTP-based Botnets are known to be more complex and diverse than IRC-based Botnets. Rustock, Zeus, Torpig, etc. encrypt the content of their communication, and Conficker and Torpig also adopt a technique named "domain-flux" to increase the difficulty of blocking their control servers [12]. In addition, a small number of Botnets, such as Naz, directly use popular social networking sites (such as Facebook, QQ space, etc.) as control servers, increasing the difficulty of detection and blocking [13]. Most Botnets currently use the HTTP protocol.

Custom protocol Botnet: Some Botnets use custom protocols for communication. Known Botnets of this type include Mega D, Mariposa, etc. Since Mega D uses a custom protocol, the first task for researchers is to understand its operating mechanism by means of data mining and analysis or reverse engineering. Unlike the IRC protocol and the HTTP protocol, Mariposa uses the UDP protocol for transmission, which does not require a three-way handshake; it is more difficult to block with router rules (ACLs), and its survivability is stronger.

**2.2 Distributed Botnet**

For the Botnets described above, the overall structure is one C&C server connected to multiple infected Bots. Once the C&C server is taken down by security experts, the Botnet is no longer available. In order to enhance the survivability of Botnets, hackers increase the number of C&C servers and allow Bots to communicate with each other, and so the distributed Botnet arose. This type of Botnet has a complicated structure, is difficult to construct, and requires a hacker with strong capabilities. At present, there are many distributed Botnets (such as Waledac and Storm) whose viability has been verified.
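The survivability argument above, and the observation attributed to XU earlier that a P2P Botnet tolerates random node failures but collapses when central nodes fail, can be measured by simulating takedowns on the three structures of Figure 1. The following is an added example written for this page, not code from the chapter or from any of the Botnets it describes; the graph sizes, degrees and the choice of five removed nodes are assumed for illustration.

```python
import random
from collections import deque

def centralized(n_bots):
    """Figure 1(a): one C&C server (node 0) linked to every Bot."""
    adj = {i: set() for i in range(n_bots + 1)}
    for b in range(1, n_bots + 1):
        adj[0].add(b); adj[b].add(0)
    return adj

def unstructured_p2p(n_bots, degree, seed=1):
    """Figure 1(b): every Bot links to `degree` random peers (Nugache-style list)."""
    rng = random.Random(seed)
    adj = {i: set() for i in range(n_bots)}
    for b in range(n_bots):
        for p in rng.sample([x for x in range(n_bots) if x != b], degree):
            adj[b].add(p); adj[p].add(b)
    return adj

def hierarchical(n_proxies, bots_per_proxy):
    """Figure 1(c): meshed proxy layer (nodes 0..n_proxies-1) with leaf Bots
    hanging off one proxy each; the hidden top C&C is not modelled."""
    adj = {p: set(range(n_proxies)) - {p} for p in range(n_proxies)}
    nxt = n_proxies
    for p in range(n_proxies):
        for _ in range(bots_per_proxy):
            adj[nxt] = {p}; adj[p].add(nxt); nxt += 1
    return adj

def largest_component_fraction(adj, removed):
    """Share of the ORIGINAL population still in the biggest connected piece
    after the nodes in `removed` are taken down (BFS over survivors)."""
    alive = set(adj) - set(removed)
    seen, best = set(), 0
    for start in alive:
        if start in seen:
            continue
        size, queue = 0, deque([start]); seen.add(start)
        while queue:
            u = queue.popleft(); size += 1
            for v in adj[u]:
                if v in alive and v not in seen:
                    seen.add(v); queue.append(v)
        best = max(best, size)
    return best / len(adj)

def hubs(adj, k):
    """The k highest-degree nodes, i.e. what a targeted takedown goes after."""
    return sorted(adj, key=lambda u: len(adj[u]), reverse=True)[:k]

if __name__ == "__main__":
    graphs = {"centralized": centralized(200), "unstructured P2P": unstructured_p2p(200, 4),
              "hierarchical": hierarchical(5, 40)}
    rng = random.Random(7)
    for name, g in graphs.items():
        random5 = rng.sample(sorted(g), 5)
        print(f"{name:17s} random 5 down: {largest_component_fraction(g, random5):.2f}"
              f"   top-5 hubs down: {largest_component_fraction(g, hubs(g, 5)):.2f}")
```

Removing the single C&C server or the five proxies leaves every remaining Bot isolated, while the random-peer graph keeps almost all of its population connected under either kind of removal, which is exactly the takedown asymmetry the chapter describes.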

Structured P2P Botnet: The communication protocol used by such Botnets is a structured P2P protocol. A typical example of a structured Botnet is PhatBot, which uses the fully connected Waste protocol, which leads to poor scalability [14]. Early versions of Storm adopted Overnet, based on the Kademlia protocol [15], for command and control. Since information about other nodes can be obtained through the lookup operation of the Kademlia protocol, researchers could use this feature to enumerate the nodes in the whole Overnet network and then insert many virtual nodes (set up by the researchers), so that many messages and file transfers in the Botnet are directed to the masquerading nodes. In this way, the Bots are identified, and an estimate of the scale of the Storm Botnet and a defense against it are finally achieved.

Unstructured P2P Botnet: The Bots under this model are connected irregularly, and they can communicate with each other. The communication method is also irregular, and they can send messages in a one-to-many way. There are many types of unstructured P2P Botnets, with two main ones (Nugache and Sinit). The operating mechanism of Sinit is random scanning: it uses scanning code in its source to filter out certain IP ranges and aimlessly probes for other Bots. Its messages are sent through port 53, with a poor degree of concealment. The Nugache Botnet keeps a peer list internally. When a Bot asks for a connection, it selects a random record from the connection list. If the connection is not successful, the random selection continues; if it is successful, the two connecting parties refresh each other's lists [16]. Dittrich kept sending message requests, refreshing the list, and recording the results to enumerate the whole Nugache network, and finally drew the structure diagram shown in **Figure 1(b)**. The structure diagram shows that Nugache applies a bounded range to the outgoing and incoming messages of each Bot, giving birth to a P2P network with random connectivity. This decentralized topology, combined with encryption of communications, gives Nugache very good concealment and keeps a substantial number of active Bots unnoticed for a long time.

*Threats from Botnets*
*DOI: http://dx.doi.org/10.5772/intechopen.88927*

Hierarchical Botnet: This type of Botnet is referred to as a hybrid P2P Botnet in some literature [17], and its most prominent feature is considered to be the hierarchical structure. The structure is divided into at least three layers: the bottom layer is the Bots, the middle layer consists of some Bots or C&C servers with better performance that act as the medium for information transmission, and the top layer is the core C&C server. This structure can prevent the top layer from being discovered by researchers and achieve more complex functions. Kanich et al.'s further research on Storm found that Storm is a three-layer Botnet [18]. The Bots in the bottom layer can send HTTP messages, virus information, etc. The Bots can use the Internet to query other infected hosts acting as proxies, and the topmost hacker server (C&C server) sits behind the infected proxy hosts, with a high degree of concealment.

Waledac is another large-scale hierarchical Botnet, which is also used to send large amounts of spam. Waledac has a hierarchical structure similar to the one shown above (**Figure 1(c)**). It has one more layer than the ordinary hierarchical structure, and relevant research shows that it was developed on the basis of the earlier hierarchical Botnets. Waledac is mainly divided into four layers (from bottom to top: Spammer, Repeater, TSL, UTS). The lower two layers are computer devices with vulnerabilities. The upper two layers are the hierarchical C&C servers used by hackers. The communication method of this Botnet is a technology named fast-flux. The third layer (Repeater) serves as a bridge between the second layer and the fourth layer of Bots, that is, a Bot is used as a proxy. This is different from the Koobface [19] Botnet, which uses trusted social networking sites, game sites, and other large server devices as its own proxy layer. Waledac is more viable in this way. Nunnery et al.'s research found that Waledac is able to offer two different levels of spam business. Through experiments, the researchers found that, due to the diversity of the Bots in the bottom layer of Waledac, it has the function of sending spam, but this ability is not strong, and it is easy for some large-scale defense servers to intercept directly; there is also a spam service that can be sent directly by the second layer (TSL) of the Waledac Botnet. This method of sending can dynamically modify the contents of the file to prevent it from being caught by static antivirus software, with high availability. At the same time, in order to further improve the concealment of the Botnet and prevent it from being detected by network supervisors, Waledac's internal message transmission mechanism is encrypted using elliptic curve cryptography. A two-in-one technique (timestamp + public key) is used on the communication between the second and third layers to prevent replay and forgery [20]. In order to prevent security personnel from tracking the Botnet, Waledac adopts a domain name polling check to prevent the Botnet from being populated with fake nodes [21].
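Domain-flux (Conficker and Torpig, Section 2.1) and fast-flux (Waledac, above) both leave traces in a resolver's logs: the former as bursts of NXDOMAIN answers for random-looking names from one client that is walking a generated domain list, the latter as one name resolving to many short-TTL addresses as the proxy layer rotates. The following added example, which is not the chapter's code, scores constructed resolver log lines for both indicators; the log format, the thresholds and all names and addresses are assumed.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (not real traffic), one answer per line:
# "<epoch> <client> <qname> <rcode> <ttl> <answer or ->"
LOG = """\
100 10.0.0.5 www.example.com NOERROR 3600 93.184.216.34
101 10.0.0.5 wwww.example.com NXDOMAIN 0 -
102 10.0.0.7 qkxzvnwpelrt.info NXDOMAIN 0 -
103 10.0.0.7 mbqortyhazwd.org NXDOMAIN 0 -
104 10.0.0.7 yzplkwqoxvfb.net NXDOMAIN 0 -
105 10.0.0.7 htwnqoyrcklj.biz NXDOMAIN 0 -
106 10.0.0.7 rvgcpxsuhwlm.info NOERROR 60 198.51.100.9
110 10.0.0.9 update.flux-example.net NOERROR 30 203.0.113.10
140 10.0.0.9 update.flux-example.net NOERROR 30 203.0.113.77
170 10.0.0.9 update.flux-example.net NOERROR 30 198.51.100.3
200 10.0.0.9 update.flux-example.net NOERROR 30 192.0.2.201
"""

def parse(log):
    """Split the log into dicts; ttl becomes an int, answer is '-' for NXDOMAIN."""
    recs = []
    for line in log.splitlines():
        ts, client, qname, rcode, ttl, answer = line.split()
        recs.append({"ts": int(ts), "client": client, "qname": qname,
                     "rcode": rcode, "ttl": int(ttl), "answer": answer})
    return recs

def label_entropy(qname):
    """Shannon entropy (bits/char) of the registered label, e.g. 'qkxzvnwpelrt'
    in 'qkxzvnwpelrt.info'; generated names score near log2(len(label))."""
    parts = qname.rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def domain_flux_suspects(recs, nx_min=3, entropy_min=3.0):
    """Clients with >= nx_min NXDOMAIN answers whose failed names look random:
    the signature of a host hunting for its live controller among generated names."""
    ents = defaultdict(list)
    for r in recs:
        if r["rcode"] == "NXDOMAIN":
            ents[r["client"]].append(label_entropy(r["qname"]))
    return sorted(c for c, e in ents.items()
                  if len(e) >= nx_min and sum(e) / len(e) >= entropy_min)

def fast_flux_suspects(recs, ip_min=4, ttl_max=60):
    """Names that resolved to >= ip_min distinct addresses with TTL <= ttl_max:
    a rotating proxy layer in front of the real controller."""
    ips, min_ttl = defaultdict(set), {}
    for r in recs:
        if r["rcode"] == "NOERROR" and r["answer"] != "-":
            q = r["qname"]
            ips[q].add(r["answer"])
            min_ttl[q] = min(min_ttl.get(q, r["ttl"]), r["ttl"])
    return {q: (len(a), min_ttl[q]) for q, a in ips.items()
            if len(a) >= ip_min and min_ttl[q] <= ttl_max}

if __name__ == "__main__":
    recs = parse(LOG)
    print(domain_flux_suspects(recs), fast_flux_suspects(recs))
```

The single typo-style NXDOMAIN from 10.0.0.5 stays below the threshold, which is the point of combining a count with an entropy score rather than alerting on failed lookups alone.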

Koobface also adopts an intermediate node as a proxy to hide the control server. But Koobface is notable not for its complex structure but for its numerous functional modules and the way it uses social networking sites to spread its messages. Koobface steals the social networking accounts on Bots, automatically logs in, and sends malicious links to friends, exploiting the trust between social network users. Koobface has a range of modules targeted at almost all major social networks and can force infected users to solve Captcha images, as well as perform DNS hijacking, search hijacking, web serving, information theft, etc.

**3. Working mechanism of Botnet**

As shown in **Figure 2**, the life cycle of a Botnet is divided into six phases: (1) there are many ways for a Botnet to propagate a Bot program, such as web page viruses, vulnerability attacks, email phishing, etc.; (2) if the host is infected, the Bot program remains in the system; (3) the vulnerable host sends a domain name query to a domain name server to obtain the IP address of the Botnet controller; (4) the vulnerable host connects to the Botnet controller and joins the Botnet; (5) communication between the Bot and the Botnet controller starts, as does the issuance and transmission of commands between the attacker and the Botnet controller; and (6) the Bot attacks the victim on the command given to the controller.

In phase 1, the Botnet adopts email phishing or hidden URL links to lead victims to web pages and runs malicious code on the page; this propagation mode is similar to the worm propagation mode. Both of them are meant to attack vulnerable services

