Botnets uncovered
Security Basics and HowTo's, Security Documentation | March 5th, 2008
Recently I began some research into botnets and Denial of Service / Distributed Denial of Service attacks.
Basically there are 3 types of botnets, each with different advantages and disadvantages.
The first and most common type of botnet is the IRC botnet.
IRC botnets go back to 1993 in the case of the benevolent EggDrop bot, and 1998 in the case of GTbot and its variants, one of the first malicious botnets.
This type of botnet gets its instructions from IRC (Internet Relay Chat) channels, which send out the command and control instructions to the compromised machines.
These botnets can be tracked easily, and the result is a shutdown of the botnet.
It is the oldest type of botnet and still the most common. The disadvantage lies in the channel used to send the commands: it can easily be taken over by other hackers sniffing the network, and it can be detected pretty fast by the IRC provider.
This is because all traffic passes through the IRC server. The provider can simply shut the server down, and the attacker can be traced easily.
Now new types of botnets have appeared on the web, the so-called P2P and HTTP botnets.
P2P botnets took their inspiration from the same P2P networks that are used to exchange files.
Hackers implemented P2P capability in a new type of botnet to issue the command and control instructions, and the P2P botnets were born.
They are harder to detect and shut down than IRC botnets.
P2P bots first became public when the Agobot variants appeared on the web.
Agobot is one of the most widespread bots and marked a turning point at which botnets became much more significant.
Gnutella emerged as the first fully decentralized P2P protocol in 2000, and several other such protocols have been developed since then.
Trojan.Peacomm uses the Overnet network, which implements the Kademlia algorithm. Overnet was originally set up to service file-sharing
clients such as eDonkey 2000, and while Overnet’s own resources were shut down in late 2006 as a result of legal actions, Overnet clients,
being completely decentralized, can still function.
Trojan.Peacomm is distributed through e-mail worms, and once installed, goes through a bootstrap process to become part of the Overnet
network. To do this, the client uses a list that appears to be Overnet nodes likely to be online. This could be one centralized way of
stopping the node from activating, the researchers noted, but since the list includes 146 nodes, it could be difficult to ensure all of them
are offline.
The node then uses preset keys to search for and download a value from the Overnet network. The value is an encrypted URL that points to the
location of more files that can be downloaded, fully setting up the node with communications and attack tools.
How to counteract this sort of system? That is proving to be highly difficult so far.
Besides use of the bootstrap list of nodes, the researchers are studying the use of index poisoning as a way of attacking P2P botnets.
Index poisoning was first mooted as a way of stopping exchange of copyrighted files, but that isn’t its only use, the researchers said.
“Index poisoning could be used in order to slow the infection rate of the bot or possibly to measure the number of bots infected,”
All in all, P2P botnets are much more dangerous than IRC botnets, as you can see, but they can still be shut down easily when you know where to search.
Now let's move on to the third, the newest and so far categorized as the most dangerous type of all botnets: the HTTP botnets.
The difference between HTTP botnets and other botnets is that HTTP is used to issue the command and control commands.
This means the bot connects to a server, and the attacker can connect to a URL and manage everything from there.
The problem here is that there is no persistent connection; a connection is only made when a request needs to be sent.
The whole attack is handled very silently, and this makes it really hard to trace the attacker and finally shut down the botnet.
You have to sniff a lot of traffic to get to the attacker.
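As an added example (not code from the original post), here are two flow-log checks matching the two patterns described above: the fan-in of many hosts on one IRC server, and the regular polling an HTTP bot shows once enough traffic has been collected. The flow records are constructed sample data, and the port list and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (timestamp in seconds, src_ip, dst_ip, dst_port)
FLOWS = [
    # three internal hosts all talking to the same server on the IRC port
    (0, "10.0.0.5", "203.0.113.9", 6667),
    (3, "10.0.0.6", "203.0.113.9", 6667),
    (7, "10.0.0.7", "203.0.113.9", 6667),
    # one host polling a web server every ~600 s with almost no jitter
    (0, "10.0.0.8", "198.51.100.4", 80),
    (601, "10.0.0.8", "198.51.100.4", 80),
    (1199, "10.0.0.8", "198.51.100.4", 80),
    (1800, "10.0.0.8", "198.51.100.4", 80),
    (2402, "10.0.0.8", "198.51.100.4", 80),
    # ordinary browsing: irregular intervals to the same site
    (0, "10.0.0.9", "198.51.100.7", 80),
    (12, "10.0.0.9", "198.51.100.7", 80),
    (900, "10.0.0.9", "198.51.100.7", 80),
    (905, "10.0.0.9", "198.51.100.7", 80),
    (4000, "10.0.0.9", "198.51.100.7", 80),
]

IRC_PORTS = {6667, 6668, 6669, 6697}  # assumed: common plain and TLS IRC ports

def irc_fan_in(flows, min_clients=3):
    """Servers on an IRC port contacted by at least min_clients distinct hosts.
    All IRC C&C traffic passes through the server, so the fan-in gives it away."""
    clients = defaultdict(set)
    for _, src, dst, dport in flows:
        if dport in IRC_PORTS:
            clients[dst].add(src)
    return {dst for dst, srcs in clients.items() if len(srcs) >= min_clients}

def beaconing_pairs(flows, min_polls=4, max_jitter=0.05):
    """(src, dst) pairs whose connection intervals are nearly constant: an HTTP
    bot polls on a timer, and that regularity only shows after many flows."""
    times = defaultdict(list)
    for ts, src, dst, _ in flows:
        times[(src, dst)].append(ts)
    hits = set()
    for pair, ts in times.items():
        ts.sort()
        if len(ts) < min_polls:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:  # coefficient of variation
            hits.add(pair)
    return hits
```

On the sample data, `irc_fan_in(FLOWS)` returns the IRC server and `beaconing_pairs(FLOWS)` returns only the polling host, not the browsing one.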
A common HTTP botnet is BlackEnergy; at first it was distributed in Russian circles only, but it quickly made its way to the US as well.
But that's not all: a new type of botnet is coming that uses different techniques to connect to the attacker.
These new botnets work like a Trojan horse; they use reverse connections and file injection to bypass firewalls.
Reverse connection is used in many Trojans and other malware and is a common technique to bypass routers and firewalls.
Others I have seen work with rootkits and hide their process from the user.
The attacker has a simple client where he can see the bots connected in a syn console.
The difference from all other botnet types is the functionality and options it gives to the attacker.
He could select certain bots and attack websites; in these new botnets the attacker can select more than one target to attack at once.
But that's not enough: these new botnets have many more capabilities. They can get into the infected PC, search files, view the screen or webcam, use the remote shell, modify the registry, upload or delete any file, and more.
I think these new all-in-one botnet/Trojans will be the new danger on the internet in the coming years.
They are very easy to use and you can do many things with them, so they are interesting for script kiddies, hackers and spammers alike.
I coded one of these botnets on my own to see how it can be done and how effective it is.
The results of the tests of this botnet are really scary: with a specially implemented Apache attack it would need only one bot to take a regular PHP-based website completely down.
Imagine now what a botnet of hundreds or even thousands of bots like this could do...
I coded this botnet for private security research and not to use it against others or distribute it, so don't ask me for it, I won't give it away.
Another example of such botnets is Netbot Attacker. This botnet offers everything a Trojan and a botnet offer, 12 different attack types and loads of options, and it has made many improvements over the last year. It's from China, and this botnet hasn't come around a lot till now; especially the new version that has all these features is pretty unknown so far.
Botnets pose a high security risk, and there are no really good solutions at the moment except a hardware firewall. Software firewalls like APF may block small attacks, but they can't handle a big one. For a regular webmaster with webspace and no root access it is almost impossible to handle an attack on your own; what counts here is to be fast and contact support. Only with your provider will you be able to solve the problem, so if you get attacked, don't waste time and contact your support immediately so they can investigate.
Author: Malicious