Classification of botnets

Posted: October 18, 2012 in Articles
Tags: , ,

BotnetClassification of botnets today is quite simple. It is based on the architecture of botnets and the protocols used to control the bots.

Classification of botnets: Architecture

So far known only two types of architecture botnets.

    • Botnets with a single point. In this architecture with botnets of zombie computers all connected to one control center, or C & C (Command & Control Centre). C & C expects to add new bots, registers them in its database, to monitor their condition and gives them the team, the owner of the botnet selected from the list of available commands for the bot. Respectively, in the C & C shows all connected zombie computers, and centralized management zombie network web host must have access to the command center.
Botnets single point

Botnet with centralized management

Botnets with centralized management are the most common type of zombie networks. Such botnets are easier to create, easier to manage, and they respond quickly to commands. However, to fight botnets with centralized management also easier: to neutralize the entire botnet is enough to close C & C.

  • Decentralized botnets, or P2P-botnets (from the English. “Peer-to-peer”, which means “connection” point-to-point ‘”). In the case of decentralized botnet bots are not connected to the control center, but with several infected machines from botnet. Commands are transmitted from the boat to the boat: each bot has a list of addresses of several “neighbors”, and when receiving a command from any of them, he passes it to others, thereby spreading the team further. In this case the attacker to control the entire botnet, enough to have access to at least one computer, a part of a botnet.
Decentralized botnet

Decentralized botnet

In practice, the construction of a decentralized botnet is not very convenient, because each new infected computer to provide a list of the boats, with which it will communicate in a zombie network. It is much simpler to send a boat to a central server, where they will receive a list of bots “neighbors”, and then switch the bot to communicate across the P2P-connection. This mixed topology is also of type P2P, though in a separate step bots use C & C. Fight a decentralized botnet more difficult because in the current botnet control center missing.

Classification of botnets: Used network protocols

To transfer the bot commands to the botnet owner, at least, a network connection between the computer and the zombie computers to send commands. All network communications based on network protocols that define the rules of communication in computer networks. Therefore, there is a classification of botnets based communication protocol being used.

By the type of network protocol botnets are divided into the following groups.

  • IRC-oriented. This is one of the first types of botnets, where control bot was based on the IRC (Internet Relay Chat). Each infected computer connected to the body of the program specified in the IRC-bot server, go to a specific channel and waiting for commands from the owner.
  • IM-oriented. Not a very popular form of botnets. Differs from the IRC-oriented counterparts only in that data channels are used IM-services (Instant Messaging), eg AOL, MSN, ICQ, etc. The low popularity of botnets caused difficulties arising when creating a separate account IM-service for each bot. The fact that the bots have access to the network and constantly attend online. Since most of the IM-services are not permitted in the system from different computers using the same account, each boat should have a number IM-service. The owners IM-services strongly impede any automatic registration of accounts. As a result, owners of IM-oriented botnets are very limited in the number of available registered accounts, and hence in the number of boats at the same time on the network. Of course, the bots can use the same account, go online once a certain period of time, to send data to the host and the number in a short period of time to wait for an answer, but it is problematic: a network responds to commands very slowly.
  • Web-based. A relatively new and rapidly developing branch of botnet-oriented management through www. Bot connects to a specific web server receives from commands and sends back data. Such botnets are popular because of the relative ease of development, a large number of Web servers on the Internet and ease of management through a web interface.
  • Others. In addition to the above there are other types of botnets, which are connected through its own protocol, based only on the protocol stack TCP / IP: only use common protocols TCP, ICMP, UDP.

Related post: Botnet or zombie network

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s