A survey of botnets with cryptography
Abstract.
As technology has developed, botnets have built their connections over IRC, the common HTTP protocol [1] and, recently, P2P, and a bot's characteristics and activities differ according to the structure of the botnet. This is why the research on them is so varied, and why it is beneficial to categorize and classify bot defense mechanisms. Bot activities have many negative effects, such as DDoS (Distributed Denial of Service) and spamming. The mechanisms for detecting and defending against bots can be classified as C&C-based bot detection and P2P-based bot detection. A vital aspect of botnet administration is the authenticity and integrity of commands. Asymmetric cryptography offers a simple and effective way to achieve this, and it is the methodology we discuss here.
Keywords: botnet, bot detection, P2P bot, C&C bot, cryptography
1. INTRODUCTION
The untraceable nature of coordinated attacks is just what hackers and attackers want when they compromise a computer or a network for illegal purposes. Once a group of hosts at different locations is controlled by a malicious individual or organization to launch an attack, one can hardly trace the origin due to the complexity of the Internet. For this reason, the growing number of incidents and threats against legitimate Internet activities, such as information leakage, click fraud, denial of service (DoS) and spam email, have become very serious problems today [1]. The victims controlled in this coordinated way by the attackers are called zombies or bots, a term derived from the word "robot". The term commonly refers to software applications that run automated tasks over the Internet [2]. Under a command and control (C2, or C&C) infrastructure, a group of bots can form a self-propagating, self-organizing and autonomous framework, called a botnet [3]. In general, to compromise a number of systems, the botnet's master (also known as the herder or perpetrator) remotely controls bots to install worms, Trojans or backdoors on them [3]. Most victims run the Microsoft Windows operating system [3]. The process of stealing host computing resources to form a botnet is called "scrumping" [3].
Botnets can be classified into two broad categories based on the types of [4]. The typical and most common type is the Internet Relay Chat (IRC) based botnet. Because of its centralized architecture, researchers have designed some feasible countermeasures to detect and destroy such botnets [5, 6]. As a result, newer and more sophisticated hackers and attackers have started to use Peer-to-Peer (P2P) technology in botnets [4, 7]. P2P botnets are distributed and have no central point of failure. Compared with IRC-based botnets, they are harder to detect and take down [4]. Moreover, most of the existing studies are still in the analysis phase [4, 7].
The rest of this paper is organized as follows. In Section 2, the classification of botnets is given. Section 3 describes the relevant attacks. Section 4 elaborates on the mechanisms of detection and tracking. Preventive measures are given in Section 5. The conclusion and future challenges are presented in Section 6.
2. CLASSIFICATION
Botnets are an emerging threat, with billions of computers infected around the world. Bots can spread across thousands of computers at very high speed, as worms do. Unlike worms, the bots in a botnet are able to cooperate towards a common malicious purpose. For that reason, botnets now play an important role in the spread of malware on the Internet [16]. In [19], W. T. Strayer et al. provided some flow-analysis metrics for detecting botnets. After filtering the IRC traffic, flow-based methods were applied to distinguish malicious IRC channels from benign ones. The methods proposed in [20] and [21] combined application-layer and network-layer analysis. E. Cooke et al. [22] worked on IRC activities at the application layer, using information from the monitoring of network activities. Some authors have introduced machine learning techniques into botnet detection [23], leading to a better way to characterize botnets. Today, honeynets and Intrusion Detection Systems (IDS) are the two major techniques for preventing attacks. Honeynets can be deployed in both distributed and local contexts [9]. They can provide information about botnet attacks, but cannot tell details such as whether the victim has a certain worm [9]. An IDS uses the signatures or behavior of existing botnets as references to detect possible attacks. Summarizing the characteristics of botnets is therefore important for a secure network. To the best of our knowledge, we have not found any other work on botnet anomaly detection.
2.1 Formation and Exploitation
To illustrate the formation and exploitation, we take a spamming botnet as an example. The typical formation of a botnet can be described by the following steps [3]:
1) The botnet's perpetrator sends out viruses or worms, whose payloads are bots, to infect victim machines.
2) The bots on the infected hosts log on to an IRC server or other communication medium, forming a botnet.
3) A spammer pays the owner of this botnet to obtain the right of access.
4) The spammer sends commands to the botnet, ordering the bots to send spam.
5) The infected hosts send the spam messages to different servers on the Internet.
2.2 IRC-based Bots
IRC is a protocol for text-based instant messaging between people connected to the Internet. It is based on the client/server (C/S) model, but is also suitable for distributed environments [18]. Typical IRC servers are interconnected and pass messages to one another [18]. One can connect with hundreds of clients across multiple servers. This is so-called multiple IRC (mIRC), in which communications between clients and a server are pushed to those connected to the channel. The functions of IRC-based bots include managing access lists, moving files, sharing clients, sharing channel information, and so on [18].
• Bot: typically an executable file triggered by a specific command from the IRC server. Once a bot is installed on a victim machine, it makes a copy of itself in a configurable directory and lets the malicious program start with the operating system. In general, bots are more than the capacity of worms or how to open a back door [18].
• Control channel: a secured IRC channel set up by the attacker to manage all the bots.
• IRC server: it may be a compromised machine or even a legitimate provider of public service.
• Attacker: the one who controls the IRC bot attack.
The attacker's operations have four stages [16]:
1) Establishment stage, where the attacker may add malicious code or simply modify an existing one from the many highly configurable bots available on the Internet [16].
2) Configuration stage, where the IRC server and channel information can be collected [16]. Once the bot is installed on the victim, it will automatically connect to the selected host [16]. Then the attacker can restrict access and secure the channel to the bots, for business or other purposes [16]. For example, the attacker is able to provide a list of bots to authorized users who wish to customize them and use them for their own purposes.
3) Infection stage, where bots are propagated by various direct and indirect means [16]. As the name implies, direct techniques exploit vulnerabilities of services or operating systems, and are usually associated with the use of viruses [16]. Once vulnerable systems are compromised, they continue the infection process, saving the attacker the time of adding other victims [16]. The most vulnerable systems are Windows 2000 and XP SP1, where the attacker can easily find unpatched or unsecured (i.e. no firewall) hosts [16]. In contrast, indirect approaches use other programs as a proxy to spread the bots, for example malware distributed through DCC (Direct Client-to-Client) file exchange on IRC, or through P2P networks, to exploit the vulnerabilities of target machines [16].
4) Control stage, where the attacker can send instructions to a group of bots through the IRC channel to carry out malicious tasks.
2.3 P2P-based Bots
Few works have focused on P2P-based bots so far [4, 24-29, 46]. It is still a challenging subject. In fact, using a P2P ad hoc network to control victim hosts is not a new technique [26]. A P2P communication system is much harder to disrupt. This means that the compromise of a single bot does not necessarily mean the loss of the entire botnet. However, the design of P2P systems is more complex, and there are usually no guarantees on message delivery or latency. A P2P-style worm, called Slapper [27], infected Linux systems by DoS attack in 2002. It used hypothetical clients to send commands to compromised hosts and receive answers from them [27]. Thus, its location on the network could be anonymous and not be controlled [27]. A year later, another P2P-based bot appeared, dubbed SINIT [28]. It used public key cryptography to authenticate updates. Later, in 2004, Phatbot [29] was created to send commands to other compromised hosts using a P2P system. Currently, the Storm Worm [24] may be the most widespread P2P bot on the Internet. T. Holz et al. analyzed it using binary analysis and network monitoring [24]. In addition, they proposed some techniques to disrupt the communication of a P2P-based botnet, such as eclipsing content and polluting the file.
However, the P2P-based bots above are not mature and have many weaknesses. Many P2P networks have a central server or a seed list of peers that can be contacted to add a new peer. This bootstrap process is a single point of failure for a P2P-based botnet [25]. For this reason, the authors in [25] presented a hybrid P2P botnet specifically to overcome this problem.
2.4 Types of Bots
Many types of bots on the network have already been discovered and studied [9, 16, 17]. Table I presents several widespread and well-known bots, together with their basic characteristics.
Types | Features
Agobot, Phatbot, Forbot, Xtrembot | They are so frequent that more than 500 variants exist on the Internet today. Agobot is the only bot that can use other control protocols besides IRC [9]. It offers various approaches to hide the bot on compromised hosts, including NTFS Alternate Data Stream, Polymorphic Encryptor Engine and Antivirus Killer [16].
SDBot, RBot, UrBot, UrXBot | SDBot is the basis of the other three bots and probably many more [9]. Unlike Agobot, its code is unclear and it has only limited functionality. Even so, this group of bots is still widely used on the Internet [16].
SpyBot, NetBIOS, Kuang, Netdevil, KaZaa | There are hundreds of variants of SpyBot today [17]. Most of their C2 frameworks seem to be shared with or evolved from SDBot [17]. But it does not provide accountability or conceal its malicious purpose in the code base [17].
mIRC-based GT-Bots | GT (Global Threat) bot is an mIRC-based bot. It enables an mIRC chat client based on a set of binary files (mostly DLLs) and scripts [16]. It often hides the application window on compromised hosts to make mIRC invisible to the user [9].
DSNX Bots | The DSNX (Data Spy Network X) bot has a plug-in interface for adding new functions [16]. Although the default version does not meet the requirement of spreaders, plugins may help solve this problem [9].
Q8 Bots | It is designed for Unix/Linux OS with the common features of a bot, such as dynamic HTTP updating, various DDoS attacks, execution of arbitrary commands, etc. [9].
Kaiten | It is very similar to Q8 Bots, with the same runtime environment and also lacking a spreader. Kaiten has an easy remote shell, which makes it convenient to check for vulnerabilities through IRC [9].
Perl-based Bots | Many variants are written in Perl today [9]. They are so small that they have only a few hundred lines of bot code [9]. Therefore, only a limited set of commands is available for basic attacks, especially DDoS attacks on Unix-based systems [9].
3. BOTNET ATTACKS
Botnets can be used for both legitimate and illegitimate purposes [6]. One legitimate purpose is to support the operation of IRC channels using administrative privileges for specific individuals. However, such purposes do not account for the large number of bots we have seen. Based on the wealth of data logged in honeypots [9], the possible uses of botnets for criminal or destructive purposes can be categorized as follows.
3.1 DDoS attacks
Botnets are often used for DDoS attacks [9], which can disable the network services of the victim system by consuming its bandwidth. For example, a perpetrator may order the botnet to connect to a victim's IRC channel at first, and then this target can be flooded with thousands of service requests from the botnet. In this type of DDoS attack, the victim IRC network is taken down. The evidence reveals that the attacks most commonly implemented by botnets are TCP SYN and UDP flooding attacks [30].
The general countermeasures against DDoS attacks require (1) controlling a large number of compromised machines and (2) disabling the remote control mechanism [30]. However, more efficient ways are still needed to prevent this type of attack. F. C. Freiling et al. [30] have presented a method to prevent DDoS attacks by exploring the bots hidden in honeypots.
3.2 Spamming and spreading malware
Around 70% to 90% of the world's spam is caused by botnets today, a problem the Internet security industry has much experience with [47, 49]. A study report indicates that once the SOCKS v4/v5 proxy (TCP/IP RFC 1928) is opened on compromised hosts by some bots, those machines can be used for nefarious tasks such as spamming. In addition, some bots are able to collect email addresses through particular functions [9]. Therefore, attackers can use such a botnet to send massive amounts of spam [31]. Researchers in [32] have proposed a distributed content-independent spam classification system, called Trinity, against spam from botnets. The designers assume that bots will send a mass of spam emails within a short period of time. Therefore, any letter from such an address is treated as spam.
To discover the overall behavior of spamming botnets and benefit their detection in the future, Y. Xie et al. [33] have developed a spam signature generation framework called AutoRE. They also found several characteristics of spamming botnets: (1) spammers often add some random and legitimate URLs to the letter to evade detection [33]; (2) botnet IP addresses are usually distributed across many ASes (Autonomous Systems), with only a few machines involved in each AS on average [33]; (3) although the contents of the spam differ, their recipients' addresses may be similar [33]. How to use these features to capture botnets and avoid spam is worth researching in the future. Similarly, botnets can be used to spread malware as well [9]. For example, a botnet can launch the Witty worm to attack the ICQ protocol, since the victims' systems may not have activated Internet Security Systems (ISS) services [9].
3.3 Information Leakage
Because some bots can sniff not only the traffic passing by the compromised machines but also the command data within the victims, perpetrators can easily retrieve sensitive information such as usernames and passwords from botnets [9]. Evidence indicates that botnets are rapidly becoming more sophisticated at scanning hosts for significant corporate and financial data [47]. Since bots rarely affect the performance of the running infected systems, they are often out of the surveillance area and hard to catch. Keylogging is the very solution for this inner attack [9, 16]. This kind of bot listens for keyboard activity and then reports useful information to its master after filtering out the meaningless inputs. This enables the attacker to steal thousands of pieces of private information and credential data [16].
3.4 Click Fraud
With the help of a botnet, perpetrators are able to install advertisement add-ons and browser helper objects (BHOs) for business purposes [9]. As with Google's AdSense program, in order to obtain a higher click-through rate (CTR), perpetrators can use botnets to periodically click on specific links and thus promote the CTR artificially [9]. This is also effective for online polls or games [9]. Because each victim host has a unique IP address and the hosts are dispersed throughout the world, each click will be regarded as a valid action from a legitimate person.
3.5 Identity Fraud
Identity fraud, also known as identity theft, is a rapidly growing Internet crime [9]. Phishing e-mail is a typical case. It usually includes legitimate-looking URLs and asks the receiver to submit personal or confidential information. Such messages can be generated and sent by a botnet through spamming mechanisms [9]. Going a step further, botnets can also set up several fake websites that pose as an official business site to harvest victims' information. Once a fake site is closed by its owner, another one can pop up, until the computer is shut down.
4. DETECTION AND TRACKING
For now, several different approaches for identifying and tracking botnets have been proposed or attempted. First and most generally, there is the use of honeypots, where a subnet pretends to be compromised by a Trojan but actually observes the behavior of the attackers, which enables the controlling hosts to be identified [22]. In a case in point, Freiling et al. [30] have introduced a feasible way to detect certain types of DDoS attacks launched by a botnet. To begin with, they use honeypots and active responders to collect bot binaries. Then, they pretend to join the botnet as a compromised machine by running the bot on the honeypot and allowing it to access the IRC server. In the end, the botnet is infiltrated by a "silent drone" for information collecting, which may be useful in dismantling the botnet. Another commonly used method is to use information from insiders to track an IRC-based botnet [11]. The third but not the least common approach to detecting botnets is probing DNS caches on the network to resolve the IP addresses of the destination servers [11].
4.1 Honeypot and Honeynet
Honeypots are well known for their strong ability to detect security threats, collect malware, and help understand the behaviors and motivations of perpetrators. A honeynet, used for monitoring a large-scale diverse network, consists of more than one honeypot on a network. Most researchers focus on Linux-based honeynets, for the obvious reason that, compared to any other platform, more freely available honeynet tools exist for Linux [6]. As a result, only a few tools support deploying honeypots on Windows, and intruders start to proactively dismantle the honeypot.
Some researchers aim to design a reactive firewall or related means to prevent multiple compromises of honeypots [6]. When a compromised port is detected by such a firewall, the inbound attacks on it can be blocked [6]. This operation should be carried out covertly to avoid raising the suspicions of the attacker. Evidence shows that covert operation is needed when protecting honeypots against multiple compromises by worms, because worms are used to detect its presence [6]. Because many intruders download toolkits onto a victim immediately afterwards, the corresponding traffic should be blocked only selectively. These toolkits are important evidence for future analysis. Hence, to some extent, attackers' access to honeypots should not be prevented too thoroughly [6].
Since honeypots have become more and more popular in monitoring and defense systems, intruders have started looking for ways to avoid honeypot traps [34]. There are some feasible techniques for detecting honeypots: for example, detecting VMware or other emulated virtual machines [35, 36], or detecting a honeypot program's faulty responses [37]. In [38], Bethencourt et al. successfully identified honeypots using intelligent probing based on public report statistics. In addition, Krawetz [39] presented a commercial spamming tool with an anti-honeypot function, called "Send-Safe's Honeypot Hunter". By checking the reply from the remote proxy, the spammer is able to detect open-proxy honeypots [39]. However, this tool cannot effectively detect anything other than open-proxy honeypots. Recently, C. C. Zou et al. [34] proposed another method for honeypot detection based on independent software and hardware. In their paper, they also introduced an approach to effectively locate and remove infected honeypots using a P2P-structured botnet [34]. All the evidence suggests that research should be improved to address the case where a botnet becomes invisible to honeypots.
4.2 IRC-based detection
IRC-based botnets have been widely studied, and therefore several detection characteristics have been discovered to date. One of the easy ways to detect such botnets is to sniff traffic on common IRC ports (TCP port 6667) and then check whether the payloads match strings in the knowledge database [22]. However, botnets can use random ports to communicate. Therefore, another approach, looking for behavioral characteristics of bots, appeared. S. Racine [40] found that IRC-based bots are often idle and only respond upon receiving a specific instruction. Thus, connections with such features are marked as potential enemies. Nevertheless, the result still has a high false-positive rate.
There are other existing methods for detecting IRC-based botnets. Barford et al. [17] proposed some approaches based on source code analysis. Rajab et al. [11] introduced a modified IRC client, called an IRC tracker, which was able to connect to the IRC server and reply to queries automatically. Given a template and a relevant fingerprint, the IRC tracker could instantiate a new IRC session to the IRC server [11]. In case the bot master could find out the real identity of the tracker, it appeared as a powerful and responsive bot on the Internet and ran all malicious commands, including responding to the attacker [11]. The following are some detection methods against IRC-based botnets.
4.2.1 Detection based on traffic analysis
Signature-based technology is widely used in anomaly detection. The basic idea is to extract feature information from the packets in the traffic and match it against the patterns registered in the knowledge base of existing bots. Apparently, it is easy to carry out by simply comparing every byte in the packet, but it also comes with several drawbacks [45]. First, it is unable to identify undefined bots [45]. Second, the knowledge base should always be updated with new signatures, which increases the management cost and reduces performance [45]. Third, new bots may launch attacks before their signatures are added to the knowledge base [45].
Based on the characteristics of IRC, some other techniques to detect botnets have arisen. Basically, two types of actions are involved in a normal IRC communication. One is interactive commands and the other is message exchange [45]. If we can identify the IRC operations of a given program, it is possible to detect a botnet attack [45]. For example, if private information is copied elsewhere by some IRC commands, we can say that the system is under attack, since normal chat behavior will never do that [45]. However, the traffic can be encoded or concealed by network noise [21]. Either situation will make the bots invisible.
In [45], the authors observed real traffic on IRC communication ports ranging from 6666 to 6669. They found that some IRC clients repeatedly sent login information while the server refused their connections [45]. Based on the experimental result, they claimed that a bot would repeat these actions at certain intervals after being refused by the IRC server, and that the time intervals are different [45]. However, it is considered a real IRC-based botnet attack on the basis of their experiment. Extending their achievements is possible future work.
In [49], P. Sroufe et al. proposed a different method for botnet detection. Their approach can efficiently and automatically identify spam or bots. The main idea is to extract the shape of the email (the number of lines and the characters per line) using a Gaussian kernel density estimator [49]. Emails with a similar shape are suspected. However, the authors did not show how to detect a botnet using this method. It may be another worthwhile piece of future work.
4.2.2 Anomaly Detection based on activities
In [21], the authors proposed an algorithm for anomaly-based botnet detection. It combines IRC mesh features with a TCP-based anomaly detection module. First, it observes and records a large number of TCP packets with respect to IRC hosts. Then, based on the ratio of the total number of TCP control packets (e.g. SYN, SYNACK, FIN, and resets) to the total number of TCP packets, it can detect anomalous activities [21]. They called this ratio the TCP work weight and claimed that a high value implies a potential attack by a scanner or worm [21]. However, this mechanism may not work if the IRC commands have been encoded, as discussed in [21].
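The ratio described above can be computed per host from packet summaries. The following is an added example, not code from [21] or from the original text; the packet records are constructed, and the 0.5 threshold and the 10-packet minimum are assumptions chosen for illustration.

```python
from collections import Counter

# TCP control-packet types counted by the ratio described in the text.
CONTROL_FLAGS = {"SYN", "SYNACK", "FIN", "RST"}


def build_sample():
    """Constructed per-packet records: (source host, TCP flag summary)."""
    packets = []
    # An ordinary IRC chat client: one handshake, a long data exchange, one close.
    packets += [("10.0.0.5", "SYN")]
    packets += [("10.0.0.5", "PSHACK")] * 18
    packets += [("10.0.0.5", "FIN")]
    # A host probing many peers: mostly connection attempts and resets.
    packets += [("10.0.0.66", "SYN")] * 15
    packets += [("10.0.0.66", "RST")] * 3
    packets += [("10.0.0.66", "ACK")] * 2
    # A host seen only twice: too little traffic to judge either way.
    packets += [("10.0.0.9", "SYN")] * 2
    return packets


def work_weight(packets):
    """Return {host: control packets / all TCP packets} for each source host."""
    total, control = Counter(), Counter()
    for host, flag in packets:
        total[host] += 1
        if flag in CONTROL_FLAGS:
            control[host] += 1
    return {host: control[host] / total[host] for host in total}


def suspicious_hosts(packets, threshold=0.5, min_packets=10):
    """Hosts whose work weight exceeds the (assumed) threshold.

    min_packets suppresses hosts with too few packets, whose ratio is
    dominated by a single handshake and would otherwise be a false positive.
    """
    counts = Counter(host for host, _ in packets)
    weights = work_weight(packets)
    return sorted(
        host for host, weight in weights.items()
        if counts[host] >= min_packets and weight > threshold
    )


if __name__ == "__main__":
    sample = build_sample()
    for host, weight in sorted(work_weight(sample).items()):
        print(f"{host:12s} work weight = {weight:.2f}")
    print("flagged:", suspicious_hosts(sample))
```

The host with only two packets has the highest ratio of all, which is why a minimum sample size is applied before thresholding.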
4.3 DNS Monitoring
Since bots usually send DNS queries in order to access the C2 servers, if we can intercept their domain names, the botnet traffic can be captured by blacklisting the domain names [41, 42]. Actually, this also provides an important secondary avenue for taking down botnets by disabling their propagation capability [11]. H. Choi et al. [41] have discussed the features of botnet DNS. According to their analysis, botnets' DNS queries can be easily distinguished from legitimate ones [41]. First, only bots send DNS queries for the domain of the C2 servers; legitimate hosts never do [41]. Second, a botnet's members act and migrate together simultaneously, and so do their DNS queries [41], whereas legitimate queries occur continuously and differ from those of a botnet [41]. Third, legitimate hosts do not use DDNS very often, while botnets usually use DDNS for their C2 servers [41]. Based on the above features, they developed an algorithm to identify botnet DNS queries [41]. Its main idea is to compute the similarity of group activities and then distinguish the botnet from them based on the similarity value. The similarity value is defined as 0.5 (C/A + C/B), where A and B stand for the sizes of two requested IP lists that have some common IP addresses and the same domain name, and C stands for the size of the duplicated IP addresses [41]. If the value is close to zero, the common domain is suspected [41].
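The similarity value defined above can be computed from a DNS query log by grouping the requesting IP addresses per domain and per time window. This is an added example, not code from [41] or from the original text; the log format, the one-hour window and the sample log lines are constructed assumptions, and the example only produces the scores, leaving the thresholding to the rule stated above.

```python
from collections import defaultdict

# Constructed DNS query log: "<epoch_seconds> <client_ip> <queried_name>".
SAMPLE_LOG = """\
1000 192.0.2.10 fixed-group.example.test
1005 192.0.2.11 fixed-group.example.test
1010 192.0.2.12 fixed-group.example.test
1200 192.0.2.50 changing-clients.example.test
1300 192.0.2.51 changing-clients.example.test
4600 192.0.2.10 fixed-group.example.test
4603 192.0.2.11 fixed-group.example.test
4607 192.0.2.12 fixed-group.example.test
4700 192.0.2.52 changing-clients.example.test
4900 192.0.2.50 changing-clients.example.test
5000 192.0.2.53 changing-clients.example.test
malformed line that the parser must skip
"""


def parse(log):
    """Yield (timestamp, client_ip, domain) from well-formed log lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # ignore truncated or malformed records
        ts, ip, name = parts
        yield int(ts), ip, name.lower().rstrip(".")


def clients_by_window(records, window):
    """Map domain -> window index -> set of client IPs that queried it."""
    table = defaultdict(lambda: defaultdict(set))
    for ts, ip, name in records:
        table[name][ts // window].add(ip)
    return table


def similarity(list_a, list_b):
    """0.5 * (C/A + C/B); None when either list is empty (undefined)."""
    a, b = len(list_a), len(list_b)
    if a == 0 or b == 0:
        return None
    c = len(list_a & list_b)  # size of the duplicated IP addresses
    return 0.5 * (c / a + c / b)


def score_domains(log, window=3600):
    """Return {domain: [similarity of each pair of consecutive windows]}."""
    table = clients_by_window(parse(log), window)
    scores = {}
    for name, windows in table.items():
        keys = sorted(windows)
        scores[name] = [
            similarity(windows[k1], windows[k2])
            for k1, k2 in zip(keys, keys[1:])
        ]
    return scores


if __name__ == "__main__":
    for domain, values in sorted(score_domains(SAMPLE_LOG).items()):
        print(domain, [round(v, 3) for v in values])
```

A domain seen in only one window yields an empty list, since there is no second IP list to compare against.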
There are also some other approaches. Dagon et al. [42] presented a method that examines the query rates of DDNS domains. Abnormally high or temporally concentrated rates are suspected, because attackers change their C2 servers quite often [44]. It uses both the Mahalanobis distance and Chebyshev's inequality to quantify how anomalous the rate is [44]. Schonewille et al. [43] found that when C2 servers had been taken down, DDNS would often respond with name errors. Hosts that repeatedly made such queries could be infected and were therefore suspected [43]. In [44], the authors evaluated the above two methods through experiments in the real world. They claimed that Dagon's approach was not as effective, since it misclassified some C2 server domains with short TTL, while Schonewille's method was comparatively effective because the suspicious names came from independent individuals [44]. In [48], X. Hu et al. proposed a botnet detection system called RB-Seeker (Redirection Botnet Seeker). It can automatically detect botnets of any structure. RB-Seeker first collects information about bots' redirection activities (e.g. temporal and spatial features) from two subsystems. It then uses a statistical methodology and DNS query probing techniques to distinguish malicious domains from legitimate ones. The experimental results show that RB-Seeker is an effective tool for detecting both "aggressive" and "stealthy" botnets.
5. Strong cryptography
5.1 Tamper-proof command and update system
A vital aspect of botnet management is the authenticity and integrity of commands. A bot should only accept commands issued by the botmaster. In current botnets, botmasters often use only a very weak form of authenticity, e.g., a simple password scheme before sending the corresponding command. Even if botnets use stronger authentication schemes, these can typically be broken; e.g., the Storm Worm uses 64-bit RSA, which can be defeated. In centralized IRC botnets, this lack of authenticity could be overcome, for example, by patching the IRC server used for command distribution so that only the botmaster can send messages to the designated channel. However, in a decentralized network of equal peers, a botmaster must ensure that no hostile party, such as defenders or other botnet groups, can poison the botnet by injecting malicious commands.
Asymmetric cryptography offers a simple and effective way to do this: before releasing a bot into the wild, the botmaster creates a public/private cryptographic key pair, of which the former is encoded in the bot's binary. Doing so allows the botmaster to securely sign all commands using the private key. All peers in the botnet are able to verify commands using the encoded public key, but given a reasonable key length (e.g. 2048-bit RSA), no defender will manage to forge the signature.
5.2 Renting a botnet
With the help of asymmetric cryptography, a botmaster can take on the role of a trusted certification authority, which provides an efficient way to rent a botnet to others, in part or in whole, for a variable amount of time. To protect against tenants with certain malicious purposes, it is advisable to apply a blacklist that contains all invalidated public keys. This blacklist is stored on each bot's computer, and only the botmaster can add or remove public keys, using its private key to sign the order. Thus, all certificates belonging to an attacker may be revoked.
However, this blacklist is of little use against attacks that need only a short time to be carried out successfully. For example, a malicious tenant can purchase a certificate for the botnet to distribute spam, and abuse it by ordering all bots to send an e-mail to a specific address, thereby revealing their IP addresses or other sensitive data. In this way, an attacker could conveniently obtain valuable information about a botnet's size and its overall structure. Hence, renting out a botnet should be considered an option to be used cautiously by a botmaster.
6. PREVENTIVE MEASURES
It takes only a couple of hours for conventional worms released from a single host to circle the globe. If worms use a botnet to spread from multiple hosts simultaneously, they are able to infect most of the vulnerable computers worldwide within minutes [7]. Some botnets have been discussed in previous sections. However, many are still unknown to us. How to minimize the risk caused by botnets in the future is the issue we discuss in this section.
6.1 Countermeasures against botnet attacks
Unfortunately, few solutions exist to date for a host to counter a botnet DoS attack [3]. Although it is hard to find patterns of malicious hosts, network administrators can still identify botnet attacks based on passive operating system fingerprinting extracted from the latest firewall equipment [3]. The botnet life cycle tells us that bots often use free DNS hosting services to point a subdomain to an inaccessible IP address. Thus, removing those services may take down such a botnet [3]. Today, many security companies focus on offerings to stop botnets [3]. Some of them protect consumers, whereas most others are designed for ISPs or enterprises [3]. The individual products try to identify bot behavior through anti-virus software. The enterprise products have no better solutions than nullrouting DNS entries and shutting down the IRC and other main servers after a botnet attack is identified [3].
6.2 Public Countermeasures
Personal or corporate security inevitably depends on communication partners [7]. Building a good relationship with these partners is essential. First, one should continuously ask the service provider for security packages, such as firewall, antivirus, intrusion detection tool kits, and so on [7]. Once something goes wrong, there should be a contact number to call [7]. Second, one should also pay close attention to network traffic and report to the ISP if there is a DDoS attack. The ISP can help block the malicious IP addresses [7]. Third, it is better to establish accountability on the system, together with a law enforcement authority [7]. More specifically, academia and industry have proposed some strategies for both home users and system administrators to prevent, detect and respond to botnet attacks [16, 18]. Here we summarize their suggestions.
6.2.1 Home users
TABLE II: PREVENTION STANDARDS FOR HOME USERS [18]

| Type | Strategies |
|---|---|
| Personal habits | Pay attention when downloading; avoid installing useless software; read carefully before you click |
| Routine | Use anti-virus/anti-trojan utilities; update the system frequently; shut down the PC when you leave |
| Optional operations | Back up all systems regularly; keep all software up to date; deploy a personal firewall |

6.2.2 System Administrator
Similarly, there are corresponding rules for the system administrator to prevent, detect and respond to botnet attacks [16, 18]. As methods of prevention, the administrator must follow vendors' guidelines for updating the system and applications [18]. Moreover, the administrator should stay apprised of the latest vulnerabilities, and use access control and log files to ensure accountability [18]. As illustrated in Table III, these rules can help the system administrator minimize the possibility of botnet attacks.
TABLE III: DETECTION RULES FOR SYSTEM ADMINISTRATORS [18]

| Rules | Notes |
|---|---|
| Track logs regularly | Analyze Internet traffic for abnormalities |
| Use a network packet sniffer | Identify malicious traffic on the intranet |
| Isolate the malicious subnet | Verify CRF activity on the host |
| Scan individual machines | They may contain malware |

Once an attack is detected, the system administrator must isolate the compromised hosts and warn the affected users [16]. Then preserve the data on the infected computers, including log files [16]. Moreover, identify the number of victims using sniffer tools [16]. Finally, report the infection to the security adviser [16].
7. CONCLUSIONS AND FUTURE CHALLENGES
To better understand botnets and eventually stop their attacks, we offer a survey of current botnet research. The discussion covers the formation and exploitation of botnets, and two typical topologies.
According to the discussion in Section 2, we have several ideas about the different topologies. For IRC-based botnets, the thorny problem is that we cannot get the source of most of the bots. Therefore, a thorough analysis of bots' behavior at the network level and the system level is difficult to perform. For P2P-based botnets, the following practical problems should be taken into account: (1) keeping the rest of the bots after some have been taken over by defenders; (2) hiding the botnet topology when some bots are captured by defenders; (3) managing the botnet more easily; (4) changing traffic patterns more frequently so that they are more difficult to detect.
As you can see, detecting and tracking botnet hosts remains a difficult task. Traffic fingerprinting is useful for identifying botnets. However, like the signature technologies discussed in Section 3, its disadvantages are obvious. We need an up-to-date knowledge base of all bots in the world, which seems like an impossible mission. Anomaly detection is another possible approach. However, when infected hosts do not behave unusually, it may not be able to detect a potential threat. Since current detection technology depends on an attack having happened, there is no guarantee that we can find all possible compromised hosts. An interesting question about anomaly detection is time efficiency. If an attack occurs and the detector can capture the anomaly at the outset and solve the relevant problems before the host is used maliciously, we say that this is time-efficient anomaly detection. Future work needs to focus on this time efficiency.
In the wireless environment, especially for ad hoc networks, there are not yet research activities on either attack or defense measures. There are many open issues: (1) how to find the shortest route to attack targets; (2) how to avoid detection of compromised hosts on the wireless network; (3) how to propagate bots in the wireless network, especially before some compromised hosts go offline.
There are also some other interesting open issues to consider. To the best of our knowledge, for now, we cannot avoid DDoS attacks from botnets. Even when an attack has been detected, there is no effective means to track and combat it. Instead, we can only turn off the compromised machines or disconnect them from the network, and wait for further action such as virus scanning or reformatting the OS. As a matter of fact, what we really need is to keep the number of bots down in the first place. Perhaps the only effective way to eliminate botnets is the deployment of new protocols in routers worldwide. That is a huge project and beyond reality. So why not consider installing a local gateway? Imagine: if the gateway could block communication between bots in different domains, an attacker could not easily manage compromised hosts worldwide. Meanwhile, the gateway can provide information about the malicious commands. On the basis of abundant evidence about the network, it would be possible to trace back the initial attack. However, it is very difficult to pursue that idea for the following reasons: (1) it is difficult to distinguish malicious packets within the traffic flow; (2) cooperation between domains is not easy, and one must consider the situation in which some gateways are compromised; (3) how to trace back a possible attack, and what should be noted for further analysis, still need to be studied.
REFERENCES
[1] K. Ono, I. Kawaishi, and T. Kamon, "Trend of botnet activities," in 41st Annual IEEE International Carnahan Conference on Security Technology, Ottawa, CA, October 2007, pp. 243-249.
[2] Wikipedia, "Internet bot" [Online]. Available: http://en.wikipedia.org/wiki/Internet_bot.
[3] Wikipedia, "Botnet" [Online]. Available: http://en.wikipedia.org/wiki/Botnet.
[4] B. Thuraisingham, "Data mining for security applications: Mining concept-drifting data streams to detect peer to peer botnet traffic," in IEEE International Conference on Intelligence and Security Informatics, ISI 2008, Taipei, Taiwan, June 2008, pp. xxix-xxx.
[5] C. Mazzariello, "IRC traffic analysis to detect botnets," in 4th International Conference on Information Assurance and Security, Naples, Italy, September 2008, pp. 318-323.
[6] B. McCarty, "Botnets: Big and bigger," IEEE Security and Privacy, vol. 1, no. 4, pp. 87-90, July 2003.
[7] G. P. Schaffer, "Worms and viruses and botnets, oh my!: Rational responses to emerging Internet threats," IEEE Security and Privacy, vol. 4, no. 3, pp. 52-58, May 2006.
[8] J. Mirkovic, G. Prier, and P. Reiher, "Attacking DDoS at the source," in ICNP '02: Proceedings of the 10th IEEE International Conference on Network Protocols, Paris, France, November 2002, pp. 312-321.
[9] P. Bacher, T. Holz, M. Kotter, and G. Wicherski, "Know your enemy: Tracking botnets" [Online]. Available: http://www.honeynet.org/papers/bots/.
[10] T. Holz, S. Marechal, and F. Raynal, "New threats and attacks on the World Wide Web," IEEE Security & Privacy, vol. 4, no. 2, pp. 72-75, Mar/April 2006.
[11] M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, "A multifaceted approach to understanding the botnet phenomenon," in Proceedings of the 6th ACM SIGCOMM Internet Measurement Conference, Rio de Janeiro, Brazil, October 2006, pp. 41-52.
[12] E. Levy, "The making of a spam zombie army: Dissecting the Sobig worms," IEEE Security and Privacy, vol. 1, no. 4, pp. 58-59, July 2003.
[13] D. Cook, J. Hartnett, K. Manderson, and J. Scanlan, "Catching spam before it arrives: Domain specific dynamic blacklists," in Proceedings of the 2006 Australasian Workshops on Grid Computing and e-Research, Hobart, Australia, pp. 193-202, January 2006.
[14] J. Jung and E. Sit, "An empirical study of spam traffic and the use of DNS black lists," in IMC '04: Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement, Taormina, Italy, pp. 370-375, October 2004.
[15] A. Ramachandran, N. Feamster, and D. Dagon, "Revealing botnet membership using DNSBL counter-intelligence," in Proceedings of the 2nd Conference on Steps to Reducing Unwanted Traffic on the Internet, Volume 2, San Jose, USA, pp. 8-8, 2006.
[16] J. Govil, "Examining the criminology of bot zoo," in 6th International Conference on Information, Communications and Signal Processing, Singapore, pp. 1-6, December 2007.
[17] P. Barford and V. Yegneswaran, "An inside look at botnets," in the series Advances in Information Security, Springer, 2006.
[18] R. Puri, "Bots and botnets: An overview," Technical report, SANS Institute, 2003.
[19] W. T. Strayer, R. Walsh, C. Livadas, and D. Lapsley, "Detecting botnets with tight command and control," in Proceedings of the 2006 31st IEEE Conference on Local Computer Networks, Tampa, USA, pp. 195-202, November 2006.
[20] M. Akiyama, T. Kawamoto, M. Shimamura, T. Yokoyama, Y. Kadobayashi, and S. Yamaguchi, "A proposal of metrics for botnet detection based on its cooperative behavior," in Proceedings of the 2007 International Symposium on Applications and the Internet Workshops, Washington DC, USA, pp. 82-82, January 2007.
[21] J. R. Binkley and S. Singh, "An algorithm for anomaly-based botnet detection," in Proceedings of the 2nd Conference on Steps to Reducing Unwanted Traffic on the Internet, San Jose, USA, pp. 7-7, 2006.
[22] E. Cooke, M. Jahanian, and D. McPherson, "The zombie roundup: Understanding, detecting, and disrupting botnets," in Proceedings of the Steps to Reducing Unwanted Traffic on the Internet Workshop, Cambridge, USA, pp. 6-6, 2005.
[23] C. Livadas, R. Walsh, D. Lapsley, and W. Strayer, "Using machine learning techniques to identify botnet traffic," in Proceedings of the 2006 31st IEEE Conference on Local Computer Networks, Tampa, USA, pp. 967-974, November 2006.
[24] T. Holz, M. Steiner, F. Dahl, E. W. Biersack, and F. Freiling, "Measurements and mitigation of peer-to-peer-based botnets: A case study on Storm Worm," in Proceedings of the 1st Usenix Workshop on Large-scale Exploits and Emergent Threats, San Francisco, USA, pp. 1-9, April 2008.
[25] P. Wang, S. Sparks, and C. C. Zou, "An advanced hybrid peer-to-peer botnet," in Proceedings of the First Conference on First Workshop on Hot Topics in Understanding Botnets, Cambridge, USA, pp. 2-2, July 2008.
[26] R. Lemos, "Bot software looks to improve peerage" [Online]. Available: http://www.securityfocus.com/news/11390.
[27] I. Arce and E. Levy, "An analysis of the Slapper worm," IEEE Security & Privacy Magazine, vol. 1, no. 1, pp. 82-87, January 2003.
[28] J. Stewart, "Sinit P2P Trojan analysis" [Online]. Available: http://www.secureworks.com/research/threats/sinit/.
[29] J. Stewart, "Phatbot Trojan analysis" [Online]. Available: http://www.secureworks.com/research/threats/phatbot.
[30] F. C. Freiling, T. Holz, and G. Wicherski, "Botnet tracking: Exploring a root-cause methodology to prevent distributed denial-of-service attacks," Lecture Notes in Computer Science, Springer-Verlag, Germany, 2005, no. 3679, pp. 319-335.
[31] K. Chiang and L. Lloyd, "A case study of the Rustock rootkit and spam bot," in Proceedings of the 1st Workshop on Hot Topics in Understanding Botnets, Cambridge, USA, pp. 10-10, 2007.
[32] A. Brodsky and D. Brodsky, "A distributed content independent method for spam detection," in Proceedings of the 1st Workshop on Hot Topics in Understanding Botnets, Cambridge, USA, pp. 3-3, 2007.
[33] Y. Xie, F. Yu, K. Achan, R. Panigrahy, G. Hulten, and I. Osipkov, "Spamming botnets: Signatures and characteristics," in Proceedings of the ACM SIGCOMM 2008 Conference on Data Communication, Seattle, USA, pp. 171-182, August 2008.
[34] C. C. Zou and R. Cunningham, "Honeypot-aware advanced botnet construction and maintenance," in the 2006 International Conference on Dependable Systems and Networks, Philadelphia, USA, pp. 199-208, June 2006.
[35] J. Corey, "Advanced honey pot identification and exploitation" [Online]. Available: http://www.phrack.org/fakes/p63/p63-0x09.txt, 2004.
[36] K. Seifried, "Honeypotting with VMware basics" [Online]. Available: http://www.seifried.org/security/index.php/Honeypotting_With_VMWare_Basics, 2002.
[37] Honeyd Security Advisory 2004-001, "Remote detection through simple packet probe" [Online]. Available: http://www.honeyd.org/adv.2004-01.asc, 2004.
[38] J. Bethencourt, J. Franklin, and M. Vernon, "Mapping Internet sensors with probe response attacks," in Proceedings of the 14th USENIX Security Symposium, Baltimore, USA, pp. 193-208, August 2005.
January, 2004.
[40] S. Racine, "Analysis of Internet Relay Chat usage by DDoS zombies," Master's thesis, Swiss Federal Institute of Technology in Zurich, April 2004.
[41] H. Choi, H. Lee, H. Lee, and H. Kim, "Botnet detection by monitoring group activities in DNS traffic," in Proceedings of the 7th IEEE International Conference on Computer and Information Technology, Washington DC, USA, pp. 715-720, October 2007.
[42] D. Dagon, "Botnet detection and response, the network is the infection" [Online]. Available: http://www.caida.org/workshops/dns-oarc/200507/slides/oarc0507-Dagon.pdf, 2005.
[43] A. Schonewille and D. J. van Helmond, "The domain name service as an IDS," Master's Project, Univ. Amsterdam, Netherlands, February 2006. http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf.
[44] R. Villamarín-Salomon and J. C. Brustoloni, "Identifying botnets using anomaly detection techniques applied to DNS traffic," in Proceedings of the 5th IEEE Consumer Communications and Networking Conference, Las Vegas, USA, pp. 476-481, January 2008.
[45] Y. Kugisaki, Y. Kasahara, Y. Hori, and K. Sakurai, "Bot detection system based on traffic analysis," in Proceedings of the 2007 International Conference on Intelligent Pervasive Computing, Washington, DC, USA, pp. 303-306, October 2007.
[46] C. Langin, H. Zhou, WIDA08 presented.
[47] K. Pappas, "Back to basics to fight botnets," Journal of Communication News, vol. 45, no. 5, pp. 12(1), May 2008.
[48] X. Hu, M. Knysz, and K. G. Shin, "RB-Seeker: Auto-detection of redirection botnets," in Proceedings of the 16th Annual Network & Distributed System Security Symposium (NDSS'09), February 2009.
[49] P. Sroufe, S. Phithakkitnukoon, R. Dantu, and J. Cangussu, "Email shape analysis for spam botnet detection," in Consumer Communications and Networking Conference (CCNC 2009), pp. 1-2, January 2009.
About the Authors
1. G. Satyavathy, Lecturer, Department of Computer Science, Sri Ramakrishna College of Arts and Science for Women, Coimbatore-641 044.
2. Dr. M. Punithavalli, Director and Head, Department of Computer Science, Sri Ramakrishna College of Arts and Science for Women, Coimbatore-641 044.