A Hands-on Approach on Botnets for Behavior Exploration

ao Pedro Dias

1,2

, Jos

e Pedro Pinto

1,2

and Jos

e Magalh

aes Cruz

Articial Intelligence and Computer Science Laboratory, Faculdade de Engenharia da Universidade do Porto,

Paranhos, Portugal

Faculdade de Engenharia da Universidade do Porto, Porto, Portugal

Keywords:

Computer Security, Botnets, Distributed Systems.

Abstract:

A botnet consists of a network of computers that run a special software that allows a third-party to remotely

control them. This characteristic presents a major issue regarding security in the Internet. Although common

malicious software infect the network with almost immediate visible consequences, there are cases where that

software acts stealthy without direct visible effects on the host machine. This is the normal case of botnets.

However, not always the bot software is created and used for illicit purposes. There is a need for further

exploring the concepts behind botnets and network security. For this purpose, this paper presents and discusses

an educational tool that consists of an open-source botnet software kit with built-in functionalities. The tool

enables anyone with some computer technical knowledge, to experiment and ﬁnd out how botnets work and

can be changed and adapted to a variety of useful applications, such as introducing and exemplifying security

and distributed systems’ concepts.

1 INTRODUCTION

A botnet, or zombie army, is the name given to any

collection of compromised hosts controlled by an at-

tacker remotely. Botnets generally are created by a

speciﬁc attacker or small group of attackers using one

piece of malware to infect a large number of machines.

The individual machines that are part of the botnet

are, generally, called bots, nodes or zombies. There

are botnets of various sizes, and they can vary from

small ones with hundreds or low thousands of infected

machines to larger ones with millions of compromised

hosts (Cooke et al., 2005).

There are speciﬁc cases where bots perform be-

neﬁcial activities, for example, the participants of

SETI@home initiative (Search for Extraterrestrial In-

telligence) which are, voluntarily, a part of a large

botnet used to analyze radio telescope data in order to

track evidence of intelligent extraterrestrial life (An-

derson et al., 2002).

Attackers usually install bots by exploiting vulne-

rabilities in software or by using social engineering

tactics to trick users into installing malware. So, users

are unaware that their computers are being used for

malicious purposes (Abraham and Chengalur-Smith,

2010).

Botnets can be used for various activities but the

most traditional and common use is for DDoS (Dis-

tributed Denial of Service) attacks. Other uses for

botnets are spamming, snifﬁng trafﬁc, keylogging and

even manipulating online polls and games (B

acher

et al., 2005).

As of today, there should be a straightforward way

to learn about botnets, what they are, how they work

and what can be done about them. Even though there

are tools, mechanisms and even open-source projects

that make it possible to build our own botnets, the

complexity and obscurity of these alternatives is pre-

venting, or even making it impossible, to learn their

inner functionalities and details (Barford and Yegne-

swaran, 2007). For that reason, we conceived and

implemented a simple and open-source botnet kit with

a set of built-in functionalities for anyone interested.

It can be set up in a controlled environment and expe-

rimented with, ﬁnding out how can it be changed and

adapted for many purposes.

The paper is organized as follows: Section 2 gi-

ves a background on botnets, Section 3 describes our

approach on a base implementation of a botnet labo-

ratory and some closing remarks and further work are

presented in Section 4.

Dias, J., Pinto, J. and Cruz, J.

A Hands-on Approach on Botnets for Behavior Exploration.

DOI: 10.5220/0006392404630469

In Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security (IoTBDS 2017), pages 463-469

ISBN: 978-989-758-245-5

463

2 BACKGROUND

The term botnet was widely used to describe a situa-

tion where several IRC bots were linked and setting

channel modes on other bots and users while keeping

IRC (Internet Relay Chat) channels free from unwan-

ted users. This is where the term is originally from,

since the ﬁrst illegal botnets were similar to legal ones,

operating over IRC Channels (Cooke et al., 2005). As

of today, botnets are widespread in the terms of com-

plexity, functionalities and are adapted to a variety

of devices, from mobile phones up to Linux embed-

ded systems (Internet of Things) (Bertino and Islam,

2017).

Figure 1: Overview of a DDoS attack using a botnet.

Botnets take advantage of computers whose secu-

rity defenses have been breached and control conceded

to a third party. Each compromised device, known

as a “bot”, is created when a computer is penetra-

ted by software from a malicious party. The botnet

herder (or master) is able to control the activities of

these compromised computers through communica-

tion channels (Room, 2003). Once the attacker is in

control, he can send any task to the bots, as, for exam-

ple, DDoS-ing individuals or organizations, or sending

spam (Cooke et al., 2005). A pictorial representation

of one botnet attack is given in Figure 1

A bot typically runs as a background process and

uses a covert channel to communicate with its C&C

(Command & Control) server. Generally, the perpetra-

tor has compromised multiple systems using various

mechanisms which themselves can be auto-replicators,

in the sense that a machine that was infected and has

become a bot, could infect other machines, and so on.

In a more basic approach, bots simply make use or

steal computing resources of other machines. This

process as a result of a system being joined to a botnet

is sometimes referred to as “scrumping”.

One important note is that some botnets have self-

defense mechanisms against things that try to disrupt

their normal operation. Botnet servers are typically re-

dundant, linked for greater redundancy so as to reduce

the threat of a takedown. Actual botnet communities

usually consist of one or several controllers that rarely

have highly developed command hierarchies relying

on peer-to-peer relationships (Ollmann, 2009). Some

botnets are scaling back in size to minimize detection.

As of 2006, the average size of a network was estima-

ted at 20,000 computers (DSLReports.com, 2009).

The existent literature about botnets is very dis-

perse in the way that different authors characterize,

detail and categorize botnets in a variety of different

ways. Still, based on the existent literature, the follo-

wing subsections try to make a summary of a typical

botnet anatomy, malicious uses and detection techni-

ques.

2.1 Botnet Anatomy

Botnets have a typical lifecycle that consists mainly of

ﬁve phases, from creation to maintenance (Feily et al.,

2009):

•

Initial infection phase: the attacker scans a target

subnet for known vulnerabilities, infecting machi-

nes through different exploitation methods.

•

Injection phase: fetches the actual bot binary from

a speciﬁc location, via File Transfer Protocol(FTP),

HyperText Transfer Protocol(HTTP) or Peer-to-

Peer Protocol (P2P), and installs itself on the

victim machine. From this point the victim com-

puter becomes a “Zombie”.

•

Connection phase: the bot program establishes

a C&C channel and connects the zombie to the

command and control server, becoming part of the

botnet.

•

Malicious command and control phase: the bot-

master uses the C&C channel to disseminate com-

mands to the nodes of the botnet, and the bot pro-

grams execute this commands, in order to conduct

various illicit activities.

•

Update and maintenance phase: the botmaster ta-

kes care of maintaining the bots live and updated.

These updates are made, in the majority of situati-

ons, to evade new detection techniques or add new

functionalities.

Botnets can be classiﬁed into three different cate-

gories based on the C&C models (Tanwar and Goar,

2014; Li et al., 2009a):

•

Centralized Model: The master takes advantage of

Internet Relay Chat (IRC) or the HTTP protocol

as the C&C channel to communicate and control

WICSPIT 2017 - Special Session on Innovative CyberSecurity and Privacy for Internet of Things: Strategies, Technologies, and

Implementations

464

the bots. This approach is similar to the ﬁrst appea-

rances of botnets. The main disadvantage of this

model is that this server is the single point of fai-

lure of the botnet, making it easier to be detected

and destroyed (Li et al., 2009b; Seenivasan and

Shanthi, 2014). Examples of this model are the

AgoBot, SDBot, and Zotob (Li et al., 2009a).

•

Peer-To-Peer Model (Decentralized): The botnet

consists of a decentralized peer-to-peer network of

nodes. Here, the connection does not depend on

any particular server, making this type of botnet

highly robust because the network is resilient (Dit-

trich and Dietrich, 2008; Seenivasan and Shanthi,

2014). The master usually shares speciﬁc com-

mands to each and every bot in the network and

the bots frequently communicate between them

and send keep-alive messages (Dittrich and Die-

trich, 2008). Grizzard et al. make a case study over

the Trojan.Peacomm P2P botnet (Grizzard et al.,

2007).

•

Unstructured Model (Random Model): The bot

program will not actively contact other bots or

its master. Instead, it will just listen to incoming

connections from the master. The master, when

in need, scans the network and passes along an

encrypted message. When received by a bot, the

message will be decrypted and its commands exe-

cuted (Li et al., 2009a). The main advantage of

this approach is the easy implementation, however,

the model is only theoretical and no real use cases

have been discovered (Rataj, 2014).

2.2 Malicious Uses of Botnets

A botnet is nothing more than a tool and there are many

different motives for using it. The most common uses

are criminally motivated or for destructive purposes.

Some of the possible uses of botnets can be categorized

as listed below.

•

Distributed Denial-of-Service Attacks: Often bot-

nets are used for DDoS attacks. Such, is an attack

on a computer system or network that causes a loss

of service to users, by consuming the bandwidth

of the victim network or overloading the computa-

tional resources of the victim’s system (Mirkovic

and Reiher, 2004; Sharma et al., 2016).

•

Spam (bulk email): Some bots offer the possibility

to open a SOCKS proxy on a compromised ma-

chine in order to be used for spamming. With the

help of a botnet and thousands of bots, an attacker

is able to send massive amounts of bulk emails.

Some bots also implement a special function to

simultaneously harvest email-addresses increasing

the amount and impact of this functionality (Leech

et al., 1928; B

acher et al., 2005).

•

Snifﬁng Trafﬁc: Bots can also use a packet snif-

fer to watch for interesting clear-text data passing

by a compromised machine, like usernames and

passwords. If a machine is compromised more

than once and is now a member of more than one

botnet, the packet snifﬁng allows to it to gather the

key information of the others botnets. Thus it is

possible to sniff other botnets using bots (B

acher

et al., 2005).

•

Keylogging: Bots can implement keylogger functi-

onalities in order retrieve sensitive information

from the zombie machines, that can lead to massive

identity theft (B

acher et al., 2005). One example

of a botnet that implements this functionality is

SpyBot (Barford and Yegneswaran, 2007).

•

Spreading new malware: Botnets typical imple-

ment auto-replication mechanisms, used to spread

new bots, but can also have functionalities to

spread other malware. The Witty worm, which

attacked the ICQ protocol parsing implementation

in Internet Security Systems (ISS) products is sus-

pected to have been initially launched by a botnet

due to the fact that the attacking hosts were not

running any ISS services (B

acher et al., 2005).

•

Google AdSense

abuse: An attacker can leverage

his botnet to click on these advertisements in an

automated fashion and thus artiﬁcially increment

the click counter (B

acher et al., 2005; Cole et al.,

2007).

•

Manipulating online polls and games: Online polls

and games are getting more and more attention

and its rather easy to manipulate them with botnets.

Since every bot has a distinct IP (Internet Protocol)

address, every vote will have the same credibility

as a vote cast by a real person (B

acher et al., 2005;

Cole et al., 2007).

•

Bitcoin mining: Due to the appearing of the

blockchain-based digital currencies like Bitcoin,

botnets combined computing power is being used

for bitcoin mining activities. One example is Ze-

roAccess botnet that already implements this fea-

ture (Wyke, 2012).

2.3 Botnet Detection

Botnet detection deals with the identiﬁcation of bots

in a machine or network so that some sort of patch can

AdSense offers companies the possibility to display

Google advertisements on their own website and earn money

this way. The company earns money due to clicks on these

ads, for example per 10.000 clicks in one month.

A Hands-on Approach on Botnets for Behavior Exploration

465

be applied. Despite the long existence of malicious

botnets, just a few formal studies have analyzed this

problem. One of the pioneering studies of the bot-

net thematic was the Honeynet project (B

acher et al.,

2005).

Due to the increasing impact of the botnets (and

related attacks) this has become a major research topic

in recent years. As suggested by Feily (Feily et al.,

2009) there are mainly two ways of botnet detection

and tracking. Setting up honeynets, that is specially

important for the understanding of the characteristics

of the botnet, and passive trafﬁc monitoring and analy-

sis, which is the most used approach for detecting bot

infections, both approaches are usually integrated with

Intrusion Detection System (IDS) (Gu et al., 2008b).

As for passive trafﬁc monitoring and analysis there

are some relevant techniques being used (Feily et al.,

2009):

•

Signature-based Detection: Uses the signatures

of current botnets for their detection. The main

problem with this method is that it’s only able to

detect well known botnets. Thus, unknown botnets

can’t be detected by this method (Feily et al., 2009;

acher et al., 2005).

•

Anomaly-based Detection: Botnet detection is per-

formed by considering several different network

trafﬁc anomalies, including high network latency,

high trafﬁc volume, trafﬁc on unusual ports, and ot-

her unusual system behavior that could indicate the

presence of malicious bots in the network (Feily

et al., 2009; B

acher et al., 2005; Gu et al., 2008b).

•

DNS-based Detection: This technique bases it-

self on particular DNS (Domain Name System)

information generated by a botnet, being similar to

anomaly detection techniques (Feily et al., 2009;

Choi et al., 2007).

•

Mining-based Detection: Because identiﬁcation of

botnet trafﬁc, is a difﬁcult task, due to the similari-

ties with normal trafﬁc, this approach uses several

data mining and machine learning techniques to

detect botnet trafﬁc. One example is the BotMiner

which uses clustering techniques in order to detect

botnet trafﬁc (Gu et al., 2008a).

3 IMPLEMENTATION

With the goal of producing a real hands-on tool for

testing and developing purposes we created a base core

for a botnet lab which comprehends, a communication

Signature is an algorithm or hash that uniquely identiﬁes

a speciﬁc virus.

protocol, a command and control center, encryption

capabilities and a basic bot implementation with some

built-in features.

The botnet built using this laboratory matches the

general architecture for any botnet based on a C&C

architecture. Our actor is the (Bot) Herder or (Bot)

Master, that operates using a special IRC client (which

is part of this laboratory) and connects to a IRC-Server

(IRCD-Hybrid) where all the bots also connect to.

Whenever the Master sends a message to the IRC

Server, it will broadcast it to all the connected bots.

By connected bots, we mean bots that are already

hosted in a machine (which for the purpose of this tool

can be a local, virtual or foreign machine) and have

started and connected themselves to the server has then

acknowledged them. Having received a message, the

bot will execute the requested action.

3.1 Architecture

The main network components that interact with the

botnet are showed in ﬁg.2. This ﬁgure also illustrates

a practical use of the lab, having a relation of one

master to many bots, which can be deployed in several

machines.

IRCD-Hybrid

Server

Bot Herder

Controller

Application

PasteBin API

Mandrill API

Imgur API

Figure 2: Network diagram.

This project neither exploits software vulnerabili-

ties nor mention ways of using them to place bots in

remote machines escaping detection from their owners.

With this in mind, when using this lab a bot should

be placed on a machine whose owner willingly and

knowingly accepts it. After it has been successfully

deployed, its typical communication process with the

master, through an IRC server, goes like the following:

<- : irc1 . XXXXXX . XXX N OTICE AUTH : * * *

Loo k i ng up your h o stnam e

<- : irc1 . XXXXXX . XXX N OTICE AUTH : * * *

Found your hostn a me

-> PASS sec rets erve r pas s

-> NICK [ urX ] - 7 0 0 1 5 9

-> USER mltfvt 0 0 : m l tfvt

<- : irc1 . XXXXXX . XXX N OTICE [ urX ] - 7 0 0 1 5 9

:*** If you are havin g p r ob l em s

co n ne c ti ng du e to p i n g timeouts ,

WICSPIT 2017 - Special Session on Innovative CyberSecurity and Privacy for Internet of Things: Strategies, Technologies, and

Implementations

466

plea s e type / qu o t e pong ED3 2 27 2 2 or

/ raw pong ED3 2 27 2 2 now .

<- PING : ED 3 22 7 22

-> PONG : ED 3 22 7 22

<- : irc1 . XX XXX X . XXX 001 [ urX ] -700159 :

Wel c o me to the ir c 1 . X X X XX X

IR C Net w or k

[ urX ] -70 0 1 5 9 ! m lt fv t@ ni ce tr y

<- : irc1 . XX XXX X . XXX 002 [ urX ] -700159 :

Your host is irc1 . XX XXXX ,

run n i ng ve r si o n IRCd - Hybr i d

<- : irc1 . XX XXX X . XXX 003 [ urX ] -700159 :

This se r ver was cre a ted

Se t 8 1 8 :5 8 :3 1 2015

<- : irc1 . XX XXX X . XXX 004 [ urX ] -700159

irc1 . XX XXX X . XXX IRCd - H y b ri d

io wg hr aAs OR TVS xN CW qB z vd HtG p

lv ho psm nt ikr Rc aqO AL QbS eK VfM GC uzN

Afterwards, the server accepts

the bot as a client and replies with

RPL ISUPPORT, RPL MOTDSTART, RPL MOTD,

RPL ENDOFMOTD or ERR NOMOTD. Replies

starting with RPL contain information for the client,

for example RPL ISUPPORT tells the client which

features the server understands and RPL MOTD

indicates the Message Of The Day. In contrast to this,

ERR NOMOTD is an error message if no MOTD is

available.

On RPL ENDOFMOTD or ERR NOMOTD, the

bot will try to join his master’s channel with the provi-

ded password:

-> JOIN # bot n e t ch an ne lp as sw or d

-> MODE [ urX ] -700159 + x

After the bot establishes a connection with the ser-

ver, it will remain there listening to commands from

the master and replying to them accordingly. This

initial connection and command broadcasting, by the

master, can be visualized in the sequence diagram in

ﬁg. 3.

3.2 Technologies

Concerning the IRC server we used a IRCd-hybrid ser-

ver - “A lightweight, high-performance internet relay

chat daemon.” (Team, 2015).

As our development tool we used Python 2.7 (Foun-

dation, 2015) with the help of some external libraries.

With it, we built the bots, both master and slaves, along

with the whole lab infrastructure.

Having a IRC server set up, we had the need for an

IRC Client to manually communicate with the bots as

well as to maintain a visual representation of the tool.

Such client was built using Python 2.7 (Foundation,

2015) as well.

As mentioned before, it was not feasible to build all

the tools from scratch for most of our needs during the

Bot Herder

Command-and-control

Server

Bot

Authentication (Password)

alt

Authentication O.K.

Failed to Authenticate

Bot

Other Bots

Send Request (ex. Keylogger)

Broadcast (ex. Keylogger)

Response encrypted with RSA

loop

[parameters]

PING

PONG

PING

PONG

It's alive check

[parameters]

Authentication (Password)

alt

Authentication OK

Failed to Authenticate

Figure 3: Basic use sequential diagram.

development of the lab. We had available to us many

external, public available, tools and services, namely

API’s, with proved stability and reliability. Of those,

we used the following:

• Freegeoip

: provides a public REST API for soft-

ware developers to search the geolocation of IP

addresses. It uses a database of IP addresses that

are associated to cities along with other relevant

information like time zone, latitude and longitude.

• Google Static Map API

: creates a map based on

URL parameters sent through a standard HTTPS

request.

• Mandrill

: is a reliable, scalable, and secure API

for delivering and manage transactional emails.

• Pastebin

: a website where we can store text for a

certain period of time.

• Imgur API

: an image storage website.

All the developed objects, namely the client and

the bot, are cross-platform, capable of running on both

Windows and Linux machines. The exception goes to

the IRCd-Hybrid server that needs a Linux machine to

work.

3.3 Details

Amongst all the base functionalities provided for this

lab, there are some which we’ll highlight given their

more complex and unusual behavior. Speciﬁcally the

features of spam and screenshot/webcam request.

https://freegeoip.net/

http://mandrill.com/

http://pastebin.com/

https://api.imgur.com/

A Hands-on Approach on Botnets for Behavior Exploration

467

First, the Spam feature. To avoid the trouble of

setting up a SMTP (Simple Mail Transfer Protocol)

server on every bot we used the Mandrill API to send

e-mails. This might seem unusual, because we are

centralizing all the trafﬁc on one e-mail sender API

with low free quotas and so risking the account being

blocked. However, by sending an API Key in the

request sent to a bot, whenever we request the spam

feature, if an API Key is blocked a different API Key

is sent in future request. Additionally, the PasteBin

service is used, taking advantage of its anonymous and

hidden ﬁle ability to host relevant data, like the e-mail

sending list, the API Key and message that the master

wants to send as email spam. With this service, all that

is left to send is the URL that compiles this information

to the bot. Figure 4 show how this particular feature

would function in a practical use.

Bot Herder

Command-and-control

Server

Bot

Authentication (Password)

alt

Authentication O.K.

Failed to Authenticate

Send Spam Request

loop

[parameters]

Bot

PasteBin API

Request Mail Recipient List

Bot

Mandrill API

Request API Key

and Message Content

Simple Send Mail Request

Figure 4: Spam case sequential diagram.

In the functionality of Screenshot/Webcam, the

bots use the Imgur API in order to store images, either

an image ﬁle of a screenshot or a photo from the we-

bcam. Following the request sent by the botmaster

to a given bot, the bot will then store an image ﬁle

online using Imgur and report back to the master just

the URL of the hosted picture as we can see on ﬁg. 5.

Bot Herder

Command-and-control

Server

Bot

Authentication (Password)

alt

Authentication O.K.

Failed to Authenticate

Send Webcam/Screen Request

Broadcast Webcam/Screen Request

Response encrypted with RSA

loop

[parameters]

Bot

Imgur API

Image Hosting Request

Image URL (Plain Text)

Figure 5: Webcam/Screenshot case sequential diagram.

Additionally, in order to better check the bots that

are working and where they are located at a certain

point, we use the Freegeoip’s public REST (Represen-

tational State Transfer) API to search geolocations of

IP addresses and Google’s Static Map API for retrie-

ving and displaying the relative world position of the

controlled hosts (ﬁg.6). The result of both these two

tools put together is a map of the world with pinpoints

on all the bots active in that instance of the botnet lab.

Bot Herder

Command-and-control

Server

Bot

Authentication (Password)

alt

Authentication O.K.

Failed to Authenticate

Send BotList Request

Broadcast WHO Request

Host List Response

Bot

Broadcast WHO Request

freegeoip API

Hosts

Host Location Response

Google Maps

Static API

Host Location Coordinates

Map URL

Figure 6: Location request case sequential diagram.

Also, we use RSA encryption (R.L. Rivest and

Adleman, 1978) so that the master is the only one

capable of decrypting the messages sent by the bots

given it is the private key owner. The bots encrypt the

messages using the public key deﬁned by the master.

4 CONCLUSION AND FURTHER

WORK

As of today, botnets are a big issue in computer se-

curity. Botnets are responsible for many malicious

activities, including spam and DDoS, targeting every

type of device, from normal computers up to embed-

ded Linux devices.

After proceeding to an evaluation of the research

being done in the area of botnets, we found the lack of

a simple way to build and modify a botnet. In order

to overcome this lack of research, we implemented

a simple core tool for anyone who wants to setup a

botnet laboratory, following the base build principles

of common botnets. The resulting work is open-source

on GitHub (https://github.com/jpdias/botnet-lab).

There is, however, some future work that can be

done in order for the tool to reach its full potential.

First off, the addition of some out-of-the-box

functionalities (such as keylogging and DDoS) for the

base tool besides the existing ones. Following that, we

could implement some resilience and auto-replication

techniques, resorting to, for example, the exploit of

any known software vulnerability.

Also, the security functionalities of the botnet

could be improved, like, for example, the implementa-

tion of self-defense mechanisms against third-parties.

WICSPIT 2017 - Special Session on Innovative CyberSecurity and Privacy for Internet of Things: Strategies, Technologies, and

Implementations

468

Given the nature of this tool it would be interesting

to improve the whole setup of the environment to ease

the user (developer or researcher) experience. This

can be accomplished with, for example, the favor of

addition of new functionalities in a framework-like

way and the possibility of personalize every setting in

the core tool.

REFERENCES

Abraham, S. and Chengalur-Smith, I. (2010). An overview

of social engineering malware: Trends, tactics, and

implications. Technology in Society, 32(3):183 – 196.

Anderson, D. P., Cobb, J., Korpela, E., Lebofsky, M., and

Werthimer, D. (2002). Seti@home: An experiment in

public-resource computing. Commun. ACM, 45(11):56–

61.

Barford, P. and Yegneswaran, V. (2007). An Inside Look at

Botnets, pages 171–191. Springer US, Boston, MA.

acher, P., Holz, T., K

otter, M., and Wicherski, G. (2005).

Know your enemy: Tracking botnets.

Bertino, E. and Islam, N. (2017). Botnets and internet of

things security. Computer, 50(2):76–79.

Choi, H., Lee, H., Lee, H., and Kim, H. (2007). Botnet

detection by monitoring group activities in dns trafﬁc.

In 7th IEEE International Conference on Computer

and Information Technology (CIT 2007), pages 715–

720.

Cole, A., Mellor, M., and Noyes, D. (2007). Botnets: The

rise of the machines. In Proceedings on the 6th Annual

Security Conference, pages 1–14.

Cooke, E., Jahanian, F., and McPherson, D. (2005). The zom-

bie roundup: Understanding, detecting, and disrupting

botnets. SRUTI, 5:6–6.

Dittrich, D. and Dietrich, S. (2008). P2p as botnet command

and control: A deeper insight. In 2008 3rd Internatio-

nal Conference on Malicious and Unwanted Software

(MALWARE), pages 41–48.

DSLReports.com (2009). What is a botnet trojan?

Feily, M., Shahrestani, A., and Ramadass, S. (2009). A

survey of botnet and botnet detection. In 2009 Third

International Conference on Emerging Security Infor-

mation, Systems and Technologies, pages 268–273.

Foundation, P. S. (2015). Python programming language.

Grizzard, J. B., Sharma, V., Nunnery, C., Kang, B. B., and

Dagon, D. (2007). Peer-to-peer botnets: Overview and

case study. HotBots, 7:1–1.

Gu, G., Perdisci, R., Zhang, J., Lee, W., et al. (2008a). Botmi-

ner: Clustering analysis of network trafﬁc for protocol-

and structure-independent botnet detection. In USENIX

Security Symposium, volume 5, pages 139–154.

Gu, G., Zhang, J., and Lee, W. (2008b). Botsniffer: De-

tecting botnet command and control channels in net-

work trafﬁc.

Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., and

Jones, L. (1928). Socks protocol version 5.

Li, C., Jiang, W., and Zou, X. (2009a). Botnet: Survey and

case study. In 2009 Fourth International Conference

on Innovative Computing, Information and Control

(ICICIC), pages 1184–1187.

Li, C., Jiang, W., and Zou, X. (2009b). Botnet: Survey and

case study. In innovative computing, information and

control (icicic), 2009 fourth international conference

on, pages 1184–1187. IEEE.

Mirkovic, J. and Reiher, P. (2004). A taxonomy of ddos at-

tack and ddos defense mechanisms. SIGCOMM Com-

put. Commun. Rev., 34(2):39–53.

Ollmann, G. (2009). Botnet communication topologies -

understanding the intricacies of botnet command-and-

control.

Rataj, M. (2014). Simulation of Botnet C&C Channels.

PhD thesis, Ph. D Dissertation, Faculty of Electrical

Engineering-Department of Computer Science and En-

gineering, Czech Technical University in Prague.

R.L. Rivest, A. S. and Adleman, L. (1978). A method for

obtaining digital signatures and public-key cryptosys-

tems.

Room, S. I. R. (2003). Bots & botnet: An overview.

Seenivasan, D. and Shanthi, K. (2014). Categories of botnet:

a survey. Int. J. Comput. Control Quantum Inf. Eng,

8(9):1589–1592.

Sharma, S., Garg, S., Karodiya, A., and Gupta, H. (2016).

Distributed denial of service attack. 4.

Tanwar, G. S. and Goar, V. (2014). Tools, techniques &

analysis of botnet. In Proceedings of the 2014 Interna-

tional Conference on Information and Communication

Technology for Competitive Strategies, ICTCS ’14, pa-

ges 92:1–92:5, New York, NY, USA. ACM.

Team, I.-H. D. (2015). Ircd-hybrid.

Wyke, J. (2012). The zeroaccess botnet: Mining and fraud

for massive ﬁnancial gain. Sophos Technical Paper.

A Hands-on Approach on Botnets for Behavior Exploration

469