Algorithms Can Catch And Stop Botnets
May 2, 2012

Indian computer scientists have developed an algorithm that can be used not only to catch a botnet on a computer network but also to stop the malware from inflicting any harm on a machine. The scientists will explain their two-pronged approach in a forthcoming issue of the International Journal of Wireless and Mobile Computing.

Botnets have been in the headlines lately after the Flashback malware was found to have infected hundreds of thousands of Macs, enlisting them in a botnet.

Manoj Thakur of the Veermata Jijabai Technological Institute (VJTI) in Mumbai, India, and his colleagues developed a technique to find and attack botnets. Their strategy uses one algorithm to find suspected bots on a network and a second algorithm to confirm whether those bots are genuine and dangerous, blocking them from inflicting further harm on the network.

Thakur's first algorithm works as a standalone process and runs independently on each node of the network to monitor active processes. Since bots work more quickly than human-controlled machines, a jump in activity can signal the presence of a bot.

If the first algorithm returns a positive result, the second algorithm kicks in and tracks network traffic to determine "who" the bot is speaking with, what it is saying and what processes it is running. This second, network-level algorithm can then determine whether the spike in activity comes from a bot or from a legitimate problem in the system.

According to Thakur, the first algorithm can be used by administrators to determine if a bot exists, and can even find bots which were previously unseen by other testing methods. The second algorithm can be used to block the bot and safeguard the network. When used together, Thakur hopes the algorithms will not only reduce the damage done by these dangerous botnets, but will also increase accuracy when seeking them out.
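As an added illustration (not the authors' code, which the article does not show), here is a toy version of the two-stage idea over constructed data: stage one flags a host whose process activity jumps above its own baseline, and stage two checks that host's flows for a single process repeatedly contacting one external peer before a block rule is issued. The thresholds, the 10.0.0.0/8 internal range, and the host, process and address names are assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed data (not from the paper): process counts per host per interval; flows are (host, process, dst, bytes).
ACTIVITY = {
    "host-a": [40, 41, 42, 40, 43, 41, 42, 40, 41, 42, 41, 43],   # steady
    "host-b": [38, 39, 40, 39, 41, 40, 38, 39, 40, 95, 110, 120],  # spike: bot
    "host-c": [30, 31, 30, 32, 31, 30, 31, 30, 31, 70, 75, 72],    # spike: backup job
}
FLOWS = [
    ("host-b", "updater.exe", "203.0.113.7", 512),
    ("host-b", "updater.exe", "203.0.113.7", 530),
    ("host-b", "updater.exe", "203.0.113.7", 518),
    ("host-b", "updater.exe", "203.0.113.7", 525),
    ("host-b", "browser.exe", "198.51.100.4", 4096),
    ("host-c", "backup.exe", "10.0.0.20", 900000),
    ("host-c", "backup.exe", "10.0.0.20", 910000),
    ("host-c", "mail.exe", "10.0.0.25", 3000),
]

def stage1_spike(samples, baseline_len=8, z=3.0):
    """Host-side check: is recent activity far above this host's own baseline?"""
    base, recent = samples[:baseline_len], samples[baseline_len:]
    mu, sigma = mean(base), max(pstdev(base), 1.0)  # floor keeps a flat baseline usable
    return mean(recent) > mu + z * sigma

def stage2_confirm(host, flows, min_repeats=3, share=0.6):
    """Network-side check: is one process repeatedly talking to one external peer?"""
    own = [(proc, dst) for h, proc, dst, _ in flows if h == host]
    if not own:
        return None
    (proc, dst), n = Counter(own).most_common(1)[0]
    external = not dst.startswith("10.")  # assumption: 10.0.0.0/8 is the internal range
    if external and n >= min_repeats and n / len(own) >= share:
        return {"host": host, "process": proc, "peer": dst, "flows": n}
    return None

def detect(activity=ACTIVITY, flows=FLOWS):
    """Run both stages: confirmed bots get a block rule, other spikes are cleared."""
    confirmed, cleared = [], []
    for host, samples in activity.items():
        if not stage1_spike(samples):
            continue          # stage 2 only runs on hosts that stage 1 flagged
        verdict = stage2_confirm(host, flows)
        if verdict:
            verdict["block"] = f"drop traffic {host} -> {verdict['peer']}"
            confirmed.append(verdict)
        else:
            cleared.append(host)
    return confirmed, cleared
```

With the constructed data, host-b is confirmed (one process beaconing to one external address) while host-c's spike is cleared as an internal backup job.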

These botnets take control of the infected machine and allow the computer to carry out tasks or run processes without the owner's knowledge or permission. In addition to running programs locally, a botnet-controlled machine can also be used to carry out larger tasks on the internet. Since these machines are controlled by other machines, they can carry out these dirty tasks much more quickly than if they were controlled by human hands. These botnets are often controlled and organized by a "bot-master," who will often hire the bots out to malicious organizations to carry out criminal acts.

Most often used to send out email spam, botnets can perform and repeat simple tasks very quickly and are therefore capable of sending out millions of emails in a short period of time. Bots have also been used to spy on corporate networks and to carry out Distributed Denial of Service (DDoS) attacks on corporate and international networks. Bots can be illicitly installed on networked computers to be controlled later by the botmaster. More often, these bots are installed when a user visits a malicious link or site on the internet. Flashback, for example, installed itself on systems in a "drive-by" fashion, taking advantage of a Java vulnerability and installing itself on a machine even if the user simply visited a page without clicking any link or dialog box.