A parallel cyber universe: Botnet implementations over TOR-like networks

Authors: Yaǧci, H., Yüce, Ç. and Koltuksuz, A.

Journal: European Conference on Information Warfare and Security, ECCWS

Volume: 0

Pages: 537-543

eISSN: 2048-8610

ISBN: 9781911218432

ISSN: 2048-8602

Abstract:

The first bot implemented in the history of computers was the Eggdrop (Fisher J, 1998). This first instance was benign; it was an automated management tool for Internet Relay Chat (IRC) rooms. It wasn't much later that Internet users experienced the first botnet attack. The GTbot family was the first known malicious automated attack network on IRCs (Bächer et al. 2009), and a new era for bots had begun. Botnets can be practically defined as a network of infected smart devices. As a result of infiltration attacks made on a victim's computer with different malware and zero-day exploits, control of the computer is confiscated without the victim being aware of it. Confiscated machines are connected to Command and Control (C&C) centers. In the case of a single infection, this attack is nothing more than data theft or privilege escalation. However, when the number of infected devices scales up to thousands, the attack becomes a weapon of mass destruction against global companies' networks. Amazon, Spotify, Twitter, and many more companies were affected by DDoS attacks from the Mirai botnet in October 2016 (Allison Nixon, John Costello, 2016). The Mirai botnet was a malicious network built from IoT devices. Moreover, an even worse fact was the announcement of more, similar botnet attacks after that October (Paganini 2016, Anon 2016). Today, honeypot-based, signature-based, and host-based defenses, as well as active and passive monitoring techniques, are being developed against botnets (Silva et al. 2013). Botnets are fighting back for their existence by using binary obfuscation, fast-flux networks, domain generation algorithm (DGA) techniques, and polymorphism, as well as ciphering, IP spoofing, multi-hopping, and email spoofing (Rodríguez-Gómez et al. 2013, Wang et al. 2016).
Another important technique for botnets is to utilize The Onion Routing (TOR) network, where the communication scheme of the bot network is anonymized in the layers of the TOR scheme. The name of this network comes from a reference to the multi-layered structure of an onion. This research presents a novel implementation of a hidden botnet mechanism over networks like The Onion Routing (TOR) network. The focus is on creating parallel cyber universes with TOR-like structures and hiding the existence of the botnets in the blind range of the Internet. The design of such a network and the attack vector is explained in detail for the first time in the literature.

Source: Scopus