A parallel cyber universe: Botnet implementations over TOR-like networks

Abstract

The first bot implemented in the history of computers was the Eggdrop (Fisher J 1998). The first instance of this kind was benign, it was an automated management tool for Internet Relay Chat (IRC) rooms. It wasn't much later when Internet users experienced the first botnet attack. The GTbot family was the first known malicious automated attack network on IRCs (Bächer et al. 2009) and new era for bots had begun. Botnets can be practically defined as a network of infected smart devices. As a result of the infiltration attacks made on a victim's computer with different malwares and zero-day attacks the control of the computer is confiscated without the victim being aware of it. Confiscated machines are connected to Command and Control (C&C) centers. In the case of a single infection this attack is nothing more than a data theft or privilege escalation. However when the number of the infected devices scales up to thousands the attack becomes a mass destruction weapon on global companies' networks. Amazon Spotify Twitter and many more companies were affected by DDoS attacks by the Mirai botnet in October 2016 (Allison Nixon John Costello 2016). The Mirai botnet was conducted by a malicious network utilizing the IoT devices. Moreover an even worse fact was the announcement of more similar botnet attacks after that October (Paganini 2016 Anon 2016). Today honeypot-based signature-based and host-based defenses as well as active and passive monitoring techniques are being developed against botnets (Silva et al. 2013). Botnets are fighting back for their existence by using binary obfuscation fast-flux networks domain generation algorithm (DGA) techniques and polymorphism while ciphering IP spoofing multi-hopping and email spoofing (Rodríguez-Gómez et al. 2013 Wang et al. 2016). Another important technique for botnets is to utilize The Onion Routing (TOR) networks where the communication scheme of the bot network is anonymized in the layers of the TOR scheme. The name of this network comes from a reference to the multi-layered structure of an onion. This research presents a novel implementation of a hidden botnet mechanism over like networks to The Onion Routing (TOR) ones. The focus is on creating parallel cyber universes with TOR-like structures and hiding the existence of the botnets in the blind range of the Internet. The design of such a network and the attack vector is explained in detail for the first time in the literature. © 2023 Elsevier B.V. All rights reserved.