An Inside Look at Botnets

Abstract

The continued growth and diversification of the Internet has been accompanied by an increasing prevalence of attacks and intrusions [40]. It can be argued, however, that a significant change in motivation for malicious activity has taken place over the past several years: from vandalism and recognition in the hacker community, to attacks and intrusions for financial gain. This shift has been marked by a growing sophistication in the tools and methods used to conduct attacks, thereby escalating the network security arms race. Our thesis is that the reactive methods for network security that are predominant today are ultimately insufficient and that more proactive methods are required. One such approach is to develop a foundational understanding of the mechanisms employed by malicious software (malware), which is often readily available in source form on the Internet. While it is well known that large IT security companies maintain detailed databases of this information, these are not openly available and we are not aware of any such open repository. In this paper we begin the process of codifying the capabilities of malware by dissecting four widely-used Internet Relay Chat (IRC) botnet codebases. Each codebase is classified along seven key dimensions including botnet control mechanisms, host control mechanisms, propagation mechanisms, exploits, delivery mechanisms, obfuscation and deception mechanisms. Our study reveals the complexity of botnet software, and we discuss implications for defense strategies based on our analysis.

DOI: 10.1007/978-0-387-44599-1_8

291 Citations

Semantic Scholar estimates that this publication has 291 citations based on the available data.

Cite this paper

@inproceedings{Barford2007AnIL,
  title={An Inside Look at Botnets},
  author={Paul Barford and Vinod Yegneswaran},
  booktitle={Malware Detection},
  year={2007}
}