Your botnet is my botnet: analysis of a botnet takeover

@inproceedings{StoneGross2009YourBI,
  title={Your botnet is my botnet: analysis of a botnet takeover},
  author={Brett Stone-Gross and Marco Cova and Lorenzo Cavallaro and Bob Gilbert and Martin Szydlowski and Richard A. Kemmerer and Christopher Kr{\"u}gel and Giovanni Vigna},
  booktitle={Conference on Computer and Communications Security},
  year={2009}
}
Botnets, networks of malware-infected machines that are controlled by an adversary, are the root cause of a large number of security problems on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program that is designed to harvest sensitive information (such as bank account and credit card data) from its victims. In this paper, we report on our efforts to take control of the Torpig botnet and study its operations for a period of ten days. During this time… 

Master of Puppets: Analyzing And Attacking A Botnet For Fun And Profit

This paper identifies the key functionalities a spamming botnet needs in order to operate effectively, and develops a number of attacks against the command and control logic of Cutwail that target those functionalities and make the botnet's spamming operations less effective.

Mining the Network Behavior of Bots

This work presents an approach to detecting bot-infected hosts that is independent of the underlying botnet structure, detects individually infected hosts, and does not rely on the presence of noisy malicious activity, so it can also catch communication patterns that resemble legitimate traffic.

Botnet over Tor: The illusion of hiding

It is shown that using Tor does not, in fact, provide the anonymity a botnet needs: Tor-based botnets remain detectable and susceptible to attacks.

Detecting Active Bot Networks Based on DNS Traffic Analysis

The proposed method recognizes both known and unknown bots: data generated from network traffic, together with information about known botnets, is fed into the Splunk platform for analysis, so that attacks can be identified quickly and emerging threats anticipated.
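The DNS-based approach summarized above combines two signals: matches against intelligence on known botnets, and traffic features that betray bots no one has catalogued yet. The following is an added example illustrating that combination in working code; it is not code from the paper, from this page, or from Splunk. The log lines and the "known C&C" domain list are constructed for the demo, the field layout (`timestamp client qname rcode`) is an assumed format, and the unknown-bot heuristic (a high NXDOMAIN ratio over high-entropy hostnames, the footprint of a domain-generation algorithm) goes slightly beyond the one-line summary, which names no specific features.

```python
"""DNS-traffic heuristics for flagging bot-infected hosts.

Added example, not code from any of the papers on this page. The log
text, the known-C&C list and the log format are all constructed here.
"""
import math
from collections import defaultdict

# Constructed stand-in for a threat-intel feed of known botnet C&C domains.
KNOWN_CNC = {"cnc-update.example", "panel.badbot.example"}

# Constructed DNS query log, one query per line: "timestamp client qname rcode".
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.example.com NOERROR
1700000002 10.0.0.5 mail.example.com NOERROR
1700000003 10.0.0.5 cdn.example.net NOERROR
1700000004 10.0.0.7 qzxkvrltpa.example NXDOMAIN
1700000005 10.0.0.7 mwplqzxvun.example NXDOMAIN
1700000006 10.0.0.7 tgkrxzpwqa.example NXDOMAIN
1700000007 10.0.0.7 bvnmqzxrtl.example NXDOMAIN
1700000008 10.0.0.7 cnc-update.example NOERROR
1700000009 10.0.0.9 www.example.com NOERROR
1700000010 10.0.0.9 zzz.example NXDOMAIN
"""


def parse_log(text):
    """Yield (client, qname, rcode) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        yield client, qname.lower().rstrip("."), rcode


def second_level(qname):
    """Crude registrable-domain guess: last two labels ('www.example.com' -> 'example.com')."""
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def label_entropy(label):
    """Shannon entropy in bits per character; DGA-generated labels tend to score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_clients(log_text, nx_ratio_threshold=0.5, min_queries=3, min_entropy=3.0):
    """Return {client: [reason, ...]}; an empty list means nothing suspicious was seen.

    Known-bot signal: any query for a domain on the KNOWN_CNC list.
    Unknown-bot signal: enough queries, a high share of NXDOMAIN answers, and
    high mean entropy of the leftmost label (DGA-style probing for a live C&C).
    """
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "entropies": [],
                                 "domains": set(), "known_hits": set()})
    for client, qname, rcode in parse_log(log_text):
        s = stats[client]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
        s["entropies"].append(label_entropy(qname.split(".")[0]))
        s["domains"].add(second_level(qname))
        if qname in KNOWN_CNC or second_level(qname) in KNOWN_CNC:
            s["known_hits"].add(qname)

    verdicts = {}
    for client, s in stats.items():
        reasons = []
        if s["known_hits"]:
            reasons.append("known C&C: " + ",".join(sorted(s["known_hits"])))
        nx_ratio = s["nx"] / s["total"]
        mean_entropy = sum(s["entropies"]) / len(s["entropies"])
        if (s["total"] >= min_queries and nx_ratio >= nx_ratio_threshold
                and mean_entropy >= min_entropy):
            reasons.append(f"DGA-like: NXDOMAIN ratio {nx_ratio:.2f}, "
                           f"mean label entropy {mean_entropy:.2f}, "
                           f"{len(s['domains'])} distinct domains")
        verdicts[client] = reasons
    return verdicts


def flagged_hosts(log_text):
    """Sorted list of clients that triggered at least one reason."""
    return sorted(c for c, r in score_clients(log_text).items() if r)


if __name__ == "__main__":
    for client, reasons in sorted(score_clients(SAMPLE_LOG).items()):
        print(client, reasons or "clean")
```

On the constructed log, 10.0.0.7 is flagged twice (it resolves a listed C&C domain and its lookups are mostly NXDOMAIN over random-looking labels), while 10.0.0.9, which has a single typo-like NXDOMAIN, stays below the query-count threshold. In production the thresholds need tuning against a baseline of the local network, since CDN hostnames and some legitimate software also produce high-entropy labels; the NXDOMAIN ratio is what separates probing from ordinary noise.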

Detecting HTTP Botnet using Artificial Immune System (AIS)

An artificial immune system (AIS) is used to detect the malicious activities of bot-infected hosts, such as spamming and port scanning, so that the HTTP bot can be identified and removed from the affected system.

The Next Generation Botnet Attacks And Defenses

This dissertation focuses on two areas of the next generation botnet attacks and defenses: the peer-to-peer (P2P) structured botnets and the possible honeypot detection techniques used by future botnets.

Analysis of a “/0” Stealth Scan From a Botnet

A detailed dissection of the botnet's scanning behavior is offered, including general methods to correlate, visualize, and extrapolate botnet behavior across the global Internet.

CABD: A Content Agnostic Botnet Detection System

CABD should work independent of the underlying botnet structure, be able to detect infected hosts without the correlation of network events between two or more hosts, and, as “content agnostic” implies, perform detection in spite of encryption.