< Call for Paper: Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA'08) | Technical Report: Studying Malicious Websites and the Underground Economy on the Chinese Web >

Technical Report: Characterizing the IRC-based Botnet Phenomenon

Together with a few researchers from China, we studied IRC-based botnets in order to understand the extent of this phenomenon. Using different kinds of honeypots and several sensors deployed across different regions in China, we were able to collect thousands of bot binaries. With the help of a behavior-based analysis mechanism similar to CWSandbox, we could extract the Command & Control (C&C) server in an automated way. In a third step, we used this information to connect to the actual C&C server and passively monitored the activity in the channel. Furthermore, we also actively probed the C&C servers to find out other characteristics of these machines. The complete setup and our results are described in a technical report we just published.

Abstract:
Botnets, networks of compromised machines that can be remotely controlled by an attacker, are one of the most common attack platforms nowadays. They can, for example, be used to launch distributed denial-of-service (DDoS) attacks, steal sensitive information, or send spam emails. A long-term measurement study of botnet activities is useful as a basis for further research on global botnet mitigation and disruption techniques. We have built a distributed and fully-automated botnet measurement system which allows us to collect data on the botnet activity we observe in China. Based on the analysis of tracking records of 3,290 IRC-based botnets during a period of almost twelve months, this paper presents several novel results of botnet activities which can only be measured via long-term easurements. These include. amongst others, botnet lifetime, botnet discovery trends and distributions, command and control channel distributions, botnet size and end-host distributions. Furthermore, our measurements confirm and extend several previous results from this area.

Our results show that the botnet problem is of global scale, with a scattered distribution of the control infrastructure and also a scattered distribution of the victims. Furthermore, the control infrastructure itself is rather flexible, with an average lifetime of a Command & Control server of about 54 days. These results can also leverage research in the area of botnet detection, mitigation, and disruption: only by understanding the problem in detail, we can develop efficient counter measures.


The complete report is available as TR-2007-010. And more information regarding the Chinese Honeynet Project is available at the website of the Artemis Project.
This entry was posted by Thorsten Holz on Monday, December 3. 2007 at 14:02. and is filed under honeynets, malware, paper. You can leave a response, or trackback from your own blog. All new comments are subject to moderation before being displayed.

Trackbacks

Trackback specific URI for this entry
  1. IRC-Botnets, tiefer Einblick

    Thorsten Holz berichtet in seinem Blog über die Ergebnisse eines genauen Studie des Phänomens “IRC-based Botnets“. In Zusammenarbeit mit Mitglieder des chinesischen Honeynet Project Teams wurde ein sehr detaillierten Einblick in d...

    Weblog: GlasBlog
    Tracked: Dec 04, 00:27

Comments

Display comments as (Linear | Threaded)

    No comments


Add Comment


Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA
 
Submitted comments will be subject to moderation before being displayed.