A Multifaceted Approach to Understanding the Botnet Phenomenon

At the upcoming Internet Measurement Conference 2006 (IMC'06), one of the papers deals with botnets. The paper "A Multifaceted Approach to Understanding the Botnet Phenomenon" by Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis from Johns Hopkins University presents results from their botnet studies. The data they collected is very similar to what we have collected at the German Honeynet Project; in fact, they use nepenthes as one of the basic building blocks of their system. They then analyze the collected binaries via "graybox testing" (logging all network-related activity of the executed binary, plus actively testing its IRC behavior). Perhaps CWSandbox would yield better results here. The resulting botnet information is then used to track the botnet with a drone, a similar approach to the one we presented in the "Know your Enemy: Tracking Botnets" paper and in our ESORICS'05 paper. They also use DNS cache snooping to learn more about malicious DNS entries, i.e., they query resolvers with recursion disabled to see whether a botnet-related name has recently been looked up by one of that resolver's clients.
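To make the DNS cache snooping step concrete, here is an added example (not code from the paper, from the authors, or from the Honeynet Project) that builds a DNS query with the recursion-desired bit cleared, parses the resolver's reply and classifies it as cached, not cached or refused. The hostname irc.example.net, the address 192.0.2.10 and the TTL values are constructed placeholders, and the reply parsed offline is synthesized by constructed_reply rather than captured traffic; snoop() is the only function that talks to a real resolver.

```python
import random
import socket
import struct
from typing import Optional

# Added example: DNS cache snooping. A query with RD=0 asks the resolver to
# answer only from its cache, so a positive answer means some client of that
# resolver looked the name up recently. All names/addresses are constructed
# (RFC 2606 / RFC 5737 documentation values), not real botnet data.

def encode_name(name: str) -> bytes:
    """Encode a dotted hostname into DNS wire-format labels."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_snoop_query(name: str, txid: Optional[int] = None, qtype: int = 1) -> tuple:
    """Build a non-recursive (RD=0) query for `name`; returns (txid, wire bytes)."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    flags = 0x0000  # QR=0, OPCODE=0, RD=0: cache lookup only, no recursion
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, 1)

def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_snoop_response(resp: bytes, txid: int) -> dict:
    """Classify a resolver's reply to an RD=0 query."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        value = socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((value, ttl))  # TTL is the remaining cache lifetime
    if rcode == 5:
        verdict = "refused"      # resolver does not serve non-recursive queries
    elif rcode == 0 and an > 0:
        verdict = "cached"       # a client of this resolver resolved the name recently
    else:
        verdict = "not-cached"   # NXDOMAIN or empty answer with recursion disabled
    return {"verdict": verdict, "rcode": rcode, "answers": answers}

def snoop(resolver_ip: str, name: str, timeout: float = 2.0) -> dict:
    """Send the RD=0 query to a resolver over UDP/53 and classify the reply (network I/O)."""
    txid, query = build_snoop_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        resp, _ = s.recvfrom(4096)
    return parse_snoop_response(resp, txid)

def constructed_reply(txid: int, name: str, rcode: int, a_records: list) -> bytes:
    """Synthesize a resolver reply for offline demonstration (constructed, not captured)."""
    flags = 0x8080 | rcode  # QR=1, RD=0 echoed back, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    body = encode_name(name) + struct.pack("!HH", 1, 1)
    for ip, ttl in a_records:
        # name pointer to offset 12 (the question name), type A, class IN, 4-byte rdata
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + body

if __name__ == "__main__":
    txid, _ = build_snoop_query("irc.example.net", txid=0x1234)
    print(parse_snoop_response(constructed_reply(txid, "irc.example.net", 0, [("192.0.2.10", 217)]), txid))
    print(parse_snoop_response(constructed_reply(txid, "irc.example.net", 3, []), txid))
```

Two caveats when running this against real resolvers: a cached answer carries a TTL that has already been counted down, so a TTL well below the authoritative one corroborates the cache hit, and a resolver that ignores the RD bit and recurses anyway will yield a false "cached" with a fresh TTL. Many resolvers today answer RD=0 queries with REFUSED, which the verdict reflects, and probing resolvers you are not authorized to query is a policy matter to settle first.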

Abstract:
The academic community has long acknowledged the existence of malicious botnets, however to date, very little is known about the behavior of these distributed computing platforms. To the best of our knowledge, botnet behavior has never been methodically studied, botnet prevalence on the Internet is mostly a mystery, and the botnet life cycle has yet to be modeled. Uncertainty abounds. In this paper, we attempt to clear the fog surrounding botnets by constructing a multifaceted and distributed measurement infrastructure. Throughout a period of more than three months, we used this infrastructure to track 192 unique IRC botnets of size ranging from a few hundred to several thousand infected end-hosts. Our results show that botnets represent a major contributor to unwanted Internet traffic—27% of all malicious connection attempts observed from our distributed darknet can be directly attributed to botnet-related spreading activity. Furthermore, we discovered evidence of botnet infections in 11% of the 800,000 DNS domains we examined, indicating a high diversity among botnet victims. Taken as a whole, these results not only highlight the prominence of botnets, but also provide deep insights that may facilitate further research to curtail this phenomenon.

BibTeX:
@inproceedings{,
  author    = {Moheeb Abu Rajab and Jay Zarfoss and Fabian Monrose and Andreas Terzis},
  title     = {A Multifaceted Approach to Understanding the Botnet Phenomenon},
  booktitle = {Proceedings of the Internet Measurement Conference 2006 (IMC'06)},
  year      = {2006},
  month     = {October},
}
