An Inside Look at Botnets

  • Conference paper
Malware Detection

Part of the book series: Advances in Information Security ((ADIS,volume 27))

Summary

The continued growth and diversification of the Internet has been accompanied by an increasing prevalence of attacks and intrusions [40]. It can be argued, however, that a significant change in motivation for malicious activity has taken place over the past several years: from vandalism and recognition in the hacker community, to attacks and intrusions for financial gain. This shift has been marked by a growing sophistication in the tools and methods used to conduct attacks, thereby escalating the network security arms race.

Our thesis is that the reactive methods for network security that predominate today are ultimately insufficient and that more proactive methods are required. One such approach is to develop a foundational understanding of the mechanisms employed by malicious software (malware), which is often readily available in source form on the Internet. While it is well known that large IT security companies maintain detailed databases of this information, these are not openly available, and we are not aware of any such open repository. In this chapter we begin the process of codifying the capabilities of malware by dissecting four widely used Internet Relay Chat (IRC) botnet codebases. Each codebase is classified along seven key dimensions: botnet control mechanisms, host control mechanisms, propagation mechanisms, exploits, delivery mechanisms, obfuscation mechanisms, and deception mechanisms. Our study reveals the complexity of botnet software, and we discuss the implications of our analysis for defense strategies.


References

  1. Computer Associates. GTBot. http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453073312, 1998.
  2. M. Bailey, E. Cooke, F. Jahanian, J. Nazario, and D. Watson. The Internet Motion Sensor: A Distributed Blackhole Monitoring System. In Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, CA, January 2005.
  3. P. Barford. The Wisconsin Advanced Internet Laboratory. http://wail.cs.wisc.edu, 2005.
  4. J. Canavan. The Evolution of IRC Bots. In Proceedings of the Virus Bulletin Conference 2005, October 2005.
  5. E. Cooke, F. Jahanian, and D. McPherson. The Zombie Roundup: Understanding, Detecting and Disrupting Botnets. In Proceedings of the USENIX Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI '05), Cambridge, MA, July 2005.
  6. P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Miné, D. Monniaux, and X. Rival. The Astrée Static Analyzer. http://www.astree.ens.fr, 2005.
  7. Coverity. Coverity Prevent. http://www.coverity.com, 2005.
  8. DETER. A Laboratory for Security Research. http://www.isi.edu/deter, 2005.
  9. D. Dittrich. Distributed Denial of Service (DDoS) Attacks/Tools. http://staff.washington.edu/dittrich/misc/ddos/, 2005.
  10. J. Evers. Dutch Police Nab Suspected Bot Herders. CNET News.com, October 2005.
  11. F-Secure Corporation's Data Security Summary for 2004. http://www.f-secure.com/2004, 2004.
  12. German Honeynet Project. Tracking Botnets. http://www.honeynet.org/papers/bots, 2005.
  13. A. Gostev. Malware Evolution: January-March 2005. http://www.viruslist.com, 2005.
  14. M. Handley, C. Kreibich, and V. Paxson. Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. In Proceedings of the USENIX Security Symposium, Washington, DC, August 2001.
  15. The Honeynet Project. http://project.honeynet.org, 2003.
  16. Honeynet Scan of the Month 32. http://www.honeynet.org/scans/scan32/, 2005.
  17. IDA Pro. http://www.datarescue.com, 2005.
  18. S. Kandula, D. Katabi, M. Jacob, and A. Berger. Botz-4-Sale: Surviving Organized DDoS Attacks That Mimic Flash Crowds. In Proceedings of the USENIX Symposium on Networked Systems Design and Implementation (NSDI), Boston, MA, May 2005.
  19. D. Kawamoto. Bots Slim Down to Get Tough. CNET News.com, November 2005.
  20. A. Kumar, V. Paxson, and N. Weaver. Exploiting Underlying Structure for Detailed Reconstruction of an Internet-Scale Event. In Proceedings of the ACM Internet Measurement Conference, November 2005.
  21. McAfee. W32/Spybot.worm. http://vil.nai.com/vil/content/v.100282.htm, 2003.
  22. Metasploit. http://www.metasploit.com, 2005.
  23. D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the Slammer Worm. IEEE Security and Privacy, July 2003.
  24. D. Moore and C. Shannon. The Spread of the Witty Worm. http://www.caida.org/analysis/security/witty/, 2004.
  25. D. Moore, C. Shannon, and K. Claffy. Code-Red: A Case Study on the Spread and Victims of an Internet Worm. In Proceedings of the ACM Internet Measurement Workshop, November 2002.
  26. R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson. Characteristics of Internet Background Radiation. In Proceedings of the ACM Internet Measurement Conference, Taormina, Italy, October 2004.
  27. Regmon. http://www.sysinternals.com, 2005.
  28. California Man Charged in Botnet Attacks. Reuters, November 2005.
  29. B. Saha and A. Gairola. Botnet: An Overview. CERT-In White Paper CIWP-2005-05, June 2005.
  30. SoftICE Driver Suite. http://www.compuware.com/products/driverstudio/softice.htm, 2005.
  31. Sophos. Troj/Agobot-A. http://www.sophos.com/virusinfo/analyses/trojagobota.html, 2002.
  32. Sophos. Troj/SDBot. http://www.sophos.com/virusinfo/analyses/trojsdbot.html, 2002.
  33. Sophos Virus Analyses. http://www.sophos.com/virusinfo/analyses, 2005.
  34. S. Staniford, V. Paxson, and N. Weaver. How to 0wn the Internet in Your Spare Time. In Proceedings of the 11th USENIX Security Symposium, August 2002.
  35. I. Thomson. Hackers Fight to Create World's Largest Botnet. http://www.vnunet.com, August 2005.
  36. J. Ullrich. DShield. http://www.dshield.org, 2005.
  37. D. Verton. Organized Crime Invades Cyberspace. http://www.computerworld.com, August 2004.
  38. M. Vrable, J. Ma, J. Chen, D. Moore, E. Vandekieft, A. Snoeren, G. Voelker, and S. Savage. Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm. In Proceedings of the ACM Symposium on Operating Systems Principles (SOSP), Brighton, England, October 2005.
  39. V. Yegneswaran, P. Barford, and D. Plonka. On the Design and Use of Internet Sinks for Network Abuse Monitoring. In Proceedings of Recent Advances in Intrusion Detection (RAID), Sophia Antipolis, France, September 2004.
  40. V. Yegneswaran, P. Barford, and J. Ullrich. Internet Intrusions: Global Characteristics and Prevalence. In Proceedings of ACM SIGMETRICS, San Diego, CA, June 2003.

Copyright information

© 2007 Springer Science+Business Media, LLC.

About this paper

Cite this paper

Barford, P., Yegneswaran, V. (2007). An Inside Look at Botnets. In: Christodorescu, M., Jha, S., Maughan, D., Song, D., Wang, C. (eds) Malware Detection. Advances in Information Security, vol 27. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-44599-1_8

  • DOI: https://doi.org/10.1007/978-0-387-44599-1_8

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-32720-4

  • Online ISBN: 978-0-387-44599-1