
Botnet Triple-Channel Model: Towards Resilient and Efficient Bidirectional Communication Botnets

  • Conference paper
Security and Privacy in Communication Networks (SecureComm 2013)

Abstract

Current research on future botnets focuses mainly on how to design a resilient downlink command and control (C&C) channel. The uplink data channel, which is generally vulnerable, inefficient, or even absent, has attracted little attention. In fact, most current botnets (including large-scale and well-known ones) have either a resilient (and perhaps also efficient) unidirectional downlink C&C channel or a vulnerable bidirectional communication channel, which makes them either hard to monitor or easy to take down. To address this problem and equip a botnet with resilient and efficient bidirectional communication, this paper proposes a communication channel division scheme and, on top of it, a Botnet Triple-Channel Model (BTM). In a nutshell, BTM divides a traditional communication channel into three independent sub-channels, denoted Command Download Channel (CDC), Registration Channel (RC) and Data Upload Channel (DUC). To demonstrate feasibility, we implement a BTM-based botnet prototype named RoemBot, which uses URL Flux for the CDC, Domain Flux for the RC and Cloud Flux for the DUC. We also evaluate the resilience and efficiency of RoemBot. We conclude that resilient and efficient bidirectional communication design represents a main direction of future botnets.
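The abstract names Domain Flux as the mechanism behind RoemBot's Registration Channel. Of the three sub-channels, that one is the most visible to a defender, because the algorithmically generated names it depends on show up in resolver logs long before any of them resolve. The Python below is an added example, not code from the paper or from RoemBot: it scores per-client DNS activity over a constructed log sample using two common heuristics for domain-flux behaviour, the NXDOMAIN ratio of a client's queries and the mean Shannon entropy of the registrable label of the names that failed to resolve. The log format, the thresholds and the sample lines are assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the paper):
# <timestamp> <client> <query name> <response code>
SAMPLE_DNS_LOG = """\
2013-10-01T12:00:01 10.0.0.5 www.example.com NOERROR
2013-10-01T12:00:02 10.0.0.5 mail.example.com NOERROR
2013-10-01T12:00:03 10.0.0.7 qx7ztk3pbv9wd.com NXDOMAIN
2013-10-01T12:00:04 10.0.0.7 lm2hd8vcnr4kq.net NXDOMAIN
2013-10-01T12:00:05 10.0.0.7 zp9rtw6xlk1bq.org NXDOMAIN
2013-10-01T12:00:06 10.0.0.7 hv3ngq7cls5wd.com NXDOMAIN
2013-10-01T12:00:07 10.0.0.7 cdn.example.net NOERROR
2013-10-01T12:00:08 10.0.0.9 updates.example.org NOERROR
"""


def parse_line(line):
    """Split one whitespace-separated log line into a record (assumed format)."""
    ts, client, qname, rcode = line.split()
    return {"ts": ts, "client": client,
            "qname": qname.lower().rstrip("."), "rcode": rcode.upper()}


def registrable_label(qname):
    """Return the label directly left of the public suffix, e.g. 'example' in
    'www.example.com'. A real deployment would use a public-suffix list; this
    simplification assumes a single-label TLD."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else qname


def shannon_entropy(s):
    """Bits of entropy per character of the string s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_clients(log_text, min_queries=4, nx_ratio=0.5, entropy_threshold=3.0):
    """Aggregate queries per client and flag clients whose failed lookups look
    algorithmically generated. Thresholds are illustrative assumptions: tune
    them against baseline traffic and exempt known-good high-entropy names
    (CDNs, telemetry endpoints) before acting on a flag."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            per_client[rec["client"]].append(rec)

    results = {}
    for client, recs in per_client.items():
        total = len(recs)
        failed = [r for r in recs if r["rcode"] == "NXDOMAIN"]
        nx = len(failed)
        # Entropy is measured only on names that failed to resolve: those are
        # the candidate generated names, successful lookups are excluded.
        entropies = [shannon_entropy(registrable_label(r["qname"])) for r in failed]
        avg_entropy = sum(entropies) / len(entropies) if entropies else 0.0
        ratio = nx / total
        flagged = (total >= min_queries
                   and ratio >= nx_ratio
                   and avg_entropy >= entropy_threshold)
        results[client] = {
            "queries": total,
            "nxdomain": nx,
            "nx_ratio": ratio,
            "avg_entropy": avg_entropy,
            "flagged": flagged,
        }
    return results


if __name__ == "__main__":
    for client, stats in sorted(score_clients(SAMPLE_DNS_LOG).items()):
        mark = "FLAG" if stats["flagged"] else "ok"
        print(f"{client:10} queries={stats['queries']} nxdomain={stats['nxdomain']} "
              f"entropy={stats['avg_entropy']:.2f} {mark}")
```

Only the Registration Channel is visible to this detector. The other two sub-channels the abstract describes, URL Flux for the CDC and Cloud Flux for the DUC, ride over ordinary web and cloud-storage traffic and would need proxy or egress telemetry instead. That is the practical consequence of the channel-division argument for a defender: monitoring or taking down one sub-channel says nothing about the other two, so coverage has to be planned per channel.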




© 2013 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

Cite this paper

Xiang, C., Binxing, F., Jinqiao, S., Chaoge, L. (2013). Botnet Triple-Channel Model: Towards Resilient and Efficient Bidirectional Communication Botnets. In: Zia, T., Zomaya, A., Varadharajan, V., Mao, M. (eds) Security and Privacy in Communication Networks. SecureComm 2013. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 127. Springer, Cham. https://doi.org/10.1007/978-3-319-04283-1_4

  • DOI: https://doi.org/10.1007/978-3-319-04283-1_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-04282-4

  • Online ISBN: 978-3-319-04283-1

  • eBook Packages: Computer Science (R0)
