
A Novel Search Engine-Based Method for Discovering Command and Control Server

  • Conference paper
  • Algorithms and Architectures for Parallel Processing (ICA3PP 2015)

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 9530))

Abstract

To solve the problem of botnet or advanced persistent threat (APT) malware obtaining its command and control (C&C) server address covertly, we propose a novel C&C-server address discovery scheme that works through search engines. The scheme is composed of five modules. First, the botmaster uses the publish module to post C&C-server IPs in diary entries on several free blogs on the Internet, so that these entries are indexed by search engines (SEs). When an infected terminal becomes a bot, it uses the keyword production module to generate search keywords and submits some or all of them to SEs to obtain search engine result pages (SERPs). For the items in the SERPs, the bot applies a filtering algorithm that removes noise items and keeps only the valid items whose abstracts contain C&C-server IPs. Finally, the bot uses the extraction and conversion module to extract these C&C-server IPs and translate them into binary format. The experimental results show that the proposed scheme is fully able to discover and obtain C&C-server IPs via various search engines; furthermore, with a properly chosen threshold value for each SE, it extracts C&C-server IPs accurately and efficiently.



Acknowledgments

This work was supported by the Scientific Research Innovation Projects for General University Graduates of Jiangsu Province (KYLX_0141); the Fundamental Research Funds for the Central Universities; the National High Technology Research and Development Program (“863” Program) of China (2015AA015603); the Jiangsu Future Networks Innovation Institute Prospective Research Project on Future Networks (BY2013095-5-03); the Six Talent Peaks High-Level Talents Project of Jiangsu Province (2011-DZ024); and the Natural Science Foundation of the Tibet Autonomous Region of China (2015ZR-13-17, 2015ZR-14-18).

Author information

Corresponding author: Xiaojun Guo.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Guo, X., Cheng, G., Pan, W., Dinhtu, T., Liang, Y. (2015). A Novel Search Engine-Based Method for Discovering Command and Control Server. In: Wang, G., Zomaya, A., Martinez, G., Li, K. (eds) Algorithms and Architectures for Parallel Processing. ICA3PP 2015. Lecture Notes in Computer Science, vol 9530. Springer, Cham. https://doi.org/10.1007/978-3-319-27137-8_24


  • DOI: https://doi.org/10.1007/978-3-319-27137-8_24


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-27136-1

  • Online ISBN: 978-3-319-27137-8

  • eBook Packages: Computer Science (R0)
