Abstract
Today botnets are still one of the most prevalent and devastating attack platforms that cyber criminals rely on to launch large-scale Internet attacks. Botmasters behind the scenes are becoming more agile and discreet, adopting new and sophisticated strategies to recruit bots and to schedule their activities so as to evade detection more effectively. In this paper, we conduct a measurement study of 23 active botnet families to uncover some of these new botmaster strategies, based on an operational dataset collected over a period of seven months. Our analysis shows that, contrary to the common perception that bots are recruited at random in a best-effort manner, bot recruitment has strong geographical and organizational locality, which gives defenders a direction and a priority when attempting to shut these botnets down. Furthermore, our measurement of the dynamics of botnet activity reveals that botmasters have begun to deliberately schedule their bots to hibernate and to alternate between attacks, so that the window in which they can be detected keeps shrinking.
Acknowledgment
We appreciate constructive comments from anonymous referees. This work is partially supported by an ARO grant W911NF-15-1-0262, a NIST grant 70NANB16H166, and an NSF grant CNS-1524462.
© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Cite this paper
Chang, W., Mohaisen, A., Wang, A., Chen, S. (2018). Understanding Adversarial Strategies from Bot Recruitment to Scheduling. In: Lin, X., Ghorbani, A., Ren, K., Zhu, S., Zhang, A. (eds) Security and Privacy in Communication Networks. SecureComm 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 238. Springer, Cham. https://doi.org/10.1007/978-3-319-78813-5_20
DOI: https://doi.org/10.1007/978-3-319-78813-5_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-78812-8
Online ISBN: 978-3-319-78813-5
eBook Packages: Computer Science (R0)