Brett Stone-Gross
ABSTRACT
Botnets, networks of malware-infected machines that are controlled by an adversary, are the root cause of a large number of security problems on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program that is designed to harvest sensitive information (such as bank account and credit card data) from its victims. In this paper, we report on our efforts to take control of the Torpig botnet and study its operations for a period of ten days. During this time, we observed more than 180 thousand infections and recorded almost 70 GB of data that the bots collected. While botnets have been "hijacked" and studied previously, the Torpig botnet exhibits certain properties that make the analysis of the data particularly interesting. First, it is possible (with reasonable accuracy) to identify unique bot infections and relate that number to the more than 1.2 million IP addresses that contacted our command and control server. Second, the Torpig botnet is large, targets a variety of applications, and gathers a rich and diverse set of data from the infected victims. This data provides a new understanding of the type and amount of personal information that is stolen by botnets.
- P. Amini. Kraken Botnet Infiltration. http://dvlabs.tippingpoint.com/blog/ 2008/04/28/kraken-botnet-infiltration, 2008.Google Scholar
- S. Burnette. Notice of Termination of ICANN Registrar Accreditation Agreement. http://www.icann.org/correspondence/burnette-to-tsastsin-28oct08-en.pdf, 2008.Google Scholar
- A. Burstein. Conducting Cybersecurity Research Legally and Ethically. In USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2008. Google ScholarDigital Library
- E. Cooke, F. Jahanian, and D. McPherson. The zombie roundup: Understanding, detecting, and disrupting botnets. In Usenix Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), 2006. Google ScholarDigital Library
- D. Dagon, G. Gu, C. Lee, and W. Lee. A Taxonomy of Botnet Structures. In Annual Computer Security Applications Conference (ACSAC), 2007.Google ScholarCross Ref
- D. Dagon, C. Zou, and W. Lee. Modeling Botnet Propagation Using Time Zones. In Symposium on Network and Distributed System Security, 2006.Google Scholar
- Finjan. How a cybergang operates a network of 1.9 million infected computers. http://www.finjan.com/MCRCblog.aspx?EntryId=2237, 2009.Google Scholar
- J. Fink. FBI Agents Raid Dallas Computer Business. http://cbs11tv.com/local/Core.IP. Networks.2.974706.html, 2009.Google Scholar
- E. Florio and K. Kasslin. Your computer is now stoned (...again!). Virus Bulletin, April 2008.Google Scholar
- J. Franklin, V. Paxson, A. Perrig, and S. Savage. An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants. In ACM Conference on Computer and Communications Security, 2007. Google ScholarDigital Library
- F. Freiling, T. Holz, and G. Wicherski. Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks. In European Symposium on Research in Computer Security (ESORICS), 2005. Google ScholarDigital Library
- GMER Team. Stealth MBR rootkit. http://www2.gmer.net/mbr/,2008.Google Scholar
- D. Goodin. Superworm seizes 9m pcs, 'stunned' researchers say. http://www.theregister.co.uk/2009/01/16/9m_downadup_infections/, 2009.Google Scholar
- P. Guehring. Concepts against Man-in-the-Browser Attacks. http://www2.futureware.at/svn/sourcerer/CAcert/SecureClient.pdf, 2006.Google Scholar
- P. Gutmann. The Commercial Malware Industry. In DEFCON conference, 2007.Google Scholar
- T. Holz, M. Engelberth, and F. Freiling. Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones. Reihe Informatik TR-2008-006, University of Mannheim, 2008.Google Scholar
- T. Holz, C. Gorecki, K. Rieck, and F. Freiling. Measuring and Detecting Fast-Flux Service Networks. In Symposium on Network and Distributed System Security, 2008.Google Scholar
- T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling. Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm. In USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2008. Google ScholarDigital Library
- J. Hruska. Cracking down on Conficker: Kaspersky, OpenDNS join forces. http://arstechnica.com/business/news/2009/02/cracking-down-on-confickerkaspersky-opendns-join-forces, February 2009.Google Scholar
- D. Jackson. Untorpig. http://www.secureworks. com/research/tools/untorpig/, 2008.Google Scholar
- B. Kang, E. Chan-Tin, C. Lee, J. Tyra, H. Kang, C. Nunnery, Z. Wadler, G. Sinclair, N. Hopper, D. Dagon, and Y. Kim. Towards complete node enumeration in a peer-to-peer botnet. In ACM Symposium on Information, Computer&Communication Security (ASIACCS 2009), 2009. Google ScholarDigital Library
- C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, and S. Savage. Spamalytics: An Empirical Analysis of Spam Marketing Conversion. In ACM Conference on Computer and Communications Security, 2008. Google ScholarDigital Library
- C. Kanich, K. Levchenko, B. Enright, G. Voelker, and S. Savage. The Heisenbot Uncertainty Problem: Challenges in Separating Bots from Chaff. In USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2008. Google ScholarDigital Library
- A. Karasaridis, B. Rexroad, and D. Hoeflin. Wide-scale botnet detection and characterization. In USENIX Workshop on Hot Topics in Understanding Botnet, 2007. Google ScholarDigital Library
- P. Kleissner. Analysis of Sinowal. http://web17.webbpro.de/index.php?page=analysis-of-sinowal, 2008.Google Scholar
- J. Leyden. Conficker botnet growth slows at 10m infections. http://www.theregister.co.uk/2009/01/26/conficker_botnet/, 2009.Google Scholar
- J. Leyden. Conficker zombie botnet drops to 3.5 million. http://www.theregister.co.uk/2009/04/03/conficker_zombie_count/, 2009.Google Scholar
- R. McMillan. Conficker group says worm 4.6 million strong. http://www.cw.com.hk/content/conficker-group-says-worm-46-million-strong, 2009.Google Scholar
- D. Moore, G. Voelker, and S. Savage. Inferring Internet Denial of Service Activity. In Usenix Security Symposium, 2001. Google ScholarDigital Library
- G. Ollmann. Caution Over Counting Numbers in C&C Portals. http://blog.damballa.com/?p=157, 2009.Google Scholar
- Openwall Project. John the Ripper password cracker. http://www.openwall.com/john/.Google Scholar
- P. Porras, H. Saidi, and V. Yegneswaran. A Foray into Conficker's Logic and Rendezvous Points. In USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2009. Google ScholarDigital Library
- N. Provos and P. Mavrommatis. All Your iFRAMEs Point to Us. In USENIX Security Symposium, 2008. Google ScholarDigital Library
- M. Rajab, J. Zarfoss, F. Monrose, and A. Terzis. My Botnet is Bigger than Yours (Maybe, Better than Yours): Why Size Estimates Remain Challenging. In USENIX Workshop on Hot Topics in Understanding Botnet, 2007. Google ScholarDigital Library
- M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis. A Multifaceted Approach to Understanding the Botnet Phenomenon. In ACM Internet Measurement Conference (IMC), 2006. Google ScholarDigital Library
- A. Ramachandran and N. Feamster. Understanding the Network-level Behavior of Spammers. In ACM SIGCOMM, 2006. Google ScholarDigital Library
- A. Ramachandran, N. Feamster, and D. Dagon. Revealing Botnet Membership Using DNSBL Counter-Intelligence. In Conference on Steps to Reducing Unwanted Traffic on the Internet, 2006. Google ScholarDigital Library
- RSA FraudAction Lab. One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts. http://www.rsa.com/blog/blog_entry.aspx? id=1378, October 2008.Google Scholar
- S. Saroiu, S. Gribble, and H. Levy. Measurement and Analysis of Spyware in a University Environment. In Networked Systems Design and Implementation (NSDI), 2004. Google ScholarDigital Library
- M. Shields. Trojan virus steals banking info. http://news.bbc.co.uk/2/hi/technology/7701227.stm, 2008.Google Scholar
- Sophos. Security at risk as one third of surfers admit they use the same password for all websites, Sophos reports. http://www.sophos.com/pressoffice/news/articles/2009/03/password-security.html, March 2009.Google Scholar
- SpeedMatters.org. 2008 Report on Internet Speeds in All 50 States. http://www.speedmatters.org/document-library/sourcematerials/cwa_report_on_internet_speeds_2008.pdf, August 2008.Google Scholar
- Symantec. Report on the underground economy. http://www.symantec.com/content/en/us/about/media/pdfs/Underground_Econ_Report.pdf, 2008.Google Scholar
- The Spamhaus Project. ZEN. http://www.spamhaus.org/zen/.Google Scholar
- VeriSign iDefense Intelligence Operations Team. The Russian Business Network: Rise and Fall of a Criminal ISP. blog.wired.com/defense/files/iDefense_RBNUpdated_20080303.doc, 2008.Google Scholar
- J. Wolf. Technical details of Srizbi's domain generation algorithm. http://blog.fireeye.com/research/2008/11/technical-details-of-srizbis-domaingeneration- algorithm.html, 2008.Google Scholar
- L. Zhuang, J. Dunagan, D. Simon, H. Wang, I. Osipkov, G. Hulten, and J. Tygar. Characterizing botnets from email spam records. In USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2008. Google ScholarDigital Library
Index Terms
- Your botnet is my botnet: analysis of a botnet takeover
Recommendations
An Analysis of the Asprox Botnet
SECURWARE '10: Proceedings of the 2010 Fourth International Conference on Emerging Security Information, Systems and TechnologiesThe presence of large pools of compromised computers, also known as botnets, or zombie armies, represents a very serious threat to Internet security. This paper describes the architecture of a contemporary advanced bot commonly known as Asprox. Asprox ...
A Survey of Botnet and Botnet Detection
SECURWARE '09: Proceedings of the 2009 Third International Conference on Emerging Security Information, Systems and TechnologiesAmong the various forms of malware, botnets are emerging as the most serious threat against cyber-security as they provide a distributed platform for several illegal activities such as launching distributed denial of service attacks against critical ...
Classification of Botnet Detection Based on Botnet Architechture
CSNT '12: Proceedings of the 2012 International Conference on Communication Systems and Network TechnologiesNowadays, Botnets pose a major threat to the security of online ecosystems and computing assets. A Botnet is a network of computers which are compromised under the influence of Bot (malware) code. This paper clarifies Botnet phenomenon and discusses ...
Comments