An Inside Look at Botnets

Paul Barford, Vinod Yegneswaran
{pb,vinod}@cs.wisc.edu
Computer Sciences Department, University of Wisconsin, Madison

Abstract

The continued growth and diversification of the Internet has been accompanied by an increasing prevalence of attacks and intrusions [40]. It can be argued, however, that a significant change in motivation for malicious activity has taken place over the past several years: from vandalism and recognition in the hacker community, to attacks and intrusions for financial gain. This shift has been marked by a growing sophistication in the tools and methods used to conduct attacks, thereby escalating the network security arms race. Our thesis is that the reactive methods for network security that are predominant today are ultimately insufficient and that more proactive methods are required. One such approach is to develop a foundational understanding of the mechanisms employed by malicious software (malware), which is often readily available in source form on the Internet. While it is well known that large IT security companies maintain detailed databases of this information, these are not openly available and we are not aware of any such open repository. In this paper we begin the process of codifying the capabilities of malware by dissecting four widely-used Internet Relay Chat (IRC) botnet codebases. Each codebase is classified along seven key dimensions: botnet control mechanisms, host control mechanisms, propagation mechanisms, exploits, delivery mechanisms, obfuscation mechanisms and deception mechanisms. Our study reveals the complexity of botnet software, and we discuss implications for defense strategies based on our analysis.

1.1 Introduction

Software for malicious attacks and intrusions (malware) has evolved a great deal over the past several years. This evolution is driven primarily by the desire of the authors (black hats) to elude improvements in network defense systems and to expand and enhance malware capabilities. The evolution of malcode can be seen both in terms of variants of existing tools (e.g., there are over 580 variants of the Agobot malware since its first release in 2002 [7]) and in the relatively frequent emergence of completely new codebases (e.g., there were six major Internet worm families introduced in 2004: Netsky, Bagle, MyDoom, Sasser, Korgo and Witty, as well as the Cabir virus, the first for cell phones [1]).

While worm outbreaks and DoS attacks have been widely reported in the popular press and evaluated extensively by the network and security research communities (e.g., [16, 27–29]), perhaps the most serious threat to the Internet today is collections of compromised systems that can be controlled by a single person. These botnets have actually been in existence for quite some time and trace their roots to the Eggdrop bot created by Jeff Fisher for benign network management in 1993. High level overviews of malicious botnet history and their basic functionality can