This preview has intentionally blurred sections. Sign up to view the full version.View Full Document
Unformatted text preview: A Multifaceted Approach to Understanding the Botnet Phenomenon Moheeb Abu Rajab Jay Zarfoss Fabian Monrose Andreas Terzis Computer Science Department Johns Hopkins University ABSTRACT The academic community has long acknowledged the existence of malicious botnets, however to date, very little is known about the behavior of these distributed computing platforms. To the best of our knowledge, botnet behavior has never been methodically stud- ied, botnet prevalence on the Internet is mostly a mystery, and the botnet life cycle has yet to be modeled. Uncertainty abounds. In this paper, we attempt to clear the fog surrounding botnets by con- structing a multifaceted and distributed measurement infrastruc- ture. Throughout a period of more than three months, we used this infrastructure to track 192 unique IRC botnets of size ranging from a few hundred to several thousand infected end-hosts. Our results show that botnets represent a major contributor to unwanted In- ternet traffic—27% of all malicious connection attempts observed from our distributed darknet can be directly attributed to botnet- related spreading activity. Furthermore, we discovered evidence of botnet infections in 11% of the 800,000 DNS domains we exam- ined, indicating a high diversity among botnet victims. Taken as a whole, these results not only highlight the prominence of botnets, but also provide deep insights that may facilitate further research to curtail this phenomenon. Categories and Subject Descriptors D.4.6 [ Operating Systems ]: Security and Protection— Invasive Soft- ware General Terms Security, Measurement Keywords Botnets, Computer Security, Malware, Network Security 1. INTRODUCTION Despite the fact that botnets first appeared several years ago, they have only recently sparked the interest of the research com- munity. The term botnets is used to define networks of infected Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. IMC’06, October 25–27, 2006, Rio de Janeiro, Brazil. Copyright 2006 ACM 1-59593-561-4/06/0010 ...$5.00. end-hosts, called bots , that are under the control of a human op- erator commonly known as a botmaster . While botnets recruit vulnerable machines using methods also utilized by other classes of malware ( e.g., remotely exploiting software vulnerabilities, so- cial engineering, etc.), their defining characteristic is the use of command and control (C&C) channels. The primary purpose of these channels is to disseminate the botmasters’ commands to their bot armies. These channels can operate over a variety of (logical) network topologies and use different communication mechanisms, from established Internet protocols to more recent P2P protocols.from established Internet protocols to more recent P2P protocols....
View Full Document
- Fall '08
- Domain Name System, IRC, botnets, irc server