Skip to main content
SpringerLink
Log in

Chasing Botnets: A Real Security Incident Investigation

  • Conference paper
  • First Online:
Model-driven Simulation and Training Environments for Cybersecurity (MSTEC 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12512))

  • 485 Accesses

Abstract

Botnets form a special type of malware that nowadays constitute one of the biggest threats in cyber-security. Ordinarily, the hacker exploits existing vulnerabilities to infiltrate the system and install a command-and-control (C&C) infrastructure. Thereupon, the system is “botnized” and performs the bot-master’s commands. In most cases, the attacker does not intend to destroy the compromised assets but to utilize them in order to perform other type of attacks, such as crypto-mining or Denial of Service (DoS) campaigns to targeted websites. Nevertheless, ransomware or other disruptive attacks can also be launched at some point and harm the owner of the infected equipment. This paper starts with an overview of botnet cases, attacker’s tactics, and relevant defense mechanisms. Then, we present a real step-by-step digital forensics investigation on a customer’s bare-metal server in the cloud. The attack was performed in 2020. We describe the storyline from the server’s installation, the infection, the investigation, the proper mitigation actions, as well as, the economic implication. Finally, we sum-up which were the main mistakes that enable the attack and propose a silver bulletin for server setup in the cloud.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Microsoft: Microsoft security intelligence report, Microsoft, vols. 9–17 (2010–2014)

    Google Scholar 

  2. Zargar, S.T., Joshi, J., Tipper, D.: A survey of defense mechanisms against Distributed Denial of Service (DDoS) flooding attacks. IEEE Commun. Surv. Tutor. 15(4), 2046–2069 (2013)

    Article  Google Scholar 

  3. Liu, S.: Surviving distributed Denial-of-Service attacks. IT Prof. 11(5), 51–53 (2009)

    Article  Google Scholar 

  4. Specht, S.M., Lee, R.B.: Distributed Denial of Service: taxonomies of attacks, tools and countermeasures. In: 17th International Conference on Parallel and Distributed Computing Systems (ICPADS), San Francisco, CA, USA, 15–17 September 2004, pp. 543–550 (2004)

    Google Scholar 

  5. Asghari, H., van Eeten, M.J.G., Bauer, J.M.: Economics of fighting botnets: lessons from a decade of mitigation. IEEE Secur. Priv. 13(5), 16–23 (2015)

    Article  Google Scholar 

  6. Sood, A.K., Zeadally, S., Enbody, R.J.: An empirical study of HTTP-based financial botnets. IEEE Trans. Dependable Secure Comput. 13(2), 236–251 (2016)

    Google Scholar 

  7. Moore, T., Clayton, R., Anderson, R.: The economics of online crime. J. Econ. Perspect. 23(3), 3–20 (2009)

    Article  Google Scholar 

  8. de Santanna, J.J.C., et al.: Booters – an analysis of DDoS-as-a-Service attacks. In: IFIP/IEEE International Symposium on Integrated Network Management (IM). IFIP/IEEE, Ottawa, Canada, 11–15 May 2015, pp. 243–251 (2015)

    Google Scholar 

  9. Khattak, S., Ramay, N.R., Khan, K.R., Syed, A.A., Khayam, S.A.: A taxonomy of botnet behavior, detection, and defense. IEEE Commun. Surv. Tutor. 16(2), 898–924 (2014)

    Article  Google Scholar 

  10. Brown, I., Marsden, C.: Co-regulating Internet security: the London action plan. In: Academic Symposium on Global Internet Governance Academic Network (GigaNet), SSRN, Rio de Janeiro, Brazil, 11 November 2007, pp. 1–18 (2007)

    Google Scholar 

  11. Garcia, A., Horowitz, B.: The potential for underinvestment in Internet security: implications for regulatory policy. J. Regul. Econ. 31(1), 37–55 (2007). https://doi.org/10.1007/s11149-006-9011-y

  12. Hatzivasilis, G., et al.: WARDOG: awareness detection watchdog for Botnet infection on the host device. IEEE Trans. Sustain. Comput. Spec. Issue Sustain. Inf. Forensic Comput. 4, 1–15 (2019)

    Google Scholar 

  13. Habibi, J., Midi, D., Mudgerikar, A., Bertino, E.: Heimdall: mitigating the Internet of Insecure Things. IEEE Internet Things J. 4(4), 968–978 (2017)

    Google Scholar 

  14. Lu, Z., Wang, W., Wang, C.: On the evolution and impact of mobile botnets in wireless networks. IEEE Trans. Mob. Comput. 15(9), 2304–2316 (2016)

    Google Scholar 

  15. Karim, A., Shah, S.A.A., Salleh, R.B., Arif, M., Noor, R.M., Shamshirband, S.: Mobile botnet attacks – an emerging threat: classification, review and open issues. KSII Trans. Internet Inf. Syst. TIIS 9(4), 1471–1492 (2015)

    Google Scholar 

  16. Traynor, P., et al.: On cellular botnets: measuring the impact of malicious devices on a cellular network core. In: 16th ACM Conference on Computer and Communications Security (CSS), 9–13 November 2009, pp. 223–234. ACM, Chicago (2009)

    Google Scholar 

  17. Antonakakis, M., et al.: Understanding the Mirai botnet. In: 26th Usenix Security Symposium (SS), Vancouver, BC, Canada, 16–18 August 2017, pp. 1093–1110 (2017)

    Google Scholar 

  18. Fruhlinger, J.: The Mirai botnet explained: how teen scammers and CCTV cameras almost brought down the Internet. CSO Online, article 3258748. https://www.csoonline.com/article/3258748/security/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html. Accessed 9 March 2018

  19. Pritchett, W.: Insurtech 10: Trends for 2019. The Digital Insurer, KPMG, pp. 1–36, March 2019

    Google Scholar 

  20. Hatzivasilis, G., et al.: Cyber insurance of information systems. In: 24th IEEE International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD 2019), 11–13 September 2019, pp. 1–7. IEEE, Limassol (2019)

    Google Scholar 

  21. Hatzivasilis, G., et al.: Towards the insurance of healthcare systems. In: Fournaris, A.P., et al. (eds.) IOSEC/MSTEC/FINSEC -2019. LNCS, vol. 11981, pp. 185–198. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-42051-2_13

    Chapter  Google Scholar 

  22. Stone-Gross, B., Cova, M., Gilbert, B., Kemmerer, R., Kruegel, C., Vigna, G.: Analysis of a botnet takeover. IEEE Secur. Priv. 9(1), 64–72 (2010)

    Article  Google Scholar 

  23. Shin, S., Gu, G., Reddy, N., Lee, C.P.: A large-scale empirical study of Conflicker. IEEE Trans. Inf. Forensics Secur. 7(2), 676–690 (2012)

    Article  Google Scholar 

  24. Konovalov, A.M., Kotenko, I.V., Shorov, A.V.: Simulation-based study of botnets and defense mechanisms against them. J. Comput. Syst. Sci. Int. 52(1), 43–65 (2013). https://doi.org/10.1134/S1064230712060044

    Article  MathSciNet  MATH  Google Scholar 

  25. Bekeneva, Y., Shipilov, N., Borisenko, K., Shorov, A.: Simulation of DDoS-attacks and protection mechanisms against them. In: IEEE NW Russia Young Researchers in Electrical and Electronic Engineering Conference (ElConRusNW), 2–4 February 2015, pp. 49–55. IEEE, St. Petersburg (2015)

    Google Scholar 

  26. Dong, Y., Dai, J., Sun, X.: A mobile botnet that meets up at Twitter. In: Beyah, R., Chang, B., Li, Y., Zhu, S. (eds.) SecureComm 2018. LNICSSITE, vol. 255, pp. 3–21. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-01704-0_1

    Chapter  Google Scholar 

  27. Ling, L., Gao, Z., Silas, M.A., Lee, I., le Doeuff, E.A.: An AI-based, multi-stage detection system of banking botnets. In: 32nd Conference on Neural Information Processing Systems (NIPS), Montréal, Canada, pp. 1–9 (2019)

    Google Scholar 

  28. Grant, G.: Botnet mitigation and international law. Columbia J. Transnatl. Law 58, 189–231 (2019)

    Google Scholar 

  29. Sfakianakis, A., Douligeris, C., Marinos, L., Lourenço, M., Raghimi, O.: ENISA Threat Landscape Report 2018, ENISA, pp. 1–139, January 2019

    Google Scholar 

  30. Hatzivasilis, G., Fysarakis, K., Askoxylakis, I., Bilanakos, A.: CloudNet anti-malware engine: GPU-accelerated network monitoring for cloud services. In: Fournaris, A.P., Lampropoulos, K., Marín Tordera, E. (eds.) IOSec 2018. LNCS, vol. 11398, pp. 122–133. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12085-6_11

    Chapter  Google Scholar 

  31. Papaefstathiou, I., Bilanakos, A., Fysarakis, K., Hatzivasilis, G., Manifavas, C.: An efficient anti-malware intrusion detection system implementation, exploiting GPUs. In: International Conference on Advanced Technology & Sciences (ICAT 2014), Antalya, Turkey, 12–15 August 2014, pp. 1–9 (2014)

    Google Scholar 

  32. Hatzivasilis, G., Papadakis, N., Hatzakis, I., Ioannidis, S., Vardakis, G.: AI-driven composition and security validation of an IoT ecosystem. Appl. Sci. 10(14), 1–31 (2020). Special Issue on Smart City and Multi-Agent Systems, MDPI Open Access Journal

    Article  Google Scholar 

  33. Berger-Sabbatel, G., Duda, A.: Four years of botnet hunting: an assessment. In: Dziech, A., Czyżewski, A. (eds.) MCSS 2014. CCIS, vol. 429, pp. 29–42. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-07569-3_3

    Chapter  Google Scholar 

  34. Cooke, E., Jahanian, F., Mc Pherson, D.: The zombie roundup: understanding, detecting, and disrupting botnets. In: Usenix Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), Cambridge, MA, USA, 7 July 2005, pp. 1–6 (2005)

    Google Scholar 

Download references

Acknowledgements

This work has received funding from the European Union Horizon’s 2020 research and innovation programme under the grant agreements No. 786890 (THREAT-ARREST) and No. 830927 (CONCORDIA).

Author information

Authors and Affiliations

  1. Foundation for Research and Technology, Heraklion, Greece

    George Hatzivasilis

  2. Department of Electrical and Computer Engineering, Hellenic Mediterranean University (HMU), Heraklion, Greece

    George Hatzivasilis

  3. CZ.NIC, ZSPO, Prague, Czech Republic

    Martin Kunc

Authors
  1. George Hatzivasilis
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Martin Kunc
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to George Hatzivasilis .

Editor information

Editors and Affiliations

  1. Foundation for Research and Technology - Hellas, Heraklion, Greece

    George Hatzivasilis

  2. Technical University of Crete, Chania, Greece

    Sotiris Ioannidis

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Hatzivasilis, G., Kunc, M. (2020). Chasing Botnets: A Real Security Incident Investigation. In: Hatzivasilis, G., Ioannidis, S. (eds) Model-driven Simulation and Training Environments for Cybersecurity. MSTEC 2020. Lecture Notes in Computer Science(), vol 12512. Springer, Cham. https://doi.org/10.1007/978-3-030-62433-0_7

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-62433-0_7

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-62432-3

  • Online ISBN: 978-3-030-62433-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation