Characterizing Bots’ Remote Control Behavior

  • Elizabeth Stinson
  • John C. Mitchell
Part of the Advances in Information Security book series (ADIS, volume 36)


A botnet is a collection of bots, each generally running on a compromised system and responding to commands over a “command-and-control” overlay network. We investigate observable differences in the behavior of bots and benign programs, focusing on the way that bots respond to data received over the network. Our experimental platform monitors execution of an arbitrary Win32 binary, considering data received over the network to be tainted, applying library-call-level taint propagation, and checking for tainted arguments to selected system calls. As a way of further distinguishing locally-initiated from remotely-initiated actions, we capture and propagate “cleanliness” of local user input (as received via the keyboard or mouse). Testing indicates behavioral separation of major bot families (ago, DSNX, evil, G-SyS, sd, Spy) from benign programs with low error rate.
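The taint-and-sink check the abstract describes, as a simplified added illustration (not the chapter's own code): bytes received over the network carry a network label, bytes typed by the local user carry a clean user label, labels propagate through string operations at the library-call level, and selected "system calls" are checked for arguments that carry any network byte. The sink set, the IRC-style command line and the file names are constructed for this example.

```python
from dataclasses import dataclass

NETWORK, USER = "network", "user"                        # per-byte provenance labels
SINKS = {"CreateProcess", "CreateFile", "connect", "send"}  # monitored calls (assumed set)

@dataclass(frozen=True)
class Tracked:
    """A string carrying one provenance label per character."""
    text: str
    labels: tuple

    @classmethod
    def from_network(cls, s):
        return cls(s, (NETWORK,) * len(s))          # tainted source

    @classmethod
    def from_user(cls, s):
        return cls(s, (USER,) * len(s))             # clean source (keyboard/mouse)

    def __add__(self, other):                       # propagation: concatenation
        return Tracked(self.text + other.text, self.labels + other.labels)

    def __getitem__(self, sl):                      # propagation: slicing/substring
        return Tracked(self.text[sl], self.labels[sl])

    def split(self):
        """Tokenise on spaces, keeping each token's labels."""
        out, start = [], 0
        for tok in self.text.split(" "):
            start = self.text.index(tok, start)
            out.append(self[start:start + len(tok)])
            start += len(tok)
        return out

    @property
    def tainted(self):
        return NETWORK in self.labels               # any network byte taints the value

def syscall(name, *args):
    """Return an alert string if a monitored call receives tainted data, else None."""
    if name in SINKS and any(a.tainted for a in args):
        return f"{name}: tainted argument(s) {[a.text for a in args if a.tainted]}"
    return None

def bot_scenario():
    # constructed command received over the C&C channel: "!download <url> <path>"
    cmd = Tracked.from_network("!download http://example.invalid/p.exe c:\\p.exe")
    _, url, path = cmd.split()
    return [a for a in (syscall("CreateFile", path), syscall("CreateProcess", path)) if a]

def benign_scenario():
    # the user types a file name locally; the open call sees only clean bytes
    name = Tracked.from_user("notes.txt")
    return [a for a in (syscall("CreateFile", name),) if a]
```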


Keywords: host-based, behavior-based detection, taint, interposition, system call





Copyright information

© Springer Science+Business Media, LLC 2008

Authors and Affiliations

  • Elizabeth Stinson, Department of Computer Science, Stanford University, Stanford
  • John C. Mitchell, Department of Computer Science, Stanford University, Stanford