Social Network-Based Botnet Command-and-Control: Emerging Threats and Countermeasures

  • Erhan J. Kartaltepe
  • Jose Andre Morales
  • Shouhuai Xu
  • Ravi Sandhu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6123)

Abstract

Botnets have become a major threat in cyberspace. In order to effectively combat botnets, we need to understand a botnet’s Command-and-Control (C&C), which is challenging because C&C strategies and methods evolve rapidly. Very recently, botmasters have begun to exploit social network websites (e.g., Twitter.com) as their C&C infrastructures, which turns out to be quite stealthy because it is hard to distinguish the C&C activities from the normal social networking traffic. In this paper, we study the problem of using social networks as botnet C&C infrastructures. Treating as a starting point the current generation of social network-based botnet C&C, we envision the evolution of such C&C methods and explore social networks-based countermeasures.

Keywords

Botnet command-and-control social networks security 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Athanasopoulos, E., Makridakis, A., Antonatos, S., Antoniades, D., Ioannidis, S., Anagnostakis, K., Markatos, E.: Antisocial networks: Turning a social network into a botnet. In: Wu, T.-C., Lei, C.-L., Rijmen, V., Lee, D.-T. (eds.) ISC 2008. LNCS, vol. 5222, pp. 146–160. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  2. 2.
    Balatzar, J., Costoya, J., Flores, R.: The real face of koobface: The largest web 2.0 botnet explained. Technical report, Trend Micro (2009)Google Scholar
  3. 3.
    Binkley, J.R., Singh, S.: An algorithm for anomaly-based botnet detection. In: Proc. Reducing Unwanted Traffic on the Internet, SRUTI ’06 (2006)Google Scholar
  4. 4.
    Chapman, M., Davida, G.I.: Plausible deniability using automated linguistic stegonagraphy. In: Conference on Infrastructure Security (October 2002)Google Scholar
  5. 5.
    Cheng, A., Evans, M.: Inside twitter: An in-depth look inside the twitter world, http://www.sysomos.com/insidetwitter
  6. 6.
    Collins, M., Reiter, M.: Hit-list worm detection and bot identification in large networks using protocol graphs. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 276–295. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  7. 7.
    Collins, M., Shimeall, T., Faber, S., Janies, J., Weaver, R., De Shon, M., Kadane, J.: Using uncleanliness to predict future botnet addresses. In: Proc. IMC ’07 (2007)Google Scholar
  8. 8.
    Cooke, E., Jahanian, F., McPherson, D.: The zombie roundup: understanding, detecting, and disrupting botnets. In: Proc. SRUTI ’05 (2005)Google Scholar
  9. 9.
    Microsoft Corporation. Network monitor 3.3, http://go.microsoft.com/fwlink/?LinkID=103158&clcid=0x409
  10. 10.
    CWSandbox.org. Cwsandbox—behavior-based malware analysis, http://www.cwsandbox.org
  11. 11.
    Dagon, D., Gu, G., Lee, C., Lee, W.: A taxonomy of botnet structures. In: Choi, L., Paek, Y., Cho, S. (eds.) ACSAC 2007. LNCS, vol. 4697, Springer, Heidelberg (2007)Google Scholar
  12. 12.
    DigiNinja. Kreiosc2: Poc using twitter as its command and control channel, http://www.digininja.org
  13. 13.
    Easton, T., Johnson, K.: Social zombies. In: DEFCON ’09 (2009)Google Scholar
  14. 14.
    Goebel, J., Holz, T.: Rishi: identify bot contaminated hosts by irc nickname evaluation. In: Proc. HotBots ’07 (2007)Google Scholar
  15. 15.
    Grizzard, J.B., Sharma, V., Nunnery, C., Kang, B.B., Dagon, D.: Peer-to-peer botnets: overview and case study. In: Proc. HotBots ’07 (2007)Google Scholar
  16. 16.
    Gu, G., Perdisci, R., Zhang, J., Lee, W.: BotMiner: Clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: Security ’08 (2008)Google Scholar
  17. 17.
    Gu, G., Porras, P., Yegneswaran, V., Fong, M., Lee, W.: BotHunter: Detecting malware infection through ids-driven dialog correlation. In: USENIX Security ’07 (2007)Google Scholar
  18. 18.
    Gu, G., Zhang, J., Lee, W.: BotSniffer: Detecting botnet command and control channels in network traffic. In: Proc. NDSS ’08 (2008)Google Scholar
  19. 19.
    Holz, T., Steiner, M., Dahl, F., Biersack, E., Freiling, F.: Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm. In: LEET ’08 (2008)Google Scholar
  20. 20.
    Hu, X., Knysz, M., Shin, K.G.: Rb-seeker: Auto-detection of redirection botnets. In: Proc. NDSS ’09 (2009)Google Scholar
  21. 21.
    Finjan Software Inc. Web security trends report q4 2007. Technical report, Finjan Software Inc. (2007), http://www.finjan.com/Content.aspx?id=827
  22. 22.
    John, J., Moshchuk, A., Gribble, S., Krishnamurthy, A.: Studying spamming botnets using botlab. In: Proc. NSDI ’09 (2009)Google Scholar
  23. 23.
    Karasaridis, A., Rexroad, B., Hoeflin, D.: Wide-scale botnet detection and characterization. In: Proc. HotBots ’07 (2007)Google Scholar
  24. 24.
    Morales, J.A., Clarke, P.J., Deng, Y., Kibria, B.G.: Identification of file infecting viruses through detection of self-reference replication. Journal in Computer Virology (2008)Google Scholar
  25. 25.
    Nazario, J.: Twitter based botnet command and control (2009), http://asert.arbornetworks.com/2009/08/twitter-based-botnet-command-channel
  26. 26.
    Nazario, J., Holz, T.: As the net churns: Fast-flux botnet observations. In: Proc. MALWARE ’08 (2008)Google Scholar
  27. 27.
    PassMark.com. Passmark performancetest 7.0, http://www.passmark.com/products/pt.htm
  28. 28.
    Poland, S.: How to create a twitter bot (2007), http://blog.stevepoland.com/how-to-create-a-twitter-bot/
  29. 29.
    Rajab, M.A., Zarfoss, J., Monrose, F., Terzis, A.: A multifaceted approach to understanding the botnet phenomenon. In: Proc. IMC ’06 (2006)Google Scholar
  30. 30.
    Singh, K., Srivastava, A., Giffin, J., Lee, W.: Evaluating email’s feasibility for botnet command and control. In: Proc. DSNGoogle Scholar
  31. 31.
    Stinson, E., Mitchell, J.C.: Characterizing bots’ remote control behavior. In: Hämmerli, B.M., Sommer, R. (eds.) DIMVA 2007. LNCS, vol. 4579, pp. 89–108. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  32. 32.
    Szor, P.: The Art of Computer Virus Research and Defense. Symantec Press (2005)Google Scholar
  33. 33.
    Weka 3 data mining software, http://www.cs.waikato.ac.nz/ml/weka/
  34. 34.
    Xie, Y., Yu, F., Achan, K., Panigrahy, R., Hulten, G., Osipkov, I.: Spamming botnets: signatures and characteristics. In: Proc. SIGCOMM ’08, pp. 171–182 (2008)Google Scholar
  35. 35.
    Zhao, Y., Xie, Y., Yu, F., Ke, Q., Yu, Y., Chen, Y., Gillum, E.: Botgraph: large scale spamming botnet detection. In: Proc. NSDI ’09 (2009)Google Scholar
  36. 36.
    Zhu, Z., Yegneswaran, V., Chen, Y.: Using failure information analysis to detect enterprise zombies. In: Proc. Securecomm ’09 (2009)Google Scholar
  37. 37.
    Zhuang, L., Dunagan, J., Simon, D., Wang, H., Osipkov, I., Hulten, G., Tygar, J.: Characterizing botnets from email spam records. In: Proc. LEET ’08 (2008)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Erhan J. Kartaltepe
    • 1
  • Jose Andre Morales
    • 1
  • Shouhuai Xu
    • 2
  • Ravi Sandhu
    • 1
  1. 1.Institute for Cyber SecurityUniversity of Texas at San Antonio 
  2. 2.Department of Computer ScienceUniversity of Texas at San Antonio 

Personalised recommendations