Cross-Analysis of Botnet Victims: New Insights and Implications

  • Seungwon Shin
  • Raymond Lin
  • Guofei Gu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6961)

Abstract

In this paper, we analyze a large amount of infection data for three major botnets: Conficker, MegaD, and Srizbi. These botnets represent two distinct types of botnets in terms of the methods they use to recruit new victims. We propose the use of cross-analysis between these different types of botnets as well as between botnets of the same type in order to gain insights into the nature of their infection. In this analysis, we examine commonly-infected networks which appear to be extremely prone to malware infection. We provide an in-depth passive and active measurement study to have a fine-grained view of the similarities and differences for the two infection types. Based on our cross-analysis results, we further derive new implications and insights for defense. For example, we empirically show the promising power of cross-prediction of new unknown botnet victim networks using historic infection data of some known botnet that uses the same infection type with more than 80% accuracy.

Keywords

Infection Type Manhattan Distance Infection Vector Spam Email Remote Host 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Pauli, D.: Srizbi Botnet Sets New Records for Spam: PC World (retrieved 2008-07-20)Google Scholar
  2. 2.
    Shin, S., Gu, G.: Conficker and Beyond: A Large-Scale Empirical Study. In: Proceedings of 2010 Annual Computer Security Applications Conference, ACSAC 2010 (2010)Google Scholar
  3. 3.
    Microsoft Security Techcenter, Conficker Worm, http://technet.microsoft.com/en-us/security/dd452420.aspx
  4. 4.
  5. 5.
  6. 6.
  7. 7.
    SecureWorks, Ozdok/Mega-D Trojan Analysis, http://www.secureworks.com/research/threats/ozdok/?threat=ozdok
  8. 8.
  9. 9.
    Chien, E., Downadup.: Attempts at Smart Network Scanning, http://www.symantec.com/connect/blogs/downadup-attempts-smart-network-scanning
  10. 10.
    Xie, Y., Yu, F., Achan, K., Gillum, E., Goldzmidt, M., Wobber, T.: How Dynamic are IP Addresses?. In: Proceedings of ACM Special Interest Group on Data Communication, SIGCOMM (2007)Google Scholar
  11. 11.
    Rajab, M.A., Zarfoss, J., Monrose, F., Terzis, A.: My botnet is bigger than yours (maybe, better than yours): why size estimates remain challenging. In: Proceedings of the First Conference on First Workshop on Hot Topics in Understanding Botnets (2007)Google Scholar
  12. 12.
    Egele, M., Wurzinger, P., Kruegel, C., Kirda, E.: Defending Browsers against Drive-by Downloads: Mitigating Heap-spraying Code Injection Attacks. In: Flegel, U., Bruschi, D. (eds.) DIMVA 2009. LNCS, vol. 5587, pp. 88–106. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  13. 13.
    Krishnan, S., Kim, Y.: Passive identification of Conficker nodes on the Internet. University of Minnesota - Technical Document (2009)Google Scholar
  14. 14.
    CAIDA, Conficker/Conflicker/Downadup as seen from the UCSD Network Telescope, http://www.caida.org/research/security/ms08-067/conficker.xml
  15. 15.
    Weaver, R.: A Probabilistic Population Study of the Conficker-C Botnet. In: Proceedings of the Passive and Active Measurement Conference (2010)Google Scholar
  16. 16.
    John, J.P., Moshchuk, A., Gribble, S.D., Krishnamurthy, A.: Studying Spamming Botnets Using Botlab. In: Proceedings of the Annual Network and Distributed System Security, NDSS (2009)Google Scholar
  17. 17.
    Cho, C.Y., Caballero, J., Grier, C., Paxson, V., Song, D.: Insights from the Inside: A View of Botnet Management from Infiltration. In: Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats, LEET (2010)Google Scholar
  18. 18.
    Caballero, J., Poosankam, P., Kreibich, C., Song, D.: Dispatcher: Enabling active botnet infiltration using automatic protocol reverse-engineering. In: Proceedings of ACM Computer and Communications Security, CCS (2009)Google Scholar
  19. 19.
    BOTLAB, A Study in Spam, http://botlab.org/
  20. 20.
    Shadowserver, Botnet Measurement and Study, http://shadowserver.org/wiki/
  21. 21.
    IP2Location, IP2Location Internet IP Address 2009 Report, http://www.ip2location.com/
  22. 22.
  23. 23.
    Cai, X., Heidenmann, J.: Understanding Address Usage in the Visible Internet: USC/ISI Technical Report ISI-TR-656 (2009)Google Scholar
  24. 24.
    Alderfer, H., Flynn, S., Birchmeier, B., Schulz, E.: Information Policy Country Report. University of Michigan School of Information Report, Turkey (2009)Google Scholar
  25. 25.
    Ianelli, N., Hackworth, A.: Botnets as a Vehicle for Online Crime: CERT/CC Technical Report (2005)Google Scholar
  26. 26.
    Uri Raz, How do spammers harvest email addresses ?, http://www.private.org.il/harvest.html
  27. 27.
    FAQs.org, FAQ: How do spammers get people’s email addresses ?, http://www.faqs.org/faqs/net-abuse-faq/harvest/
  28. 28.
    Caballero, J., Grier, C., Kreibich, C., Paxson, V.: Measuring Pay-per-Install: The Commoditization of Malware Distribution. In: Proceedings of USENIX Security Symposium (2011)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Seungwon Shin
    • 1
  • Raymond Lin
    • 1
  • Guofei Gu
    • 1
  1. 1.SUCCESS LabTexas A&M UniversityCollege StationUSA

Personalised recommendations