Four Years of Botnet Hunting: An Assessment

  • Gilles Berger-Sabbatel
  • Andrzej Duda
Part of the Communications in Computer and Information Science book series (CCIS, volume 429)

Abstract

In this paper, we present a wrap up of the malware analysis done during the last four years. We have developed a platform that includes tools for capturing malware, running code in a controlled environment, and analyzing its interactions with external entities. The platform enables us to capture malware samples, classify them and observe their communication behavior in a protected environment in a way that the malware does not perform any harmful activity. We report on some statistics on the captured malware and provide an example of an analysis session with the Mwna tool.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Berger-Sabbatel, G., Korczyński, M., Duda, A.: Architecture of a Platform for Malware Analysis and Confinement. In: Proceedings of the MCSS 2010: Multimedia Communications, Services and Security, Cracow, Poland (June 2010)Google Scholar
  2. 2.
    Berger-Sabbatel, G., Duda, A.: Analysis of Malware Network Activity. In: Dziech, A., Czyżewski, A. (eds.) MCSS 2011. CCIS, vol. 149, pp. 207–215. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  3. 3.
    Berger-Sabbatel, G., Duda, A.: Classification of Malware Network Activity. In: Dziech, A., Czyżewski, A. (eds.) MCSS 2012. CCIS, vol. 287, pp. 24–35. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  4. 4.
    Korczyński, M., Berger-Sabbatel, G., Duda, A.: Two Methods for Detecting Malware. In: Dziech, A., Czyżewski, A. (eds.) MCSS 2013. CCIS, vol. 368, pp. 95–106. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  5. 5.
    Provos, N., McNamee, D., Mavrommatis, P., Wang, K., Modadugu, N.: The ghost in the browser analysis of web-based malware. In: Proceedings of the First Conference on First Workshop on Hot Topics in Understanding Botnets, HotBots 2007, p. 4. USENIX Association, Berkeley (2007)Google Scholar
  6. 6.
    Yan, G., Chen, G., Eidenbenz, S., Li, N.: Malware propagation in online social networks: Nature, dynamics, and defense implications. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2011, pp. 196–206. ACM, New York (2011)Google Scholar
  7. 7.
    Invernizzi, L., Benvenuti, S., Comparetti, P.M., Kruegel, C., Vigna, G.: EVILSEED: A Guided Approach to Finding Malicious Web Pages. In: Proceedings of the 33th IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, USA (May 2012)Google Scholar
  8. 8.
    Steggink, M., Idziejczak, I.: Detection of peer-to-peer botnets. Research report for system and network engineering, University of Amsterdam, The Netherlands (2008), http://work6.delaat.net/rp/2007-2008/p22/report.pdf
  9. 9.
    Caglayan, A., Toothaker, M., Drapaeau, D., Burke, D., Eaton, G.: Behavioral analysis of fast flux service networks. In: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies, CSIIRW 2009, pp. 48:1–48:4. ACM, New York (2009)Google Scholar
  10. 10.
    Nazario, J., Holz, T.: As the net churns: Fast-flux botnet observations. In: 3rd International Conference on Malicious and Unwanted Software, pp. 24–31 (October 2008)Google Scholar
  11. 11.
    Zhuge, J., Holz, T., Han, X., Guo, J., Zou, W.: Characterizing the irc-based botnet phenomenon. Technical report, Department for Mathematics and Computer Science, University of Mannheim; TR-2007-010 (2007)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Gilles Berger-Sabbatel
    • 1
  • Andrzej Duda
    • 1
  1. 1.CNRS Grenoble Informatics Laboratory UMR 5217Grenoble Institute of TechnologySaint Martin d’Hères CedexFrance

Personalised recommendations