\(\textsc {BotWatcher}\)

Transparent and Generic Botnet Tracking
  • Thomas BaraboschEmail author
  • Adrian Dombeck
  • Khaled Yakdan
  • Elmar Gerhards-Padilla
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9404)


Botnets are one of the most serious threats to Internet security today. Modern botnets have complex infrastructures consisting of multiple components, which can be dynamically installed, updated, and removed at any time during the botnet operation. Tracking botnets is essential for understanding the current threat landscape. However, state-of-the-art analysis approaches have several limitations. Many malware analysis systems like sandboxes have a very limited analysis time-out, and thus only allow limited insights into the long-time behavior of a botnet. In contrast, customized tracking systems are botnet-specific and need to be adopted to each malware family, which requires tedious manual reverse engineering.

In this paper, we present BotWatcher, a novel approach for transparent and generic botnet tracking. To this end, we leverage dynamic analysis and memory forensics techniques to execute the initial malware sample and later installed modules in a controlled environment and regularly obtain insights into the state of the analysis system. The key idea behind BotWatcher is that by reasoning about the evolution of system state over time, we can reconstruct a high-level overview of the botnet lifecycle, i.e., the sequence of botnet actions that caused this evolution. Our approach is generic since it relies neither on previous knowledge of the botnet nor on OS-specific features. Transparency is achieved by performing outside-OS monitoring and not installing any analysis tools in the analysis environment. We implemented BotWatcher for Microsoft Windows and Mac OS X (both 32- and 64-bit architectures), and applied it to monitor four botnets targeting Microsoft Windows. To the best of our knowledge, we are the first to present a generic, transparent, and fully automated botnet tracking system.


Botnet tracking Memory forensics Malware analysis 



We would like to thank our shepherd Christian Rossow for his assistance to improve the quality of this paper. We also want to express our gratitude toward the reviewers for their helpful feedback, valuable comments and suggestions.


  1. 1.
    Blue Coat Labs, CryptoLocker, Kegotip, Medfos Malware Triple-Threat, 26 September 2015.
  2. 2.
    Kaspersky Lab ZAO, The Banking Trojan Emotet: Detailed Analysis, 26 September 2015.
  3. 3.
    Microsoft Malware Protection Center, MSRT January 2015 - Dyzap, 26 September 2015.
  4. 4.
    Microsoft Malware Protection Center, Unexpected reboot: Necurs, 26 September 2015.
  5. 5.
    Oracle VirtualBox, 26 September 2015.
  6. 6.
    The Bro Network Security Monitor, 26 September 2015.
  7. 7.
    The netfilter project (1999).
  8. 8.
    The Volatility Foundation, 26 September 2015.
  9. 9.
    ZeuS Tracker, 26 September 2015.
  10. 10.
    Zscaler Research, Evolution of Upatre Trojan Downloader, 26 September 2015.
  11. 11.
    Balzarotti, D., Cova, M., Karlberger, C., Kirda, E., Kruegel, C., Vigna, G.: Efficient detection of split personalities in malware. In: Network and Distributed System Security Symposium (NDSS) (2010)Google Scholar
  12. 12.
    Barabosch, T.: Complementary material used in Botwatcher: Transparent and Generic Botnet Tracking, 26 September 2015.
  13. 13.
    Barabosch, T., Eschweiler, S., Gerhards-Padilla, E.: Bee master: detecting host-based code injection attacks. In: Dietrich, S. (ed.) DIMVA 2014. LNCS, vol. 8550, pp. 235–254. Springer, Heidelberg (2014) Google Scholar
  14. 14.
    Bilge, L., Kirda, E., Kruegel, C., Balduzzi, M.: EXPOSURE: finding malicious domains using passive DNS analysis. In: Network and Distributed System Security Symposium (NDSS) (2011)Google Scholar
  15. 15.
    Caballero, J., Grier, C., Kreibich, C., Paxson, V.: Measuring pay-per-install: the commoditization of malware distribution. In: USENIX Security Symposium (2011)Google Scholar
  16. 16.
    Denneman, F.: Memory Deep Dive - Optimizing for Performance, 26 September 2015.
  17. 17.
    Freiling, F.C., Holz, T., Wicherski, G.: Botnet tracking: exploring a root-cause methodology to prevent distributed denial-of-service attacks. In: di Vimercati, S.C., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 319–335. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  18. 18.
    Horne, B., Matheson, L.R., Sheehan, C., Tarjan, R.E.: Dynamic self-checking techniques for improved tamper resistance. In: Sander, T. (ed.) DRM 2001. LNCS, vol. 2320, pp. 141–159. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  19. 19.
    Kanich, C., Kreibich, C., Levchenko, K., Enright, B., Voelker, G.M., Paxson, V., Savage, S.: Spamalytics: an empirical analysis of spam marketing conversion. In: Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS) (2008)Google Scholar
  20. 20.
    Kirat, D., Vigna, G., Kruegel, C.: BareCloud: bare-metal analysis-based evasive malware detection. In: USENIX Security Symposium (2014)Google Scholar
  21. 21.
    Kolbitsch, C., Kirda, E., Kruegel, C.: The power of procrastination: detection and mitigation of execution-stalling malicious code. In: ACM Conference on Computer and Communications Security (CCS) (2011)Google Scholar
  22. 22.
    Kreibich, C., Weaver, N., Kanich, C., Cui, W., Paxson, V.: GQ: practical containment for measuring modern malware systems. In: ACM SIGCOMM Internet Measurement Conference (IMC) (2011)Google Scholar
  23. 23.
    Lengyel, T.K., Maresca, S., Payne, B.D., Webster, G.D., Vogl, S., Kiayias, A.: Scalability, fidelity and stealth in the DRAKVUF dynamic malware analysis system. In: Annual Computer Security Applications Conference (ACSAC) (2014)Google Scholar
  24. 24.
    Plohmann, D., Gerhards-Padilla, E.: Case study of the Miner Botnet. In: International Conference on Cyber Conflict (CYCON) (2012)Google Scholar
  25. 25.
    Rossow, C., Andriesse, D., Werner, T., Stone-Gross, B., Plohmann, D., Dietrich, C.J., Bos, H.: P2PWNED: modeling and evaluating the resilience of peer-to-peer botnets. In: IEEE Symposium on Security and Privacy (S&P) (2013)Google Scholar
  26. 26.
    Rossow, C., Dietrich, C., Bos, H.: Large-scale analysis of malware downloaders. In: Flegel, U., Markatos, E., Robertson, W. (eds.) DIMVA 2012. LNCS, vol. 7591, pp. 42–61. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  27. 27.
    Rossow, C., Dietrich, C.J., Bos, H., Cavallaro, L., van Steen, M., Freiling, F.C., Pohlmann, N.: Sandnet: network traffic analysis of malicious software. In: Proceedings of Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS) (2011)Google Scholar
  28. 28.
    Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., Kruegel, C., Vigna, G.: Your Botnet is My Botnet: analysis of a Botnet takeover. In: Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS) (2009)Google Scholar
  29. 29.
    Weis, S.: Protecting data in use from firmware and physical attacks. In: BlackHat (2014)Google Scholar
  30. 30.
    Willems, C., Holz, T., Freiling, F.: Toward automated dynamic malware analysis using CWSandbox. In: IEEE Symposium on Security and Privacy (S&P) (2007)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Thomas Barabosch
    • 1
    Email author
  • Adrian Dombeck
    • 1
  • Khaled Yakdan
    • 1
    • 2
  • Elmar Gerhards-Padilla
    • 1
  1. 1.Fraunhofer FKIEBonnGermany
  2. 2.University of BonnBonnGermany

Personalised recommendations