A Novel Search Engine-Based Method for Discovering Command and Control Server

  • Xiaojun GuoEmail author
  • Guang Cheng
  • Wubin Pan
  • Truong Dinhtu
  • Yixin Liang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9530)


To solve the problem of getting command and control (C&C) server address covertly for malware of Botnet or advanced persistent threats, we propose a novel C&C-server address discovery scheme via search engine. This scheme is com-posed of five modules. The botmaster uses publish module to issue C&C-server IPs in diaries of several free blogs on Internet firstly. Then these diaries could be indexed by search engine (SE). When the infected terminal becomes a bot, it uses keyword production module to produce search keyword and submits some or all these keywords to SEs to obtain the search engine result pages (SERPs). For items in SERPs, the bot uses filtering algorithm to remove noise items and leave valid items whose abstract contain C&C-server IPs. Lastly the bot utilizes extraction and conversion module to extract these C&C-server IPs and translates them into binary format. The experimental results show that our proposed scheme is fully able to discover and obtain C&C-server IPs via various search engines. Furthermore, if we set proper threshold value for SE, it can extract C&C-server IPs accurately and efficiently.


Top-K algorithm Search engine Command and control server Botnet Advanced persistent threat (APT) 



This work is completed under the support of the Scientific Research Innovation Projects for General University Graduate of Jiangsu province (KYLX_0141); the Fundamental Research Funds for the Central Universities; the National High Technology Research and Development Program (“863” Program) of China (2015AA015603); Jiangsu Future Networks Innovation Institute: Prospective Research Project on Future Networks (BY2013095-5-03); Six talent peaks of high level Talents Project of Jiangsu province (2011-DZ024); Natural Science Foundation of Tibet Autonomous Region of China (2015ZR-13-17, 2015ZR-14-18).


  1. 1.
    Khattak, S., Ramay, N.R., Khan, K.R., et al.: A taxonomy of botnet behavior, detection, and defense. IEEE Commun. Surv. Tutorials 16(2), 898–924 (2014)CrossRefGoogle Scholar
  2. 2.
    Chen, P., Desmet, L., Huygens, C.: A study on advanced persistent threats. In: De Decker, B., Zúquete, A. (eds.) CMS 2014. LNCS, vol. 8735, pp. 63–72. Springer, Heidelberg (2014)Google Scholar
  3. 3.
    Juels, A., Yen, T.F.: Sherlock Holmes and the case of the advanced persistent threat. In: Proceedings of the 5th USENIX Conference on Large-Scale Exploits and Emergent Threats, San Jose, CA, USA, pp. 63–72 (2012)Google Scholar
  4. 4.
    Rafael, A.R.G., Gabriel, M.F., Pedro, G.T.: Survey and taxonomy of botnet research through life-cycle. ACM Comput. Surv. 45(4), 1–33 (2013)Google Scholar
  5. 5.
    Zand, A., Vigna, G., Yan, X., et al.: Extracting probable command and control signatures for detecting botnets. In: Proceedings of the 29th Annual ACM Symposium on Applied Computing, pp. 1657–1662. ACM (2014)Google Scholar
  6. 6.
    Ken, C., Levi, L.: A case study of the rustock rootkit and spam bot. In: Proceedings of the 1st Workshop on Hot Topics in Understanding Botnets (2007)Google Scholar
  7. 7.
    Damballa. Top-5 most prevalent DGA-based crimeware families.
  8. 8.
    Yadav, S., Reddy, A.K.K., Reddy, A.L.N., et al.: Detecting algorithmically generated domain-flux attacks with DNS traffic analysis. IEEE/ACM Trans. Netw. 20(5), 1663–1677 (2012)CrossRefGoogle Scholar
  9. 9.
    Antonakakis, M., Perdisci, R., Nadji, Y., et al.: From throw-away traffic to bots: detecting the rise of DGA-based malware. In: Proceedings of the 21st USENIX Security Symposium (2012)Google Scholar
  10. 10.
    Bilge, L., Kirda, E., Kruegel, C., et al.: EXPOSURE: finding malicious domains using passive DNS analysis. In: Proceedings of the 2011 Symposium on Network and Distributed System Security (2011)Google Scholar
  11. 11.
    Riden, J.: Know your enemy: fast-flux service networks, the honeynet project.
  12. 12.
    Holz, T., Gorecki, C., Rieck, K., Freiling, F.C.: Measuring and detecting fast-flux service networks. In: Proceedings of the 15th Annual Network and Distributed System Security Symposium (2008)Google Scholar
  13. 13.
    Nazario, J., Holz, T.: As the net churns: fast-flux botnet observations. In: Proceedings of the 3rd International Conference on Malicious and Unwanted Software, pp. 24−31 (2008)Google Scholar
  14. 14.
    Stover, S., Dittrich, D., Hemandez, J., et al.: Analysis of the storm and nugache trojans: P2P is here. In: Proceedings of USENIX, pp. 8–27 (2007)Google Scholar
  15. 15.
    Dittrich, D., Dietrich, S.: P2P as botnet command and control: a deeper insight. In: Proceedings of the 3rd International Conference on Malicious and Unwanted Software, pp. 41–48 (2008)Google Scholar
  16. 16.
    Thorsten, H., Moritz, S., Frederic, D., et al.: Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm. In: Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats, pp. 1–9 (2008)Google Scholar
  17. 17.
    Chang, S., Daniels, T.E.: P2P botnet detection using behavior clustering and statistical tests. In: Proceedings of the 2nd ACM Workshop on Security and Artificial Intelligence, pp. 23–30 (2009)Google Scholar
  18. 18.
    Zhang, J.J., Perdisci, R., Lee, W.K., et al.: Detecting stealthy P2P botnets using statistical traffic fingerprints. In: Proceedings of the 2011 IEEE/IFIP 41st International Conference on Dependable Systems and Networks, pp. 121–132 (2011)Google Scholar
  19. 19.
    Zhao, D., Traore, I., Ghorbani, A., et al.: Peer to peer botnet detection based on flow intervals. Inf. Secur. Privacy Res. 376, 87–102 (2012)CrossRefGoogle Scholar
  20. 20.
    Singh., K., Guntuku, S.C., Thakur, A., et al.: Big data analytics framework for peer-to-peer botnet detection using random forests. Inf. Sci., (Online Press) (2014)Google Scholar
  21. 21.
    Zhao, D., Traore, I., Sayed, B., et al.: Botnet detection based on traffic behavior analysis and flow intervals. Comput. Secur. 39, 2–16 (2013)CrossRefGoogle Scholar
  22. 22.
    Stevanovic, M., Pedersen, J.M.: An efficient flow-based botnet detection using supervised machine learning. In: Proceeding of the 2014 IEEE International Conference on Computing, Networking and Communications, pp. 797–801 (2014)Google Scholar
  23. 23.
    Garg, S., Sarje, A.K., Peddoju, S.K.: Improved detection of P2P botnets through network behavior analysis. In: Martínez Pérez, G., Thampi, S.M., Ko, R., Shu, L. (eds.) SNDS 2014, CCIS, vol. 420, pp. 334–345. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  24. 24.
    The MD5 Message-Digest algorithm.
  25. 25.
    Oh, J., Lee, S., Lee, S.: Advanced evidence collection and analysis of web browser activity. In: Proceedings of 11th Annual Digital Forensics Research Conference, pp. S62–S67. New Orleans, USA (2011)Google Scholar
  26. 26.
    Hedley, J.: Jsoup HTML parser.
  27. 27.
    He, Z., Lo, E.: Answering why-not questions on top-k queries. IEEE Trans. Knowl. Data Eng. 26(6), 300–1315 (2014)Google Scholar
  28. 28.
  29. 29.
    Brewer, R.: Advanced persistent threats: minimising the damage. Netw. Secur. 4, 5–9 (2014)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Xiaojun Guo
    • 1
    • 2
    • 3
    • 4
    Email author
  • Guang Cheng
    • 1
    • 2
  • Wubin Pan
    • 1
    • 2
  • Truong Dinhtu
    • 1
    • 2
  • Yixin Liang
    • 1
    • 2
  1. 1.School of Computer Science and EngineeringSoutheast UniversityNanjingChina
  2. 2.Key Laboratory of Computer Network and Information IntegrationSoutheast UniversityNanjingChina
  3. 3.School of Information EngineeringXizang Minzu UniversityXianyangChina
  4. 4.XiZang Key Laboratory of Optical Information Processing and Visualization TechnologyXizang Minzu UniversityXianyangChina

Personalised recommendations