BotTracer: Execution-Based Bot-Like Malware Detection

  • Lei Liu
  • Songqing Chen
  • Guanhua Yan
  • Zhao Zhang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5222)

Abstract

Bot-like malware poses an immense threat to computer security, and bot detection remains a challenging task because bot developers continuously adopt advanced techniques to make bots stealthier. A typical bot exhibits three invariant features during its onset: (1) the bot starts automatically, without requiring any user action; (2) the bot must establish a command and control channel with its botmaster; and (3) sooner or later the bot performs local or remote attacks. These invariants correspond to three indispensable phases of a bot attack: startup, preparation, and attack. In this paper, we propose BotTracer, which detects these three phases with the assistance of virtual machine techniques. To validate BotTracer, we implement a prototype based on VMware and Windows XP Professional. The results show that BotTracer detected all the bots in the experiments without any false negatives.
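As an added illustration of the three-phase model in the abstract (not the paper's own code or data), the following Python sketch correlates constructed sandbox events per process and reports a process as a bot only when automatic startup, a long-lived outbound channel and an attack-like burst are observed in that order. The event schema, the trace and the two thresholds are assumptions made for the example.

```python
"""Toy three-phase bot detector modelled on the BotTracer abstract.
Added example: the event schema, trace and thresholds are constructed
for illustration and are not taken from the paper's implementation."""
from collections import defaultdict

# Ordered phases from the abstract: automatic startup -> C&C channel -> attack.
PHASES = ("startup", "preparation", "attack")

# Constructed sandbox trace: (time_s, pid, event, details). Not real data.
TRACE = [
    (0.0, 100, "exec", {"parent": "winlogon", "user_initiated": False}),
    (0.0, 200, "exec", {"parent": "explorer", "user_initiated": True}),
    (1.5, 100, "connect", {"dst": "198.51.100.7", "port": 6667, "duration_s": 900}),
    (2.0, 200, "connect", {"dst": "203.0.113.5", "port": 443, "duration_s": 30}),
    (40.0, 100, "syn_burst", {"unique_dsts": 250, "window_s": 10}),
    (41.0, 300, "exec", {"parent": "services", "user_initiated": False}),
    (42.0, 300, "connect", {"dst": "198.51.100.9", "port": 80, "duration_s": 5}),
    (45.0, 200, "syn_burst", {"unique_dsts": 300, "window_s": 10}),  # user-run scanner
]

LONG_LIVED_S = 300     # a C&C channel is held open, unlike a short web fetch
SCAN_THRESHOLD = 100   # distinct destinations per window that looks like scanning


def classify(event, details):
    """Map one raw sandbox event onto a bot phase, or None if it is not evidence."""
    if event == "exec" and not details["user_initiated"]:
        return "startup"
    if event == "connect" and details["duration_s"] >= LONG_LIVED_S:
        return "preparation"
    if event == "syn_burst" and details["unique_dsts"] >= SCAN_THRESHOLD:
        return "attack"
    return None


def trace_phases(trace):
    """Return {pid: phases reached, in order}. A phase only counts if the
    previous ones were seen: a scan by a user-launched process with no
    C&C channel is not bot evidence under this model."""
    reached = defaultdict(list)
    for _t, pid, event, details in sorted(trace, key=lambda e: (e[0], e[1])):
        phase = classify(event, details)
        expected = PHASES[len(reached[pid])] if len(reached[pid]) < 3 else None
        if phase is not None and phase == expected:
            reached[pid].append(phase)
    return dict(reached)


def detected_bots(trace):
    """PIDs for which all three phases were observed in order."""
    return sorted(pid for pid, ph in trace_phases(trace).items() if len(ph) == 3)
```

Process 300 stops at the startup phase (its connection is short-lived), so a deployment would keep watching it rather than raise an alert.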

Keywords

Botnet, malware detection, virtual machine

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Lei Liu (1)
  • Songqing Chen (1)
  • Guanhua Yan (2)
  • Zhao Zhang (3)
  1. Dept. of Computer Science, George Mason University
  2. Information Sciences, Los Alamos National Lab
  3. Dept. of Electrical and Computer Engineering, Iowa State University