
A Host-Based Approach to BotNet Investigation?

  • Conference paper
Digital Forensics and Cyber Crime (ICDF2C 2009)

Abstract

Robot Networks (BotNets) are one of the most serious threats faced by the online community today. Since their appearance in the late 1990s, much effort has been expended in trying to thwart their unprecedented growth. However, with robust and advanced capabilities, it is very difficult for average users to avoid or prevent infection by BotNet malware. Moreover, whilst BotNets have increased in scale, scope and sophistication, the dearth of standardized and effective investigative procedures poses huge challenges to digital investigators in trying to probe such cases. In this paper we present a practical (and repeatable) host-based investigative methodology for the collection of evidentiary information from a Bot-infected machine. Our approach collects digital traces from both the network and physical memory of the infected local host, and correlates this information to identify the resident BotNet malware involved.




Copyright information

© 2010 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Law, F.Y.W., Chow, K.P., Lai, P.K.Y., Tse, H.K.S. (2010). A Host-Based Approach to BotNet Investigation?. In: Goel, S. (eds) Digital Forensics and Cyber Crime. ICDF2C 2009. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 31. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11534-9_16


  • DOI: https://doi.org/10.1007/978-3-642-11534-9_16

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-11533-2

  • Online ISBN: 978-3-642-11534-9

  • eBook Packages: Computer Science, Computer Science (R0)
