
Characterizing Bots’ Remote Control Behavior

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2007)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 4579)

Abstract

A botnet is a collection of bots, each generally running on a compromised system and responding to commands over a “command-and-control” overlay network. We investigate observable differences in the behavior of bots and benign programs, focusing on the way that bots respond to data received over the network. Our experimental platform monitors execution of an arbitrary Win32 binary, considering data received over the network to be tainted, applying library-call-level taint propagation, and checking for tainted arguments to selected system calls. As a way of further distinguishing locally-initiated from remotely-initiated actions, we capture and propagate “cleanliness” of local user input (as received via the keyboard or mouse). Testing indicates behavioral separation of major bot families (agobot, DSNXbot, evilbot, G-SySbot, sdbot, Spybot) from benign programs with low error rate.
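As an added illustration (not the paper's own monitoring platform), the following Python toy models the library-call-level taint tracking the abstract describes: data received from the network is labelled tainted, local keyboard input is labelled clean, hooked library calls propagate the labels, and selected system calls are checked for tainted arguments. The label lattice (taint dominates cleanliness) and the set of checked calls are assumptions, as are the constructed traces.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Label(IntEnum):
    UNKNOWN = 0   # no known origin
    CLEAN = 1     # derived from local keyboard/mouse input
    TAINTED = 2   # derived from data received over the network

@dataclass
class Buf:
    data: bytes
    label: Label = Label.UNKNOWN

def join(*labels: Label) -> Label:
    # Assumed lattice: network taint dominates cleanliness, which dominates unknown.
    return max(labels, default=Label.UNKNOWN)

# Hooked "library calls": sources assign labels, propagators combine them.
def recv(payload: bytes) -> Buf:            # network source: tainted
    return Buf(payload, Label.TAINTED)

def read_console(keys: bytes) -> Buf:       # local user input: clean
    return Buf(keys, Label.CLEAN)

def strcat(dst: Buf, src: Buf) -> Buf:      # result carries the join of both labels
    return Buf(dst.data + src.data, join(dst.label, src.label))

# Checked "system calls": argument positions whose taint is reported (assumed set).
CHECKED = {"CreateProcess": (0,), "CreateFile": (0,), "connect": (0,)}

@dataclass
class Monitor:
    alerts: list = field(default_factory=list)
    def syscall(self, name: str, *args: Buf) -> bool:
        # Record an alert naming the call and the tainted argument positions.
        hits = [i for i in CHECKED.get(name, ()) if args[i].label == Label.TAINTED]
        if hits:
            self.alerts.append((name, hits))
        return not hits

def remote_control_trace() -> list:
    # Constructed trace: a program name arrives over the network and reaches CreateProcess.
    m = Monitor()
    cmd = recv(b"notepad.exe")
    line = strcat(Buf(b"C:\\Windows\\"), cmd)   # path prefix is UNKNOWN, cmd is TAINTED
    m.syscall("CreateProcess", line)              # tainted argument -> alert
    return m.alerts

def local_user_trace() -> list:
    # Constructed trace: the same program name is typed locally, so no alert is raised.
    m = Monitor()
    typed = read_console(b"notepad.exe")
    line = strcat(Buf(b"C:\\Windows\\"), typed)
    m.syscall("CreateProcess", line)
    return m.alerts
```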




Editor information

Bernhard M. Hämmerli Robin Sommer


Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Stinson, E., Mitchell, J.C. (2007). Characterizing Bots’ Remote Control Behavior. In: Hämmerli, B.M., Sommer, R. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2007. Lecture Notes in Computer Science, vol 4579. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-73614-1_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-73614-1_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-73613-4

  • Online ISBN: 978-3-540-73614-1

  • eBook Packages: Computer Science (R0)
