Botnet Analysis and Detection
Project Description
The primary intent of Internet attacks has evolved from a quest for fame to financial gain, achieved by installing malware that exploits vulnerabilities in computer systems. Recently, botnets have become one of the biggest threats to the Internet community. Botnets are vast networks of compromised computers taken over by malware and placed under the control of a single master. Due to the widespread adoption of broadband Internet connections, botnets are growing in size, number and impact, allowing them to accumulate tremendous amounts of computing power and bandwidth for large-scale attacks; such attacks include distributed denial of service (DDoS) attacks against servers or even the Internet infrastructure of a country[2]. Botnets are also the major source of vast quantities of unsolicited email (e.g., spam and phishing), and they infect thousands of vulnerable systems with privacy-violating spyware and other malicious code. In effect, botnets have become the most significant platform, or infrastructure, for almost all online criminal activity. The critical difference between botnets and earlier malware is the use of IRC (or other protocols) as a flexible and extensible Command and Control (C&C) channel, which permits the coordination of thousands of individual bots to launch larger and more powerful attacks. The financial incentives and the modularization of botnet malware facilitate the integration of new attack methods and anti-detection techniques. Consequently, the number of customized botnet programs and their variants is increasing dramatically.
Although the security community has known for years that botnets are responsible for many Internet-scale problems such as scanning, exploitation and spam, there are still no effective methods to identify and remove them; even the true size and scope of these underground networks are not fully known. By their fundamental design, botnets are difficult to detect and stop because of their dynamic and adaptive nature, which lets them easily incorporate new mechanisms to circumvent conventional detection and mitigation techniques. For example, botnet controllers are moving from IRC to more advanced C&C channels such as HTTP and P2P, making it significantly more difficult to detect and take down an entire botnet.
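The centralized C&C pattern described above, in which many compromised hosts rendezvous at one server over IRC or HTTP, can be checked for in network flow data with a simple group-activity heuristic. The following Python is an added illustration written for this page; it is not the project's own detection system or RB-Seeker code. The flow records, addresses, internal prefix, bin width and thresholds are all constructed assumptions.

```python
"""Group-activity heuristic: flag an external (dst, port) that many internal
hosts contact in a synchronized, recurring way, the rendezvous pattern of a
centralized C&C channel.  Added illustration; thresholds and data are assumed."""
from collections import defaultdict

INTERNAL_PREFIX = "10."  # assumed internal address space for the sample


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


# Constructed sample flow records (t_seconds, src, dst, dport); not real traffic.
SAMPLE_FLOWS = [
    # Five hosts join the same server on 6667 within seconds, and again ten
    # minutes later: the synchronized check-in of a bot herd.
    (0, "10.0.0.11", "203.0.113.7", 6667),
    (2, "10.0.0.12", "203.0.113.7", 6667),
    (3, "10.0.0.13", "203.0.113.7", 6667),
    (5, "10.0.0.14", "203.0.113.7", 6667),
    (7, "10.0.0.15", "203.0.113.7", 6667),
    (601, "10.0.0.11", "203.0.113.7", 6667),
    (603, "10.0.0.12", "203.0.113.7", 6667),
    (604, "10.0.0.13", "203.0.113.7", 6667),
    (606, "10.0.0.14", "203.0.113.7", 6667),
    (608, "10.0.0.15", "203.0.113.7", 6667),
    # A popular HTTPS site: several hosts in one bin, but no recurring cluster.
    (30, "10.0.0.11", "198.51.100.20", 443),
    (35, "10.0.0.12", "198.51.100.20", 443),
    (40, "10.0.0.13", "198.51.100.20", 443),
    (700, "10.0.0.11", "198.51.100.20", 443),
    # Lone browsing and internal-only traffic, both ignored by the heuristic.
    (100, "10.0.0.11", "192.0.2.9", 80),
    (120, "10.0.0.14", "10.0.0.1", 445),
]


def find_cc_candidates(flows, bin_seconds=60, min_hosts=3, min_bins=2):
    """Return {(dst, dport): sorted internal hosts} for destinations that at
    least `min_hosts` distinct internal hosts contacted inside one time bin,
    in at least `min_bins` different bins.  Port-agnostic, so an HTTP-based
    C&C server is scored the same way as an IRC one."""
    per_bin = defaultdict(set)  # (dst, dport, bin) -> internal sources seen
    for t, src, dst, dport in flows:
        if not is_internal(src) or is_internal(dst):
            continue  # only internal -> external connections are of interest
        per_bin[(dst, dport, t // bin_seconds)].add(src)

    crowded = defaultdict(list)  # (dst, dport) -> [sources per crowded bin]
    for (dst, dport, _b), sources in per_bin.items():
        if len(sources) >= min_hosts:
            crowded[(dst, dport)].append(sources)

    candidates = {}
    for key, bins in crowded.items():
        if len(bins) >= min_bins:
            candidates[key] = sorted(set().union(*bins))
    return candidates


if __name__ == "__main__":
    for (dst, dport), hosts in find_cc_candidates(SAMPLE_FLOWS).items():
        print(f"candidate C&C {dst}:{dport} contacted by {len(hosts)} hosts: {hosts}")
```

On the constructed sample only 203.0.113.7:6667 is reported; the popular HTTPS site is crowded in one bin but never recurs, so the `min_bins` requirement filters it out. The thresholds are the weak point in practice: a low `min_hosts` flags software update servers and popular sites, a high one misses small botnets. The heuristic also shows why the move to P2P C&C mentioned above matters: with no single rendezvous point there is no crowded destination to find, and what remains detectable is the synchronized behaviour of the bots themselves (scanning or spam bursts), which has to be correlated across hosts instead.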
The objective of this research project is to gain a fundamental and comprehensive understanding of the structure and behavior of botnets. Based on this understanding, we aim to develop an effective detection and tracking system that accurately identifies the botmaster and the compromised computers participating in the botnet. Considering the significant financial loss incurred by botnets, their efficient detection is of great importance to both industry and the research community. In addition, early detection of botnets will help network operators clean up compromised computers inside their networks, preventing further spread of the infection and protecting new users from loss of private information. Because botnets are a major source of denial of service attacks (i.e., bringing down a server by sending a large volume of traffic) and of spam (e.g., it is estimated that over 70% of all spam emails are sent from botnets), accurate identification of botnets reduces the infection and attack danger to others while providing better protection from unsolicited email (e.g., spam and phishing).
People
Publication
Xin Hu, Matthew Knysz, Kang G. Shin, "RB-Seeker: Auto-detection of Redirection Botnets." Proceedings of the 16th Annual Network & Distributed System Security Symposium (NDSS'09), 2009.
-- Main.huxin - 16 Feb 2009