
Showing papers on "Cutwail botnet" published in 2010


Journal ArticleDOI
TL;DR: This paper presents the design of an advanced hybrid peer-to-peer botnet, which provides robust network connectivity, individualized encryption and control traffic dispersion, limited botnet exposure by each bot, and easy monitoring and recovery by its botmaster.
Abstract: A “botnet” consists of a network of compromised computers controlled by an attacker (“botmaster”). Recently, botnets have become the root cause of many Internet attacks. To be well prepared for future attacks, it is not enough to study how to detect and defend against the botnets that have appeared in the past. More importantly, we should study advanced botnet designs that could be developed by botmasters in the near future. In this paper, we present the design of an advanced hybrid peer-to-peer botnet. Compared with current botnets, the proposed botnet is harder to shut down, monitor, and hijack. It provides robust network connectivity, individualized encryption and control traffic dispersion, limited botnet exposure by each bot, and easy monitoring and recovery by its botmaster. Finally, we suggest and analyze several possible defenses against this advanced botnet.

260 citations


Proceedings ArticleDOI
30 Sep 2010
TL;DR: The reverse engineering insights allow for a better understanding of the technologies and behaviors of such modern HTTP botnet crimeware toolkits and open an opportunity to inject falsified information into the botnet communications, which can be used to defame this crimeware toolkit.
Abstract: In this paper, we present our reverse engineering results for the Zeus crimeware toolkit, one of the recent and powerful crimeware tools that emerged in the Internet underground community to control botnets. Zeus has reportedly infected over 3.6 million computers in the United States. Our analysis aims at uncovering the various obfuscation levels and shedding light on the resulting code. Accordingly, we explain the bot building and installation/infection processes. In addition, we detail a method to extract the encryption key from the malware binary and use that to decrypt the network communications and the botnet configuration information. The reverse engineering insights, together with network traffic analysis, allow for a better understanding of the technologies and behaviors of such modern HTTP botnet crimeware toolkits and open an opportunity to inject falsified information into the botnet communications, which can be used to defame this crimeware toolkit.

227 citations
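The abstract above describes recovering the encryption key from the bot binary and using it to decrypt captured traffic and configuration data. The following is an added example written for this page, not code from the paper or from the Zeus toolkit. It illustrates one generic way such a recovery can be done when the malware uses RC4 and keeps the key material in the binary as the already expanded 256-byte key-schedule state: scan the file for any 256-byte window that is a permutation of 0..255 (the shape of an RC4 state), then test each candidate by decrypting the captured blob and checking whether the result looks like configuration text. The abstract does not name the cipher or where the key lives; both are assumptions made here, and the "binary" and "captured config" below are constructed inline.

```python
"""Locate an RC4 key-schedule state inside a binary blob and use it to decrypt data.

Constructed demo: the 'binary' is padding + the 256-byte expanded RC4 state +
padding, and the 'captured config' is RC4-encrypted under the same key.
Nothing here is taken from a real malware sample.
"""
from typing import Iterator, List, Optional


def rc4_ksa(key: bytes) -> List[int]:
    """RC4 key-scheduling algorithm: expand `key` into the 256-byte permutation S."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_apply(state, data: bytes) -> bytes:
    """RC4 PRGA: XOR `data` with the keystream generated from a copy of `state`.
    Encryption and decryption are the same operation."""
    S = list(state)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def find_rc4_states(blob: bytes) -> Iterator[int]:
    """Yield every offset where 256 consecutive bytes form a permutation of 0..255.
    An expanded RC4 state has exactly this shape, and 256 distinct byte values in a
    row are rare in ordinary code or data, so false positives are few."""
    for off in range(len(blob) - 255):
        if len(set(blob[off:off + 256])) == 256:
            yield off


def looks_like_config(plain: bytes) -> bool:
    """Plaintext heuristic: printable ASCII plus tab/newline/CR only."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in plain)


def recover_config(binary: bytes, ciphertext: bytes) -> Optional[bytes]:
    """Try each candidate RC4 state found in `binary` against `ciphertext` and
    return the first decryption that passes the plaintext heuristic."""
    for off in find_rc4_states(binary):
        plain = rc4_apply(binary[off:off + 256], ciphertext)
        if looks_like_config(plain):
            return plain
    return None


# ---- constructed sample data (assumed key, fake binary, fake config) ----
KEY = b"demo-bot-key"
STATE = rc4_ksa(KEY)
FAKE_BINARY = b"\x00" * 64 + bytes(STATE) + b"\xcc" * 64
CONFIG_PLAINTEXT = b"url_config=http://c2.example.invalid/cfg.bin\n"
CONFIG_CIPHERTEXT = rc4_apply(STATE, CONFIG_PLAINTEXT)

if __name__ == "__main__":
    print(recover_config(FAKE_BINARY, CONFIG_CIPHERTEXT).decode())
```

The permutation scan is deliberately cipher-agnostic about the key itself: it never needs the original short key, only the expanded state the bot has to keep in memory or on disk to run the PRGA. On a real sample the same scan is applied to a memory dump or the unpacked image rather than to the packed file on disk.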


Proceedings ArticleDOI
13 Dec 2010
TL;DR: Koobface's zombie infrastructure is explored and the identities of fraudulent and compromised social network accounts used to distribute malicious links to over 213,000 social network users, generating over 157,000 clicks are discovered.
Abstract: As millions of users flock to online social networks, sites such as Facebook and Twitter are becoming increasingly attractive targets for spam, phishing, and malware. The Koobface botnet in particular has honed its efforts to exploit social network users, leveraging zombies to generate accounts, befriend victims, and to send malware propagation spam. In this paper, we explore Koobface's zombie infrastructure and analyze one month of the botnet's activity within both Facebook and Twitter. Constructing a zombie emulator, we are able to infiltrate the Koobface botnet to discover the identities of fraudulent and compromised social network accounts used to distribute malicious links to over 213,000 social network users, generating over 157,000 clicks. Despite the use of domain blacklisting services by social network operators to filter malicious links, current defenses recognize only 27% of threats and take on average 4 days to respond. During this period, 81% of vulnerable users click on Koobface spam, highlighting the ineffectiveness of blacklists.

138 citations


Proceedings ArticleDOI
09 Jul 2010
TL;DR: This survey classifies botnet detection techniques into two approaches: one based on setting up honeynets and one based on Intrusion Detection Systems (IDS), the latter categorized into signature-based and anomaly-based detection techniques.
Abstract: Among the diverse forms of malware, botnets are the most widespread and serious threat and occur commonly in today's cyber attacks. Botnets are collections of compromised computers which are remotely controlled by their originator (botmaster) under a common Command-and-Control (C&C) infrastructure. They provide a distributed platform for several illegal activities such as launching distributed denial-of-service (DDoS) attacks against critical targets, malware distribution, phishing, and click fraud. Most of the existing botnet detection approaches concentrate only on particular botnet command and control (C&C) protocols (e.g., IRC, HTTP) and structures (e.g., centralized), and can become ineffective as botnets change their structure and C&C techniques. The detection of botnets has been a major research topic in recent years. Different techniques and approaches have been proposed for detection and tracking of botnets. This survey classifies botnet detection techniques into two approaches. One approach is based on setting up honeynets and the other is based on Intrusion Detection Systems (IDS), which have been categorized into signature-based and anomaly-based detection techniques.

104 citations


Journal ArticleDOI
TL;DR: This paper presents a hardware- and software-independent honeypot detection methodology based on the following assumption: security professionals deploying honeypots have a liability constraint such that they cannot allow their honeypots to participate in real attacks that could cause damage to others, while attackers do not need to follow this constraint.
Abstract: Botnets have become one of the major attacks on the Internet today due to their illicit, profitable financial gain. Meanwhile, honeypots have been successfully deployed in many computer security defence systems. Since honeypots set up by security defenders can attract botnet compromises and become spies in exposing botnet membership and botnet attacker behaviours, they are widely used by security defenders in botnet defence. Therefore, attackers constructing and maintaining botnets will be forced to find ways to avoid honeypot traps. In this paper, we present a hardware- and software-independent honeypot detection methodology based on the following assumption: security professionals deploying honeypots have a liability constraint such that they cannot allow their honeypots to participate in real attacks that could cause damage to others, while attackers do not need to follow this constraint. Attackers could detect honeypots in their botnets by checking whether compromised machines in a botnet can successfully send out unmodified malicious traffic. Based on this basic detection principle, we present honeypot detection techniques to be used in both centralised botnets and Peer-to-Peer (P2P) structured botnets. Experiments show that current standard honeypots and honeynet programs are vulnerable to the proposed honeypot detection techniques. At the end, we discuss some guidelines for defending against general honeypot-aware attacks.

85 citations


Proceedings Article
27 Apr 2010
TL;DR: A 4-month infiltration of the MegaD botnet, beginning in October 2009, provides insight into MegaD's management structure, its complex and evolving C&C architecture, and its ability to withstand takedown.
Abstract: Recent work has leveraged botnet infiltration techniques to track the activities of bots over time, particularly with regard to spam campaigns. Building on our previous success in reverse-engineering C&C protocols, we have conducted a 4-month infiltration of the MegaD botnet, beginning in October 2009. Our infiltration provides us with constant feeds on MegaD's complex and evolving C&C architecture as well as its spam operations, and provides an opportunity to analyze the botmasters' operations. In particular, we collect significant evidence of the MegaD infrastructure being managed by multiple botmasters. Further, FireEye's attempt to shut down MegaD on Nov. 6, 2009, which occurred during our infiltration, allows us to gain an inside view of the takedown and how MegaD not only survived it but bounced back with significantly greater vigor. In addition, we present new techniques for mining information about botnet C&C architecture: "Google hacking" to dig out MegaD C&C servers and "milking" C&C servers to extract not only the spectrum of commands sent to bots but the C&C's overall structure. The resulting overall picture then gives us insight into MegaD's management structure, its complex and evolving C&C architecture, and its ability to withstand takedown.

83 citations


Proceedings ArticleDOI
11 Jun 2010
TL;DR: This paper proposes a new general detection framework for botnets based on finding similar communication patterns and behaviors among a group of hosts that are also performing at least one malicious activity.
Abstract: Botnets are the most widespread threat and occur commonly in today's cyber attacks, resulting in serious threats to our network assets and organizations' property. Botnets are collections of compromised computers (bots) which are remotely controlled by their originator (botmaster) under a common Command-and-Control (C&C) infrastructure. They are used to distribute commands to the bots for malicious activities such as distributed denial-of-service (DDoS) attacks, spam and phishing. Most of the existing botnet detection approaches concentrate only on particular botnet command and control (C&C) protocols (e.g., IRC, HTTP) and structures (e.g., centralized), and can become ineffective as botnets change their structure and C&C techniques. In this paper, we propose a new general detection framework. This proposed framework is based on finding similar communication patterns and behaviors among the group of hosts that are performing at least one malicious activity. The point that distinguishes our proposed detection framework from many other similar works is that there is no need for prior knowledge of botnets such as botnet signatures.

63 citations


Posted Content
TL;DR: This paper provides a taxonomy of botnet C&C channels, evaluates well-known protocols used in each of them, and proposes a new general detection framework which currently focuses on P2P-based and IRC-based botnets.
Abstract: Botnets are the most widespread threat and occur commonly in today's cyber attacks, resulting in serious threats to our network assets and organizations' property. Botnets are collections of compromised computers (bots) which are remotely controlled by their originator (botmaster) under a common Command-and-Control (C&C) infrastructure. They are used to distribute commands to the bots for malicious activities such as distributed denial-of-service (DDoS) attacks, spam and phishing. Most of the existing botnet detection approaches concentrate only on particular botnet command and control (C&C) protocols (e.g., IRC, HTTP) and structures (e.g., centralized), and can become ineffective as botnets change their structure and C&C techniques. In this paper, we first provide a taxonomy of botnet C&C channels and evaluate well-known protocols which are being used in each of them. Then we propose a new general detection framework which currently focuses on P2P-based and IRC-based botnets. This proposed framework is based on the definition of botnets. A botnet has been defined as a group of bots that perform similar communication and malicious activity patterns within the same botnet. The point that distinguishes our proposed detection framework from many other similar works is that there is no need for prior knowledge of botnets such as botnet signatures.

53 citations


Proceedings ArticleDOI
18 Jul 2010
TL;DR: The architecture of a contemporary advanced bot commonly known as Asprox, a type of malware that combines the two threat vectors of forming a botnet and of generating SQL injection attacks, is described.
Abstract: The presence of large pools of compromised computers, also known as botnets, or zombie armies, represents a very serious threat to Internet security. This paper describes the architecture of a contemporary advanced bot commonly known as Asprox. Asprox is a type of malware that combines the two threat vectors of forming a botnet and of generating SQL injection attacks. The main features of the Asprox botnet are the use of a centralized command and control structure, HTTP-based communication, use of advanced double fast-flux service networks, use of SQL injection attacks for recruiting new bots, and social engineering tricks to spread malware binaries. The objective of this paper is to contribute to a deeper understanding of Asprox in particular and a better understanding of modern botnet designs in general. This knowledge can be used to develop more effective methods for detecting botnets and stopping the spreading of botnets on the Internet.

31 citations


Proceedings ArticleDOI
28 Oct 2010
TL;DR: This paper describes a new botnet, discovered in December 2009, that infects Linux-based DSL modems and home routers through Telnet scanning and weak or default passwords; it is named Chuck Norris because an early version included the string [R]anger Killato : in nome di Chuck Norris!
Abstract: This paper describes a new botnet that we discovered at the beginning of December 2009. Our NetFlow-based network monitoring system reported an increasing amount of Telnet scanning probes. Tracing back to a source, we identified infected DSL modems and home routers worldwide. Nowadays, various vendors use Linux in these kinds of devices. A further investigation has shown that most deployed SoHo (small office/home office) devices use default passwords or unpatched vulnerable firmware. Some devices allow remote access via Telnet, SSH or a web interface. Linux malware exploiting weak passwords allows fast propagation and a virtually unlimited potential for malicious activities. In comparison to traditional desktop-oriented malware, end users have almost no chance to discover a bot infection. We call the botnet after Chuck Norris because an early version included the string [R]anger Killato : in nome di Chuck Norris!

26 citations
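The botnet above was noticed because a NetFlow-based monitor reported a rising number of Telnet scanning probes. The following is an added example, not the authors' monitoring system, showing the kind of flow-level check that surfaces such a sweep: per source address, count the distinct tcp/23 destinations hit by SYN-only flows inside a sliding time window, and report sources whose fan-out exceeds a threshold. Legitimate administrative Telnet sessions are long flows with ACK/PSH flags to one or two devices, so they do not trip the rule. The flow records, the flag notation (single letters for SYN, PSH, ACK) and the thresholds are all constructed here.

```python
"""Flow-based Telnet scan detection (added example; constructed flow records)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# (start time in seconds, src IP, dst IP, dst port, TCP flags seen, packets in flow)
FlowRecord = Tuple[float, str, str, int, str, int]

# Constructed records, not real traffic: one host sweeping tcp/23 across a block,
# one admin session, one host that touches only a few devices.
FLOWS: List[FlowRecord] = [
    (0.0, "192.0.2.44", "198.51.100.1", 23, "S", 1),
    (2.0, "192.0.2.44", "198.51.100.2", 23, "S", 1),
    (4.0, "192.0.2.44", "198.51.100.3", 23, "S", 1),
    (6.0, "192.0.2.44", "198.51.100.4", 23, "S", 1),
    (8.0, "192.0.2.44", "198.51.100.5", 23, "S", 1),
    (10.0, "192.0.2.44", "198.51.100.6", 23, "S", 1),
    (12.0, "192.0.2.44", "198.51.100.7", 23, "S", 1),
    (14.0, "192.0.2.44", "198.51.100.8", 23, "S", 1),
    (16.0, "192.0.2.44", "198.51.100.1", 23, "S", 1),      # retry, same target
    (400.0, "192.0.2.44", "198.51.100.9", 23, "S", 1),     # outside the 60 s window
    (402.0, "192.0.2.44", "198.51.100.10", 23, "S", 1),
    (5.0, "10.0.0.5", "10.0.0.1", 23, "SPA", 140),          # real admin session
    (20.0, "192.0.2.50", "198.51.100.20", 23, "S", 1),     # low fan-out, below threshold
    (30.0, "192.0.2.50", "198.51.100.21", 23, "S", 1),
    (40.0, "192.0.2.50", "198.51.100.22", 23, "S", 1),
    (7.0, "10.0.0.9", "198.51.100.30", 443, "SPA", 60),    # unrelated HTTPS flow
]


def telnet_fanout(flows: List[FlowRecord], window: float = 60.0,
                  min_targets: int = 5, port: int = 23) -> Dict[str, int]:
    """Return {src: max distinct tcp/<port> targets probed within any `window` seconds}
    for sources reaching `min_targets`.

    Only SYN-only flows count as probes: a completed session shows ACK (and usually
    PSH) flags and many packets, which a half-open scan probe never does."""
    probes: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for ts, src, dst, dport, flags, _pkts in flows:
        if dport == port and flags == "S":
            probes[src].append((ts, dst))

    result: Dict[str, int] = {}
    for src, recs in probes.items():
        recs.sort()
        best = 0
        # Slide the window start over each probe and count distinct targets inside it.
        for i, (t0, _) in enumerate(recs):
            targets = {dst for ts, dst in recs[i:] if ts - t0 <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            result[src] = best
    return result


if __name__ == "__main__":
    for src, n in telnet_fanout(FLOWS).items():
        print(f"{src}: {n} distinct tcp/23 targets within 60 s")
```

Tuning is the whole game: the window and fan-out threshold should be set from a baseline of the monitored network, and the same function works for tcp/22 (SSH) or tcp/80 web-interface sweeps by changing `port`.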


Proceedings ArticleDOI
01 Dec 2010
TL;DR: This study analyzes web botnet behaviors and develops a detection mechanism based on anomaly web flow traffic over an administrative network domain that can detect web botnets efficiently both in the simulated networks and a real campus network.
Abstract: Botnets are a combination of cyber attack, infection, and dissemination, and they have become one of the most severe threats on the Internet. Across the Internet, an infected host might launch any kind of attack such as DDoS (Distributed Denial-of-Service) or phishing. Compared with botnets using other command-and-control (C&C) channels, web-based botnets are difficult to detect, because the C&C messages of a web botnet are spread over the HTTP protocol, hiding behind normal flows. Most previous work tackles IRC-based botnet detection, while this study analyzes web botnet behaviors and develops a detection mechanism based on anomalous web flow traffic over an administrative network domain. Web bots exhibit routine and regular web connections, which can be used to identify unusual web flows in a network. The experimental results show that the proposed approach can detect web botnets efficiently both in simulated networks and in a real campus network.
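The observation above that web bots exhibit "routine and regular" connections is the basis of beacon detection. The following is an added example, not the authors' mechanism: for every (client, server) pair seen in web flow or proxy records, compute the inter-connection intervals and flag pairs whose intervals are both numerous and nearly constant (low coefficient of variation). Human browsing is bursty and irregular; a bot polling its HTTP C&C every few minutes is not. The timestamps and thresholds are constructed for the example.

```python
"""Periodic HTTP connection (beacon) detection over web flow records.

Added example with constructed data; thresholds are illustrative.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# (epoch seconds, client IP, server IP) per HTTP connection
WebRecord = Tuple[float, str, str]

# Constructed records: a bot polling every ~300 s with small jitter, a person
# browsing a site irregularly, and a short-lived pair with too few connections.
WEB_LOG: List[WebRecord] = (
    [(t, "10.0.0.7", "203.0.113.20")
     for t in (0, 301, 599, 901, 1199, 1501, 1800, 2099, 2401, 2700)]
    + [(t, "10.0.0.8", "198.51.100.3") for t in (0, 15, 17, 240, 900, 905, 1300)]
    + [(t, "10.0.0.9", "198.51.100.3") for t in (10, 20, 30)]
)


def beacon_candidates(records: List[WebRecord], min_conns: int = 6,
                      max_cv: float = 0.1) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Return {(client, server): {"mean_interval", "cv", "connections"}} for pairs
    with at least `min_conns` connections whose inter-connection intervals have a
    coefficient of variation (stdev / mean) of at most `max_cv`."""
    by_pair: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for ts, client, server in records:
        by_pair[(client, server)].append(ts)

    flagged: Dict[Tuple[str, str], Dict[str, float]] = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue                          # too little history to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged[pair] = {"mean_interval": round(mean, 1),
                             "cv": round(cv, 3),
                             "connections": len(times)}
    return flagged


if __name__ == "__main__":
    for (client, server), info in beacon_candidates(WEB_LOG).items():
        print(f"{client} -> {server}: every {info['mean_interval']} s, cv={info['cv']}")
```

In production the same statistic is computed per destination host name rather than IP (CDN rotation otherwise splits one beacon across many servers), and legitimate periodic traffic such as software update checks and mail polling has to be allowlisted, which is why the anomaly score is combined with other evidence before alerting.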

01 Apr 2010
TL;DR: This paper proposes a new detection framework which focuses on P2P based botnets, and defines a botnet as a group of bots that will perform similar communication and malicious activity patterns within the same botnet.
Abstract: Botnets are the most widespread threat and occur commonly in today's cyber attacks, resulting in serious threats to our network assets and organizations' property. Botnets are collections of compromised computers (bots) which are remotely controlled by their originator (botmaster) under a common Command-and-Control (C&C) infrastructure. They are used to distribute commands to bots for malicious activities such as distributed denial-of-service (DDoS) attacks, spam and phishing. Most of the existing botnet detection approaches concentrate only on particular botnet command and control (C&C) protocols (e.g., IRC, HTTP) and structures (e.g., centralized), and can become ineffective as botnets change their structure and C&C techniques. In this paper we propose a new detection framework which focuses on P2P-based botnets. This proposed framework is based on our definition of botnets. We define a botnet as a group of bots that perform similar communication and malicious activity patterns within the same botnet. In our proposed detection framework, we monitor the group of hosts that show a similar communication pattern in one stage, identify hosts performing malicious activities in another step, and find the hosts common to both.
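The three abstracts above (the general framework, the C&C taxonomy paper, and this P2P-focused one) all rest on the same two-stage idea: group hosts by similar communication patterns, independently flag hosts seen doing something malicious, and report the intersection. The following is an added example of that logic, written for this page rather than taken from the papers. It builds a destination profile per internal host from flow records, clusters hosts whose profiles overlap (Jaccard similarity above a threshold, joined with union-find), and intersects the clustered hosts with a constructed list of malicious-activity events. The flows, events, similarity measure and threshold are all assumptions made here; the papers do not specify them.

```python
"""Two-stage botnet detection: similar-communication groups intersected with
hosts observed performing malicious activity. Added example, constructed data."""
from collections import defaultdict
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Flow = Tuple[str, str, int, str]          # (src IP, dst IP, dst port, protocol)
Endpoint = Tuple[str, int, str]           # (dst IP, dst port, protocol)

# Constructed flows: three hosts talking to the same two IRC servers, two normal
# HTTPS clients, and one legitimate IRC user who shares one server with the bots.
FLOWS: List[Flow] = [
    ("10.0.0.11", "203.0.113.5", 6667, "tcp"), ("10.0.0.11", "203.0.113.9", 6667, "tcp"),
    ("10.0.0.12", "203.0.113.5", 6667, "tcp"), ("10.0.0.12", "203.0.113.9", 6667, "tcp"),
    ("10.0.0.13", "203.0.113.5", 6667, "tcp"), ("10.0.0.13", "203.0.113.9", 6667, "tcp"),
    ("10.0.0.20", "198.51.100.7", 443, "tcp"),
    ("10.0.0.21", "198.51.100.7", 443, "tcp"), ("10.0.0.21", "198.51.100.8", 443, "tcp"),
    ("10.0.0.30", "203.0.113.9", 6667, "tcp"),
]

# Constructed malicious-activity observations from other sensors (host, activity).
# 10.0.0.21 is a lone scanner: flagged, but it shares no group behaviour.
MALICIOUS_EVENTS: Set[Tuple[str, str]] = {
    ("10.0.0.11", "portscan"), ("10.0.0.12", "spam"),
    ("10.0.0.13", "portscan"), ("10.0.0.21", "portscan"),
}


def destination_profiles(flows: Iterable[Flow]) -> Dict[str, Set[Endpoint]]:
    """Stage 1a: the set of (dst, port, proto) endpoints each source host talks to."""
    profiles: Dict[str, Set[Endpoint]] = defaultdict(set)
    for src, dst, dport, proto in flows:
        profiles[src].add((dst, dport, proto))
    return profiles


def jaccard(a: Set[Endpoint], b: Set[Endpoint]) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def similar_groups(profiles: Dict[str, Set[Endpoint]],
                   threshold: float = 0.6) -> List[FrozenSet[str]]:
    """Stage 1b: union-find over host pairs whose profiles are at least `threshold`
    similar; return the resulting groups of two or more hosts."""
    parent = {h: h for h in profiles}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]     # path halving
            x = parent[x]
        return x

    for a, b in combinations(sorted(profiles), 2):
        if jaccard(profiles[a], profiles[b]) >= threshold:
            parent[find(a)] = find(b)

    groups: Dict[str, Set[str]] = defaultdict(set)
    for host in profiles:
        groups[find(host)].add(host)
    return [frozenset(g) for g in groups.values() if len(g) >= 2]


def detect_bots(flows: Iterable[Flow], events: Set[Tuple[str, str]],
                threshold: float = 0.6) -> Set[str]:
    """Stage 2 and intersection: hosts that belong to a similar-communication group
    AND were independently observed performing malicious activity."""
    groups = similar_groups(destination_profiles(flows), threshold)
    grouped: Set[str] = set().union(*groups) if groups else set()
    flagged = {host for host, _activity in events}
    return grouped & flagged


if __name__ == "__main__":
    print(sorted(detect_bots(FLOWS, MALICIOUS_EVENTS)))
```

The value of the intersection is visible in the constructed data: the lone scanner 10.0.0.21 is not reported because no other host shares its communication pattern, and the legitimate IRC user 10.0.0.30 is not reported because it was never seen doing anything malicious, even though it shares a server with the bots.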

01 Jan 2010
TL;DR: This paper gives a brief overview of botnets and DDoS attacks, identifies DDoS as the most serious emerging threat carried out by botnets, and analyzes bot behavior.
Abstract: With the rapid development of information technology, the Internet has affected people in all aspects of life; public utilities, telecommunications, financial transactions and defense systems all depend on information technology and its security. Using the latest technology and the Internet, attackers may perform malicious activities. Botnets are the most serious emerging threat. A botnet performs various kinds of malicious activities, one of which is DDoS. DDoS degrades the performance of a network, disconnects hosts, and performs bandwidth-depletion and resource-depletion attacks. This paper gives a brief overview of botnets and DDoS attacks and an analysis of bot behavior.

Proceedings ArticleDOI
24 Apr 2010
TL;DR: This paper introduces botnet communication and attack patterns, studies a method for discovering botnets based on abnormal behavior, and designs an automatic identification system for IRC-based botnets to help analyze and dispose of them effectively.
Abstract: Botnets are one of the major security threats to the Internet. In this paper, botnet communication and attack patterns are introduced, and a method for discovering botnets based on abnormal behavior is studied. For current botnets, which are mainly based on the IRC protocol, an automatic identification system is designed to help analyze and dispose of botnets effectively.

Proceedings Article
30 Dec 2010
TL;DR: This paper analyzes how malicious botnets evade detection methods; the analysis of evasion techniques is expected to contribute to botnet detection research.
Abstract: Malicious botnets are the greatest threat to Internet security. A malicious botnet sends a very large number of spam messages a day and, through DDoS attacks, prevents Internet services from being used. To defend against the threat, many researchers have studied how to detect malicious botnets, but malicious botnets evade detection methods as they evolve. In this paper, we analyze how they evade detection methods. The analysis of evasion techniques is expected to contribute to malicious botnet detection research.

Proceedings ArticleDOI
25 Oct 2010
TL;DR: An Artificial Immune System (AIS) is utilized within a general botnet detection framework to effectively detect malicious activities such as spam and port scanning in bot-infected hosts.
Abstract: Botnets are the most widespread threat and occur commonly in today's cyber attacks, resulting in serious threats to our network assets and organizations' property. Botnets are collections of compromised computers (bots) which are remotely controlled by their originator (botmaster) under a common Command-and-Control (C&C) infrastructure. In this paper, we propose a new general botnet detection framework. Since the Artificial Immune System (AIS) is a new bio-inspired model which is applied to solving various problems in the field of information security, we use this concept in our proposed framework to make it more efficient. Our framework is based on the definition of botnets. A botnet has been defined as a group of bots that perform similar communication and malicious activity patterns within the same botnet. We utilize AIS to effectively detect malicious activities such as spam and port scanning in bot-infected hosts.

Proceedings ArticleDOI
19 Jul 2010
TL;DR: This paper describes a new type of botnet that uses Web 2.0 service as a C&C channel and a temporary storage for their stolen information and proposes a novel approach to thwart this type of attack.
Abstract: Recently, the botnet, a network of compromised computers, has been recognized as the biggest threat to the Internet. The bots in a botnet communicate with the botnet owner via a communication channel called the Command and Control (C&C) channel. There are three main C&C channels: Internet Relay Chat (IRC), Peer-to-Peer (P2P) and web-based protocols. By exploiting the flexibility of Web 2.0 technology, the web-based botnet has reached a new level of sophistication. In August 2009, such a botnet was found on Twitter, one of the most popular Web 2.0 services. In this paper, we describe a new type of botnet that uses a Web 2.0 service as a C&C channel and as temporary storage for its stolen information. We then propose a novel approach to thwart this type of attack. Our method applies a unique identifier of the computer, an encryption algorithm with session keys and a CAPTCHA verification.

Journal ArticleDOI
TL;DR: Botnets are collections of compromised computers (bots) which are remotely controlled by their originator (botmaster) under a common Command-and-Control system.
Abstract: Botnets are the most widespread threat and occur commonly in today's cyber attacks, resulting in serious threats to our network assets and organizations' property. Botnets are collections of compromised computers (bots) which are remotely controlled by their originator (botmaster) under a common Command-and-Control (C&C)
Keywords: Botnet; Bot; IRC; P2P

Proceedings ArticleDOI
08 Nov 2010
TL;DR: The status of the botnets, how they work, and how they may be defeated are reviewed.
Abstract: A botnet is a network of computers on the Internet infected with software robots, or bots. There are numerous botnets. Some of them control millions of computers. Botnets have become the platform for the scourges of the Internet, namely spam e-mail, denial-of-service attacks, click fraud, theft of sensitive information, cyber sabotage, cyber warfare, etc. In this paper, we review the status of botnets, how they work, and how they may be defeated.

Proceedings ArticleDOI
09 Sep 2010
TL;DR: This paper introduces the characteristics, transmission methods and harm of botnets, studies detection, tracking and removal technologies based on the analysis of bot samples, and summarizes botnet trends.
Abstract: Botnets are one of the most serious threats to the security of the Internet nowadays. This paper introduces the characteristics, transmission methods and harm of botnets, studies detection, tracking and removal technologies for botnets based on the analysis of bot samples, and summarizes botnet trends.

Journal Article
TL;DR: A "faked honeypot" detection model, which combines a honeypot with flow analysis, is proposed and shown to effectively improve the detection rate of semi-distributed P2P botnets.
Abstract: In the game of attack and defense, the semi-distributed P2P botnet has become the most dominant form of botnet as P2P applications are widely used. This paper describes the basic principle of how attackers create their semi-distributed botnets and a model of their growth, and proposes the "faked honeypot" detection model, which combines a honeypot with flow analysis. When anomalies appear in a host on the network, its programs and services are closed, the host is brought alongside the honeypot, and it is examined by flow analysis. Experimental results show that the method can effectively improve the detection rate of semi-distributed P2P botnets.

Journal ArticleDOI
TL;DR: This paper characterizes spamming botnets by leveraging both spam payload and spam node traffic properties, and presents two measurement frameworks, based on the "second character" of bots, to measure the size of a botnet.
Abstract: Botnets have become one of the most serious threats to the Internet. They are now the key platform for many Internet attacks, such as spam and distributed denial-of-service (DDoS), and we call these attacks "the second character of bots". In this paper, we focus on characterizing spamming botnets by leveraging both spam payload and spam node traffic properties. Measurement of botnets is important and challenging work. However, most existing approaches work only on specific botnet command and control (C&C) protocols (e.g., IRC) and structures (e.g., centralized). In this paper, we present two measurement frameworks (MFNL and MFAL) based on the second character of bots to measure the size of a botnet. We have implemented our prototype system and evaluated it using many real network traces, and we also compare these two approaches from several points of view.

04 Oct 2010
TL;DR: This paper reviews a method of active protection against the secondary damage caused by bot infection (DDoS attacks, spam sending, personal/financial information theft, etc.) by designing an advanced quarantine technique that, based on key information about the botnet, extracts and blocks traffic from the botnet only.
Abstract: Cyber attacks using botnets have a bad influence on information systems, as shown by the recent 7.7 DDoS incident carried out by a botnet and the explosive growth of spam e-mail. The purpose of such attacks is also changing from curiosity and showing off to economic interest, such as DDoS attacks against competitors and access to confidential information. This paper reviews a method of active protection against the secondary damage caused by bot infection (DDoS attacks, spam sending, personal/financial information theft, etc.) by designing an advanced quarantine technique that, based on key information about the botnet, extracts and blocks traffic from the botnet only.

Journal Article
TL;DR: This paper briefly describes the development and definition of botnets, focuses on an analysis of the botnet workflow, and finally summarizes botnet hazards and defense methods.
Abstract: After ten years of development, botnets already have a variety of communication and attack methods. A botnet can capture a host without the user's knowledge, steal sensitive information, and use the host to launch network attacks. Botnets constitute a serious threat to the security of the Internet. This paper briefly describes the development and definition of botnets, focuses on an analysis of the botnet workflow, and finally summarizes botnet hazards and defense methods.

Journal Article
TL;DR: In this paper, three models of botnet are analyzed in depth, and the latest techniques in finding and tracking the botnets are also discussed.
Abstract: The botnet is a novel attack strategy evolved from traditional malware forms, which provides attackers with stealthy, flexible and efficient one-to-many command and control mechanisms, and can control a number of zombies to achieve information theft, distributed denial-of-service, and spam sending. Botnets are a serious threat to Internet security. In this paper, three models of botnet are analyzed in depth, and the latest techniques for finding and tracking botnets are also discussed.

01 Nov 2010
TL;DR: A Guilt-by-Association approach to determining botnet footprint starting from a subset of known domains belonging to a specific botnet, and demonstrating the approach using recent botnets is described.
Abstract: In this paper, we describe a Guilt-by-Association approach to determining a botnet's footprint starting from a subset of known domains belonging to a specific botnet, and demonstrate our approach using recent botnets. Our empirical results leverage the botnet database that we have collected over a period of 12 months with our real-time fast flux network detection algorithm [1]. Botnets exploit a network of compromised machines (zombies) for illegal activities such as Distributed Denial of Service (DDoS) attacks, spam campaigns, phishing scams and malware delivery using DNS record manipulation techniques. Our results, which build upon our behaviour [2] and social network analysis [3] results, show that it is possible to identify a large portion of a botnet once a small segment of that botnet is identified through manual means, and to explain the differences in botnet footprint prediction using our proposed connectivity metric.
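Two abstracts on this page touch fast-flux infrastructure: the Asprox description above mentions "double fast-flux service networks", and this last paper expands a botnet footprint from a few known domains by guilt by association. The following is an added example, not the authors' detection algorithm or connectivity metric, that shows the two pieces in miniature. Fast-flux candidates are scored from repeated DNS lookups using three widely used indicators (many distinct A records, spread over several origin ASes, with short TTLs), and the footprint is then grown from a seed set by repeatedly adding flux domains that share at least two A records with an already-known domain. The DNS observations, the IP-to-AS mapping, the thresholds and the "shared addresses" association rule are all constructed assumptions here; the documentation ASNs come from RFC 5398.

```python
"""Fast-flux scoring and guilt-by-association expansion over DNS observations.

Added example with constructed data; the real papers' algorithms and metric differ.
"""
from typing import Dict, List, Set, Tuple

Answer = Tuple[int, List[str]]      # (TTL in seconds, A records returned by one lookup)

# Constructed DNS observations, several lookups per domain. Not real data.
OBSERVATIONS: Dict[str, List[Answer]] = {
    "badseed.example": [                       # known-bad seed: flux across 3 ASes
        (120, ["198.51.100.10", "203.0.113.22", "192.0.2.30"]),
        (120, ["198.51.100.11", "192.0.2.31", "203.0.113.22"]),
    ],
    "phish-a.example": [                       # shares three addresses with the seed
        (60, ["198.51.100.11", "203.0.113.22", "198.51.100.40"]),
        (60, ["192.0.2.30", "203.0.113.50", "198.51.100.40"]),
    ],
    "phish-b.example": [                       # shares two addresses with phish-a only
        (180, ["198.51.100.40", "203.0.113.50", "192.0.2.60"]),
        (180, ["198.51.100.41", "203.0.113.51", "192.0.2.60"]),
    ],
    "cdn.example": [                           # many addresses, one AS, long TTL: a CDN
        (3600, ["100.64.0.1", "100.64.0.2", "100.64.0.3"]),
        (3600, ["100.64.0.4", "100.64.0.5", "100.64.0.6"]),
    ],
    "shared-host.example": [(300, ["198.51.100.10"])],   # one address in common with seed
    "shop.example": [(300, ["192.0.2.99"])],
}


def asn_for(ip: str) -> int:
    """Constructed IP-to-origin-AS lookup (RFC 5398 documentation ASNs).
    In practice this comes from a BGP table or a whois/IP-to-ASN service."""
    prefix = ip.rsplit(".", 1)[0]
    return {"198.51.100": 64500, "203.0.113": 64501,
            "192.0.2": 64502, "100.64.0": 64503}.get(prefix, 0)


def domain_ips(answers: List[Answer]) -> Set[str]:
    return {ip for _ttl, rrs in answers for ip in rrs}


def flux_features(answers: List[Answer]) -> Tuple[int, int, int]:
    """(distinct A records, distinct origin ASes, minimum TTL) across all lookups."""
    ips = domain_ips(answers)
    return len(ips), len({asn_for(ip) for ip in ips}), min(ttl for ttl, _ in answers)


def is_fast_flux(answers: List[Answer], min_ips: int = 5,
                 min_asns: int = 3, max_ttl: int = 300) -> bool:
    """Flux heuristic: many addresses, spread over several ASes, short TTL.
    The AS requirement is what keeps a single-AS CDN from matching."""
    n_ips, n_asns, ttl = flux_features(answers)
    return n_ips >= min_ips and n_asns >= min_asns and ttl <= max_ttl


def guilt_by_association(observations: Dict[str, List[Answer]], seeds: Set[str],
                         min_shared: int = 2) -> Set[str]:
    """Expand `seeds` to every fast-flux domain that shares at least `min_shared`
    A records with a domain already in the set, repeating until nothing changes."""
    ips = {d: domain_ips(a) for d, a in observations.items()}
    found = set(seeds)
    changed = True
    while changed:
        changed = False
        for domain in observations:
            if domain in found or not is_fast_flux(observations[domain]):
                continue
            if any(len(ips[domain] & ips[known]) >= min_shared for known in found):
                found.add(domain)
                changed = True
    return found


if __name__ == "__main__":
    print(sorted(guilt_by_association(OBSERVATIONS, {"badseed.example"})))
```

The flux check is applied to each candidate before association so that a legitimate shared host with a single overlapping address never gets pulled in, and the expansion is transitive: phish-b.example is reached only through phish-a.example, which is the point of starting from a small manually identified segment.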