leveraging honest users: stealth command-and-control of ...leveraging honest users: stealth...
TRANSCRIPT
Leveraging Honest Users: Stealth Command-and-Control of Botnets
Diogo MonicaINESC-ID/IST
Carlos RibeiroINESC-ID/IST
Abstract
Botnets are large networks of infected computers con-trolled by an attacker. Much effort has already been in-vested in the detection and analysis mechanisms, capableof defusing this type of threat. However, botnets havebeen constantly evolving, and will certainly continue todo so. We must, therefore, make an effort to foresee andstudy possible future designs, if we are to be capable oftimely development of adequate defense mechanisms.
Many of the most recent methods to detect and ana-lyze botnets are based upon the vulnerabilities of theircommand-and-control (C2) infrastructure. We thus be-lieve that attackers will follow a predictable evolution-ary pattern, and start using designs with more robust andstealth C2 channels, thus minimizing the risk of shut-down or infiltration. In this paper, we will therefore an-alyze in detail a new kind of botnet C2 infrastructure,where bots do not possess any information concerningcommand-and-control mechanisms. These stealth, iso-lated bots are controlled through honest participants notpertaining to the botnet. This architecture eliminates thepossibility of estimation of the botnet size, minimizes theprobability of detection of individual bots, and eliminatesthe possibility of researcher infiltration.
1 Introduction
Botnets are one of the dominant threats in the internet,since they harness the power of thousands of infectedhosts, and may use them to perform abusive or fraudulentactivities, such as: spamming, phishing, click-fraud, dis-tributed denial-of-service (DDoS), or stealing personaldata, such as email accounts or credit-card data [5]. Asignificant amount of research has been invested in thisarea, leading to both a better understanding of the botnetphenomenon, and to the development of new detectiontechniques.
Most of the initially proposed methods for botnet de-
tection are passive, and work either by detecting specificmalicious activity of bots (spam, DoS) [27], or by de-tecting activity on the communication channels used tocontrol the botnet [11, 24, 10]. However, these passiveapproaches can only monitor a small portion of the in-ternet; also, they will only detect botnets with the mali-cious behavior or the type of C2 targeted by that particu-lar analysis.
More recently the research community adopted a moreactive approach to the study of botnets: infiltration. Theycreate a client capable of mimicking the C2 protocol,and join the botnet. This privileged position can thenbe leveraged, to obtain accurate estimates of the sizeof the botnet, or to gain inside information needed tosupport an eventual hijacking or dismantling of the bot-net [23, 12, 15].
Unfortunately, botnets are also evolving. The first kindof C2 infrastructure used by botnets was based on cen-tral IRC servers [8]. This allowed researchers to obtainthe IP addresses of the bots, and, sometimes, even con-trol the botnet itself [5]. Botmasters then upgraded theservers to stripped-down IRC or HTTP servers, which re-duced some of the vulnerabilities of the previous servers(namely, the possibility of identification and estimationof the number of bots in the botnet). However, bot-nets still had a single point of failure: the C2 server it-self. Therefore, botnets began shifting towards peer-to-peer command-and-control infrastructures, thus becom-ing more resilient to takedown attempts. Forecasting theevolutionary adaptive changes in botnet operation pro-files is, therefore, of paramount importance, to allowtimely development of appropriate countermeasures.
Of particular concern are the stealth strategies that at-tackers may employ, to reduce the probability of detec-tion of their bots, and/or of infiltration of their botnets.The intuition is that botmasters will try to avoid the us-age of permanent command-and-control infrastructures,since they have been one of the main targets of recentresearch on botnet detection and analysis [11].
To create this new kind of botnet, attackers can lever-age the capability of modern browsers to run pieces ofembedded code (such as Javascript or Flash), thus cre-ating a layer of expendable hosts, composed by honestvisitors of malicious (or compromised) websites. Thesehosts will be responsible for doing activities that are ver-bose in nature, such as disseminating botmaster’s com-mands. As will be seen, the existence of this layer canconstitute a formidable obstacle to the analysis, and/orinfiltration of the underlying botnet.
Contributions The main contribution of this paper isthe exposure and analysis of a possible path of botnetevolution, capable of higher degrees of stealthiness andresilience against infiltration. Hopefully, this will leadto the timely development of adequate countermeasuresagainst this next generation of botnets. In particular, sev-eral novel results are presented:
− We present and analyze new type of botnet C2 archi-tecture, capable of achieving much higher degreesof resilience to infiltration and size estimation bythe research community;
− We show that such an architecture can be lever-aged to create an overlay (for stolen information re-trieval) that cannot be used by anyone but the bot-master;
− We analyze authentication scheme that allows botsto unambiguously identify honest hosts being usedby the botmaster to disseminate commands, usingonly the botmaster’s public key as a trust anchor;
− We also discuss a tunneling scheme that may al-low the botmaster to retrieve information withoutthe risk of exposure of his own identity;
− A case-study implementation of such an architec-ture is made;
− Also, the performance of this architecture is ana-lyzed, both analytically and via Monte Carlo anal-ysis, thus obtaining the practical bounds withinwhich this overall botnet scheme may constitute athreat to network operations.
2 Background Model
As stated, our approach is focused on stealth botnets,whose command-and-control architecture can avoid in-filtration, size estimation, and reduce the detection prob-ability of the individual bots. In this section, we will stateboth the model and the assumptions to be made through-out the paper.
The details of how bots are infected will not be ad-dressed. We will assume the existence of a population ofcomputers infected with a malicious binary, which con-tains: the code needed to perform the malicious activi-ties; the public key of the botmaster; the initial botmas-ter’s commands (e.g. send spam e-mail). Note that botsdo not possess any data (e.g. IP address, domain-names)concerning the botmaster, other than its public key.
We further assume that bots can receive commandsfrom the botmaster through a common TCP port opento the internet. Attackers can achieve this even in hostssitting behind NATs, through the use of the Internet Gate-way Device (IGD) Protocol, implemented via UPnP, thusproviding port mapping capabilities. Also, it is commonin malware to have firewall killers, and, in general, toeliminate some of the restrictions that a well configuredhost may present.
Finally, and in order to simplify calculations, we as-sume that the IP addresses of infected hosts are uni-formly distributed throughout the fraction of the IP ad-dressing space currently assigned, and that the wholepopulation of infected hosts is online.
3 Architecture
Contrarily to usual botnets, in our architecture bots donot attempt to contact any controlling third-party server;they simply execute the original botmaster’s orders, andpassively listen for commands. This can be seen as achange in the normal communication paradigm. Usu-ally, bots actively participate in some control infrastruc-ture, both to retrieve information from the botmaster (e.g.updates to the malicious binaries, new commands, etc.),and to send information back (e.g. stolen credit carddata, email addresses, etc.). However, in the consid-ered architecture, bots are passive in terms of C2, andcommands are pushed directly into the compromised ma-chines. Command origin authentication is done by ver-ifying if the incoming requests are signed with the bot-master’s private key (remember that all the bots have thecorresponding public key). This type of authentication isalready being used in the wild [21].
This design presents a much greater threat than theusual usual pull model: Researchers controlling indi-vidual bots cannot infiltrate the C2 infrastructure, since,from the perspective of a bot, there is none. This meansthat, by controlling a bot, researchers cannot estimatebotnet size, or gain any type of privileged position in thebotnet that might lead to a possible attack vector. More-over, none of the research methods for bot identificationby detection of the C2 communication pattern is applica-ble, since there is no outbound (from bots to botmaster)C2 traffic.
2
However, attackers face two obvious difficulties withthis overall design:
Command dissemination. The botmaster doesnot possess an established command disseminationchannel, and, thus, needs to individually send thecommands to each and every infected bot; however,since bots never ”phone home”, the attacker doesnot know the IP addresses of the infected hosts, andcommands will thus have to be sent to the bots by arandom (or semi-random) scanning strategy. Com-mand dissemination will thus become a problem ofstatistical nature;
Information retrieval. Since bots do not possessthe IP address of the botmaster, creating an up-stream information flow (if information retrieval isrequired) is a particularly difficult problem.
Unfortunately, both these difficulties may be over-come by a motivated botmaster.
3.1 Command disseminationDirect command dissemination by the botmaster, whilefeasible, has some disadvantages for the botmaster:
− The botmaster would be exposing himself, by di-rectly scanning the internet. Even if the attackeruses a compromised host to act as a proxy, exposinga host directly controlled by the botmaster may leadto exposure of the botmaster’s true IP address;
− The botmaster may take too long to reach all theparticipants in the botnet. This is particularly im-portant when the botmaster wants a command to beexecuted as soon as possible.
The botmasters might consider establishing a two-leveled hierarchy of infected hosts, with different objec-tives on both levels: one lower level to perform the mali-cious activities (worker bots), and a higher intermediatelevel, whose sole purpose would be to disseminate thebotmaster commands to the worker bots (as was donein [25]). If botmasters opt for this solution, one maytry to impersonate one of these information relay hostswhich might allow us to thwart the propagation of thecommands, gain enough trust to be able to launch aneclipse attack, or launch other disrupting attacks to theC2 infrastructure [13].
Unfortunately, we believe that botmasters may try tocircumvent both theses difficulties through the use of anew kind of intermediate C2 layer, between the botmas-ter and the bots, composed solely of honest participants.These participants are called honest, since they will notbe infected with the malicious binary, and are, thus, tech-nically not part of the botnet. This intermediate C2 layer
Botmaster
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
Bots
Vulnerable Webserver
Web Users
Figure 1: Global architecture.
works in the following way: The botmaster deploys awebsite (or infects an existing one) possessing a specificmalicious code. This malicious code will not attempt toinfect the host through a drive-by-download, gain controlof the web user’s hosts, or exploit any vulnerability. In-stead, it will have an obfuscated piece of code, to be ranby the browser, that will make the web user’s browserunwillingly disseminate command messages to the bots.
This may be done by leveraging the capabilities ofscripting languages like javascript. All users withjavascript enabled on their browsers will execute the ma-licious code, and will, thus, become a part of the com-mand dissemination layer. Such a command dissemina-tion mechanism can be seen in Figure 1.
Bots will receive commands from the intermediatehonest website users, without acknowledging their re-ception1. The only traffic sent by the bots is the one gen-erated by the TCP handshake (one SYN/ACK message).Furthermore, attackers may chose commonly open portsbelonging to potentially legitimate services, hinderingresearchers from simply enumerating bots by the pres-ence of an uncommon open port. This makes the taskof detecting C2 traffic very difficult. Moreover, a re-searcher cannot achieve anything by replaying the re-ceived commands, except further spreading of the com-mand throughout the infected population.
This intermediate layer of command disseminationpresents several advantages for the attacker.
− Command dissemination is not done by the botmas-ter, reducing the probability of it being detected.
− Detection of a command dissemination attempt,only reveals the address of a honest user accessingsome malicious website. It does not reveal any partof the botnet, nor the malicious website itself.
1For the moment this assumption creates a worst-case scenariowhich will be abandoned at a later section.
3
− Since there will be typically many victims access-ing the malicious website, the time taken to deliverthe commands to the bot population decreases dra-matically.
A skeleton version of this command disseminationscheme (including the intermediate layer build-up via amalicious website) has been implemented, for case-studypurposes. Implementation details, and a detailed perfor-mance analysis will be presented in Section 4 to appreci-ate it’s threat potential.
3.2 IPv6It has been repeatedly shown that a full scan of all ofthe IPv4 space is feasible. With the advent of IPv6, theIP address space will change from from 32 to 128 bits,dramatically increasing the amount of work needed byrandom scanning worms to cover the whole internet bya factor of 296 [18]. However, this increase in addressingspace might not be effective in stopping this method ofpropagation. In [14], the propagation speed of a wormin an IPv6 world is analyzed, and the authors present re-sults indicating that such a worm can exhibit propagationspeeds comparable to an IPv4 random-scanning worm.In this work, the authors realized that the directory andnaming services necessary for the functioning of the in-ternet can be exploited, thereby considerably reducingthe required scanning range. More specifically, insteadof scanning random IPs, worms can perform DNS ran-dom scanning, i.e., guessing DNS names instead of IPaddresses. Others works like [28, 18, 29] present severalother techniques that allow worms to reduce the searchspace: scanning only assigned space; using public infor-mation about the currently active IP ranges; using exist-ing peer-to-peer networks to gather IP addresses; usingsearch engines and DNS zone transfers, amongst others.
Furthermore, there is one advantage that IPv6 net-works bring to random scanning worms, and therefore,to the botnet architecture presented: the effective disap-pearance of NATs. With the increase of the use of pub-lic IPv6 addresses for regular hosts, the number of botsreachable from the internet will also increase, benefitingpotential attackers.
The advent of IPv6 will, therefore, not restrain mali-cious attackers from using random scanning schemes ontheir future botnets and might end up being beneficial forfor attackers.
3.3 Information UpstreamUntil now, we have been describing how the attacker mayattempt to disseminate commands to the bots, in a stealthmanner. However, bots are often required to send in-formation back to the botmaster (e.g. credit-card data).
In the discussed architecture bots cannot send informa-tion to the botmaster or some rendezvous host, since theydo not possess the required IP addresses, or links to anyother botnet participant. This isolation ensures a high de-gree of robustness and stealthiness of the botnet, but cre-ates a challenging environment if an upstream channel isrequired. However, even this difficulty may be circum-vented by the botmaster.
We will describe two possible implementations of anupstream information channel in these stringent condi-tions. Each one of them is capable of providing a work-able upstream channel, while preserving the three fol-lowing characteristics:
1. The fact that they cannot be infiltrated by a re-searcher through the C2 channel;
2. The stealthiness (and, therefore, detection avoid-ance) conferred by the absence of a traditional C2
channel;
3. The fact that compromising any number of botsdoes still not allow botnet size estimation.
3.3.1 Spamming Botnets
If the main objective of the botnet is sending spam, onerather ingenious way of solving the upstream problem,is sending the information encoded along with the spamemail, thus hiding the upstream communication in plainsight. This can be done without allowing researchers toread the information, by encrypting all the transmittedinformation with the botmaster’s public key. With thisupstream solution, there is virtually no communicationdone by the bot that doesn’t fit the ”sending spam” pro-file, since bots are never required to respond to a com-mand, or have any kind of interaction with the rest ofthe botnet. To access the data, the botmaster only has toreceive spam, something very easy to accomplish thesedays.
Obviously, researchers can use the spamming activityto detect the active participants of a botnet, but an activebot will, at most, only compromise itself.
This upstream solution raises again the issue of ran-domness and performance in the information retrievalprocess. The analysis of this specific information up-stream channel will not be presented in this paper.
3.3.2 Information gathering Botnets
In the case of botnets whose purpose is solely covert in-formation gathering (and not spam), the previous schemeis not an option. In this type of botnet, information isusually stolen locally from infected hosts, through theuse of key-loggers, and other mechanisms that usuallydo not require interaction with external systems. This
4
means that, to send information upstream, bots will haveto break silence, even though, assumedly, the amount ofinvolved information is not big enough, in itself, to leadto bot detection. However, it is still possible to create anupstream channel that:
1. Minimizes the risk of detection;
2. Allows the bots to keep operating undetected;
3. Does not expose the botmaster.
To achieve this, the command dissemination mecha-nism must change. In particular, bots receiving a validcommand must now send an acknowledge to the dissem-ination layer host from whom the command originated.This information will allow the hosts in the dissemina-tion layer to detect which contacted hosts are part of thebotnet, something that will be crucial for allowing thebotmaster to retrieve data from the bots, as will be seenfurther ahead in the text.
Clearly, requiring bots to acknowledge commands,opens a path for researchers to identify the participantsin the botnet. Since commands are disseminated ran-domly over the internet, researchers can easily collectthem. Therefore, to determine if a specific IP address ispart of the botnet, a researcher could, in principle, sim-ply replay one of the received commands, and verify ifan acknowledge was sent back. Unfortunately, even thisweakness can be circumvented by the botmaster, as dis-cussed below.
Dissemination layer authentication If we could forgeor replay commands, prompting acknowledgement fromthe bots, the botnet size could be estimated, and the in-fected machines identified. However, botmasters mustensure that bots only acknowledge commands directlyoriginating from hosts in the dissemination layer. Theauthentication must be done by the bots without accessto any information other than the botmaster’s public key(that is the only trust anchor they possess), and withoutthe need to transmit (in order to avoid detection).
Such an authentication scheme can be devised, basedon a simple assumption: researchers are unable to accessthe code of the malicious website used to gather dissem-ination layer hosts, before expiration of the command is-sued by the botmaster (commands sent by the botmasterwill thus possess a time-validity stamp). This schemerequires, not only the existence of a public/private key-pair owned by the botmaster (Kbm/K−1
bm ), but also onekey-pair for each of the deployed dissemination websites(Kw/K−1
w ). The protocol is depicted in Figure 2. The fol-lowing abbreviations are used in this figure: Kx/K−1
x asx’s public/private keys; {m}K−1
x representing m signed
Bot Master (bm)
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
Bot
Dissemination Website(W)
Dissemination Layer Host
1
2
Kbm, K-1w, {Kw}K-1
bm, {C}K-1bm
Kbm{Kw}K-1bm, {M}K-1
w
1
2
1
Figure 2: Dissemination layer authentication.
with x’s private key; C represents the command to dis-seminate; finally, M is the message sent to the bot. Pro-tocol operation progresses as follows:
1. After compromising a vulnerable website, the bot-master inserts the malicious code, which includesthe following information: the botmaster’s publickey (Kbm); the site-specific private key (K−1
w ); thesite-specific public key, signed with the botmaster’sprivate key ({Kw}K−1
bm ); and the command to besent, also signed with the botmaster’s private key({C}K−1
bm );
2. When any host accesses the infected website, themalicious code is sent to the host, to be executed;
3. This host (which is now part of the command dis-semination layer) sends the command message (M),signed with the site-specific private key ({M}K−1
w ),to possible bots. It also sends the site-specific pub-lic key, signed with the botmaster’s private key({Kw}K−1
bm ). Message (M) contains the commandto be executed (C) and the destination bot address;
4. The bot verifies the authenticity of M and C, andthe associated time stamp. If M and C are authenticand not yet expired, command C is executed, and anacknowledge is sent to the intermediate layer host.
This protocol creates a verifiable trust chain betweenthe botmaster’s public key, and message M: the bot ver-ifies if the site-specific public key received is signed bythe botmaster, using the known botmaster’s public key;then, it uses that public key to verify the signature ofmessage M; finally, it verifies if the Dst IP correspondsto it’s own IP address. If these three steps are success-ful, the bot knows that the host from which this messagewas received, has had access to one of the botmaster’s
5
command dissemination websites. Note that the bot stillhas to verify the authenticity of C, and the time-stamp as-sociated with it. Under the assumption that researcherswill not be able of accessing the code in the dissemina-tion website before command expiration (expiration timemay be chosen in such a way as to guarantee that thisassumption holds true with a desired high probability),reception of an authentic, non-expired command allowsthe bot to reply with an acknowledge message, withoutexposing itself to researchers. If this assumption doesnot hold true, and researchers are somehow successful inobtaining access to the dissemination website prior to theexpiration of C, all we obtained is the capability to iden-tify IP addresses pertaining to the botnet, with no betterstrategy than random scanning within a short time inter-val. The insertion of false commands will still not bepossible.
Overlay Construction We will now discuss how thebotmaster can retrieve bot information from the dissemi-nation layer without becoming exposed.
One possible way of implementing the upstream chan-nel is to have the hosts in the dissemination layer retrievethe information from each contacted bot, and post it backto the compromised websites. However, this would cre-ate one (or several) places to which the botmaster wouldhave to access for final information retrieval. If one ormore of these points could be identified, we could waitfor botmaster access, and accomplish direct botmasteridentification. Moreover, by taking these websites down,we could also prevent the botmaster from retrieving thestolen information.
The botmaster may, however, build an overlay withinthe bots of the botnet, which only the botmaster can lo-cate and use, to retrieve upstream information from thebots. The mechanism is as follows: when a host in thedissemination layer receives an acknowledge from a botto which it sent a command, it encrypts the bot’s IP ad-dress with the botmaster’s public key. Then, it pushesthis information to every other bot found in subsequentdissemination attempts. Each time a new bot is found, itsencrypted address is appended to the list, and pushed tosubsequently found bots. Each host in the disseminationlayer is, therefore, creating a path (a multiply-linked list,in fact) containing all the bots it finds while disseminat-ing the commands. Each bot will possess a list of theencrypted addresses of the bots previously contacted bythe same dissemination layer host. Since the list is en-crypted with Kbm, only the botmaster is capable of usingit. The mechanism is depicted in Figure 3.
As will be seen in the analysis section, for realistic val-ues of the parameters, each one of these individual pathswill not possess, on average, more than a couple dozensof IP addresses. Since the IP addresses scanned by the
Encrypted finger
Dissemination Layer Host
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
Command Dissemination
ABCD
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
2 134
N/A
{A}Kbm {A}Kbm,{B}Kbm,{C}Kbm
1
2 4
{A}Kbm,{B}Kbm3
Figure 3: Construction of an encrypted bot overlay bythe intermediate hosts.
dissemination layer are chosen at random, the individualpaths created by different dissemination hosts may, how-ever, intercept. If the number of intersections is largeenough, the overlay may present a high degree of con-nectivity, extending throughout the set of contacted bots.The degree of connectivity of the overlay, as a functionof the involved parameters, will be seen in the analysissection (Section 4). This overlay can be easily extendedto have bidirectional paths, by having the disseminationhosts sending the encrypted IP address of a newly foundbot, to the last bot (or k bots) contacted.
With the overlay in place, retrieving information fromthe botnet becomes a trivial task to the botmaster: hesimply has to find one of the bots of the overlay (by ran-dom scanning), and then travel through the overlay tofind the rest of the bots in the overlay, pulling the infor-mation stored in each bot along the way. We stress thefact that, since the fingers are encrypted with Kbm, onlythe botmaster can navigate the overlay.
Accessing the Overlay By simply joining the botnetwith honeypots, and waiting for information retrieval re-quests, we might be capable of recording the IP addressof the botmaster, if we were part of the overlay, or if we
6
were contacted by the botmaster while trying to reacha bot in the overlay. This might give us an edge, eventhough only a probabilistic one.
The botmaster can, however, circumvent this weak-ness. Let us consider the following algorithm:
1. The botmaster (to be referred as Bot0) contacts oneof the bots in the overlay (let us call it Bot1), and re-quests its overlay list (which is encrypted with Kbm,as discussed above).
2. With probability ρ , Bot0 nominates Bot1 to be re-sponsible for information retrieval, and the algo-rithm proceeds to Step 5. With probability (1−ρ),the botmaster returns one of the overlay bot ad-dresses (randomly chosen, and in plain text) to Bot1,and Bot1 is requested to connect with the bot inthat address (call it Bot2), and obtain its overlay list(which Bot1 will forward back to Bot0);
3. With probability ρ , Bot0 nominates Bot2 (throughBot1) to be responsible for information retrieval,and the algorithm proceeds to Step 5. With proba-bility (1−ρ), the botmaster returns one of the over-lay bot addresses (randomly chosen, and in plaintext) to Bot2 (via Bot1), and Bot2 is requested toconnect with the bot in that address (call it Bot3),and obtain its overlay list (which Bot2 and Bot1 willforward back to Bot0);
4. And so on, for Bot3, Bot4, ...Botq;
5. The bot nominated as responsible for informationretrieval (Botq) crawls the full overlay, using thebotmaster (via the tunnel) to decrypt the overlay ad-dress fingers of each successive bot, and sending thecollected information back through the establishedtunnel. This step will be further refined below.
With this algorithm, the botmaster is creating a tunnelthrough which the information will be retrieved, the re-trieval itself being a task of the last bot in the tunnel Botq.Since the retrieved information is sent to Botq already en-crypted with Kbm, only the botmaster will be able to readit.
The intuition of this approach is that each bot in thetunnel looks to its successor in the exact same way thebotmaster looks to the first contacted bot. Hence, there isno way for a contacted researcher to determine if his an-tecessor is the botmaster, or simply an innocent bot at anintermediate position in the tunnel. On the other hand,nodes in this tunnel only know the IP addresses of theprevious and the next bots in the tunnel, and, thus, thetunnel cannot be traced back to its origin. This mecha-nism is depicted in Figure 4.
BM
0x72e4b76 0xc52b7d0
0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0
0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0
0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0
0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0
0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0
0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0
0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0
0x80762b8 0xde3254e
q
0x72e4b76 0xc52b7d0
0x80762b8 0xde3254e
Figure 4: Construction of a tunnel through q randomlychosen bots.
4 Analysis
In this section, we will analyze the performance of boththe downstream and upstream techniques described inthe previous sections. This analysis will highlight theimpact on performance of the several system parameters,and provide the practical bounds within which this over-all botnet scheme may constitute a threat to network op-erations. The performance of both the command dissem-ination and the overlay construction mechanisms cannotbe validated in a real-world scenario, since this wouldrequire controlling several thousands of nodes, whichlargely exceeds the number of nodes at our disposal, evenwhen using platforms such as Planetlab. The perfor-mance analysis will, thus, use both analytical and sim-ulated results without the benefit of real-life deployment.
We will assume a botnet with a static population ofN = 150000 bots. This number of bots is easily achiev-able, and in fact, there are botnets that largely exceedthis number [23]. These bots will be considered to beuniformly distributed throughout the presently assignedIPv4 address space. Using the Bogon list ( [2]), whichcontains unallocated or reserved address blocks in theIPA address space, only S = 3086889768 possible IP ad-dresses will be considered. We must also consider: therate at which the browsers running on the intermediatehosts are capable of sending out requests (r); the numberof days the dissemination website is up, or the maliciouscode is active on the dissemination site (d); the numberof visitors the dissemination website receives per day (v);and the average number of minutes that a user spends onthe dissemination website (m).
Without loss of generalization, two of these parame-ters, r and d, will be considered constant throughout theanalysis. Since the scanning rate r varies from browser tobrowser, we tested it on three browsers (Firefox, Safari,and Chrome), and on two distinct platforms (Windowsand OS X). We obtained approximately the same perfor-
7
mance in all cases (about 250 requests per second). Thisis well below the reported performance of some previ-ous well known cases (e.g. Code Red, [30]). Parameterd will be assumed to be d = 1, which means that we willassume only 24 hours of dissemination layer activity, un-til command (C) expiration. This choice is based on theassumption that researchers need at least 24 hours to getthe source code of the dissemination website. This seemsto be a conservative assumption, since, as reported in theliterature (e.g. [19]), it has been difficult to collect scriptseven from malicious websites that stay online for longerperiods of time.
4.1 Case-study implementation
For a case-study, we implemented some parts of the de-scribed architecture. To recruit intermediate layer hosts,we created a Javascript program that was loaded and ranon the victims’ browsers2. The reason for the choice ofJavascript is the fact that it is both present in all modernbrowsers, and turned on by default.
We started by implementing a script capable of by-passing the browser’s same origin policy. This policyprevents access to most methods and properties acrosspages on different websites [4]. Unfortunately, there arewidely available tools such as EasyXDM [3], that allowbypass of this security mechanism across all mainstreambrowsers3. Then, the malicious script was made to scana given IP address range, by sending AJAX requests toall the IP addresses, and collecting correct replies fromthe simulated bots. We also tested the rate at which ourmalicious script was able to generate AJAX requests,to obtain parameter r (the scan-rate of the intermediatehosts). The significative difference between the scan-rate obtained and the scan rates of usual worms can beexplained by the fact that browsers are not optimized tosend large numbers of simultaneous requests. Finally,we tested public-key encryption libraries in Javascript, toverify the feasibility of the dissemination layer authenti-cation mechanism.
Adobe Flash could also have been used. It is still ubiq-uitous in modern browsers, and it also possesses the ca-pability of doing HTTP requests to hosts, and, therefore,the capability of command dissemination. One interest-ing characteristic of Flash is Adobe Stratus (see [1]),a service that allows clients to send data from clientto client, without passing through a server (P2P com-munication). This capability would allow cooperationbetween the intermediate hosts, thereby increasing thenumber of bots reached in each dissemination campaign,
2The victims referred here, are test computers allocated for that spe-cific purpose.
3HTML5 formalizes a method for this: the postMessage interface,removing the need for external tools.
as will be seen further ahead in the text.On the issue of how to get honest website visitors to
run malicious code, there are two basic approaches: at-tackers may create their own websites with that specificpurpose in mind [26], and advertise them through spamemail, trending topics on twitter, search engine poison-ing, abusing URL shorteners, etc; alternatively, existingwebsites can be used. We note that common vulnera-bilities like XSS and SQL injection are sufficient to getlegitimate users running malicious code. The most com-mon method for malware infection is precisely drive-bydownloads, in which attackers create malware-servingwebsites to recruit bots. This is, in fact, commonly done.Using these sites to also recruit intermediate layer hostswould imply only a minor addition to common attackprocedures.
4.2 Command DisseminationOne of the first performance issues to be addressed isthe degree of completeness of command diffusion. Sincebots are completely stealth (they simply listen for com-mands from the botmaster), their IP addresses are notknown to the botmaster, or to the intermediate hosts, andcommands must be sent randomly to the internet addressspace, in the hope of reaching a considerable portion ofthe universe of existing bots. In this analysis, we willassume that a single host does not repeat IP addresses,even though any address may turn out to be scanned asmuch as v times, once by each host in the disseminationlayer. This inefficiency in the global scanning strategycould be fixed, if the botmaster would allow cooperationbetween the intermediate hosts. Attempting to reach allbots in practical time is an impossible goal, but the pos-sibility of reaching a significant percentage of bots mustbe investigated.
Since each one of the hosts in the dissemination layerhas a fixed scanning rate r, and d is considered fixed,there are only two parameters influencing the mean per-centage of bots that will receive the disseminated com-mands: v and m. Denoting by s(n) the number of botsreached after n randomly addressed requests (n being thesequential number of a given request within the global setof all requests transmitted by the v intermediate hosts),the equation governing bot discovery by random scan ofthe used IPv4 address space is given by Equation 1:
E{s(n)}= E{s(n−1)}+ N−E{s(n−1)}S− n
v, (1)
E{·} being the expected value operator.The solution to this difference equation, when written
as a function of the number of hosts in the disseminationlayer (v) is given by Equation 2:
8
E{s(v)}= N(
1−(
1− m · r ·60 ·dS
)v). (2)
In Figure 5, we plotted the mean fraction of bots re-ceiving the disseminated command sent out by the bot-master, as a function of the number of hosts in the dis-semination layer (Equation 2), for three different valuesof m (m = 10, m = 15 and m = 20).
As a side note, and as a justification for our choicesof the value of m, once a victim visits a malicious web-site, attackers can use a combination of Clickjacking andTabnabbing to ensure that the malicious javascript is keptrunning for as long as possible. Additionally, the intro-duction of WebWorkers by HTML5 gives attackers theability of executing threads running malicious code with-out slowing down or making the victim’s browser unre-sponsive, which also helps attackers maintain their coderunning without detection. These tricks, together withthe concept of tabbed browsing, mean that most userswill have each individual tab remain open throughout thebrowsing session, which could stretch for hours. Thiseasily puts the average lifetime of an individual instanceof the malicious javascript in the order of tens of minutes.
As previously stated, the dissemination strategy couldbe made considerably more efficient if the botmaster al-lowed cooperation between the intermediate hosts, sincein that case no address would be scanned twice, implyinga constant bot discovery rate. To appreciate this increasein efficiency, the bot discovery performance of such anapproach is also represented in Figure 5, for the caseof m = 20. From Figure 5, we can conclude that thenon-cooperative approaches require, for effectiveness, amedium sized dissemination site (2000 < v < 20000).Sites with lower visitor rates will generate low popu-lated dissemination layers, and low levels of access to thebot population (percentages of botnet coverture smallerthan 20%). Alternatively, a set of smaller sized web siteswould be needed.
4.3 Overlay ConnectivityThe total number of bots reached in the command dis-semination phase is not, however, the only parameterfrom which the threat level depends. Another issue thatmust be addressed is the capability to form an overlay ofsufficient size to allow proper operation of the upstreaminformation retrieval mechanism (see Section 3). Theproblem is two sided: we must evaluate the mean sizeand statistical distribution of the path of bots reachedby each one of the intermediate hosts; also, we mustconsider the connectivity between these different indi-vidual paths, since both parameters will determine themaximum size of the connected overlay and, hence, its
Figure 5: Fraction of population reached with a varyingnumber of dissemination hosts for (S)mall, (M)ediumand (B)ig websites.
information retrieval capability. The worst case overlaywill be one that includes all the bots reached in the com-mand dissemination phase, a situation that correspondsto a fully connected set of individual paths.
The number k of successes (k contacted bots) in theprocess of randomly scanning the IPv4 address space bya single host follows a hypergeometric distribution. Thatis:
P(k) =
(Nk
)(S−N
m · r ·60 ·d− k
)(
Sm · r ·60 ·d
) (3)
Its mean value (mean length of the individual bot paths)is given by (m · r · 60 · d ·N)/S and is, therefore, a linearfunction in both r and m.
Evaluating the connectivity of the global overlay (thatis, the connectivity of the set of individual bot paths)now becomes a typical problem of graph analysis. Toperform this evaluation, we simulated several dissemina-tion campaigns using Mathematica. For each campaign,v bot chains of random IP addresses (from the set of Sused addresses) were generated. The length of each indi-vidual chain was obtained with (3) with the appropriateparameters. We then evaluated the overall connectivityof the generated graph, and determined the mean sizeof the biggest cluster of bots. As a preliminary note,we note that the parameter with the biggest impact onthe connectivity (length) of the overlay is the number ofminutes spent on the dissemination website by the visi-tors (m), due to its impact on the length of the individualpaths.
9
30 5 10 15 20 25
1
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
Perc
enta
ge o
f bot
s %
Number of minutes
2000 hosts
10000 hosts20000 hosts
5000 hosts
Figure 6: Percentage of overlay connectivity with a vary-ing number of minutes of dissemination.
In Figure 6 we present the mean size of the largestconnected cluster of bots (as a percentage of the totalnumber of bots present in the graph), plotted as a func-tion of m. The Monte Carlo simulation to generate thiscurve consisted of 100 different simulated dissemina-tion campaigns, with N = 150000, S = 3086889768 andv = {2000, 5000, 10000, 20000}. We can see that, evenfor the smallest value of v, m > 20 implies that the set ofbots contacted in the dissemination command becomesalmost fully connected, thus creating a worrisome over-lay, highly capable of supporting information retrieval.
A final performance issue should be addressed: themean amount of time required for the botmaster to con-tact the overlay. We should note, however, that this is nota critical issue. Once the overlay is set up, there is no par-ticular timeline for the botmaster to comply with in thislast information retrieval phase. However, the existenceof dynamics in the bot population may introduce breaksin the connected overlay (bots going off-line), splittingit into smaller sub-paths and, thus, hampering the effec-tiveness of the retrieval process. Hence, we should alsoconsider this additional parameter l - the mean number ofscan attempts it takes the botmaster to contact the over-lay, by randomly scanning the used IP address space (lcan then be directly translated into time). Since the tun-neling scheme doesn’t affect the probability structure ofthe scan, the scan process is still governed by a hyperge-ometric arrival process (Equation 3), but with N replacedby the mean overlay max size (p). This implies that theprobability mass distribution for the number of scan at-tempts needed to reach one of the bots of the overlay (u)is:
P(u) =[
pS− p−u+1
]u−1
∏i=0
S− p− iS− i
(4)
The mean number of tries required to reach one of thebots of the overlay becomes:
l = E{u}= S/p. (5)
With the results of Equation 5, Figure 6 and Equation 2,the effectiveness of the overall botnet downstream andupstream flows can be evaluated and, thus, the overalldanger to network operations properly considered.
5 Discussion
These results show that the possibility of emergence ofthis type of botnet constitutes a serious threat, requiringnew defensive approaches. From the previous section,we note that the time taken for researchers to identifythe malicious website plays a critical role on the feasibil-ity of the proposed architecture. Currently, the detectionof malicious websites takes several days, and if a mali-cious website stays online for a smaller period of time,it will probably remain undetected. Furthermore, thereis a lot of fragmentation on the available website black-lists, allowing users to access websites that were alreadydetected as malicious in other blacklists. We need, there-fore, to focus our efforts in developing improved mech-anisms to detect and blacklist malicious websites, in afaster and more efficient manner.
Also, the discussed architecture reduces the useful-ness of “client-side” honeypots emulating normal end-user systems. Since bots do not possess information re-garding the C2 infrastructure, capturing them is of lim-ited use. Therefore, in order to be able to detect and mit-igate this threat, we should switch our focus to “server-sided” honeypots, detecting and analyzing the creationof the malicious websites themselves, instead of bot in-fections.
Finally, there is a vastly unexplored space concerningheuristics that allow browsers to detect malicious behav-ior that does not directly target the user’s browser. As ofnow, having javascript code sending thousands of back-to-back connections is not considered malicious by themajority of detection methods, since they focus on thedetection of specific attacks (exploit attempts, for exam-ple). Heuristics that enable detection of code that createsa large number of connections to different remote desti-nations, with a potentially large number of those beingfailed requests, should be put in place. These heuristicswould also be useful in the detection of other types ofattacks, such as browser-based denial-of-service, wheremalicious code is also sent to hundreds of legitimateclients, having them send thousands of requests to somespecific remote location, thereby effectively creating adistributed denial-of-service attack.
10
6 Related Work
Botnet detection has been a major research topic in re-cent years. Lately, researchers have been focusing ondetection of the command-and-control traffic, as a wayto detect the presence of infected machines, and analysethe botnet infrastructure [24, 7, 17, 6].
Centralized botnets are the most commonly knownand studied botnets. Most of these botnets use IRCservers as their centralized control point, having the botsjoining in as normal clients. The existence of a central-ized control point is the biggest weakness of this kind ofinfrastructure, since it represents a single point of fail-ure in the architecture. Also, this particular kind of C2
infrastructure allows researchers to extract informationabout the botnet, such as its size and the participants’s IPaddresses.
Several techniques have been found to detect this typeof C2 infrastructure. In [11], the authors proposed sev-eral statistical algorithms to detect these botnets, basedon their multiple crowd-like behavior. An extension ofthis work was done in [10], where the authors presenteda framework to perform clustering on the monitored C2
communication and malicious activities, performing across-correlation between them to attain the final results.Also, some researchers have studied particular details ofthe IRC protocol, enabling the detection of this specifickind of botnets [9]. Unfortunately, botnets are also inconstant evolution, and, more recently, there was a shiftin C2 architectures towards the use of P2P networks.This new C2 infrastructure is focused on survivability,and is therefore, considerably harder to take down. How-ever, due to the open and decentralized nature of peer-to-peer protocols, the academic community has also foundseveral ways of detecting and infiltrating them.
In [16], researchers were able to infiltrate the Stormbotnet by impersonating proxy peers in the overlay net-work used for the C2 infrastructure. They were able totake advantage of this privileged position in the overlay,to rewrite URLs in the spam sent by the bots. Also, thereare several results on botnet size estimation that exploitthe openness of the C2 infrastructure overlay to estimatethe botnets’ size, or to extract the stolen information fromthe bots [13]. One other way of disrupting the operationof these botnets has been to attack the bootstrap proce-dure, and tamper with the domain name service (DNS),as bots typically resolve domain names to connect totheir C2 infrastructure. Therefore, by collaborating withthe domain registrar, it is possible to change the mappingof a botnet domain to point to a machine controlled bythe researchers.
It is our intuition that botmasters will try to camou-flage their C2 infrastructure, and maybe avoid its use al-together, if possible. One such example of camouflage
can be found in [22]. Overbot is a P2P C2 infrastruc-ture proposed by Starnberger et al., that camouflages botsas normal P2P clients, thwarting researchers from distin-guishing a compromised host from a honest P2P partici-pant. This solution turns out to be impractical for severalreasons, one of them being the fact that it requires theexistence of several sensor bots inside the P2P network,possessing the botmaster’s private key, and sniffing allcontrol communications that passes trough them. A sim-ilary stealthy approach is also described in [20], wherethe authors design a botnet architecture that makes useof the Skype P2P network as a C2 infrastructure.
In the literature, there are some references to the prin-ciple of no single bot knowing more about the infrastruc-ture than its own local information [8]. This would allowthe detection and compromise of an unbounded numberof bots, since none of them possesses enough knowledgeto allow the compromise or exposure of the full botnet.However, to the best of our knowledge, this is the firstwork to show that this principle can be implemented in apractical way.
7 Conclusions
Most of the recent approaches to botnet detection andanalysis are based upon the vulnerabilities of the botnet’sinternal C2 infrastructure. In this paper, we showed that,with the present capabilities of scripting languages likejavascript, it is already possible to devise a botnet whichdoes not, in fact, possess an internal C2 infrastructure,and is, therefore, impervious to such methods of analysis.
An example of such an architecture was discussed,were bots do not possess any information concerningcommand-and-control mechanisms. These stealth, iso-lated bots are controlled through honest participants notpertaining to the botnet. This architecture eliminates thepossibility of estimation of the botnet size, minimizes theprobability of detection of individual bots, and eliminatesthe possibility of researcher infiltration. The impact onperformance of the several system parameters was ana-lyzed, the bounds within which such an architecture mayconstitute a threat were determined, and a case-studyarchitecture was implemented. We believe that, giventhe recent focus on detecting the C2 communication pat-tern of botnets by the academic community, botmasterswill follow a predictable evolutionary pattern, and try toemploy this type of architecture to harden their botnetsagainst researchers. As was shown, for some combina-tions of the relevant parameters, these botnets may con-stitute serious, effective threats, very difficult to analyzeand defuse. An effort is, therefore, needed, if we are topreclude the emergence of this type of botnet.
11
References
[1] Adobe labs - stratus. http://labs.adobe.com/
technologies/stratus, 2010.
[2] The bogon reference. http://www.team-cymru.org/Services/Bogons, Aug. 2010.
[3] Easyxdm - cross-domain messaging. http://
easyxdm.net, 2010.
[4] Same origin policy - web security. http:
//www.w3.org/Security/wiki/Same_
Origin_Policy, Jan. 2010.
[5] ABU RAJAB, M., ZARFOSS, J., MONROSE, F.,AND TERZIS, A. A multifaceted approach to un-derstanding the botnet phenomenon. In IMC ’06:Proceedings of the 6th ACM SIGCOMM conferenceon Internet measurement (New York, NY, USA,2006), ACM, pp. 41–52.
[6] AKIYAMA, M., KAWAMOTO, T., SHIMAMURA,M., YOKOYAMA, T., KADOBAYASHI, Y., ANDYAMAGUCHI, S. A proposal of metrics for bot-net detection based on its cooperative behavior. InSAINT-W ’07: Proceedings of the 2007 Interna-tional Symposium on Applications and the InternetWorkshops (Washington, DC, USA, 2007), IEEEComputer Society, p. 82.
[7] CHOI, H., LEE, H., LEE, H., AND KIM, H. Bot-net detection by monitoring group activities in dnstraffic. In Computer and Information Technology,2007. CIT 2007. 7th IEEE International Confer-ence on (2007).
[8] COOKE, E., JAHANIAN, F., AND MCPHERSON,D. The zombie roundup: understanding, detecting,and disrupting botnets. In SRUTI’05: Proceedingsof the Steps to Reducing Unwanted Traffic on theInternet on Steps to Reducing Unwanted Traffic onthe Internet Workshop (Berkeley, CA, USA, 2005),USENIX Association, pp. 6–6.
[9] GOEBEL, J., AND HOLZ, T. Rishi: identify botcontaminated hosts by irc nickname evaluation. InHotBots’07: Proceedings of the first conference onFirst Workshop on Hot Topics in UnderstandingBotnets (Berkeley, CA, USA, 2007), USENIX As-sociation, pp. 8–8.
[10] GU, G., PERDISCI, R., ZHANG, J., AND LEE,W. Botminer: clustering analysis of network trafficfor protocol- and structure-independent botnet de-tection. In SS’08: Proceedings of the 17th confer-ence on Security symposium (Berkeley, CA, USA,2008), USENIX Association, pp. 139–154.
[11] GU, G., ZHANG, J., AND LEE, W. BotSniffer:Detecting botnet command and control channels innetwork traffic. In Proceedings of the 15th AnnualNetwork and Distributed System Security Sympo-sium (NDSS’08) (February 2008).
[12] HOLZ, T., STEINER, M., DAHL, F., BIERSACK,E., AND FREILING, F. Measurements and miti-gation of peer-to-peer-based botnets: a case studyon storm worm. In LEET’08: Proceedings ofthe 1st Usenix Workshop on Large-Scale Exploitsand Emergent Threats (Berkeley, CA, USA, 2008),USENIX Association, pp. 1–9.
[13] HOLZ, T., STEINER, M., DAHL, F., BIERSACK,E., AND FREILING, F. Measurements and miti-gation of peer-to-peer-based botnets: a case studyon storm worm. In LEET’08: Proceedings ofthe 1st Usenix Workshop on Large-Scale Exploitsand Emergent Threats (Berkeley, CA, USA, 2008),USENIX Association, pp. 1–9.
[14] KAMRA, A., FENG, H., MISRA, V., ANDKEROMYTIS, A. The effect of dns delays onworm propagation in an ipv6 internet. In INFO-COM 2005. 24th Annual Joint Conference of theIEEE Computer and Communications Societies.Proceedings IEEE (march 2005), vol. 4, pp. 2405– 2414 vol. 4.
[15] KANG, B. B., CHAN-TIN, E., LEE, C. P., TYRA,J., KANG, H. J., NUNNERY, C., WADLER, Z.,SINCLAIR, G., HOPPER, N., DAGON, D., ANDKIM, Y. Towards complete node enumeration ina peer-to-peer botnet. In ASIACCS ’09: Proceed-ings of the 4th International Symposium on Infor-mation, Computer, and Communications Security(New York, NY, USA, 2009), ACM, pp. 23–34.
[16] KANICH, C., KREIBICH, C., LEVCHENKO, K.,ENRIGHT, B., VOELKER, G. M., PAXSON, V.,AND SAVAGE, S. Spamalytics: an empirical anal-ysis of spam marketing conversion. In CCS ’08:Proceedings of the 15th ACM conference on Com-puter and communications security (New York,NY, USA, 2008), ACM, pp. 3–14.
[17] KARASARIDIS, A., REXROAD, B., AND HOE-FLIN, D. Wide-scale botnet detection and charac-terization. In HotBots’07: Proceedings of the firstconference on First Workshop on Hot Topics in Un-derstanding Botnets (Berkeley, CA, USA, 2007),USENIX Association, pp. 7–7.
[18] KEROMYTIS, A. D., BELLOVIN, S. M., ANDCHESWICK, B. Worm propagation strategies in anipv6 internet. USENIX 31 (February 2006), 70–76.
12
[19] LIKARISH, P., AND JUNG, E. A targeted webcrawling for building malicious javascript collec-tion. In DSMM ’09: Proceeding of the ACM firstinternational workshop on Data-intensive softwaremanagement and mining (New York, NY, USA,2009), ACM, pp. 23–26.
[20] NAPPA, A., FATTORI, A., BALDUZZI, M.,DELL’AMICO, M., AND CAVALLARO, L. Take adeep breath: a stealthy, resilient and cost-effectivebotnet using skype. In Proceedings of the 7th in-ternational conference on Detection of intrusionsand malware, and vulnerability assessment (Berlin,Heidelberg, 2010), DIMVA’10, Springer-Verlag,pp. 81–100.
[21] P. PORRAS, H. S., AND YEGNESWARAN, V.A foray into conficker’s logic and rendezvouspoints. In LEET’09: Proceedings of the 2nd UsenixWorkshop on Large-Scale Exploits and EmergentThreats (2009), USENIX Association.
[22] STARNBERGER, G., KRUEGEL, C., AND KIRDA,E. Overbot: a botnet protocol based on kadem-lia. In SecureComm ’08: Proceedings of the 4thinternational conference on Security and privacyin communication networks (New York, NY, USA,2008), ACM, pp. 1–9.
[23] STONE-GROSS, B., COVA, M., CAVALLARO, L.,GILBERT, B., SZYDLOWSKI, M., KEMMERER,R., KRUEGEL, C., AND VIGNA, G. Your bot-net is my botnet: analysis of a botnet takeover. InCCS ’09: Proceedings of the 16th ACM conferenceon Computer and communications security (NewYork, NY, USA, 2009), ACM, pp. 635–647.
[24] STRAYER, W., WALSH, R., LIVADAS, C., ANDLAPSLEY, D. Detecting botnets with tight com-mand and control. In Local Computer Networks,Proceedings 2006 31st IEEE Conference on (14-162006), pp. 195 –202.
[25] WANG, P., SPARKS, S., AND MEMBER, C. C. Z.An advanced hybrid peer-to-peer botnet. In In Pro-ceedings of the First Workshop on Hot Topics inUnderstanding Botnets (2007).
[26] WONDRACEK, G., HOLZ, T., PLATZER, C.,KIRDA, E., AND KRUEGEL, C. Is the internetfor porn? an insight into the online adult indus-try. In Proceedings of the Ninth Workshop on theEconomics of Information Security (WEIS 2010)(2010).
[27] XIE, Y., YU, F., ACHAN, K., PANIGRAHY, R.,HULTEN, G., AND OSIPKOV, I. Spamming bot-
nets: signatures and characteristics. SIGCOMMComput. Commun. (2008).
[28] YANG, W., SHEN, X.-M., CHANG, G.-R., ANDYAO, Y. A p2p-based worm in next gernation net-work. In Proceedings of the 2010 Fourth Inter-national Conference on Genetic and EvolutionaryComputing (Washington, DC, USA, 2010), ICGEC’10, IEEE Computer Society, pp. 418–421.
[29] YANGUI, X., JIACHUN, Z., XIANGCHUN, L.,AND HUANYAN, Q. Worm detection in an ipv6 in-ternet. In Computational Intelligence and Security,2009. CIS ’09. International Conference on (dec.2009), vol. 2, pp. 366 –370.
[30] ZOU, C. C., TOWSLEY, D., AND GONG, W. Onthe performance of internet worm scanning strate-gies. Perform. Eval. 63, 7 (2006), 700–723.
13