Hardening Botnet by a Rational Botmaster

Authors:
Zonghua Zhang;Ruo Ando;Youki Kadobayashi
Affiliations:
Information Security Research Center, NICT, Tokyo, Japan 184-8795;Information Security Research Center, NICT, Tokyo, Japan 184-8795;Information Security Research Center, NICT, Tokyo, Japan 184-8795
Venue:
Information Security and Cryptology
Year:
2009

Citing 26
Cited 0

Asynchronous consensus and broadcast protocols

Journal of the ACM (JACM)
Computer virus-antivirus coevolution

Communications of the ACM
Random oracles in constantipole: practical asynchronous Byzantine agreement using cryptography (extended abstract)

Proceedings of the nineteenth annual ACM symposium on Principles of distributed computing
Intrusion-Tolerant Enclaves

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Malicious Bots Threaten Network Security

Computer
Semantics-Aware Malware Detection

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Polygraph: Automatically Generating Signatures for Polymorphic Worms

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
MisleadingWorm Signature Generators Using Deliberate Noise Injection

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Siren: Catching Evasive Malware (Short Paper)

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Honeypot-Aware Advanced Botnet Construction and Maintenance

DSN '06 Proceedings of the International Conference on Dependable Systems and Networks
A multifaceted approach to understanding the botnet phenomenon

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
The Zombie roundup: understanding, detecting, and disrupting botnets

SRUTI'05 Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop
Automating mimicry attacks using static binary analysis

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Mapping internet sensors with probe response attacks

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Vulnerabilities of passive internet threat monitors

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
A Proposal of Metrics for Botnet Detection Based on Its Cooperative Behavior

SAINT-W '07 Proceedings of the 2007 International Symposium on Applications and the Internet Workshops
Peer-to-peer botnets: overview and case study

HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
An advanced hybrid peer-to-peer botnet

HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
My botnet is bigger than yours (maybe, better than yours): why size estimates remain challenging

HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
Spamming botnets: signatures and characteristics

Proceedings of the ACM SIGCOMM 2008 conference on Data communication
Traffic Aggregation for Malware Detection

DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Anti-Honeypot Technology

IEEE Security and Privacy
BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection

SS'08 Proceedings of the 17th conference on Security symposium
Group signatures

EUROCRYPT'91 Proceedings of the 10th annual international conference on Theory and application of cryptographic techniques
Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions

EUROCRYPT'03 Proceedings of the 22nd international conference on Theory and applications of cryptographic techniques
Botnet tracking: exploring a root-cause methodology to prevent distributed denial-of-service attacks

ESORICS'05 Proceedings of the 10th European conference on Research in Computer Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Botnet has gained the most prevalence in today's cyber-attacks, resulting in significant threats to our network assets and organization's property. A botnet is composed of a group of bots and controlled by a botmaster, serving as a powerful tool to enforce various attacks, e.g., launching massive attacks like spamming and DDoS, stealing sensitive information. While a bunch of anti-bot techniques have been proposed, the evolution trend of botnets show that sophisticated botmasters can always manage to evade the botnet countermeasures. From the standpoint of potential attackers, and by examining the vulnerabilities of the existing botnets, this paper aims at exploring the means for hardening botnets, especially the obfuscation of communication channels between bot and botmaster. In particular, a stronger botnet variant named bot-enclave, is proposed to illustrate how the robustness of C &C (command-and-control) servers can be enhanced, and how the botnet communications can be protected from being tracked and intercepted. More practically, by identifying the trade off between botnet utility metrics, we show that the sophistication level of bot-enclave can be tuned up by a rational botmaster in order to construct more economical, feasible and effective botnet variants. The findings may significantly help us to gain insight into the characteristics of next-generation botnets, to be aware of the evolution trend before their actual occurrence, and ultimately to suggest the development of proactive anti-botnet techniques.