Tumbling down the rabbit hole: exploring the idiosyncrasies of botmaster systems in a multi-tier botnet infrastructure

Authors:
Chris Nunnery;Greg Sinclair;Brent ByungHoon Kang
Affiliations:
University of North Carolina at Charlotte;University of North Carolina at Charlotte;University of North Carolina at Charlotte
Venue:
LEET'10 Proceedings of the 3rd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
Year:
2010

Citing 5
Cited 5

Peer-to-peer botnets: overview and case study

HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
The heisenbot uncertainty problem: challenges in separating bots from chaff

LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
Spamalytics: an empirical analysis of spam marketing conversion

Proceedings of the 15th ACM conference on Computer and communications security
Towards complete node enumeration in a peer-to-peer botnet

Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
Walowdac - Analysis of a Peer-to-Peer Botnet

EC2ND '09 Proceedings of the 2009 European Conference on Computer Network Defense

The underground economy of spam: a botmaster's perspective of coordinating large-scale spam campaigns

LEET'11 Proceedings of the 4th USENIX conference on Large-scale exploits and emergent threats
BOTMAGNIFIER: locating spambots on the internet

SEC'11 Proceedings of the 20th USENIX conference on Security
Tracking DDoS attacks: insights into the business of disrupting the web

LEET'12 Proceedings of the 5th USENIX conference on Large-Scale Exploits and Emergent Threats
Fluxing botnet command and control channels with URL shortening services

Computer Communications
PeerRush: mining for unwanted p2p traffic

DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this study, we advance the understanding of botmaster-owned systems in an advanced botnet, Waledac, through the analysis of file-system and network trace data from the upper-tiers in its architecture. The functionality and existence of these systems has to-date only been postulated as existing knowledge has generally been limited to behavioral observations from hosts infected by bot binaries. We describe our new findings for this botnet relating to botmaster interaction, topological nuances, provided services, and malicious output, providing a more complete view of the botnet infrastructure and insight into the motivations and methods of sophisticated botnet deployment. The exposure of these explicit details of Waledac reveals and clarifies overall trends in the construction of advanced botnets with tiered architectures, both past, such as the Storm botnet which featured a highly similar architecture, and future. Implications of our findings are discussed, addressing how the botnet's auditing activities, authenticated spam dispersion technique, repacking method, and tier utilization affect remediation and challenge current notions of botnet configuration and behavior.