In this paper, we analyze a large amount of infection data for three major botnets: Conficker, MegaD, and Srizbi. These botnets represent two distinct types of botnet in terms of the methods they use to recruit new victims. We propose cross-analysis, both between these two botnet types and between botnets of the same type, as a way to gain insight into the nature of their infections. In this analysis, we examine commonly infected networks that appear to be extremely prone to malware infection. We provide an in-depth passive and active measurement study to obtain a fine-grained view of the similarities and differences between the two infection types. Based on our cross-analysis results, we further derive new implications and insights for defense. For example, we empirically show the promising power of cross-prediction: historic infection data from a known botnet can be used to predict the victim networks of a new, unknown botnet that uses the same infection type, with more than 80% accuracy.