Botnet Research Survey
Zhaosheng Zhu et al.
July 28-August 01 2008
Speaker: Hom-Jay Hom
Date: 2009/10/20
Outline
Introduction
Understanding Botnet
Detecting and Tracking Botnet
Defenses Against Botnet
Conclusion and Possible Future Work
2016/7/15
Introduction (1/2)
A botnet is a collection of software robots, or bots, that run on groups of zombie computers controlled remotely by attackers.
A typical bot is created and maintained in four phases.
A typical bot can be created and maintained in four phases.
Introduction (2/2)
1. Initial Infection: via a vulnerability, malicious web pages, email, or USB autorun.
2. Secondary Injection: the infected host downloads and runs the bot code; the download can be via FTP, HTTP or P2P.
3. Malicious Activities: the bot communicates with its controller (e.g. to send spam or take part in DDoS) over IRC, HTTP, a DNS-based channel or a P2P protocol.
4. Maintenance and Upgrade: the bot is continuously upgraded.
Understanding Botnet
Most current research focuses on understanding botnets, in three main areas:
1. Bot Anatomy: analysis that focuses mainly on the bot's network-level behaviour, using binary analysis tools.
2. Wide-area Measurement Study: tracking botnets to reveal different aspects such as botnet size and the traffic generated.
3. Botnet Modeling and Future Botnet Prediction.
Bot Anatomy
IRC Bot
The surveyed work analyzed the source code of four IRC-based bots: Agobot, SDBot, SpyBot and GT Bot.
Only Agobot is a fully developed bot; it provides the following five features.
Agobot's five features
1. Exploits: exploits OS vulnerabilities and back doors.
2. Delivery: opens a shell on the remote host to download the encoded bot binary.
3. Deception: if it detects VMware, it stops running.
4. Function: steals system information and monitors local network traffic.
5. Recruiting: the botmaster recruits new hosts through horizontal and vertical scanning.
HTTP Bot
The surveyed work analyzed an HTTP-based spam bot module.
Its command and control (C&C) is HTTP-based, and the communication channel is encrypted.
The IDA Pro tool was used to analyze the binary and find the encryption key.
P2P-based
The author claims that centralized control of a botnet offers a single point of failure for the botnet,
so more stable architectures, such as P2P-based ones, are being adopted.
Fast-flux Networks (1/2)
Fast-flux networks are increasingly used by botnets, for example to host phishing websites.
These websites are valuable assets, so their operators hide the real IP addresses:
 a user first connects to a compromised computer,
 which serves as a proxy,
 forwarding the user's requests to the real server and the server's responses back to the user.
Fast-flux Networks (2/2)
A new type of technique, called fast-flux service networks:
 a name resolves to round-robin IP addresses,
 with a very short Time-To-Live (TTL).
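The two traits named on this slide, round-robin address sets and very short TTLs, are what a resolver-side detector can observe. The following is an added example (not code from the survey or any project it cites) that scores repeated DNS answers for a name on both traits; the thresholds, the `/24` prefix-diversity check used to separate a flux network from a CDN that also uses short TTLs, and all DNS answers are constructed assumptions.

```python
"""Fast-flux indicators over constructed DNS answers (added example).

Fast-flux service networks hand out a large, churning set of A records
round-robin and keep the TTL very short so clients re-resolve often.
A CDN also uses short TTLs and many addresses, but answers from a few
prefixes it owns; flux networks built from compromised home machines are
scattered across many networks. This scores a name on all three signals.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class DnsAnswer:
    """One A-record response for a name, as a resolver would see it."""
    name: str
    ttl: int                     # seconds the client may cache this answer
    addresses: Tuple[str, ...]   # A records returned in this response


def distinct_ips(answers: Iterable[DnsAnswer]) -> Set[str]:
    """All IPv4 addresses observed across repeated resolutions of one name."""
    ips: Set[str] = set()
    for a in answers:
        ips.update(a.addresses)
    return ips


def distinct_prefixes(ips: Iterable[str], prefix_len: int = 24) -> Set[str]:
    """Collapse addresses to /24s as a cheap stand-in for network diversity
    (an ASN lookup would be the real thing; assumed heuristic)."""
    return {str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
            for ip in ips}


def is_fast_flux_candidate(answers: List[DnsAnswer], max_ttl: int = 300,
                           min_ips: int = 10, min_prefixes: int = 5) -> bool:
    """True when every answer had a short TTL AND the name rotated through
    many addresses AND those addresses span many networks (assumed thresholds)."""
    if not answers:
        return False
    short_ttl = max(a.ttl for a in answers) <= max_ttl
    ips = distinct_ips(answers)
    return (short_ttl and len(ips) >= min_ips
            and len(distinct_prefixes(ips)) >= min_prefixes)


# --- constructed samples: five resolutions of a flux name, each returning
# four never-before-seen addresses from different /24s, TTL 60 s ---
FLUX_ANSWERS = [
    DnsAnswer("flux.example", 60,
              tuple(f"10.{n}.{n}.1" for n in range(4 * r + 1, 4 * r + 5)))
    for r in range(5)
]
# a normal site: same two addresses every time, one-hour TTL
STATIC_ANSWERS = [DnsAnswer("static.example", 3600,
                            ("192.0.2.10", "192.0.2.11"))] * 3
# CDN-like: short TTL and twelve addresses, but all inside one /24
CDN_LIKE_ANSWERS = [
    DnsAnswer("cdn.example", 60,
              tuple(f"198.51.100.{10 + 4 * r + i}" for i in range(4)))
    for r in range(3)
]

if __name__ == "__main__":
    for label, answers in (("flux", FLUX_ANSWERS), ("static", STATIC_ANSWERS),
                           ("cdn-like", CDN_LIKE_ANSWERS)):
        ips = distinct_ips(answers)
        print(f"{label:9s} ips={len(ips):2d} prefixes={len(distinct_prefixes(ips)):2d} "
              f"max_ttl={max(a.ttl for a in answers):4d} "
              f"candidate={is_fast_flux_candidate(answers)}")
```

Only the flux sample trips all three checks; the CDN-like sample shows why TTL and address count alone are not enough and why real deployments replace the `/24` proxy with ASN or owner diversity.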
Wide-area Measurement Study
The surveyed work presents a honeynet-based botnet detection system as well as some findings on botnets across the Internet.
The system is composed of three modules:
1. Malware collection: nepenthes and unpatched Windows XP in a virtualized environment.
2. Graybox testing: learn the botnet "dialect".
3. Botnet tracking: an IRC tracker lurks in the IRC channel and records commands.
Botnet Modeling and Future Botnet Prediction
The surveyed work creates a diurnal propagation model based on the fact that computers that are offline are not infectious.
However, we still have no idea how close these models are to the botnets in the real world.
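To make the slide's one-sentence idea concrete, here is an added toy simulation (my own illustration, not the equations of the modeling paper the survey cites, which the slides do not reproduce). The only modelling assumption is the one stated on the slide: an offline host neither scans nor can be hit, so the effective contact rate in each hour is scaled by the fraction of hosts online. The online profile, the contact rate `beta`, the population size and the 48-hour horizon are all assumptions.

```python
"""Toy diurnal propagation model (added illustration, assumed form).

Mean-field, one step per hour. Of the `infected` hosts only the online ones
scan, and only online susceptible hosts can be infected, so the expected
number of new infections in an hour is scaled by alpha(h) on both sides.
"""
from typing import Callable, List


def diurnal_online_fraction(hour: int) -> float:
    """Assumed online profile: most hosts up by day, few at night."""
    return 0.9 if 8 <= (hour % 24) < 22 else 0.3


def new_infections(infected: float, alpha: float, beta: float,
                   population: int) -> float:
    """Expected new infections in one hour.
    beta  - successful contacts per online infected host per hour (assumed)
    alpha - fraction of hosts online during this hour"""
    online_infected = alpha * infected
    online_susceptible = alpha * (population - infected)
    return beta * online_infected * online_susceptible / population


def simulate(hours: int, beta: float, population: int, initial: int,
             online: Callable[[int], float]) -> List[float]:
    """Infected count at the end of each hour, never exceeding the population."""
    infected = float(initial)
    trajectory: List[float] = []
    for h in range(hours):
        infected = min(float(population),
                       infected + new_infections(infected, online(h), beta, population))
        trajectory.append(infected)
    return trajectory


def peak_growth_hour(trajectory: List[float], initial: int) -> int:
    """Hour (index) in which the most new infections occurred."""
    prev = float(initial)
    best_hour, best_gain = 0, -1.0
    for h, value in enumerate(trajectory):
        gain = value - prev
        if gain > best_gain:
            best_hour, best_gain = h, gain
        prev = value
    return best_hour


if __name__ == "__main__":
    N, I0, BETA = 100_000, 100, 0.5          # assumed parameters
    diurnal = simulate(48, BETA, N, I0, diurnal_online_fraction)
    # a flat model that ignores the day/night cycle but keeps the same mean online fraction
    mean_alpha = sum(diurnal_online_fraction(h) for h in range(24)) / 24
    flat = simulate(48, BETA, N, I0, lambda h: mean_alpha)
    print(f"diurnal: {diurnal[23]:9.0f} infected after 24h, peak growth at hour "
          f"{peak_growth_hour(diurnal, I0)}")
    print(f"flat:    {flat[23]:9.0f} infected after 24h, peak growth at hour "
          f"{peak_growth_hour(flat, I0)}")
```

The point the slide makes becomes visible in the output: under the diurnal profile almost all growth lands in daytime hours, so a measurement taken at night underestimates the next day's spread, which is exactly the kind of gap between model and real-world botnet the slide then questions.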
Detecting and Tracking Botnet
Honeynet-based
First, there are several tools available to collect malware, but no tool for tracking the botnet.
Secondly, the tracking tool needs to understand the botnet's "jargon" in order to be accepted by the botmaster.
Moreover, the increasing use of anti-analysis techniques by the blackhat circle makes the development of such a tool even more challenging.
Traffic monitoring
Identify botmasters based on the transport layer.
The core idea is based on the attack and control chain of the botnet.
The major steps are as follows:
1. Identify bots based on their attack activities.
2. Analyze the flows of these bots to find candidate controller connections.
3. Analyze the candidate controller connections to locate the botmaster.
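The three steps above form one pipeline over flow records, so here is an added example (my own code, not the cited paper's system) that runs it over constructed flows. The bot indicator (one source fanning out to many destinations on one port), the controller indicator (long-lived flows from several flagged bots converging on the same destination and port), the botmaster heuristic (a host that also holds a long session with a candidate controller but showed no bot behaviour itself), every threshold and every address are assumptions.

```python
"""Attack-and-control chain over transport-layer flow records (added example).

Step 1 flags bots by attack activity (a scan: one source touching many
destinations on the same port). Step 2 looks only at those bots' flows and
keeps long-lived connections that several bots share, the candidate C&C.
Step 3 looks at who else talks to that C&C endpoint. All heuristics and
sample data are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Endpoint = Tuple[str, int]   # (destination address, destination port)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    duration_s: int   # seconds the connection stayed open


def find_bots(flows: List[Flow], scan_threshold: int = 8) -> Set[str]:
    """Step 1: a source contacting >= scan_threshold distinct hosts on one port."""
    fanout: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for f in flows:
        fanout[(f.src, f.dport)].add(f.dst)
    return {src for (src, _), dsts in fanout.items() if len(dsts) >= scan_threshold}


def find_candidate_controllers(flows: List[Flow], bots: Set[str], min_bots: int = 2,
                               min_duration_s: int = 600) -> Dict[Endpoint, Set[str]]:
    """Step 2: long-lived flows from flagged bots that converge on one endpoint."""
    shared: Dict[Endpoint, Set[str]] = defaultdict(set)
    for f in flows:
        if f.src in bots and f.duration_s >= min_duration_s:
            shared[(f.dst, f.dport)].add(f.src)
    return {ep: srcs for ep, srcs in shared.items() if len(srcs) >= min_bots}


def find_botmaster_candidates(flows: List[Flow], bots: Set[str],
                              controllers: Dict[Endpoint, Set[str]]) -> Set[str]:
    """Step 3: non-bot hosts that also connect to a candidate controller endpoint."""
    endpoints = set(controllers)
    return {f.src for f in flows if (f.dst, f.dport) in endpoints and f.src not in bots}


def run_pipeline(flows: List[Flow]) -> Dict[str, object]:
    bots = find_bots(flows)
    controllers = find_candidate_controllers(flows, bots)
    masters = find_botmaster_candidates(flows, bots, controllers)
    return {"bots": bots, "controllers": controllers, "botmaster_candidates": masters}


def _scan(src: str, dport: int, n: int) -> List[Flow]:
    """Constructed scan: short flows from src to n distinct hosts on dport."""
    return [Flow(src, f"192.0.2.{i}", dport, 1) for i in range(1, n + 1)]


# constructed flow records
FLOWS: List[Flow] = (
    _scan("10.0.0.5", 445, 8)
    + _scan("10.0.0.7", 445, 9)
    + [Flow("10.0.0.5", "203.0.113.9", 6667, 3600),      # bot holding an IRC-like session
       Flow("10.0.0.7", "203.0.113.9", 6667, 2400),      # second bot, same endpoint
       Flow("10.0.0.20", "198.51.100.10", 443, 30),      # ordinary web client
       Flow("10.0.0.20", "198.51.100.11", 443, 45),
       Flow("198.51.100.4", "203.0.113.9", 6667, 7200)]  # outsider on the controller
)

if __name__ == "__main__":
    for key, value in run_pipeline(FLOWS).items():
        print(f"{key}: {value}")
```

Each step narrows the search space rather than inspecting payloads, which is why the approach survives encrypted C&C; the cost is that step 3 is only a lead to investigate, since an analyst or another infected host would also appear there.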
Defenses Against Botnet
Enterprise Solutions
Trend Micro provides a Botnet Identification Service that gives customers a real-time list of botnet C&C (botmaster) addresses.
Conclusion and Possible Future Work
HTTP/P2P Botnet
The existing works are anatomies of a few samples.
Fast-flux Network
Whom do they serve?
What is the structure of their network?
Is it the same as a typical IRC botnet or not?
Is their botmaster also fast-fluxed?
Binary analysis of the bot's code would be extremely helpful.