
BotWatcher

Transparent and Generic Botnet Tracking

  • Conference paper
  • Research in Attacks, Intrusions, and Defenses (RAID 2015)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9404)

Abstract

Botnets are one of the most serious threats to Internet security today. Modern botnets have complex infrastructures consisting of multiple components, which can be dynamically installed, updated, and removed at any time during the botnet's operation. Tracking botnets is essential for understanding the current threat landscape. However, state-of-the-art analysis approaches have several limitations. Many malware analysis systems, such as sandboxes, have a very short analysis time-out and thus offer only limited insight into the long-term behavior of a botnet. Customized tracking systems, in contrast, are botnet-specific and must be adapted to each malware family, which requires tedious manual reverse engineering.

In this paper, we present BotWatcher, a novel approach for transparent and generic botnet tracking. To this end, we leverage dynamic analysis and memory forensics techniques to execute the initial malware sample and later installed modules in a controlled environment and regularly obtain insights into the state of the analysis system. The key idea behind BotWatcher is that by reasoning about the evolution of system state over time, we can reconstruct a high-level overview of the botnet lifecycle, i.e., the sequence of botnet actions that caused this evolution. Our approach is generic since it relies neither on previous knowledge of the botnet nor on OS-specific features. Transparency is achieved by performing outside-OS monitoring and not installing any analysis tools in the analysis environment. We implemented BotWatcher for Microsoft Windows and Mac OS X (both 32- and 64-bit architectures), and applied it to monitor four botnets targeting Microsoft Windows. To the best of our knowledge, we are the first to present a generic, transparent, and fully automated botnet tracking system.
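The abstract's key idea, reasoning about the evolution of system state over time to recover the sequence of botnet actions, can be illustrated with a small snapshot-differencing engine. The following Python code is an added example written for this page; it is not BotWatcher's implementation and does not reproduce any of the paper's internals. It assumes that an outside-OS memory-forensics pass has already reduced each periodic snapshot to sets of observed items per category (processes, connections, files), and the snapshot series below is constructed for the example, using documentation (TEST-NET) addresses.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# A snapshot maps a state category (what a memory-forensics pass would extract
# from a VM image) to the set of items observed in it at one point in time.
Snapshot = Dict[str, Set[str]]


@dataclass(frozen=True)
class Event:
    t: int          # index of the snapshot in which the change was first seen
    category: str   # "processes", "connections" or "files" in this example
    action: str     # "appeared" or "disappeared"
    item: str


def diff_snapshots(prev: Snapshot, cur: Snapshot, t: int) -> List[Event]:
    """Compare two consecutive snapshots and emit one Event per set change."""
    events: List[Event] = []
    for cat in sorted(set(prev) | set(cur)):
        before, after = prev.get(cat, set()), cur.get(cat, set())
        for item in sorted(after - before):
            events.append(Event(t, cat, "appeared", item))
        for item in sorted(before - after):
            events.append(Event(t, cat, "disappeared", item))
    return events


def reconstruct_lifecycle(snapshots: List[Snapshot]) -> List[Event]:
    """Reduce a time series of snapshots to the ordered list of state changes.

    The botnet itself is never instrumented: every event is derived purely
    from how the observed state differs between two snapshots.
    """
    events: List[Event] = []
    for t in range(1, len(snapshots)):
        events.extend(diff_snapshots(snapshots[t - 1], snapshots[t], t))
    return events


def classify_additions(snapshots: List[Snapshot]) -> Tuple[Set[Tuple[str, str]],
                                                          Set[Tuple[str, str]]]:
    """Split everything that appeared after the baseline into components that
    are still present in the last snapshot (persistent) and ones that were
    gone again by then (transient, e.g. a staging dropper)."""
    final = snapshots[-1]
    appeared = {(e.category, e.item) for e in reconstruct_lifecycle(snapshots)
                if e.action == "appeared"}
    persistent = {(c, i) for (c, i) in appeared if i in final.get(c, set())}
    return persistent, appeared - persistent


def timeline(events: List[Event]) -> List[str]:
    """Render events as one human-readable line each."""
    return [f"t={e.t} {e.category:<11} {e.action:<11} {e.item}" for e in events]


# Constructed snapshot series: a clean baseline, a dropper that phones home,
# a module it installs, and finally the dropper cleaning itself up while the
# module switches to a second endpoint.
SAMPLE_SNAPSHOTS: List[Snapshot] = [
    {"processes": {"explorer.exe", "svchost.exe"}, "connections": set(), "files": set()},
    {"processes": {"explorer.exe", "svchost.exe", "dropper.exe"},
     "connections": {"203.0.113.5:443"},
     "files": {"C:/Users/victim/AppData/dropper.exe"}},
    {"processes": {"explorer.exe", "svchost.exe", "module.exe"},
     "connections": {"203.0.113.5:443"},
     "files": {"C:/Users/victim/AppData/dropper.exe",
               "C:/Users/victim/AppData/module.dll"}},
    {"processes": {"explorer.exe", "svchost.exe", "module.exe"},
     "connections": {"198.51.100.7:8080"},
     "files": {"C:/Users/victim/AppData/module.dll"}},
]


if __name__ == "__main__":
    for line in timeline(reconstruct_lifecycle(SAMPLE_SNAPSHOTS)):
        print(line)
    persistent, transient = classify_additions(SAMPLE_SNAPSHOTS)
    print("persistent:", sorted(persistent))
    print("transient: ", sorted(transient))
```

The point of the design is that nothing here depends on knowledge of a specific family or on in-guest hooks: the categories are whatever the forensics layer can extract, and the lifecycle is recovered from set differences alone. In practice the snapshot interval bounds what can be seen, so a component that is installed and removed between two snapshots leaves no event; shortening the interval or adding categories (loaded modules, registry keys) is the lever for that.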


Notes

  1. MD5 sum Upatre: D4A999B1314CFE152774F709BB4EC94B.
  2. MD5 sum Emotet: 06B92478CB19FDE2665038CBDD0B1420.
  3. MD5 sum Gamarue: 28E01A0E29155E5B993DFF915ACEA976.
  4. MD5 sum Necurs: C39FBB4B968C882705F3DACAEF3F51C5.
  5. MD5 sum OSX/VidInstaller: 4ddf5d89249c58c5f0f9b38300b49b91.


Acknowledgments

We would like to thank our shepherd Christian Rossow for his assistance in improving the quality of this paper. We also want to express our gratitude to the reviewers for their helpful feedback, valuable comments, and suggestions.

Author information

Corresponding author: Thomas Barabosch.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Barabosch, T., Dombeck, A., Yakdan, K., Gerhards-Padilla, E. (2015). BotWatcher: Transparent and Generic Botnet Tracking. In: Bos, H., Monrose, F., Blanc, G. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2015. Lecture Notes in Computer Science, vol 9404. Springer, Cham. https://doi.org/10.1007/978-3-319-26362-5_26

  • DOI: https://doi.org/10.1007/978-3-319-26362-5_26

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26361-8

  • Online ISBN: 978-3-319-26362-5

  • eBook Packages: Computer Science (R0)