
BotTracer: Execution-Based Bot-Like Malware Detection

  • Conference paper
Book cover Information Security (ISC 2008)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 5222))

Abstract

Bot-like malware poses an immense threat to computer security. Bot detection remains a challenging task because bot developers continuously adopt advanced techniques to make bots stealthier. A typical bot exhibits three invariant features at its onset: (1) the bot starts automatically, without requiring any user action; (2) the bot must establish a command and control channel with its botmaster; and (3) the bot will, sooner or later, perform local or remote attacks. These invariants correspond to three indispensable phases of a bot attack (startup, preparation, and attack). In this paper, we propose BotTracer to detect these three phases with the assistance of virtual machine techniques. To validate BotTracer, we implement a prototype based on VMware and Windows XP Professional. The results show that BotTracer successfully detected all the bots in the experiments without any false negatives.
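The abstract's three invariants (automatic startup, a command and control channel, and a later attack) lend themselves to phase correlation over per-process events. The following is an added illustration of that idea, not BotTracer's own code and not taken from the paper: the event schema, the heuristics for "automatic" launch and "persistent remote channel", the attack-behaviour labels and the strict startup-then-preparation-then-attack ordering are all assumptions made for the example, and the event log is constructed.

```python
"""Phase correlation in the spirit of the BotTracer abstract.

Added example, not the paper's implementation.  It walks a per-process
event stream and records the three phases only in the order the
abstract gives them: startup -> preparation (C&C) -> attack.  A process
is flagged only when all three are observed in that order.
"""
from collections import defaultdict
from dataclasses import dataclass, field

STARTUP, PREPARATION, ATTACK = "startup", "preparation", "attack"
ORDER = (STARTUP, PREPARATION, ATTACK)

# Assumed heuristic: launches not attributable to an interactive user.
AUTOMATIC_TRIGGERS = {"autorun_registry", "service", "scheduled_task"}
# Assumed heuristic: a control channel is a non-local connection that stays
# open long enough to carry commands (seconds).  The private-range check is
# deliberately simplified (172.16/12 is ignored).
MIN_CHANNEL_SECONDS = 60
LOCAL_PREFIXES = ("10.", "192.168.", "127.")
# Assumed labels a sandbox monitor might emit for hostile activity.
ATTACK_BEHAVIOURS = {"port_scan", "smtp_burst", "syn_flood", "keylog_write"}


@dataclass
class ProcessState:
    phases: list = field(default_factory=list)   # phases seen so far, in order
    evidence: dict = field(default_factory=dict)  # phase -> short justification


def _advance(state, phase, note):
    """Record `phase` only if it is the next one the invariant order expects."""
    nxt = ORDER[len(state.phases)] if len(state.phases) < len(ORDER) else None
    if phase == nxt:
        state.phases.append(phase)
        state.evidence[phase] = note


def correlate(events):
    """Return {pid: ProcessState} after replaying `events` in timestamp order."""
    states = defaultdict(ProcessState)
    for ev in sorted(events, key=lambda e: e["ts"]):
        st = states[ev["pid"]]
        kind = ev["kind"]
        if kind == "process_start" and ev.get("trigger") in AUTOMATIC_TRIGGERS:
            _advance(st, STARTUP, f"launched via {ev['trigger']}")
        elif (kind == "net_connect"
              and not ev["dst"].startswith(LOCAL_PREFIXES)
              and ev.get("duration", 0) >= MIN_CHANNEL_SECONDS):
            _advance(st, PREPARATION, f"persistent channel to {ev['dst']}:{ev['port']}")
        elif kind == "behaviour" and ev["name"] in ATTACK_BEHAVIOURS:
            _advance(st, ATTACK, ev["name"])
    return states


def flagged(events):
    """Sorted pids that completed all three phases in order."""
    return sorted(pid for pid, st in correlate(events).items()
                  if st.phases == list(ORDER))


# Constructed sample events (not captured data).  203.0.113.0/24 is a
# documentation range used here as a stand-in for a remote host.
SAMPLE_EVENTS = [
    # 4100: auto-started, keeps a channel open, then scans -> all three phases
    {"ts": 0,   "pid": 4100, "kind": "process_start", "trigger": "autorun_registry"},
    {"ts": 5,   "pid": 4100, "kind": "net_connect", "dst": "203.0.113.7", "port": 6667, "duration": 3600},
    {"ts": 900, "pid": 4100, "kind": "behaviour", "name": "port_scan"},
    # 4200: user-launched chat client with the same long-lived connection -> no startup phase
    {"ts": 1,   "pid": 4200, "kind": "process_start", "trigger": "user"},
    {"ts": 6,   "pid": 4200, "kind": "net_connect", "dst": "203.0.113.7", "port": 6667, "duration": 3600},
    # 4300: service doing a brief update check -> startup only
    {"ts": 2,   "pid": 4300, "kind": "process_start", "trigger": "service"},
    {"ts": 7,   "pid": 4300, "kind": "net_connect", "dst": "203.0.113.9", "port": 443, "duration": 5},
    # 4400: hostile behaviour before any channel -> attack is out of order and ignored
    {"ts": 3,   "pid": 4400, "kind": "process_start", "trigger": "scheduled_task"},
    {"ts": 10,  "pid": 4400, "kind": "behaviour", "name": "port_scan"},
    {"ts": 50,  "pid": 4400, "kind": "net_connect", "dst": "203.0.113.8", "port": 8080, "duration": 600},
]

if __name__ == "__main__":
    for pid, st in sorted(correlate(SAMPLE_EVENTS).items()):
        print(pid, st.phases, st.evidence)
    print("flagged:", flagged(SAMPLE_EVENTS))
```

Only process 4100 is flagged on the sample data. The strict ordering is what keeps the user-launched chat client (4200) and the auto-started updater (4300) out of the result; it also means an attack observed before a control channel (4400) is not counted, which matches the abstract's claim that the attack follows the preparation phase but is an assumption about how a real monitor would want to treat such a process.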




Editor information

Tzong-Chen Wu Chin-Laung Lei Vincent Rijmen Der-Tsai Lee


Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Liu, L., Chen, S., Yan, G., Zhang, Z. (2008). BotTracer: Execution-Based Bot-Like Malware Detection. In: Wu, TC., Lei, CL., Rijmen, V., Lee, DT. (eds) Information Security. ISC 2008. Lecture Notes in Computer Science, vol 5222. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-85886-7_7


  • DOI: https://doi.org/10.1007/978-3-540-85886-7_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-85884-3

  • Online ISBN: 978-3-540-85886-7

  • eBook Packages: Computer Science (R0)
