A Probabilistic Population Study of the Conficker-C Botnet

Weaver, Rhiannon

doi:10.1007/978-3-642-12334-4_19

Rhiannon Weaver¹⁸

Part of the book series: Lecture Notes in Computer Science ((LNCCN,volume 6032))

Included in the following conference series:

International Conference on Passive and Active Network Measurement

1376 Accesses
6 Citations

Abstract

We estimate the number of active machines per hour infected with the Conficker-C worm, using a probability model of Conficker-C’s UDP P2P scanning behavior. For an observer with access to a proportion δ of monitored IPv4 space, we derive the distribution of the number of times a single infected host is observed scanning the monitored space, based on a study of the P2P protocol, and on network and behavioral variability by relative hour of the day. We use these distributional results in conjunction with the Lévy form of the Central Limit Theorem to estimate the total number of active hosts in a single hour. We apply the model to observed data from Conficker-C scans sent over a 51-day period (March 5th through April 24th, 2009) to a large private network.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Abu Rajab, M., Zarfoss, J., Monrose, F., Terzis, A.: My botnet is bigger than yours (maybe, better than yours): Why size estimates remain challenging. In: Proceedings of the First Annual Workshop on Hot Topics in Botnets (March 2007)
Google Scholar
Casella, G., Berger, R.: Statistical Inference. Duxbury Press, Boston (1990)
MATH Google Scholar
Chan, M., Hamdi, M.: An active queue management scheme based on a capture-recapture model. IEEE Journal on Selected Areas in Communications 21(4), 572–583 (2003)
Article Google Scholar
Dupuis, J., Schwarz, C.: A Bayesian approach to the multistate Jolly-Seber capture-recapture model. Biometrics 63, 1015–1022 (2007)
MATH MathSciNet Google Scholar
Faber, S.: Silk Conficker. C Plug-in (2009), CERT Code release, http://tools.netsa.cert.org/wiki/display/tt/SiLK+Conficker.C+Plugin
Fienberg, S., Johnson, M., Junker, B.: Classical multilevel and bayesian approaches to population size estimation using multiple lists. Journal of the Royal Statistical Society: Series A 162(3), 383–405 (1999)
Google Scholar
Fitzgibbon, N., Wood, M.: Conficker.C: A technical analysis (March 2009), Sophos white paper, http://www.sophos.com/sophos/docs/eng/marketing_material/conficker-analysis.pdf
Horowitz, K., Malkhi, D.: Estimating network size from local information. Information Processing Letters 88, 237–243 (2003)
Article MATH MathSciNet Google Scholar
Li, Z., Goyal, A., Chen, Y., Paxson, V.: Automating analysis of large-scale botnet probing events. In: ASAICCS 2009 (March 2009)
Google Scholar
Mane, S., Mopuru, S., Mehra, K., Srivastava, J.: Network size estimation in a peer-to-peer network. Tech. Rep. TR 05-030, University of Minnesota Department of Computer Science and Engineering (2005)
Google Scholar
McAfee: Conficker.C over the wire. McAfee Network Security blog publication (March 2009), http://www.avertlabs.com/research/blog/index.php/2009/04/01/confickerc-on-the-wire-2
Paxson, V., Floyd, S.: Wide-area traffic: The failure of poisson modeling. IEEE/ACM Transactions on Networking 3(3), 226–244 (1995)
Article Google Scholar
Porras, P., Saidi, H., Yegneswaran, V.: Conficker C Actived P2P scanner. SRI international Code release/document (2009), http://www.mtc.sri.com/Conficker/contrib/scanner.html
Porras, P., Saidi, H., Yegneswaran, V.: Conficker C analysis. Tech. rep., SRI International (2009)
Google Scholar
Porras, P., Saidi, H., Yegneswaran, V.: Conficker C P2P protocol and implementation. Tech. rep., SRI International (2009)
Google Scholar
Psaltoulis, D., Kostoulas, D., Gupta, I., Briman, K., Demers, A.: Decentralized schemes for size estimation in large and dynamic groups. Tech. Rep. UIUCDCS-R-2005-2524, University of Illinois Department of Computer Science (2005)
Google Scholar
Schwarz, C., Arnason, A.: A general methodology for the analysis of capture-recapture experiments in open populations. Biometrics 52(3), 860–873 (1996)
Article MATH MathSciNet Google Scholar
Taylor, H., Karlin, S.: An Introduction to Stochastic Modeling. Academic Press, London (1998)
MATH Google Scholar

Download references

Author information

Authors and Affiliations

CERT, Software Engineering Institute,
Rhiannon Weaver

Authors

Rhiannon Weaver
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Department of Computer Science and Engineering, University of Washington, 185 Stevens Way, Seattle, 98195, WA, USA
Arvind Krishnamurthy
Computer Engineering and Networks Laboratory (TIK), Swiss Federal Institute of Technology (ETH) Zurich, CH-8092, Zurich, Switzerland
Bernhard Plattner

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Weaver, R. (2010). A Probabilistic Population Study of the Conficker-C Botnet. In: Krishnamurthy, A., Plattner, B. (eds) Passive and Active Measurement. PAM 2010. Lecture Notes in Computer Science, vol 6032. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-12334-4_19

Download citation

DOI: https://doi.org/10.1007/978-3-642-12334-4_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-12333-7
Online ISBN: 978-3-642-12334-4
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics