Abstract
In this paper, we analyze a large amount of infection data for three major botnets: Conficker, MegaD, and Srizbi. These botnets represent two distinct types of botnets in terms of the methods they use to recruit new victims. We propose the use of cross-analysis between these different types of botnets as well as between botnets of the same type in order to gain insights into the nature of their infection. In this analysis, we examine commonly-infected networks which appear to be extremely prone to malware infection. We provide an in-depth passive and active measurement study to have a fine-grained view of the similarities and differences for the two infection types. Based on our cross-analysis results, we further derive new implications and insights for defense. For example, we empirically show the promising power of cross-prediction of new unknown botnet victim networks using historic infection data of some known botnet that uses the same infection type with more than 80% accuracy.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Pauli, D.: Srizbi Botnet Sets New Records for Spam: PC World (retrieved 2008-07-20)
Shin, S., Gu, G.: Conficker and Beyond: A Large-Scale Empirical Study. In: Proceedings of 2010 Annual Computer Security Applications Conference, ACSAC 2010 (2010)
Microsoft Security Techcenter, Conficker Worm, http://technet.microsoft.com/en-us/security/dd452420.aspx
UPI, Virus strikes 15 million PCs, http://www.upi.com/Top_News/2009/01/26/Virus-strikes-15-million-PCs/UPI-19421232924206/
Symantec, Trojan.Srizbi, http://www.symantec.com/security_response/writeup.jsp?docid=2007-062007-0946-99
McAfee, Srizbi Infection, http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=142902
SecureWorks, Ozdok/Mega-D Trojan Analysis, http://www.secureworks.com/research/threats/ozdok/?threat=ozdok
m86security, Mega-d, http://www.m86security.com/trace/i/Mega-D,spambot.896.asp.
Chien, E., Downadup.: Attempts at Smart Network Scanning, http://www.symantec.com/connect/blogs/downadup-attempts-smart-network-scanning
Xie, Y., Yu, F., Achan, K., Gillum, E., Goldzmidt, M., Wobber, T.: How Dynamic are IP Addresses?. In: Proceedings of ACM Special Interest Group on Data Communication, SIGCOMM (2007)
Rajab, M.A., Zarfoss, J., Monrose, F., Terzis, A.: My botnet is bigger than yours (maybe, better than yours): why size estimates remain challenging. In: Proceedings of the First Conference on First Workshop on Hot Topics in Understanding Botnets (2007)
Egele, M., Wurzinger, P., Kruegel, C., Kirda, E.: Defending Browsers against Drive-by Downloads: Mitigating Heap-spraying Code Injection Attacks. In: Flegel, U., Bruschi, D. (eds.) DIMVA 2009. LNCS, vol. 5587, pp. 88–106. Springer, Heidelberg (2009)
Krishnan, S., Kim, Y.: Passive identification of Conficker nodes on the Internet. University of Minnesota - Technical Document (2009)
CAIDA, Conficker/Conflicker/Downadup as seen from the UCSD Network Telescope, http://www.caida.org/research/security/ms08-067/conficker.xml
Weaver, R.: A Probabilistic Population Study of the Conficker-C Botnet. In: Proceedings of the Passive and Active Measurement Conference (2010)
John, J.P., Moshchuk, A., Gribble, S.D., Krishnamurthy, A.: Studying Spamming Botnets Using Botlab. In: Proceedings of the Annual Network and Distributed System Security, NDSS (2009)
Cho, C.Y., Caballero, J., Grier, C., Paxson, V., Song, D.: Insights from the Inside: A View of Botnet Management from Infiltration. In: Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats, LEET (2010)
Caballero, J., Poosankam, P., Kreibich, C., Song, D.: Dispatcher: Enabling active botnet infiltration using automatic protocol reverse-engineering. In: Proceedings of ACM Computer and Communications Security, CCS (2009)
BOTLAB, A Study in Spam, http://botlab.org/
Shadowserver, Botnet Measurement and Study, http://shadowserver.org/wiki/
IP2Location, IP2Location Internet IP Address 2009 Report, http://www.ip2location.com/
IANA, IANA IPv4 Address Space Registry, http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
Cai, X., Heidenmann, J.: Understanding Address Usage in the Visible Internet: USC/ISI Technical Report ISI-TR-656 (2009)
Alderfer, H., Flynn, S., Birchmeier, B., Schulz, E.: Information Policy Country Report. University of Michigan School of Information Report, Turkey (2009)
Ianelli, N., Hackworth, A.: Botnets as a Vehicle for Online Crime: CERT/CC Technical Report (2005)
Uri Raz, How do spammers harvest email addresses ?, http://www.private.org.il/harvest.html
FAQs.org, FAQ: How do spammers get people’s email addresses ?, http://www.faqs.org/faqs/net-abuse-faq/harvest/
Caballero, J., Grier, C., Kreibich, C., Paxson, V.: Measuring Pay-per-Install: The Commoditization of Malware Distribution. In: Proceedings of USENIX Security Symposium (2011)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Shin, S., Lin, R., Gu, G. (2011). Cross-Analysis of Botnet Victims: New Insights and Implications. In: Sommer, R., Balzarotti, D., Maier, G. (eds) Recent Advances in Intrusion Detection. RAID 2011. Lecture Notes in Computer Science, vol 6961. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23644-0_13
Download citation
DOI: https://doi.org/10.1007/978-3-642-23644-0_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-23643-3
Online ISBN: 978-3-642-23644-0
eBook Packages: Computer ScienceComputer Science (R0)