Cross-Analysis of Botnet Victims: New Insights and Implications

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2011)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6961)

Abstract

In this paper, we analyze a large amount of infection data for three major botnets: Conficker, MegaD, and Srizbi. These botnets represent two distinct types of botnets in terms of the methods they use to recruit new victims. We propose the use of cross-analysis between these different types of botnets, as well as between botnets of the same type, in order to gain insights into the nature of their infection. In this analysis, we examine commonly infected networks, which appear to be extremely prone to malware infection. We provide an in-depth passive and active measurement study to obtain a fine-grained view of the similarities and differences between the two infection types. Based on our cross-analysis results, we further derive new implications and insights for defense. For example, we empirically show that historic infection data from a known botnet can be used to predict the victim networks of a new, unknown botnet that uses the same infection type with more than 80% accuracy.

Editor information

Editors: Robin Sommer, Davide Balzarotti, Gregor Maier

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

Cite this paper

Shin, S., Lin, R., Gu, G. (2011). Cross-Analysis of Botnet Victims: New Insights and Implications. In: Sommer, R., Balzarotti, D., Maier, G. (eds) Recent Advances in Intrusion Detection. RAID 2011. Lecture Notes in Computer Science, vol 6961. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23644-0_13

  • DOI: https://doi.org/10.1007/978-3-642-23644-0_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-23643-3

  • Online ISBN: 978-3-642-23644-0

  • eBook Packages: Computer Science (R0)