Last-minute presentation:

15:30 - 16:00 My Bots Are Not Yours! A case study of 600+ real-world living botnets, Erik Wu and Gunter Ollmann, Damballa

Botnets, with efficient built-in Command and Control (CnC) mechanisms, have become and will continue to be a major threat to Internet security. To date, botnets have been adopted as the standard platform for adversaries to conduct economically and politically motivated cyber activities, ranging from simple Distributed Denial of Service (DDoS) attacks and identity theft through to sophisticated information exfiltration and corporate espionage.

In this paper, we present an in-depth analysis and profiling of 600+ active botnets circulating in the wild. Over a three-month period we detected and monitored this large group of botnets, cataloguing a vast amount of data. These observations provide a solid foundation for understanding, from many perspectives, what real botnets are currently doing and how they operate, and for clearing up some common misconceptions.

The 600+ botnets represent a diversified profile of the actual botnet threat landscape. We observed large botnets with half a million active participants and small ones comprising fewer than a hundred victims. It is worth noting that the majority of the botnets operated by cyber-criminals are in fact small ones. Further study indicates that existing methods of measuring botnet size, e.g. estimates derived from malware infection distribution, are not accurate, because the actual botnet size varies from one task (mission) to another: the same botnet may select and activate different subsets of its bots for distinct missions. Another interesting observation is that some botnets share common resources. For example, a compromised asset (endpoint host or server) can be recruited by more than one botnet at around the same time, so several bots, owned and managed by different botmasters, co-exist within the same compromised asset. In this case the ownership of individual bots has to be differentiated: "my bots are not yours"! Other botnet operators, by contrast, claim exclusive use of a victim's hardware and software resources, attempting to terminate and evict other bots from their collection of victims.
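The two measurement points made above, that a botnet's size depends on which mission is being counted and that one compromised host can belong to several botnets, can be made concrete with a small analysis over per-host CnC sightings. The following Python is an added example and not code from the paper or from Damballa; the record format (host, botnet id, mission id), the botnet and mission names, and the sample sightings are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the paper): one record per observed
# CnC session, as (compromised_host, botnet_id, mission_id). A mission is
# a task the botmaster dispatched (spam run, DDoS, exfiltration, ...).
SIGHTINGS = [
    ("host-1", "botnet-A", "spam-1"),
    ("host-2", "botnet-A", "spam-1"),
    ("host-5", "botnet-A", "spam-1"),
    ("host-1", "botnet-A", "ddos-1"),
    ("host-3", "botnet-A", "ddos-1"),
    ("host-4", "botnet-A", "ddos-1"),
    ("host-2", "botnet-B", "exfil-1"),   # host-2 also carries a botnet-A bot
    ("host-6", "botnet-B", "exfil-1"),
    ("host-7", "botnet-C", "scan-1"),
]


def infected_footprint(sightings):
    """Distinct hosts ever seen talking to each botnet's CnC.

    This is the figure an infection-count estimate approximates: an upper
    bound on how many bots the botmaster can call on, not the number that
    actually work on any one task.
    """
    hosts = defaultdict(set)
    for host, botnet, _mission in sightings:
        hosts[botnet].add(host)
    return {botnet: len(h) for botnet, h in hosts.items()}


def active_size_per_mission(sightings):
    """Distinct hosts that actually took part in each (botnet, mission)."""
    hosts = defaultdict(set)
    for host, botnet, mission in sightings:
        hosts[(botnet, mission)].add(host)
    return {key: len(h) for key, h in hosts.items()}


def size_report(sightings):
    """Per botnet: total footprint, each mission's active subset, and the
    largest fraction of the footprint that any single mission mobilised."""
    footprint = infected_footprint(sightings)
    per_mission = active_size_per_mission(sightings)
    report = {}
    for botnet, total in footprint.items():
        missions = {m: n for (b, m), n in per_mission.items() if b == botnet}
        report[botnet] = {
            "footprint": total,
            "missions": missions,
            "max_active_fraction": max(missions.values()) / total,
        }
    return report


def shared_hosts(sightings):
    """Hosts carrying bots from more than one botnet -> {host: [botnets]}.

    Such a host has to be attributed to each botnet separately ("my bots
    are not yours"); counting it once, or only to whichever CnC was seen
    first, undercounts one botnet and mis-sizes the other.
    """
    owners = defaultdict(set)
    for host, botnet, _mission in sightings:
        owners[host].add(botnet)
    return {host: sorted(b) for host, b in owners.items() if len(b) > 1}


if __name__ == "__main__":
    for botnet, info in sorted(size_report(SIGHTINGS).items()):
        print(f"{botnet}: footprint={info['footprint']} "
              f"missions={info['missions']} "
              f"max_active_fraction={info['max_active_fraction']:.2f}")
    print("hosts shared by several botnets:", shared_hosts(SIGHTINGS))
```

On the constructed data, botnet-A has an infection footprint of five hosts but never mobilises more than three of them for a single mission, which is the gap between an infection-count estimate and the operational size the paper describes; host-2 shows up under two botnets and is reported as a shared asset rather than silently assigned to one of them.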

To better describe the dynamic characteristics of real-world botnets and the severity of their malicious activities, we also present a novel scoring model and apply it to the analysis of the 600+ botnets. The scoring model offers a simple and intuitive way to measure a real botnet's capacity for malicious destruction and its resilience to detection and removal, and can aid the prioritization of enterprise-level remediation processes.
