15:30 - 16:00 My Bots Are Not Yours! A case study of 600+ real-world living botnets Erik Wu and Gunter Ollmann, Damballa
15:30 - 16:00 My Bots Are Not Yours! A case study of 600+ real-world living botnets, Erik Wu, Gunter Ollmann, Damballa
Botnets, with efficient built-in Control and Command (CnC) mechanisms, have become and will continue to be a major threat
to Internet security. To date, botnets have been adopted as the standard platform for adversaries to conduct economic-
and political-motivated cyber activities, ranging from simple Distributed Denial Service of Attack (DDoS) and identity
theft, through to sophisticated information exfiltration and corporate espionage.
In this paper, we present an in-depth analysis and profiling of 600+ active botnets circulating in the wild. Over a
three-month period we detected and monitored this large group of botnets, cataloguing a vast amount of data. These
observations provide a solid foundation for a better understanding from many perspectives as to what real botnets are
currently doing, how they are operating, and a clarification of some common misconceptions.
The 600+ botnets represent a diversified profile of the actual botnet threat landscape. We observed large botnets with
a half million active participants and small ones comprised of less than hundred victims. It's worth noting that the
majority of the botnets in play by cyber-criminals are in fact small ones. Further study indicates the existing methods,
e.g. using malware infection distribution estimation, to measure the botnet size are not accurate since the actual botnet
size can vary from one task mission to another. That is, the same botnet may select and activate different subnets
for distinct missions. Another interesting observation is that some botnets can share common resources. For example, a
compromised asset (endpoint host or server) can be recruited by more than one botnet around the same time. Several bots,
owned and managed by different botmasters, can co-exist within the same compromised asset. In this case, it's required
to differentiate the ownership of individual bots as "my bots are not yours"! On the other hand, some other botnet
operators may claim exclusive use of hardware and software resource, trying to terminate and kick out other bots from
their collection of victims.
To better describe the dynamic characteristics of real-world botnets and the severity level of malicious activities,
we will also discuss a novel scoring model and leverage it for the 600+ botnets analysis. This scoring model offers a
simple and intuitive way to measure real botnets' malicious destruction capability, detection and removal resilience,
and can aid the prioritization of enterprise-level remediation processes.