A Survey of Botnets
YongQing Ni, DaeHun Nyang
Information Security Research Laboratory
Graduate School of IT & Telecommunication - InHa University
253 YongHyun-dong, Nam-gu, Incheon 402-751, Korea
niyongqing@gmail.com, nyang@inha.ac.kr
http://seclab.inha.ac.kr
Abstract. In recent years, botnets have become a major threat on the Internet. Since the first IRC-based botnet appeared, varied and more resilient botnets built on new techniques have been springing up. To be well prepared for future attacks from botnets, a broad and in-depth survey is now at the top of the agenda. In this paper we present a detailed study of botnets based on the different channels they use, and we propose a precise categorization of botnets. Furthermore, to better understand botnet detection mechanisms, we make an in-depth comparison of a variety of approaches.
Keywords: Botnet, Category, Channel, Peer-to-Peer.
1 Introduction
A botnet is a group of compromised computers working together under the control of a remote attacker (the "botmaster") [3,4,1], usually for illegal purposes. It is also an attack strategy that evolved from traditional forms of malware attack. In the past several years, malware attacks on the Internet have become more and more prevalent all over the world, and botnets have turned into the main source of malicious activity such as email spam, DoS/DDoS and phishing.
The most common control structure is IRC-based. The botmaster posts bot commands [5] in an IRC channel, and all the bot commands are transmitted to the infected machines ("bots") by the IRC server that the botmaster controls. With this control structure the botmaster can easily infect other machines and control the bots connected to the chosen server. Such botnets are easy to create, easy to manage, and respond to commands quickly. However, they are also easy to detect, and many detection approaches for IRC-based botnets have been proposed. Honeypots [6], which can be used to track and monitor the commands issued by attackers, are still being updated and developed by many participants around the world. Guofei Gu and his co-authors proposed a monitoring strategy named BotHunter [7], which focuses on recognizing the infection and coordination dialog that occurs during a successful malware infection. Yousof Al-Hammadi and Uwe Aickelin proposed detecting botnets through log correlation [8]: by monitoring changes of behavior in log files from different hosts, the communications are monitored and normal conversations and behaviors can be distinguished from abnormal ones.
In contrast to the control structure described above, Peer-to-Peer [9] communication has produced a new generation of botnets, usually abbreviated as P2P-based botnets. Their distinguishing feature is that there is no central server for distributing commands; each bot acts as both client and server. Compared with IRC-based botnets, P2P-based ones are much harder to track directly and much more resilient. With the prevalence of P2P-based botnets, the threat to Internet security grows more serious every day, which has also triggered a surge of detection work in the research community. Julian B. Grizzard et al. [9] provide an overview of P2P-based botnets and present a specific case study of the Trojan.Peacomm bot. Chris Nunnery and Brent ByungHoon Kang argue that locating zombie nodes and botmasters is the first step in detecting P2P-based botnets. T. Holz et al. [11] propose measurement and mitigation strategies for P2P-based botnets and apply them to the Storm Worm, the most widespread P2P-based botnet in the wild. As new methodologies are applied to P2P-based botnet detection, new P2P-based botnet designs are gradually being produced as well. Ping Wang et al. propose an advanced hybrid P2P botnet [13]. They argue that new and varied P2P-based botnets will be developed in the near future, so they design and present an advanced hybrid P2P-based botnet with robust network connectivity and individualized encryption that is harder to detect.
In the remainder of this paper we present the taxonomy of botnets and the detection mechanisms in more detail. Section 2 gives a categorization of botnets in the wild based on our current research. Following the classification in Section 2, Section 3 describes the main botnet detection mechanisms. Section 4 presents the trend of botnets and future work. Finally, Section 5 concludes the paper.
2 A Category of botnets
Since the first bot appeared in the wild, a great variety of botnets have been released. Botnets have become the biggest threat to Internet security and have aroused wide concern in the security community. Many researchers and anti-virus/anti-malware companies have started to study the mechanisms of botnets and to mitigate the threat they pose. Until now, however, there has been no systematic and detailed investigation and analysis of the structures on which the currently widespread botnets are based. We therefore propose a categorization of botnets, and argue that studying botnet structure is more important than focusing on a single or special case.
2.1 IRC-based Botnet
As is well known, Internet Relay Chat (IRC) is a real-time communication system over the Internet, but attackers use it to form botnets for malicious purposes. They send bot commands [14] to the IRC server under their control, and the server disperses the bot commands to all the bots logged in to that server. Thus the IRC-based botnet is formed. In the following paragraphs we introduce the main scheme of the IRC-based botnet in detail.
Figure 1 below shows the general work flow of the botnet control mechanism.
Fig. 1. IRC-based Work Flow
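The work flow in Fig. 1 (the botmaster posts a command in a channel and the server fans it out to every bot that has joined) leaves a recognisable trace in IRC server traffic. The following Python detector is an added example written for this page; it is not code from the paper or from any bot family it names. It parses raw IRC lines, rebuilds channel membership from JOINs, separates bot commands carried in the PRIVMSG payload from the standard IRC protocol commands, and flags a channel when several distinct hosts answer a command with identical text. Only the bot.open/bot.execute command names come from the paper; the other command namespaces in BOT_NAMESPACES, the sample log lines and the threshold of three bots are constructed assumptions.

```python
"""Heuristic detector for IRC-based botnet command and control.

Added example (not from the paper): replays a constructed IRC server log,
rebuilds channel membership from JOINs, separates bot commands carried in
PRIVMSG payloads from standard IRC protocol commands, and flags channels where
several distinct hosts answer a command with identical text (herd fan-out).
"""
import re
from collections import defaultdict

# ASSUMPTION: only "bot.open"/"bot.execute" are named in the paper; the other
# namespaces and the dot-prefixed form are illustrative placeholders.
BOT_NAMESPACES = ("bot", "ddos", "scan", "harvest")
BOT_COMMAND = re.compile(
    r"^(?:(?:%s)\.[a-z_]+|\.[a-z_]+)\b" % "|".join(BOT_NAMESPACES), re.IGNORECASE
)

# Constructed sample log: one bot channel (#c4c) and one ordinary channel (#linux).
SAMPLE_LOG = [
    ":bm!bm@203.0.113.7 JOIN #c4c",
    ":x1!x@198.51.100.10 JOIN #c4c",
    ":x2!x@198.51.100.11 JOIN #c4c",
    ":x3!x@198.51.100.12 JOIN :#c4c",  # some servers send the channel as trailing
    ":bm!bm@203.0.113.7 PRIVMSG #c4c :.login secretpw",
    ":bm!bm@203.0.113.7 PRIVMSG #c4c :bot.execute upd.exe",
    ":x1!x@198.51.100.10 PRIVMSG #c4c :[OK] executed",
    ":x2!x@198.51.100.11 PRIVMSG #c4c :[OK] executed",
    ":x3!x@198.51.100.12 PRIVMSG #c4c :[OK] executed",
    ":alice!a@192.0.2.5 JOIN #linux",
    ":alice!a@192.0.2.5 PRIVMSG #linux :anyone tried the new kernel?",
    ":bob!b@192.0.2.6 PRIVMSG #linux :yes, works fine",
]


def parse_irc_line(line):
    """Split an RFC 1459 message into nick, host, command, params and trailing."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:  # the first " :" starts the free-form trailing part
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return None
    nick = prefix.split("!", 1)[0] if prefix else None
    host = prefix.rsplit("@", 1)[-1] if prefix and "@" in prefix else None
    return {"nick": nick, "host": host, "command": parts[0].upper(),
            "params": parts[1:], "trailing": trailing}


def is_bot_command(text):
    """True when a PRIVMSG payload looks like a bot command rather than chat."""
    return bool(text) and BOT_COMMAND.match(text) is not None


def analyze(lines, min_bots=3):
    """Return per-channel membership, bot commands, reply fan-out and a verdict."""
    members = defaultdict(set)                       # channel -> hosts that joined
    commands = defaultdict(list)                     # channel -> [(nick, text)]
    commanders = defaultdict(set)                    # channel -> nicks issuing commands
    replies = defaultdict(lambda: defaultdict(set))  # channel -> text -> hosts
    for raw in lines:
        msg = parse_irc_line(raw)
        if msg is None:
            continue
        target = msg["params"][0] if msg["params"] else msg["trailing"]
        if msg["command"] == "JOIN" and target:
            members[target].add(msg["host"])
        elif msg["command"] == "PRIVMSG" and msg["params"]:
            text = msg["trailing"] or ""
            if is_bot_command(text):
                commands[target].append((msg["nick"], text))
                commanders[target].add(msg["nick"])
            elif msg["nick"] not in commanders[target]:
                replies[target][text].add(msg["host"])  # candidate bot response
    report = {}
    for chan in set(members) | set(commands) | set(replies):
        fanout = max((len(h) for h in replies[chan].values()), default=0)
        report[chan] = {
            "members": len(members[chan]),
            "commands": commands[chan],
            "max_identical_replies": fanout,
            "suspicious": bool(commands[chan]) and fanout >= min_bots,
        }
    return report


if __name__ == "__main__":
    for chan, info in sorted(analyze(SAMPLE_LOG).items()):
        print(chan, info)
```

The identical-reply fan-out is what separates a bot herd from a busy human channel: the dot-prefix rule alone would flag ordinary chat, so BOT_NAMESPACES and min_bots should be tuned to the bot families actually observed on the network being monitored.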
To fully understand the mechanism of the whole botnet, we consider three schemes in the following analysis: Infection Scheme, Malware Propagation and Self-Protection. For each scheme we use three well-known bots (AgoBot [15], SDBot, SpyBot) as instances to show the details of the botnet control mechanism.
AgoBot (i) Infection Scheme: The command and control system of AgoBot is derived from IRC, so AgoBot's command language contains both bot commands and standard IRC commands. The bot command set includes all the request and control commands an attacker needs to achieve specific functions. P. Barford and V. Yegneswaran provide a detailed table of these commands [16], so we do not list them again; we focus on describing the Infection Scheme.
Figure 2 describes the details of the Infection Scheme. The attacker delivers the bot commands (bot.open/bot.execute) to open or execute a specific file on the
Host