A multifaceted approach to understanding the botnet phenomenon

Rajab, Moheeb Abu; Zarfoss, Jay; Monrose, Fabian; Terzis, Andreas

doi:10.1145/1177080.1177086

Cited by 397 publications

(281 citation statements)

References 10 publications

(19 reference statements)

Supporting

Mentioning

267

Contrasting

Unclassified

Order By: Relevance

“…Also, we have seen how such campaigns often lead to the automated deployment of large numbers of domains pointing to a few servers and following well-defined patterns in their naming schema. For all these reasons, as already noted in [20] for other type of threats, DNS seems to be a promising point of view for the detection of such anomalies.…”

Section: Lessons Learned and Countermeasuresmentioning

confidence: 72%

“…For example, in the context of spam botnets, researchers have used spam messages [31] and DNS queries [20,22] as proxy indicators of infected machines. Active approaches are also possible.…”

Section: Rogue Av Monetizationmentioning

confidence: 99%

“…Clients from all around the world interacted with the rogue AV servers. The countries that were most visiting them were USA (147,729 distinct client IPs), UK (20,275), and Italy (12,413). Some rogue AV sites appear to be more popular than others, in terms of the distinct client IP addresses that were served by each.…”

Section: Rogue Av Monetizationmentioning

confidence: 99%

See 2 more Smart Citations

An Analysis of Rogue AV Campaigns

Cova

Leita²,

Thonnard

et al. 2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Rogue antivirus software has recently received extensive attention, justified by the diffusion and efficacy of its propagation. We present a longitudinal analysis of the rogue antivirus threat ecosystem, focusing on the structure and dynamics of this threat and its economics.To that end, we compiled and mined a large dataset of characteristics of rogue antivirus domains and of the servers that host them. The contributions of this paper are threefold. Firstly, we offer the first, to our knowledge, broad analysis of the infrastructure underpinning the distribution of rogue security software by tracking 6,500 malicious domains. Secondly, we show how to apply attack attribution methodologies to correlate campaigns likely to be associated to the same individuals or groups. By using these techniques, we identify 127 rogue security software campaigns comprising 4,549 domains. Finally, we contextualize our findings by comparing them to a different threat ecosystem, that of browser exploits. We underline the profound difference in the structure of the two threats, and we investigate the root causes of this difference by analyzing the economic balance of the rogue antivirus ecosystem. We track 372,096 victims over a period of 2 months and we take advantage of this information to retrieve monetization insights. While applied to a specific threat type, the methodology and the lessons learned from this work are of general applicability to develop a better understanding of the threat economies.

show abstract

Section: Lessons Learned and Countermeasuresmentioning

confidence: 72%

Section: Rogue Av Monetizationmentioning

confidence: 99%

See 1 more Smart Citation

An Analysis of Rogue AV Campaigns

Cova

Leita²,

Thonnard

et al. 2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…In the arena of attacks exploiting network nodes, botnets [4] represent an important resource for cybercrime organizations. In particular, a botnet is a network of infected hosts (known as bots, agents, or zombies) under the control of a bot-master that can send specific attack commands to the bots in order to carry out distributed and coordinated operations [5], typically (but not only) aimed at launching cyber-attacks.…”

Section: Introductionmentioning

confidence: 99%

Mobile Botnets Development: Issues and Solutions

Farina¹,

Cambiaso²,

Papaleo³

et al. 2014

IJFCC

View full text Add to dashboard Cite

Abstract-Due to their limited capabilities, mobile devices have rarely been adopted as attack vectors. In this paper, we consider the execution of coordinated and distributed attacks perpetrated by mobile devices (mobile botnet). We first describe current botnets architectures, analyzing their strengths and weaknesses. Then, we identify problems deriving from the development of a mobile botnet. Appropriate solutions to such problems have been proposed, thus providing an important resource during design and development stages of a mobile botnet. ⎯ Index Terms-Distributed attacks, network attacks, network security, system architecture, smartphones, denial of service.

show abstract

“…Highly organized and coordinated attacks by botnets are able to make malicious activities such as distributed denial of service (DDoS), e-mail spam, and click fraud [2]. A set of infected and compromised computers (bots) connected to the Internet is controlled remotely by an unauthorized user (botmaster) and, if employed for nefarious purposes, is called a botnet [3]- [5]. To scale up the botnet, bots infect additional computers by sending malware, using various strategies such as self-replicating worms, email viruses, or password guessing.…”

Section: Introductionmentioning

confidence: 99%

Analysis on the Sequential Behavior of Malware Attacks

Rosyid

Ohrui

Kikuchi

et al. 2011

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYOvercoming the highly organized and coordinated malware threats by botnets on the Internet is becoming increasingly difficult. A honeypot is a powerful tool for observing and catching malware and virulent activity in Internet traffic. Because botnets use systematic attack methods, the sequences of malware downloaded by honeypots have particular forms of coordinated pattern. This paper aims to discover new frequent sequential attack patterns in malware automatically. One problem is the difficulty in identifying particular patterns from full yearlong logs because the dataset is too large for individual investigations. This paper proposes the use of a data-mining algorithm to overcome this problem. We implement the PrefixSpan algorithm to analyze malware-attack logs and then show some experimental results. Analysis of these results indicates that botnet attacks can be characterized either by the download times or by the source addresses of the bots. Finally, we use entropy analysis to reveal how frequent sequential patterns are involved in coordinated attacks.

show abstract

A multifaceted approach to understanding the botnet phenomenon

Cited by 397 publications

References 10 publications

An Analysis of Rogue AV Campaigns

An Analysis of Rogue AV Campaigns

Mobile Botnets Development: Issues and Solutions

Analysis on the Sequential Behavior of Malware Attacks

Contact Info

Product

Resources

About