Botnet measurement techniques

| TrackBacks (1) |
One of the more interesting papers I saw at NDSS was Dagon, Zou, and Lee's Modeling Botnet Propagation Using Time Zones. In case you don't know, a Botnet is a set of computers that are all infected with some piece of malware and under the control of some bad actor (the botmaster). Botnets can be used to send spam, phishing e-mail, mount DDoS attacks, or commit click fraud, among other things.

In order for a botnet to be useful, the botmaster needs to be able to send it instructions, e.g., "Send this spam message". This is typically done by having the infected machine contact a command-and-control (C&C) server (typically a machine that the botmaster has compromised rather than his actual machine) and ask it for instructions. Dagon et al. took advantage of this technique to take over and measure the botnet. The basic idea is to collect a sample of the malware from a honeypot or an infected machine and then disassemble the binary to get the identity of the machine that's being used as the C&C server. Once you've done that you can contact the domain name holder or the registrar and get them to redirect the address to a machine that you control (a sinkhole). Once the bot connects to your sinkhole, you can control it. At minimum, this technique can be used to get an accurate estimate of the scale of the infection and of course it has the nice side effect that any bot you capture isn't being used in attacks.

One nice feature of this technique is that it's likely to have high accuracy because you're directly measuring infected machines rather than scanning or attack activity. In addition, because the authors actually completed TCP handshakes with the bots, this technique is fairly resistant to address spoofing--a machine with a simple forged address can't complete the TCP 3-way handshake. The authors report that they've seen botnets as large as 350,000 infected machines, which matches the estimates of botnet size you often see bandied about.

It's interesting to ask how you'd counter this technique. One obvious choice would be to simply hardwire the IP address of the C&C machine, but then if the owner of that machine fixes it, the entire botnet is lost. The ability to retarget is why the botmasters are using DNS in the first place. Another natural thing to do is use better obfuscation techniques to make it harder for the defender to figure out what DNS address you're looking up, but eventually your binary will be reverse engineered. Periodically downloading new binaries with different rendezvous points would presumably help here if the obfuscation were done differently each time.

What you really want is to remove the reliance on a central point of control. For instance, you could post instructions to a popular newsgroup like and let the bots contact Google Groups to get their instructions. You could use cryptographic techniques (digital signatures) to make it impossible for anyone else to emplace new instructions though they would still be removable, of course. Similar techniques could be used with P2P/filesharing systems. FreeNet, for instance, is designed to be hard to censor, though I don't know how true that is in practice.

1 TrackBacks

Listed below are links to blogs that reference this entry: Botnet measurement techniques.

TrackBack URL for this entry:

free group galleries from free group galleries on February 28, 2006 10:54 AM

TITLE: free group galleries URL: IP: BLOG NAME: free group galleries DATE: 02/28/2006 10:54:01 AM Read More