Botnets: Lifecycle and Taxonomy

Nabil Hachem, Yosra Ben Mustapha, Gustavo Gonzales Granadillo and Herve Debar
Institut TELECOM, Telecom SudParis, CNRS Samovar UMR 5157, Evry, France
Email: {nabil.hachem, yosra.ben_mustapha, gustavo.gonzalez_granadillo, herve.debar}@it-sudparis.eu

Abstract—Botnets are a threat that is new to the Internet and still little known to the general public. A botnet is a network of infected computers headed by a pirate, also called the 'attacker' or 'master'. Botnets are nowadays mainly responsible for large-scale coordinated attacks: the attacker can order the infected computers, called 'agents' or 'zombies', to perform all sorts of tasks for him, such as sending spam, performing DDoS attacks, running phishing campaigns or delivering malware, or can lease or sell the botnet to other fraudsters anywhere. In this paper we present a classification that reflects the life cycle and the current resilience techniques of botnets, distinguishing the propagation, injection, control and attack phases. We then study the effectiveness of the adopted taxonomy by applying it to existing botnets and examining their main characteristics. We conclude with the upcoming steps in our research.

I. Introduction

A botnet (also known as a zombie army) is a set of Internet-connected computers that, usually without their owners' knowledge, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet. Each such computer is referred to as a zombie: in effect a computer 'robot', or 'bot', that serves the wishes of some master spam or virus originator. Most computers compromised in this way are home machines. At a chosen time, the controller of the zombie army can unleash it with a single command, possibly issued from an Internet Relay Chat (IRC) server or via an HTTP server. The computers that form a botnet can be programmed to direct traffic at a single target, such as a web site that is taken down by having to handle too much traffic (a distributed denial-of-service, or DDoS, attack), or, in the case of spam distribution, at many recipients. The motivation of a zombie master who launches a DDoS attack may be to cripple a competitor; the motivation of one sending spam is the money to be made. Both rely on unprotected computers that can be turned into zombies. Although botnets first appeared several years ago, they have only recently sparked the interest of the research community, and network researchers have dedicated significant resources to studying and analysing these attacks without reaching a comprehensive method to protect against all known forms of botnets and their illegal activities.

Many contributions in the area of understanding and classifying botnets have been made. Cooke et al. [1] classified botnets according to their C&C and concluded that command-and-control communication is extremely flexible, so that botnet detection cannot rely on specific communication characteristics. Other works summarize their taxonomy [2][3] using properties such as the propagation mechanism, the topology of the C&C infrastructure, the exploitation strategy, or the set of commands available to the perpetrators. Liu et al. [4] discuss botnet formation and exploitation, the life cycle, and two typical topologies, without providing a detailed taxonomy. In this paper we summarize, expand and develop a detailed taxonomy based on the different phases of the botnet life cycle.

II. Botnet Life Cycle

Botnets follow a similar set of steps throughout their existence, which can be characterized as a life cycle. Figure 1 illustrates the generic life cycle of a botnet. Understanding the botnet life cycle can improve our ability both to detect and to respond to this threat, by developing a detailed taxonomy that includes the different instances corresponding to each phase.

[Fig. 1: Botnet Life Cycle. The attacker spreads the bot and injects it into new zombies (1: Spreading / Injection), controls the zombies over the C&C channel (2: Control), and the zombies carry out the application, e.g. attacking targets (3: Application).]

A. Spreading and Injection

A botnet habitually recruits new zombie machines using the same approaches as other malware. This malware spreads and injects itself into systems in

different ways, which we classify into the following methods.

Distribution of malicious emails: One of the methods that botnets use to compromise new hosts is social engineering through the distribution of malicious emails. This also includes the distribution of emails and malicious code on social networks; according to the Sophos security report [5], malware and spam on social networks rose 70% in 2010 compared to 2009. In a common scenario, a botnet distributes email messages with malware attached, or with an embedded link to a malware binary located elsewhere. Social engineering techniques trick users into executing the malware, which compromises the host. Botnet families use these methods to infect a machine and subsequently to propagate.

Software vulnerability: Another method by which botnets commandeer new victims is by remotely exploiting a vulnerability in software running on the victim. A bot-infected host may pro-actively scan for hosts with common Windows vulnerabilities such as the LSASS overflow(1). An attacker who successfully exploits such a vulnerability can take complete control of the affected system: install programs; view, change or delete data; or create new accounts with full user rights. Once a vulnerable host is found, the bot launches the exploit to compromise the victim machine.

Instant messaging: A computer worm that spreads via instant messaging can be used to build an extensive botnet of remote-controlled PCs. In September 2006, security experts at the US company FaceTime identified such a worm as 'W32.pipeline' and warned that it spreads via AOL's instant messenger program(2). Worms of this type disguise a malicious executable as a JPEG image, or as a link to a web site hosting malicious code, attached to an instant message that appears to come from someone on the recipient's 'buddy list'.
Via a P2P file-sharing network: Another method is to infect machines and propagate via a P2P file-sharing network. The malware binary copies itself to the shared folder of popular P2P programs under promising names in order to trick a victim into opening it. No vulnerability is exploited; the malware relies on social engineering to propagate further.

Using other botnets: We distinguish two forms. In the first, in order to propagate, a botnet operator uses another existing botnet, as with the notorious Kraken malware, which was spread by a separate botnet built on the Butterfly framework. In the second, a botnet takes over machines already infected by an older malware and updates them to a recent one, recruiting them to a new botnet, as GTbot did with its ability to scan for Sub7-infected machines and update them to GTbot.

A common misperception about cyber-crime botnets is that a one-to-one relationship exists between a malware bot agent and an individual botnet [6]. We can distinguish three types of relationship: (a) multiple variants of a single bot agent report to the same C&C; (b) subsequent botnets share the same malware family name; (c) a single criminal operator employs entirely different malware components.

Once the victim is infected, it typically executes a small piece of code (known as shellcode) that fetches the actual bot binary from a specified location. Upon completion of the download, the bot binary installs itself on the target machine so that it starts automatically each time the victim reboots [7].

(1) Microsoft Security Bulletin MS08-002 - Important: vulnerability in LSASS could allow local elevation of privilege (943485), http://www.microsoft.com. Note that MS08-002 describes a local elevation of privilege; the remotely exploitable LSASS buffer overrun used for worm-style propagation (by Sasser, and listed for Bagle in Table II) was addressed in MS04-011.
(2) 'FaceTime identifies new botnets utilizing instant messaging to steal personal information from online shoppers and PayPal customers', FaceTime, March 2006, http://www.facetime.com

B. Command and Control

The channel used to issue commands (the 'C&C channel') can be implemented using different models, topologies and a variety of applications (e.g. HTTP, P2P, IRC). In this section we detail these methods and applications, for two main reasons. First, the C&C of a botnet is unique and unlikely to change among bots and their variants. Second, the C&C is essential to an operational and effective botnet. As a result, if we manage to take it down (e.g. the hosting provider McColo, used by the Srizbi botnet(3)), or simply to interrupt the communication link, botmasters will not be able to contact their army and perform coordinated attacks. Understanding the C&C function of botnets therefore has great value in our fight against them [8].

1) C&C Models: There have been many approaches to categorizing C&C models. We categorize them into two models: the centralized and the distributed model.
(3) 'Host of internet spam groups is cut off', Brian Krebs, Washington Post (November 12, 2008)

We believe that these two C&C models, combined with the other C&C characteristics (topology, protocol, direction, initiation), are sufficient to cover all botnets found today, without excluding the possibility that future botnets will use command-and-control systems completely different from the models mentioned here, given the quickly evolving nature of botnets.

Centralized C&C model: A centralized topology is characterized by a central point that forwards messages among clients or publishes them. In this model the master selects a host to be the contact point of all bots (the C&C server). It can be a compromised machine or a legitimate public-service provider. When a victim is infected it 'connects' to the C&C server and then waits or checks for pending commands from the botmaster. These servers run services such as IRC and HTTP. Botnets of this kind may have mechanisms for protecting their communications; for instance, IRC channels may be password-protected for bots and masters to prevent eavesdropping. The vast majority of botnets use this model because it is simple to implement and customize, and a botmaster can easily control thousands of bots with it. Furthermore, messaging latency in the centralized model is small, so botmasters can coordinate and launch attacks easily. The centralized model has two major weaknesses: the risk of compromising the whole system once the central location is discovered, and the ease of detection, since many clients connect to the same point. This model of C&C leads to three different botnet topologies:

a) Single Star topology: A single central C&C server to which all bots connect directly. The C&C server sends commands to the connected bots, much as in the client-server model (figure 2 (a)).

b) Multi-server Star topology: For redundancy and scalability, botmasters can adopt multiple interconnected servers with the bots distributed among them. These servers coordinate carefully with one another and so present the appearance of a single central state (figure 2 (b)).

c) Hierarchical topology: This topology uses some bots as proxy servers for the C&C servers. It reduces the number of bots that need to know the location of the central server. This tactic has been observed in conjunction with fast flux, which we discuss later (figure 2 (c)).

[Fig. 2: Topologies. Panels: (a) Single Star, (b) Multi Server, (c) Hierarchical, (d) Random; S denotes a C&C server and B1..B5 denote bots.]

Distributed C&C model: For the time being the only existing alternative to the centralized model is the distributed model, based on peer-to-peer. P2P remains a challenging issue: using this technique is not novel, but few studies focus on such methods. Compared with the centralized model, the distributed model is much harder to discover and dismantle.
Since the communication system does not depend heavily on a few selected servers, destroying a single bot, or even a number of bots, does not necessarily lead to the destruction of the entire botnet. However, P2P systems are more complex to design and there are no guarantees on message delivery or latency. Many P2P networks have a central server or a seed list of peers that can be contacted to add a new peer. This process, called bootstrap, is a single point of failure for a P2P-based botnet, and researchers have presented a specific hybrid P2P design to overcome this problem(4). This C&C model follows a random topology in which the attacker connects to any zombie in the network and issues commands (figure 2 (d)).

2) Internal Communication Protocol: Bots and masters communicate following well-defined network protocols and applications. They use existing and previously employed techniques to implement their own channels. Understanding the protocol has high priority when building a strategy to fight and dismantle a botnet. First, its communication characteristics provide an understanding of the botnet's origins and of the software tools possibly being used. Second, understanding the communication applications and the protocols embedded in them helps security researchers decode the conversations and monitor the traffic [8]. The internal communication protocols of botnets are classified as follows.

IRC: Internet Relay Chat [9] is used to connect the master with the agents. IRC is designed mainly for group communication, and for simple client-server communication, via forums called channels. The inherent flexibility of this protocol, as well as the availability of several open-source implementations, enables third parties to extend it to suit their needs. On the other hand, botnets have steadily migrated away from the original IRC C&C channel, because its port is seldom open through firewalls and because the protocol is easily identified in network traffic after the innumerable studies done in this domain.
HTTP: HTTP botnets use HTTP, and the HTML content it carries, to communicate; naturally, they try to blend into normal HTTP traffic. HTTP has already been used by many botnets for C&C. The bot issues a query to the HTTP server and the botmaster replies with the commands. Other novel tactics, called Web 2.0-based botnet attacks, have been seen recently. In these attacks the botmaster publishes the attack commands, and the bot, once connected to the Internet, checks for any pending commands from the botmaster. Any web site that lets users upload virtually any type of content and then publishes it in sequential form (without line breaks such as those denoted by the HTML <br> tag for a single line break) can be exploited to store the Trojans' encrypted configurations. This includes almost any social-networking or Web 2.0 platform that enables the almost unrestricted posting of comments, creation of public profiles and set-up of newsgroups.

(4) 'Bobax Trojan analysis', J. Stewart, http://www.secureworks.com/research/threats/bobax/?threat=bobax

P2P: Some more advanced botnets use other protocols for their decentralized P2P communications. A variant of Phatbot used code from WASTE(5), which implements an encrypted P2P protocol designed for private messaging and file transfer among a small number of trusted parties. Other bots use the standard TCP/IP protocols for communication, like the short-lived Mayday botnet, whose architecture combined two separate peer-to-peer technologies: one protocol communicating over the Internet Control Message Protocol (ICMP) and the other over the Transmission Control Protocol (TCP).

Instant Messaging (IM): The only element that distinguishes these botnets from IRC-oriented ones is that they use instant messaging (AOL, MSN, ICQ, etc.) to transmit data. The lack of popularity of these botnets comes from the difficulty of creating and controlling a new account for each IM bot; the bots must be on the network and stay online, and such a network reacts very slowly to instructions. This type of botnet is not widespread.

3) Communication: Regardless of the protocol, topology and model used, a bot's essential requirement in terms of communication is that it receives or retrieves commands and executes them.

Initiation: There are two different ways to initiate the communication.

a) Push method: The botmaster pushes a command out to the bots. The pushed command can be stored on a given open channel, so that all newly joined bots receive it. With the push method the command can be executed almost immediately by all bots, which allows a last-minute command to be executed.
On the other hand, the botmaster must either know how to reach all of his bots or broadcast the command to the set of all possible bots [10].

b) Pull method: The bot initiates the communication to check for new commands. This check can be performed either on a regular schedule or at a time predetermined by the botmaster, and in two different modes, interactive and non-interactive. In the interactive mode, the bot issues a query and the botmaster or C&C server replies, most likely in real time; this is the case with a normal HTTP GET request. In the non-interactive mode, commands are put in place independently of any query. Commands may be stored in a variety of ways, including web pages (Facebook, LinkedIn, etc.), files on FTP servers or on peer-to-peer networks, and even through mechanisms that are not normally thought of as storage, such as the set of ports open on a given host [10].

(5) 'Phatbot Trojan analysis', J. Stewart, http://www.secureworks.com/research/threats/phatbot/?threat=phatbot

Session: The two methods of communication initiation lead to two different models of communication direction, as defined by Jakobsson and Ramzan in their book on crimeware [10].

a) Inbound-only: When the botmaster pushes commands to the bot, the communication channel can be inbound only: there is no need for the bot to send a message back to the botmaster or to initiate a communication by sending a request.

b) Bidirectional: When the bot initiates a check for commands, the communication channel must be bidirectional. Bidirectional communication is clearly convenient for botmasters, as they can learn the status of their bots.

C. Botnet Applications

Botnets can serve both legitimate and illegitimate purposes. One of the original uses of computer bots was to assist in IRC management; Eggdrop was written in 1993 to assist channel operators. The uses of botnets for illegal or destructive goals can be categorized as follows.

DDoS attacks: These are attacks in which the target server is attacked by several computers simultaneously. The use of zombie machines in a DDoS attack gives the attacker the ability to wage a much larger and more disruptive attack while remaining anonymous.
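Two of the C&C properties described above can be turned into a network-side detection check: the centralized model's weakness that many clients connect to the same point, and the pull method's habit of checking in on a regular schedule. The following Python is an added example written for this page, not code from the paper; the flow records, the addresses (RFC 5737 documentation ranges and 10.0.0.0/8) and the thresholds are constructed assumptions.

```python
"""Added example: detect a centralized C&C from flow records.

Two signals are combined: fan-in (many internal hosts contacting one external
endpoint, the centralized model's weakness) and periodicity (the pull method's
regular check-in schedule). Neither alone is enough: a popular web site also
shows fan-in, so only endpoints that several hosts contact *periodically* are
reported. All flow records below are constructed for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev


def _polls(src, dst, dport, start, period, jitters):
    """Build check-ins from one host every `period` seconds (+/- a few seconds)."""
    return [(start + i * period + j, src, dst, dport) for i, j in enumerate(jitters)]


# Constructed flows: (timestamp_s, src, dst, dport).
# Three hosts poll 203.0.113.10:80 about every 300 s (pull method, single-star
# C&C); all four hosts also browse 198.51.100.5:443 at irregular, user-driven times.
FLOWS = (
    _polls("10.0.0.1", "203.0.113.10", 80, 1000, 300, [0, 3, -2, 4, 1, -3])
    + _polls("10.0.0.2", "203.0.113.10", 80, 1100, 300, [0, -4, 2, 5, -1, 2])
    + _polls("10.0.0.3", "203.0.113.10", 80, 1250, 300, [0, 2, -5, 3, 1, 0])
    + [
        (t, src, "198.51.100.5", 443)
        for src, times in {
            "10.0.0.1": [1010, 1025, 1400, 1405, 2100],
            "10.0.0.2": [1200, 1210, 1215, 1900, 2500],
            "10.0.0.3": [1300, 1950, 2000, 2003, 2700],
            "10.0.0.4": [1050, 1500, 1510, 2200, 2205],
        }.items()
        for t in times
    ]
)


def fan_in(flows, min_sources=3):
    """Endpoints (dst, dport) contacted by at least `min_sources` distinct hosts.

    This is the 'many clients, one point' weakness on its own; it also catches
    legitimate popular services, so it is only a first cut.
    """
    sources = defaultdict(set)
    for _, src, dst, dport in flows:
        sources[(dst, dport)].add(src)
    return {ep: srcs for ep, srcs in sources.items() if len(srcs) >= min_sources}


def beacon_score(timestamps, min_events=4):
    """Coefficient of variation of the gaps between one host's contacts.

    A bot polling on a fixed schedule yields near-constant gaps (score close
    to 0); human-driven traffic yields a score near or above 1. Returns None
    when there are too few events to judge.
    """
    stamps = sorted(timestamps)
    if len(stamps) < min_events:
        return None
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None


def detect_centralized_cnc(flows, min_sources=3, max_score=0.2):
    """Report endpoints that at least `min_sources` hosts contact periodically."""
    per_endpoint = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, dport in flows:
        per_endpoint[(dst, dport)][src].append(ts)
    findings = []
    for (dst, dport), per_src in per_endpoint.items():
        periodic = sorted(
            src for src, stamps in per_src.items()
            if (score := beacon_score(stamps)) is not None and score <= max_score
        )
        if len(periodic) >= min_sources:
            findings.append({"dst": dst, "dport": dport,
                             "clients": len(per_src), "periodic": periodic})
    return findings


if __name__ == "__main__":
    print("fan-in only:", sorted(fan_in(FLOWS)))
    for f in detect_centralized_cnc(FLOWS):
        print(f"suspected C&C {f['dst']}:{f['dport']} polled by {f['periodic']}")
```

On the constructed data, fan_in() reports both the C&C endpoint and the popular site, while detect_centralized_cnc() reports only 203.0.113.10:80, because only its clients show near-constant inter-contact gaps. The 0.2 threshold and the 300 s period are assumptions; a bot that randomizes its poll interval widely, or a botmaster using the push method, will not be caught by the periodicity test and has to be found through the fan-in signal combined with other context.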
There are many types of DDoS attacks; they are well classified in the study by Specht and Lee [11] and others.

Spamming, spreading malware and advertisements: Like viruses, spam has become a scourge on the Internet, with more than 190 billion spam messages generated per day [12]. Spammers like to use bot-infected machines because this lets them change the IP address from which their spam is sent. In many cases, the bot-infected machine simply acts as an open relay or proxy that transmits whatever traffic it receives.

Espionage: Because some bots can sniff not only the traffic passing through the compromised machine but also the command data within the victim, perpetrators can retrieve sensitive information such as usernames, passwords, emails and other personal data.

Hosting malicious applications and activities: With the help of a botnet, perpetrators are able to install advertisement add-ons and browser helper objects (BHOs) for business purposes [13]. They also use bot-infected machines to host phishing and fraud sites, malicious code and other malicious domains.

D. Resilience Techniques

As new technologies arise, criminals look for ways to adopt or abuse them, whether to facilitate the generation of profit, to increase their scalability and flexibility, or to provide more effective camouflage. These resilience techniques exist in the three separate phases of the botnet life cycle. In this section we detail them, separating injection from spreading, since the latter is otherwise out of our scope.

1) Injection level:

Using a trusted process: After installation, the bot can load its malicious payload as a DLL, as a thread, or simply as executable code that runs within a trusted operating-system process. In some cases the bot payload may periodically jump from one process to another to remain undetected.

Trivial name-based obfuscation: Most bots, like many other malware instances, choose names for themselves that resemble or are identical to those of legitimate system components, for example svchost.exe, scvhost.exe, taskmgr.exe or service.exe.

Rootkit techniques: A rootkit is a collection of tools that an intruder brings to a victim computer after gaining initial access, usually by breaking into the machine manually or by getting the user to execute a Trojan or worm that installs a backdoor through which the intruder can slip onto the system. A rootkit generally contains network sniffers, log-cleaning scripts and trojaned replacements of core system utilities. Other rootkits subvert the system by attaching themselves to, or otherwise modifying, the kernel of the targeted operating system.

Reducing security rules: Weakening firewall and antivirus rules, and preventing clean-up efforts on the compromised host. Many bots, upon successfully installing themselves, try to disable or interfere with the antivirus and security software running on the compromised machine: they look for it in the list of active applications and try to block it, damage its antivirus databases, block its update process, and so on.

Reducing system capability: Other bots, once installed, actively block or terminate the use of certain tools and commands of the operating system, for example the command shell and the task manager.

Installing antivirus software: The premise is that once an attacker has compromised and gained control of a machine, he may install operating-system patches to further protect the system while keeping his presence undetected. Along the same lines, if other malicious software, such as a backdoor Trojan, is already present on the machine, the attacker may wish to delete it.

Incorporating anti-debugging and anti-virtualization techniques: The malware includes features to detect when it is being run in a debugger or a virtual machine [10]. Once this is detected the malware behaves differently, making it much more difficult to analyse and therefore to counteract. The same tactic may defeat the methods adopted by the well-known Honeynet Project(6).

2) Spreading level:

Variant spreading techniques: Most recent malware is actually a combination of different families and hence has multiple ways to propagate (section II-A). This multiplicity of propagation agents, spreading by all possible protocols and methods, makes the malware a very high risk factor, even without Internet connectivity.

Polymorphism and metamorphism: Techniques that change the form of each instance of the malware in order to evade pattern matching during detection and investigation. With polymorphism, the malware changes its appearance by encrypting its data and by appending or prepending code. With metamorphism, the malware automatically recodes itself each time it propagates or is distributed.

Continuous bot upgrade: Botnet creators usually generate new versions of the bot with new exploits, because the previous exploits become obsolete once security researchers know them and most computers are patched against the related vulnerability.

3) C&C level:

DNS techniques: DNS is used in two different forms. In the first, the botnet operators use DNS messages to communicate with the bots. In the second, the operators use DNS to make the central server more secure and the C&C more resilient. The solution found is the ingenious use of the DNS protocol through fast-flux domains, which come in different flavours. The simplest variant regularly changes the address (A) records in DNS responses for the botnet domain. The second variant modifies the NS records in DNS responses, thereby changing the authoritative name servers for the malicious domain. The third is when the bots compute the domain to be contacted as a function of the time of day, using so-called Domain Generation Algorithms (DGAs). In addition to these methods comes IP fast flux, a round-robin method in which infected bots serve as proxies for, or hosts of, malicious web sites and are constantly rotated, their DNS records changing to prevent discovery by researchers, ISPs or law enforcement.

Multiple URLs: The attacker has many domain names at his disposal for the centralized model. He constantly buys new ones, using stolen credit-card numbers or other techniques, so that many domain names point to the same IP address.

Encryption techniques: These techniques are mandatory for evasion during the control phase.

(6) The Honeynet Project, a research organization dedicated to improving the security of the Internet, http://www.honeynet.org
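The DNS techniques just described (A-record flux, NS flux and DGAs) can be looked at from both sides: how a bot and its operator agree on a rendezvous domain without embedding a fixed list, and what a resolver or DNS log shows while that is happening. The following Python is an added example for this page, not code from the paper or from any botnet: the DGA is an illustrative construction (not any real family's algorithm), and the DNS answers, resolver log, addresses and thresholds are constructed assumptions.

```python
"""Added example: the DNS-side resilience techniques, from both sides.

toy_dga() shows how a bot and its operator derive today's candidate domains
from the date and a shared secret (illustrative, not any real family's
algorithm). fast_flux() scores repeated lookups of one name for A-record flux,
and nxdomain_bursts() flags hosts that fail many lookups of distinct names,
the side effect of a bot trying DGA candidates until one resolves.
All DNS data below is constructed for the example.
"""
import datetime
import hashlib
import ipaddress
from collections import defaultdict


def toy_dga(day, secret, count=5, tld="example"):
    """Derive `count` candidate domains from the date and a shared secret.

    Both ends compute the same list for the same day; the operator registers
    one (or a few) of them and the bot tries them in order. Changing the day
    or the secret changes every label. Illustrative only.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(secret + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        names.append(f"{label}.{tld}")
    return names


def fast_flux(answers, max_ttl=300, min_prefixes=5):
    """Score A-record flux from (ttl, ip) pairs seen over repeated lookups.

    Flux networks answer with short TTLs *and* with addresses spread over many
    unrelated /24s (compromised home machines). A CDN also uses short TTLs,
    but its addresses cluster in a few prefixes, so TTL alone must not decide.
    NS-record flux would be scored the same way over NS answers.
    """
    ips = {ip for _, ip in answers}
    prefixes = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    ttl_max = max(ttl for ttl, _ in answers)
    return {
        "ips": len(ips),
        "prefixes": len(prefixes),
        "max_ttl": ttl_max,
        "flux": ttl_max <= max_ttl and len(prefixes) >= min_prefixes,
    }


def nxdomain_bursts(query_log, min_failed=20):
    """Hosts with at least `min_failed` distinct names answered NXDOMAIN.

    query_log rows are (src, qname, rcode). A DGA bot walking its candidate
    list produces many failures for names nobody else ever asks for.
    """
    failed = defaultdict(set)
    for src, qname, rcode in query_log:
        if rcode == "NXDOMAIN":
            failed[src].add(qname)
    return {src: len(names) for src, names in failed.items() if len(names) >= min_failed}


# Constructed data.
DAY = datetime.date(2011, 3, 1)
NEXT_DAY = DAY + datetime.timedelta(days=1)

# Repeated lookups of one flux domain: TTL 60 s, eight hosts in eight /24s
# (10.x.x.x is used here only because the sample needs many distinct prefixes).
FLUX_ANSWERS = [(60, f"10.{i}.{i}.{i * 7 % 250 + 1}") for i in range(1, 9)] + [(45, "10.1.1.8")]
# Repeated lookups of a CDN-fronted site: TTL 20 s, four hosts in one /24.
CDN_ANSWERS = [(20, f"198.51.100.{i}") for i in range(10, 14)]

# Resolver log: 10.0.0.7 walks 26 DGA candidates, 25 fail before one resolves;
# 10.0.0.8 is a user who mistyped a hostname twice.
CANDIDATES = toy_dga(DAY, b"shared-secret", count=26)
QUERY_LOG = (
    [("10.0.0.7", name, "NXDOMAIN") for name in CANDIDATES[:25]]
    + [("10.0.0.7", CANDIDATES[25], "NOERROR")]
    + [("10.0.0.8", "wwww.example", "NXDOMAIN"), ("10.0.0.8", "mail.example", "NOERROR"),
       ("10.0.0.8", "wwww.example", "NXDOMAIN")]
)

if __name__ == "__main__":
    print("today's candidates:", CANDIDATES[:3], "...")
    print("flux domain:", fast_flux(FLUX_ANSWERS))
    print("CDN site:", fast_flux(CDN_ANSWERS))
    print("NXDOMAIN bursts:", nxdomain_bursts(QUERY_LOG))
```

Two caveats the code makes explicit: a short TTL by itself is not evidence of flux (the CDN sample is not flagged), and the NXDOMAIN count is per distinct name, so a user retrying the same typo does not trip it. The prefix and failure thresholds are assumptions to be tuned against a real resolver's baseline; a DGA whose candidates the operator pre-registers in bulk produces fewer failures and must be caught by other means, such as the registration pattern of the domains themselves.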

Botnet life cycle phase     | Instances                                     | Resilience techniques
----------------------------|-----------------------------------------------|------------------------------------------
Injection & Spreading       | - Distribution of malicious emails            | - Using a trusted process
                            | - Software vulnerabilities                    | - Trivial name-based obfuscation
                            | - Instant messaging                           | - Rootkit techniques
                            | - P2P file-sharing network                    | - Reducing security rules
                            | - Other botnets                               | - Reducing system capability
                            |                                               | - Installing antivirus software
                            |                                               | - Anti-debugging & anti-virtualization
                            |                                               | - Variant spreading techniques
                            |                                               | - Polymorphism & metamorphism
                            |                                               | - Continuous bot upgrade
Command & Control           |                                               | - DNS techniques
  Model & topology          | - Centralized: Single Star, Multi-server Star,| - Multiple URLs
                            |   Hierarchical                                | - Encryption techniques
                            | - Distributed: Random                         | - Dead drop
  Application & protocol    | - IRC, HTTP, IM, P2P                          | - Variant C&C
  Communication initiation  | - Push method, Pull method                    |
  Communication direction   | - Inbound, Bidirectional                      |
Botnet application          | - DDoS attacks                                | - Exposure limitation
                            | - Spamming & spreading malware                | - Retaliation techniques
                            | - Espionage                                   | - Camouflaged messages
                            | - Hosting malicious applications & activities | - Anonymization techniques

TABLE I: Taxonomy

Using encryption makes detection through traffic content analysis difficult at best. We should highlight, however, that even with encryption some traffic analysis can still be done; for example, determining a packet's destination and applying network-mapping techniques can be useful in bot detection.

Dead drop: This approach provides a significant degree of separation between the botmaster and the bots, especially if the storage mechanism is chosen carefully. An example of a dead drop is a bot scanning the comments or trackback section of a third-party blog for a message placed by the botmaster. The message can be encoded to look benign, even normal. This approach is a modern-day equivalent of covert communication through newspaper classified ads, and extends to social networks. A variation of this technique is for the botmaster to place a unique (or unusual) string, or combination of words, together with the commands for the bot on an arbitrarily chosen web site; the bot then performs a web search (using a search engine) for this prearranged signal to locate the command to be executed [14].

Variant C&C: Botnets adopting these techniques are still quite rare. The Mayday botnet adopted a double P2P communication (ICMP, TCP) as a back-up in case its central HTTP channel was cut off. There is a strong possibility that most future botnets will adopt this tactic in order to prolong their lifetime and increase their evasion potential.

4) Activity level:

Exposure limitation: This technique consists of engaging bots in just enough activity to carry out their purpose, and keeping them otherwise silent. For example, in a DDoS attack the attacker can compute the amount of traffic necessary to achieve the purpose of the attack and then send exactly that amount. Similarly, since effective new infection and propagation techniques give botnets a large number of infected machines, the botmaster can create special-purpose 'sub-botnets' for carrying out attacks.

Retaliation techniques: Scanning certain worm-infected machines with a security vulnerability scanner, as security researchers or companies do, can result in a DDoS against the originator of the scan. Some botnet operators take the view that retaliation is an effective resilience technique.

Camouflaged messages: These are messages that known filters are unable to classify correctly. Camouflaged messages contain spam content as well as legitimate content, encoded text and other tricks; as a result they confuse the filters and produce both false negatives and false positives in junk-mail classification.

Anonymization techniques: Criminals conducting their activities on networks and computers employ tactics to mask their true identity. IP spoofing is one of the most common forms of online camouflage: they spoof the source IP addresses of the compromised machines to make tracing and stopping a DDoS as difficult as possible. The same can be done when the attacker wants to hide the C&C server in a one-directional (inbound-only) communication model.

E. Summary

The taxonomy presented above is summarized in table I.

III. Taxonomy usage

Botnet milestones: A recent study by Trend Micro [15] examines where the first botnets came from and how they have evolved over the past 10 years to become some of the biggest cybercrime perpetrators on the Web today. In this section we summarize this evolution according to our taxonomy, in table II.

We conclude from it that botnets are increasingly using multiple techniques to propagate and infect the machines.

Botnet               | Date | Infection & propagation                    | C&C model   | C&C app  | Botnet applications                     | Resilience techniques
---------------------|------|--------------------------------------------|-------------|----------|-----------------------------------------|------------------------------------------
Stacheldraht         | 1999 | - Manual distribution                      | Cent        | ICMP     | - DDoS                                  | - Encryption
Sub7 & PrettyPark    | 1999 | - Trojan sites                             | Cent        | IRC      |                                         |
GTbot                | 2000 | - Runs custom scripts                      | Cent        | IRC      |                                         |
                     |      | - Scans for Sub7-infected machines and     |             |          |                                         |
                     |      |   updates them                             |             |          |                                         |
SDbot                | 2002 |                                            | Cent        | IRC      |                                         |
Agobot               | 2002 |                                            | Cent        | IRC      | - Downloading files                     | - Registry modification
                     |      |                                            |             |          | - Sending the CD keys                   | - Block access to security websites
Rbot                 | 2003 |                                            | Cent        | IRC      | - DDoS functionality                    |
                     |      |                                            |             |          | - Data-stealing tools                   |
Sinit                | 2003 |                                            | Decent      | P2P      | - DDoS attack                           | - Listens on varying ports and waits
                     |      |                                            |             |          |                                         |   for connections
Polybot              | 2003 |                                            | Cent        | IRC      | - Downloading files                     | - Block access to security websites
                     |      |                                            |             |          | - Sending the CD keys                   | - Registry modification
                     |      |                                            |             |          |                                         | - Polymorphism
Bobax                | 2003 |                                            | Cent        | HTTP     | - Sending spam mails                    | - Updates the trojan
                     |      |                                            |             |          | - Obtains sensitive system information  | - Modifies the system registry
Bagle                | 2004 | - P2P technology to spread itself          | Cent        | HTTP     | - Proxy to relay spam messages          | - Compression and encryption algorithm
                     |      | - Infection in stages with many payloads   |             |          |                                         | - Reduce security rules
                     |      | - Updating itself via the web              |             |          |                                         | - P2P connection
                     |      | - Local network                            |             |          |                                         |
                     |      | - Sends shellcode over TCP port 445        |             |          |                                         |
                     |      |   (Microsoft Windows LSASS buffer overrun) |             |          |                                         |
                     |      | - Via spam                                 |             |          |                                         |
Zeus (Zbot, Kneber)  | 2007 | - Spam campaigns                           | Cent        | HTTP     | - Steal confidential information        |
                     |      | - Drive-by downloads                       |             |          |                                         |
Storm                | 2007 | - Spam (social engineering)                | Decent      | P2P      | - Variant attacks                       |
Mayday               | 2008 | - Via spam mails                           | Cent/Decent | HTTP/P2P | - Variant attacks                       | - Variant C&C
Conficker            | 2008 | - Local network                            | Cent        | HTTP     |                                         | - Multiple URLs
                     |      | - Checking for vulnerabilities             |             |          |                                         | - Domain fast flux
                     |      | - Execution of malware                     |             |          |                                         |
Koobface             | 2008 | - Via social networks                      | Cent        | HTTP     | - Variant attacks                       | - Proxy C&C
Maazben              | 2009 | - By other malware                         | Cent        | HTTP     | - Sending casino spam                   | - Template-based and proxy-based spamming

Further entries of the Infection & propagation, Botnet applications and Resilience techniques columns that extraction detached from their rows (they belong to the GTbot to Storm rows, in table order):
- Infection & propagation: Exploiting vulnerabilities; TCP open ports; Infection in stages with many payloads; Local networks; Updating itself via the web; Local networks; Mapped network drives.
- Botnet applications: Remote usage of PCs; Information leakage; Identity fraud; DDoS attacks.
- Resilience techniques: Autorun registry; Variant malware (several rows); Evolving behaviour; Trivial name-based obfuscation; Reduce system capability; Registry modification; Target security vendors; Variant propagation techniques; Reduce security rules; Polymorphism; IP and domain fluxing; Evade leading antivirus products; Fast flux; Encryption; Malware and network architecture evolution; Create mutex and modify firewall policy; System hiding techniques; Rootkit.

TABLE II: Examples of botnets

Distribution of malicious e-mail remains the most common of these techniques, including the recent spam campaigns; botnets can also leverage previous infections. While the centralized model is still the most widely used, attackers are increasingly adopting the distributed model based on P2P. Botnets also use multiple techniques to remain resilient to detection and capture.

IV. Conclusion
Botnets remain a large-scale problem that affects the entire Internet community and requires a significant level of cooperation among operators and providers. While knowledge of botnet behaviour and tactics is still partial, by presenting this taxonomy, including the instances and resilience techniques corresponding to each phase, we advance the understanding of this threat. The proposed taxonomy highlights the various aspects of a botnet, showing commonalities that can be leveraged for detection and mitigation. The upcoming steps in our research focus on further analysing these commonalities, from a network provider perspective, to design and implement improved mitigation strategies.

Acknowledgment
This work is sponsored by DEMONS, a research project supported by the European Commission under its 7th Framework Programme.

References
[1] E. Cooke, F. Jahanian, and D. McPherson, “The zombie roundup: Understanding, detecting, and disrupting botnets,” 2005, pp. 39–44.
[2] P. Barford and V. Yegneswaran, “An inside look at botnets,” 2006.
[3] R. Puri, “Bots and botnets: An overview,” 2003.
[4] J. Liu, Y. Xiao, K. Ghaboosi, H. Deng, and J. Zhang, “Botnet: Classification, attacks, detection, tracing, and preventive measures,” 2009.
[5] Sophos, “Security threat report: 2010,” 2010.
[6] Damballa, “The botnet vs. malware relationship: The one-to-one botnet myth,” 2009, http://www.damballa.com.
[7] M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, “A multifaceted approach to understanding the botnet phenomenon,” 2006.
[8] Trend Micro, “Taxonomy of botnet threats,” white paper, 2006.
[9] C. Kalt, “Internet Relay Chat: Client protocol,” RFC 1459 and RFC 2813, 2000.
[10] M. Jakobsson and Z. Ramzan, “Crimeware: Understanding new attacks and defenses,” 2008.
[11] S. M. Specht, “Distributed denial of service: Taxonomies of attacks, tools and countermeasures,” in Proceedings of the International Workshop on Security in Parallel and Distributed Systems, 2004, pp. 543–550.
[12] Commtouch, “Internet threat report Q3 2010,” 2010, http://www.commtouch.com.
[13] P. Bacher, T. Holz, M. Kotter, and G. Wicherski, “Know your enemy: Tracking botnets,” http://www.honeynet.org/papers/bots.
[14] A. Fucs, A. P. de Barros, and V. Pereira, “New botnet trends and threats,” 2007.
[15] Trend Micro, “The botnet chronicles: A journey to infamy,” white paper, 2010, http://www.trendmicro.com.