Moheeb Abu Rajab scite author profile

The academic community has long acknowledged the existence of malicious botnets, however to date, very little is known about the behavior of these distributed computing platforms. To the best of our knowledge, botnet behavior has never been methodically studied, botnet prevalence on the Internet is mostly a mystery, and the botnet life cycle has yet to be modeled. Uncertainty abounds. In this paper, we attempt to clear the fog surrounding botnets by constructing a multifaceted and distributed measurement infrastructure. Throughout a period of more than three months, we used this infrastructure to track 192 unique IRC botnets of size ranging from a few hundred to several thousand infected end-hosts. Our results show that botnets represent a major contributor to unwanted Internet traffic-27% of all malicious connection attempts observed from our distributed darknet can be directly attributed to botnetrelated spreading activity. Furthermore, we discovered evidence of botnet infections in 11% of the 800,000 DNS domains we examined, indicating a high diversity among botnet victims. Taken as a whole, these results not only highlight the prominence of botnets, but also provide deep insights that may facilitate further research to curtail this phenomenon.

show abstract

Ad Injection at Scale: Assessing Deceptive Advertisement Modifications

Thomas

Bursztein

Grier

et al. 2015

View full text Add to dashboard Cite

Today, web injection manifests in many forms, but fundamentally occurs when malicious and unwanted actors tamper directly with browser sessions for their own profit. In this work we illuminate the scope and negative impact of one of these forms, ad injection, in which users have ads imposed on them in addition to, or different from, those that websites originally sent them. We develop a multi-staged pipeline that identifies ad injection in the wild and captures its distribution and revenue chains. We find that ad injection has entrenched itself as a cross-browser monetization platform impacting more than 5% of unique daily IP addresses accessing Google-tens of millions of users around the globe. Injected ads arrive on a client's machine through multiple vectors: our measurements identify 50,870 Chrome extensions and 34,407 Windows binaries, 38% and 17% of which are explicitly malicious. A small number of software developers support the vast majority of these injectors who in turn syndicate from the larger ad ecosystem. We have contacted the Chrome Web Store and the advertisers targeted by ad injectors to alert each of the deceptive practices involved.

show abstract

Worm evolution tracking via timing analysis

Rajab

Monrose

Terzis

2005

View full text Add to dashboard Cite

We present a technique to infer a worm's infection sequence from traffic traces collected at a network telescope. We analyze the fidelity of the infection evolution as inferred by our technique, and explore its effectiveness under varying constraints including the scanning rate of the worm, the size of the vulnerable population, and the size of the telescope itself. Moreover, we provide guidance regarding the point at which our method's accuracy diminishes beyond practical value. As we show empirically, this point is reached well after a few hundred initial infected hosts (possibly including "patient zero") has been reliably identified with more than 80% accuracy. We generalize our mechanism by exploiting the change in the pattern of inter-arrival times exhibited during the early stages of such an outbreak to detect the presence and approximate size of the hit-list. Our mechanism is resilient to varying parameters like the worm scanning rate and the size of the vulnerable population, and can provide significant insights into the characteristics of the hit-list even under spreading dynamics that exceed that of currently known worms. Lastly, to illustrate the practicality of our solution, we apply our approach to real-world traces of the Witty worm and provide a refined estimate on the previously suspected hit-list size.

show abstract

Cybercrime 2.0: When the Cloud Turns Dark

Provos

Rajab

Mavrommatis

2009

Queue

View full text Add to dashboard Cite

show abstract

Requirements on Worm Mitigation Technologies in MANETS

Cole

Phamdo

Rajab

et al.

View full text Add to dashboard Cite

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Moheeb Abu Rajab

A multifaceted approach to understanding the botnet phenomenon

Ad Injection at Scale: Assessing Deceptive Advertisement Modifications

Worm evolution tracking via timing analysis

Cybercrime 2.0: When the Cloud Turns Dark

Requirements on Worm Mitigation Technologies in MANETS

Contact Info

Product

Resources

About