Your botnet is my botnet

Stone-Gross, Brett; Cova, Marco; Cavallaro, Lorenzo; Gilbert, Bob; Szydlowski, Martin; Kemmerer, Richard A.; Kruegel, Christopher; Vigna, Giovanni

doi:10.1145/1653662.1653738

Cited by 384 publications

(33 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Although, a significant effort to contain BredoLab's threats by security community and lawenforcement is spent, recent researches showed that BredoLab and its variants are still widely spread. Moreover, complex infection and spreading techniques that are found only in BredoLab malware samples are, unfortunately, now employed in other major malware families [13][14].…”

Section: Conclusion and Discussionmentioning

confidence: 99%

“…Furthermore, the paper illustrated the law enforcement procedures to forensically acquire and investigate BredoLab, and to develop required knowledge and control to support prosecution using proposed model. Most take-downs take months or even years of research to attempt a take-down [14,15]. In the case of the Bredolab investigation a wiretap on the VPN server from the main suspect proved to be enough to get the data needed to take-down the botnet and start prosecution.…”

Section: Conclusion and Discussionmentioning

confidence: 99%

See 1 more Smart Citation

BREDOLAB: Shopping in the Cybercrime Underworld

Graaf¹,

Shosha

Gladyshev

2013

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

Abstract.A recent emerging trend in the underground economy is malware dissemination as a service. Complex botnet infrastructures are developed to spread and install malware for third-party customers. In this research work, a botnet forensic investigation model is proposed to investigate and analyze large-scale botnets. The proposed investigation model is applied to a real-world law-enforcement investigation case that involves investigation of a large-scale malware dissemination botnet called BredoLab. The results of the forensic investigation show the effectiveness of the proposed model in assisting lawenforcement to conduct a successful forensic analysis of BredoLab botnet and its related resources.

show abstract

Section: Conclusion and Discussionmentioning

confidence: 99%

Section: Conclusion and Discussionmentioning

confidence: 99%

BREDOLAB: Shopping in the Cybercrime Underworld

Graaf¹,

Shosha

Gladyshev

2013

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

show abstract

“…However, botnets are constantly evolving with new cloaking and obfuscation mechanisms being developed constantly. For instance, Torpig [17] and Conficker [18] are recent botnets that make heavy use of domain name fluxing. Here, the botnets generate a very large number of domain names (typically based on a generating algorithm) to which connections are attempted.…”

Section: Discussionmentioning

confidence: 99%

Exploiting Temporal Persistence to Detect Covert Botnet Channels

Giroire

Chandrashekar

Taft

et al. 2009

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We describe a method to detect botnet command and control traffic and individual end-hosts. We introduce the notion of "destination traffic atoms" which aggregate the destinations and services that are communicated with. We then compute the "persistence", which is a measure of temporal regularity and that we propose in this paper, for individual destination atoms. Very persistent destination atoms are added to a host's whitelist during a training period. Subsequently, we track the persistence of new destination atoms not already whitelisted in order to identify suspicious C&C destinations. A particularly novel aspect is that we track persistence at multiple timescales concurrently. Importantly, our method does not require any a-priori information about destinations, ports, or protocols used by the C&C communication, nor do we require payload inspection. We evaluate our system using extensive user traffic traces collected from an enterprise network, along with collected botnet traces.We demonstrate that our method correctly identifies a botnet's C&C traffic, even when it is very stealthy. We also show that filtering outgoing traffic with the constructed whitelists dramatically improves the performance of traditional anomaly detectors. Finally, we show that the C&C detection can be achieved with a very low false positive rate.

show abstract

“…The goal of these efforts has been to characterize botnet activities [24], analyze C&C communication methods [8], and estimate the respective botnet size and geographical properties [27]. Their observations have been used to fine tune network defences [14] and tailor novel detection mechanisms [16].…”

Section: Related Workmentioning

confidence: 99%