Abstract
Bot-like malware poses an immense threat to computer security. Bot detection remains a challenging task because bot developers continuously adopt advanced techniques to make bots stealthier. A typical bot exhibits three invariant features at its onset: (1) the bot starts automatically, without requiring any user action; (2) the bot must establish a command and control channel with its botmaster; and (3) the bot will perform local or remote attacks sooner or later. These invariants indicate three indispensable phases of a bot attack: startup, preparation, and attack. In this paper, we propose BotTracer to detect these three phases with the assistance of virtual machine techniques. To validate BotTracer, we implement a prototype based on VMware and Windows XP Professional. The results show that BotTracer detected all the bots in the experiments, with no false negatives.
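The three invariants above can be checked as a per-process state machine over host events: a process becomes a candidate only if it was launched with no user action, advances when it opens an outbound channel to an endpoint the host is not expected to contact, and is flagged only once it shows attack behaviour. The block below is an added example run over a constructed event log, not BotTracer's own code and not run inside a VM; the autostart origins, the allowlist, the scan/spam thresholds and every log line are assumptions made up for the illustration.

```python
"""Per-process state machine for the three bot-onset phases in the abstract
(startup -> preparation -> attack). Added example, not BotTracer's code; the
event log, thresholds and allowlist below are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Launch origins that need no user action (assumed set, not from the paper).
AUTOSTART_ORIGINS = {"run_key", "service", "scheduled_task"}
# Remote endpoints the host is expected to contact on its own (constructed,
# e.g. an OS update server). Connections to these are not treated as C&C.
ALLOWLIST = {("203.0.113.10", 443)}
WINDOW = 60        # seconds of connection history examined for attack signs
SCAN_FANOUT = 20   # distinct hosts on one port inside WINDOW -> scanning
SPAM_CONNS = 20    # connections to TCP/25 inside WINDOW -> spamming


@dataclass
class ProcState:
    image: str
    phase: str = "unknown"            # unknown|user|startup|preparation|attack
    cc: Optional[tuple] = None        # first non-allowlisted outbound endpoint
    conns: list = field(default_factory=list)   # (t, ip, port) after prep
    evidence: list = field(default_factory=list)


def attack_sign(conns, now):
    """Return a reason string if recent connections look like an attack."""
    recent = [c for c in conns if c[0] > now - WINDOW]
    hosts_by_port = defaultdict(set)
    for _, ip, port in recent:
        hosts_by_port[port].add(ip)
    for port, hosts in hosts_by_port.items():
        if len(hosts) >= SCAN_FANOUT:
            return f"scan: {len(hosts)} hosts on port {port} in {WINDOW}s"
    smtp = sum(1 for _, _, port in recent if port == 25)
    if smtp >= SPAM_CONNS:
        return f"spam: {smtp} SMTP connections in {WINDOW}s"
    return None


def classify(events):
    """Walk (t, pid, image, kind, detail) events; return {pid: ProcState}."""
    procs = {}
    for t, pid, image, kind, detail in sorted(events, key=lambda e: e[0]):
        st = procs.setdefault(pid, ProcState(image))
        if kind == "start":
            if detail in AUTOSTART_ORIGINS:          # invariant 1 holds
                st.phase = "startup"
                st.evidence.append(f"t={t}: started via {detail}")
            else:                                    # user-launched: not a bot
                st.phase = "user"
        elif kind == "connect":
            ip, port = detail
            if st.phase == "startup" and (ip, port) not in ALLOWLIST:
                st.phase = "preparation"             # invariant 2: C&C-like
                st.cc = (ip, port)
                st.evidence.append(f"t={t}: outbound to {ip}:{port}")
            elif st.phase == "preparation":
                st.conns.append((t, ip, port))
                reason = attack_sign(st.conns, t)
                if reason:                           # invariant 3: attack
                    st.phase = "attack"
                    st.evidence.append(f"t={t}: {reason}")
    return procs


def bots(procs):
    """Images of processes that completed all three phases."""
    return sorted(p.image for p in procs.values() if p.phase == "attack")


# Constructed sample log: (t_seconds, pid, image, kind, detail).
EVENTS = [
    (0, 100, "explorer.exe", "start", "user"),
    (1, 200, "svchost.exe", "start", "service"),
    (2, 300, "updater.exe", "start", "run_key"),
    (3, 400, "browser.exe", "start", "user"),
    (4, 500, "winsys32.exe", "start", "run_key"),
    (10, 200, "svchost.exe", "connect", ("203.0.113.10", 443)),   # allowlisted
    (11, 300, "updater.exe", "connect", ("203.0.113.11", 443)),   # unknown server
    (12, 500, "winsys32.exe", "connect", ("198.51.100.7", 6667)),  # IRC-like
    (15, 400, "browser.exe", "connect", ("203.0.113.20", 80)),
]
# The candidate then fans out to 30 hosts on TCP/445 within 30 s.
EVENTS += [(20 + i, 500, "winsys32.exe", "connect", (f"10.0.0.{i}", 445))
           for i in range(1, 31)]

if __name__ == "__main__":
    for pid, st in classify(EVENTS).items():
        print(pid, st.image, st.phase, st.evidence)
    print("bots:", bots(classify(EVENTS)))
```

On the constructed log, `updater.exe` reaches the preparation phase (autostarted, talks to a server not on the allowlist) but never attacks, so it is not reported; only `winsys32.exe`, which completes all three phases, is. That is the practical point of requiring all three invariants rather than stopping at the first outbound connection: benign autostart software that phones home is common, and the attack phase is what separates it from a bot. The thresholds here are illustrative; in a real deployment they would be tuned to the host's baseline, and a bot whose attack is delayed beyond the observation window would be missed.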
© 2008 Springer-Verlag Berlin Heidelberg
Cite this paper
Liu, L., Chen, S., Yan, G., Zhang, Z. (2008). BotTracer: Execution-Based Bot-Like Malware Detection. In: Wu, TC., Lei, CL., Rijmen, V., Lee, DT. (eds) Information Security. ISC 2008. Lecture Notes in Computer Science, vol 5222. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-85886-7_7
DOI: https://doi.org/10.1007/978-3-540-85886-7_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-85884-3
Online ISBN: 978-3-540-85886-7
eBook Packages: Computer Science (R0)