DOCSLIB.ORG

A Timeline of Mobile Botnets

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

A Timeline Of Mobile Botnets Ruchna Nigam FortiGuard Labs, Fortinet Email: [email protected] Abstract—The explosion of smartphones and their increasing will be discussed. adaptation by the masses, is a trend that hasn’t gone unnoticed by malware authors. In keeping with this trend, malware authors • Platform of operation : The platforms on which have also focussed their attention on mobile devices, leading to a botmasters and slaves run is a fundamental difference steep rise in mobile malware over the past couple of years. This between mobile and PC botnets. In the case of PC paper focusses particularly on mobile malware variants called malware, both the botmaster and slave run on the same bots, that can be controlled remotely by an attacker. platform i.e. a PC, whereas in the case of mobile The paper begins with a comparison between mobile and botnets, the bot slave is on a mobile phone, while PC botnets, discussing fundamental, conceptual and implemen- the botmaster runs on a PC, or on a phone manually tational differences between them. Next, some precursors to fully operated by an attacker. Botmasters haven’t yet been functional mobile bots are discussed, along with some Proofs of observed running autonomously on phones. One could Concept mobile botnets that have been published for research speculate this is due to constraints on resources in purposes. mobile phones such as battery life and computational The crux of the paper lies in an Inventory detailing known power. mobile bot variants in the wild, ordered chronologically based on their date of discovery, accompanied by features like the • Connectivity : Mobile botnets are subject to the Command and Control (C&C) channel used, C&C commands, connectivity of a mobile phone to a cellular network the bot’s abilities, the main motivation(s) behind it and the for communication with a C&C server, whereas PC number of known samples. Following the inventory, some vari- botnets are subject to the internet access of the PC ants are described further in detail, selected based on criteria which is mostly affected only by network glitches or like Unusual Functionalities, Anti-Debugging Tricks used, Code technical faults in the device itself. The field could be Obfuscation and Traffic Encryption, and whether they are served considered as leveled for both kinds of botnets in this using unusual Attack Vectors. case. The paper ends in Statistics based upon the analysis of the bot variants listed in the inventory and a Conclusion, including • Lucrativeness : Mobile devices fundamentally pro- inferences that can be drawn from these statistics. My motivation vide a more lucrative attack surface owing to the fact for this paper ultimately stems from the possibility of this that they are almost always carried around by the user, information helping in the design of mobile security systems in providing a greater probability of grabbing relevant the future. information from audio and video recordings, and camera captures, as opposed to PC botnets that depend I. INTRODUCTION upon the device’s uptime and a user’s availability 2014 saw mobile malware completing 10 years of its at the device. A particularly interesting motivation existence[1] beginning with the discovery of Cabir, the first for mobile botnets that their PC counterparts don’t mobile worm in 2004. Since then, mobile malware has broadly provide, is the ability to track the location of a victim followed the same evolution as PC malware, albeit at a much in real time. faster pace. This evolution included the evident emergence • Detection : Possibilities of detection using signs of of bots for mobile phones, pieces of malware that can be infection exist for both mobile and PC botnets. In controlled by a remote entity, called a Command and Control addition to that, mobile botnets also face the unique (C&C) server or botmaster, to perform various functions. risk of detection from phone bills i.e. either by The concept of this paper came about with the idea to unexpectedly high bills due to internet connection create an inventory of sorts of known mobile bot variants and/or SMS messages in fixed amount plans, or by and, more importantly, to study differences and commonalities unusual/unrecognized numbers in the call/SMS history between them. By means of this paper, the author analyzes and on bills. examines 60 odd mobile bot variants, starting with variants as • Takedown : Fortunately for security enforcers, mobile early as 2010, up until the recently discovered version of the botnets are still fairly easy to take down since all Cryptolocker ransomware targeting the Android platform that cases seen in the wild so far have a single point listens for deactivation commands from its botmaster. of takedown i.e. either a phone number, a server or an email address. However, with the emergence A. Botnets : PC vs Mobile of new variants with remotely upgradeable C&Cs, In this first section, some fundamental, conceptual and mobile botnets might be headed towards the level of implementational differences between PC and mobile botnets complexity of takedown seen in PC botnets. B. The Early Stages of Mobile Botnets because of the difficulty in monitoring and disrupting it. This section will introduce the infamous Yxes malware for the Symbian platform that was pitted as the first step towards • In 2011, the PoC for an advanced (at the time of mobile botnets, and some other Proofs of Concept mobile writing) Android botnet was introduced. The botnet, botnets. called Andbot[5], used a novel C&C strategy named URL Flux. The authors used a Username Generation In 2009, a Symbian malware named Yxes was discovered algorithm (UGA) to generate the username of a social that made the headlines particularly for being the foretaste of media account that served as the C&C. The account a mobile botnet[2]. There were mainly two reasons for this would generate encrypted tweets that would serve as speculation : commands after decryption by the bot. They found 1) Internet access : The malware collected information Andbot to be stealthy, resilient, and low cost. from the infected phone such as the serial number and • In the same year, another PoC was presented that subscription number and forwarded them to a remote made use of a mechanism for proxying the application server, fulfilling one requirement for qualification as layer and modem on the phone[6]. The concept was a bot client i.e. reporting to a remote server. based on previous work that used the same mechanism 2) SMS propagation : The malware, in effect, sent out for SMS fuzzing[7]. The botnet architecture presented SMS messages to the phone’s contacts containing a placed the bot functionality between the application download link. The link pointed to a copy of the layer and modem, which would then listen for received malware itself, qualifying it as a self-propagating SMS messages, decode them and check for a Bot key. worm. This further fueled doubts of it being part of a If the key was found, the payload functionality would botnet since the remote copy of the malware could be be performed. Else, the SMS message would be passed upgraded up by the attacker(s) to include the ability onto the application layer as is done by default. to listen for commands. • In 2012, the authors of [8] presented the detailed However, Yxes isn’t classified as a bot since it lacks this design of PoC mobile botnet. They also include attack fundamental bot functionality - the ability to take commands vectors for spreading the bot code to smartphones from a remote location. that wasn’t covered in previous works. They also used In the same year, another malware known as Eeki.B on SMS messages as the C&C channel. They compared the iOS was discovered. The variant posessed abilities to steal structured and unstructured P2P architectures and con- information from the infected phone such as its SMS database, cluded that the structured architecture (a modified iPhoneOS version and SQL version to a remote server in tar- Kademlia) was a better option. gzipped format. It also scanned fixed IP ranges and the phone’s local IP range for other Jailbroken iPhones and sent a copy of itself to them. This variant was not included in the Inventory for the following two reasons : 1) JailBroken Devices : The malware worked only on JailBroken devices, and in addition, only on ones that had an SSH-enabled application and used the default ssh password ’alpine’. 2) C&C Down : As with the previous case, the malware would need to be able to be commanded by a remote location in order to qualify as a bot. In this case, there were no confirmed cases of the exact response received from the C&C. It appears the C&C was taken down fairly soon. However, it is considered as a precursor due to the fact that it posessed the ability to receive and execute shell scripts from a remote server[3]. 1) Proofs of Concept (PoCs): This section lists out some PoCs of mobile botnets that have been released over the years. • In 2010, a PoC for a cellular botnet architecture was presented[4]. The authors evaluated a P2P-based C&C mechanism for mobile phone botnets and implemented it on Jailbroken iPhones. Finally, they compared multi- ple approaches for C&C communication - P2P, SMS, SMS-HTTP and concluded that an SMS-HTTP hy- brid approach was optimal for C&C communication C. The Inventory TABLE I: Known mobile bot variants, in chronological order Info. C&C Leaked Main Time1 Name of Variant Botnet Commands Bot Capabilities #2 Type by Motivation Default 2010 Send location using GPS + Google maps
Recommended publications
  • Identifying Threats Associated with Man-In-The-Middle Attacks During Communication Between a Mobile Device and the Back End Server in Mobile Banking Applications

    Identifying Threats Associated with Man-In-The-Middle Attacks During Communication Between a Mobile Device and the Back End Server in Mobile Banking Applications

    IOSR Journal of Computer Engineering (IOSR-JCE) e-ISSN: 2278-0661, p- ISSN: 2278-8727Volume 16, Issue 2, Ver. IX (Mar-Apr. 2014), PP 35-42 www.iosrjournals.org Identifying Threats Associated With Man-In-The-Middle Attacks during Communication between a Mobile Device and the Back End Server in Mobile Banking Applications Anthony Luvanda1,*Dr Stephen Kimani1 Dr Micheal Kimwele1 1. School of Computing and Information Technology, Jomo Kenyatta University of Agriculture and Technology, PO Box 62000-00200 Nairobi Kenya Abstract: Mobile banking, sometimes referred to as M-Banking, Mbanking or SMS Banking, is a term used for performing balance checks, account transactions, payments, credit applications and other banking transactions through a mobile device such as a mobile phone or Personal Digital Assistant (PDA). Mobile banking has until recently most often been performed via SMS or the Mobile Web. Apple's initial success with iPhone and the rapid growth of phones based on Google's Android (operating system) have led to increasing use of special client programs, called apps, downloaded to the mobile device hence increasing the number of banking applications that can be made available on mobile phones . This in turn has increased the popularity of mobile device use in regards to personal banking activities. Due to the characteristics of wireless medium, limited protection of the nodes, nature of connectivity and lack of centralized managing point, wireless networks tend to be highly vulnerable and more often than not they become subjects of attack. This paper proposes to identify potential threats associated with communication between a mobile device and the back end server in mobile banking applications.

  • 100169 V2 BCG Mobile Malware Infographic

    KNOW THY With mobile usage at an all time high, malware specifically designed for smartphones has become more prevalent and sophisticated. MOBILE ENEMY. We’re here to help. Mobile malware can take on many different forms: POTENTIALLY UNWANTED SOFTWARE (PUS) The Basics How PUS Starts Signs of a PUS Attack • Often poses as • Users allow permission • Sudden increase in junk antivirus software because attack poses as SMS texts antivirus software • Similar to adware • Data stolen from your or spyware contacts list and shared with third parties • Millions of variations already exist RANSOMWARE The Basics Complete Anonymity Ransomware & Fear • Advanced cryptographic • Assailants demand • Most aren’t likely to report Accept threats that hold untraceable ransom ransomware acquired from les hostage payment (Bitcoin) embarrassing sources (ie. porn) • Ransom is due within • Attackers use Tor network a strict time limit to hide destination • Often payment doesn’t mean before les become of payment the bad guys uphold their permanently inaccessible end of the bargain • .onion addresses often used in ransom demands How Ransomware Starts • Installing risky mobile apps from insecure websites INFORMATION LEAKAGE Every Move is Monitored IMEI Identifier Broadcast Personal Privacy Threats Within Mobile Network • Often results from app • Can lead to cloned • Utilize GPS satellite designers who don’t phones where service systems to create digital encrypt or do it wrong is hijacked “breadcrumbs” showing activity • Reveal where people live, work, socialize, etc. using social networking options TOP TWO INFECTION VECTORS MIXING BUSINESS WITH PLEASURE Users now have one device for everything— #1 Porn #2Suspicious chances of personal use impacting business networks at 36% WebAd networks/large networks are higher than ever.
  • Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G

    Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G

    Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G. van Eeten, Delft University of Technology https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/asghari This paper is included in the Proceedings of the 24th USENIX Security Symposium August 12–14, 2015 • Washington, D.C. ISBN 978-1-939133-11-3 Open access to the Proceedings of the 24th USENIX Security Symposium is sponsored by USENIX Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere and Michel J.G. van Eeten Delft University of Technology Abstract more sophisticated C&C mechanisms that are increas- ingly resilient against takeover attempts [30]. Research on botnet mitigation has focused predomi- In pale contrast to this wealth of work stands the lim- nantly on methods to technically disrupt the command- ited research into the other side of botnet mitigation: and-control infrastructure. Much less is known about the cleanup of the infected machines of end users. Af- effectiveness of large-scale efforts to clean up infected ter a botnet is successfully sinkholed, the bots or zom- machines. We analyze longitudinal data from the sink- bies basically remain waiting for the attackers to find hole of Conficker, one the largest botnets ever seen, to as- a way to reconnect to them, update their binaries and sess the impact of what has been emerging as a best prac- move the machines out of the sinkhole. This happens tice: national anti-botnet initiatives that support large- with some regularity. The recent sinkholing attempt of scale cleanup of end user machines.
  • Mobile Malware

    Mobile Malware

    CS 155 Spring 2016 Mobile Malware John Mitchell Outline • Mobile malware • Identifying malware – Detect at app store rather than on platform • Classification study of mobile web apps – Entire Google Play market as of 2014 – 85% of approx 1 million apps use web interface • Target fragmentation in Android – Out-of-date Apps may disable more recent security platform patches Malware Trends W Based on FairPlay vulnerability • Requires malware on user PC, installation of malicious app in App Store • Continues to work after app removed from store • Silently installs app on phone Android malware 2015 Current Android Malware Description AccuTrack This application turns an Android smartphone into a GPS tracker. Ackposts This Trojan steals contact information from the compromised device and uploads them to a remote server. Acnetdoor This Trojan opens a backdoor on the infected device and sends the IP address to a remote server. Adsms This is a Trojan which is allowed to send SMS messages. The distribution channel ... is through a SMS message containing the download link. Airpush/StopSMS Airpush is a very aggresive Ad-Network. … BankBot This malware tries to steal users’ confidential information and money from bank and mobile accounts associated with infected devices. http://forensics.spreitzenbarth.de/android-malware/ Trends 2014-15 Android free antivirus apps … 1. Comodo Security & Antivirus 2. CM Security Antivirus AppLock 3. 360 Security - Antivirus Boost 4. Sophos Free Antivirus and Security 5. Malwarebytes Anti- Malware 6. Bitdefender Antivirus
  • The Botnet Chronicles a Journey to Infamy

    The Botnet Chronicles a Journey to Infamy

    The Botnet Chronicles A Journey to Infamy Trend Micro, Incorporated Rik Ferguson Senior Security Advisor A Trend Micro White Paper I November 2010 The Botnet Chronicles A Journey to Infamy CONTENTS A Prelude to Evolution ....................................................................................................................4 The Botnet Saga Begins .................................................................................................................5 The Birth of Organized Crime .........................................................................................................7 The Security War Rages On ........................................................................................................... 8 Lost in the White Noise................................................................................................................. 10 Where Do We Go from Here? .......................................................................................................... 11 References ...................................................................................................................................... 12 2 WHITE PAPER I THE BOTNET CHRONICLES: A JOURNEY TO INFAMY The Botnet Chronicles A Journey to Infamy The botnet time line below shows a rundown of the botnets discussed in this white paper. Clicking each botnet’s name in blue will bring you to the page where it is described in more detail. To go back to the time line below from each page, click the ~ at the end of the section. 3 WHITE
  • Mobile Malware Security Challenges and Cloud-Based Detection

    Mobile Malware Security Challenges and Cloud-Based Detection

    Mobile Malware Security Challeges and Cloud-Based Detection Nicholas Penning, Michael Hoffman, Jason Nikolai, Yong Wang College of Business and Information Systems Dakota State University Madison, SD 57042 {nfpenning, mjhoffman13054, janikolai}@pluto.dsu.edu, [email protected] Abstract— Mobile malware has gained significant ground since the techniques, privilege escalation, remote control, financial dawning of smartphones and handheld devices. TrendLabs charge, and information collection, etc. The previous stated estimated that there were 718,000 malicious and high risk Android techniques provide a malicious attacker with a variety of options apps in the second quarter of 2013. Mobile malware malicious to utilize a compromised mobile device. infections arise through various techniques such as installing repackaged legitimate apps with malware, updating current apps Many mobile malware prevention techniques are ported from that piggy back malicious variants, or even a drive-by download. desktop or laptop computers. However, due to the uniqueness of The infections themselves will perform at least one or multiple of smartphones [6], such as multiple-entrance open system, the following techniques, privilege escalation, remote control, platform-oriented, central data management, vulnerability to financial charge, and information collection, etc. This paper theft and lost, etc., challenges are also encountered when porting summarizes mobile malware threats and attacks, cybercriminal existing anti-malware techniques to mobile devices. These motivations behind malware, existing prevention methods and challenges include, inefficient security solutions, limitations of their limitations, and challenges encountered when preventing signature-based mobile malware detection, lax control of third malware on mobile devices. The paper further proposes a cloud- party app stores, and uneducated or careless users, etc.
  • Mobile Malware Network View Kevin Mcnamee : Alcatel-Lucent Agenda

    Mobile Malware Network View Kevin Mcnamee : Alcatel-Lucent Agenda

    Mobile Malware Network View Kevin McNamee : Alcatel-Lucent Agenda • Introduction • How the data is collected • Lies, Damn Lies and Statistics • Windows PC Malware • Android Malware • Network Impact • Examples of malware • DDOS Monitoring the Mobile Network • Monitor GTP-C traffic MOBILE NETWORK SECURITY ANALYTICS - Maps IMSI, APN & EMEI to IP address - Associates infection with a specific device or user Forensic Analysis • Monitor GTP-U traffic Alert - Malware C&C Aggregation & Analysis - Exploits Malware - DDOS Detection Sensor - Hacking 10GE or GE NodeB SGSN RAN Alternate Tap Recommended Alternate tap RNC (Iu-PS and S1-u) Tap (Gn and choice (Gi and Internet S5/8) SGi) GGSN/PGW eNodeB SGW 3 Monitoring the Mobile Network • Analytics Provides MOBILE NETWORK SECURITY ANALYTICS - Raw security alerts - Trigger packets - Infection history by device Forensic Analysis - Infection history by malware Alert • Reports Aggregation & Analysis - Most active malware Malware Detection - Network impact Sensor - Infection rates 10GE or GE NodeB SGSN RAN Alternate Tap Recommended Alternate tap RNC (Iu-PS and S1-u) Tap (Gn and choice (Gi and Internet S5/8) SGi) GGSN/PGW eNodeB SGW 4 Detection Rules Development Process MALWARE TRAFFIC SAMPLES POLICY MALWARE ZERO DAY RULES TRAFFIC BEHAVIORAL VIRUS VAULT SANDBOX DEVELOPMENT LIBRARY RULES LIBRARY RULES • 120K+ ANALYZED PER DAY • 30M+ Active samples RULE ACTIVATION RULES REPOSITORY DEPLOYMENT-SPECIFIC RULE SETS FEEDBACK FROM FIELD QUALITY TESTS TESTING FIELD TESTING IN LIVE NETWORKS 5 Infection Rate • C&C detection measures actual infections as seen from the network • Problem is growing (by 25% in 2014) • LTE device 5 times more likely to be infected 6 Estimates of Mobile Malware infection However… rates vary wildly - ALU, Lookout & Google report 0.4% to 0.6% - Verizon Breach Report quoted 0.03% - Damballa quoted 0.0064% at RSA.
  • Generation of an Iot Botnet Dataset in a Medium-Sized Iot Network

    Generation of an Iot Botnet Dataset in a Medium-Sized Iot Network

    MedBIoT: Generation of an IoT Botnet Dataset in a Medium-sized IoT Network Alejandro Guerra-Manzanares a, Jorge Medina-Galindo, Hayretdin Bahsi b and Sven Nomm˜ c Department of Software Science, Tallinn University of Technology, Tallinn, Estonia falejandro.guerra, hayretdin.bahsi, [email protected], [email protected] Keywords: Botnet, Internet of Things, Dataset, Intrusion Detection, Anomaly Detection, IoT. Abstract: The exponential growth of the Internet of Things in conjunction with the traditional lack of security mecha- nisms and resource constraints associated with these devices have posed new risks and challenges to security in networks. IoT devices are compromised and used as amplification platforms by cyber-attackers, such as DDoS attacks. Machine learning-based intrusion detection systems aim to overcome network security lim- itations relying heavily on data quantity and quality. In the case of IoT networks these data are scarce and limited to small-sized networks. This research addresses this issue by providing a labelled behavioral IoT data set, which includes normal and actual botnet malicious network traffic, in a medium-sized IoT network infrastructure (83 IoT devices). Three prominent botnet malware are deployed and data from botnet infec- tion, propagation and communication with C&C stages are collected (Mirai, BashLite and Torii). Binary and multi-class machine learning classification models are run on the acquired data demonstrating the suitability and reliability of the generated data set for machine learning-based botnet detection IDS testing, design and deployment. The generated IoT behavioral data set is released publicly available as MedBIoT data set∗. 1 INTRODUCTION lam, 2017; Bosche et al., 2018; Pratt, 2019).
  • Iptrust Botnet / Malware Dictionary This List Shows the Most Common Botnet and Malware Variants Tracked by Iptrust

    Iptrust Botnet / Malware Dictionary This List Shows the Most Common Botnet and Malware Variants Tracked by Iptrust

    ipTrust Botnet / Malware Dictionary This list shows the most common botnet and malware variants tracked by ipTrust. This is not intended to be an exhaustive list, since new threat intelligence is always being added into our global Reputation Engine. NAME DESCRIPTION Conficker A/B Conficker A/B is a downloader worm that is used to propagate additional malware. The original malware it was after was rogue AV - but the army's current focus is undefined. At this point it has no other purpose but to spread. Propagation methods include a Microsoft server service vulnerability (MS08-067) - weakly protected network shares - and removable devices like USB keys. Once on a machine, it will attach itself to current processes such as explorer.exe and search for other vulnerable machines across the network. Using a list of passwords and actively searching for legitimate usernames - the ... Mariposa Mariposa was first observed in May 2009 as an emerging botnet. Since then it has infected an ever- growing number of systems; currently, in the millions. Mariposa works by installing itself in a hidden location on the compromised system and injecting code into the critical process ͞ĞdžƉůŽƌĞƌ͘ĞdžĞ͘͟/ƚŝƐknown to affect all modern Windows versions, editing the registry to allow it to automatically start upon login. Additionally, there is a guard that prevents deletion while running, and it automatically restarts upon crash/restart of explorer.exe. In essence, Mariposa opens a backdoor on the compromised computer, which grants full shell access to ... Unknown A botnet is designated 'unknown' when it is first being tracked, or before it is given a publicly- known common name.
  • MOBILE MALWARE EVOLUTION 2016 Contents the Year in Figures

    MOBILE MALWARE EVOLUTION 2016 Contents the Year in Figures

    MOBILE MALWARE EVOLUTION 2016 Contents The year in figures ......................................................................................................................................... 2 Trends of the year .......................................................................................................................................... 2 Malicious programs using super-user rights ............................................................................................. 3 Cybercriminals continue their use of Google Play..................................................................................... 4 Bypassing Android’s protection mechanisms ............................................................................................ 6 Mobile ransomware................................................................................................................................... 7 A glance into the Dark Web. Contribution from INTERPOL’s Global Complex for Innovation. ..................... 8 Marketplaces ................................................................................................................................................. 8 Vendor shops, forums and social media ....................................................................................................... 9 Statistics ....................................................................................................................................................... 10 Geography of mobile threats ..................................................................................................................
  • Common Threats to Cyber Security Part 1 of 2

    Common Threats to Cyber Security Part 1 of 2

    Common Threats to Cyber Security Part 1 of 2 Table of Contents Malware .......................................................................................................................................... 2 Viruses ............................................................................................................................................. 3 Worms ............................................................................................................................................. 4 Downloaders ................................................................................................................................... 6 Attack Scripts .................................................................................................................................. 8 Botnet ........................................................................................................................................... 10 IRCBotnet Example ....................................................................................................................... 12 Trojans (Backdoor) ........................................................................................................................ 14 Denial of Service ........................................................................................................................... 18 Rootkits ......................................................................................................................................... 20 Notices .........................................................................................................................................
  • Building an Intrusion Detection System (IDS) to Neutralize Botnet Attacks

    Building an Intrusion Detection System (IDS) to Neutralize Botnet Attacks

    International Journal of Computer Applications Technology and Research Volume 4– Issue 2, 103 - 107, 2015, ISSN:- 2319–8656 Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Botnet Attacks R. Kannan A.V.Ramani Department of Computer Science Department of Computer Science Sri Ramakrishna Mission Vidyalaya Sri Ramakrishna Mission Vidyalaya College of Arts and Science College of Arts and Science Coimbatore ,Tamilnadu,India. Coimbatore ,Tamilnadu,India Abstract: Among the various forms of malware attacks such as Denial of service, Sniffer, Buffer overflows are the most dreaded threats to computer networks. These attacks are known as botnet attacks and self-propagating in nature and act as an agent or user interface to control the computers which they attack. In the process of controlling a malware, Bot header(s) use a program to control remote systems through internet with the help of zombie systems. Botnets are collection of compromised computers (Bots) which are remotely controlled by its originator (Bot-Master) under a common Command-and-Control (C&C) structure. A server commands to the bot and botnet and receives the reports from the bot. The bots use Trojan horses and subsequently communicate with a central server using IRC. Botnet employs different techniques like Honeypot, communication protocols (e.g. HTTP and DNS) to intrude in new systems in different stages of their lifecycle. Therefore, identifying the botnets has become very challenging; because the botnets are upgrading their methods periodically for affecting the networks. Here, the focus on addressing the botnet detection problem in an Enterprise Network This research introduces novel Solution to mitigate the malicious activities of Botnet attacks through the Principle of component analysis of each traffic data, measurement and countermeasure selection mechanism called Malware Hunter.