
Measuring Botnets in the Wild: Some New Trends ∗

Wentao Chang (1), Aziz Mohaisen (2), An Wang (1), Songqing Chen (1)
(1) George Mason University, {wchang7, awang10, sqchen}@gmu.edu
(2) Verisign Labs, [email protected]

ABSTRACT

Today, botnets are still responsible for most large-scale attacks on the Internet. Botnets are versatile: they remain the most powerful attack platform by constantly and continuously adopting new techniques and strategies in the arms race against various detection schemes. Thus, it is essential to understand the latest state of the botnets in a timely manner so that the insights can be utilized in developing more efficient defenses. In this work, we conduct a measurement study on some of the most active botnets on the Internet based on a public dataset collected over a period of seven months by a monitoring entity. We first examine and compare the attacking capabilities of different families of today's active botnets. Our analysis clearly shows that different botnets start to collaborate when launching DDoS attacks.

1. INTRODUCTION

Botnets are one of today's most challenging cybersecurity threats, and promise to remain a serious threat for many years to come. A botnet is typically comprised of a network of infected machines called bots, which are often under the control of a malicious entity, called the botmaster. Botnets are notoriously known as one of the primary attack platforms that cybercriminals use to carry out malicious and harmful actions, such as distributed denial of service (DDoS) attacks, spam distribution, phishing, scanning and network exploration, against pieces of infrastructure and services. Reports have highlighted the devastating operational impact, size, and consequences that a botnet attack can bring to Internet services. For example, it was recently reported that a collection of just 3,000 open Domain Name System (DNS) resolvers was capable of generating 300 Gbps of DDoS attack traffic [19], taking down Spamhaus, a popular spam tracking service.

On the botnet analysis front, significant research efforts have been made to gain a better understanding of the botnet phenomenon and landscape. A common approach to study botnets is to perform passive analysis of abnormal behaviors produced by bot-infected machines [14, 16, 17]. While the passive analysis approach does reveal much valuable information about particular botnet-related behaviors, some of the insight on longitudinal activities is absent since the approach only considers a small portion of bots at a given time [28, 8]. Infiltration is another technique adopted in recent studies [4, 1, 10], where an actual malware sample or a client is used to simulate a bot. However, attackers have unfortunately learned to adapt, and most current botnets use stripped-down IRC or HTTP servers as their centralized command and control channels. It is unlikely that one can obtain a lot of information about other bots by simply joining the botnet. An effective effort to understand botnets would require reverse engineering, passive and active measurements.

On the defense front, a lot of effort has been made to detect bots and botnets. While many detection schemes have been developed [25, 16, 22], attackers have been constantly adopting new technologies and improving their attacking schemes. For example, various generations of botnets have been shown to use HTTP and P2P technologies, instead of IRC, for their operations [11, 15, 27].

The arms race between malware developers and defenders is endless. Thus, it is essential to continuously track and understand the latest strategies of attackers in manipulating botnets for attacks. A timely understanding can provide important insights to guide the building of effective defenses. To this end, in this study we perform an in-depth analysis of botnet strategies based on recent botnet traffic, resource enumeration and activity profiling. Data used in this study is obtained by utilizing active and passive monitoring, and using state-of-the-art reverse-engineering and protocol analysis techniques for 23 different botnet families. The data obtained in this study is enriched by traffic observed at a large number of vantage points on the Internet in about seven months of monitoring. Our study reveals several interesting new trends of botnet management. In this paper, our contributions include the following:

• We conduct a large-scale measurement study to investigate botnet characteristics and describe botnet behaviors. The analysis results help build a better comprehension of the wide variety of existing botnet families in the wild.

• Some bots are dedicated and heavily re-used by different botnet families. Similar collaborations are also found within various generations of the same botnet family.

To the best of our knowledge, some of the insights and operational aspects of botnets in this paper have not been reported before. We expect these results can help improve our understanding of botnet operations and devise new defense schemes.

The remainder of the paper is organized as follows. Section 2 describes our dataset and Section 3 presents a characterization of botnet families. In Section 4, we discuss the possibility of collaborations among the botnets by identifying reused bots, while Section 5 discusses related work. We conclude in Section 6 with a discussion about future work.

∗ The views and opinions expressed in this paper are the views of the author, and do not necessarily represent the policy or position of VeriSign, Inc.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
ASIA CCS'15, April 14–17, 2015, Singapore. Copyright (c) 2015 ACM 978-1-4503-3245-3/15/04 ...$15.00. http://dx.doi.org/10.1145/2714576.2714637

2. DATASET

Some research efforts on botnet measurements have focused on the taxonomy and classification of botnets by analyzing botnet behavior and common characteristics, such as architecture, command and control channels, communication protocols and evasion techniques [12, 20]. These efforts have mainly been done via passive measurement or infiltration. Thus, they usually focused on specific botnets. Different from these approaches, our dataset is provided by the Team Cymru Community Service [26]. The dataset is based on Team Cymru's constant monitoring of Internet critical infrastructure to aid intelligence gathering concerning the state of the art of attack posture, using both active and passive measurement techniques. For active measurements and attribution, malware families used in launching various attacks are reverse engineered, and labeled to a known malware family using best practices. Hosts participating in the given botnet, by either communicating with pieces of infrastructure infected by that malware family (e.g. the command and control) are then enumerated and monitored over time, and their activities are logged and analyzed.

As each botnet evolves over time, new generations are marked by their unique (MD5 and SHA-1) hashes. Traces of traffic associated with various botnets are then collected at various anchor points on the Internet, via the cooperation of many ISPs all over the world, and analyzed to attribute and characterize attacks. The collection of traffic is guided by two general principles: 1) that the source of the traffic is an infected host participating in a botnet attack, and 2) that the destination of the traffic is a targeted client, as concluded from eavesdropping on the C&C of the campaign using a live sample.

By tracking temporal activities of 23 different known botnet families in the wild, the monitors of the company generate a log dump every hour from 08/29/2012 to 03/24/2013, a total of 207 days, or about 7 months.

Table 1: Summary statistics of 16 Botnet Families

Family Name    Active Period        Botnet Size
Aldibot        11/01/12-03/24/13         12,075
Armageddon     08/29/12-03/24/13            171
Blackenergy    08/29/12-03/24/13        498,925
Colddeath      08/29/12-12/19/12          1,859
Conficker      08/29/12-03/24/13        667,523
Darkcomet      12/02/12-03/24/13          4,019
Darkshell      08/29/12-03/24/13          4,886
Ddoser         11/13/12-03/07/13             35
Dirtjumper     08/29/12-03/24/13        837,297
Illusion       08/29/12-03/24/13         47,887
Nitol          08/29/12-03/24/13         15,230
Optima         08/29/12-03/24/13        362,157
Pandora        10/11/12-03/24/13         17,418
Torpig         08/29/12-03/24/13          1,260
Yzf            08/29/12-02/11/13          7,937
Zeus           08/29/12-03/24/13        175,343

Similar to the metrics used in [1], we define the botnet size as the total number of unique IP addresses that were once recruited in their lifetime by the specific botnet. As the last column of Table 1 shows, the botnet size of different families varies significantly. The botnet size is as large as 837 thousand for Dirtjumper or as small as 35 for Ddoser. Based on the botnet size, we can classify them into different groups. The large botnet families own more than 100 K bots with unique IP addresses, including Dirtjumper, Conficker, Blackenergy, Optima and Zeus in descending order. 90% of bots found in our dataset are employed by these large botnet families at least once. The medium group includes botnet families with the number of bots ranging from 10 thousand to 100 thousand, such as Illusion, Pandora, Nitol and