Rochester Institute of Technology RIT Scholar Works Theses Thesis/Dissertation Collections 2012 A Historical evaluation of C&C complexity Conzetti Finocchiaro Follow this and additional works at: http://scholarworks.rit.edu/theses Recommended Citation Finocchiaro, Conzetti, "A Historical evaluation of C&C complexity" (2012). Thesis. Rochester Institute of Technology. Accessed from This Thesis is brought to you for free and open access by the Thesis/Dissertation Collections at RIT Scholar Works. It has been accepted for inclusion in Theses by an authorized administrator of RIT Scholar Works. For more information, please contact [email protected]. A Historical Evaluation of C&C Complexity By Conzetti N. Finocchiaro Committee Members Dr. Peter Lutz Dr. Jim Leone Dr. Bo Yuan Thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Networking and System Administration Rochester Institute of Technology B. Thomas Golisano College of Computing and Information Sciences August 20, 2012 Rochester Institute of Technology B. Thomas Golisano College of Computing and Information Sciences Master of Science in Networking and System Administration Thesis Approval Form Student Name: Conzetti Finocchiaro Thesis Title: A Historical Evaluation of C&C Complexity Thesis Committee Name Signature Date Peter Lutz Chair Jim Leone Committee Member Bo Yuan Committee Member Table of Contents Abstract .................................................................................................................................................................... 1 1. Introduction ........................................................................................................................................................ 1 2. Related Work &Background .............................................................................................................................. 4 2.1 Related Work ............................................................................................................................................... 4 2.1.1 Botnet Detection ................................................................................................................................... 4 2.1.2 Botnet Evaluation ................................................................................................................................. 5 2.2 Botnet C&C Architecture ............................................................................................................................. 5 2.2.1 Centralized Architecture ........................................................................................................................ 6 2.2.2 Decentralized Architecture ..................................................................................................................... 7 2.3 Botnet Selections & Overview ..................................................................................................................... 9 2.3.1 Agobot .................................................................................................................................................. 9 2.3.2 Asprox .................................................................................................................................................. 9 2.3.3 Bagle .................................................................................................................................................. 10 2.3.4 Bobax ................................................................................................................................................. 10 2.3.5 Conficker ............................................................................................................................................ 10 2.3.6 iKee .................................................................................................................................................... 10 2.3.7 GTbot ................................................................................................................................................. 10 2.3.8 Nugache.............................................................................................................................................. 11 2.3.9 Peacomm ............................................................................................................................................ 11 2.3.10 Phatbot ............................................................................................................................................. 11 2.3.11 SDbot ............................................................................................................................................... 11 2.3.12 Sinit .................................................................................................................................................. 11 2.3.13 Waledac ............................................................................................................................................ 11 2.3.14 Zeus .................................................................................................................................................. 12 3. Evaluation Methodology .................................................................................................................................. 12 3.1 Manual C&C Evaluation Tools & Processes ............................................................................................. 12 3.1.1 Infection Point .................................................................................................................................... 12 3.1.2 Imaging .............................................................................................................................................. 13 3.1.3 Packet Analysis .................................................................................................................................. 13 3.1.4 Evaluation Criteria ............................................................................................................................. 13 3.2 Lab Topology ............................................................................................................................................. 14 3.3 Botnet C&C Evaluation ............................................................................................................................. 14 i 3.3.1 Agobot ................................................................................................................................................ 15 3.3.2 Asprox ................................................................................................................................................ 16 3.3.3 Bagle .................................................................................................................................................. 18 3.3.4 Bobax ................................................................................................................................................. 19 3.3.5 Conficker ............................................................................................................................................ 20 3.3.6 iKee .................................................................................................................................................... 21 3.3.7 GTbot ................................................................................................................................................. 22 3.3.8 Nugache.............................................................................................................................................. 23 3.3.9 Peacomm ............................................................................................................................................ 24 3.3.10 Phatbot ............................................................................................................................................. 25 3.3.11 SDbot ............................................................................................................................................... 26 3.3.12 Sinit .................................................................................................................................................. 27 3.3.13 Waledac ............................................................................................................................................ 28 3.3.14 Zeus .................................................................................................................................................. 29 3.4 Complexity Matrix ..................................................................................................................................... 31 3.4.1 C&C Characteristic Definitions ......................................................................................................... 32 4. Historical Data ................................................................................................................................................. 34 4.1 Complexity Score ....................................................................................................................................... 34 5. Limitations & Future Work.............................................................................................................................. 35 6. Conclusion ......................................................................................................................................................