Measuring Botnets in the Wild: Some New Trends


Wentao Chang1 Aziz Mohaisen2 An Wang1 Songqing Chen1
1 2
George Mason University Verisign Labs
{wchang7, awang10, sqchen}@gmu.edu amohaisen@verisign.com

ABSTRACT machines [14, 16, 17] . While the passive analysis approach does
Today, botnets are still responsible for most large scale attacks on reveal much valuable information about particular botnet-related
the Internet. Botnets are versatile, they remain the most power- behaviors, some of the insight on longitudinal activities is absent
ful attack platform by constantly and continuously adopting new since the approach only considers a small portion of bots at a given
techniques and strategies in the arms race against various detec- time [28, 8]. Infiltration is another technique adopted in recent
tion schemes, . Thus, it is essential to understand the latest of the studies [4, 1, 10], where an actual malware sample or a client is
botnets in a timely manner so that the insights can be utilized in to simulate a bot. However, attackers have unfortunately learned to
developing more efficient defenses. In this work, we conduct a adapt, and most current botnets use stripped-down IRC or HTTP
measurement study on some of the most active botnets on the In- servers as their centralized command and control channels. It is
ternet based on a public dataset collected over a period of seven unlikely to obtain a lot of information about other bots by simply
months by a monitoring entity. We first examine and compare the joining the botnet. An effective effort to understand botnets would
attacking capabilities of different families of today’s active botnets. require reverse engineering, passive and active measurements.
Our analysis clearly shows that different botnets start to collaborate On the defense front, a lot of efforts have been made to detect
when launching DDoS attacks. bots and botnets. While many detection schemes have been de-
veloped [25, 16, 22], attackers have been constantly adopting new
technologies and improving their attacking schemes. For example,
1. INTRODUCTION various generations of botnets have been shown to use HTTP and
Botnets are one of today’s most challenging cybersecurity threats, P2P technologies, instead of IRC, for their operations [11, 15, 27].
and promise to remain a serious threat for many years to come. A The arms race between malware developers and defenders is
botnet is typically comprised of a network of infected machines endless. Thus, it is essential to continuously track and understand
called bots, which are often under the control of a malicious entity, the latest strategies of attackers in manipulating botnets for attacks.
called the botmaster. Botnets are notoriously known as one of the A timely understanding can provide important insights to guide the
primary attack platforms that cybercriminals use to carry out ma- building of effective defenses. To this end, in this study we perform
licious and harmful actions, such as distributed denial of service an in-depth analysis of botnet strategies based on recent botnet traf-
(DDoS) attacks, spam distribution, phishing, scanning and network fic, resources enumeration and activities profiling. Data used in this
exploration, against pieces of infrastructures and services. Reports study is obtained by utilizing active and passive monitoring, and us-
have highlighted the devastating operational impact, size, and con- ing state-of-the-art reverse-engineering and protocol analysis tech-
sequences that a botnet attack can bring to Internet services. For ex- niques for 23 different botnet families. The data obtained in this
ample, it was recently reported that a collection of just 3,000 open study is enriched by traffic observed at a large number of Internet
Domain Name System (DNS) resolvers were capable of generating vantage points on the Internet in about seven months of monitoring.
300 Gbps DDoS attack traffic [19], and taking down Spamhaus, a Our study reveals several interesting new trends of botnet man-
popular spam tracking service. agement. In this paper, our contributions include the following:
On the botnet analysis front, significant research efforts have
been made to gain a better understanding of the botnet phenomenon • We conduct a large-scale measurement study to investigate
and landscape. A common approach to study botnets is to perform botnet characteristics and describe botnet behaviors. The
passive analysis of abnormal behaviors produced by bot-infected analysis results help make better comprehension of the wide
variety of existent botnet families in the wild.
∗The views and opinions expressed in this paper are the views of
the author, and do not necessarily represent the policy or position • Some bots are dedicated and heavily re-used by different bot-
of VeriSign, Inc. net families. Similar collaborations are also found within
various generations of the same botnet family.
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
To the best of our knowledge, some of the insights and opera-
for profit or commercial advantage and that copies bear this notice and the full cita- tion aspects of botnets in this paper are not reported before. We
tion on the first page. Copyrights for components of this work owned by others than expect these results can help improve our understanding of botnet
ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or re- operations and devise new defense schemes.
publish, to post on servers or to redistribute to lists, requires prior specific permission The remainder of the paper is organized as follows. Section 2 de-
and/or a fee. Request permissions from permissions@acm.org.
scribes our dataset and section 3 presents characterization of botnet
ASIA CCS’15, April 14–17, 2015, Singapore..
Copyright c 2015 ACM 978-1-4503-3245-3/15/04 ...$15.00. families. In Section 4, we discuss the possibility of collaborations
http://dx.doi.org/10.1145/2714576.2714637. among the botnets by identifying reused bots, while Section 5 dis-

Table 1: Summary statistics of 16 Botnet Families Family Name Active Period Botnet Size 2. elasticity and activeness. find out those spikes can be attributed to some ongoing campaigns In our analysis. The small group owns less than 10 thousands bots. to have zero traffic within our col. DATASET Aldibot 11/01/12-03/24/13 12. such as Illusion.925 the taxonomy and classification of botnets by analyzing botnet be. Hosts par. Based on the botnet size.cusses related work. There are 24 hourly reports per day for each bot. Nitol and about 7 months. Redgirl.1 Botnet Size. we also examine the number of bots that are ILIES simultaneously online. to weigh the significance of different botnet families in regards to As previously mentioned. The medium group includes ilies in the wild. For active measurements and attribution. only a few spikes. Blackenergy. of their size. we techniques and standards available to estimate the size of botnets. stability. Darkshell. ing order. The left sub-figures show the number of live bots hourly. and 2) 100 K bots with unique IP addresses. 90% of bots found in our dataset are employed by these By tracking temporal activities of 23 different known botnet fam. Traces of traffic associated their lifetime by the specific botnet. Note the y-axis is in dataset. we can classify them of traffic is guided by two general principles: 1) that the source of into different groups. malware families Torpig 08/29/12-03/24/13 1. we simply count the number of unique IP addresses started during that time period. we exclude them from our analysis below. we examine the botnet families included in our number of simultaneous live bots over time. Thus. 20]. termed as “live bots”. of the potential attack capability because those bots may not be online simultaneously. Different from these approaches. via the cooperation of many ISPs all over the world. we observe a transient burst of live bots that are derived from two .418 niques. These efforts have mainly been done via passive Darkshell 08/29/12-03/24/13 4. the com- mand and control) are then enumerated and monitored over time.886 measurement or infiltration. we can use it sophisticated strategies being used by botnets. cumulative over past 24 hours. it 3. Optima and Zeus in descend- eavesdropping on C&C of the campaign using a live sample. and la. including Dirtjumper. While the monitor. Myloader. Stability. Pandora. botnet size is as large as 837 thousand for Dirtjumper or as small and analyzed to attribute and characterize attacks. we define the botnet size as As each botnet evolves over time.075 Armageddon 08/29/12-03/24/13 171 Some research efforts on botnet measurements have focused on Blackenergy 08/29/12-03/24/13 498. the live bots distribution over time can indicate them. The dataset is based Illusion 08/29/12-03/24/13 47.230 tructure to aid intelligence gathering concerning the state of the art Optima 08/29/12-03/24/13 362.343 ticipating in the given botnet.523 and control channels. and their activities are logged and analyzed. Figure 1 also shows a few steep spikes their impact on network security. Similar to the metrics used in [1]. Pandora 10/11/12-03/24/13 17. We conclude in Section 6 with a discussion about future work. they usually focused on specific Ddoser 11/13/12-03/07/13 35 botnets. besides the difference on the absolute numbers. Thus. new generations are marked by the total number of unique IP addresses that were once recruited in their unique (MD5 and SHA-1) hashes. The large botnet families own more than the traffic is an infected host participating in a botnet attack.859 havior and common characteristics. Zeus 08/29/12-03/24/13 175.157 of attack posture. Figure 1 shows the In this section. In net family.019 niques [12. Nitol 08/29/12-03/24/13 15. communication protocols and evasion tech. or to 100 thousands. While this is to be expected. Thus. the figure. large botnet families at least once. we found 7 of To some extent. doser. The 24-hour time span is counted Darkcomet. There are more than one counting for botnets in large groups. and Waledac. As the last column of Table 1 with various botnets are then collected at various anchor points on shows. such as architecture. command Conficker 08/29/12-03/24/13 667. Note that we ignore the case with and without certain live bots. our dataset is provided Dirtjumper 08/29/12-03/24/13 837. focusing on their attacking capacities from the perspective log scale. Armageddon and D- from time stamp of last known bot activity and time of log dump. The top figure depicts the sta- that multiple infected machines might hide behind the NAT and bility curve with all live bots from Blackenergy.937 beled to a known malware family using best practices. Since the botnet size does not give us a very accurate estimate 3. they are Yzf. Tdss. by either communicating with pieces of infrastructure infected by that malware family (e. By further looking into the data. Colddeath 08/29/12-12/19/12 1. and Elasticity raises a new question whether the relative stability in large botnets A first and very important metric to evaluate different botnets is is due to the same sets of bots being active all the time or more the number of bots that a botnet can utilize. Torpig. a total of 207 days. while there are more fluctuations in botnets in the medium and small groups. the botnet size of different families varies significantly. The the Internet. The collection as 35 for Ddoser. Aldibot. as concluded from Conficker. Darkcomet 12/02/12-03/24/13 4. while the right sub-figures show the corresponding results daily. the destination of the traffic is a targeted client. CHARACTERIZATION OF BOTNET FAM. Take Blackenergy as an exam- when estimating the size of botnets and the maximum number of ple.g. Yzf 08/29/12-02/11/13 7. the monitors of the company generate a log dump botnet families with the number of bots ranging from 10 thousands every hour from 08/29/2012 to 03/24/2013. using both active and passive measurement tech. the stability of the corresponding botnet family. As shown in Storm. from which treat them as one single IP in counting. namely Asprox.887 on Team Cymru’s constant monitoring of Internet critical infras. hourly and daily results indicate that the botnets in large group Table 1 summarizes some information of the 16 remaining botnet have maintained a relatively stable army of active bots by showing families. The set of bots or controllers listed in each report are descending order of their botnet size.260 used in launching various attacks are reverse engineered. ing unit targets the 23 most prevalent botnet families. both the lection window. Figure 2 compares the botnet stability curves for Blackenergy simultaneous online bots of a botnet.297 by the Team Cymru Community Service [26]. Gumblar. Colddeath.

The new curve unveils that when the Blackenergy size in a descending order. time frame. which reflect the potential attacking capability of botnets are moving to “botnets-as-a-service” [9]. bottom we draw the stability curve again excluding bots from those Figure 3 shows the elasticity result for all families—sorted by two botnets. which is the ratio of participate in a potential campaign.g.g. Therefore. In the comparison figure at the the maximum number over the minimum number of live bots. the number of live bots elasticity decreases with the decreasing botnet size. to engage in certain attacks. the is not instructed to participate in campaigns. A plausible explanation would be Conficker. From the defense perspective. when the botnet is instructed the more elastic a botnet. As indicated by the figure. compared to other large botnets.. usually a couple of days. particularly as today and the stability. Number of Unique IPs (log) 15 15 (a) (b) Dirtjumper 10 Conficker 10 Blackenergy Optima 5 5 Zeus 0 0 2012−08−29 2012−10−19 2012−12−10 2013−01−31 2013−03−24 2012−08−29 2012−10−20 2012−12−11 2013−02−01 2013−03−24 Time (hours) Time (days) 10 10 Number of Unique IPs (log) (c) (d) Illusion Pandora 5 5 Nitol Aldibot 0 0 2012−08−29 2012−10−19 2012−12−10 2013−01−31 2013−03−24 2012−08−29 2012−10−20 2012−12−11 2013−02−01 2013−03−24 Time (hours) Time (days) 6 8 Number of Unique IPs (log) (e) Yzf (f) Darkshell 6 4 Darkcomet Colddeath 4 2 Torpig Armageddon 2 Ddoser 0 0 2012−08−29 2012−10−19 2012−12−10 2013−01−31 2013−03−24 2012−08−29 2012−10−20 2012−12−11 2013−02−01 2013−03−24 Time (hours) Time (days) Figure 1: Botnet stability of three groups (based on botnet size) Include all bots 10 Number of Unique IPs (log) 10 (a) Botnet Elasticity (log) 8 5 6 0 2012−08−29 2012−09−27 2012−10−27 2012−11−25 2012−12−25 2013−01−23 2013−02−22 2013−03−24 4 Exclude bots from known active campaigns Number of Unique IPs (log) 8 (b) 6 2 4 0 l r r y a s n a t f ll t h g n r pe cke erg tim Zeu sio dor Nito ibo Yz she me eat rpi do ose 2 t j um nfi ken Op I llu Pan A ld a o o rk rkc ldd T ge Dd d 0 r C o D Da Co a 2012−08−29 2012−09−27 2012−10−27 2012−11−25 2012−12−25 2013−01−23 2013−02−22 2013−03−24 Di ac m Time (days) Bl Ar Figure 2: Simultaneous live bots of Blackenergy Figure 3: Botnet Elasticity specific botnets.. the more capable a channels). The number of live bots can surge within a very short botnet is upon a demand for attacks. for business) or the communication (e. a well managed botnet could rapidly recruit new bots in the order of hundreds of 3. An exception is keeps at a relatively stable level. we de. Another important aspect to examine botnets’ activity is to . In our observation.2 Botnet Activeness thousands. C&C vice perspective. botnets. overall. that the botnet requires a minimum number of live bots to preserve Conficker maintains a very stable army of bots. From the ser- its presence (e. This is another important perspective when we evalu. the harder to shut it down. The size of a botnet is one aspect of botnet activity: the scale ate the potential of a botnet’s attacking power. the larger the elasticity value. As Figure 1 shows. We speculate those two botnets are very likely to fine another metric elasticity of a botnet.

thus the total number of reused bots might 50 contain some false positives. are very slim if we assume those 256 IPs are assigned to normal and net families over time. we consider the bot as a reused bot. Torpig and Yzf Even within the same family. First. a second aim is to understand the status of those families present a mix of continuous and periodical patterns. the NAT Illusion. Nitol. or 320. While the top 5 botnet families in botnet innocent machines of Internet users. Colddeath nets identified by the unique botnet ID in our dataset). to maintain a what botnet family employs them. we group Dirtjumper IP addresses into /24 subnet.. the mixture of continuous and periodical patterns is likely The top 6 active families we identified in Section 3 are our candi- to be the outcome of arms race between defenses and attacks. thus reducing the total number of IPs 2012−08−29 2012−09−28 2012−10−28 2012−11−27 2012−12−27 2013−01−26 2013−02−25 2013−03−24 Time (days) to 78. some subsets of bots are also reused stay active over 50% of time. In other words. one interesting observation we have is the presence ported in our dataset for more than 200 days out of 207 days. After performing a cross- 16 families are extremely active and their activities are re. family analysis. Conficker. are classified imply a possible inter-family and intra-family botnet collaboration. hosts in our data collection to detect the existence of hidden rela- They are listed in the descending order of botnet size. i. Dirtjumper. pay-per-install) [7].e.000 (about 85% Conficker reduction). They of a fair amount of reused bots – bots used by multiple botnet fami- are Blackenergy. effect. including Dirtjumper. whose activity is less than 104 days.369). Table 1 shows the activity periods of observed botnets in One of the most challenging facets of the botnet behavior prob- our dataset. We cross-compare specific botnet families to highlight a set of Ddoser reused bots and monitor their participation in the botnet activities. lem lies in discerning the relationship among (seemingly) different To further characterize botnet activeness. and Zeus. Second. bots over time to reveal possible inter-family collaboration behav- sidering that many effective detection and defense tools are already iors. the defender could blacklist grouping based on botnet size. Conficker. in use. we closely track is because bots are taken down in random pace. we perform two data pre- Pandora Illusion processing steps. are almost constantly active in our observa. we aim to identify Optima. large. The other 3 families. lies. This dates for inter-family collaboration. which could be potentially due to multiple infections. we aim to identify bots that are reused across different families. size. which pe cke erg tim Zeu sio dor Nito ibo Yz she me eat rpi do ose t j um nfi ken Op I llu Pan A ld a o o rk rkc ldd T ge Dd d will also increase false positive rates of our classification. as marginally active families. The rest of botnet sets of bots exist. Blackenergy. Optima Blackenergy thus reducing the total number of bots to about 320.and medium-sized botnets also tend to be more active than the small-sized botnets. they are recruited and are operated concurrently by guide the process of bots recruitment. and botnets keep every subnets in our dataset to record the time of their activity and recruiting new ones to compensate. Aggregation of IPs into /24 subnets might inevitably in- troduce some false positives when two or more different IPs within Figure 5: Botnet family activeness pattern the subnet are infected by different botnet families. BOTNET COLLABORATION activity. Accordingly. 4.837 subnets that are reused tion period.. the duration of their 4. one-to-one mapping. we examine the infected total number of days for each family those live bots remain active. To this end. However. there’s a slim chance that the same IP might be randomly assigned later to 0 r r y a s n a l t f ll t h g n r another bot that happens to be infected by a different family. But the chances Figure 5 further shows the activeness pattern of different bot. Aldibot. those families. whether there exists a subset of the 78. Also if such ity pattern over the entire observation period.1 Inter-family collaboration 200 As a first step analysis. Darkcomet. we try to reduce the number of candidate bots that Aldibot Nitol we need to closely track. In our inter-family collaboration analysis. as the first step of inter-family collabora- Yzf tion analysis. To make the figure more informative and to ac- . r C o D Da Co a Di ac m the analysis shows that the percentage of reused bots over all bots Bl Ar is relatively significant (14%. we filter out all bots that have not been Zeus shown to be used by more than two families over their life-cycle.see whether or not a botnet is always live. 6 families (including Armage. there’s a pos- sibility that those machines are plagued by more than one botnet family over 7 months. Moreover due to DHCP. Armageddon Torpig Since the total number of unique bots identified in our dataset is Colddeath over 2. We consider them moderately by different botnets (a family often contains multiple different bot- active families. To highlight this issue. we plot in Figure 4 the botnet families. by various combinations of different botnet families. or due to using paid infrastructure (i. Pandora. We assume that if the same simple continuous or periodic pattern is a non-trivial task. 7 out of tionships among the families we tracked. because bot is recorded active in the past 24 hours by two or more differ- it would require some defense-aware strategies from the botnet to ent families. much Figure 4: Botnet Activeness higher than what would result from coincidence.837.280. ddon.e. The findings and Ddoser. Con. using the outcome of the first step. Note that we are aware that multiple infected physical 100 machines (bots) might operate behind a single NAT. In our analysis. we assume each IP ad- Number of Days Active dress serves as the unique identifier of a bot and if the same IP 150 is ever used by different botnet families. In conjunction with family By identifying the set of reused bots. Optima and Zeus. Darkshell.2 million and the majority of them have been employed by Darkcomet Darkshell only one botnet family.340 out of 2. Aldibot and Ddoser show clear intermittent activ. we notice that although there is no attacking machines in cost-effective ways.

Figure 8: Intra-family collaboration for Zeus 4.229.57. we find significantly more /24 subnets are detected as reused ferent colors shows which botnet the subnet is involved in.190. we cross-compare the set of active bots 7 from different botnet identifiers over time. the x- and aaa. We suspect 0 0 that they could be an immediate reaction to a bot take-down event 2012−09−142012−10−032012−10−202012−11−062012−11−232012−12−102012−12−272013−01−132013−01−302013−03−022013−03−19 Time or a proactive detection evasion measure. each dot with dif- ilies.68. the subset aaa. it is evident that activities of both bot- the grouping of reused subnets more visually impressive. while some other botnet identifiers show a clear temporal pattern. different campaign. Although these two botnet identifiers own tified by a unique botnet identifier) within the same family collab. Figure 7 shows the collaborations of two botnets with different sis of all top 6 families. if the reused subnets do not engage in collaboration operations more Figure 7: Intra-family collaboration for Blackenergy than 25% of our observation period. Figure 8 describes the collaborations of two botnet identifiers tion. The x-axis shows the time (207 days) while both botnets. and all traffic to participate in another. and the y-axis on the right represents the count of bots investigating inter-family collaboration between the other four fam.xxx) are active more than 95% of time and they are botnet1 collaboration count botnet2 collaboration count the backbone of inter-family collaboration between those 4 fam. For each family. Another interesting finding from the figure is the shift of 196 1463 activity from one or many subsets to another set of subsets. nets are synchronized. Another finding is that a dedicated group of cent 2000 subnets are painted in the same color. We plotted two more curves for each botnet involved the y-axis represents the corresponding subnet index in our subnet in collaborations: the number of live bots for each botnet and the set. involved in the collaboration. In this figure. In this section.xxx∗ ) that are 75% of the time employed by those axis represents daily timestamps when collaboration happened.232. For the scatter plot. we do not include them or show them in the figure. Families Armageddon and Torpig re. This evident successor 56 418 relationship suggests that the shift was not just a random incident 28 209 but a deliberate action premeditated by a botmaster. We suspect the root cause is that the same set of bots are instructed port botnet activity from only one botnet generation. y) point in the scatter plot. the adja.xxx) that were 112 836 never reused before become reused in collaboration and served as 84 627 the replacement of those 2 ceased subnets.36. y-axis on the left represents the index of subnet involved in the col- When excluding Conficker and Zeus from our analysis and only laborations. 4 families more than 75% of time. 4 x 10 in inter-family analysis. We can observe bots that are reused by both botnets are responsible for the spikes from Figure 6 that a significant number of subnets are reused by all in the curve. In our inter-family collaboration analy. conduct our trace analysis on 13 out of the 16 most active botnet and suddenly nearly all of those bots are transferred to botnet 2. We depict concurrently reused /24 subnets and their status black color means that those subnets are employed concurrently by over time in Figure 6. pattern suggests that botnet 1 and botnet 2 are likely to be managed we have a list of botnet identifiers derived from different malware by the same botmaster. 10. This evident temporal for Conficker targets a DNS sinkhole server. and the ones. To make curve and the live bots curve.38. In comparison of the collaboration given time x. the 6 families. That is. For 168 1254 example. we mark the (x.216. from the family Zeus. . signature. 2013.xxx 252 1881 and aaa. we rently. Similar to the methodology we used net. The measurement re- sults show that some botnet identifiers have extremely high concur- 6 rent usage rate over the same set of bots. 224 botnet1 total count 1672 botnet2 total count ilies.xxx identifiers within the Blackenergy family. and aim to understand how different botnet generations (iden.57. with a difference in their code base that resulted in a different ∗ The first 8-bit segment of IP address is hidden for anonymization. those bots are rarely used concur- orate closely by reusing the same set of bots. Subnet Index 5 4 3537 351 botnet1 collaboration count botnet2 collaboration count 3 3144 312 botnet1 total count botnet2 total count 2751 273 2 2358 234 1 Subnet Index Bot Count 1965 195 0 2012−08−29 2012−09−21 2012−10−14 2012−11−06 2012−11−29 2012−12−22 2013−01−14 2013−02−06 2013−03−01 2013−03−24 1572 156 Time 1179 117 Figure 6: Activity of reused bots over four families 786 78 curately pinpoint subnets that are constantly reused or dedicated 393 39 as collaboration resources. When the subnet y is concurrently reused by all 4 families at a number of collaborating bots. they are essentially the same bot- signatures from the dataset. we focus on intra-family collabora.0. there are only two subnets (aaa.107. Thus.xxx was heavily reused to engage Subnet Index Bot Count 140 1045 in botnet activity until approximately day 79.2 Intra-family collaboration In our second step analysis. 0 2012−08−27 2012−09−06 2012−09−16 2012−09−26 2012−10−06 2012−10−16 2012−10−26 2012−11−05 2012−11−15 2012−11−25 0 Time old to rule out less contributing resources (/24 subnets). They were solely used by botnet 1 before Feb. Two subnets (aaa.215.36. and suddenly two ad- jacent /24 subnets (aaa. families in our dataset. a large number of the same bots.xxx and aaa. we set a minimum occurrence thresh.215.

and K. To facilitate the botnet detection and provide effective [9] W. and C. Youssef. S. Bothunter: Detecting malware infection through ids-driven 6. [6] H. Bacher. and reveal several new trends [16] G. the Google Click Quality. The trend that the state-of-art botnets have become more and Cambridge. Spamhaus suffers largest ddos observations and insights of today’s botnets. A. pages 171–191. Gu. In USENIX LEET. P. malware. Kotter. C. Botnets have been widely used for various Internet attacks. 2012. Team cymru community services. Y. and activity patterns of botnets. Teams. a taxonomy study of botnet structure based on their utility to the [10] C. and D. toring [1]. P. 24]. zeus botnet crimeware toolkit. M. Song. B. F. J. ACM. Characterizing the remote The nepenthes platform: An efficient approach to collect control behavior of bots. Steiner. M. Hoeflin. detection. [12] conducted 2014. In USENIX Security. R. Wide-scale [1] M. In CCS. Lu. Peer-to-peer botnets: Overview and case study.5. Some other security re. better than yours): why size estimates ever. to evade from being detected. and D. pages 151–160. Rexroad. Conficker and beyond: a large-scale http://www. and leverage the more stable P2P based communication architec. Daswani. On the analysis of the peer-to-peer botnet. G. and V. B. [3] P. Botnet: classification. . IEEE. 15] to avoid single point of failure. In PST. cial monitoring unit for about seven months. Z. [26] Team Cymru. Caballero. botmaster in 2007. 2005. Zou. Jingyuan. phenomenon. today botnets are very versatile and command and control channels in network traffic. V. In USENIX Security. Dornseif. In of top level ISPs. Lee. 2010. REFERENCES preventive measures. Levy. and H. and W. M. In USENIX LEET. In NDSS. In USENIX HotBots. it is crucial to Characterizing botnets-as-a-service. TDSC. Springer. Dagon et al. also offer timely help for botnet detection and defenses. than yours (maybe. M. Mitchell. Lee. Cambridge. and F. and A. Holz. research survey. 2. A botnet detection and characterization. page 12. 2006. [25] E. further complicates the detection and defense mecha. empirical study. 2007. pages 165–184. Barford and V. [4] P. M. enemy: Tracking botnets. Kreibich. and also ranked botnets based on key measure. Lee. Y. and 7. and putting one specific botnet family under the microscope [6. A. [2] M. Zarfoss. searchers endeavor to conduct an in-depth case study of botnet by [11] N. [28] Z. Holz. V. 2010. J. Andrade and N. T. Yegneswaran. Such results not only attack in history – entire internet affected. multiple well-known botnet families. pages 585–586. March 2013. Caballero. Know your [23] J. Holz. we have performed an [18] T. 23. [27] P. Sinha. with the assistance D. L. T. [22] A. Grier. Poosankam. C. Monrose. MA. Fabian and M. In USENIX HotBots. adaptive by constantly and continuously adopting new techniques 2008. Fong. develop methods for revealing more properties of botnets. Some recent by irc nickname evaluation. Insights from the inside: A view of botnet management from ment metrics they proposed on botnets. 621–634. Guofei Gu and W. P. Dagon. Mohaisen. X. Nunnery. Abu Rajab. D. of the most active 16 botnet families. [20] L. Malware Detection. Grizzard. S. In USENIX HotBots. Grier. Chang. D. Song. In this study. The anatomy of clickbot. T. Chen. M. Arbor. pages common techniques: infiltration [3. EURASIP JWCN. C. V. but http://bit. in-depth analysis of botnet behavior patterns based on a large botnet Measurements and mitigation of peer-to-peer-based botnets: dataset collected from various Internet anchor points by a commer. April 2007. of botnet structures. Nazario. CONCLUSION dialog correlation. In our work. T. ACM. content. G. MA. To [17] G. S. 2007. infiltration. [14] J. Terzis. Rishi: Identify bot contaminated hosts ture [27. Wang. Chen. Jing. Porras. Kang. May 2013. In ACSAC. multifaceted approach to understanding the botnet volume 7. [24] S. Karasaridis. J. Terzis. Boukhtouta. Ormerod. such as [15] J. and L. 2009. Cho. Moshchuk. In USENIX Security. In RAID. nisms. add to the existing botnet literature for a better understanding. A. pages 8–8. 2007. 2007. pages 1–1. work focused on large scale measurements of network traffic to Cambridge. Wicherski. Vlajic. C. Paxson. Zhang. and W. In IMC. 2007. Caballero. Measuring pay-per-install: The commoditization of malware distribution.ly/1bfx3ZH. E.team-cymru. Paxson. In DIMVA.org/papers/bots. P. and D. Botnet 2010. A. Fu. Deville. Many existing botnet studies [21. Gu. numerous new botnets begin to use http-based C&C channels remain challenging. and S. M. Blackenergy ddos bot analysis. Shin and G. David Dagon. Kreibich. In ACSCA. P. Freiling. 18. 2006. 2011. 2007. 2007. In Proceedings of the have a good understanding of botnets in the wild including their 2014 ACM conference on SIGCOMM. 10] and passive traffic moni. J. Z. Springer. Dirt jumper: A key player in Spyproxy: Execution-based detection of malicious web today’s botnet-for-ddos market. more sophisticated and applied various evasion techniques to hide [12] C. and Z.a. An advanced hybrid A. ACM. C. 2007. Yang. B. Goebel and T. 5] are targeted at the most [13] M. Stinson and J.honeynet. RELATED WORK [8] J. and their size [13] and activeness [24]. we observed large-scale bot activity data from USENIX HotBots. M. Yegneswaran. A taxonomy their activity. In WorldCIS. In COMPSAC. F. To collect and analyze bots. Freiling. Wang. pages 31–38. Kaveh. C.org/Monitoring/. 2009. My botnet is bigger common IRC-based bots relying on a centralized control. Roberts. Koetter. and G. Wang. IEEE. tracing. C. B. [7] J. Dahl. Holz. Botsniffer: Detecting botnet remain active and profitable. Botnets pose one of the most severe threats to the health of the Dispatcher: Enabling active botnet infiltration using Internet. Sharma. Baecher. IEEE. 7(2):113–127. Gu. In USENIX HotBots. Binsalleeh. By analyzing the data pages 1–9. Biersack. researchers widely utilize two automatic protocol reverse-engineering. Bragin. 2007. Debbabi. Zhu. pages 967–972. volume 8. A case study on storm worm. Han. An inside look at botnets. countermeasures against malicious botnet activities. Stoppelman. [21] A. Sparks. C. and F. A. 2008. Hongmei. 2010. behaviors and coordination strategies. 2008. 2007. [5] P. we have reported some new [19] Info Security Magazine. Gribble. How. attacks. MA. In http://www.