
The Analysis, Modeling and Detection of Botnet-based Hosting Services and Emerging Threats.

dc.contributor.author: Knysz, Matthew S.
dc.date.accessioned: 2013-02-04T18:04:39Z
dc.date.available: NO_RESTRICTION
dc.date.available: 2013-02-04T18:04:39Z
dc.date.issued: 2012
dc.date.submitted:
dc.identifier.uri: https://hdl.handle.net/2027.42/96007
dc.description.abstract: Botnets, vast collections of compromised computers (i.e., bots) under the control of botmasters, have become one of the greater threats facing the Internet community due to their versatility and financial appeal. Much of their success, financial and otherwise, can be attributed to four properties/strategies: stealth, since first and foremost bots want to remain stealthy in their infection and occupation, keeping botnet resources high; modularity, granting bots new functionality by allowing already infected machines to update their bot malware; Command and Control, permitting coordination and post-deployment modification of the botnet's functionality and behavior as needed for various scams or to evade detection; and content-delivery mechanisms, such as botnet-based hosting services and fast-flux (FF) DNS-advertisement strategies, which permit botmasters to serve scams and malicious content to victims for profit or for the purpose of swelling their botnet ranks. The dissertation addresses this stealthy aspect of botnets and the limitations it imposes, exploring botnets' primary content-delivery mechanism (botnet-based hosting services utilizing FF DNS-advertisement strategies) and the future mobile botnet threatscape emerging with the increase in mobile devices and wireless connectivity. It introduces and evaluates an automated enterprise solution, called RB-Seeker, for accurately detecting domains and bots involved in botnet-based hosting services. It grants insight into the global DNS-advertisement strategies and limitations of FF botnets by deploying DIGGER, a distributed DNS-monitoring system comprising hundreds of nodes spanning multiple continents, for an extended period of time, identifying intrinsic behavioral-detection features and evaluating whether current botnet resources are sufficient to mimic benign domains and evade detection. Finally, using real-world WiFi network locations, mobility traces and bus routes for the city of San Francisco, it simulates highly mobile botnets utilizing only open WiFi networks, demonstrating that they can pose a serious threat and provide an ideal mechanism for botmasters transitioning to the mobile landscape. This dissertation demonstrates that the powerful distributed systems granted by botnets can support numerous stealthy evasion tactics, requiring a more intimate knowledge of botnet resources and capabilities so that properties intrinsic to their functionality can be more effectively targeted and exploited. It gives valuable insight into these intrinsic properties and resource limitations of both current and future botnets, providing more resilient detection and disruption approaches.
dc.language.iso: en_US
dc.subject: Analysis, Modeling and Detection of Botnets
dc.subject: Fast-Flux Botnets
dc.subject: Defenses and Detection of Botnet Mimicry Attacks
dc.subject: Modeling and Mitigation of Mobile WiFi Botnets
dc.subject: Global Analysis of Fast-Flux Botnets and Their DNS Advertising Strategies
dc.subject: Automatic Detection of Botnets
dc.title: The Analysis, Modeling and Detection of Botnet-based Hosting Services and Emerging Threats.
dc.type: Thesis
dc.description.thesisdegreename: PhD
dc.description.thesisdegreediscipline: Computer Science & Engineering
dc.description.thesisdegreegrantor: University of Michigan, Horace H. Rackham School of Graduate Studies
dc.contributor.committeemember: Shin, Kang Geun
dc.contributor.committeemember: Mei, Qiaozhu
dc.contributor.committeemember: Halderman, J. Alex
dc.contributor.committeemember: Bailey, Michael Donald
dc.subject.hlbsecondlevel: Computer Science
dc.subject.hlbtoplevel: Engineering
dc.description.bitstreamurl: http://deepblue.lib.umich.edu/bitstream/2027.42/96007/1/mknysz_1.pdf
dc.owningcollname: Dissertations and Theses (Ph.D. and Master's)

