Download - All your bots are belong to us

Document Sample
Download - All your bots are belong to us Powered By Docstoc
					University of Bristol
Computer Science Department
Merchant Venturers Building, Woodland Road
BS8 1UB, Bristol, UK

                             Information Security Project

               All your bots are belong to us1

                                         Ben Organ – bo3161,
                                       Jonathan Isbell – ji3987,
                                    and Thomas Lyttelton – tl4803

                                                IS – Group 1


1“All your bots are belong to us” is a play on words from the text of a cut scene from the Sega Mega Drive
version of Zero Wing [57]. The phrase in the game is “All your base are belong to us” and has achieved iconic
status due to its poor translation into English.
                         All your bots are belong to us
                                          W HA T T HE F U TUR E HO L D S

                                  Ben Organ, Jonathan Isbell, Thomas Lyttelton

                                                December 15, 2007

Abstract                                                         addition, botnet owners frequently try to steal each
                                                                 other's bots to use them for their own criminal activity.
Botnets should be regarded as one of the single biggest
threats to security on the Internet today. These                 In recent years the scale of the problem has increased
networks of compromised computers are more powerful              dramatically. It is difficult to estimate the total number
than any of the world's supercomputers. They have been           of bots worldwide; MessageLabs, a company that counts
instrumental in the changing motivation of attacks from          spam, recently stopped counting bot-infected computers
pride to profit. The bot process can be likened to a             when the figure passed about 10 million because it could
                                                                 not keep up [2]. Vint Cerf estimates the number of
parasite; leaching resources from the infected host. The
                                                                 infected computers to be a staggering 100-150 million
flexibility and diversity of botnet uses should be serious
                                                                 [3]. This makes botnets more powerful than the top 500
cause for concern. Botnets are not being used to their
                                                                 supercomputers in the world [4]; perhaps not with
full potential; the recent attack on Estonia's Internet
                                                                 respect to available processing power, but certainly with
infrastructure merely hints at the capabilities of these         respect to bandwidth and memory.
massively distributed but hidden systems.
                                                                 Botnets have the potential to cause disruption on a
1       Introduction                                             massive scale, potentially undermining the trust people
                                                                 place in the Internet. Current estimates indicate some of
This paper examines how current botnets work and                 the biggest botnets are only being used at 10% of their
highlights possible methods for both their detection and         potential capacity [4].
prevention. Uses of botnets have been investigated to
give insight into how the technology may evolve in the           1.2     Relevance
future. Academic and commercial research in the area
has been reviewed for the technical details.                     Attacks are increasingly motivated by financial gain and
Contemporary news articles, from both the public                 are now serious criminal activities. This profit driven
domain and within the security community, are used to            model has bought about a whole culture of people who
show how the media portrays the subject matter.                  are involved [1]. Botnets are appealing to criminals
Several specific botnets were focused on to provide              because they are multipurpose. Their distributed, hidden
individual examples and give context.                            nature makes it easy to avoid getting caught. Money can
                                                                 be obtained through stolen details, spam or extortion.
1.1     What is a botnet?                                        Botnets can also be used for politically motivated
                                                                 attacks. In addition, large botnets are now being broken
A botnet is a distributed collection of bots controlled by       up into smaller ones and sold off to other criminal
a malicious party. The bots are computers which have             groups.
been compromised without the knowledge of the user,
usually through a security exploit. These zombie                 Botnets have previously not been seen as a big problem
computers can be controlled by the botmaster issuing             but this is slowly changing. Left unabated, botnets have
orders through a command and control network.                    the potential to cause massive damage, not only to their
Botnets can be used for a variety of illegitimate                targets, but to society as a whole as banks, Governments
purposes. They are commodities which can be traded on            and individuals become victims of crime which is very
the black market; recently this market has grown in size         hard to detect, let alone prevent.
and become more organised. Franklin et al. [1] give a
good overview of the scale and nature of the market. In

2       Technical details                                          an advert used a vulnerability in Adobe Flash to infect
                                                                   computers [13]. This could similarly apply to other
2.1     Overview                                                   widgets embedded into websites from an external
                                                                   source, such as web counters [11].
At a high level a botnet can be considered to function
like an ant colony. The colony (or botnet) consists of             2.3     Installation
many worker ants (or bots) that make no decisions of
their own but work in unison to fulfil the tasks assigned          Microsoft Windows has the largest user base so
to them. The queen ant (or botmaster) gives these                  understandably the majority of infected machines run
instructions.                                                      Windows. There are bots which target Linux, such as
                                                                   AgoBot, but only Windows will be considered here.
As with the life cycle of an ant there are several stages in
the life of a bot. These are infection, installation,              The initial file which infects the host is often just a small
command & control and finally their end use.                       downloader which connects to another server to get the
                                                                   actual bot. On infection the bot normally copies itself to
2.2     Infection                                                  the system directory and will try to disguise itself with a
                                                                   randomly generated name (e.g. SDBot) or one that
For a botnet to be effective, it requires a large number           appears to be authentic (e.g. Storm uses wincom.exe).
of infected hosts. Botmasters typically use many vectors           More advanced bots use undocumented features of the
to acquire them. The general approach is to present the            Windows API to hide their name from the process list in
user with a malicious binary in a disguised form and fool          the Windows Task Manager. They use several methods
them into executing it.                                            to ensure that they are run on startup, such as inserting
                                                                   values into the Windows Registry. They may also disable
Traditionally this has been an e-mail containing a URI or
                                                                   the firewall and anti-virus software [14] to prevent
attachment. The e-mail purports to be from a friend who
                                                                   detection and removal.
has sent an e-card or a trusted company, such as
Microsoft, with an update to a critical flaw. This has led         More recently, bot software has begun installing
to the improvement of spam filters, anti-virus and                 additional software onto infected computers to prevent
organisations blocking executable files in e-mails. Now            further infection by another bot. Examples include
bot writers are employing new methods, for example;                patching the vulnerability used to infect the machine
random generation of e-mail by taking snippets of news             and installing anti-virus software customised to run
articles [5] and using traditionally safe attachments              invisibly [14].
which exploit vulnerabilities in software such as Adobe
Reader [6], Windows Media Player and Outlook.                      2.4     Command and control
More advanced methods of infection include the use of              Once the host is infected and the bot has installed itself,
existing botnets to scan for remote vulnerabilities [7].           it will establish communication with the botnet and
Each bot is instructed to scan a different subnet for              await commands from the botmaster. Historically
vulnerabilities; their combined power allows large                 botnets have connected to an IRC server [15] and joined
segments of the Internet to be covered. This gives the             a secret channel. The botmaster is then free to issue
potential for exponential infection as newly infected              commands by sending messages to the channel.
bots join the scanning process. Examples of                        Examples of bots using IRC include SDBot and early
vulnerabilities include LSASS (MS04-011) [8], Microsoft            versions of AgoBot [7].
Server Service [9], unprotected NetBios, Microsoft ISS
and Microsoft SQL Server [10].                                     The centralised nature of IRC and the plaintext protocol
                                                                   make it possible to take down entire botnets by
Botmasters can also set up websites which exploit                  targeting the server. Many developers of bots have
vulnerabilities in the user's browser or trick the user into       begun adding peer-to-peer functionality to combat this.
believing they need a plug-in to view part of the website          One of the first known instances of a peer-to-peer
[11] [12]. Online advertising networks have been used by           botnet was a modified version of AgoBot called PhatBot
botmasters to get malware onto popular websites by                 [16], which used the WASTE protocol developed by
inserting malicious Javascript or an iframe in the page.           Nullsoft.
Of particular note is the case involving MySpace, where

WASTE [17] is an encrypted public-key peer-to-peer               infected host acts as a proxy by receiving HTTP requests
protocol designed for use by a small group of trusted            and returning a response obtained from the
users. To save distributing keys among the bots, the bot         “mothership”, a central computer controlled by the
writers choose to remove the encryption functionality            botmaster. In double fast flux the NS (name server) and
from WASTE. As a WASTE network has no centralised                A records are updated to point to an infected host so, in
server, the bots use public Gnutella cache servers to            the same manner, DNS requests are proxied to and from
register their existence. These are CGI scripts hosted on        the “mothership”. This makes it hard to shut down as an
webservers which Gnutella clients and bots can connect           infected host only responds to requests on the domain
to. Bots can be identified and connect to hosts from the         for a few minutes before it is replaced, meaning shutting
botnet since they use a non-standard port. As with IRC           down a single host is pointless. It also hides the
based bots, Phatbot joins a channel on the WASTE                 “mothership” serving the infected hosts, which makes it
network and listens for commands. However, WASTE                 difficult to locate and shut down.
was originally designed for networks containing a
maximum of 50 nodes and performance of the network               2.5     End use
drops when used to the scale of a typical botnet.
                                                                 The power of botnets, and what sets them apart from
More recent bots, such as Storm (a.k.a. Peacomm) [18],           their predecessors, is that they are not designed to carry
use modern more scalable peer-to-peer algorithms such            out one specific task – rather they are general purpose
as Kademlia. Storm specifically uses Overnet's                   and easy to update. This means that the botnet owner
implementation, which the eDonkey file sharing client            can use them for whatever they desire at the time; from
connects to (another notable implementation is                   sending spam e-mails or stealing credit card information
BitTorrent's trackerless protocol). Kademlia uses a              to launching distributed denial of service attacks.
distributed hash table to look up peers on the network.          Botnets have become one of the most important and
A specification can be read in [19].                             versatile tools for hackers, spammers and organised
The Storm binary is distributed with a list of
approximately 150 peers, which are nodes on Overnet.             Spam e-mail has been a problem for as long as e-mail
Overnet contains hashes for each file on the network.            has existed and, whilst a number of strategies have been
Once connected the bot searches for a hash, calculated           suggested to combat spam [22], it is still a problem.
from the current date and a random integer between 0             Botnets have made the problem of reducing spam
and 31 [20]. The search response contains a result hash          harder since they allow a spammer to use each bot in a
and an encrypted URI. The decryption key is hard-coded           botnet to send a few e-mails, resulting in thousands of IP
into the bot's binary and is used with the result hash to        addresses from which the spam originates. This makes
decode the URI. The URI points to a binary, which the            blocking the source IP address extremely difficult and
bot downloads and runs. This is used to perform tasks            time consuming [23]. It has been estimated that up to 60
and reschedules connection to the network.                       billion spam e-mails are sent every day [24], with over
                                                                 80% originating from botnets [2] [25]. The type of spam
Storm has many advantages over its predecessors. Using           sent out can be anything from phishing and
a peer-to-peer network removes the load on a central             pharmaceutical sales through to stock market pump and
IRC server, making it less detectable and more resilient.        dump scams. Pump and dump scams can be especially
Using Overnet means that the traffic is more difficult to        lucrative; spammers send out e-mails persuading people
block as it appears “legitimate”. Encrypting the URIs            to invest in a company, in which they own stocks [2].
makes it hard for people other than the botmaster to             Naïve recipients buy stocks, thus pushing up the value,
issue tasks.                                                     and the spammer cashes out their stocks. It is not
                                                                 uncommon for an attacker to earn thousands of pounds
Fast flux [21] is a method of mapping multiple IP                in a few days using this attack [26].
addresses to a single hostname. It is used to serve the
binaries which perform tasks on the Storm botnet as              Identity theft is another use of botnets. Keyloggers can
well as to host websites for phishing, spam and other            easily be installed on the bot computer and told to
end uses discussed in Section 2.5. In single fast flux the       snoop for certain account details; from World of
domain's A record, the DNS entry specifying the server IP        Warcraft logins [26] and trading accounts [2] through to
address, is updated to point to the IP address of a              Internet banking [27] and Paypal details. These details
different infected computer every few minutes. The

are harvested by the botnet owners and used for pure               (home of the popular blogging website TypePad) offline,
financial gain or for other illegitimate use.                      along with Tucows (a DNS provider). It also attacked
                                                                   Prolexic (a company who offer services to prevent DDoS
Although botnets are formed from home computers, the               attacks) via its DNS provider, UltraDNS [32]. Ultimately
sheer number of them makes them very powerful                      Blue Security was forced out of business and the sheer
together. This makes them ideal for computationally                scale of the attack was astonishing.
intensive tasks such as cracking cryptographic keys and
distributed brute force attacks [28], as well as for storing       A final use worth mentioning is using bots to click on
parts of illegal files, for use with BitTorrent for example.       paid advertising links such as Google AdWords or to
                                                                   install certain software [40], which earns attackers a
By far the most concerning use of botnets is distributed           small amount of revenue for each click or installation.
denial of service (DDoS) attacks. DDoS attacks can be              Using thousands of bots the criminal can quickly earn a
used to take revenge; to prevent a website being                   lot of money illegitimately. Google were recently sued
accessible; or to bribe the website owners and extort              for US$90 million for failing to guard against such abuses
money [29]. Typically DDoS attacks send TCP SYN, UDP               [32].
[30] or ICMP floods [31] to a specified address, which
overwhelms the server or firewall and prevents                     3       Countering
legitimate access. Some botnets of over a million nodes
could be capable of sending up to 24Gbps of traffic [32].          3.1     Detection

The attacks on Estonia in early 2007, supposedly as a              The nature of botnets makes it very difficult to establish
result of Estonia moving a war memorial [33], received a           accurate numbers of networks and infected machines
lot of media attention and bought the country to its               [2]. Botnets use a host of techniques to hide their
knees, as much of its infrastructure depends on the                presence and, unlike most malware, do not cause
Internet [34]. However, this attack was relatively small in        noticeable damage to the infected machine or generate
terms of power, with the largest attacks measuring                 a lot of traffic. Botnets are an international problem. A
around 90Mbps for over 10 hours [35]. The problem was              botmaster in one country will almost certainly be
that Estonia’s systems weren’t designed to cope with               controlling machines around the world. This can present
that kind of load [31]. There has been speculation as to           a host of legal problems.
who orchestrated the attack on Estonia; however, it is
unlikely to have been the Russian Government [36] since            If a researcher manages to count the number of
a serious attack by them would have been far more                  computers currently connected to an individual botnet
powerful [37].                                                     this number will probably not be accurate as many
                                                                   computers, in different time zones for example, will not
Other recent attacks have been many times the                      be online. There is also a growing trend to make botnets
magnitude of the Estonian attack. In February 2007                 much smaller, meaning if an entire botnet is removed
some of the root DNS servers came under attack [38]                then the botmaster is still in control of many other
and, although there was no drastic failure, it could be            machines. This also allows the botmaster to sell or rent
that attackers were testing out their botnets in                   individual botnets to other parties.
preparation for a much larger future attack. Some of the
most aggressive DDoS attacks to date have been against             Gathering information about botnets is an ongoing task
websites which try to prevent spam or botnets. Early in            and there are many parties doing it. Governments,
2007 the CastleCops website, a community of anti-spam              companies and several open source projects record
activists, came under attack by bots, with traffic peaking         information. Two of the main projects are The Honeypot
at almost 1Gbps [26]. The website was inaccessible for             Project [41] and ShadowServer [42].
several days. SpamHaus, another anti-spam website,
                                                                   Honeynets are often used to study botnets. A honeynet
also came under attack from the Storm worm, although
                                                                   is a network of honeypots, unsecured computers
it was perhaps an unintended target [18]. The security
                                                                   normally running a variety of different operating
firm Blue Security was forced out of business after a
                                                                   systems. These will be behind a computer monitoring
DDoS attack. The firm produced anti-spam software
                                                                   the traffic, called a honeywall, to ensure the computers
called Blue Frog, which lashes back at spammers by
                                                                   are not being used for spamming or a DDoS attack.
sending them messages [39]. In addition to Blue Security
                                                                   Several honeypot machines can be emulated by a single
itself, the DDoS attack also temporarily took Six Apart

machine using virtualisation technology. This has to be            3.2     Prevention
done carefully as the emulation software can be
detected by the bot process.                                       To counter botnets the individual infected computers
                                                                   can be cleaned. Unfortunately anti-virus software is
The idea of a honeynet is to act as a petridish, a target          often not enough; there is such a diversity of bot virus
for a variety of attacks allowing the researchers to study         code that the individual viruses may not be widely seen.
active bots; from infection, command and control and               The source code for many botnets is available on the
ultimately the attacks. Log files from individual                  Internet and it is very easy for botmasters to download
computers and the honeywall are gathered, making it                this and modify it to suit their needs. Surprisingly bots
easier to bring botmasters to court at a later date.               occasionally install anti-virus software and patch
                                                                   infected computers; it is not in the botmaster’s interest
There are several different types of honeypots, each               to have the computer infected by another bot [14].
with various levels of interaction. Low interaction
honeypots are totally emulated services that are unable            It can be difficult to determine if a computer is infected.
to become infected but can still be used to examine                A good indication of infection is the running speed of the
attacks. High interaction honeypots allow themselves to            computer; a large slowdown could indicate something is
be compromised and can gather far more information,                wrong [45].
but need to be watched carefully.
                                                                   Traffic can be used to determine if a computer is a bot
For a honeynet to be of any use it needs to be                     [45]. IRC traffic is not terribly common among average
introduced to infections; leaving unsecured processes              users and if a computer is part of a DDoS or spam
and an unpatched operating system is often sufficient.             operation there will be a large amount of requests or
Dummy e-mail accounts can pick up malicious e-mail                 SMTP traffic respectively.
attachments and links to websites. Browsing of the
Internet with an unpatched version of a browser can                Any bot process needs to have a startup mechanism.
also provide infections [11].                                      Checking system files and registry keys associated with
                                                                   the startup is an effective way of determining if a
After infection the honeynet can be used to learn                  computer has been infected. Unfortunately it is possible
patterns in the botnet traffic, the command and control            that the kernel, the lowest level of the operating system,
servers and information about the attacks in progress.             has been modified; if so it is much harder to determine if
Botnet processes are not static and botmasters can send            a root kit, a bot process, has been installed [46]. Once a
out updates for the bots to install. Since several                 computer is known to be clean it is important that anti-
honeypots are on the botnet, they will receive the latest          virus, with regular updates, and a firewall are installed.
                                                                   In a company or any environment with multiple
Honeynets are an extremely useful tool for learning                machines on a local network there are several
about botnets but they are by no means the only way.               precautions that can be taken [46]. Once again, traffic
Internet service providers and Governments are able to             analysis can be used to determine if any machines are
run large scale traffic analysis to discover trends. Viruses       acting suspiciously [45] or at strange times. Policy can be
used can be disassembled and analysed, often yielding              implemented ensuring that anti-virus is current and that
the command and control servers and infection vectors.             certain services are turned off.
Machine learning techniques can also be used to analyse
traffic and detect botnets [43].                                   Internet service providers can do much in the fight
                                                                   against botnets. They can monitor traffic on a large scale
Many botnets still use IRC [15] to communicate. This               and several use this to block botnet command and
means that humans are able to join the channel and                 control servers. They can also remove or notify
read the orders that the bots have been given [44], find           computers that they think have been compromised.
information about the user issuing the commands and                Unfortunately this can annoy users, who are unaware
perhaps even issue commands of their own. More                     their computer is a bot, and just see their Internet
advanced botnets have solved this problem by running a             connection disconnected. There is no clear incentive for
stripped down version of an IRC server, which does not             Internet service providers to remove infected users.
allow human users to join.

In an actual DDoS attack, for example the attack on               4.2     What needs to be done?
Estonia [47] in April 2007, Governments are able to
inform service providers and have computers removed               Botnets impact almost all aspects of the Internet; from
from the Internet.                                                users and businesses through to ISPs and Governments.
                                                                  Owners of botnets have even boasted that they could
Entire botnets can be broken up by targeting the                  compromise Google [32]. If the threat is not mitigated,
command and control server. White-hat hackers,                    the risk of a massive attack will remain and people may
individuals who use possibly illegal techniques for the           lose trust in the Internet, resulting in massive economic
benefit of others, have been known to distribute                  damage. Action needs to be taken carefully in order to
software to break up the botnet through the same                  avoid a potential large scale “cyberwar” between
channel that the botmaster uses to update the bots [48].          botnets and legitimate users, as this could cause a
With more sophisticated botnets this can be difficult, as         significant amount of collateral damage. Goth [55]
the commands are encrypted to ensure only the                     discusses some of the political discussions instigated by
botmaster, who has the encryption key, can issue them.            the Estonian attacks.

Botmasters can be brought to court if there is enough             Monitoring efforts need to be improved in order to get
evidence against them. Recently there have been several           better figures of the number of bots and to improve
high profile arrests of botmasters [49] [50] [51]. This has       detection. The security community also needs to keep
mostly been as a result of two large US Government                abreast of bot developments, including any new tactics.
initiatives; Operation BotRoast I and II [52]. So far             The recent high-profile Operation BotRoast has been
Operation BotRoast has identified one million infected            successful and has demonstrated that botmasters are
computers [53].                                                   not untouchable. Policy changes, such as a regular
                                                                  “home PC M.O.T.” proposed by Edwards [56], would be
4       Conclusion                                                valuable in the fight against botnets. As long as botnets
                                                                  remain profitable, they will exist. This can be addressed
The final section analyses where botnet technology
                                                                  by improved banking practices. Improving traceability
might be going next. We also highlight what needs to be
                                                                  will impede illegitimate funds changing hands. Education
done to raise awareness and ultimately stop botnets.
                                                                  of the problem is vital in the prevention of infection and
4.1     The future                                                increasing awareness of the threat. Preventing machines
                                                                  being infected in the first place will be a far better long
Increasing financial incentives have driven the                   term solution than curing infected computers and
development of botnets and their technology. This has             attempting to treat the symptoms.
led to robust, scalable and secure technologies being
used; such as name resolution services, for example               4.3     Summary
Storm uses Overnet, and caching as used by fast flux.
                                                                  We have introduced botnets and outlined how they
There has been a lot of progress in the field of peer-to-
                                                                  work, including how they can be used for financially and
peer networks; this has led to similar changes in botnet
                                                                  politically motivated attacks. We have covered methods
                                                                  to detect and counter them. Botnets will undoubtedly
An example of a next generation botnet is proposed by             develop and grow, and methods to counter them need
Wang et al. [54]. Distributed command and control                 to follow suit. It is vital that Governments, businesses
servers mean there is no single point of failure and the          and individuals pay attention and all work together to
actual scale of the botnet is masked. This system also            tackle the threat. One reason botnets have become so
uses public-key encryption to prevent hijacking.                  powerful is no-one is willing to take responsibility.

Recently, botnets have been split up and sold as                  Ultimately Government policy is needed to pursue and
commercial items to the highest bidder. Anyone with               prosecute the perpetrators. Banks and businesses need
sufficient money can rent out botnets for their own               to take action to combat botnets through educating
purposes, possibly resulting in new and unseen attacks.           their staff and implementing processes to make it harder
We believe that distributed attacks, such as cracking             for botmasters. The security community must keep up
cryptographic keys and denial of service attacks, will            with, and prepare for, future botnet developments. A
remain the most threatening use of botnets in the                 multifaceted approach needs to be taken if the problem
foreseeable future.                                               is going to be eradicated any time soon.

Bibliography                                                    [14] Stewart, Joe. SpamThru Trojan Analysis. 2006.
[1] Franklin, Jason, Paxson, Vern, Perrig, Adrian and           ru/
Savage, Stefan. An Inquiry into the Nature and Causes of
                                                                [15] Oikarinen, J and Reed, D. Internet Relay Chat
the Wealth of Internet Miscreants. 2007.
                                                                Protocol. IETF - Network Working Group. [Online] May
[2] Sullivan, Bob. Is Your Computer a Criminal? The Red         1993.
Tape Chronicles - [Online] 27 March 2007.
                                                                [16] Stewart, Joe. Phatbot Trojan Analysis. SecureWorks.
                                                                [Online] 15 March 2004.
[3] Weber, Tim. Criminals 'may overwhelm the web'.    
BBC News. [Online] 25 January 2007.
                                                                [17] Nullsoft. WASTE. [Online]
[4] Gaudin, Sharon. Storm Worm Botnet More Powerful
                                                                [18] Stewart, Joe. Storm Worm DDoS Attack.
Than Top Supercomputers. InformationWeek. [Online] 6
                                                                SecureWorks. [Online] 8 February 2007.
September 2007.
                                                                [19] Maymounkov, Petar and Mazières, David.
[5] Hidalgo, Amado. Trojan.Peacomm: Building a Peer-
                                                                Kademlia: A Peer-to-peer Information System Based on
to-Peer Botnet. Symantec. [Online] 19 January 2007.
                                                                the XOR Metric. Cambridge, USA, 2002. 1st International
                                                                Workshop on Peer-to-Peer Systems.
ml                                                              [20] Grizzard, Julian, Sharma, Vikram, Nunnery, Chris,
                                                                and Kang, Brent ByungHoon. Peer-to-Peer Botnets:
[6] Vaas, Lisa. Russian Crooks Spreading Gozi Trojan with
                                                                Overview and Case Study. 2007. In Proceedings of
PDFs. eWeek. [Online] 25 October 2007.
                                                                USENIX/HotBots 2007.,1895,2207447,00.asp
                                                                [21] The Honeynet Project & Research Alliance. Know
[7] Bächer, Paul, Holz, Thorsten, Kötter, Markus and
                                                                Your Enemy: Fast-Flux Service Networks. [Online] 13 July
Wicherski, Georg. Know your Enemy: Tracking Botnets.
Honeynet Project & Research Alliance. [Online] 13 March
2005.                      [22] Judge, Paul, Alperovitch, Dmitri and Yang, Weilai.
                                                                Understanding and Reversing the Profit Model of Spam.
[8] Germain, Jack. Sasser Worm Poses New Security
Threats. Tech News World. [Online] 4 May 2004.                   [23] Leyden, John. ISPs urged to throttle spam zombies.
                                                                The Register. [Online] 24 May 2005.
[9] Naraine, Ryan. Botnet Herders Attack MS06-040
Worm Hole. eWeek. [Online] 13 August 2006.
                                                                [24] Lee, Andrew. The new gangland? Oxford University
[10] Shannon, Heather. W32.HLLW.Gaobot.gen.
                                                                Press, March 2007, ITNOW, Vol. 49, pp. 8-9.
Symantec. [Online] 13 February 2007.             [25] Maywyshyn, Andrea. Penetrating the Zombie
sp?docid=2003-112112-1102-99                                    Collective: Spam as an International Security Issue. 4,
                                                                December 2006, SCRIPT-ed, Vol. 3.
[11] Provos, Neils, McNamee, Dean, Mavrommatis,
Panayiotis, Wang, Ke and Modadugu, Nagendra. The                [26] Zeltser, Lenny. So Long Script Kiddies. May 2007.
Ghost In The Browser Analysis of Web-based Malware.             Information Security.
2007. In Proceedings of USENIX/HotBots 2007.                    [27] Geer, David. Malicious bots threaten network
[12] Prolexic. Prolexic Zombie Report 2007. 2007.               security. 1, January 2005, Computer, Vol. 38, pp. 18-20.

[13] Vaas, Lisa. MySpace Worm Uses Fast-Flux to Dodge           [28] Keizer, Gregg. Custom-built botnet steals eBay
Detection. eWeek. [Online] 28 July 2007.                        accounts. Network World. [Online] 4 September 2007.,1759,2163609,00.asp   

[29] Stewart, Joe. This business of malware. 2,                  [44] Albright, Nicholas. Researching Botnets.
April/June 2004, Information Security Technical Report,          [45] Shadowserver. Botnet Detection. Shadowserver.
Vol. 9, pp. 35-41.                                               [Online]
[30] Freiling, Felix, Holz, Thorsten and Wicherski, Georg.
Botnet Tracking: Exploring a Root-Cause Methodology to           mation.BotnetDetection
Prevent Distributed Denial-of-Service Attacks. 2005.             [46] Dawada, Kumar. The Rootkit and Botnet menace.
[31] Lesk, Michael. The New Front Line: Estonia under            2006, Network Magazine.
Cyberassault. 4, July/August 2007, IEEE Security &               [47] Davis, Joshua. Hackers Take Down the Most Wired
Privacy, Vol. 5, pp. 76-79.                                      Country in Europe. Wired Magazine. [Online] 21 August
[32] Berinato, Scott. Attack of the Bots.             2007.
[Online] November 2006.                                               09/ff_estonia
ml                                                               [48] Sophos. Four years in a Chinese jail for virus writer
[33] BBC News. Estonia hit by 'Moscow cyber war'.                who created joss-stick worm. Sophos. [Online] 24
[Online] 17 May 2007.                                            September 2007.    
[34] BBC News. The cyber raiders hitting Estonia.                /09/fujacks-jail.html
[Online] 17 May 2007.                                            [49] BBC News. Arrests made in botnet crackdown. BBC              News. [Online] 30 November 2007.
[35] Nazario, Jose. Estonian DDoS Attacks - A summary  
to date. Arbor Networks. [Online] 17 May 2007.                   [50] Keizer, Gregg. Botnet Creator Pleads Guilty, Faces                 25 Years. TechWeb Technology News. [Online] 24
ddos-attacks-a-summary-to-date/                                  January 2006.
[36] Kerner, Sean Michael. Estonia Under Russian Cyber 
Attack? Internet News. [Online] 18 May 2007.                     [51] Keizer, Gregg. Dutch Botnet Suspects Ran 1.5             Million Machines. TechWeb Technology News. [Online]
8606                                                             21 October 2005.
[37] Rantanen, Miska. Virtual harassment, but for real.
Helsingin Sanomat, 2007.                                         [52] BBC News. FBI tries to fight zombie hordes. BBC
[38] BBC News. Hackers attack heart of the net. [Online]         News. [Online] 14 June 2007.
7 February 2007.                                                       [53] FBI. Over 1 Million Potential Victims of Botnet Cyber
[39] Spring, Tom. Spam Slayer: Bringing Spammers to              Crime. FBI. [Online] 13 June 2007.
Their Knees. PC World. [Online] 18 July 2005.          ,121841-                        tm
page,1/article.html                                              [54] Wang, Ping, Sparks, Sherri and Zou, Cliff. An
[40] Symantec. Botnets: not just for spamming anymore.           Advanced Hybrid Peer-to-Peer Botnet. 2007. In
[Online] September 2007.                                         Proceedings of USENIX/HotBots 2007.              [55] Goth, Greg. The Politics of DDoS Attacks. 8, 2007,
e/weblog/2007/09/                IEEE Distributed Systems Online, Vol. 8, pp. Art. no. 0708-
ml                                                               o8003.
[41] The Honeynet Project. [Online]                              [56] Edwards, Lilian. Dawn of the Death of Distributed                                         Denial of Service: How to Kill Zombies. 1, 2006, Cardozo
[42] Shadowserver Foundation. [Online]                           Arts and Entertainment Law Journal, Vol. 24, pp. 23-62.                                [57] Ashman, Alex. All Your Base Are Belong To Us. BBC
[43] Livasad, Carl, Walsh, Bob, Lapsley, David and               h2g2. [Online] February 2007.
Strayer, Tim. Using Machine Learning Techniques to     
Identify Botnet Traffic. 2006.


Shared By: