HONEYPOT TRACES FORENSICS: THE OBSERVATION VIEW POINT MATTERS. February 12th,

In this paper, we propose a method to identify and group together traces left on low interaction honeypots by machines belonging to the same botnet(s) without having any a priori information at our disposal regarding these botnets. In other terms, we offer a solution to detect new botnets thanks to very cheap and easily deployable solutions. The approach is validated thanks to several months of data collected with the worldwide distributed Leurré.com system. To distinguish the relevant traces from the other ones, we group them according to either the platforms, i.e. the targets hit, or the countries of origin of the attackers. We show that the choice of one of these two observation view points dramatically influences the results obtained. Each one reveals unique botnets. We explain why. Last but not least, we show that these botnets remain active during very long periods of time, up to 700 days, even if the traces they left are only visible from time to time.
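The following is an added illustration of the two observation view points described above; it is not code or data from the paper. The trace records are constructed, and the grouping rule (a (view point key, fingerprint) group counts as a candidate botnet once it contains enough distinct sources) is an assumption chosen to make the effect visible.

```python
from collections import defaultdict

# Constructed honeypot trace records (not data from the paper). Each tuple is
# (day, source id, source country, honeypot platform, fingerprint), where the
# fingerprint is the port sequence the source hit on that platform.
TRACES = [
    # Botnet A: sources spread over many countries, all hitting platform P1.
    *[(10,  "A%d" % i, c, "P1", "445|139") for i, c in enumerate(["DE", "FR", "US", "CN"])],
    *[(200, "A%d" % i, c, "P1", "445|139") for i, c in enumerate(["DE", "FR", "US", "CN"], 4)],
    *[(710, "A%d" % i, c, "P1", "445|139") for i, c in enumerate(["DE", "FR", "US", "CN"], 8)],
    # Botnet B: sources all in one country, spread over many platforms.
    *[(5,   "B%d" % i, "BR", p, "135|4444") for i, p in enumerate(["P1", "P2", "P3", "P4"])],
    *[(400, "B%d" % i, "BR", p, "135|4444") for i, p in enumerate(["P1", "P2", "P3", "P4"], 4)],
    # Background noise: unrelated single sources.
    (50, "N1", "DE", "P2", "22"), (60, "N2", "US", "P3", "80"), (70, "N3", "BR", "P1", "23"),
]

def group_traces(traces, viewpoint, min_sources=4):
    """Group traces by (view point key, fingerprint); keep groups with many distinct sources.

    viewpoint is "platform" (group by target hit) or "country" (group by attacker origin).
    The min_sources threshold is an assumed, constructed rule, not the paper's criterion.
    """
    key_idx = {"platform": 3, "country": 2}[viewpoint]
    groups = defaultdict(list)
    for t in traces:
        groups[(t[key_idx], t[4])].append(t)
    found = {}
    for (key, fp), ts in groups.items():
        sources = {t[1] for t in ts}
        if len(sources) >= min_sources:
            days = sorted({t[0] for t in ts})
            # span: days between first and last sighting, even if unseen in between
            found[(key, fp)] = {"sources": len(sources), "days": days, "span": days[-1] - days[0]}
    return found

def unique_per_viewpoint(traces):
    """Fingerprints revealed only by the platform view point, and only by the country one."""
    by_platform = {fp for _, fp in group_traces(traces, "platform")}
    by_country = {fp for _, fp in group_traces(traces, "country")}
    return by_platform - by_country, by_country - by_platform
```

On these constructed traces, botnet A is only visible when grouping by platform (its sources are too few per country) and botnet B only when grouping by country (its sources are too few per platform); A's sightings at days 10, 200 and 710 give a 700-day activity span despite long silent stretches.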
