A Novel Search Engine-Based Method for Discovering Command and Control Server

To solve the problem of botnet or advanced persistent threat malware covertly obtaining its command and control (C&C) server address, we propose a novel C&C-server address discovery scheme that works through search engines. The scheme is composed of five modules. First, the botmaster uses the publish module to post C&C-server IPs in diary entries on several free blogs on the Internet, so that these entries can be indexed by search engines (SEs). When an infected terminal becomes a bot, it uses the keyword production module to generate search keywords and submits some or all of them to SEs to obtain search engine result pages (SERPs). For the items in the SERPs, the bot applies a filtering algorithm to remove noise items and keep only the valid items whose abstracts contain C&C-server IPs. Finally, the bot uses the extraction and conversion module to extract these C&C-server IPs and convert them into binary format. The experimental results show that our proposed scheme is fully able to discover and obtain C&C-server IPs via various search engines. Furthermore, with a properly set threshold value for each SE, it extracts C&C-server IPs accurately and efficiently.
