A bot is a computer controlled by malware without the consent and knowledge of the user - often called a zombie. A botnet is a network of bots controlled by a bot master. It is a key platform for for-profit fraud and other exploits.
A coordinated group of malware instances controlled via command-and-control (C&C) channels. C&C architectures: centralized (IRC, HTTP) or distributed (P2P).
Also: anonymized criminal/terrorist communication.
Traditional firewalls/NIDS identify obvious attack traffic (e.g. exploit payloads). Advanced monitoring is needed because: (1) botnet HTTP-based C&C looks like normal web traffic; (2) mobile devices compromised outside the perimeter bypass traditional defenses.
Bots use packers, rootkits, frequent updates. AV has no big picture; bots are long-term. Bots can detect honeypots.
Not scalable; mostly passive. Bots can discover and avoid honeynets.
Look at only specific aspects; exploit-based signatures.
Bot infection is multi-faceted, multi-phased. Bots are stealthy, dynamically evolving. C&C design is flexible. Static/signature approaches may fail.
Monitors two-way flows between internal network and Internet. Correlates inbound intrusion alarms with outbound patterns. Produces a bot infection profile. Vertical (dialog) correlation - infection lifecycle model.
A=Attacker, V=Victim, C=C&C. External stimulus alone cannot trigger alert; requires 2× internal bot behavior.
Statistical Scan Anomaly Detection Engine. Weighted scan detection: inbound (E1), outbound (E5). Bounded memory; failed connections to vulnerable ports = high weight.
Statistical payLoad Anomaly Detection Engine. Lossy n-gram (4-gram, 2048 vector). Detects suspicious payloads; lower FP than PAYL.
Snort/Bleeding Edge rules. e1–e5.rules: exploits, egg downloads, C&C, outbound scans.
Botnets can change C&C content (encryption), protocols (IRC, HTTP), structures (P2P), servers, infection models. BotMiner uses both vertical and horizontal correlation. Key insight: bots are for long-term use; communication and activities are coordinated/similar.
C&C link, IRC on specific ports, SMTP traffic - all indicative. Simultaneous identical DNS requests (not plain DNS) are suspicious. Noticeable performance reduction is not typical bot behavior (bots are stealthy).
Botnets use DNS for C&C location, malware hosting. Recursive DNS monitoring at ISP - analyze traffic from internal hosts to recursive DNS; detect abnormal patterns.
Botnet authors reuse SLD with many 3LDs (traceable purchases, stealth). Cluster 3LDs by name similarity and resolved IP subnets. Sum look-ups per cluster.
Bots resolve C&C immediately after boot. Exponential/spike arrival (time zones, schedules). Normal users have smoother patterns.
Botnet domains often random-looking (e.g. wbghid.1dumb.com). Long, random 3LDs. Train Bloom filter + Markov model; "new and suspicious" = not in filter, doesn't fit model.
Exploit-based: exponential. Email-based: exponential or linear. Drive-by: sublinear. Monitor popularity growth of suspicious names.
DynDNS CName can be updated to point to a sinkhole. Dnstop alerts on updates; redirects bots to researcher-controlled server for analysis.
Botnets can evade detection by manipulating patterns or using undetectable channels.
Manipulate communication patterns. Introduce random packets to reduce similarity between C&C flows.
Slow spamming. Use Gmail (HTTPS) for spam; download exe from HTTPS - encrypted, hard to inspect.