Erik Wu Damballa
Gunter Ollmann Damballa
Botnets, with efficient built-in Command and Control (CnC) mechanisms, have become and will continue to be a major threat to Internet security. To date, botnets have been adopted as the standard platform for adversaries to conduct economically and politically motivated cyber activities, ranging from simple Distributed Denial of Service (DDoS) attacks and identity theft through to sophisticated information exfiltration and corporate espionage.
In this paper, we present an in-depth analysis and profiling of 600+ active botnets circulating in the wild. Over a three-month period we detected and monitored this large group of botnets, cataloguing a vast amount of data. These observations provide a solid foundation for a better understanding, from many perspectives, of what real botnets are currently doing and how they operate, and they clarify some common misconceptions.
The 600+ botnets represent a diversified profile of the actual botnet threat landscape. We observed large botnets with half a million active participants and small ones comprising fewer than a hundred victims. It is worth noting that the majority of the botnets operated by cyber-criminals are in fact small ones. Further study indicates that existing methods of measuring botnet size, e.g. estimating it from malware infection distribution, are not accurate, since the actual botnet size can vary from one task mission to another: the same botnet may select and activate different subnets for distinct missions. Another interesting observation is that some botnets share common resources. For example, a compromised asset (endpoint host or server) can be recruited by more than one botnet at around the same time, so several bots, owned and managed by different botmasters, can co-exist within the same compromised asset. In this case it is necessary to differentiate the ownership of individual bots, as in "my bots are not yours!" On the other hand, some botnet operators claim exclusive use of the hardware and software resources, attempting to terminate and kick out other bots from their collection of victims.
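The two measurement points above (active size varies per mission, and one asset can belong to several botnets) can be made concrete on CnC sighting data. The following Python script is an added example written for this page, not code from the paper or from Damballa; it assumes a constructed log of (timestamp, victim address, botnet identifier) records, where each record means the victim was seen contacting that botnet's CnC. It contrasts the cumulative "ever infected" count with the per-day active count, and lists assets shared by more than one botnet.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sightings (not real data): (timestamp, victim_ip, botnet_id).
# Each record means victim_ip was observed contacting botnet_id's CnC at that time.
SIGHTINGS = [
    ("2010-03-01T10:00:00", "10.0.0.1", "botnet-A"),
    ("2010-03-01T10:05:00", "10.0.0.2", "botnet-A"),
    ("2010-03-01T10:07:00", "10.0.0.3", "botnet-A"),
    ("2010-03-02T09:00:00", "10.0.0.3", "botnet-A"),  # day 2: only a subnet is tasked
    ("2010-03-02T09:10:00", "10.0.0.4", "botnet-A"),
    ("2010-03-01T11:00:00", "10.0.0.2", "botnet-B"),  # 10.0.0.2 also hosts botnet-B
    ("2010-03-02T12:00:00", "10.0.0.5", "botnet-B"),
]


def parse(records):
    """Turn raw (iso_timestamp, ip, botnet_id) tuples into datetime-keyed tuples."""
    return [(datetime.fromisoformat(ts), ip, bid) for ts, ip, bid in records]


def cumulative_size(sightings):
    """Infection-count view: every victim ever seen with each botnet's CnC."""
    seen = defaultdict(set)
    for _, ip, bid in sightings:
        seen[bid].add(ip)
    return {bid: len(ips) for bid, ips in seen.items()}


def active_size_per_day(sightings):
    """Active view: distinct victims seen with each botnet on each calendar day.
    Returns {botnet_id: {'YYYY-MM-DD': count}}."""
    buckets = defaultdict(lambda: defaultdict(set))
    for ts, ip, bid in sightings:
        buckets[bid][ts.date().isoformat()].add(ip)
    return {bid: {day: len(ips) for day, ips in sorted(days.items())}
            for bid, days in buckets.items()}


def peak_active_size(active_by_day):
    """Largest single-day active population per botnet."""
    return {bid: max(counts.values()) for bid, counts in active_by_day.items()}


def shared_assets(sightings):
    """Victims that contacted more than one botnet's CnC (co-resident bots)."""
    owners = defaultdict(set)
    for _, ip, bid in sightings:
        owners[ip].add(bid)
    return {ip: sorted(bids) for ip, bids in owners.items() if len(bids) > 1}


if __name__ == "__main__":
    data = parse(SIGHTINGS)
    print("cumulative:", cumulative_size(data))
    print("active/day:", active_size_per_day(data))
    print("peak active:", peak_active_size(active_size_per_day(data)))
    print("shared assets:", shared_assets(data))
```

On the constructed data, botnet-A has four victims cumulatively but never more than three active on any day, which is the gap between infection-distribution estimates and the size actually tasked for a mission; 10.0.0.2 shows up under both botnets, the "my bots are not yours" case that a remediation queue has to attribute to two separate operators.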
To better describe the dynamic characteristics of real-world botnets and the severity of their malicious activities, we also discuss a novel scoring model and apply it to the analysis of the 600+ botnets. This scoring model offers a simple and intuitive way to measure a real botnet's capability for malicious destruction and its resilience to detection and removal, and it can aid the prioritization of enterprise-level remediation processes.