Monday, March 12, 2007

A Multifaceted Approach to Understanding the Botnet Phenomenon

This paper is written by Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose and Andreas Terzis from the Computer Science Department of Johns Hopkins University. The authors attempt to clear the fog surrounding botnets by constructing a multifaceted and distributed measurement infrastructure. Over a period of more than three months, they used the infrastructure to track 192 unique IRC botnets ranging in size from a few hundred to several thousand infected end-hosts.

The paper makes two key contributions, namely:

1. the development of an infrastructure to capture and concurrently track multiple botnets, and

2. a comprehensive analysis of measurements reflecting several important structural and behavioral aspects of botnets.

The second section of the paper provides background information on botnets and highlights the challenges associated with botnet detection and tracking.

Section 3 describes the approach the authors developed to infiltrate large numbers of botnets, together with an approach for extracting the binaries collected using their distributed infrastructure.

Section 4 provides an analysis of the collected data.

To conclude, the paper's results are based on the following data:

1. Traffic traces captured at the local darknet over a period of more than three months.

2. IRC logs gathered over the span of three months, covering data from more than 100 botnet channels either visited by the IRC tracker or observed on the honeypot.

3. Results of DNS cache hits from tracking 65 IRC servers for more than 45 days.
