Dispatcher: Enabling active botnet infiltration using automatic protocol reverse-engineering

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2009, Pages 621-634

  Caballero, Juan ^a   Poosankam, Pongsin ^a   Kreibich, Christian ^b   Song, Dawn ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b ICSI

Author keywords

Binary analysis; Botnet infiltration; Protocol reverse engineering

Indexed keywords

BINARY ANALYSIS; BOTNET INFILTRATION; BOTNETS; COMMAND-AND-CONTROL; CURRENT TECHNIQUES; MALICIOUS ACTIVITIES; MESSAGE FORMAT; PROTOCOL INFORMATION; PROTOCOL MESSAGE; PROTOCOL SPECIFICATIONS; SECURITY APPLICATION;

NETWORK PROTOCOLS; REENGINEERING; REVERSE ENGINEERING; SEEPAGE; SEMANTICS; SOIL MECHANICS;

NETWORK SECURITY;

EID: 74049095923     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1653662.1653737     Document Type: Conference Paper

References (49)

1. AMD64 architecture tech docs. http://www.amd.com/us-en/Processors/ DevelopWithAMD/0,,30-2252-875-7044,00.html.
2. How Samba was written. http://samba.org/ftp/tridge/misc/french\-cafe.txt.
3. Icqlib: The ICQ library. http://kicq.sourceforge.net/icqlib.shtml.
4. Intel64 and IA-32 architectures software developer's manuals. http://www.intel.com/products/processor/manuals/.
5. The ISO/IEC 9899:1999 C programming language standard. http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1124.pdf.
6. Libyahoo2: A C library for Yahoo! Messenger. http://libyahoo2. sourceforge.net.
7. Marshal8e6 security threats: Email and web threats. http://www.marshal. com/newsimages/trace/Marshal8e6-TRACE-Report-Jan2009.pdf.
8. MSDN: Microsoft developer network. http://msdn.microsoft.com.
9. MSN Messenger protocol. http://www.hypothetic.org/docs/msn/index.php.
10. Spotlight on bots: The worldŠs most un-wanted bots. http://nortontoday.symantec.com/features/spotlight-on-bots.php.
11. The unofficial AIM/OSCAR protocol specification. http://www.oilcan.org/ oscar/.
12. Wireshark. http://www.wireshark.org/.
13. R. Bajcsy, T. Benzel, M. Bishop, B. Braden, C. Brodley, S. Fahmy, S. Floyd, W. Hardaker, A. Joseph, G. Kesidis, K. Levitt, B. Lindell, P. Liu, D. Miller, R. Mundy, C. Neuman, R. Ostrenga, V. Paxson, P. Porras, C. Rosenberg, J. D. Tygar, S. Sastry, D. Sterne, and S. F. Wu. Cyber defense technology networking and evaluation. Communications of the ACM, 47(3), 2004.
14. M. A. Beddoe. Network protocol analysis using bioinformatics algorithms. http://www.baselineresearch.net/PI/.
15. N. Borisov, D. J. Brumley, H. J. Wang, and C. Guo. Generic application-level protocol analyzer and its language. In Network and Distributed System Security Symposium, San Diego, CA, February 2007.
16. J. Caballero and D. Song. Rosetta: Extracting protocol semantics using binary analysis with applications to protocol replay and NAT rewriting. Technical Report CMU-CyLab-07-014, Cylab, Carnegie Mellon University, October 2007.
17. J. Caballero, S. Venkataraman, P. Poosankam, M. G. Kang, D. Song, and A. Blum. FiG: Automatic fingerprint generation. In Network and Distributed System Security Symposium, San Diego, CA, February 2007.
18. J. Caballero, H. Yin, Z. Liang, and D. Song. Polyglot: Automatic extraction of protocol message format using dynamic binary analysis. In ACM Conference on Computer and Communications Security, Alexandria, VA, October 2007.
19. X. Chen, J. Andersen, Z. M. Mao, M. Bailey, and J. Nazario. Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In International Conference on Dependable Systems and Networks, Anchorage, AK, June 2008.
20. K. Chiang and L. Lloyd. A case study of the Rustock rootkit and spam bot. In Workshop on Hot Topics in Understanding Botnets, April 2007.
21. J. Chow, B. Pfaff, T. Garfinkel, K. Christopher, and M. Rosenblum. Understanding data lifetime via whole system simulation. In USENIX Security Symposium, San Diego, CA, August 2004.
22. P. M. Comparetti, G. Wondracek, C. Kruegel, and E. Kirda. Prospex: Protocol specification extraction. In IEEE Symposium on Security and Privacy, Oakland, CA, May 2009.
23. M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-end containment of internet worms. In Symposium on Operating Systems Principles, Brighton, United Kingdom, October 2005.
24. D. Crocker and P. Overell. Augmented BNF for syntax specifications: ABNF. RFC 4234 (Draft Standard), October 2005. http://www.ietf.org/rfc/rfc4234.txt.
25. W. Cui, J. Kannan, and H. J. Wang. Discoverer: Automatic protocol description generation from network traces. In USENIX Security Symposium, Boston, MA, August 2007.
26. W. Cui, V. Paxson, N. C. Weaver, and R. H. Katz. Protocol-independent adaptive replay of application dialog. In Network and Distributed System Security Symposium, San Diego, CA, February 2006.
27. W. Cui, M. Peinado, K. Chen, H. J. Wang, and L. Irun-Briz. Tupni: Automatic reverse engineering of input formats. In ACM Conference on Computer and Communications Security, Alexandria, VA, October 2008.
28. N. Daswani, M. Stoppelman, and the Google Click Quality and Security Teams. The anatomy of Clickbot.A. In Workshop on Hot Topics in Understanding Botnets, April 2007.
29. H. Dreger, A. Feldmann, M. Mai, V. Paxson, and R. Sommer. Dynamic application-layer protocol analysis for network intrusion detection. In USENIX Security Symposium, Vancouver, Canada, July 2006.
30. R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. Hypertext transfer protocol - HTTP/1.1. RFC 2616 (Draft Standard), June 1999.
31. J. B. Grizzard, V. Sharma, C. Nunnery, and B. B. Kang. Peer-to-peer botnets: Overview and case study. In Workshop on Hot Topics in Understanding Botnets, April 2007.
32. J. P. John, A. Moshchuk, S. D. Gribble, and A. Krishnamurthy. Studying spamming botnets using Botlab. In Symposium on Networked System Design and Implementation, Boston, MA, April 2009.
33. C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. M. Voelker, V. Paxson, and S. Savage. Spamalytics: An empirical analysis of spam marketing conversion. In ACM Conference on Computer and Communications Security, Alexandria, VA, October 2008.
34. J. Kannan, J. Jung, V. Paxson, and C. E. Koksal. Semi-automated discovery of application session structure. In Internet Measurement Conference, Rio de Janeiro, Brazil, October 2006.
35. C. Leita, M. Dacier, and F. Massicotte. Automatic handling of protocol dependencies and reaction to 0-day attacks with ScriptGen based honeypots. In International Symposium on Recent Advances in Intrusion Detection, Hamburg, Germany, September 2006.
36. C. Leita, K. Mermoud, and M. Dacier. ScriptGen: An automated script generation tool for Honeyd. In Annual Computer Security Applications Conference, Tucson, AZ, December 2005.
37. J. Lim, T. Reps, and B. Liblit. Extracting output formats from executables. In Working Conference on Reverse Engineering, Benevento, Italy, October 2006.
38. Z. Lin, X. Jiang, D. Xu, and X. Zhang. Automatic protocol format reverse engineering through context-aware monitored execution. In Network and Distributed System Security Symposium, San Diego, CA, February 2008.
39. N. Lutz. Towards revealing attacker's intent by automatically decrypting network traffic. Master's thesis, ETH, Zürich, Switzerland, July 2008.
40. J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Network and Distributed System Security Symposium, San Diego, CA, February 2005.
41. R. Pang, V. Paxson, R. Sommer, and L. Peterson. binpac: A yacc for writing application protocol parsers. In Internet Measurement Conference, Rio de Janeiro, Brazil, October 2006.
42. V. Paxson. Bro: A system for detecting network intruders in real-time. Computer Networks, 31(23-24), 1999.
43. P. Porras, H. Saidi, and V. Yegneswaran. A foray into Conficker's logic and rendezvous points. In USENIX Workshop on Large-Scale Exploits and Emergent Threats, Boston, MA, April 2009.
44. J. Postel and J. Reynolds. File transfer protocol. RFC 959 (Standard), October 1985. Updated by RFCs 2228, 2640, 2773, 3659.
45. P. Saxena, P. Poosankam, S. McCamant, and D. Song. Loop-extended symbolic execution on binary programs. In International Symposium on Software Testing and Analysis, Chicago, IL, July 2009.
46. G. E. Suh, J. W. Lee, D. Zhang, and S. Devadas. Secure program execution via dynamic information flow tracking. In International Conference on Architectural Support for Programming Languages and Operating Systems, Boston, MA, October 2004.
47. M. Vrable, J. Ma, J. Chen, D. Moore, E. Vandekieft, A. C. Snoeren, G. M. Voelker, and S. Savage. Scalability, fidelity, and containment in the Potemkin virtual honeyfarm. In Symposium on Operating Systems Principles, Brighton, United Kingdom, October 2005.
48. Z. Wang, X. Jiang, W. Cui, and X. Wang. ReFormat: Automatic reverse engineering of encrypted messages. In European Symposium on Research in Computer Security, Saint-Malo, France, September 2009.
49. G. Wondracek, P. M. Comparetti, C. Kruegel, and E. Kirda. Automatic network protocol analysis. In Network and Distributed System Security Symposium, San Diego, CA, February 2008.