Botzilla: Detecting the "phoning home" of malicious software

Proceedings of the ACM Symposium on Applied Computing

Volumn , Issue , 2010, Pages 1978-1984

  Rieck, Konrad ^a   Schwenk, Guido ^b   Limmer, Tobias ^c   Holz, Thorsten ^d,f   Laskov, Pavel ^b,e  

^a TECHNISCHE UNIVERSITÄT BERLIN   (Germany)

^b FRAUNHOFER FIRST   (Germany)

^c UNIVERSITY OF ERLANGEN NUREMBERG   (Germany)

^d VIENNA UNIVERSITY OF TECHNOLOGY   (Austria)

^e UNIVERSITY OF TÜBINGEN   (Germany)

^f UNIVERSITY OF MANNHEIM   (Germany)

Author keywords

malicious software; network intrusion detection

Indexed keywords

CONTROLLED ENVIRONMENT; IN-NETWORK; MALICIOUS CODES; MALICIOUS SOFTWARE; MALWARES; NETWORK TRAFFIC; SOFTWARE VULNERABILITIES;

COMPUTER SOFTWARE; INTRUSION DETECTION;

COMPUTER CRIME;

EID: 77954740531     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1774088.1774506     Document Type: Conference Paper

References (28)

1. P. Bächer, M. Kötter, T. Holz, M. Dornseif, and F. C. Freiling. The nepenthes platform: An efficient approach to collect malware. In Recent Adances in Intrusion Detection (RAID), pages 165-184, 2006.
2. J. Franklin, V. Paxson, A. Perrig, and S. Savage. An Inquiry Into the Nature and Causes of the Wealth of Internet Miscreants. In Proc. of Conference on Computer and Communications Security (CCS), pages 375-388, 2007.
3. J. Goebel and T. Holz. Rishi: Identify bot contaminated hosts by IRC nickname evaluation. In Workshop on Hot Topics in Understanding Botnets, 2007.
4. G. Gu, R. Perdisci, J. Zhang, and W. Lee. BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection. In Proc. of USENIX Security Symposium, 2008.
5. G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee. BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation. In Proc. of USENIX Security Symposium, 2007.
6. G. Gu, J. Zhang, and W. Lee. BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic. In Proc. of Network and Distributed System Security Symposium (NDSS), 2008.
7. D. Gusfield. Algorithms on strings, trees, and sequences. Cambridge University Press, 1997.
8. T. Holz, M. Engelberth, and F. Freiling. Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones. Technical Report TR-2008-006, University of Mannheim, Dec. 2008.
9. T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling. Measurements and mitigation of peer-to-peer-based botnets: A case study on Storm worm. In Proc. of USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), 2008.
10. H.-A. Kim and B. Karp. Autograph: Toward automated, distributed worm signature detection. In Proc. of USENIX Security Symposium, 2004.
11. C. Kreibich and J. Crowcroft. Honeycomb - creating intrusion detection signatures using honeypots. In Proc. of Workshop on Hot Topics in Networks, 2003.
12. Z. Li, M. Sandhi, Y. Chen, M.-Y. Kao, and B. Chavez. Hamsa: fast signature generation for zero-day polymorphic worms with provable attack resilience. In Proc. of IEEE Symposium on Security and Privacy, pages 32-47, 2006.
13. T. Limmer and F. Dressler. Seamless Dynamic Reconfiguration of Flow Meters: Requirements and Solutions. In 16. GI/ITG Fachtagung Kommunikation in Verteilten Systemen (KiVS 2009), pages 179-190, Kassel, Germany, March 2009. Springer.
14. D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford-Chen, and N. Weaver. Inside the slammer worm. IEEE Security & Privacy, 1(4):33-39, 2003.
15. D. Moore and C. Shannon. Code-Red: A case study on the spread and victims of an Internet worm. In Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurment, pages 273-284, 2002.
16. J. Newsome, B. Karp, and D. Song. Polygraph: Automatically generating signatures for polymorphic worms. In Proc. of IEEE Symposium on Security and Privacy, pages 120-132, 2005.
17. J. Newsome, B. Karp, and D. Song. Paragraph: Thwarting signature learning by training maliciously. In Recent Adances in Intrusion Detection (RAID), pages 81-105, 2006.
18. V. Paxson. Bro: A System for Detecting Network Intruders in Real-Time. Elsevier Computer Networks, 31(23-24):2435-2463, December 1999.
19. R. Perdisci, D. Dagon, W. Lee, P. Fogla, and M. Sharif. Misleading worm signature generators using deliberate noise injection. In Proc. of IEEE Symposium on Security and Privacy, pages 17-31, 2006.
20. N. Provos, P. Mavrommatis, M. A. Rajab, and F. Monrose. All Your iFRAMEs Point to Us. In Proc. of USENIX Security Symposium, 2008.
21. M. Reiter and T. Yen. Traffic aggregation for malware detection. In Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2008.
22. M. Roesch. Snort: Lightweight intrusion detection for networks. In Proc. of USENIX Large Installation System Administration Conference LISA, pages 229-238, 1999.
23. S. Singh, C. Estan, G. Varghese, and S. Savage. Automated worm fingerprinting. In Proc. of USENIX Symposium on Operating Systems Design and Implementation (OSDI), Dec. 2004.
24. S. Stover, D. Dittrich, J. Hernandez, and S. Dietrich. Analysis of the Storm and Nugache Trojans: P2P is here. USENIX ;login:, 32(6):18-27, 2007.
25. Symantec. Global Internet Security Threat Report, April 2008. Trends for July - December 07.
26. G. Vasiliadis, S. Antonatos, M. Polychronakis, E. Markatos, and S. Ioannidis. Gnort: High performance network intrusion detection using graphics processors. In Recent Adances in Intrusion Detection (RAID), 2008.
27. Y.-M. Wang, D. Beck, C. Verbowski, S. Chen, S. King, X. Jiang, and R. Roussev. Automated web patrol with strider honeymonkeys: Finding web sites that exploit browser vulnerabilities. In Proc. of Network and Distributed System Security Symposium (NDSS), 2006.
28. V. Yegneswaran, J. T. Giffin, P. Barford, and S. Jha. An architecture for generating semantics-aware signatures. In Proc. of USENIX Security Symposium, pages 7-17, 2005.