Towards Automated Botnet Detection And Mitigation presented at SyScan 2006

by Thorsten Holz

Tags: Security Botnets

Summary: Botnets pose one of the most severe threats in the Internet today. With the help of honeypots
and specialized tools like nepenthes (http://nepenthes.mwcollect.org) it is possible to learn
more about them. In addition, these systems can also be used to mitigate this threat.

This talk focuses on a special kind of threat: the individuals and organizations who run botnets.
A "botnet" is a network of compromised machines that can be remotely controlled by an attacker.
Due to their immense size (tens of thousands of systems can be linked together), they pose a severe
threat to the community. With the help of honeynets and some other tools we can observe the people
who run botnets - a task that is difficult using other techniques. In this talk we take a closer
look at botnets, common attack techniques, and the individuals involved.

We start with an introduction to botnets and how they work, with examples of their uses. We then
briefly analyze the three most common bot variants used. Next we discuss a technique to automatically
collect bots with the help of the tool nepenthes. We present the architecture and give technical
details of the implementation. After some more words on the effectiveness of this approach we present
an automated way to analyze the collected binaries.

All these steps can be automated to a high degree, allowing us to build a system that autonomously
collects information about existing botnets. This information can then be aggregated and correlated
to learn even more. As a result, we obtain information that can be used to mitigate the threat, e.g.,
as a warning system within networks or as an information resource for CERTs. We conclude the talk with
an overview of lessons learned and point out further research topics in the area of botnet tracking.