Jose Nazario and Jeremy Linden
October 12, 2006
ABSTRACT: Botnets have quickly become one of the chief dangers to large-scale Internet security, threatening nearly every Internet user and even the very infrastructure itself. Unlike traditional malware such as viruses and worms, the structure of a botnet creates the opportunity to perform direct measurements and observation. The common tools to perform these measurements are usually written quickly and may or may not work for long periods of time, especially if the botnet owner is vigilant about checking for lurking hosts. Furthermore, most botnet studies published thus far have focused on studying captured malware samples outside of the network or have been carried out using honeypot hosts. Neither of these techniques provide a full picture of the botnet landscape.
To study larger amounts of information about the botnet community, we have developed simple tools and techniques to infiltrate large numbers of botnets for long periods of time. Our findings reveal how botnet operators manage their networks, what they are doing with the infected hosts, and the skill levels required to create such botnets. The results of this illustrate how lucrative the botnet community is, how easy it is to get started, and how dangerous it can be for the Internet community at large.
Presentation
[Hi-res - PDF]