What is it? @.@

Here is the place where I record some tactics about wargame, systems, and other security issues.


Botnets Timeline

Table 1 presents a timeline of some important bots and some of their main features.

YearNameArchitecture/protocolEstimated sizeCommentsRefs.
1993EggDropCentralized/IRC-Recognized as one of the first popular IRC bots[38]
1998GTbotCentralized-IRC-based bot that uses mIRC scripts[7,21,40]
2002SDbotCentralized/IRC-Uses its own IRC client for better efficiency. Can also use instant-messaging programs and has reached more than 4000 variants [7,20,40,41]
AgobotCentralized/IRC-Robust, modular, flexible and uses a persistent C&C channel [7,19,42]
2003SpybotCentralized-Derived from Agobot with more features[7,16,18]
SinitP2P-Use random scanning to find others peers [41,43]
2004BagleCentralized230,000 [41,44]
ForbotCentralized-Derived from Agobot[45]
PhatbotP2P-Based on the WASTE P2P network[7,41]
2006SpamThruP2P12,000 SpamThru uses a custom P2P protocol to share information with other peers[46]
NugacheP2P160,000 Connect to a predefined list of peers[47,48]
JrbotCentralized-IRC-Based bot with a persistent channel[7]
RxbotCentralized/IRC-IRC-Based bot with a persistent channel[49]
Rustock Centralized/HTTP150,000Bot responsible for 30 billion messages per day, the largest botnet observed in 2010. Was deactivated in 2011.[46,50,51]
2007StormCentralized160,000Was considered one of most powerful botnets, with high processing power, capable of disconnecting entire countries[46,48,52,53]
PeacommP2P160,000Storm variant based on Kademlia network[48,52,53]
PushdoCentralized/HTTP175,000 Encrypts C&C messages and capable of sending 4.500 messages in an hour per bot[50,54]
SrizbiCentralized/HTTP400,000In 2008, it was one of the main botnets responsible for sending spam, approximately 50% of all traffic, approximately 80 to 60 billion messages per day[46,55]
Zeus/ZbotCentralized/HTTP3,6 millionsAllows the creation of new bots, with more than 3000 variants[56–58]
Mega-DP2P500,000Became responsible for 1/3 of all spam traffic, was shut down in 2008[50,59]
2008LethicCentralized260,000Initially discovered in 2008, mainly involved in pharmaceutical and replica spam, was responsible for 8–10% of all the spam sent worldwide.[44]
AsproxCentralized/HTTP15,000In addition to sending spam, it is able to perform SQL Injection on legitimate websites[60]
BobaxCentralized/HTTP/UDP185,000Employs dynamic DNS and an algorithm for generating domains[41,46]
KrakenCentralized400,000A variant of Bobax[61,62]
TorpigCentralized180,000Typically targets bank account, credit-card data and also steals a variety ofother personal information[63]
ConfickerP2P10,5 millionsIn 2009, a coalition of security researchers was created to study Conficker, although some researchers do not consider it a bot/botnet[64,65]
2009WaledacP2P80,000Successor of the Storm bot, was used for sending spam (7000 posts per day), shut off in 2010[50,66,67]
DonbotCentralized/TCP125,000It uses a specific protocol for the C&C server using TCP ports above 2200[50]
2010FestiCentralized/HTTP-Sends an HTTP request message to the C&C, which responds with encrypted templates of spam and/or a list of addresses[44]
2011TDL-4P2P4,5 millionsHas infected up to 4.5 million PCs in 2011, identified as one of the most sophisticated threats today. "It is virtually indestructible", according to security researchers[68]

[7] P. Bacher, T. Holz, M. Kotter, G. Wicherski, Know Your Enemy: Tracking Botnets (using honeynets to learn more about bots), Technical Report, The Honeynet Project, 2008.
[16] C. Li, W. Jiang, X. Zou, Botnet: survey and case study, in: Fourth International Conference on Innovative Computing, Information and Control (ICICIC), 2009, pp. 1184–1187.
[18] Symantec, Spybot worm, 2003 <http://www.symantec.com/securityresponse/writeup.jsp?docid=2003-053013-5943-99>.
[19] T. Micro, Worm AgoBot, 2004 <http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&name=WORMAGOBOT.XE>.
[20] T. Micro, Worm SDBot, 2003 <http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&name=WORMSDBOT.AZ>.
[21] G. Macesanu, T. Codas, C. Suliman, B. Tarnauca, Development of GTBoT, a high performance and modular indoor robot, in: IEEE International Conference on Automation Quality and Testing Robotics (AQTR), vol. 1, 2010, pp. 1–6.
[38] EggHeads, EggHeads.org-eggdrop development, 1993 <http://eggheads.org/>.
[40] Dumbledore, Well Known Bot Families, 2001 <http://dumbledore.hubpages.com>.
[41] T. Yen, M.K Reiter, Traffic aggregation for malware detection, in: Proceedings of the 5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA’08, Springer-Verlag, Berlin, Heidelberg, 2008, pp. 207-227.
[42] Symantec, W32.Gaobot.CEZ, 2002 <http://www.symantec.com>.
[43] R. Schoof, R. Koning, Detecting Peer-to-Peer Botnets, Technical
Report 1, University of Amsterdam, 2007.
[44] Symantec, Messagelabs Intelligence, in: Security Response, Symantec, 2010.
[45] L. Liu, S. Chen, G. Yan, Z. Zhang, BotTracer: Execution-Based Bot-Like Malware Detection, in: T. Wu, C. Lei, V. Rijmen, D. Lee (Eds.), Information Security, Lecture Notes in Computer Science, vol. 5222, Springer, Berlin/Heidelberg, 2008, pp. 97–113. 10.1007/978-3-540-85886-7 7.
[46] G. Keizer, Top botnets control 1 m hijacked computers, 2008 <http://www.computerworld.com>.
[47] T. Wilson, Competition may be driving surge in botnets, spam, 2008 <http://www.darkreading.com>.
[48] S. Stover, D. Dittrich, J. Hernandez, S. Dietrich, Analysis of the storm and nugache: P2p is here, in: Proceedings of the 4th USENIX Workshop on Cyber Security Experimentation and Test (CSET’11), USENIX Association, 2007.
[49] G. Gu, J. Zhang, W. Lee, BotSniffer – detecting botnet command and control channels in network traffic, in: 15th Annual Network & Distributed System Security Symposium, The Internet Society (ISOC), San Diego, 2008.
[50] Spam botnets to watch in 2009, 2001 <http://www.secureworks.com>.
[51] C. Miller, The Rustock Botnet Spams Again, 2008.
[52] T. Holz, M. Steiner, F. Dahl, E. Biersack, F. Freiling, Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm, in: Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, USENIX Association, Berkeley, CA, USA, 2008.
[53] C. Davis, J. Fernandez, S. Neville, J. McHugh, Sybil attacks as a mitigation strategy against the storm botnet, in: 3rd International Conference on Malicious and Unwanted Software, MALWARE 2008, 2008, pp. 32–40.
[54] S. Works, Pushdo – Analysis of a Modern Malware Distribution System, 2008 <http://www.secureworks.com>.
[55] J. Kirk, Spammers Regaining Control Over Srizbi Botnet, 2008 <http://www.pcworld.com>.
[56] E. Messmer, America’s 10 Most Wanted Botnets, 2009 <http://www.networkworld.com>.
[58] K. Stevens, D. Jackson, Zeus Banking Trojan Report, 2010 <http://www.secureworks.com>.
[59] J. Hruska, New Mega-d Menace Muscles Storm Worm Aside, 2008 <http://arstechnica.com>.
[60] R. Borgaonkar, An analysis of the asprox botnet, in: Fourth International Conference on Emerging Security Information Systems and Technologies (SECURWARE), 2010, pp. 148–153.
[61] K.J. Higgins, New Massive Botnet Twice the Size of Storm, 2008 <http://www.darkreading.com>.
[62] A. Moscaritolo, Kraken botnet re-emerges 318,000 nodes strong, 2010 <http://www.scmagazineus.com>.
[63] B. Stone-Gross, M. Cova, B. Gilbert, R. Kemmerer, C. Kruegel, G. Vigna, Analysis of a botnet takeover, Security Privacy, IEEE 9 (2011) 64–72.
[64] Experts bicker over conficker numbers, 2001 <http://news.techworld.com>.
[65] Symantec, The downaduo codex, in: Security Response, Symantec, 2009.
[66] D.-I. Jang, M. Kim, H.-C. Jung, B. Noh, Analysis of HTTP2P botnet: case study waledac, in: IEEE 9th Malaysia International Conference on Communications (MICC), 2009, pp. 409–412.
[67] G. Sinclair, C. Nunnery, B. Kang, The waledac protocol: the how and why, in: 4th International Conference on Malicious and Unwanted Software (MALWARE), 2009, pp. 69–77.
[68] Tdl-4 top bot, 2011 <http://www.securelist.com>.

No comments:

Post a Comment