Description:
- Elsevier - Computer Networks
- 2012 - Botnets: A survey
- Sérgio S. C. Silva, Rodrigo M. P. Silva, Raquel C. G. Pinto, and Ronaldo M. Salles
- http://dl.acm.org/citation.cfm?id=2450798
| Year | Name | Architecture/protocol | Estimated size | Comments | Refs. |
|---|---|---|---|---|---|
| 1993 | EggDrop | Centralized/IRC | - | Recognized as one of the first popular IRC bots | [38] |
| 1998 | GTbot | Centralized | - | IRC-based bot built on mIRC scripts | [7,21,40] |
| 2002 | SDbot | Centralized/IRC | - | Uses its own IRC client for better efficiency; can also use instant-messaging programs; more than 4,000 variants | [7,20,40,41] |
| | Agobot | Centralized/IRC | - | Robust, modular and flexible; uses a persistent C&C channel | [7,19,42] |
| 2003 | Spybot | Centralized | - | Derived from Agobot, with more features | [7,16,18] |
| | Sinit | P2P | - | Uses random scanning to find other peers | [41,43] |
| 2004 | Bagle | Centralized | 230,000 | - | [41,44] |
| | Forbot | Centralized | - | Derived from Agobot | [45] |
| | Phatbot | P2P | - | Based on the WASTE P2P network | [7,41] |
| 2006 | SpamThru | P2P | 12,000 | Uses a custom P2P protocol to share information with other peers | [46] |
| | Nugache | P2P | 160,000 | Connects to a predefined list of peers | [47,48] |
| | Jrbot | Centralized | - | IRC-based bot with a persistent channel | [7] |
| | Rxbot | Centralized/IRC | - | IRC-based bot with a persistent channel | [49] |
| | Rustock | Centralized/HTTP | 150,000 | Responsible for 30 billion spam messages per day; the largest botnet observed in 2010; taken down in 2011 | [46,50,51] |
| 2007 | Storm | Centralized | 160,000 | Considered one of the most powerful botnets, with enough processing power to disconnect entire countries | [46,48,52,53] |
| | Peacomm | P2P | 160,000 | Storm variant based on the Kademlia network | [48,52,53] |
| | Pushdo | Centralized/HTTP | 175,000 | Encrypts C&C messages; capable of sending 4,500 messages per hour per bot | [50,54] |
| | Srizbi | Centralized/HTTP | 400,000 | In 2008 one of the main spam botnets, responsible for roughly half of all spam, about 60 to 80 billion messages per day | [46,55] |
| | Zeus/Zbot | Centralized/HTTP | 3.6 million | Allows the creation of new bots; more than 3,000 variants | [56–58] |
| | Mega-D | P2P | 500,000 | Responsible for about one third of all spam traffic; shut down in 2008 | [50,59] |
| 2008 | Lethic | Centralized | 260,000 | Discovered in 2008; mainly involved in pharmaceutical and replica spam; responsible for 8–10% of all spam sent worldwide | [44] |
| | Asprox | Centralized/HTTP | 15,000 | Besides sending spam, performs SQL injection against legitimate websites | [60] |
| | Bobax | Centralized/HTTP/UDP | 185,000 | Employs dynamic DNS and a domain generation algorithm | [41,46] |
| | Kraken | Centralized | 400,000 | A variant of Bobax | [61,62] |
| | Torpig | Centralized | 180,000 | Typically targets bank account and credit-card data; also steals a variety of other personal information | [63] |
| | Conficker | P2P | 10.5 million | In 2009 a coalition of security researchers was formed to study Conficker, although some researchers do not consider it a bot/botnet | [64,65] |
| 2009 | Waledac | P2P | 80,000 | Successor of the Storm bot; used for sending spam (7,000 messages per day); taken down in 2010 | [50,66,67] |
| | Donbot | Centralized/TCP | 125,000 | Uses its own C&C protocol over TCP ports above 2200 | [50] |
| 2010 | Festi | Centralized/HTTP | - | Sends an HTTP request to the C&C, which responds with encrypted spam templates and/or a list of addresses | [44] |
| 2011 | TDL-4 | P2P | 4.5 million | Infected up to 4.5 million PCs in 2011; identified as one of the most sophisticated threats today, "virtually indestructible" according to security researchers | [68] |
References:
[7] P. Bächer, T. Holz, M. Kötter, G. Wicherski, Know Your Enemy: Tracking Botnets (using honeynets to learn more about bots), Technical Report, The Honeynet Project, 2008.
[16] C. Li, W. Jiang, X. Zou, Botnet: survey and case study, in: Fourth International Conference on Innovative Computing, Information and Control (ICICIC), 2009, pp. 1184–1187.
[18] Symantec, Spybot worm, 2003 <http://www.symantec.com/securityresponse/writeup.jsp?docid=2003-053013-5943-99>.
[19] Trend Micro, WORM_AGOBOT.XE, 2004 <http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&name=WORMAGOBOT.XE>.
[20] Trend Micro, WORM_SDBOT.AZ, 2003 <http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&name=WORMSDBOT.AZ>.
[21] G. Macesanu, T. Codas, C. Suliman, B. Tarnauca, Development of GTBoT, a high performance and modular indoor robot, in: IEEE International Conference on Automation Quality and Testing Robotics (AQTR), vol. 1, 2010, pp. 1–6.
[38] EggHeads, Eggheads.org – Eggdrop development, 1993 <http://eggheads.org/>.
[40] Dumbledore, Well Known Bot Families, 2001 <http://dumbledore.hubpages.com>.
[41] T.-F. Yen, M.K. Reiter, Traffic aggregation for malware detection, in: Proceedings of the 5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA '08), Springer-Verlag, Berlin, Heidelberg, 2008, pp. 207–227.
[42] Symantec, W32.Gaobot.CEZ, 2002 <http://www.symantec.com>.
[43] R. Schoof, R. Koning, Detecting Peer-to-Peer Botnets, Technical Report 1, University of Amsterdam, 2007.
[44] Symantec, MessageLabs Intelligence, Security Response, Symantec, 2010.
[45] L. Liu, S. Chen, G. Yan, Z. Zhang, BotTracer: Execution-Based Bot-Like Malware Detection, in: T. Wu, C. Lei, V. Rijmen, D. Lee (Eds.), Information Security, Lecture Notes in Computer Science, vol. 5222, Springer, Berlin/Heidelberg, 2008, pp. 97–113. doi:10.1007/978-3-540-85886-7_7.
[46] G. Keizer, Top botnets control 1M hijacked computers, Computerworld, 2008 <http://www.computerworld.com>.
[47] T. Wilson, Competition may be driving surge in botnets, spam, Dark Reading, 2008 <http://www.darkreading.com>.
[48] S. Stover, D. Dittrich, J. Hernandez, S. Dietrich, Analysis of the Storm and Nugache trojans: P2P is here, ;login: The USENIX Magazine 32 (6) (2007).
[49] G. Gu, J. Zhang, W. Lee, BotSniffer: detecting botnet command and control channels in network traffic, in: 15th Annual Network & Distributed System Security Symposium (NDSS), The Internet Society (ISOC), San Diego, 2008.
[50] SecureWorks, Spam Botnets to Watch in 2009, 2009 <http://www.secureworks.com>.
[51] C. Miller, The Rustock Botnet Spams Again, 2008.
[52] T. Holz, M. Steiner, F. Dahl, E. Biersack, F. Freiling, Measurements and mitigation of peer-to-peer-based botnets: a case study on Storm worm, in: Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '08), USENIX Association, Berkeley, CA, USA, 2008.
[53] C. Davis, J. Fernandez, S. Neville, J. McHugh, Sybil attacks as a mitigation strategy against the Storm botnet, in: 3rd International Conference on Malicious and Unwanted Software (MALWARE 2008), 2008, pp. 32–40.
[54] SecureWorks, Pushdo – Analysis of a Modern Malware Distribution System, 2008 <http://www.secureworks.com>.
[55] J. Kirk, Spammers Regaining Control Over Srizbi Botnet, PCWorld, 2008 <http://www.pcworld.com>.
[56] E. Messmer, America's 10 Most Wanted Botnets, Network World, 2009 <http://www.networkworld.com>.
[58] K. Stevens, D. Jackson, Zeus Banking Trojan Report, SecureWorks, 2010 <http://www.secureworks.com>.
[59] J. Hruska, New Mega-D Menace Muscles Storm Worm Aside, Ars Technica, 2008 <http://arstechnica.com>.
[60] R. Borgaonkar, An analysis of the Asprox botnet, in: Fourth International Conference on Emerging Security Information, Systems and Technologies (SECURWARE), 2010, pp. 148–153.
[61] K.J. Higgins, New Massive Botnet Twice the Size of Storm, Dark Reading, 2008 <http://www.darkreading.com>.
[62] A. Moscaritolo, Kraken botnet re-emerges 318,000 nodes strong, SC Magazine, 2010 <http://www.scmagazineus.com>.
[63] B. Stone-Gross, M. Cova, B. Gilbert, R. Kemmerer, C. Kruegel, G. Vigna, Analysis of a botnet takeover, IEEE Security & Privacy 9 (1) (2011) 64–72.
[64] Experts bicker over Conficker numbers, Techworld, 2009 <http://news.techworld.com>.
[65] Symantec, The Downadup Codex, Security Response, Symantec, 2009.
[66] D.-I. Jang, M. Kim, H.-C. Jung, B. Noh, Analysis of HTTP2P botnet: case study Waledac, in: IEEE 9th Malaysia International Conference on Communications (MICC), 2009, pp. 409–412.
[67] G. Sinclair, C. Nunnery, B. Kang, The Waledac protocol: the how and why, in: 4th International Conference on Malicious and Unwanted Software (MALWARE), 2009, pp. 69–77.
[68] TDL-4 – Top Bot, Securelist, 2011 <http://www.securelist.com>.