Abstract:
Botnets are an evolutionary form of malware, unique in requiring network
connectivity for herding by a botmaster, which allows coordinated attacks as
well as dynamic evasion of detection. Thus, the most interesting features
of a bot relate to its rapidly evolving network behavior.
The few academic and commercial malware observation systems that exist,
however, do not safely and faithfully capture fingerprints of a bot. Moreover,
these systems are either proprietary or carry large cost and management
overhead. We observe that the network behavior of bots is largely dependent
upon the containment policy and changes considerably under different
operational contexts.
We first propose an iterative and semi-automated way to contain harmful
activity generated by bots, and then identify the various contexts that can
impact a bot's fingerprint. We also present Titan: a system that generates
faithful network fingerprints by recreating all these contexts and stressing
the bot with different network settings and host interactions. This effort
includes a semi-automated and tunable containment policy to prevent bot
proliferation. Most importantly, Titan has low cost overhead, as a minimal
setup requires just two machines, while the provision of a user-friendly web
interface reduces the setup and management overhead.
We then show a fingerprint of the Kanav F bot to demonstrate the
bootstrap-capturing feature of Titan. We also show a fingerprint of the
Cryptolocker bot to demonstrate automatic detection of its domain generation
algorithm (DGA) and the DGA's evolution over a period of six months. Finally,
we demonstrate the effective identification of context-specific behavior with
a controlled deployment of the Zeus botnet.