NUST Institutional Repository

Titan: A Tool for Safe and Faithful Capture of Network Fingerprints of a Bot


dc.contributor.author Haq, Osama
dc.date.accessioned 2020-11-02T10:14:48Z
dc.date.available 2020-11-02T10:14:48Z
dc.date.issued 2015
dc.identifier.uri http://10.250.8.41:8080/xmlui/handle/123456789/8317
dc.description Supervisor: Dr. Muhammad Usman Ilyas en_US
dc.description.abstract Botnets are an evolutionary form of malware, unique in requiring network connectivity, for herding by a botmaster, that allows coordinated attacks as well as dynamic evasion from detection. Thus, the most interesting features of a bot relate to its rapidly evolving network behavior. The few academic and commercial malware observation systems that exist, however, do not safely and faithfully capture fingerprints of a bot. Moreover, these systems are either proprietary or have large cost and management overhead. We observe that the network behavior of bots is largely dependent upon the containment policy and changes considerably under different operational contexts. We first propose an iterative and semi-automated way to contain harmful activity generated by bots and then identify these various contexts that can impact its fingerprint. We also present Titan: a system that generates faithful network fingerprints by recreating all these contexts and stressing the bot with different network settings and host interactions. This effort includes a semi-automated and tunable containment policy to prevent bot proliferation. Most importantly, Titan has low cost overhead as a minimal setup requires just two machines, while the provision of a user-friendly web interface reduces the setup and management overhead. We then show a fingerprint of Kanav F bot to demonstrate the bootstrap capturing feature of Titan. We also show a fingerprint of the Cryptolocker bot to demonstrate automatic detection of its domain generation algorithm (DGA) and its evolution over the period of six months. Finally, we demonstrate the effective identification of context-specific behavior with a controlled deployment of Zeus botnet. en_US
dc.publisher SEECS, National University of Science & Technology en_US
dc.subject Titan, Network Fingerprints of a Bot, Computer Science en_US
dc.title Titan: A Tool for Safe and Faithful Capture of Network Fingerprints of a Bot en_US
dc.type Thesis en_US


This item appears in the following Collection(s)

  • MS [375]
