Characterizing bots' remote control behavior

Abstract

A botnet is a collection of bots, each generally running on a compromised system and responding to commands over a "command-and-control" overlay network. We investigate observable differences in the behavior of bots and benign programs, focusing on the way that bots respond to data received over the network. Our experimental platform monitors execution of an arbitrary Win32 binary, considering data received over the network to be tainted, applying library-call-level taint propagation, and checking for tainted arguments to selected system calls. As a way of further distinguishing locally-initiated from remotely-initiated actions, we capture and propagate "cleanliness" of local user input (as received via the keyboard or mouse). Testing indicates behavioral separation of major bot families (agobot, DSNXbot, evilbot, G-SySbot, sdbot, Spybot) from benign programs with low error rate. © Springer-Verlag Berlin Heidelberg 2007.

Cite

Stinson, E., & Mitchell, J. C. (2007). Characterizing bots’ remote control behavior. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 4579 LNCS, pp. 89–108). Springer Verlag. https://doi.org/10.1007/978-3-540-73614-1_6
