BOTWATCHER: Transparent and generic botnet tracking

Abstract

Botnets are one of the most serious threats to Internet security today. Modern botnets have complex infrastructures consisting of multiple components, which can be dynamically installed, updated, and removed at any time during the botnet operation. Tracking botnets is essential for understanding the current threat landscape. However, state- of-the-art analysis approaches have several limitations. Many malware analysis systems like sandboxes have a very limited analysis time-out, and thus only allow limited insights into the long-time behavior of a botnet. In contrast, customized tracking systems are botnet-specific and need to be adopted to each malware family, which requires tedious manual reverse engineering. In this paper, we present BotWatcher, a novel approach for transparent and generic botnet tracking. To this end, we leverage dynamic analysis and memory forensics techniques to execute the initial malware sample and later installed modules in a controlled environment and regularly obtain insights into the state of the analysis system. The key idea behind BotWatcher is that by reasoning about the evolution of system state over time, we can reconstruct a high-level overview of the botnet lifecycle, i.e., the sequence of botnet actions that caused this evolution. Our approach is generic since it relies neither on previous knowledge of the botnet nor on OS-specific features. Transparency is achieved by performing outside-OS monitoring and not installing any analysis tools in the analysis environment. We implemented BotWatcher for Microsoft Windows and Mac OS X (both 32- and 64-bit architectures), and applied it to monitor four botnets targeting Microsoft Windows. To the best of our knowledge, we are the first to present a generic, transparent, and fully automated botnet tracking system.