Using honeynets to learn more about Bots
The Honeynet Project & Research Alliance
http://www.honeynet.org
Last Modified: 13 March 2005
Honeypots are a well known technique for discovering the tools,
tactics, and motives of attackers. In this paper we look at a special
kind of threat: the individuals and organizations who run botnets. A
botnet is a network of compromised machines that can be remotely
controlled by an attacker. Due to their immense size (tens of
thousands of systems can be linked together), they pose a severe
threat to the community. With the help of honeynets we can observe
the people who run botnets -- a task that is difficult using other
techniques. Due to the wealth of data logged, it is possible to
reconstruct the actions of attackers, the tools they use, and study
them in detail. In this paper we take a closer look at botnets,
common attack techniques, and the individuals involved.
We start with an introduction to botnets and how they work, with
examples of their uses. We then briefly analyze the three most common
bot variants used. Next we discuss a technique to observe botnets,
allowing us to monitor the botnet and observe all commands issued by
the attacker. We present common behavior we captured, as well as
statistics on the quantitative information learned through monitoring
more than one hundred botnets during the last few months. We conclude
with an overview of lessons learned and point out further research
topics in the area of botnet-tracking, including a tool called
mwcollect2 that focuses on collecting malware in an automated fashion.
http://www.honeynet.org/papers/bots/
Monty Solomon (monty@roscom.com)