Issue No. 05 - Sept.-Oct. (2017 vol. 14)
Yacin Nadji , Department of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, GA
Roberto Perdisci , Department of Computer Science, University of Georgia, Athens, GA
Manos Antonakakis , Department of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, GA
Devices infected with malicious software typically form botnet armies under the influence of one or more command and control (C&C) servers. The botnet problem has reached such levels that federal law enforcement agencies have to step in and take action against botnets by disrupting (or "taking down") their C&Cs, and thus their illicit operations. Lately, more and more private companies have started to independently take action against botnet armies, primarily focusing on their DNS-based C&Cs. While well-intentioned, their C&C takedown methodology is in most cases ad hoc, and limited by the breadth of knowledge available around the malware that facilitates the botnet. With this paper, we aim to bring order, measure, and reason to the botnet takedown problem. We improve an existing takedown analysis system called rza. Specifically, we examine additional botnet takedowns, enhance the risk calculation to use botnet population counts, and include a detailed discussion of policy improvements that can be made to improve takedowns. As part of our system evaluation, we perform a postmortem analysis of the recent 3322.org, Citadel, and No-IP takedowns.
Malware, IP networks, Databases, Peer-to-peer computing, Law enforcement, Servers
Y. Nadji, R. Perdisci and M. Antonakakis, "Still Beheading Hydras: Botnet Takedowns Then and Now," in IEEE Transactions on Dependable and Secure Computing, vol. 14, no. 5, pp. 535-549, 2017.