
Understanding Malware on the Internet

Posted on: 2012-08-01
Degree: Ph.D.
Type: Dissertation
University: University of Washington
Candidate: John, John P.
Full Text: PDF
GTID: 1458390011452304
Subject: Computer Science
Abstract/Summary:
Botnets, large networks of compromised computers, are responsible for many malicious activities on the Internet today, such as spam, denial-of-service attacks, and click fraud. A thorough understanding of botnets is necessary to effectively combat this threat. However, there is a dearth of information about botnet structure and behavior, partly because of a lack of monitoring infrastructure, and partly because botnets use increasingly sophisticated techniques to evade detection.

Current techniques to identify and combat botnets involve manual analysis and reverse-engineering; such analysis is slow and does not scale as more malicious software (malware) is produced. For this dissertation, I designed, built, and deployed a comprehensive botnet-monitoring system that provides detailed information about botnets and their activities. It provides accurate, real-time information about botnet activities and also monitors the propagation of botnets and the techniques used to infect new hosts. The system is also largely automated, requiring little human interaction, which allows it to quickly identify problems before they become widespread.

The system consists of four components: Botlab, SearchAudit, Heat-seeking honeypots, and deSEO. These components measure different parts of the botnet life-cycle and combine to provide a more complete understanding of botnets. Botlab monitors botnet activity and communication by executing malicious binaries and studying their behavior. It provides up-to-date information on the various activities that botnets are involved in, and also identifies the control infrastructure used to coordinate the botnet. SearchAudit analyzes search engine logs to identify suspicious queries that are issued by attackers to find vulnerable web servers. Attackers then compromise these servers and use them to serve malware. SearchAudit provides valuable information about which servers are being targeted by attackers even before the servers are actually attacked. Heat-seeking honeypots pretend to be web servers running vulnerable applications in order to induce attacks and observe attack traffic. The information from the honeypots can be used to characterize common attacks against web servers and to develop mechanisms to detect attack traffic. Finally, deSEO allows search engines to identify malicious sites that game search ranking algorithms in order to appear at the top of the search results.

The information gathered by the botnet-monitoring system was used to develop defenses to combat botnets at various stages in their life-cycle. Overall, I believe my work has improved the community's collective understanding of botnets, and has demonstrated new techniques to defend against the botnet threat.
Keywords/Search Tags: Botnets, Understanding, Malware, Activities, Techniques, Malicious