
Research On Botnets Control Commands’ Extracting And Their Application

Posted on: 2016-05-11
Degree: Master
Type: Thesis
Country: China
Candidate: Y Cai
Full Text: PDF
GTID: 2308330461980546
Subject: Computer software and theory

Abstract/Summary:
An increasing number of computers have been compromised by botnets, which use bots to propagate, infect and control the terminals. Botnets can retrieve a wealth of sensitive information and obtain enough computational resources to run large-scale distributed attacks, so they are becoming one of the most effective and powerful attack platforms available to attackers.

A unique property of a botnet that separates it from other malware families is its command-and-control (C&C) infrastructure. Typically, a bot receives commands from the botmaster (controller), performs tasks and reports the execution results back through the C&C channel. The C&C mechanism gives a botnet its controllability, flexibility and confidentiality. Understanding a botnet's commands and C&C mechanism therefore has direct and immediate implications for building methods and systems to analyze and disrupt botnets.

Although a method that uses constraint-solving techniques to extract botnets' control commands exists, it is complex, time-consuming, subject to the path-explosion problem, and difficult to apply to obfuscated bots. Building on previous research, this thesis studies how to extract botnets' control-command information from bot executables. We present how to identify the command-and-control logic of a bot from its execution traces, using taint-propagation information and a code-coverage feature, and then propose a new method that extracts the botnet's control commands from that command-and-control logic. Compared with existing methods, this method has lower time overhead, does not rely on APIs, and requires less prior knowledge. Furthermore, it can effectively avoid interference from packers and code-obfuscation techniques.

We evaluated this approach on six well-known botnets, and the results show that it can accurately extract botnets' control commands. In addition, this thesis explores the application of the extracted control commands and proposes a new scheme for analyzing bot behavior: run the bot executables, use their control commands to trigger the bots' execution, and observe their actions. We discuss the practicability of this scheme, the steps for implementing it, and the problems that remain to be solved. Likewise, we discuss the application of botnet commands to active probing for bot detection in the network.
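As an added illustration, and not code from the thesis or the author's method, the following Python script shows in miniature what "using taint-propagation information and branch outcomes from execution traces instead of a constraint solver" can look like. It defines a tiny made-up instruction set, a bot-style command dispatcher written in it (the commands "DDOS" and "SPAM" and the handler names are constructed), and an emulator that taints every byte received from the C&C channel with its offset. Each comparison of a tainted byte against an immediate constant is recorded; whenever such a comparison fails, the analyzer re-runs the bot with that constant written at that offset, so the untaken branch is covered on the next run. Inputs that reach a handler yield the recovered command strings. A real analysis would obtain the traces from a dynamic binary-instrumentation tool rather than from this toy emulator.

```python
# Toy taint-guided extraction of bot command strings from execution traces.
# Constructed example: the ISA, the bot program, the commands and the handler
# names are all made up for illustration and are not from the thesis.
from collections import deque

BUF = 0x100  # address where the bot stores the received message


def match_block(text, fail_target, handler):
    """Bot-style byte-by-byte check of the buffer against one command string;
    on any mismatch jump to fail_target, otherwise call the handler."""
    code = []
    for i, ch in enumerate(text):
        code += [("load", "r0", BUF + i), ("cmp", "r0", ord(ch)), ("jne", fail_target)]
    code.append(("call", handler))
    return code


# Layout: recv | block A (13 insns) | jmp END | block B (13 insns) | ret
A_START = 1
B_START = A_START + 13 + 1   # 15
END = B_START + 13           # 28
BOT_PROGRAM = (
    [("recv", BUF, 8)]
    + match_block("DDOS", B_START, "flood")   # constructed command -> handler
    + [("jmp", END)]
    + match_block("SPAM", END, "spam")        # constructed command -> handler
    + [("ret",)]
)


def run(program, data):
    """Execute the bot on one message. Returns (handler_called, tainted_cmps),
    where tainted_cmps lists (input_offset, immediate, matched) for every
    comparison whose operand was derived from the received bytes."""
    mem, taint, regs, rtaint = {}, {}, {}, {}
    flag, handler, cmps, pc = False, None, [], 0
    while True:
        ins = program[pc]
        op = ins[0]
        if op == "recv":                      # bytes from the C&C channel are tainted
            base, n = ins[1], ins[2]
            for i in range(n):
                mem[base + i] = data[i] if i < len(data) else 0
                taint[base + i] = {i}         # taint label = offset in the message
            pc += 1
        elif op == "load":                    # taint follows the data move
            regs[ins[1]] = mem.get(ins[2], 0)
            rtaint[ins[1]] = set(taint.get(ins[2], set()))
            pc += 1
        elif op == "cmp":                     # record tainted-vs-constant checks
            flag = regs[ins[1]] == ins[2]
            for off in rtaint.get(ins[1], ()):
                cmps.append((off, ins[2], flag))
            pc += 1
        elif op == "jne":
            pc = ins[1] if not flag else pc + 1
        elif op == "jmp":
            pc = ins[1]
        elif op == "call":
            handler = ins[1]
            pc += 1
        elif op == "ret":
            return handler, cmps


def extract_commands(program, width=8):
    """Breadth-first exploration driven by taint, not constraint solving: start
    from an all-zero message; each failed comparison of a tainted byte against a
    constant schedules a variant with that constant at that offset. Every input
    that reaches a handler yields one (command string, handler) pair."""
    seed = bytes(width)
    seen, queue, found = {seed}, deque([seed]), {}
    while queue:
        data = queue.popleft()
        handler, cmps = run(program, data)
        if handler:
            used = max(off for off, _, _ in cmps) + 1   # bytes the parser inspected
            found[data[:used].decode()] = handler
        for off, imm, matched in cmps:
            if matched:
                continue
            variant = bytearray(data)
            variant[off] = imm                           # force the untaken branch
            variant = bytes(variant)
            if variant not in seen:
                seen.add(variant)
                queue.append(variant)
    return found


if __name__ == "__main__":
    for command, handler in extract_commands(BOT_PROGRAM).items():
        print(f"command {command!r} -> handler {handler}")
```

The exploration terminates because every generated variant is a byte-wise edit of a message already seen, and the set of distinct messages the parser can distinguish is bounded by the constants it compares against. On the constructed program it recovers both command strings without knowing the dispatcher's API or any prior command list, which is the property the abstract claims for the thesis's method at scale.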
Keywords/Search Tags: malware analysis, botnet, control commands, command and control logic