Posted on 19-Dec-2015
Understanding Botnets: How Massive Internet Break-Ins Fuel an Underground Economy
Jason Franklin and Vern Paxson
Abstract
• We study how the creation of massive networks of compromised machines fuels an underground economy.
• The underground market being studied is a central point for miscreant activity including identity theft, phishing, sale of compromised machines, and credit card fraud.
• Through extensive passive monitoring and analysis of this underground marketplace, we hope to establish connections between various facets of illegal online activities.
Measurement Methodology
• Passive monitoring and archival of Internet Relay Chat (IRC) channels
  – 50+ monitored servers
  – Over 7 months of data
  – Over 12 million individual messages from as many as 50k individuals
• Limitations and Complexities
  – No private IRC messages
  – Complex underground dialect (slang)
  – Difficult to establish reputation
[Figure: IRC monitoring setup. Key: S = Server, C = Client, M = Monitor; the monitor sits on the IRC network alongside the clients it observes]
Botnet Definition
• A botnet is a network of compromised machines (bots) remotely controlled by an attacker.
[Figure: botnet structure. Key: B = Bot, U = Uncompromised Host; the Attacker node issues Commands to the bots, and the bots' edges to uncompromised hosts are labelled Attacks]
Underground Market Breakdown

| Item                                          | Times Mentioned | Offered for sale | Wanted  |
|-----------------------------------------------|-----------------|------------------|---------|
| Potential Bots (hacked hosts, roots, shells)  | 760,000         | 500,000          | 300,000 |
| Exploits                                      | 44,000          | 24,000           | 10,000  |
| Spam Related Items                            | 750,000         | 450,000          | 250,000 |
| Credit Cards & Identities                     | 800,000         | 340,000          | 370,000 |
| Compromised E-merchant Accounts               | 300,000         | 170,000          | 160,000 |
| Scam Websites                                 | 310,000         | 200,000          | 130,000 |
Observed Relationships and Causality
[Figure: relationship diagram linking the following nodes: Stolen Credit Cards, Botnets, Exploits, Spam, Phishing & Identity Theft, Scam Websites, Compromised E-Merchants, Credit Card Fraud, Hacked Databases, Identities, Underground Currency, Credit Cards]
Market at a Glance
[Figure: percentage of monitored messages (y-axis) against number of days monitored (x-axis)]
Vulnerability Alerts, Exploits, and Potential Bots
• Vertical lines represent releases of major vulnerability alerts.
[Figure: percentage of monitored messages mentioning exploits and potential bots (y-axis) against number of days monitored (x-axis), with vertical lines at alert releases]
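The measurement pipeline behind the market breakdown table and the alert time-series plot, as an added example that is not the authors' tooling: it parses archived channel messages, tags each with a market category and with whether the item is offered or wanted, tabulates the counts, and computes the per-day share of messages in a category before and after a vulnerability alert date. The log lines, the keyword dictionary, the `YYYY-MM-DD <nick> text` line format and the alert date are all constructed assumptions standing in for the paper's much larger slang mapping and seven-month archive.

```python
"""Toy passive-monitoring pipeline (added example, not the paper's code):
classify archived IRC messages by underground-market category and by
offered/wanted, then tabulate counts and per-day message share."""
import re
from collections import Counter
from datetime import date

# Constructed sample log in "YYYY-MM-DD <nick> text" form (assumption).
SAMPLE_LOG = """\
2005-06-01 <alpha> selling 200 roots, msg me
2005-06-01 <beta> wtb fresh cc with cvv2
2005-06-01 <gamma> anyone have shells on fast lines?
2005-06-02 <delta> have exploit for the new advisory, selling
2005-06-02 <alpha> need spam list, usa only
2005-06-03 <eps> selling paypal accounts verified
2005-06-03 <beta> wtb hacked hosts bulk
2005-06-03 <zeta> scam page hosting available
2005-06-03 <eta> selling exploit, tested, pm
"""

# Constructed alert date used for the before/after comparison (assumption).
ALERT_DAY = date(2005, 6, 2)

# Crude keyword stand-in for the paper's hand-built dictionary of market slang
# (assumption; the real dialect mapping is far larger).
CATEGORIES = {
    "Potential Bots": r"\b(roots?|shells?|hacked hosts?|bots?)\b",
    "Exploits": r"\b(exploits?|0day|advisory)\b",
    "Spam Related Items": r"\b(spam|mailer|list)\b",
    "Credit Cards & Identities": r"\b(cc|cvv2?|fullz|ssn)\b",
    "Compromised E-merchant Accounts": r"\b(paypal|ebay) accounts?\b",
    "Scam Websites": r"\b(scam (page|site)|phish(ing)? (page|site))\b",
}
# "Wanted" is tested first so that "anyone have X" is not read as an offer.
WANTED = re.compile(r"\b(wtb|need|anyone have|buying|looking for)\b", re.I)
OFFERED = re.compile(r"\b(selling|have|available|wts)\b", re.I)
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) <([^>]+)> (.*)$")


def parse_log(text):
    """Yield (day, nick, message) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield date.fromisoformat(m.group(1)), m.group(2), m.group(3)


def classify(message):
    """Return (set of matching category names, 'wanted' | 'offered' | None)."""
    cats = {name for name, pat in CATEGORIES.items()
            if re.search(pat, message, re.I)}
    if WANTED.search(message):
        side = "wanted"
    elif OFFERED.search(message):
        side = "offered"
    else:
        side = None
    return cats, side


def market_breakdown(text):
    """Per-category Counter with 'mentioned', 'offered' and 'wanted' tallies,
    the three columns of the market breakdown table."""
    table = {name: Counter() for name in CATEGORIES}
    for _, _, msg in parse_log(text):
        cats, side = classify(msg)
        for c in cats:
            table[c]["mentioned"] += 1
            if side:
                table[c][side] += 1
    return table


def daily_share(text, category):
    """Percentage of each day's monitored messages that mention `category`
    (the y-axis of the time-series plots), keyed by day in date order."""
    total, hits = Counter(), Counter()
    for day, _, msg in parse_log(text):
        total[day] += 1
        if category in classify(msg)[0]:
            hits[day] += 1
    return {d: 100.0 * hits[d] / total[d] for d in sorted(total)}


def share_around_alert(text, category, alert_day):
    """Mean daily share strictly before vs. on/after the alert date, the
    comparison the vertical alert lines invite. Returns (before, after)."""
    shares = daily_share(text, category)
    before = [v for d, v in shares.items() if d < alert_day]
    after = [v for d, v in shares.items() if d >= alert_day]
    mean = lambda xs: sum(xs) / len(xs) if xs else 0.0
    return mean(before), mean(after)


if __name__ == "__main__":
    for name, counts in market_breakdown(SAMPLE_LOG).items():
        print(f"{name:32} mentioned={counts['mentioned']:2} "
              f"offered={counts['offered']:2} wanted={counts['wanted']:2}")
    print("Exploits share before/after alert:",
          share_around_alert(SAMPLE_LOG, "Exploits", ALERT_DAY))
```

On the constructed log the Exploits share rises from 0% on the day before the alert to a mean of 37.5% on and after it; with real data the same function is what you would run with each alert date from a vulnerability feed to test the poster's "market as oracle" idea.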
Complex Social Network
• Future work includes leveraging social network analysis techniques to map connections between players.
[Figure: social network of market players with node labels "Carders", Buyers, Identity Thieves, Crackers, Sellers, Insiders, Market, Traders]
Conclusion
• Preliminary results show that underground markets aggregate information which is otherwise difficult to observe.
• Monitoring underground markets may be useful as a predictor of future widespread malicious activities on the Internet. We may be able to use the market as an oracle.
• Future analysis of the complex relationships between market players is required.
Acknowledgements
• We would like to thank Rob Thomas of Team Cymru for providing access to the IRC logs.
• We would also like to thank Stefan Savage, Robin Sommer, and Nick Weaver for their comments and suggestions.
• This research was performed while on appointment as a U.S. Department of Homeland Security (DHS) Fellow under the DHS Scholarship and Fellowship Program, a program administered by the Oak Ridge Institute for Science and Education (ORISE) for DHS through an interagency agreement with the U.S. Department of Energy (DOE). ORISE is managed by Oak Ridge Associated Universities under DOE contract number DE-AC05-00OR22750. All opinions expressed in this paper are the author's and do not necessarily reflect the policies and views of DHS, DOE, or ORISE.
• The research described here was performed at the Lawrence Berkeley National Laboratory and supported by the Director, Office of Science, Office of Workforce Development for Teachers and Scientists, of the U.S. Department of Energy under Contract No. DE-AC02-05CH11231.