Team for Research in
Ubiquitous Secure Technology

Characterizing the Remote Control Behavior of Bots
Elizabeth Stinson

Citation
Elizabeth Stinson. "Characterizing the Remote Control Behavior of Bots". Talk or presentation, 11, October, 2007.

Abstract
A botnet is a collection of bots, each generally running on a compromised system and responding to commands over a “command-and-control” overlay network. We investigate observable differences in the behavior of bots and benign programs, focusing on the way that bots respond to data received over the network. Our experimental platform monitors execution of an arbitrary Win32 binary, considering data received over the network to be tainted, applying library-call-level taint propagation, and checking for tainted arguments to selected system calls. As a way of further distinguishing locally-initiated from remotely-initiated actions, we capture and propagate “cleanliness” of local user input (as received via the keyboard or mouse). Testing indicates behavioral separation of major bot families (agobot, DSNXbot, evilbot, G-SySbot, sdbot, Spybot) from benign programs with low error rate.

Botnets have been instrumental in distributed denial of service attacks, click fraud, phishing, malware distribution, manipulation of online polls and games, and identity theft. As much as 70% of all spam may be transmitted through botnets and as many as 25% of all computers may be participants in a botnet. A bot master (or “botherder”) directs the activities of a botnet by issuing commands that are transmitted over a command-and-control (C&C) overlay network. Some previous network-based botnet detection efforts have attempted to exploit this ongoing C&C behavior or its side effects. Our work investigates the potential for host-based behavioral bot detection. In particular, we test the hypothesis that the behavior of installed bots can be characterized in a way that distinguishes malicious bots from innocuous processes. We are not aware of any prior studies of this topic.

Each participating bot independently executes each command received over the C&C network. A bot command takes some number of parameters (possibly zero) – each of a particular type – in some fixed order. For example, many bots provide a web-download command, which commonly takes two parameters; the first is a URL that identifies a remote resource (typically a file) that should be downloaded, and the second is the file path on the host system at which to store the downloaded data. A botnet constitutes a remotely programmable platform with the set of commands it supports forming its API.

Many parameterized bot commands are implemented by invoking operating system services on the host system. For example, the web-download command connects to a target over the network, requests some data from that target, and creates a file on the host system; all of these actions (connect, network send and receive, and file creation) are performed via execution of system calls. Typically, a command’s parameters provide information used in the system call invocation. For example, the connect system call takes an IP address argument, which identifies the target host with which a connection should be established. Implementations of the web-download command obtain that target host IP from the given URL parameter. Thus, execution of many parameterized commands causes system call invocations on arguments obtained from those parameters.

In this paper, we test the experimental hypothesis that the remote control of bots through parameterized commands separates bot behavior from normal execution of innocuous programs. We postulate that a process exhibits external or remote control when it uses data received from the network (an untrusted source) in a system call argument (a trusted sink). We test our hypothesis via a prototype implementation, BotSwat, designed for the environment in which the vast majority of bots operate: home users’ PCs running Windows XP or 2000. BotSwat can monitor execution of an arbitrary Win32 binary and interposes on the run-time library calls (including system calls) made by a process. We consider data received over the network to be tainted and track tainted data as it propagates via dynamic library calls to other memory regions. We identify execution of parameterized bot commands when tainted arguments are supplied to select gate functions, which are system calls used in malicious bot activity.

Our experimental results suggest that the presence of network packet contents in selected system call arguments is an effective indicator for malicious Win32 bots, including tested variants of agobot, DSNXbot, evilbot, G-SySbot, sdbot, and Spybot. Bots from these families constitute 98.2% of malicious bots seen in the wild. While these bots may implement commands in significantly different ways, similarities in the way they respond to external control allow a single approach to identify them. Additionally, the thousands of variants of each such family generally differ in ways that will not affect our ability to detect them; this is in contrast to traditional anti-malware signature scanners which may require a distinct signature for each variant. Moreover, our generic approach does not rely on a particular command-and-control communication protocol (e.g., IRC) or botnet structure (e.g., centralized or peer-to-peer).
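The abstract describes three moving parts: a taint source (bytes received from the network), taint propagation through wrapped library calls, and gate functions (selected system calls) that raise an alert when handed a tainted argument, with locally entered user input carrying a competing "clean" label. The following Python model is an added illustration written for this page; it is not BotSwat's code and does not reproduce its Win32 interposition. The rule that a clean-and-tainted mix counts as clean, the `Tainted` wrapper, the `Monitor` gate class, and the sample command line are all constructed for the example.

```python
"""Toy model of library-call-level taint tracking used to flag remotely
controlled behaviour (added example; not the paper's implementation)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List

NET = "network"   # untrusted source: bytes received over a socket
USER = "user"     # clean source: keyboard/mouse input from the local user


@dataclass(frozen=True)
class Tainted:
    """A string value plus the set of sources its bytes derive from."""
    value: str
    sources: FrozenSet[str] = frozenset()

    def is_remote_controlled(self) -> bool:
        # Model rule (an assumption of this example, not the paper's): a
        # value is remotely controlled when it derives from network data
        # and no part of it came from local user input.
        return NET in self.sources and USER not in self.sources


def recv(payload: str) -> Tainted:
    """Network receive: everything that comes off the wire is tainted."""
    return Tainted(payload, frozenset({NET}))


def read_keyboard(text: str) -> Tainted:
    """Local user input: marked clean."""
    return Tainted(text, frozenset({USER}))


# Library calls that propagate labels: the output inherits the union of
# the sources of every input that contributed bytes to it.
def concat(a: Tainted, b: Tainted) -> Tainted:
    return Tainted(a.value + b.value, a.sources | b.sources)


def split(s: Tainted, sep: str) -> List[Tainted]:
    return [Tainted(part, s.sources) for part in s.value.split(sep)]


def url_host(url: Tainted) -> Tainted:
    """Extract the host part of a URL; it inherits the URL's sources."""
    rest = url.value.split("://", 1)[-1]
    return Tainted(rest.split("/", 1)[0], url.sources)


@dataclass
class Monitor:
    """Gate functions: system calls checked for remotely controlled arguments."""
    alerts: List[str] = field(default_factory=list)

    def _gate(self, syscall: str, arg: Tainted) -> None:
        if arg.is_remote_controlled():
            self.alerts.append(f"{syscall}({arg.value!r}) uses network-derived data")

    def connect(self, host: Tainted) -> None:
        self._gate("connect", host)

    def create_file(self, path: Tainted) -> None:
        self._gate("CreateFile", path)


def handle_download(mon: Monitor, url: Tainted, path: Tainted) -> None:
    """A web-download command as either a bot or a browser would perform it."""
    mon.connect(url_host(url))
    mon.create_file(path)


def run_bot_scenario() -> List[str]:
    """Constructed C&C line 'download <url> <path>' arrives over the network."""
    mon = Monitor()
    line = recv("download http://203.0.113.5/update.exe C:\\Windows\\Temp\\u.exe")
    cmd, url, path = split(line, " ")
    if cmd.value == "download":
        handle_download(mon, url, path)
    return mon.alerts  # both gate calls fire: connect and CreateFile


def run_benign_scenario() -> List[str]:
    """Same two system calls, but URL and path were typed by the local user."""
    mon = Monitor()
    url = read_keyboard("http://example.org/report.pdf")
    path = read_keyboard("C:\\Users\\me\\Downloads\\report.pdf")
    handle_download(mon, url, path)
    return mon.alerts  # empty: arguments are clean


def run_mixed_scenario() -> List[str]:
    """Network-supplied directory joined with a user-typed name: under this
    model's rule the user's contribution makes the argument clean."""
    mon = Monitor()
    server_dir = recv("C:\\Temp\\")
    name = read_keyboard("notes.txt")
    mon.create_file(concat(server_dir, name))
    return mon.alerts
```

The point the model makes is the one the abstract argues: the bot and the benign program issue identical system calls with structurally identical arguments, and the only thing that separates them is where the bytes in those arguments came from. Real taint tracking at library-call granularity has to decide what to do with partially tainted buffers and with data that crosses through calls it does not wrap; the mixed scenario shows one such policy choice, and a different choice (taint wins) would flag it instead.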

Electronic downloads


Internal. This publication has been marked by the author for TRUST-only distribution, so electronic downloads are not available without logging in.
Citation formats  
  • HTML
    Elizabeth Stinson. <a
    href="http://www.truststc.org/pubs/306.html"
    ><i>Characterizing the Remote Control Behavior of
    Bots</i></a>, Talk or presentation,  11,
    October, 2007.
  • Plain text
    Elizabeth Stinson. "Characterizing the Remote Control
    Behavior of Bots". Talk or presentation,  11, October,
    2007.
  • BibTeX
    @presentation{Stinson07_CharacterizingRemoteControlBehaviorOfBots,
        author = {Elizabeth Stinson},
        title = {Characterizing the Remote Control Behavior of Bots},
        day = {11},
        month = {October},
        year = {2007},
        abstract = {A botnet is a collection of bots, each generally
                  running on a compromised system and responding to
                  commands over a “command-and-control” overlay
                  network. We investigate observable differences in
                  the behavior of bots and benign programs, focusing
                  on the way that bots respond to data received over
                  the network. Our experimental platform monitors
                  execution of an arbitrary Win32 binary,
                  considering data received over the network to be
                  tainted, applying library-call-level taint
                  propagation, and checking for tainted arguments to
                  selected system calls. As a way of further
                  distinguishing locally-initiated from
                  remotely-initiated actions, we capture and
                  propagate “cleanliness” of local user input
                  (as received via the keyboard or mouse). Testing
                  indicates behavioral separation of major bot
                  families (agobot, DSNXbot, evilbot, G-SySbot,
                  sdbot, Spybot) from benign programs with low error
                  rate. Botnets have been instrumental in
                  distributed denial of service attacks, click
                  fraud, phishing, malware distribution,
                  manipulation of online polls and games, and
                  identity theft. As much as 70% of all spam may be
                  transmitted through botnets and as many as 25% of
                  all computers may be participants in a botnet. A
                  bot master (or “botherder”) directs the
                  activities of a botnet by issuing commands that
                  are transmitted over a command-and-control (C\&C)
                  overlay network. Some previous network-based
                  botnet detection efforts have attempted to exploit
                  this ongoing C\&C behavior or its side effects. Our
                  work investigates the potential for host-based
                  behavioral bot detection. In particular, we test
                  the hypothesis that the behavior of installed bots
                  can be characterized in a way that distinguishes
                  malicious bots from innocuous processes. We are
                  not aware of any prior studies of this
                  topic. Each participating bot independently
                  executes each command received over the C\&C
                  network. A bot command takes some number of
                  parameters (possibly zero) – each of a
                  particular type – in some fixed order. For
                  example, many bots provide a web-download command,
                  which commonly takes two parameters; the first is
                  a URL that identifies a remote resource (typically
                  a file) that should be downloaded, and the second
                  is the file path on the host system at which to
                  store the downloaded data. A botnet constitutes a
                  remotely programmable platform with the set of
                  commands it supports forming its API. Many
                  parameterized bot commands are implemented by
                  invoking operating system services on the host
                  system. For example, the web-download command
                  connects to a target over the network, requests
                  some data from that target, and creates a file on
                  the host system; all of these actions (connect,
                  network send and receive, and file creation) are
                  performed via execution of system calls.
                  Typically, a command’s parameters provide
                  information used in the system call invocation.
                  For example, the connect system call takes an IP
                  address argument, which identifies the target host
                  with which a connection should be established.
                  Implementations of the web-download command obtain
                  that target host IP from the given URL parameter.
                  Thus, execution of many parameterized commands
                  causes system call invocations on arguments
                  obtained from those parameters. In this paper,
                  we test the experimental hypothesis that the
                  remote control of bots through parameterized
                  commands separates bot behavior from normal
                  execution of innocuous programs. We postulate that
                  a process exhibits external or remote control when
                  it uses data received from the network (an
                  untrusted source) in a system call argument (a
                  trusted sink). We test our hypothesis via a
                  prototype implementation, BotSwat, designed for
                  the environment in which the vast majority of bots
                  operate: home users’ PCs running Windows XP or
                  2000. BotSwat can monitor execution of an
                  arbitrary Win32 binary and interposes on the
                  run-time library calls (including system calls)
                  made by a process. We consider data received over
                  the network to be tainted and track tainted data
                  as it propagates via dynamic library calls to
                  other memory regions. We identify execution of
                  parameterized bot commands when tainted arguments
                  are supplied to select gate functions, which are
                  system calls used in malicious bot
                  activity. Our experimental results suggest that
                  the presence of network packet contents in
                  selected system call arguments is an effective
                  indicator for malicious Win32 bots, including
                  tested variants of agobot, DSNXbot, evilbot,
                  G-SySbot, sdbot, and Spybot. Bots from these
                  families constitute 98.2% of malicious bots seen
                  in the wild. While these bots may implement
                  commands in significantly different ways,
                  similarities in the way they respond to external
                  control allow a single approach to identify them.
                  Additionally, the thousands of variants of each
                  such family generally differ in ways that will not
                  affect our ability to detect them; this is in
                  contrast to traditional anti-malware signature
                  scanners which may require a distinct signature
                  for each variant. Moreover, our generic approach
                  does not rely on a particular command-and-control
                  communication protocol (e.g., IRC) or botnet
                  structure (e.g., centralized or peer-to-peer).},
        URL = {http://www.truststc.org/pubs/306.html}
    }

Posted by Larry Rohrbough on 16 Oct 2007.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.