nach oben

International Journal of Information Security

Erschienen in:

01.10.2016 | Regular Contribution

New facets of mobile botnet: architecture and evaluation

verfasst von: Marios Anagnostopoulos, Georgios Kambourakis, Stefanos Gritzalis

Erschienen in: International Journal of Information Security | Ausgabe 5/2016

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

It is without a doubt that botnets pose a growing threat to the Internet, with DDoS attacks of any kind carried out by botnets to be on the rise. Nowadays, botmasters rely on advanced Command and Control (C&C) infrastructures to achieve their goals and most importantly to remain undetected. This work introduces two novel botnet architectures that consist only of mobile devices and evaluates both their impact in terms of DNS amplification and TCP flooding attacks, and their cost pertaining to the maintenance of the C&C channel. The first one puts forward the idea of using a continually changing mobile HTTP proxy in front of the botherder, while the other capitalizes on DNS protocol as a covert channel for coordinating the botnet. That is, for the latter, the messages exchanged among the bots and the herder appear as legitimate DNS transactions. Also, a third architecture is described and assessed, which is basically an optimized variation of the first one. Namely, it utilizes a mixed layout where all the attacking bots are mobile, but the proxy machines are typical PCs not involved in the actual attack. For the DNS amplification attack, which is by nature more powerful, we report an amplification factor that fluctuates between 32.7 and 34.1. Also, regarding the imposed C&C cost, we assert that it is minimal (about 0.25 Mbps) per bot in the worst case happening momentarily when the bot learns about the parameters of the attack.

Nächster Artikel If it looks like a spammer and behaves like a spammer, it must be a spammer: analysis and detection of microblogging spam accounts

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Ianelli, N., Hackworth, A.: Botnets as a vehicle for online crime. In: CERT Coordination Center (2005)

Nazario, J., Holz, T.: As the net churns: fast-flux botnet observations. In: 3rd International Conference on Malicious and Unwanted Software, 2008. MALWARE 2008, pp. 24–31 Oct (2008)

Holz, T., Gorecki, C., Rieck, K., Freiling, F.C.: Measuring and detecting fast-flux service networks (2008). In: Symposium on Network and Distributed System Security - NDSS(2008)

Antonakakis, M., Perdisci, R., Nadji, Y., Vasiloglou, N., Abu-Nimeh, S., Lee, W., Dagon, D.: From throw-away traffic to bots: detecting the rise of DGA-based Malware. In: Proceedings of the 21st USENIX Security Symposium (USENIX Security 12), pp. 491–506, USENIX, Bellevue, WA (2012)

Anagnostopoulos, M., Kambourakis, G., Kopanos, P., Louloudakis, G., Gritzalis, S.: DNS amplification attack revisited. Comput. Secur. 39(Part B), 475–485 (2013)CrossRef

Gu, G., Perdisci, R., Zhang, J., Lee, W. et al.: BotMiner: clustering analysis of network traffic for protocol-and structure-independent botnet detection. In: Proceedings of the 17th Conference on Security Symposium, USENIX Association, pp. 139–154 (2008)

Pinto, R.C.G., Silva, S.S.C., Silva, R.M.P., Salles, R.M.: Botnets: a survey. Comput. Netw. 57(2), 378–403 (2013)CrossRef

Binsalleeh, H., Kara, A.M., Youssef, A., Debbabi, M.: Characterization of covert channels in DNS. In 6th International Conference on New Technologies, Mobility and Security (NTMS), 2014, pp. 1–5, March (2014)

Dietrich, C.J., Rossow, C., Freiling, F.C., Bos, H., van Steen, M., Pohlmann, N.: On botnets that use DNS for command and control. In Seventh European Conference on Computer Network Defense (EC2ND), 2011, pp. 9–16, Sept (2011)

10.

Wang, P., Wu, L., Aslam, B., Zou, C.C.: A systematic study on peer-to-peer botnets. In Proceedings of 18th International Conference on Computer Communications and Networks (ICCN2009), IEEE, pp. 1–8. (2009)

11.

Wang, P., Sparks, S., Zou, C.C.: An advanced hybrid peer-to-peer botnet. IEEE Trans. Dependable Secure Comput. 7(2), 113–127 (2010)CrossRef

12.

Cooke, E., Jahanian, F., McPherson, D.: The zombie roundup: understanding, detecting, and disrupting botnets. In Proceedings of the USENIX Steps to Reducing Unwanted Traffic on the Internet (SRUTI05) Workshop, vol. 39, p. 44 (2005)

13.

Damopoulos, D., Kambourakis, G., Anagnostopoulos, M., Gritzalis, S., Park, J.H.: User privacy and modern mobile services: are they on the same path? Pers. Ubiquitous Comput. 17(7), 1437–1448 (2013)CrossRef

14.

Apvrille, A.: Symbian worm yxes: towards mobile botnets? J. Comput. Virol. 8(4), 117–131 (2012)CrossRef

15.

Porras, P., Saidi, H., Yegneswaran, V.: An analysis of the iKee. b iPhone botnet. In Security and Privacy in Mobile Information and Communication Systems, pp. 141–152. Springer (2010)

16.

Pieterse, H., Olivier, M.S.: Android botnets on the rise: trends and characteristics. In: Information Security for South Africa (ISSA), 2012, pp. 1–5, Aug (2012)

17.

Zhou, Y., Jiang, X.: Dissecting android malware: characterization and evolution. In IEEE Symposium on Security and Privacy (SP), 2012, pp. 95–109, May (2012)

18.

La Polla, M., Martinelli, F., Sgandurra, D.: A survey on security for mobile devices. IEEE Commun. Surv. Tutor. 15(1), 446–471 (2013)CrossRef

19.

Singh, K., Sangal, S., Jain, N., Traynor, P., Lee, W.: Evaluating bluetooth as a medium for botnet command and control. In Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 61–80. Springer (2010)

20.

Hua, J., Sakurai, K.: A SMS-based mobile botnet using flooding algorithm. In: Information Security Theory and Practice. Security and Privacy of Mobile Devices in Wireless Communication, pp. 264–279. Springer (2011)

21.

Mulliner, C., Seifert, J.P.: Rise of the iBots: owning a telco network. In: 5th International Conference on Malicious and Unwanted Software (MALWARE) 2010, IEEE, pp. 71–80. (2010)

22.

Xiang, C., Binxing, F., Lihua, Y., Xiaoyi, L., Tianning, Z.: Andbot: towards advanced mobile botnets. In: Proceedings of the 4th USENIX conference on Large-scale exploits and emergent threats, p. 11. USENIX Association, Berkeley, CA, USA (2011)

23.

Faghani, M.R., Nguyen, U.T.: Socellbot: a new botnet design to infect smartphones via online social networking. In: 25th IEEE Canadian Conference on Electrical Computer Engineering (CCECE), 2012, pp. 1–5, April (2012)

24.

Zhao, S., Lee, P.P.C., Lui, J.C.S., Guan, X., Ma, X., Tao, J.: Cloud-based push-styled mobile botnets: a case study of exploiting the cloud to device messaging service. In: Proceedings of the 28th Annual Computer Security Applications Conference, ACSAC ’12, pp. 119–128, ACM, New York, NY, USA (2012)

25.

Hasan, R., Saxena, N., Haleviz, T., Zawoad, S., Rinehart, D.: Sensing-enabled channels for hard-to-detect command and control of mobile devices. In: Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ASIA CCS ’13, pp. 469–480, ACM, New York, NY, USA (2013)

26.

Dagon, D., Zou, C.C., Lee, W.: Modeling botnet propagation using time zones. In Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS’06), vol. 6, pp. 2–13 (2006)

27.

Felt, A.P., Finifter, M., Chin, E., Hanna, S., Wagner, D.: A survey of mobile malware in the wild. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM ’11, pp. 3–14, ACM, New York, NY, USA (2011)

28.

Knysz, M., Hu, X., Zeng, Y., Shin, K.G.: Open WiFi networks: lethal weapons for botnets? In: INFOCOM, 2012 Proceedings IEEE, pp. 2631–2635, March (2012)

29.

Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: RFC 4033: DNS security introduction and requirements. http://www.ietf.org/rfc/rfc4033.txt (2005)

30.

Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: RFC 4034: Resource records for the DNS security extensions. http://www.ietf.org/rfc/rfc4034.txt (2005)

31.

Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: RFC 4035: Protocol modifications for the DNS security extensions. http://www.ietf.org/rfc/rfc4035.txt (2005)

32.

Anagnostopoulos, M., Kambourakis, G., Konstantinou, E., Gritzalis, S.: DNSSEC vs. DNSCurve: A Side-by-Side Comparison, p. 201. IGI Global (2012)

33.

Rijswijk-Deij, van R., Sperotto, A., Pras, A.: DNSSEC and its potential for DDoS attacks: a comprehensive measurement study. In: Proceedings of the 2014 Conference on Internet Measurement Conference, IMC ’14, pp. 449–460, ACM, New York, NY, USA (2014)

34.

Scapy project. http://www.secdev.org/projects/scapy/

35.

Eslahi, M., Salleh, R., Anuar, N.B.: MoBots: a new generation of botnets on mobile devices and networks. In: IEEE Symposium on Computer Applications and Industrial Electronics (ISCAIE), 2012, pp. 262–266, Dec (2012)

36.

Reinfelder, L., Benenson, Z., Gassmann, F.: Differences between android and iphone users in their security and privacy awareness. In: Eckert, C., Katsikas, S.K., Pernul, G., (eds.), Trust, Privacy, and Security in Digital Business, vol. 8647 of Lecture Notes in Computer Science, pp. 156–167. Springer International Publishing (2014)

37.

Schmidt, A.-D., Bye, R., Schmidt, H.-G., Clausen, J., Kiraz, O., Yuksel, K.A., Camtepe, S.A., Albayrak, S.: Static analysis of executables for collaborative malware detection on android. In: IEEE International Conference on Communications, 2009. ICC ’09, pp. 1–5, June (2009)

38.

Abdullah, Z., Saudi, M.M., Anuar, N.B.: Mobile botnet detection: proof of concept. In: IEEE 5th Control and System Graduate Research Colloquium (ICSGRC), 2014, pp. 257–262, Aug (2014)

39.

Burguera, I., Zurutuza, U., Nadjm-Tehrani, S.: Crowdroid: behavior-based malware detection system for android. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM ’11, pp. 15–26, ACM, New York, NY, USA (2011)

40.

Feizollah, A., Anuar, N.B., Salleh, R., Amalina, F., Maarof, Rauf Ridzuan, Shamshirband, Shahaboddin: A study of machine learning classifiers for anomaly-based mobile botnet detection. Malays. J. Comput. Sci. 26(4), 251–265 (2014)

41.

Vural, I., Venter, H.: Mobile botnet detection using network forensics. In: ArneJ. Berre, Asuncion Gomez-Perez, Kurt Tutschku, and Dieter Fensel, editors, Future Internet—FIS 2010, vol. 6369 of Lecture Notes in Computer Science, pp. 57–67. Springer, Berlin (2010)

42.

Oberheide, J., Cooke, E., Jahanian, F.: CloudAV: N-version antivirus in the network cloud. In 17th USENIX Security Symposium, pp. 91–106 (2008)

43.

Portokalidis, G., Homburg, P., Anagnostakis, K., Bos, H.: Paranoid android: versatile protection for smartphones. In: Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC ’10, pp. 347–356, ACM, New York, NY, USA, (2010)

44.

Damopoulos, D., Kambourakis, G., Portokalidis, G.: The best of both worlds: a framework for the synergistic operation of host and cloud anomaly-based IDS for smartphones. In: Proceedings of the Seventh European Workshop on System Security, EuroSec ’14, pp. 6:1–6:6, ACM, New York, NY, USA (2014)

45.

Tsiatsikas, Z., Anagnostopoulos, M., Kambourakis, G., Lambrou, S., Geneiatakis, D.: Hidden in plain sight. SDP-Based covert channel for botnet communication. In: Fischer-Hubner, S., Lambrinoudakis, C., Lopez, J. (eds.), Trust, Privacy and Security in Digital Business, vol. 9264 of Lecture Notes in Computer Science, pp. 48–59. Springer International Publishing (2015)

Titel: New facets of mobile botnet: architecture and evaluation
verfasst von: Marios Anagnostopoulos
Georgios Kambourakis
Stefanos Gritzalis
Publikationsdatum: 01.10.2016
Verlag: Springer Berlin Heidelberg
Erschienen in: International Journal of Information Security / Ausgabe 5/2016
Print ISSN: 1615-5262
Elektronische ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-015-0310-0

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 5/2016

Private and oblivious set and multiset operations

Time-specific encryption from forward-secure encryption: generic and direct constructions

Efficient wildcard search over encrypted data

If it looks like a spammer and behaves like a spammer, it must be a spammer: analysis and detection of microblogging spam accounts

Efficient and verifiable algorithms for secure outsourcing of cryptographic computations