DeepAI AI Chat
Log In Sign Up

Mining Function Homology of Bot Loaders from Honeypot Logs

by   Yuhui Zhu, et al.

Self-contained loaders are widely adopted in botnets for injecting loading commands and spawning new bots. While researchers can dissect bot clients to get various information of botnets, the cloud-based and self-contained design of loaders effectively hinders researchers from understanding the loaders' evolution and variation using classic methods. The decoupled nature of bot loaders also dramatically reduces the feasibility of investigating relationships among clients and infrastructures. In this paper, we propose a text-based method to investigate and analyze details of bot loaders using honeypots. We leverage high interaction honeypots to collect request logs and define eight families of bot loaders based on the result of agglomerative clustering. At the function level, we push our study further to explore their homological relationship based on similarity analysis of request logs using sequence aligning techniques. This further exploration discloses that the released code of Mirai keeps spawning new generations of botnets both on the client and the server side. This paper uncovers the homology of active botnet infrastructures, providing a new prospect on finding covert relationships among cybercrimes. Bot loaders are precisely investigated at the function level to yield a new insight for researchers to identify the botnet's infrastructures and track their evolution over time.


Secure Consistency Verification for Untrusted Cloud Storage by Public Blockchains

This work presents ContractChecker, a Blockchain-based security protocol...

FAURAS: A Proxy-based Framework for Ensuring the Fairness of Adaptive Video Streaming over HTTP/2 Server Push

HTTP/2 video streaming has caught a lot of attentions in the development...

Anomaly Detection for Network Connection Logs

We leverage a streaming architecture based on ELK, Spark and Hadoop in o...

Devils in the Clouds: An Evolutionary Study of Telnet Bot Loaders

One of the innovations brought by Mirai and its derived malware is the a...

Comparing Constraints Mined From Execution Logs to Understand Software Evolution

Complex software systems evolve frequently, e.g., when introducing new f...

TCP SYN Cookie Vulnerability

TCP SYN Cookies were implemented to mitigate against DoS attacks. It ens...