Monday, December 03, 2007

Technical Report: Characterizing the IRC-based Botnet Phenomenon

Thorsten Holz writes on The Honeyblog:

Together with a few researchers from China, we studied IRC-based botnets in order to understand the extent of this phenomenon. Using different kinds of honeypots and several sensors deployed across different regions in China, we were able to collect thousands of bot binaries. With the help of a behavior-based analysis mechanism similar to CWSandbox, we could extract the Command & Control (C&C) server in an automated way. In a third step, we used this information to connect to the actual C&C server and passively monitored the activity in the channel.

Furthermore, we also actively probed the C&C servers to find out other characteristics of these machines. The complete setup and our results are described in a technical report [.pdf] we just published.

More here.
