Published in: IEEE Transactions on Dependable and Secure Computing

Still Beheading Hydras: Botnet Takedowns Then and Now


Abstract

Devices infected with malicious software typically form botnet armies under the influence of one or more command and control (C&C) servers. The botnet problem has reached such levels that federal law enforcement agencies have had to step in and take action against botnets by disrupting (or "taking down") their C&Cs, and thus their illicit operations. Lately, more and more private companies have started to independently take action against botnet armies, primarily focusing on their DNS-based C&Cs. While well-intentioned, their C&C takedown methodology is in most cases ad hoc, and limited by the breadth of knowledge available about the malware that facilitates the botnet. With this paper, we aim to bring order, measure, and reason to the botnet takedown problem. We improve an existing takedown analysis system called rza. Specifically, we examine additional botnet takedowns, enhance the risk calculation to use botnet population counts, and include a detailed discussion of policy improvements that can be made to improve takedowns. As part of our system evaluation, we perform a postmortem analysis of the recent 3322.org, Citadel, and No-IP takedowns.
