
Visualizing Spatial and Temporal Dynamics of a Class of IRC-Based Botnets


Abstract

Botnets are a serious threat to the security of personal computers, businesses and even countries. They can launch attacks on remote systems and infrastructure, perform espionage and, once installed, essentially hand control of the computer over to a botnet administrator. Their presence in a network is very difficult to detect because their footprint is hard to distinguish from normal traffic. Using Internet Relay Chat (IRC)-based botnets as an example for visualizing spatial and temporal dynamics, I will attempt to detect the presence of a bot and visualize the results. Based on previous work on detecting malware, process-to-port mapping was chosen as the base metric for visualization. Investigation into botnets was an integral part of the thesis; published sources along with research into botnet administrator communities were used to provide a solid information base. A bot application, which is part of a botnet, can be regarded in the same way as any other piece of software, but with added functionality for communication and remote control. As such, it is bound by the same proprietary technologies. The thesis focuses on a method of detection that relies on IP and port pairs combined with host computer metrics, which can be expanded to a distributed context with the use of the Simple Network Management Protocol (SNMP). Software for process-to-port mapping and visualization of a botnet has been developed with a focus on geographical location. Using geography for the visualization application proved to be a good choice, and communicating applications are shown in a distinct and clear way. The experiments conducted successfully detected and visualized the bot communicating with its command and control server while metrics were collected on a host machine. The developed visualization software also shows general network activity and has the potential to be used in a more general context.
It is concluded that, given some preconditions regarding a bot's rootkit capabilities, detection of a botnet is successful. Given the availability of certain SNMP OIDs, it is possible to perform botnet detection and general network visualization in a large-scale and distributed context.

Bibliographic record

  • Author

    Hegna Andreas;

  • Affiliation
  • Year 2010
  • Total pages
  • Original format PDF
  • Language eng
  • Chinese Library Classification
