CT-ISG: Understanding Botnet Command and Control (C&C) Communication

Project Details

Lead PI

Performance Period

Aug 28, 2008 - Aug 31, 2013

Institution(s)

North Carolina State University

Award Number


Outcomes Report URL


Botnets are recognized as one of the most serious threats to today's Internet. One key step in combating them is to understand how the botnet members communicate with each other. Unfortunately, the trend toward obfuscation schemes (e.g., encryption) in recent bots greatly impedes that understanding, because the C&C protocol can no longer be read directly off the wire.

The main thrust of this research is the investigation of several interrelated key techniques that overcome this challenge and significantly enrich the understanding of botnet command and control. Specifically, the work introduces a methodology called context-aware bot execution monitoring, which rests on two observations: (1) because the bot program implements the bot communication protocol, it contains the authoritative protocol logic it will follow when responding and is the ultimate specification of the bot messages it can handle; (2) a bot typically handles different fields of a bot message under different execution contexts (e.g., with different run-time call stacks). Accordingly, this research will collect, characterize, and analyze execution traces annotated with context information in order to discern the individual protocol fields in a bot message, together with their associated semantics.

The broader impact of this research is two-fold: (1) it will significantly enrich the understanding of the botnet threat by not only observing and inferring the network-level interactions among bots, but also exposing the C&C protocol logic behind those detailed bot interactions; (2) results from this research will also lead to the development of education materials for undergraduate and graduate courses and for professional training sessions. The intellectual merit of the work includes a novel approach to reverse engineering the botnet C&C communication protocol.
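The following Python simulation is an added illustration of the context-aware execution monitoring idea described above; it is written for this page and is not the project's tool or code. Everything in it is invented: the toy bot protocol (magic "BT", a command byte, a length field, then a command-specific payload), the handler functions (handle_message, parse_command, do_flood and so on), the single-byte XOR layer xor_crypt that stands in for real encryption, and the TracedMessage wrapper, which logs the run-time call stack (captured from Python frame objects) for every byte the handler reads, standing in for the memory-read instrumentation a real monitor would apply to a bot binary. infer_fields then recovers the message layout purely from which bytes were consumed under which execution context, without any knowledge of the format.

```python
# Simulation written for this page (not the project's tool): a toy, invented
# bot protocol, a toy handler, and a logger that records the call stack under
# which each message byte is read; field boundaries are inferred from that log.
import sys

class TracedMessage:
    """Decrypted message buffer; every byte read is logged with the run-time
    call stack, standing in for memory-read instrumentation of a real bot."""
    def __init__(self, data, root="handle_message"):
        self.data, self.root, self.trace = data, root, []

    def _context(self):
        frames = []
        f = sys._getframe(2)  # skip _context() and read(); start at the reader
        while f is not None:  # walk up to the root handler (inclusive)
            frames.append((f.f_code.co_name, f.f_lineno))
            if f.f_code.co_name == self.root:
                break
            f = f.f_back
        return tuple(reversed(frames))  # (function, line) from root downward

    def read(self, offset, n=1):
        ctx = self._context()
        for i in range(offset, offset + n):
            self.trace.append((i, ctx))
        return self.data[offset:offset + n]

def xor_crypt(buf, key=0x5A):
    """Toy single-byte XOR obfuscation (its own inverse); it hides the field
    layout below from a passive observer on the wire."""
    return bytes(b ^ key for b in buf)

# Toy bot: header = magic "BT", 1-byte command, 2-byte big-endian payload length.
def handle_message(msg):
    check_magic(msg)
    cmd = parse_command(msg)
    length = parse_length(msg)
    if cmd == 0x01:
        return do_flood(msg, 5)
    if cmd == 0x02:
        return do_download(msg, 5, length)
    raise ValueError("unknown command %#x" % cmd)

def check_magic(msg):
    if msg.read(0, 2) != b"BT":
        raise ValueError("bad magic")

def parse_command(msg):
    return msg.read(2)[0]

def parse_length(msg):
    return int.from_bytes(msg.read(3, 2), "big")

def do_flood(msg, off):  # payload: IPv4 target, TCP port, duration in seconds
    ip = ".".join(str(b) for b in parse_ipv4(msg, off))
    return ("flood", ip, parse_port(msg, off + 4), parse_duration(msg, off + 6))

def parse_ipv4(msg, off):
    return msg.read(off, 4)

def parse_port(msg, off):
    return int.from_bytes(msg.read(off, 2), "big")

def parse_duration(msg, off):
    return int.from_bytes(msg.read(off, 2), "big")

def do_download(msg, off, length):  # payload: ASCII URL of `length` bytes
    return ("download", parse_url(msg, off, length))

def parse_url(msg, off, length):
    return msg.read(off, length).decode("ascii")

def infer_fields(trace):
    """Merge consecutive offsets read under an identical call stack into one
    field, labelled with the leaf function that consumed it."""
    first_ctx = {}
    for off, ctx in trace:
        first_ctx.setdefault(off, ctx)  # the first access decides the field
    fields = []
    for off in sorted(first_ctx):
        ctx = first_ctx[off]
        if fields and fields[-1][1] == off - 1 and fields[-1][2] == ctx:
            fields[-1][1] = off  # same context as the previous byte: extend
        else:
            fields.append([off, off, ctx])
    return [(start, end, ctx[-1][0]) for start, end, ctx in fields]

def analyze(wire):
    """Let the bot's own handler consume a captured message; return what the
    bot did and the field layout recovered from the execution trace."""
    msg = TracedMessage(xor_crypt(wire))
    return handle_message(msg), infer_fields(msg.trace)

# Constructed sample C&C messages for the toy protocol, not real bot traffic.
FLOOD_WIRE = xor_crypt(b"BT\x01" + (8).to_bytes(2, "big") + bytes([10, 0, 0, 5])
                       + (80).to_bytes(2, "big") + (30).to_bytes(2, "big"))
DOWNLOAD_WIRE = xor_crypt(b"BT\x02" + (12).to_bytes(2, "big") + b"http://x.io/")
```

Calling analyze(FLOOD_WIRE) returns the bot's action ("flood", "10.0.0.5", 80, 30) together with the recovered layout: bytes 0-1 consumed by check_magic, 2 by parse_command, 3-4 by parse_length, 5-8 by parse_ipv4, 9-10 by parse_port and 11-12 by parse_duration; the download message yields a single 12-byte field consumed by parse_url after the same three header fields, even though both wire images are opaque XOR-obfuscated blobs. Two caveats carry over to real instrumentation: adjacent fields consumed by the same helper from the same call site (for instance a list of targets parsed in a loop) share one context and merge into one field, and a byte touched under several contexts is attributed here to its first access, so a real monitor has to resolve such conflicts rather than pick one.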