Multi-level analysis of Botnets behaviour

2011

Universidade de Aveiro

Departamento de Electrónica,

Telecomunicações e Informática

Rui Sousa

Análise Comportamental Multi-Nível de

Botnets

2011

Universidade de Aveiro

Departamento de Electrónica,

Telecomunicações e Informática

Rui Sousa

Análise Comportamental Multi-Nível de

Botnets

(Multi-Level Analysis of Botnets behaviour)

“When you want to succeed as bad

as you want to breathe, then you’ll

be successful”

2011

Universidade de Aveiro

Departamento de Electrónica,

Telecomunicações e Informática

Rui Sousa

Análise Comportamental Multi-Nível de

Botnets

(Multi-Level Analysis of Botnets behaviour)

Dissertation submitted to University of Aveiro to fulfill the requirements needed

to obtain the Masters degree in Engenharia de Computadores e Telemática,

held under the supervision of Paulo Salvador and António Nogueira, Assistant

Professors at the Department of Electronics, Telecommunications and

Informatics of University of Aveiro.

2011

Universidade de Aveiro

Departamento de Electrónica,

Telecomunicações e Informática

The Jury

President

Examiners

Committee

Rui Luís Andrade Aguiar

Associate Professor at University of Aveiro

Paulo Jorge Salvador Serra Ferreira

Assistant Professor at University of Aveiro(Supervisor)

António Manuel Duarte Nogueira

Assistant Professor at University of Aveiro(Co-Supervisor)

Carlos Manuel da Silva Rabadão

2011

Universidade de Aveiro

Departamento de Electrónica,

Telecomunicações e Informática

Acknowledgements

To my supervisor, Professor Paulo Salvador, as well as

my co-supervisor, Professor António Nogueira, for all the

support and motivation.

To Ivo Petiz, a good friend, for helping me along the way.

To my close friends, for the encouragement given and

pushing me to be a better person and student.

To my family, for being such an inspiration, throughout my

whole life.

And to Silvana, for all the caring and making me want to

thrive.

2011

Universidade de Aveiro

Departamento de Electrónica,

Telecomunicações e Informática

Resumo

Hoje em dia, as redes de computadores têm sido, mais

do que nunca, alvo de ataques de segurança. Estes

ataques tornaram-se bastante complexos, e com

diferentes tipos de motivações. Uma grande parte destes

ataques está ligado a Botnets.

As Botnets podem ser descritas como um grupo de bots

que executam software malicioso autonomamente.

Infectam maioritariamente computadores pessoais, e

começam a executar tarefas automáticamente, sem o

conhecimento dos utilizadores. Os computadores

tornam-se então “parte” da Botnet.

Nesta dissertação, são descritos e analisados diferentes

tipos de Botnets dedicadas ao envio de spam. Após

serem instaladas, o tráfego gerado é capturado,

processado e analisado, por forma a identificar

características que possam diferenciar cada um dos tipos

de Botnets.

São efectuados diferentes níveis de análise, de forma a

compreender todos os mecanismos de funcionamento

destes tipos de redes.

2011

Universidade de Aveiro

Departamento de Electrónica,

Telecomunicações e Informática

Abstract

Nowadays, computer networks are, more than ever, major

targets of security attacks. These attacks became very

complex, and with different kinds of motivations. A major

part of the network attacks is linked to Botnets.

Botnets can be described as a group of bots that run

malicious software autonomously. They mainly infect

personal computers, and start performing automatic

tasks, without the awareness of the users. Computers

then become “part” of the Botnet.

This dissertation will describe and analyse different types

of spam Botnets, by installing them, capturing the

generated traffic and characterizing it, in order to identify

differentiating characteristics that can be used to detect

their activity.

Different levels of analysis are conducted, in order to

understand all the functioning mechanisms of these types

of networks.

Contents i

ListofFigures iii

ListofTables vii

Nomen lature ix

1 Introdu tion 1

1.1 Obje tives . . . 1

1.2 Motivation . . . 2

1.3 DissertationStru ture . . . 2

2 State ofthe Art 3 2.1 Introdu tion. . . 3

2.2 Overviewandevolution . . . 3

2.3 BotnetsClassi ationandBehaviours . . . 6

2.3.1 Most ommonbots . . . 7

2.3.1.1 Agobot . . . 7 2.3.1.2 SDBot . . . 8 2.3.1.3 SpyBot . . . 8 2.3.1.4 GTBot . . . 9 2.3.2 TypesofBotnets . . . 9 2.3.2.1 IRCBotnets . . . 9 2.3.2.2 P2PBotnets . . . 11 2.3.2.3 HTTPBotnets . . . 12 2.4 Dete tionMe hanisms . . . 14 2.4.1 Host-basedpro edures . . . 15 2.4.2 Network-basedpro edures . . . 15 3 Study of Botnets 17 3.1 Trojandetails . . . 18 3.1.1 Kazy. . . 18 3.2 Botnetsdetails . . . 19 3.2.1 Grum . . . 19

3.2.2 Cutwail . . . 19 3.2.3 Bobax . . . 20 3.2.4 Lethi . . . 20 3.3 AnalysisMethodology . . . 21 4 Experimental results 23 4.1 Grum . . . 26 4.1.1 Generalanalysis . . . 26 4.1.2 High-LevelAnalysis . . . 26 4.1.3 Low-LevelAnalysis . . . 34 4.2 Cutwail . . . 36 4.2.1 Generalanalysis . . . 36 4.2.2 High-LevelAnalysis . . . 37 4.2.3 Low-LevelAnalysis . . . 50 4.3 Bobax . . . 53 4.3.1 Generalanalysis . . . 53 4.3.2 High-LevelAnalysis . . . 53 4.3.3 Low-LevelAnalysis . . . 61 4.4 Lethi . . . 63 4.4.1 Generalanalysis . . . 63 4.4.2 High-LevelAnalysis . . . 63 4.4.3 Low-LevelAnalysis . . . 70 4.5 Kazy . . . 72 4.5.1 Generalanalysis . . . 72 4.5.2 High-LevelAnalysis . . . 73 4.5.3 Low-LevelAnalysis . . . 86 5 Con lusions 89 5.1 Final on lusions . . . 89 5.2 FutureWork . . . 89

2.1 Classi exampleofthepropagationofaBotnet . . . 4

2.2 Ar hite tureofa ommonDDoSatta k . . . 5

2.3 BotnetandBotLife y le . . . 6

2.4 IRCBotnetpropagation . . . 9

2.5 C&Cme hanismsusedbyBotnetfamiliesa ordingtothenumberofunique omputers that reportdete tions . . . 10

2.6 P2PBotnetpropagation . . . 11

2.7 HTTPBotnetpropagation. . . 12

4.1 TCPSessionEstablishmentdiagram . . . 24

4.2 Proto ols(Upload),Grum Botnet . . . 27

4.3 Proto ols(Download),Grum Botnet . . . 27

4.4 Pa kets perhour,GrumBotnet . . . 28

4.5 Pa kets perminute,Grum Botnet . . . 28

4.6 Sample ofpa ketsperminute,GrumBotnet. . . 29

4.7 Amountoftra perhour,GrumBotnet . . . 29

4.8 Amountoftra perminute,Grum Botnet . . . 30

4.9 Sample ofamountoftra perminute,GrumBotnet . . . 30

4.10 Unique peers perhour,GrumBotnet. . . 31

4.11 TCPSessionEstablishment(Outbound),GrumBotnet . . . 31

4.12 TCPSessionEstablishment(Inbound), GrumBotnet . . . 32

4.13 WorldMap,GrumBotnet . . . 33

4.14 S alogram,GrumBotnet . . . 34

4.15 Energy Mean,GrumBotnet . . . 34

4.16 Energy Varian e,Grum Botnet . . . 35

4.17 Proto ols(Upload),CutwailBotnet . . . 37

4.18 Proto ols(Upload),CutwailBotnet(2ndCapture) . . . 37

4.19 Proto ols(Download),CutwailBotnet . . . 38

4.20 Proto ols(Download),CutwailBotnet(2ndCapture) . . . 38

4.21 Pa kets perhour,CutwailBotnet . . . 39

4.22 Pa kets perhour,CutwailBotnet(2ndCapture). . . 40

4.23 Pa kets perminute,CutwailBotnet . . . 40

4.24 Pa kets perminute,CutwailBotnet(2ndCapture) . . . 41

4.26 Sampleofpa ketsperminute,CutwailBotnet(2ndCapture) . . . 42

4.27 Amountoftra perhour,CutwailBotnet . . . 42

4.28 Amountoftra perhour,CutwailBotnet(2ndCapture) . . . 43

4.29 Amountoftra perminute,CutwailBotnet . . . 43

4.30 Amountoftra perminute,CutwailBotnet(2ndCapture) . . . 44

4.31 Sampleofamountoftra perminute,CutwailBotnet . . . 44

4.32 Sampleofamountoftra perminute,CutwailBotnet(2ndCapture) . . . 45

4.33 Unique peersperhour,CutwailBotnet. . . 45

4.34 Unique peersperhour,CutwailBotnet(2ndCapture). . . 46

4.35 TCPSessionEstablishment(Outbound), CutwailBotnet . . . 46

4.36 TCPSessionEstablishment(Outbound), CutwailBotnet(2ndCapture) . . . 47

4.37 TCPSessionEstablishment(Inbound),CutwailBotnet . . . 47

4.38 TCPSessionEstablishment(Inbound),CutwailBotnet(2ndCapture) . . . 48

4.39 WorldMap,CutwailBotnet . . . 48

4.40 WorldMap,CutwailBotnet(2ndCapture) . . . 49

4.41 S alogram,CutwailBotnet . . . 50

4.42 S alogram,CutwailBotnet(2ndCapture) . . . 50

4.43 EnergyMean, CutwailBotnet . . . 51

4.44 EnergyMean, CutwailBotnet(2ndCapture). . . 51

4.45 EnergyVarian e,CutwailBotnet . . . 52

4.46 EnergyVarian e,CutwailBotnet(2ndCapture) . . . 52

4.47 Proto ols(Upload),BobaxBotnet. . . 53

4.48 Proto ols(Download),BobaxBotnet . . . 54

4.49 Pa ketsperhour,BobaxBotnet . . . 54

4.50 Pa ketsperminute,BobaxBotnet . . . 55

4.51 Sampleofpa ketsperminute,BobaxBotnet . . . 55

4.52 Amountoftra perhour,BobaxBotnet . . . 56

4.53 Amountoftra perminute,BobaxBotnet. . . 56

4.54 Sampleofamountoftra perminute,BobaxBotnet . . . 57

4.55 Unique peersperhour,BobaxBotnet . . . 57

4.56 TCPSessionEstablishment(Outbound), BobaxBotnet. . . 58

4.57 TCPSessionEstablishment(Inbound),BobaxBotnet . . . 58

4.58 WorldMap,BobaxBotnet. . . 59

4.59 WorldMap,BobaxBotnet(OutboundConne tions). . . 60

4.60 S alogram,BobaxBotnet . . . 61

4.61 EnergyMean, BobaxBotnet . . . 61

4.62 EnergyVarian e,BobaxBotnet. . . 62

4.63 Proto ols(Upload),Lethi Botnet . . . 63

4.64 Proto ols(Download),Lethi Botnet . . . 64

4.65 Pa ketsperhour,Lethi Botnet. . . 64

4.66 Pa ketsperminute,Lethi Botnet . . . 65

4.69 Amountoftra perminute,Lethi Botnet . . . 66

4.70 Sample ofamountoftra perminute,Lethi Botnet . . . 67

4.71 Unique peersperhour,Lethi Botnet . . . 67

4.72 TCPSessionEstablishment(Outbound),Lethi Botnet . . . 68

4.73 TCPSessionEstablishment(Inbound), Lethi Botnet . . . 68

4.74 WorldMap,Lethi Botnet. . . 69

4.75 Lethi ,BobaxBotnet . . . 70

4.76 Energy Mean,Lethi Botnet. . . 70

4.77 Energy Varian e,Lethi Botnet . . . 71

4.78 Proto ols(Download),KazyBotnet . . . 73

4.79 Proto ols(Download),KazyBotnet(2ndCapture) . . . 73

4.80 Proto ols(Upload),KazyBotnet . . . 74

4.81 Proto ols(Upload),KazyBotnet(2ndCapture) . . . 74

4.82 Pa kets perhour,KazyBotnet . . . 75

4.83 Pa kets perhour,KazyBotnet(2ndCapture) . . . 75

4.84 Pa kets perminute,KazyBotnet . . . 76

4.85 Pa kets perminute,KazyBotnet(2ndCapture) . . . 76

4.86 Sample ofpa ketsperminute,KazyBotnet . . . 77

4.87 Sample ofpa ketsperminute,KazyBotnet(2ndCapture) . . . 77

4.88 Amountoftra perhour,KazyBotnet . . . 78

4.89 Amountoftra perhour,KazyBotnet(2ndCapture). . . 78

4.90 Amountoftra perminute,KazyBotnet . . . 79

4.91 Amountoftra perminute,KazyBotnet(2ndCapture) . . . 79

4.92 Sample ofamountoftra perminute,KazyBotnet . . . 80

4.93 Sample ofamountoftra perminute,KazyBotnet(2ndCapture). . . 80

4.94 Unique peers perhour,KazyBotnet . . . 81

4.95 Unique peers perhour,KazyBotnet(2ndCapture) . . . 81

4.96 TCPSessionEstablishment(Outbound),KazyBotnet . . . 82

4.97 TCPSessionEstablishment(Outbound),KazyBotnet(2ndCapture) . . . 82

4.98 TCPSessionEstablishment(Inbound), KazyBotnet . . . 83

4.99 TCPSessionEstablishment(Inbound), KazyBotnet(2ndCapture) . . . 83

4.100WorldMap,KazyBotnet . . . 84

4.101WorldMap,KazyBotnet(2ndCapture) . . . 84

4.102WorldMap,KazyBotnet(2ndCapture,OutboundConne tions) . . . 85

4.103S alogram,KazyBotnet . . . 86

4.104S alogram,KazyBotnet(2ndCapture) . . . 86

4.105EnergyMean,KazyBotnet . . . 87

4.106EnergyMean,KazyBotnet(2ndCapture) . . . 87

2.1 Typesofbots . . . 7

3.1 TopBotnetsof2010 . . . 17

3.2 TopBotnetsofJune2011 . . . 18

AV Antivirus Bot Robot

Botnet Network ofBots CC CommandandControl

CERT ComputerEmergen yResponseTeam DCC Dire tClient-to-Client

DDoS DistributedDenialofServi e Atta ks DNS DomainNameSystem

DoS DenialofServi e FTP FileTransferProto ol GPL GeneralPubli Li ense GT GlobalThreat

HTTP HypertextTransferProto ol ICMP InternetControlMessageProto ol IP InternetProto ol

IRC InternetRelayChat ISP InternetServi eProvider mIRC multipleIRC

MX MailEx hange

NBNS NetBIOSNameServi e NBSS NetBIOSSessionServi e P2P Peer-to-Peer

SIP SessionInitiationProto ol SMB ServerMessageBlo k

SMTP SimpleMailTransferProto ol

SNMP SimpleNetworkManagementProto ol SOCKS So kets

SSH Se ure Shell

TCP TransmissionControlProto ol UDP UserDatagramProto ol VM VirtualMa hine

Introdu tion

Inthelast de ade,te hnology ompletely revolutionized ourworld. Internetbe ameapriorityneed onpeopleslives. Whatusedtobesomewhatofaluxury,tobe onstantly onne tedtotheInternet,is now ommonandpeople onne tusingdierenttypesofterminals,like omputers,phonesortablets. With this growth, se urity dangers startedto be ome moreand more important,as happens in manyothertypesofa tivities. Ha kersstarteddevelopingmore omplexviruses,takingadvantageof thesystemsaws.

Whatusedtobeaquestionofpersonalre ognition,gotto apointwhereha kersuseNetworksof Bots(Botnets)to renttheresour esofinfe tedma hinesin ordertoobtainhigherprots.

Botnets are one of the main problems of the Internet nowadays. Largest Botnets have sizable proportions, and their main obje tiveis to obtain private information from the infe ted ma hines, alsoreferredtoasrobots(bots).

Botnets an then bedes ribedasa set ofinfe ted ma hines that remotely ontrolled by amain entity, alled aBotmaster. The Botmasteris responsiblefor the a tions performed by theinfe ted ma hines,whi husuallymeansinfe tingmorema hines fortheBotnet.

BotnetsrelyonCommandandControl(C&C)servers. This ommuni ationismandatorybefore remoteatta ks anbemade.

InordertostudyBotnets,wehavetode idewhi happroa htofollow. Forinstan e,we anstudy theC&Cserversandtheira tivity,thesour e odeoftheBotnetorevenanalyseitsbehaviour. This iswheretheresear h forthisdissertationwasfo usedon. Using ama hinewith thesolepurpose of gettinginfe ted,wewereableto observevariousatta ksandrealizehowtheybehave.

Majoreortsarebeingmadeeverywhere,someofthemsu essfully,todismantlethemost impor-tantBotnetsthathavebeendete tedaroundtheInternet. However,existingBotnetsare ontinuously evolvingandnewthreatsarealwaysappearing.

1.1 Obje tives

Themain obje tive of this dissertation is to developa dete tion me hanism that anhelp prevent Botnetsinfe tions. Inorder toa hievethis goal,itisne essaryto havea ompleteknowledgeofthe Botnetsa tivitiesandbehaviours. Thisknowledge anonlybeobtainedbyperformingananalysisof thetra owsgenerated bytheidentiedBotnets.

So,themain obje tivesofthisdissertationare: ˆ Chara terizethedierenttypesofexistingBotnets ˆ Identifythemost ommonbehavioursofexistingBotnets

ˆ Des ribeindetailtheBotnetsthatweresele tedforfurtherstudy ˆ Installthesele tedBotnets

ˆ Analysethetra generatedbytheinstalledBotnetsintheinfe tedma hine ˆ Chara terizethebehaviourofthestudiedBotnets

1.2 Motivation

Currently,itisbelievedthataround25%ofall omputers worldwideareinfe ted. Despitetheeorts that havebeenmadetodismantleallBotnets,themain goalin thisareaistodismantleat leastthe biggestones,although therearehundredsofthem.

The main obje tive of this dissertation is to study, analyse and understand how spam Botnets work, in order to identify dierentiating hara teristi s that an be used to dete t their a tivity. Hopefully, ea h spam Botnet an present a hara teristi behaviour pattern that an be used to dierentiateitfromotherse uritythreats. However,amongthedierentoptionsthat anbeusedto study Botnets,installing appropriatebotsand apturing thegenerated tra seemsto bethe most reliablemethodology,asitwillbeexplainedlatter.

1.3 Dissertation Stru ture Thisdissertationhasthefollowingstru ture:

ˆ ChaptertwopresentstheBotnetsstateoftheart. ItwillexplainthedierenttypesofBotnets, theirevolution,their ommonbehaviours,aswellasthedete tionte hniquesthatare urrently used.

ˆ Chapterthreewilldis ussindetailthedierentBotnetsthatwere hosenforanalysis,explaining whytheywere hosenandhowwillbetheanalysispro ess.

ˆ In hapterfour, wewill startbypresentingtheresultstakenfrom the apturesofthedierent Botnets,makingalsohighandlowlevelanalysisoftheobtainedresults.

ˆ Thelast hapter will present the main on lusions about the developed work. Besides, some guidelinesforfutureresear hworkinthissubje twillalsobegiven,spe iallyregardingpossible

State of the Art

2.1 Introdu tion

This hapter presents an overview of Botnets, their evolution and lassi ation, as well as their behavioursandthete hniquesthatareusedtodete tthem.

The term Botnet is ommonly used to spe ify aset of automated software robots that exe ute instru tionswithout humanintervention. Their intentions are mali ious and endanger the se urity and safetyof the Internet, soit is mandatory to build dete tionme hanismsthat an help disrupt thisthreat.

Theremainingse tionsofthis hapterare organizedasfollows. Se tion 2.2,givesanoverviewof thedierenttypesofBotnets,alsodis ussingtheirevolution. Se tion2.3presentsthedierentBotnets lassi ationsandtheir ommonbehaviours. Finally,Se tion2.4, dis ussesthemainte hniquesthat areused todete tBotnets.

2.2 Overview and evolution

Aspreviouslysaid,Botnetsareare urrentthemenowadays. Theyhavebe omethebiggestthreatin theInternetatthismoment.

Originally, Botnets were developed asatool forInternet RelayChat (IRC) hannels. However, duetothevulnerabilitiesofthe lients,exploitsstartedtoappear,somewherearoundtheyear2000. Aftersometime,ha kersrealizedthepotentialgainthey ouldgetbyusingBotnets.

As Internet usersbegan to trade and arry on bankingoperations online thenature of malware shiftedfromdisruptingservi etoexploitingthesete hnologiesfornan ialgain. Malwaremaybeused to stealsensitive information,su h as redit ard numbers,so ialse uritynumbers,and passwords. It thensends the harvested information to abotmaster, whi h mayuse the information forfurther atta ksormaysellittoother riminals. Inturn,these riminalsmayusetheinformationfornefarious a tivitiesin ludingidentitytheft[1 ℄.

Andaswewillsee furtherahead, nowadaystheprimarymotivationforoperatingaBotnetisthe in omethat anbeearnedfromspammail. FerrisResear h[2℄ laimsthatemailspam ostsbusinesses over¿95milliardsperyearworldwide.

Anotherpopularsour eof in omefor online riminals is theinstallation ofadvertising software, knownasadware,onvi timsystems. Manyadwaresoftware ompaniesoermonetaryin entivesfor installingtheirsoftware[3℄. Phishings hemesarealsoamajorrevenuegeneratorforBotnetoperators. Thus, whatused tobeaquestionofreputation, soonbe ameaquestionof nan ialprots. The moneythat anbeobtaineddependsonthenumberofinfe tedma hines. Resour esfromtheinfe ted ma hines anberentedouttothehighestbidder,forvariouspurposes. So,itbe omeseasytorealize that thebiggertheBotnetis,themoremoneyistheretobemade.

We an laim that Botnetsare mainly used forspamming, Denialof Servi e(DoS) atta ks,data theft, aswellasother rimesthat willbeexplainedlaterinthisdissertation.

Regardingtheirbehaviour, atthebeginningof theBotnetsa tivity,infe ted ma hinesgenerated massivetra ,butduetotheappearan eofdete tionme hanisms,thatwillbedis ussedlaterinthis dissertation, they haveadapted themselves and be ame moreintelligent. Infe ted ma hines started to generatelesstra in ordertominimizetheprobabilityofbeingdete ted.

AgeneraloverviewoftheBotnetpropagationpro ess anbeseeninthepi turebelow.

Figure2.1: Classi exampleofthepropagationof aBotnet[4℄

Likeithasbeenpointedout,Botnetssendinstru tionstoinfe tedma hines,whi hthensendthe sameinstru tionstootherinfe tedma hines,mainlythroughtheIRCproto ol. There ipeofaBotnet is usuallyaserveranda lientprogram,and theprogramthat isinstalledin theinfe ted ma hines. Usually,thesethree entities ommuni atebetweenthemand anevenen ryptthe ommuni ationin orderto remainundete ted ortoavoidintrusionintotheBotnet ontrolnetwork[5℄.

Botnetshavea majorupside, theyare veryee tive performing tasks that would beimpossible with asingle omputer, asingleInternetProto ol (IP)addressorevenasingleInternet onne tion. BotnetswereintensivelyusedtoperformDistributedDenialofServi eAtta ks(DDoS)(Figure2.2),

Figure2.2: Ar hite tureofa ommonDDoSatta k[7℄

Inorderto betterunderstandBotnets,it isimportantto saysomethingaboutthedimensionsof Botnetsnowadays. A ording to [8℄, thetop Botnets at the end of 2010, regarding the per entage of spam, are Rusto k, Grum and Cutwail. Rusto k wasresponsible for 47.5% of spam sent in the Internet. Its size was estimated to be between1.1and 1.7 millionof infe ted omputers. Themain infe ted ountry was the United States of Ameri a. However, in Mar h 2011, in a joint task for e betweenPzer,theUniversityofWashington,FireEye,severalInternetServi eProviders(ISP's)and ComputerEmergen yResponseTeams(CERT)aroundtheworld,Mi rosoftwasabletotakeRusto k down. Grum andCutwailnumbersare relativelysmall, when ompared to Rusto k, with8.5%and 6.3%respe tively. Theirsizeswereestimatedtobebetween310and470thousandinfe tions,regarding Grum,andbetween560to840thousandinfe tionsforCutwail. Themaininfe ted ountriesareRussia andIndia,respe tively.

ThesetopthreeBotnetswereresponsibleforatotal57.9milliardsofspammailsperday. It wasexpe ted, that with thetakedown ofRusto k, these numberswouldgo down drasti ally, onsideringits size. Even a ording to [9℄, despitethe topBotnet(Cutwail) wasonly responsible for 16.1%of the spamreported, andwith an estimated size from 800thousandto 1.2 millionsinfe ted ma hines, onstrasting Rusto k's 47.5% and 1.1 million to 1.7 million users, the numbers did not hange as expe ted. In detail, the overall per entage of spam only dropped from 77% to 76.6%, however,thenumberofspammails perdaywentfromapproximately71milliardsto45milliards. It isimportanttomentionthatonthe2010report,fromthegrandtotalof71milliardsspammailsper day,Rusto kwasresponsiblefor45milliards.

2.3 Botnets Classi ation and Behaviours

Botnetsexhibitsome hara teristi sin their ommuni ationme hanismswiththe ontrolserverthat givesustheopportunityto distinguishthem, simplybyanalysingtheirbehaviour.

However,Botnetspresentageneral ommonbehaviourthatisshownin thefollowingpi ture.

Figure2.3: BotnetandBotLife y le[10℄

Therehasbeenanevolutionin the network stru turetopologiesthat areused, liketheresortto P2Pte hnologies. So,Botnets hara terizationshouldalso onsiderthegeneratednetworktra and

In[12℄,thedierenttypesofbotswereidentiedandlisted. Nexttablepresentsthat list.

Types Features

Agobot Theyaresoprevalentthatover500variantsexist inthe PhatBot Internettoday. Agobot istheonlybotthat anuseother ontrol

Forbot proto olsbesidesIRC[13℄. Itoersvariousapproa hestohide Xtrembot botsonthe ompromisedhosts,in ludingNTFSAlternateData

Stream,Polymorphi En ryptorEngineandAntivirusKiller[14℄. SDBot SDBotisthebasisoftheotherthree botsand probably

RBot manymore[13℄. DierentfromAgobot, its odeis UrBot un learandonlyhaslimitedfun tions. Evenso,this UrXBot groupofbots isstillwidelyusedintheInternet[14℄.

SpyBot Therearehundredsof variantsofSpyBot NetBIOS nowadays[15℄. MostoftheirC2frameworks

Kuang appeartobesharedwithorevolvedfrom Netdevil SDBot[15℄. Butitdoesnotprovidea ountabilityor

KaZaa on ealtheirmali iouspurposein odebase[15℄. mIRC-based GT(GlobalThreat)bot ismIRC-basedbot. Itenablesa

GT-Bots mIRC hat- lientbasedonasetofbinaries(mainlyDLLs) ands ripts[14℄. Itoftenhides theappli ationwindowin ompromisedhoststomakemIRCinvisibletotheuser[13℄. DSNXBots TheDSNX(DataSpyNetworkX)bot hasa onvenient

plug-ininterfa eforaddinganewfun tion[14℄. Albeitthedefault versiondoesnotmeettherequirement ofspreaders,plugins anhelpto addressthisproblem[13℄. Q8Bots ItisdesignedforUnix/LinuxOSwiththe ommonfeatures

ofabot, su hasdynami HTTPupdating,various exe utionofarbitrary ommandsandsoforth[13℄.

Kaiten It isquitesimilartoQ8Botsduetothesameruntimeenvironment andla kingofspreaderaswell. Kaitenhasaneasyremoteshell, thusitis onvenientto he kfurthervulnerabilitiesviaIRC[13℄. Perl-based Manyvariantswritten inPerlnowadays[13℄. Theyareso

bots smallthatonlyhaveafewhundredlines ofthebots ode[13℄. Thus,limitedfundamental ommandsareavailableforatta ks,

espe iallyforDDoS-atta ksin Unix-basedsystems[3℄. Table2.1: Typesofbots

Consideringtheprevioustable,itisimportanttodetailsomeofthemosttypi albots.

2.3.1 Most ommon bots 2.3.1.1 Agobot

Thisparti ularbotwasprogrammedinC/C++[13℄. A ordingto[13℄,itissofartheonlybotthat resortstoa ontrolproto olthatusestheIRC hannel[13℄. Be auseofitsimplementation,atta kers anvery easily adapt Agobot to their purposes, due to the possibility of adding new fun tions in therelated lasses[13℄. There are also various IRC ommands that anbe used to olle t sensitive information[15℄. As an example, a bot anbe instru ted to do someoperations[15℄. Besides that, Agobot is also able to se ure the system, through the losure of NetBIOS shares[15℄. Agobot has several ommandsto ontroltheinfe tedma hine,whi h anberelatedforexampletomanagingall thepro essesor managing autostart programs[15℄. Agobot also hasvarious features, asit hasbeen

ˆ ItisIRC-basedC/C++framework, ˆ It anlaun hDoSatta ks,

ˆ It anatta kalargenumberoftargets,

ˆ Itallowsthe olle tionof sensitiveinformationthroughtra sning,

ˆ Hasthe possibility to avoid dete tion by Antivirus (AV) software, by xing vulnerabilities or even losinga esstoAVwebsites[13℄,

ˆ Candete tvirtualma hinesandavoiddisassembly[13,15℄.

Tolookforanewpossiblevi tim,Agobotjustneedstos ananetworkrange[15℄. Onthedisadvantages side,itisnotabletodistributetargetsamongagroupofbotsasawholeee tively,duetoits ommand set limitations[12,15℄.

2.3.1.2 SDBot

SDBot'ssour e odeis small, around2500lines, but its ommand setresemblesAgobot[13, 15℄and it is published under General Publi Li ense (GPL)[13, 15℄. Even though this bot does not have the apabilityto propagateand hasonly afewfun tions, itis still appealing due to theirabilityto implement new ommands[15℄. SDBot has, however, someveryown IRC fun tions, su h as spying and loning[11℄. Thespyingmethodbasi allyre ordsthea tivitiesofa hannelonalogle[15℄. The loningmethodreferstotheabilityofthebottorepeata onne tiontoone hannel[15℄. In[13℄,itis believedthatthis bot maybethemosta tivebot aroundtheworld.

Thisbotrelies onanIRCimplementation[15℄. Inorderto establish onta twiththeIRCserver, itsendsidentityinformation,andifitgetsaPINGmessage,itwilla knowledgeitwithaPONG[15℄. Assuming the onne tion has been established, it is possible to request a hostname by using the USERHOST message, and after that, join a hannel resorting to the JOIN message[15℄. On e the response odehasbeenre eived,theBotmaster an ontrolitthroughIRC ommands[15℄.

SDBot hasthe ability to target new vi tims easily, due to its s anning tools[15℄. As an exam-ple presented on [15℄, by using the NetBIOS s anner it an sele t a random target that is in an IP range[15℄. The SDBot is apable to send Internet Control Message Proto ol(ICMP) and User DatagramProto ol(UDP) pa kets,whi h anbeusedforoodingatta ks[15℄.

2.3.1.3 SpyBot

SpyBotisa bot written in C, relativelysmall aswell,with nearly 3000 lines, that iswidely spread, with variousversionsnowadays[15℄. In[15℄, theauthors onsiderSpyBotan enhan edversionof the SDBot. It has, like SDBot, the s anning ability, host ontrolling fun tions, aswell as modules for DDoSatta ksandoodingatta ks[15℄. Thehost ontrolling apabilities areverysimilarto thoseof Agobot's[15℄. However,SpyBotdoesnotprovidethesamepossibilitiesasAgobot,whi hstillmakeit

2.3.1.4 GT Bot

This last bot, Global Threat (GT) Bot, also known asAristotles, supposedly stands for all mIRC-basedbotsthathaveseveralvariantsandaremainly usedfortheWindowsoperatingsystem[13,15℄. It has some more general apabilities like IRC host ontrol, DoS atta ks, port s anning, or even NetBIOS/RemotePro edureCall(RPC)exploiting. GTBotalsohasafewsetofbinariesands ripts formIRC[13, 15℄. It is importantto referthebinaryHideWindowprogram,whi hallowsthemIRC instan etoremaininvisiblefromtheuser[13,15℄. ThebinariesareusuallynamedasmIRC.exe,but they anhavedierent apabilities[15℄. When ompared to otherbots, GTBothas alimited set of ommandsforhost ontrol,only apableofgettinglo alsysteminformationandrunningordeleting lo alles[15℄.

Botnets analsobe lassieda ordingtotheproto olthatisusedfortheir ommandand ontrol operations: HypertextTransferProto ol(HTTP),Peer-to-Peer(P2P)orIRC.Althoughthis disserta-tionismainlyfo usedonHTTPBotnets,morespe i allyontheonesdedi atedtospamming,allof themwillbepresentedanddis ussedin thenextsubse tions.

2.3.2 Types of Botnets 2.3.2.1 IRC Botnets

IRCisaproto olused byInternetusersforinstantmessaging. It isbasedonaClient/Server(C/S) model, butit isalso suitedfor distributedenvironments[16℄. Usually,IRCseversare inter onne ted andex hange messagesbetweenthem[16℄. It ispossiblethatonema hine onne tswithhundredsof lientsthroughmultipleservers. ThemultipleIRC(mIRC)isamore omplex ommuni ation ontext, where ommuni ationsbetween the lients and the server are based on several spe i hannels to whi h lientsare onne ted. Theavailablefun tionsofIRCbasedbotsin ludemanaginga esslists, movingles,sharing lients,orevensharing hannelinformation[16℄.

IRCBotnetsweretherst toappear,but theylostsomerelevan eoverthelast years. However, they still exist and IRC is still the most ommon C&C me hanism used by bots. A ording to Mi rosoft, in these ond quarter of 2010, thenumberof omputers that reportedBotnets dete tion followthedistributionthatisshownin thenextgure.

Figure 2.5: C&Cme hanismsused byBotnetfamiliesa ordingtothenumberofunique omputers that reportdete tions[18℄

Ma hinesinfe tedbyIRCBotnetsareinstru tedto onne ttoanIRCserveranda hannel,where theywaitforfurtherinstru tions,usuallyintheformofpersonalizedtextmessages. Obviously,some havebe omemoresophisti ated,to preventdete tion,en rypting thebot ommandsin the hannel topi . This anbequite omplex,as they aninstru tdierentsubsetsofbotstododierenttasks. The riteria that is usually used relies on the Country, network lo ation, the uptime of the bot, bandwidthavailable,amongothers.

On[14℄,thefourstagesoftheatta ker'soperationsaredes ribed, asfollows:

1. TheCreationStage,wheretheha ker anaddmali ious odeormodifyanalreadyexistingone ofthemany ongurablebotsovertheInternet[14℄.

2. TheCongurationStageiswheretheIRCserverand hannelinformation anbe olle ted[14℄. Whilethe bot is in the vi tim's omputer, it onne ts automati ally to the sele tedhost[14℄. Then,theha ker anrestri tthea essandse urethe hanneltothebotsforbusinessorsome otherpurpose[14℄. Asanexample,theha ker anlistitsbotstoauthorizedusers,whointurn,

3. In the Infe tion Stage, bots are propagated by various dire t and indire t means[14℄. Dire t te hniquestake advantage of vulnerabilities on servi es or operating systems and are usually asso iated withtheuseof viruses[14℄. Whilethesystemsare ompromised,theykeeprunning theinfe tionpro ess,savingthetimeoftheha kertoaddnewvi tims[14℄. Themostvulnerable systemis Mi rosoftWindows, morespe i ally Windows2000 andXP, sin e theatta ker an tra k,withoutmu heort,unpat hedorunse uredusers[14℄. Indire tapproa hesresorttothe useofotherprogramsasaproxytospreadthebots, orin otherwords,theyuseDire t Client-to-Client(DCC)leex hangetodistribute malwareonIRCnetworksto vulnerablehosts[14℄. 4. Thelast operation, theControlStage, is wherethe atta keris ableto send instru tionsto its

botsthroughtheIRC hannel,usuallyto performsomemali ioustasks.

2.3.2.2 P2PBotnets

P2P Botnets started somewherearound the year 2003. They are more popular now, but they are notthefavourite me hanismusedbybots. Mainly,theywere reatedtoavoidbeingshutdown,like happenedtoothertypesofBotnets. SomeP2PBotnetsuseme hanismsthatderivefromopensour e P2Pimplementations(e.g. Kademlia),whileothers(e.g. Waleda ),havetheirownimplementation.

Atypi alP2PBotnet anbeobservedinthenextgure.

Figure2.6: P2PBotnetpropagation[19℄

P2PBotnetsarestillhardtostudy,sin ethereismu hlessinformationfromtheseBotnetswhen omparedtoHTTPorIRCBotnets. TherstwormrelatedtoP2PwasSlapper[20℄,whi hinfe tedthe Linuxoperatingsystemba kintheyearof2002,resortingtoDoSatta ks. Usinghypotheti al lients, thiswormsent ommandsto ompromisedma hines,inordertore eiveresponsesfromthem[20℄. Due tothis, itslo ationon thenetwork ouldremainanonymous,so itwasveryhard tomonitor[20℄. In 2003,anotherP2P-basedbot,DubbedSinit,waslaun hed[21℄. Thisbotusedpubli key ryptography to update authenti ation. PhatBot, whi h hasalready been mentioned, appeared in 2004. Using a

Storm Worm is probably, a ording to[22℄, the most spread P2P bot on the Internet. On [23℄, theauthorsanalysedthebotwithdierentdete tionme hanisms,anddevelopedsomete hniquesto disruptP2P-basedBotnets ommuni ations,likepollutingtheleore lipsing ontents.

P2P-based bots are not a major on ern, sin e they are not well developed yet and still have manyfragilities. HybridorMixedP2Pnetworks,theonesthathavea entralserveroralistofpeers that anbe onta tedto addanewpeer, stillhaveasinglepointoffailure forthistypeof Botnets. However,in[24℄,anhybridP2PBotnetwaspresentedwiththeabilitytoover omethisfault.

This ar hite ture allows an atta kerto inje t ommands to any host of the Botnet. The hosts onne t periodi allyto their neighboursin order to olle torders that havebeen givenby his om-mander. When a ommand is issued, the hostwill forwardit to nearby bots. The features of this ar hite turearedes ribedasfollows[24℄,

1. Itdoesnotrequireabootstrappro edure

2. Onlysomebots(nearthe apturedone) anbeexposed

3. EaseofmanagementoftheentireBotnetwithasingle ommand

Eventhoughin[24℄theauthorsproposevarious ountermeasurestopreventthistypeofBotnetatta k, thisar hite turestillneedsfurtherresear h,aswellasnewpreventionmethods[10℄.

2.3.2.3 HTTP Botnets

HTTPBotnetsaretheperfe texampleoftheBotnetsevolution. IRCBotnetsstartedbeingdete ted and shutdown, soha kersfelttheurge toadapt andevolve. Now,IRCBotnetsaremu hharderto dete t,be ausetheyareeasily amouagedundertheHTTPproto ol.

HTTP Botnetsaremainly dedi ated to sending spammail and data theft. The biggestBotnets dedi atedtodatatheftareZeusandSpyEye.

HTTPBotnetsareamajorthreatfortheInternet. Thevolumeof spammailhasrea hed astro-nomi values,whi hendangertheInternetworldwide.

As previously dis ussed, ha kers rent out their bots to third parties, but they also use it for themselves,toinfe tmorema hines,thusin reasingthesize oftheirBotnet.

Itisimportanttomentionthateveryinfe tedma hineisbeingmonitoredbytheBotmaster. The Botnetisusually partitioned into subse tions,so they anbe ontrolled separately. This allowsthe botownertosele twhi hpartstorentortopreventa esstovaluablepartsoftheBotnetwithouthis permission. After anegotiationbetweenthebot ownerandthethird party,thebot ownerinstru ts ma hinestostartaproxyserver,andusuallyprovidesa esstoawebpagethathastheIP addresses andports ofthebots thatarepartofthedeal. These bots thenbe omepropertyof thespammer. AndanunawareusermaybeintheBotnetindeterminately,sin eeverytimethereisa hangeinthe IP addressorin the proxyserverport, the infe tedma hine informsitsC&C server, whi h in turn alertsthespammerwiththeupdates.

ThebiggestHTTPBotnetsdedi atedtospamare,a ordingto[8℄,Rusto k,Grum,andCutwail. Rusto kwasshutdowninMar h,soitwasnotusedin thisdissertation.

As it hasbeentold before, ha kershaveseveral mali iousintents. Mainly, Botnetsare used for either nan ial and destru tion purposes[26℄. There are several types of ommon atta ks, whi h in lude DDoS atta ks, spamming, sning tra , spreading new malware, installing advertisement Add-ons andBrowserHelperObje tsorevenatta kingIRCChat Networks[12℄.

Abriefexplanationonea honeofthese subje tsisgivenin thenextparagraphs.

DDoSnetwork atta ks auselossofservi eto users,whi h usuallymeanslosingnetwork onne -tivityandservi es, onsumingtheavailablenetworkbandwidthorevenoverloadingthe omputational resour esoftheuserssystems[12℄.

Spamming relates to bots that have the apabilities to open So kets(SOCKS) proxies on the infe ted ma hines. After aproxy is enabled, usually the ma hine starts relaying spam or phishing email[12℄.

Sning tra is the ability to use a pa ket snier in order to observe data from an infe ted ma hine. Itisusuallyusedto stealprivateinformation,likeusernamesandpasswords[12℄.

SpreadingnewmalwarereferstoBotnetsthatareusedtolaun hnewbotsand/ormalware. This anbeeasilydone,asallbotsimplementdownloadme hanismsandexe utelesusingHTTPorFile TransferProto ol(FTP). Somebots anevenbehaveasserversformalware[12℄.

InstallingadvertisementAdd-onsandBrowserHelperObje tsmeanstheassemblyof amali ious website,with someadvertisements,signing up ontra tswith ompaniesthat oer moneyfor li ks onadvertisements. In this way, the reator of the website an get somein ome. This method an be automated,where the li ks areperformedby severalbots li kingon theadvertisements[12℄. It anbeeasilyunderstoodthat thesea tions anprovidesigni antnan ialprots. Thisis learlya

Finally, atta kson IRCChat Networks are the ones where the network of the infe ted ma hine is oodedby servi erequestsfrom severalbots orbyseveral hannel-joinrequestsissued byvarious bots. Thisusually ausesthenetwork togodown,whi hisverysimilartoaDDoSatta k[12℄.

In order to end this se tion, I think it is important to mention some numbers that an give a real ideaoftheproblem thatwehaveonourhands. Theaverageglobalspam per entagewasequal to 89.1% in the yearof 2010, where 88.2% wasgenerated by Botnets[8℄. After Rusto k take down, thenumbersstartedtodrop,andin June2011,theglobalspamrateper entagewasequalto72.9%. Botnetswereresponsiblefor76.6%ofthat spam[9℄.

Asitwillbebetterexplainedinthenextse tion,itisurgenttodevelopbetterdete tionmethods andreliablewaystobringBotnetsdown. Failingtodosowillmakethetaskof ontrollingtheatta ks that wereexplainedbeforehardertoa hieve,due totheirgrowingpotential.

Wealreadyknowthemost ommon atta ksthat areperformedbyBotnets, soitis nowtime to betterunderstandthem, seehowtheybehave,analysethem,tryto ndpatternsandstartto reate ee tivete hniquestoshutBotnetsdown,in ordertopreventfurtherharm.

2.4 Dete tion Me hanisms

Sin eBotnetsareplayingakeyrole nowadays,theirdete tionme hanismsarein reasingin number andquality.

Referen e[12℄statesthatdueto thees alationoftheBotnets, omputerse urityexperts started to developways to dete t andmonitor their behaviour, in order to gatherinformation that anbe usefulin future resear h. Thistra kingapproa hgivesresear hersthepossibilitytoobservedire tly the mali ious a tivity on the Internet. It also gives resear hersinsight into the ha kerprole and motivations. Itisbelievedthatthisresear h anmitigatetheee ts orevendisruptBotnets.

However,theyalsopointoutthatthisisnotaneasytask. Theseatta ks anbevery omplexand anremainhiddenuntila ertain riteriaismet.

A ording toMattSergeant,senioranti-spamte hnologistfor MessageLabs Ltd.,evenaregular internet user antry to dete t ifhis omputeris infe ted. Hedefends that Botnets generatemu h more DomainName System(DNS) queriesthan normal, sousing atoollikeWireshark, this anbe easily investigated. He also points out that it is important to look out for Mail Ex hange (MX) lookups,aswellas.ru,. nand.infolookups. Thisusuallymeansthatthereisanattempttoestablish a onne tionbetweenthebotandtheC&Cserver.To on lude,thisspe ialist laimsthatthereisalso a possibilityto investigatethe unusual volumes of tra in anetwork,whi h usually aregenerated bytheinstru tionsgivenbytheBotmaster.

Therearehowever,moresophisti ateddete tionme hanisms. In[1℄,someBotnetdete tion me h-anisms areexplored. These approa hes anbe lassiedas

2.4.1 Host-based pro edures

Host-basedpro eduresrelyonthedete tionof possibleanomaliesonthelesystem.

One of the methods used to dete t these anomalies is AV software. Basi ally, ea h mali ious softwarerunningonthesystemhasasignature,andthissoftware anbeusedtodete tit.

This samesignatureis, however,the weak pointof themethod, be ause ha kers anmodify the sour e odeof thesignature that is allo atedto thebot. There is even thepossibilitythat the bot doesnothaveasignatureat all,sotheAVwillnotbeableto dete tit. So,it anbe on ludedthat thismethodisnotveryee tive.

Another approa h that must be onsidered is the dynami analysis of unknown software. This referstotheanalysisofthebehaviourofthesoftware. Onthedisadvantagessideofthisapproa h,we anmentionthatthesoftwareneedsto beinstalledoneverysystem,whi h generatessomeoverhead andmakesthesystemdegradein performan e.

Finally,it is importantto mentionthemethod that dete tsmodi ationsin theRegistryof Mi- rosoftWindows. Byanalysingthemalwarebinaries,itispossibleto obtainrelevantdataregarding IRC,su hastheusername,the hannel,theDNSoreventheIPaddresses.

Allthesearerea tiveapproa hes,asthey anonlybetreatedon ethe omputerhasbeeninfe ted.

2.4.2 Network-based pro edures

Network-based pro edures fo us on analysing the network tra , based on dete ted anomalies, to per eiveifitis ausedbyaBotnet.

The analysis an beperformed online, asthe tra is generated, orthe tra anbestored in ordertobeanalysedlater. Oneofthepro eduresmentionedistheVerti al orrelation,thatfo usthe dete tiononindividualorsinglebotinfe tions. Thesoftware he ksthenetworktra and ompares itwithpre astpatternsbetween ommuni ationsfrom theinfe ted omputerandtheC&Cserverto seeifthere isasimilarity,whi hwouldmeanthat the omputerisinfe ted. Thisapproa h,however, hasthe same limitationsas the previouslymentioned signature method, be ause the Botnettra annotbedete ted.

Another pro edure available is the Horizontal Correlation, whi h tries do dete t some infe ted omputers in the network. Network tra is analysed, sear hing for similarities that an be, for example,thesameC&Cserver. Thedisadvantageofthisapproa histhatdierentbotsinthesame network don'tshare anyrelationbetweenthem, sotheyremainunnoti edin thenetwork.

There is also an Anomaly dete tion pro edure. This pro edure tries to dete t anomalies in the networktra when omparedto ommontra . In[27℄,BinkleyandSinghstatethatoneinfe ted hostthat performs anetwork s an isnot ananomaly. However,if thereare manyhosts performing anetworks anandtheyarein thesameIRC hannel,thisphenomenonisanabnormality ompared tothe ommonnetworktra .

Another omparison that anbe madeis to he k theratio betweenthe numberof e-mailssent andre eived. Ifthisnumbershowsthatthere aremoree-mailssent,itusuallymeansthat thereisa spambotinfe tiontakingpla e.

Apro edure that analsobemade,spe i ally forIRCBotnets,is tomeasuretheIRCresponse time. Asmentionedin[28℄,ahuman an'trespondasqui klyasmali ioussoftware. So,by omparing

Study of Botnets

Asithasbeenper eivedbynow,thereisalotofworkthat anstillbedone. Thereare3majortypes of Botnets, and thousands of variantsinside them. This work ould be dire ted to many dierent ways,butitwillbefo usedonHTTPBotnets,morespe i allyonthevariantsdedi atedtosending spam. So,inordertoanalysethem,someresear hisneededinordertondthemostdangerousspam Botnets. Aftersomeresear h,wefoundthatthetop10Botnetsoftheyear2010aredes ribedin[8℄. So, a ordingto this report, the top 10Botnets of 2010, in terms of spam, spam perday, size and main ountries ofinfe tionaretheonespresentedin thefollowingTable.

Botnet % of Spam/ Estimated Country of

name Spam day Botnetsize infe tion

Rusto k 47.5% 44.1Milliards 1.1Mto1.7M USA(17%),Brazil(7%) Grum 8.5% 7.9Milliards 310kto470k Russia(12%),India(8%) Cutwail 6.3% 5.9Milliards 560kto840k India(17%),Russia(16%) Maazben 5.2% 4.8Milliards 510kto770k Russia(11%),India(10%) Mega-D 2.3% 2.1Milliards 80kto120k Russia(15%),Ukraine(14%) Cimbot 2.1% 1.9Milliards 32kto48k Italy(27%),Spain(25%)

Bobax 1.2% 1.1Milliard 250kto370k India(32%),Russia(25%) Xarvester 0.5% 501Million 17kto25k Italy(15%),UK(10%)

Festi 0.1% 96Million 8k to12k Vietnam(24%),Indonesia(21%) Gheg 0.1% 49.8Million 8k to12k Spain(12%),Indonesia(10%) Total Botnet

Spam 77% ±71Milliards 3.5Mto 5.4M India(9%),Russia(9%) Table3.1: TopBotnetsof2010

TheRusto kBotnetwasimmediatelydis ardedbe auseit wasalreadydismantled. Three ofthe hosenBotnetsare from thetopBotnetsof 2010. Themostdi ult taskwasto ndmalwarethat ouldbeinstalledonama hine in order toinfe t it. Aftersomeresear h, appropriatemalwarewas dis overedforvarious Botnets,whi hat thebeginningwereGrum, Cutwailand Bobax. Aftersome time,Itwasde idedtoalsoinstallmalwarefromtheLethi Botnet. EventhoughLethi isnotinthe topBotnetsof2010,itstillhasasigni antnumberofinfe tedma hines.

On June 2011, a new table with the top Botnets was released, onrming what was expe ted. Lethi ,that didnotappear onthetopBotnetsof2010, jumped to numberfour in sixmonths. The updatedtable anbeseenbelow,a ordingto [9℄.

Botnet % of Spam/ Estimated Countryof

name Spam day Botnetsize infe tion

Cutwail 16.1% 9.6Milliards 800kto1.2M India(10%), Russia(9%) Xarvester 6.7% 4.0Milliards 57kto86k UnitedKingdom(18%),Fran e(13%)

Maazben 3.1% 1.9Milliards 520kto780k Republi ofKorea(14%),Russia(10%) Lethi 3.1% 1.8Milliards 230kto340k Republi ofKorea(25%),Russia(15%) Grum 3.0% 1.8Milliards 200kto290k Russia(14%),India(14%) Bagle 2.7% 1.6Milliards 140kto200k India(15%), Argentina(8%) Fivetoone 2.3% 1.4Milliards 94kto 140k Vietnam(20%),Brazil(12%) Festi 1.2% 691Millions 25kto37k India(10%),Vietnam(10%) Bobax 0.4% 254Millions 80kto 120k Ukraine(27%),India(18%) DarkMailer 0.5% 43Millions 1kto 1.5k Fran e(27%),USA(16%) Total Botnet

Spam 76.6% ±45Milliards

Table3.2: TopBotnetsofJune2011

Thedieren ebetweenbothtables,in onlysixmonths,is lear,reinfor ingtheideathatBotnets are onstantly hanging. The Botnets used in this dissertation are all in the top 10, a ording to June'sreport. Cutwailgainedalot ofimportan ein theearliermonthsofthisyear,but noneof the a tualBotnetsa omplishevenhalfof whatRusto khasa omplished. Meanwhile,itwasexpe ted to seeade lineontheper entageofBotnetspamontheInternet,but thedieren eisonlyof0.4%. Whatwasmorenoti eablewastheredu tionofspamperday,whi hdroppedfrom71Milliardsto45 Milliards.

Finally, a trojan was also installed and analysed. The trojan name is Kazy and it will help understand betterthea tivityofabot.

So,fourBotnetswere onsideredinthis dissertation,asshownin thefollowingTable. Botnetname Aliases

Grum Tedroo

Cutwail Pandex/Pushdo Bobax Kraken/Oderoor

Lethi N/A

Table3.3: Botnetsanalysed

Beforegoingintothedetailsofea hBotnet,isitimportanttopresentsomedetailsabouttheKazy trojan.

3.1 Trojan details 3.1.1 Kazy

Thefollowingsenten e anbeusedto ompareatrojantoabot: Abotis alsoknownasa remote-a essTrojanhorseprogram[29℄. Thisspe i trojan,Kazy,downloadsmali iouslesfromaremote server,installsandexe utesthem.

Kazy is a ba kdoor trojan, well known for atta king online bank-related information[30℄. This trojan anbedistributedinmanyways,su hasmali iouss riptsondubioussites,likeadvertisements,

le. Wheninstallingitself,itusuallyresortstoafake.gifformatindi atorandthenameiexplorer.exe, whi hisslightlydierentfromtheInternetExplorerpro ess(iexplore.exe)[30℄. Themajorproblems ofthistrojanthathavebeenreportedarethedeletionofimportantlesfromanti-malware,anti-virus oranti-spyware programs. This makes it very hard to remove this trojan, turning the se urity of the infe ted ma hine into a veryfragile element. Another reported problem is browser redire tion tophishing sites. This Kazybehaviourisverywell known, onsistingusually in theuseof phishing s amsthat arepresentedintheformof fakeonlinebankloginpages. However,theseexpedients an be easily dete ted by looking into the web address[30℄. A ording to [30℄, Brazil based banks are privilegedtargetsoftheKazyphishingattempts.

A oupleofknownaliasesforKazyareTrojan.Win32.Pakes.oya,Trojan.Fakealert.20587,Mal/FakeA V-IK,Generi 22.YJandWin32/Kryptik.MLF[30℄.

3.2 Botnets details

Inorder to better understand these Botnets, it is important to givea briefba kground on ea h of them.

3.2.1 Grum

Grum, also knownas Tedroo, is anHTTP Spam Botnet, whi h mainly fo us its spam on pharma- euti alprodu ts. It usually infe ts les referen ed by theauto-run registries. This Botnet is able tohide omponentlesaswellaslegitimatewindowssystemles, makingitsdete tionandremoval quitedi ult[31℄. Ithasvekeyfeatures[31℄:

ˆ AKernel-basedroot-kit

ˆ Reportsto aC&CserverviaHTTPonport 80

ˆ Downloadsplaintextspamtemplates andaddresslistsfromaweb-server ˆ Hasmultiple ontrolservers

ˆ PerformsDNSMXlookupstosendspam.

Thebehaviourofthis Botnethas alreadybeen analysed, so itis known that thisBotnetwill tryto establisha ontrolserver onne tion,usinganemailmessage,bysendinganHTTPrequestmessage. Depending onthevariantoftheBotnet,Grummakes hangesintheSystemRegistry[31℄.

3.2.2 Cutwail

Cutwail,alsoreferredasPandexorPushdo,amongothernames,isalsoanHTTPSpamBotnet. Ithas beenworkingsin e2007[32℄. Itfo uses mainlyinsendingspampromoting pharma euti als,designer rip-osorevensoftware. Italsodistributesmalwareregularly,sendingatta hmentsinemails,usually a.zip le. It usuallyresortsto elebrity namestode eiveusers. Nowadays,theseBotnetsalsosend mali ious ampaigns, using so ial networking brands. Theyalso distribute phishing emails, mainly

ˆ ReportstoaC&Cserveronport80,resortingto en ryptedHTTP ˆ PerformsDNSlookupstosendspamandusestemplates.

In[32℄,theCutwailbehaviourisdes ribed. Bots onne ttothe ontrolserverusingHTTP,through port80, resortingto anen rypted tunneland listenonarandom UDPport for ommandsfrom the ontrolserver. Thehostis apableofdownloadingmalwareand,afterinstallingit,it reatesdierent pro esses[32℄,mainly withthepurposeofnotifyingtheBotmasterand runningits ommands.

3.2.3 Bobax

Bobax,whi h analsobefoundunderthenameofKrakenorOderoor,isanotherHTTPSpamBotnet. Reportedly,ithasbeenworkingsin e2007andhaditspeakin 2008[33℄. Duringthelastsemesterof this year,itwasresponsiblefor5-10%ofallgeneratedspam. Itstartedattra tingalot ofattention, whi hleadtothedisruptionofits ontrolserversintheendof2008[33℄. Bobaxisstillaroundasone of thetopBotnetsof 2010,but it isresponsible foronly1.2%of spamnowadays, whi h pla esit in the7thpla e. Themain Bobaxfeaturesare[33℄:

ˆ Reportsto ontrol serveronUDP,throughport 447 ˆ Usesdynami domain nameprovidersfordomains ˆ PerformsDNSMXlookupstosendspam

ˆ Hasmultiple re ipientspermessage ˆ Usestemplates

ˆ Hasba kdoor apabilities.

Bobax starts by he king for a Simple Mail Transfer Proto ol(SMTP) onne tion to a server site, through port 25. Then it generates a pseudo-randomdomain name, and if theDNS query fails, it will append thedomain name on thelo al network of the infe ted ma hine to perform anewDNS query. On eit su essfullyndstheC&C server,itsendsan HTTPrequest[33℄. Likein Cutwail,it reatespro essestoexe uteonWindowsstart-up,andhidesitsmalwareregisteringitselfasarandom servi ename. Italsohasthe apabilityofsear hingforpotentialemailaddresses. Afterthispro ess, itre eivesatemplatefromtheservertosend toitstargets.

3.2.4 Lethi

Lethi is an HTTP Spam Botnet that is suspe ted to exist for quite some time already. It is a proxytype spambot, that relays spam from a ontrol serverto itsdestination[34℄. It mainly sends pharma euti alandrepli awat hesspamemails. EventhoughitisnotpresentonthetopBotnetsof 2010[8℄,atthebeginningof2010Lethi wasresponsibleforabout8-10%oftotalspam[34℄. However, this is due to thefa t that Lethi has been dismantled somewherenear January2010. Meanwhile,

In[34℄,itsmainfeaturesaredes ribedasfollows: ˆ A tsasaproxyrelayspam

ˆ Pro essinje tiontoExplorer.exe ˆ Fast, multi-threaded

ˆ Anti-debuggingandAnti-VirtualMa hinedete tion.

After the infe tion, the ompromised ma hine onne ts to dierent domains. The ommuni ation proto ol is ustomised. When onne ted, the ontrol server initiates the handshaking pro ess and givesthe bot anIP addressand port to forwardthe data to, hen e makingit work asaproxy[33℄. An thehost,it startsby installingthemalwareon theWindows Systemdire tory. As happenedin allotherBotnets,it reatesaregistryentrytoexe utelesonWindowsstart-up. Lethi alsohasthe apabilitytoinje tits odeintoexplorer.exe,and reaterandompro essesintheinfe tedma hine[33℄.

3.3 Analysis Methodology

Themain obje tiveofthis dissertationis to analysedierentBotnetsby looking atthe statisti sof thegenerated tra . Thisisapassiveapproa h. Wehave onne tedama hinetotheInternetwith theonlypurposeofgettinginfe ted. Likeithasexplainedbefore,somebotshavetheabilitytodete t VirtualMa hines(VM).Thus,in order to geta urate results,noVM's were usedin any ase. The usedma hinewasalwaysformattedbeforeea hmanipulatedinfe tion,inordertopreventinterferen e betweenthetra generatedbydierentBotnets.

TheoperatingsystemusedwasalwaysMi rosoftWindowsXPServi ePa k2,sin eitisthemost targetedoperatingsystem.

At theverybeginning, a apture of one hour was madein order to observethe typi al tra generatedbythe omputerimmediately after beingformatted. Afterthis rststep, wesear hed for dierentmalwarefromthedierentBotnets. In[35℄,thereisafairlygooddatabaseofmalware. The next step was to set the aptures to last for 48 hours. This time was hosen be ause it gives the possibilitytobetterinferthebehaviouroftheBotnetandobservetheirpatternsalongalongertime line.

Noother taskwasbeingperformedon theinfe ted omputerwhile itwas apturing,in orderto redu eother generatedtra besidestheBotnettra . So,apart fromthe tra generated bythe Botnets,there wasverylittle tra being generated. Obviously, any other tra was dis ardedin thestatisti s al ulatedin Chapter4.

Experimental results

This hapterwillanalysethetra thatwas apturedforthedierentBotnetssele tedinthis disser-tation. Tra wasstoredinordertobeanalysedaposteriori. The ondu tedanalysisisamulti-level one,looking athigh and lowleveldetails. Regarding thehigh levelanalysis,thefollowingstatisti s ofthe aptured tra wereanalysed:

ˆ Proto olsdetails

ˆ Pa ketsperhourandperminute

ˆ Amountoftra transferredperhourandperminute ˆ Uniquepeersperhour

ˆ TransmissionControlProto ol(TCP)SessionEstablishmentattempts ˆ Geographi allo ationofthe onta tedpeers.

Theproto ols details will help understand someof the Botneta tivities and obje tivesby looking attheproto olsthat are usedin thedierent ommuni ations. Usingthe apturesthat were made, and reating as ript for ltering them by Proto ol, it waspossible to get the dierent amount of pa ketsovertime per ommuni ationproto ol. Itisimportanttoreferthatinthefollowinganalysis thereferen estoTCP(unknown)andUDP(unknown)refertononidentiedpa ketsandshouldnot be onfusedwiththesumofproto olsfromea hlayer. So,thesele tedlterwasabletoanalysethe pa ketheader andreturntheProto ol towhi h itbelongsto.

Thepa ketsperhourandperminuteallowustoverifythebehaviouralpatternoftheBotnetover time. This wasa omplishedby reatingas riptthat lteredthe amount ofpa kets generatedper hourandperminute,plottingthem onveniently. InordertobetterillustratethePa ketsperminute statisti ,asampleofthersttwohourswasalsomadebysimplylteringthepa kets orresponding totherst120minutes.

Theamountoftra transferredperhourandperminutefollowthesamepro edureoftheprevious statisti . Thes riptwassimilar,andtheonly hangethatwasmadetothelterwasusingtheamount ofgenerateddatainsteadoftheamountofpa kets.

TheuniquepeerswillhelpusrealizehowspreadandlargetheBotnetis. Inordertoobservethis, anothers ript was made, lteringthe IP addressesperhour from thestored aptures and plotting

them overtime. In this pro edure,itwasde idedto report only thenumberof peers perhourand distinguishthemasInbound andOutbound.

It was also important to analyse the TCP Session Establishment attempts, dierentiating the onne tionsthatwere establishedfromtheunsu essful onne tionattempts. Inordertoobtainthis statisti ,wehadtoltertheSYNpa ketsfromtheSYN/ACK andRST/ACKpa kets. TCPsession establishmentfollowsthethree way-handshakes hemeillustratedinthefollowinggure.

Figure4.1: TCPSessionEstablishmentdiagram

TheACK pa ketswerenot onsidered forthisanalysis. Infa t,thenumberof ACKpa kets an beeasilymanipulatedby hangingtheagbitsinordertoobtainaparti ularvalue. Inourpro edure, wesplit theTCPSYNpa ketssentfrom theinfe tedma hine fromtheTCP SYNpa kets re eived at theinfe tedma hine.

Finally, aWorldMapshowingthegeographi allo ationofthe onta tedpeerswasbuiltinorder to observethe geographi al relevan e of ea h Botnet. This was possible by resorting to atool in Python[36℄thatallows toknowthepeers geographi allo ationbasedon theirIP addresses. With a s ript, providing GnuPlot's world map and the tool for getting the IP address oordinates, it was possibletopindownthese oordinatesinthemap.

Inorderto better understandtheBotnetbehaviour,itwasde ided to splitthetra originated in theinfe ted ma hine from thetra that isdestined to theinfe ted ma hine. Hen e, forfurther referen e,wewilldes ribethemastheUploadandDownloadtra ,respe tively. OntheWorldMap, this distin tion was made by using bla k dots for the Outbound onne tions and red dots for the Inbound onne tions.

Inthelowlevelanalysis,wede idedto analysethefollowingstati /metri : ˆ S alograms

S alogramsareavisualmethodofdisplayingwavelettransforms. Theyhavethreeaxes,representing time,s aleandtheenergy oe ients. Thisisonemethodofusingwaveletanalysistoobtainspe tral information. S alogramsallowsustoanalysewaveletsindierents alesoffrequen yandtime. They alsohelp dete tthevarian eofasignal.

All theseanalysiswerepossibledueto theuseofTsharkto apturethegeneratedtra , Matlab andGnuPlottomakethegraphi softhedierentstatisti sandPythontowrites riptsthatareused toextra tallthene essaryinformationfromthegeneratedtra .

Next se tions will present the analysis that was made to the tra generated by ea h Botnet, togetherwith adis ussionoftheresultsobtained.

4.1 Grum

Asithasbeensaidbefore,themalwarefromthisBotnetwasinstalledimmediatelyafterthe omputer wasformatted. Tra was apturedduring48 onse utivehours,in ordertomakeadeeperanalysis. Themalwareused wasdownloadedfromthesite[35℄onJuly 2011.

Thismalwarehadaparti ular hara teristi : everytimeitwasexe uted,it reatedanewpro ess, disguisedunder thenameofInternetExplorer(iexplore.exe).

Although we have repeated the same pro ess from s rat h, the tra obtained in the se ond apturewasverysimilartotherstone,soonlyone apturewillbepresentedandanalysed.

4.1.1 General analysis

The rsttask when analysing the aptures obtainedfrom Grum wasto see how tra behaveover time. Byanalysingthewhole apture,itwaspossibletotakethefollowing on lusions.

Immediatelyafterinstallingthemalware,DNSqueriesstartedbeingmadetooneofGoogle'sDNS (8.8.8.8)during100se onds,withaperiodi ityof50se onds. Then,mostofthetra thatwasltered asTCPUnknowninthehigh-Levelanalysisusedport80,sowe an on ludethatitisHTTPtra . The known HTTP tra wasgenerated during 150 se onds, also with a periodi ity of 50 se onds, makingvariousGETrequestsfordierenttypesofles(.exe,.gif, .png). Aftersometime,Unknown TCPpa kets,dire tedthroughport445,wereex hanged. Therefore,wewereseeinga ommuni ation of ServerMessage Blo k (SMB) over TCP/IP. Right after this ex hange, the SMB ommuni ation began. A seriesofrequestsand responseswere ex hanged. Theobje tiveofthisa tivitywasto nd sharedles. A SessionInitiationProto ol (SIP)pa ketwasthen re eived,in ludingtheinformation that is ne essaryto getoptionsfrom anIP address. Thispa kets ontinuedto appearsporadi ally. Besides,severalattemptsforSe ureShell(SSH)andTelnet onne tionswerealsomade. Re urrently, thereweresomepa ketsbeingex hangedthroughport6000,whi hhasbeenreportedasaportused byvirus ortrojans. SomeSMTP pa ketswere alsodete ted overtime, reinfor ingtheideaofspam intents.

The apture made followed a regulartrend, with the vast majority of the pa kets belonging to HTTPandSMB.Thesepa kets ontinuouslyqueriedservi esthroughNetBIOSNameServi e(NBNS) andtriedtoestablishsessionsthroughNetBIOSSessionServi e(NBSS).Thereweresomeex eptions that willbedis ussedlater.

Beforepresentingthestatisti sthat wereextra ted, we an on ludethat thisBotnetperformed somewhatlikeweexpe teditto, onsideringthatitstra ismostlyHTTP,itperformsDNSlookups and the ountriesof infe tion aremainly lo ated in thesame ontinentsthat havebeenreported in theliterature. ThenumberofSMTPpa ketswasexpe tedtobehigher,butthemostimportantissue isthat thesepa ketsarepresent.

0

20

40

60

80

100

120

0

5

10

15

20

25

30

35

40

45

Frames

Hours

DNS

SMTP

TCP (unknown)

SMB

UDP (unknown)

HTTP

Figure4.2: Proto ols(Upload),GrumBotnet

0

20

40

60

80

100

120

140

0

5

10

15

20

25

30

35

40

45

Frames

Hours

DNS

SMTP

TCP (unknown)

SMB

UDP (unknown)

HTTP

Figure4.3: Proto ols(Download),GrumBotnet

Regarding these twopi tures, it is learlyvisible that most of the generated tra wasltered asunknownTCP.IntheUploaddire tion,therearesomeHTTPandDNSpa kets inthersthour. Then,besidesunknownTCP,there arealsosomeSMBandunknownUDPpa kets.

In the Download dire tion, it is also possible to observe some few pa kets from three dierent proto ols(HTTP, DNSandSMB),althoughthis onlyhappensinthersthour.

The next pro edure onsisted in analysing the number of pa kets generated per hour and per minute.

0

20

40

60

80

100

120

140

160

180

200

0

5

10

15

20

25

30

35

40

45

Packets

Hours

Upload

Download

Figure4.4: Pa ketsperhour,GrumBotnet

Inthispi ture,itisvisiblethatthenumberofgeneratedpa ketsin reasedastimeprogressed,and therewerealwaysmoreDownloadthanUploadpa kets. Therearepeaksin theamountofgenerated tra aroundthe23th,37thand43ndhour.

Inthese peaks, it is possibleto observe anin rease of SMBsession requests, aswell asRemote Managementrequests.

0

10

20

30

40

50

60

70

80

0

500

1000

1500

2000

Packets

Minutes

Download

Upload

0

10

20

30

40

50

60

70

80

0

20

40

60

80

100

120

Packets

Minutes

Download

Upload

Figure4.6: Sample ofpa ketsperminute,GrumBotnet

Byobservingtheselasttwopi tures,we an on ludethatthisBotnetdoesnotgeneratea signi- antamountoftra perminute,ex eptonsomepeaksthato urovertime,aspreviouslyexplained. From the aptured pa kets, it is also important to observe the amount of generated data. The analysismadefollowthesame riteriaof thepreviouspro edure.

0

0.01

0.02

0.03

0.04

0.05

0.06

0.07

0

5

10

15

20

25

30

35

40

45

Data (MB)

Hours

Upload

Download

0

5

10

15

20

25

30

35

40

45

50

0

500

1000

1500

2000

Bytes(KB)

Minutes

Download

Upload

Figure4.8: Amountoftra perminute,GrumBotnet

0

5

10

15

20

25

30

35

40

45

50

0

20

40

60

80

100

120

Bytes(KB)

Minutes

Download

Upload

Figure4.9: Sampleofamountoftra perminute,GrumBotnet

Fromthese three pi tureswe anobservethatGrum generated averylimited amountof tra , around 10KBperhour. As expe ted from theamountofre eivedpa kets, theamountofdownload

Nextgraphshowstheamountofuniquepeers onta tedovertime.

0

10

20

30

40

50

60

0

5

10

15

20

25

30

35

40

45

Peers

Hours

Inbound

Outbound

Figure4.10: Uniquepeersperhour,GrumBotnet

We anseethattherewasafairlyregularamountofpeers onta tedperhour,ex eptforthepeak onthe28thhour,wheresixtimesmorepeerswere onta tedthanusual. Thispeakwastheresultof theattempts ofTCPSessionEstablishmentthatwerenotsu essful.

Anotherpro edure thatis usefulto betterunderstand thebehaviourofthis Botnetisto analyse theTCPSessionEstablishments. Thisanalysis anbeseeninthefollowingpi tures.

0

2

4

6

8

10

0

5

10

15

20

25

30

35

40

45

Packets

Hours

Syn outbound

Syn/Ack inbound

Rst/Ack inbound

Inthepreviouspi ture,itis learthat mostofthepa ketsgeneratedinresponse toSYNpa kets wereSYN/ACK,sothesession establishmentsfollowedtheexpe ted behaviour.

0

10

20

30

40

50

60

70

80

90

0

5

10

15

20

25

30

35

40

45

Packets

Hours

Syn inbound

Syn/Ack outbound

Rst/Ack outbound

Figure 4.12: TCPSessionEstablishment(Inbound),Grum Botnet

In the Inbound pi ture, we see that most of the time there are more RST/ACK pa kets than SYN/ACK,whi hmeansthat mostof thesessionestablishmentsattemptswere notsu essful. Like we said before, there is a strangepeak of 60 peers onta tedper hour, whi h is due to these high numberofRST/ACKpa kets. Inthe28thhourofthis apture,atotalof84RST/ACKpa ketswere sentfromtheinfe tedma hine.

To on ludetheHigh-Levelanalysis,itisinterestingtoseeaworldmapthatshowsthegeographi al lo ationofthepeersthatestablished ommuni ationwiththeinfe tedma hine.

Figure4.13: WorldMap,GrumBotnet

Itisper eivablethatGrum'sinfe tedma hinesareprimarilylo atedinEurope,AsiaandAmeri a. Themain infe ted ountriesreportedin this aptureareChinaandtheUnitedStatesofAmeri a.

4.1.3 Low-Level Analysis

Thes alogramforthis aptureisshownin thenextpi ture.

50

100

150

200

250

300

350

400

450

500

550

600

0

50

100

Analyzed Signal

Scalogram

Percentage of energy for each wavelet coefficient

Time (or Space) b

Scales a

100

200

300

400

500

600

1

5

9

13

17

21

25

29

33

37

41

45

49

53

57

61

0

0.02

0.04

0.06

0.08

Figure 4.14: S alogram,Grum Botnet

Thein reaseof energyper entagearoundtherstminutesofthesampleis learlyvisible, whi h indi ates the high varian e at the beginning of the apture. There are also some smaller varian e peakso urringatminutesonehundred,fourhundredandvehundred. Thiss alogramallowusto learlyseethevarian eof thesignalovertime.

0

10

20

30

40

50

60

1

2

3

4

5

6

7

8

Scales a

Mean

0

10

20

30

40

50

60

0

5

10

15

20

25

30

35

Scales a

Variance

Figure 4.16: EnergyVarian e,GrumBotnet

The mean and varian e of the energy were also analysed. We an see in the last two pi tures thatthemeanisquitedierentforthevarious oe ientsof energy. Thevarian eoftheenergyhas signi antvalues.