Next: Exposing hidden botnet connections Up: Just How Big is Previous: Large Botnets May Not


Challenges and Caveats

As we alluded to earlier, there are several additional issues that complicate the task of counting botnet members. Temporary bot migration and bot cloning are major contributors to this problem. On several occasions, we observed botmasters commanding their bots to temporarily migrate from one botnet to another. In cloning, botmasters command bots to create copies of themselves and join a new channel on the same server, or to connect to a different server altogether [14]. Generally, we observed two types of cloning: (i) clone flooding, in which bots create a large number of instances to overwhelm a target IRC server, and (ii) normal cloning events, in which botmasters command their bots to create a new IRC connection and join another channel on the same server or on a different server.

These observations raise the following important question: when we count botnet members, are we really counting actual compromised machines? Although direct counting of bots by botnet infiltration seems to be the most straightforward way of estimating a botnet's size, it is, unfortunately, unclear whether or not the resulting estimate is a count of real bots. For one, temporary botnet migration can significantly inflate the membership of a particular botnet. Figure 4, for example, presents an instance of temporary migration observed by our IRC tracker. In this example, if we were to count the population of Botnet II immediately after the migration, we would arrive at an inflated count. While on the surface this may not seem like a big concern, if such migrations occur frequently, then we could be substantially over-counting the cumulative bot population.

To further illustrate the impact of bot cloning on size estimation, we extracted all clone commands observed in the IRC traces of the botnets we tracked. In this case, we only consider the events corresponding to the second type of cloning and therefore exclude all commands corresponding to "clone flood" attacks. Overall, we observed cloning behavior in 20 tracked botnets. Interestingly, our results show that although the total footprint of these botnets was near 130,000 bots, they created a total of 2,383,500 clone instances, of which roughly 10% connected to new botnet servers. Figure 5 presents an example of one such cloning event in which bots are asked to join another channel on the same server. The graph shows a sudden surge in the number of online bots reported in the server's welcome message shortly after the botmaster posted a command to her bots to create clones and join a new channel on the same server. Obviously, the population count in this case is not indicative of actual bots. Coupled with the issue of bot migration, this may be one of the underlying reasons for the wide variation in botnet sizes quoted in the literature. Unfortunately, without more qualified discussions of what botnet sizes represent, it is difficult to come to any definitive conclusions.
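As an added illustration (not code from the paper or its IRC tracker), the following Python script runs over a constructed tracker log and contrasts the instance count that a server's welcome message would report with the number of distinct hosts behind those instances, and it flags join bursts that come mostly from hosts already present, which is the signature of the cloning surge in Figure 5. The log format, nicks and addresses are all constructed; the hosts-as-machines reading carries the usual NAT and DHCP caveats noted in the comments.

```python
import re
from collections import defaultdict

# Constructed IRC tracker log (sample data, not from the paper's traces).
# Line format: "<t> JOIN <nick>!<user>@<host> <channel>", t in seconds.
SAMPLE_LOG = """\
0 JOIN b-a3f!u@10.0.0.5 #main
1 JOIN b-77e!u@10.0.0.9 #main
2 JOIN b-c01!u@10.0.0.12 #main
3 JOIN b-9b2!u@10.0.0.20 #main
60 JOIN b-a3f-1!u@10.0.0.5 #side
60 JOIN b-a3f-2!u@10.0.0.5 #side
60 JOIN b-77e-1!u@10.0.0.9 #side
61 JOIN b-77e-2!u@10.0.0.9 #side
61 JOIN b-c01-1!u@10.0.0.12 #side
61 JOIN b-c01-2!u@10.0.0.12 #side
"""
JOIN_RE = re.compile(r"^(\d+) JOIN (\S+)!(\S+)@(\S+) (#\S+)$")

def parse_joins(log):
    """Return (t, nick, host, channel) for every JOIN line; skip others."""
    events = []
    for line in log.splitlines():
        m = JOIN_RE.match(line.strip())
        if m:
            t, nick, _user, host, chan = m.groups()
            events.append((int(t), nick, host, chan))
    return events

def population(events):
    """Instances (distinct nicks, what a welcome message reports) vs distinct
    hosts, a proxy for real machines (caveat: NAT merges, DHCP churn splits)."""
    nicks = {e[1] for e in events}
    hosts = {e[2] for e in events}
    return {"instances": len(nicks), "hosts": len(hosts),
            "inflation": len(nicks) / len(hosts) if hosts else 0.0}

def clone_suspect_windows(events, window=10):
    """Bucket JOINs into `window`-second slots; flag slots where at least half
    the joins come from hosts already seen (new instances, not new machines)."""
    seen = set()
    slots = defaultdict(lambda: [0, 0])  # slot -> [joins, joins from known hosts]
    for t, _nick, host, _chan in sorted(events):
        slot = t // window
        slots[slot][0] += 1
        slots[slot][1] += host in seen
        seen.add(host)
    return [slot * window for slot, (n, known) in sorted(slots.items())
            if n >= 2 and known / n >= 0.5]
```

On the sample log, `population` reports 10 instances over 4 hosts (an inflation factor of 2.5) and `clone_suspect_windows` flags the burst starting at t=60, where every join comes from a host already counted.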

Figure 4: Botnet temporary migration instance.

Figure 5: Bot count for a botnet with cloning.


Fabian Monrose 2007-04-03