Check out the new USENIX Web site.

USENIX Home . About USENIX . Events . membership . Publications . Students
Steps to Reducing Unwanted Traffic on the Internet Workshop — Abstract

Pp. 39–44 of the Proceedings

The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets

Evan Cooke, University of Michigan; Farnam Jahanian, University of Michigan and Arbor Networks; Danny McPherson, Arbor Networks

Abstract

Global Internet threats are undergoing a profound transformation from attacks designed solely to disable infrastructure to those that also target people and organizations. Behind these new attacks is a large pool of compromised hosts sitting in homes, schools, businesses, and governments around the world. These systems are infected with a bot that communicates with a bot controller and other bots to form what is commonly referred to as a zombie army or botnet. Botnets are a very real and quickly evolving problem that is still not well understood or studied. In this paper we outline the origins and structure of bots and botnets and use data from the operator community, the Internet Motion Sensor project, and a honeypot experiment to illustrate the botnet problem today. We then study the effectiveness of detecting botnets by directly monitoring IRC communication or other command and control activity and show a more comprehensive approach is required. We conclude by describing a system to detect botnets that utilize advanced command and control systems by correlating secondary detection data from multiple sources.
  • View the full text of this paper in HTML and PDF, or the talk slides in PDF.

    Click here if you have forgotten your password Until July 2006, you will need your USENIX membership identification in order to access the full papers. The Proceedings are published as a collective work, © 2005 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.

  • If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.
To become a USENIX Member, please see our Membership Information.
?Need help? Use our Contacts page.

Last changed: 17 Aug. 2005 ch
Technical Program
SRUTI '05 Home
USENIX home