Botzilla: Detecting the "Phoning Home" of Malicious Software

Source: Association for Computing Machinery

Hosts infected with malicious software, so-called malware, are ubiquitous in today's computer networks. The means whereby malware can infiltrate a network are manifold and range from exploiting software vulnerabilities to tricking a user into executing malicious code. Monitoring and detection of all possible infection vectors is intractable in practice. Hence, one approaches the problem of detecting malicious software at a later point, when it initiates contact with its maintainer, a process referred to as "phoning home". In particular, the paper introduces Botzilla, a method for detection of malware communication, which proceeds by repetitively recording network traffic of malware in a controlled environment and generating network signatures from invariant content patterns.
Format: PDF Size: 372.10
Date: Oct 2009