The Dark Cloud: Understanding and Defending against Botnets and Stealthy Malware
The proliferation of botnets reveals a worrisome trend in the spread and sophistication of computer viruses and worms in the Internet today. (A botnet is essentially a collection of compromised, distributed computers or systems, known as bots because of their zombie-like nature, under the control of a bot-herder through command-and-control servers.) Botnets are the latest scourge to hit the Internet, each one revealing a new level of technological expertise and the use of quality software processes that undermine, if not downright prohibit, the ability of current anti-malware and other intrusion detection systems (IDSs) to deal with them. Most IDSs focus on detecting known threats, or on detecting the volume of traffic generated by a bot-host after it has been activated. Most bots, however, are polymorphic: they change with every instantiation, so they appear as something new every time. Furthermore, most bots generate only low-volume, periodic communication back to a bot-herder, and this volume is generally within the thresholds used by IDSs. In this article, we present an overview of the state of the art of botnets and stealthy malware, then develop and present several promising anti-botnet defense strategies that specifically target current and emerging trends in botnet development.
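The contrast the abstract draws, between volume-threshold detection and the low-volume, periodic beaconing most bots emit, can be made concrete. The following Python is an added example and is not code from the article: it runs a classic byte-volume check and a timing-based periodicity check side by side over constructed connection records. The hosts, addresses, byte counts and thresholds are all assumptions chosen for illustration.

```python
"""Added example (not from the article): a volume threshold misses a
low-volume periodic beacon, while a simple timing check catches it.
All flow records, hosts and addresses below are constructed."""
from collections import defaultdict
import statistics

# Constructed outbound-connection records: (timestamp_s, src_host, dst_host, bytes_out).
# 10.0.0.5 is a busy but benign host: bursty browsing with large transfers.
# 10.0.0.9 carries a hypothetical bot beacon: tiny payload, roughly every 300 s.
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "203.0.113.10", 250_000),
    (7, "10.0.0.5", "203.0.113.10", 250_000),
    (9, "10.0.0.5", "203.0.113.10", 250_000),
    (45, "10.0.0.5", "203.0.113.10", 250_000),
    (46, "10.0.0.5", "203.0.113.10", 250_000),
    (120, "10.0.0.5", "203.0.113.10", 250_000),
    (300, "10.0.0.5", "203.0.113.10", 250_000),
    (310, "10.0.0.5", "203.0.113.10", 250_000),
    (900, "10.0.0.5", "203.0.113.10", 250_000),
    (905, "10.0.0.5", "203.0.113.10", 250_000),
    (0, "10.0.0.9", "198.51.100.7", 200),
    (301, "10.0.0.9", "198.51.100.7", 200),
    (599, "10.0.0.9", "198.51.100.7", 200),
    (902, "10.0.0.9", "198.51.100.7", 200),
    (1200, "10.0.0.9", "198.51.100.7", 200),
    (1498, "10.0.0.9", "198.51.100.7", 200),
    (1801, "10.0.0.9", "198.51.100.7", 200),
    (2100, "10.0.0.9", "198.51.100.7", 200),
]


def volume_alerts(flows, threshold_bytes=1_000_000):
    """Classic volume check: flag hosts whose total outbound bytes over the
    capture exceed the threshold (an assumed 1 MB here)."""
    totals = defaultdict(int)
    for _ts, src, _dst, nbytes in flows:
        totals[src] += nbytes
    return sorted(host for host, total in totals.items() if total > threshold_bytes)


def beacon_alerts(flows, min_events=6, max_cv=0.1):
    """Timing check: flag (src, dst) pairs whose inter-connection intervals are
    nearly constant (coefficient of variation <= max_cv), ignoring volume.
    Returns {(src, dst): mean_interval_seconds} for each flagged pair."""
    times = defaultdict(list)
    for ts, src, dst, _nbytes in flows:
        times[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few observations to judge regularity
        stamps.sort()
        deltas = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean = statistics.mean(deltas)
        if mean <= 0:
            continue
        cv = statistics.stdev(deltas) / mean  # relative spread of the intervals
        if cv <= max_cv:
            hits[pair] = round(mean, 1)
    return hits


if __name__ == "__main__":
    print("volume alerts:", volume_alerts(SAMPLE_FLOWS))   # only the noisy benign host
    print("beacon alerts:", beacon_alerts(SAMPLE_FLOWS))   # only the quiet periodic host
```

On this input the volume check flags only the benign browsing host, while the beacon host sends 1,600 bytes in total and never trips it; the periodicity check flags the beacon host's destination pair with a mean interval of about 300 s and ignores the bursty host. The `max_cv` and `min_events` values are tuning assumptions: real beacons add deliberate jitter, so production detectors usually examine interval histograms per time window rather than a single coefficient of variation.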