Understanding Botnets: How Massive Internet Break-Ins Fuel an

Underground Economy

Jason Franklin and Vern Paxson

Abstract

• We study how the creation of massive networks of compromised machines fuel an underground economy.

• The underground market being studied is a central point for miscreant activity including identity theft, phishing, sale of compromised machines, and credit card fraud.

• Through extensive passive monitoring and analysis of this underground marketplace, we hope to establish connections between various facets of illegal online activities.

Measurement Methodology• Passive monitoring and archival of

Internet Relay Chat (IRC) channels– 50+ monitored servers– Over 7 months of data– Over 12 million individual messages from

as many as 50k individuals

• Limitations and Complexities– No private IRC messages– Complex underground dialect (slang)– Difficult to establish reputation

S

SS

C

CC

M

C

IRC

S

C

erver

lient

Key

M onitor

Botnet Definition

• A botnet is a network of compromised machines (bots) remotely controlled by an attacker.

B ot

Key

U ncompromised Host

B

Attacker

B

B

B

U

UCommands

CommandsAttacks

Attacks

Underground Market Breakdown

Item Times Mentioned Offered for sale Wanted

Potential Bots (hacked hosts, roots, shells)

760,000 500,000 300,000

Exploits 44,000 24,000 10,000

Spam Related Items 750,000 450,000 250,000

Credit Cards & Identities

800,000 340,000 370,000

Compromised

E-merchant Accounts

300,000 170,000 160,000

Scam Websites 310,000 200,000 130,000

Observed Relationships and Causality

Stolen Credit cards

Botnets

Exploits

Spam

Phishing &Identity Theft

Scam Websites Compromised E-Merchants

Credit Card Fraud

Hacked Databases

Identities

UndergroundCurrency

Credit Cards

Market at a Glance

Number of Days Monitored

Per

cent

age

of M

onito

red

Mes

sage

s

Market at a Glance

Number of Days Monitored

Per

cent

age

of M

onito

red

Mes

sage

s

Vulnerability Alerts, Exploits, and Potential Bots

• Vertical lines represent releases of major vulnerability alert.

Per

cent

age

of M

onito

red

Mes

sage

s

Number of Days Monitored

Vulnerability Alerts, Exploits, and Potential Bots

• Vertical lines represent releases of major vulnerability alert.

Per

cent

age

of M

onito

red

Mes

sage

s

Number of Days Monitored

Complex Social Network

• Future work includes leveraging social network analysis techniques to map connections between players.

“Carders”

Buyers

Identity Thieves

Crackers

Sellers

Insiders

Market

Traders

Conclusion

• Preliminary results show that underground markets aggregate information which is otherwise difficult to observe.

• Monitoring underground markets may be useful as a predictor of future widespread malicious activities on the Internet. We may be able to use the market as an oracle.

• Future analysis of the complex relationships between market players is required.

Acknowledgements• We would like to thank Rob Thomas of team Cymru for

providing access to the IRC logs.• We would also like to thank Stefan Savage, Robin Sommers,

and Nick Weaver for their comments and suggestions.• This research was performed while on appointment as a U.S.

Department of Homeland Security (DHS) Fellow under the DHS Scholarship and Fellowship Program, a program administered by the Oak Ridge Institute for Science and education (ORISE) for DHS through an interagency agreement with the U.S Department of Energy (DOE). ORISE is managed by Oak Ridge Associated Universities under DOE contract number DE-AC05-00OR22750. All opinions expressed in this paper are the author's and do not necessarily reflect the policies and views of DHS, DOE, or ORISE.

• The research described here was performed at the Lawrence Berkeley National Laboratory and supported by the Director, Office of Science, Office of Workforce Development for Teachers and Scientists, of the U.S. Department of Energy under Contract No. DE-AC02-05CH11231.