Understanding Botnets: How Massive Internet Break-Ins Fuel an Underground Economy. Jason Franklin and Vern Paxson. Abstract: We study how the creation of massive ... – PowerPoint PPT presentation

Slides: 14
Provided by: csCmuEdu97
Learn more at: http://www.cs.cmu.edu

Transcript and Presenter's Notes

1
  Understanding Botnets: How Massive Internet
Break-Ins Fuel an Underground Economy
  • Jason Franklin and Vern Paxson

2
Abstract
  • We study how the creation of massive networks of
    compromised machines fuels an underground economy.
  • The underground market being studied is a central
    point for miscreant activity including identity
    theft, phishing, sale of compromised machines,
    and credit card fraud.
  • Through extensive passive monitoring and analysis
    of this underground marketplace, we hope to
    establish connections between various facets of
    illegal online activities.

3
Measurement Methodology
  • Passive monitoring and archival of Internet Relay
    Chat (IRC) channels
  • 50 monitored servers
  • Over 7 months of data
  • Over 12 million individual messages from as many
    as 50k individuals
  • Limitations and Complexities
      • No private IRC messages
      • Complex underground dialect (slang)
      • Difficult to establish reputation

4
Botnet Definition
  • A botnet is a network of compromised machines
    (bots) remotely controlled by an attacker.

[Figure key: Uncompromised Host]
5
Underground Market Breakdown
Item                                          Times Mentioned  Offered for Sale  Wanted
Potential Bots (hacked hosts, roots, shells)  760,000          500,000           300,000
Exploits                                      44,000           24,000            10,000
Spam Related Items                            750,000          450,000           250,000
Credit Cards Identities                       800,000          340,000           370,000
Compromised E-merchant Accounts               300,000          170,000           160,000
Scam Websites                                 310,000          200,000           130,000
6
Observed Relationships and Causality
[Figure label: Stolen Credit Cards]
7
Market at a Glance
[Plot axes: Percentage of Monitored Messages; Number of Days Monitored]
8
Market at a Glance
[Plot axes: Percentage of Monitored Messages; Number of Days Monitored]
9
Vulnerability Alerts, Exploits, and Potential Bots
  • Vertical lines represent releases of major
    vulnerability alerts.

[Plot axes: Percentage of Monitored Messages; Number of Days Monitored]
10
Vulnerability Alerts, Exploits, and Potential Bots
  • Vertical lines represent releases of major
    vulnerability alerts.

[Plot axes: Percentage of Monitored Messages; Number of Days Monitored]
11
Complex Social Network
  • Future work includes leveraging social network
    analysis techniques to map connections between
    players.

12
Conclusion
  • Preliminary results show that underground markets
    aggregate information which is otherwise
    difficult to observe.
  • Monitoring underground markets may be useful as a
    predictor of future widespread malicious
    activities on the Internet. We may be able to
    use the market as an oracle.
  • Future analysis of the complex relationships
    between market players is required.

13
Acknowledgements
  • We would like to thank Rob Thomas of Team Cymru
    for providing access to the IRC logs.
  • We would also like to thank Stefan Savage, Robin
    Sommers, and Nick Weaver for their comments and
    suggestions.
  • This research was performed while on appointment
    as a U.S. Department of Homeland Security (DHS)
    Fellow under the DHS Scholarship and Fellowship
    Program, a program administered by the Oak Ridge
    Institute for Science and Education (ORISE) for
    DHS through an interagency agreement with the U.S.
    Department of Energy (DOE). ORISE is managed by
    Oak Ridge Associated Universities under DOE
    contract number DE-AC05-00OR22750. All opinions
    expressed in this paper are the author's and do
    not necessarily reflect the policies and views of
    DHS, DOE, or ORISE.
  • The research described here was performed at the
    Lawrence Berkeley National Laboratory and
    supported by the Director, Office of Science,
    Office of Workforce Development for Teachers and
    Scientists, of the U.S. Department of Energy
    under Contract No. DE-AC02-05CH11231.