Mining Function Homology of Bot Loaders from Honeypot Logs
Yuhui Zhu, Zhenxiang Chen, Qiben Yan, Shanshan Wang, Enlong Li, Lizhi Peng, Chuan Zhao

TL;DR
This paper introduces a text-based analysis method using honeypot logs to classify and explore the homological relationships of bot loaders, revealing insights into botnet evolution and infrastructure connections.
Contribution
It presents a novel approach to analyze bot loaders at the function level using sequence alignment, overcoming challenges posed by their cloud-based, self-contained design.
Findings
Identified eight families of bot loaders through clustering.
Discovered homological relationships indicating code reuse and evolution.
Revealed ongoing generation of botnets from Mirai's code base.
Abstract
Self-contained loaders are widely adopted in botnets for injecting loading commands and spawning new bots. While researchers can dissect bot clients to obtain various kinds of information about botnets, the cloud-based and self-contained design of loaders effectively hinders researchers from understanding the loaders' evolution and variation using classic methods. The decoupled nature of bot loaders also dramatically reduces the feasibility of investigating relationships among clients and infrastructures. In this paper, we propose a text-based method to investigate and analyze the details of bot loaders using honeypots. We leverage high-interaction honeypots to collect request logs and define eight families of bot loaders based on the result of agglomerative clustering. At the function level, we push our study further to explore their homological relationship based on similarity analysis of request logs…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Spam and Phishing Detection
