Make It Count: an Analysis of a Brute-forcing Botnet
Abstract
The smallest element in a botnet is a bot. The behavior of a bot can change dynamically based on the decision of the botmaster. Commonly driven by profit, bots are expected to be profitable. If an infected bot does not fulfill the expectations, the botmaster can instruct the bot to switch it's behavior to serve a better purpose. This paper presents a detailed analysis of a network traffic capture of a machine originally infected by a Gamarue variant. The analysis will uncover the behavior of the bot since the initial infection, inactivity period, delivery of a new payload and the following switch of behavior of the bot. The paper will analyze the infection in detail, including the horizontal brute-forcing activity affecting thousands of WordPress websites. The goal of the paper is to show a concrete example of a bot performing brute-forcing, analyze it, identify the mechanisms used and indicators of compromise that will help detect it.
Published
2016-02-29
Section
Conference short papers
Copyright (c) 2015 Veronica Valeros

This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.