Figure 3
The bot master establishes a botnet by deploying bots and launches attacks
from the original host against victims through a number of stepping-stones
and a C&C server. Bot binaries executed on the victim machines turn them
into zombies that join the botnet. The bot master then communicates with
the victims in order to steal sensitive information. This differs from
other types of botnet attack, such as DoS/DDoS, where the attacker has no
interest in communicating with the victims at all. Under the supervision of
the bot master through the C&C server, the victims periodically send data
to receivers (i.e. drop-zones), and the collected data are then relayed
back to the bot master through the stepping-stones.
A major difficulty in analyzing botnet attack traffic is that the
communication between bots and C&C servers is usually encrypted, so the
encryption keys have to be identified first; in addition, attackers
usually hide behind stepping-stones such as Web proxies, VPNs and SSH
tunnels, so the traffic that reaches the analyst rarely comes directly
from the bot master's host.
For example, the Zeus bot uses the RC4 stream cipher, whose key-scheduling
algorithm transforms a key string of arbitrary length into a 256-byte array
S that is a permutation of the values 0..255. It is this S array, rather
than the original key string, that resides in memory and is used to encrypt
plaintext and decrypt ciphertext. The key identification scheme therefore
looks for an S array in the memory image: a 256-byte run in which every
value from 0 to 255 occurs exactly once. Since RC4 derives the same
permutation from the same key, the recovered S array constitutes the
effective RC4 key for decrypting the bot's traffic.
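As an added illustration (this is example code, not code from the paper or from Zeus), the following Python implements RC4's key scheduling, shows that the 256-byte S array it produces is the state that actually performs the encryption, and scans a constructed memory image for 256-byte windows that are permutations of 0..255, trying each candidate as a fresh RC4 state against a captured ciphertext. The key, the C&C-style message, the memory image and all function names are assumptions made for this example.

```python
# Added example (not from the paper): RC4 key scheduling, the resulting S array,
# and a scan that locates candidate S arrays in a memory image and tries them
# against captured ciphertext. Key, plaintext and memory image are constructed.

def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: expand a key of any length (1..256 bytes)
    into a permutation S of the values 0..255. This S, not the key string,
    is what an RC4 implementation keeps in memory."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(S: list, data: bytes) -> bytes:
    """Pseudo-random generation algorithm: XOR data with the keystream derived
    from S, starting at i = j = 0. Encryption and decryption are the same
    operation. Works on a copy so the caller's S is left untouched."""
    S = S[:]
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def find_s_arrays(image: bytes, skip_identity: bool = True) -> list:
    """Offsets of every 256-byte window that contains each value 0..255
    exactly once, i.e. a candidate RC4 S array. A running count of distinct
    byte values keeps the scan linear in the image size. The identity
    permutation 00 01 ... ff is the pre-KSA state and also a common lookup
    table in ordinary binaries, so it is skipped by default."""
    identity = bytes(range(256))
    counts = [0] * 256
    distinct = 0
    hits = []
    for end, b in enumerate(image):
        counts[b] += 1
        if counts[b] == 1:
            distinct += 1
        if end >= 256:                      # drop the byte leaving the window
            old = image[end - 256]
            counts[old] -= 1
            if counts[old] == 0:
                distinct -= 1
        if end >= 255 and distinct == 256:
            start = end - 255
            if not (skip_identity and image[start:end + 1] == identity):
                hits.append(start)
    return hits


def recover_plaintext(image: bytes, ciphertext: bytes, plausible) -> list:
    """Try every candidate S array from the image as a fresh RC4 state
    (i = j = 0) against the ciphertext; return (offset, plaintext) pairs
    whose decryption passes the caller's plausibility check. Assumption:
    the captured state is the post-KSA S, not one already advanced by the
    PRGA; a state captured mid-stream would also need the live i and j."""
    results = []
    for off in find_s_arrays(image):
        candidate = list(image[off:off + 256])
        pt = rc4_crypt(candidate, ciphertext)
        if plausible(pt):
            results.append((off, pt))
    return results


# --- constructed demonstration data (not real Zeus artifacts) ---------------
KEY = b"example-bot-key"
S_ARRAY = rc4_ksa(KEY)
PLAINTEXT = b"bot_id=WIN7-01&cmd=getfile&target=C:\\creds.txt"  # constructed message
CIPHERTEXT = rc4_crypt(S_ARRAY, PLAINTEXT)
# A fake memory image: zero pages, an unrelated identity table, some filler,
# the live S array, then more filler.
MEMORY_IMAGE = (b"\x00" * 1024 + bytes(range(256)) + b"heap-filler"
                + bytes(S_ARRAY) + b"\xff" * 512)
S_OFFSET = 1024 + 256 + len(b"heap-filler")   # 1291


def is_printable_ascii(data: bytes) -> bool:
    """Cheap plausibility check for a decrypted C&C message."""
    return all(0x20 <= c < 0x7F for c in data)


if __name__ == "__main__":
    for off, pt in recover_plaintext(MEMORY_IMAGE, CIPHERTEXT, is_printable_ascii):
        print(f"S array at offset {off:#x} decrypts to: {pt!r}")
```

Two practical caveats: a permutation scan produces false positives (the identity table is the common one, which is why it is filtered, but any other 256-byte permutation such as an S-box or a scrambled lookup table will also match), so every candidate has to be confirmed by decrypting real traffic; and the S array found in memory is only the "key" if it is the post-KSA state rather than one the PRGA has already advanced, otherwise the i and j counters must be recovered alongside it.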
Therefore, in order to nab the bot master, systematic and reinforced
analysis of network traffic within the multi-cloud environment is
required. This work is therefore mainly focused on designing a
systematic network traffic analyzer that finds the exact origin of the
attack and removes it from the cloud.