Figure 3
The bot master establishes a botnet by deploying bots and launches attacks on victims from the original host through a number of stepping-stones and a C&C server. Bot binaries are executed on victim machines, which become zombies and join the botnet. The bot master then attempts to communicate with the victims in order to steal sensitive information. This differs from other types of botnet attack, such as DoS/DDoS attacks, where the attacker has no interest in any communication with the victims. Under the supervision of the bot master through the C&C server, the victims periodically send data to receivers (i.e. drop-zones). The collected data are then relayed back to the bot master through the stepping-stones.
A major difficulty in analyzing botnet attack traffic is that communication between bots and C&C servers is usually encrypted, so the encryption keys must be identified first; moreover, attackers usually hide behind stepping-stones such as Web proxies, VPNs and SSH tunnels.
For example, the Zeus bot uses the RC4 encryption scheme, in which the key string is transformed into a 256-byte S array. It is this S array that resides in memory to encrypt plaintexts and decrypt ciphertexts. The key identification scheme therefore looks for an S array in the memory image. RC4 uses key strings of varying length to generate a permutation of the 256 byte values, denoted the S array; this array constitutes the effective RC4 key for encrypting and decrypting the traffic.
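The following added example (not code from the paper) shows the S-array search just described: RC4's key scheduling expands a key string into a 256-byte permutation, so a forensic scanner can locate candidate keys in a memory image by looking for 256-byte windows that are permutations of 0..255 and then run RC4's output stage over each candidate. The key, plaintext and surrounding memory bytes are constructed sample data.

```python
"""Locate RC4 S arrays in a memory image and use them to decrypt traffic."""


def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling algorithm: key string -> 256-byte S permutation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_prga(s: list[int], data: bytes) -> bytes:
    """Pseudo-random generation: XOR data with the key stream from S."""
    s = s[:]  # work on a copy so the recovered array is left intact
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def find_s_arrays(image: bytes) -> list[int]:
    """Offsets of every 256-byte window that is a permutation of 0..255.

    256 distinct byte values in a 256-byte window can only be the full
    set 0..255, so a set-size check is sufficient.
    """
    return [off for off in range(len(image) - 255)
            if len(set(image[off:off + 256])) == 256]


def recover_plaintexts(image: bytes, ciphertext: bytes) -> dict[int, bytes]:
    """Treat each candidate S array as the cipher state and decrypt."""
    return {off: rc4_prga(list(image[off:off + 256]), ciphertext)
            for off in find_s_arrays(image)}


# Constructed sample data: a key, a bot report, and a fake memory dump
# holding the KSA output at offset 300 between runs of zero bytes.
KEY = b"constructed-sample-key"
PLAINTEXT = b"bot id=zombie-17; host=victim.example; data=..."
CIPHERTEXT = rc4_prga(rc4_ksa(KEY), PLAINTEXT)
IMAGE = b"\x00" * 300 + bytes(rc4_ksa(KEY)) + b"\x00" * 300

if __name__ == "__main__":
    for off, text in recover_plaintexts(IMAGE, CIPHERTEXT).items():
        print(f"candidate S array at offset {off}: {text!r}")
```

In a real dump the S array found is the cipher's current state, not necessarily the fresh KSA output, so the recovered key stream only decrypts data produced from that state onward.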
Therefore, in order to catch the bot master, systematic and rigorous analysis of network traffic within the multi-cloud environment is required. This work is therefore mainly focused on designing a systematic network traffic analyzer that finds the exact origin of the attack and removes it from the cloud.