The Dorothy project : an open botnet analysis framework for automatic tracking and activity visualization

Botnets, networks of compromised machines remotely controlled and instructed to work in a coordinated fashion, have had an epidemic diffusion over the Internet and represent one of today's most insidious threat. In this paper, we present an open framework called Dorothy that permits to monitor the activity of a botnet. We propose to characterize a botnet behavior through a set of parameters and a graphical representation. In a case study, we infiltrated and monitored a botnet named siwa collecting information about its functional structure, geographical distribution, communication mechanisms, command language and operations

A First Step Towards Characterizing Stealthy Botnets

Botnets have become a top cyber threat. Existing studies on botnets have mainly focused on showing how to exploit certain characteristics of existing botnets to detect them. However, such detection mechanisms could be defeated by stealthy botnets that are designed to evade them. Therefore, it is important to understand the power of stealthy botnets so as to answer questions such as: What kinds of stealth techniques can survive what kinds of detection mechanisms? Towards the ultimate goal, this paper makes a first step with the aim to build fundamental understandings of stealthy botnet Command and Control (C&C)