Field of the Invention
The present invention relates generally to network security and more particularly to detecting command and control communication channels of a bot.
Background Art
Presently, malicious software (i.e., malware) can attack various devices via a network. For example, malware may include any program or file that is harmful to a computer user, such as bots, computer viruses, worms, Trojan horses, spyware, or any programming that gathers information about a computer user or otherwise operates without permission. Various processes and devices have been employed to prevent the problems that malware can cause.
For example, computers often include antivirus scanning software that scans a particular client device for viruses. The scanning may be performed based on a schedule specified by a user associated with the particular computer, a system administrator, and so forth. Unfortunately, by the time a virus is detected by the scanning software, some damage on the particular computer may have already occurred.
Another option for preventing malware is a honey pot. A honey pot is a computer system on the Internet that is expressly set up to attract and “trap” an illicit user that attempts to penetrate another's computer system. The illicit user can include a hacker, a cracker, or a script kiddy, for example. The honey pot records the activities associated with the invasion of the computer system. Disadvantageously, as the honey pot is being invaded, so too are other users' computer systems on the same network. Thus, other users' computer systems may be harmed while the honey pot determines the nature of the malware invading the honey pot's own computer system.
In some instances, malware comprises a bot. A bot is a software robot configured to remotely control all or a portion of a digital device (e.g., a computer) without authorization by the digital device's user. Bot related activities include bot propagation and attacking other computers on a network. Bots commonly propagate by scanning nodes (e.g., computers or other digital devices) available on a network to search for a vulnerable target. When a vulnerable computer is scanned, the bot may install a copy of itself. Once installed, the new bot may continue to seek other computers on a network to infect.
A bot may also, without the authority of the infected computer user, establish a command and control communication channel to receive instructions. Bots may receive command and control communication from a centralized bot server or another infected computer (e.g., via a peer-to-peer (P2P) network established by a bot on the infected computer).
The bot may receive instructions to perform bot related activities. When a plurality of bots (i.e., a botnet) act together, the infected computers (i.e., zombies) can perform organized attacks against one or more computers on a network. In one example, bot infected computers may be directed to ping another computer on a network in a denial-of-service attack. In another example, upon receiving instructions, one or more bots may direct the infected computer to transmit spam across a network.
A bot may also receive instructions to transmit information regarding the infected host computer. In one example, the bot may be instructed to act as a keylogger and record keystrokes on the infected host computer. The bot may also be instructed to search for personal information and email addresses of other users contained in an email or contacts file. This information may be transmitted to one or more other infected computers or a user in command of the bot or botnet.