1. Field of the Invention
The present invention relates generally to computer security, and more particularly but not exclusively to techniques for combating botnets.
2. Description of the Background Art
E-mail provides a convenient, fast, and relatively cost-effective way of sending messages to a large number of recipients. It is thus no wonder that solicitors, such as spammers, use e-mail to indiscriminately send messages to e-mail accounts accessible over the Internet. These unsolicited e-mails, also referred to as “junk mail” or “spam”, are not only a nuisance, but also translate to lost time and money as employees or home users are forced to segregate them from legitimate e-mails.
“Bots” are stealthy, remotely-controllable unauthorized software programs running quietly in user computers. A bot can receive and execute instructions from a remote server computer operated by the bot's originator, which is also referred to as a “bot herder.” A bot may also be pre-programmed to perform a function without additional instructions from a bot herder. A network of bots is called a “botnet.” A bot may be configured to use the infected computer to send spam. Computers can be infected by bots via several different methods, including virus infection, drive-by web downloads, and spyware downloaders that install other software onto a computer. Most users don't even know their computers have been hijacked and have become part of a botnet that sends spam messages.
Cooke et al. (“The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets,” pages 39-44 of the 2005 Proceedings of the SRUTI Workshop (Steps to Reducing Unwanted Traffic on the Internet)) describe three approaches to combating botnets, namely, (1) preventing systems from being infected in the first place, (2) directly detecting botnet command and control traffic, and (3) detecting secondary features of a bot infection such as propagation or attacks. The first and second approaches are ideal if they can be achieved. However, there are many situations where the first and second approaches may not be feasible, such as when the botnet comprises computers outside the control of the person or entity trying to eradicate the botnet. In that case, the third approach may be more feasible. However, effective techniques for selecting secondary features of bot infection and detecting these secondary features are heretofore unrealized.