A Large-Scale Empirical Study of Conficker
2012
IEEE Transactions on Information Forensics and Security
In this paper, we analyze Conficker infections at a large scale, about 25 million victims, and study various interesting aspects about this state-of-the-art malware. ...
We show that neighborhood watch is a surprisingly effective approach in the case of Conficker. ...
Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Office of Naval Research, the National Science ...
doi:10.1109/tifs.2011.2173486
fatcat:obyxvwgpvfexxb73iyvzzfztga
Post-Mortem of a Zombie: Conficker Cleanup After Six Years
2015
USENIX Security Symposium
Much less is known about the effectiveness of large-scale efforts to clean up infected machines. ...
We analyze longitudinal data from the sinkhole of Conficker, one of the largest botnets ever seen, to assess the impact of what has been emerging as a best practice: national anti-botnet initiatives that ...
Acknowledgment The authors would like to explicitly thank Chris Lee, Paul Vixie and Eric Ziegast for providing us with access to the Conficker sinkhole and supporting our research. ...
dblp:conf/uss/AsghariCE15
fatcat:vp4spgjgonfpvbaj3rc6hgbo4u
A Probabilistic Population Study of the Conficker-C Botnet
[chapter]
2010
Lecture Notes in Computer Science
We apply the model to observed data from Conficker-C scans sent over a 51-day period (March 5th through April 24th, 2009) to a large private network. ...
For an observer with access to a proportion δ of monitored IPv4 space, we derive the distribution of the number of times a single infected host is observed scanning the monitored space, based on a study ...
As a result, Conficker-C P2P traffic can be observed with high reliability in the large-scale summary information contained in network flow data, making it a good candidate for behavioral modeling. ...
doi:10.1007/978-3-642-12334-4_19
fatcat:aa2u6z7kufbirktezq7baqfg6u
Cross-Analysis of Botnet Victims: New Insights and Implications
[chapter]
2011
Lecture Notes in Computer Science
In this paper, we analyze a large amount of infection data for three major botnets: Conficker, MegaD, and Srizbi. ...
We provide an in-depth passive and active measurement study to have a fine-grained view of the similarities and differences for the two infection types. ...
Measurement studies of the Type II botnet were also conducted. In [6], Mori et al. performed a large scale empirical study of the Srizbi botnet. ...
doi:10.1007/978-3-642-23644-0_13
fatcat:k3bmr5q65bfllkplaoiubfblpm
Automatic generation of vaccines for malware immunization
2012
Proceedings of the 2012 ACM conference on Computer and communications security - CCS '12
We evaluate AGAMI on a large set of real-world malware samples and successfully extract working vaccines for many families such as Conficker and Zeus. ...
We provide the first systematic study towards this direction and present a prototype system, AGAMI, for automatic generation of vaccines for malware immunization. ...
Interestingly, if we look at the case of pandemic diseases that can infect a large-scale human bodies, an effective and successful defense against known notorious diseases is vaccine. ...
doi:10.1145/2382196.2382317
dblp:conf/ccs/XuZGL12
fatcat:evihnfpd2jas5ot73qtdr45ina
Cylindrical Coordinates Security Visualization for multiple domain command and control botnet detection
2014
Computers & security
Keywords: Graph isomorphism; Visual signature. Abstract: The botnets are one of the most dangerous species of network-based attack. ...
They cause severe network disruptions through massive coordinated attacks nowadays and the results of this disruption frequently cost enterprises large sums in financial losses. ...
Acknowledgments This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MEST) (2012M3A2A1051118, 2012-0005552, 2011-0015187, 2011-0003930, 2010 ...
doi:10.1016/j.cose.2014.07.007
fatcat:eo3o4mazyzgcdoxhac5bl5fo4e
From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware
2012
USENIX Security Symposium
As a response, botmasters have begun employing domain generation algorithms (DGAs) to dynamically produce a large number of random domain names and select a small subset for actual C&C use. ...
We implemented a prototype system and evaluated it on real-world DNS traffic obtained from large ISPs in North America. We report the discovery of twelve DGAs. ...
local network, they do not scale well to the overwhelming volume of traffic typical of large ISP environments. ...
dblp:conf/uss/AntonakakisPNVALD12
fatcat:q66byshhsvfpfd5xxj4a4clix4
Characterizing Internet Worm Infection Structure
[article]
2010
arXiv
pre-print
Finally, we apply our findings to develop bot detection methods and study potential countermeasures for a botnet (e.g., Conficker C) that uses scan-based peer discovery to form a P2P-based botnet. ...
As a result, on average half of infected hosts never compromise any vulnerable host, over 98% of infected hosts have no more than five children, and a small portion of infected hosts have a large number ...
Specifically, we study a simple and efficient bot detection method in a Conficker C like P2P-based botnet and consider a countermeasure by future botnets. ...
arXiv:1001.1195v2
fatcat:vqguuiafzvavjhijcwjol5wdeq
Evaluating the Impact of AbuseHUB on Botnet Mitigation
[article]
2016
arXiv
pre-print
This document presents the final report of a two-year project to evaluate the impact of AbuseHUB, a Dutch clearinghouse for acquiring and processing abuse data on infected machines. ...
The report was commissioned by the Netherlands Ministry of Economic Affairs, a co-funder of the development of AbuseHUB. ...
Although Conficker has managed to replicate very successfully, with around several million active bots at any given moment, it has not been used for any large-scale malicious purposes - or at least no such ...
arXiv:1612.03101v1
fatcat:mfomd2cw45c53lk3edgtg5p2cu
An Internet-Wide View of Internet-Wide Scanning
2014
USENIX Security Symposium
In this work, we analyze data from a large network telescope to study scanning activity from the past year, uncovering large horizontal scan operations and identifying broad patterns in scanning behavior ...
While it is widely known that port scanning is widespread, neither the scanning landscape nor the defensive reactions of network operators have been measured at Internet scale. ...
The authors thank Michael Kallitsis and Manish Karir of Merit Network for helping facilitate our darknet analysis. ...
dblp:conf/uss/DurumericBH14
fatcat:xadw5ahzdnes3njosd4thksfvy
Towards a taxonomy of darknet traffic
2014
2014 International Wireless Communications and Mobile Computing Conference (IWCMC)
We thus propose a simple but effective taxonomy of darknet traffic, on the basis of observations, and evaluate it on real darknet traces covering six years. ...
Our interest lies, however, in how darknets have evolved since those works and the effectiveness of a darknet taxonomy for real long-range traffic. ...
Darknet traffic can be used to track such security-related activities on a global scale. ...
doi:10.1109/iwcmc.2014.6906329
dblp:conf/iwcmc/LiuF14
fatcat:7g52jpaovrf5dioiomaw6nofdq
Analysis of Country-Wide Internet Outages Caused by Censorship
2014
IEEE/ACM Transactions on Networking
Our analysis relies on multiple sources of large-scale data already available to academic researchers: BGP interdomain routing control plane data; unsolicited data plane traffic to unassigned address space ...
We were also able to observe surprisingly noticeable effects of such large scale censorship on ongoing global measurement activities, suggesting how similar events could be detected and/or documented in ...
Antonio Pescapé has been partially supported by LINCE project of the FARO programme jointly financed by the Compagnia di San Paolo and by the Polo delle Scienze e delle Tecnologie of the University of ...
doi:10.1109/tnet.2013.2291244
fatcat:4oup7izelfbadf6jzj627rtblu
Analysis of country-wide internet outages caused by censorship
2011
Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference - IMC '11
Our analysis relies on multiple sources of large-scale data already available to academic researchers: BGP interdomain routing control plane data; unsolicited data plane traffic to unassigned address space ...
We were also able to observe surprisingly noticeable effects of such large scale censorship on ongoing global measurement activities, suggesting how similar events could be detected and/or documented in ...
Antonio Pescapé has been partially supported by LINCE project of the FARO programme jointly financed by the Compagnia di San Paolo and by the Polo delle Scienze e delle Tecnologie of the University of ...
doi:10.1145/2068816.2068818
dblp:conf/imc/DainottiSACCRP11
fatcat:parw7gleg5dvthxdbwflspve5a
When will my PLC support Mirai? The security economics of large-scale attacks against Internet-connected ICS devices
2020
2020 APWG Symposium on Electronic Crime Research (eCrime)
We use a series of case studies to develop a security economics model for large-scale attacks against Internet-connected populations in general, and use it to explain both the current lack of interest ...
We investigate the missing attacks against ICS, focusing on large-scale attacks enabled by Internet-connected populations. ...
We developed the model by studying successful, large-scale attacks and empirically verified it using our end-to-end study of the Internet-connected ICS threat landscape. ...
doi:10.1109/ecrime51433.2020.9493257
fatcat:fm7igixwwbf7db663miuvbdhba
An Evaluation of Darknet Traffic Taxonomy
2018
Journal of Information Processing
Our interest lies, however, in how darknet traffic has evolved and the effectiveness of a darknet traffic taxonomy for longitudinal data. ...
To enhance Internet security, researchers have largely emphasized diverse cyberspace monitoring approaches to observe cyber attacks and anomalies. ...
Later a careful inspection of packet payloads of suspicious ipSrcs helps identify Conficker according to Ref. [13]. ...
doi:10.2197/ipsjjip.26.148
fatcat:a2iqsmnzljghrantze5wunayq4