Forensic analysis of a botnet system: architecture and capabilities

Almutairi, Sultan
Cusack, Brian
Item type
Degree name
Master of Forensic Information Technology
Journal Title
Journal ISSN
Volume Title
Auckland University of Technology

The botnet is one of the biggest threats to computer machines and systems. The main challenge of the botnet is that this type of malware has developed to avoid detection. Many of the computer users use anti-virus tools that do not detect the botnet existence in the computer system. The botnet infects a computer then connects the computer to the command and control server to join. The botnet runs in the background and communicates with the (C&C) server to receive instruction that typically involves being part of malicious activities performed against other organisations. The malicious activities typically performed without the knowledge of the owner of the computer machine is being part of the malicious activities. The victims of the botnet are usually in the millions of infected hosts.

A secure laboratory environment made this research to be able to examine actions close to a real botnet event. The Dionaea honeypot used to be able to collect the samples of the malware including the botnet samples. Then, the downloaded botnet samples submitted into two external sandbox services to be able to analyse the samples. After that, the samples were analysed by a malware analysis tool to be able to have a clear picture of the botnet malware samples. In addition, the downloaded botnet samples by Dionaea then used to infect the Virtual machine (VM) host in the experiment. Each botnet sample used to infect the host, then, the host formatted to its original status for fresh infects on with other bots downloaded by Dionaea. The focus of this research is to be able to find the possible evidence in the infected host as well as the communication of the host with the C&C server. 

The findings from the laboratory experiment show evidence that related to a botnet event. The research was able to locate the evidence of the existence of the botnet in the infected host in the registry, file system, network and the physical memory of the infected host. The research found that there were a large number of changes, which have performed to the infected host. The research was also able to find that the infected host was communicating with the suspicious C&C server. The infected host connects to the suspicious C&C straightaway after the infection of the bot sample. The infected host by the IRC bot was requesting more than 200 domain names and IP addresses within a short period of the infection of the bot. 

The sniffer tools were able to show the domain names and the IP addresses that have requested by the infected host. The research was able to find the instructions sent to and from the suspicious C&C server. The research was able to find that the instructions of the IRC bot usually sent in a plain text using the TCP protocol. However, the checking of the status of the bot in the infected host performed by using the ICMP checked channel that encrypted.

The research recommendations discuss the cross-border-issues as one of the challenges that stop the international effort to track down the botnet master. The botnet master is difficult to locate due to the complexity of the techniques they use to hide their location. Furthermore, the detection of the botnet needs to be improved as the current detection techniques of a botnet are still evolving. However, this research recommends that in order to shut down the C&C server future work should also consider the destruction of the C&C server. The contribution of this research is on better understanding of the C&C communicating and hence evidence that can be used to disrupt a botnet.
Botnet , Botnet communications , Botnet architecture and capabilities , Botnet analysis , IRC bot
Publisher's version
Rights statement