An obvious way to learn several
aspects of a botnet's activity is to infiltrate the botnet by joining
the command and control channel. Botnet infiltration provides valuable
information about several malicious activities such as DDoS attacks as
shown earlier by Freiling et al. [7]. In our earlier
work [14], we used botnet infiltration to provide in-depth
analysis of several facets of botnets, including inferring their
membership by directly counting the bots observed on individual
command and control channels. To achieve this, we developed a
lightweight IRC tracker (see [14] for details). In a
nutshell, the tracker intelligently mimics the behavior of actual bots
and joins a number of botnets, all the while recording any information
observed on the command and control channel. This information may
include the identities of all active bots. In this case, the botnet's
footprint is simply the total number of unique identities observed on
the channel over the entire tracking period. Similarly, the botnet's
live population is measured by counting the number of bots
simultaneously present on the channel at a particular time. In some
cases, this estimate can also be derived from the IRC server's welcome
message.
Despite its simplicity, this technique suffers from a number of
limitations. First, botmasters may suppress bot identities from being
transmitted to the channel and in doing so render this technique
useless. Second, even when this information is available, counting can
lead to different estimates depending on whether we count the fully
qualified unique user IDs or the IP addresses, be they cloaked or
plain. As we show later, temporal population variations due to bot
cloning and temporary migration of bots complicate this issue even
further. What this means is that it is difficult to provide an
accurate bot count in these cases, as distinguishing between actual
bots and temporary clones or migrants is nontrivial.
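The footprint and live-population measures defined above, and the dependence of the count on whether nicks or hosts are used as identities, as an added example that is not the paper's tracker code: it replays constructed IRC membership events (JOIN/PART/QUIT with hypothetical nicks and hosts) from a channel log and counts both ways.

```python
import re

# Constructed sample of raw IRC lines as a channel tracker would record them
# (hypothetical channel, nicks and hosts; not data from the paper).
SAMPLE_LOG = """\
:bot1!u@1.2.3.4 JOIN :#c2
:bot2!u@5.6.7.8 JOIN :#c2
:bot3!u@5.6.7.8 JOIN :#c2
:bot1!u@1.2.3.4 PART #c2 :leaving
:bot4!u@cloak-abcd.example JOIN :#c2
:bot2!u@5.6.7.8 QUIT :Ping timeout
"""

# Matches the nick!user@host prefix of membership-changing commands only.
PREFIX_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+)\s+(?P<cmd>JOIN|PART|QUIT)\b")

def parse_events(log):
    """Yield (nick, host, command) for each JOIN/PART/QUIT line; ignore the rest."""
    for line in log.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            yield m.group("nick"), m.group("host"), m.group("cmd")

def track_channel(log):
    """Replay the log and return footprint counts and the live-population series.

    footprint_by_nick: unique nicks seen over the whole period (clones count separately)
    footprint_by_host: unique hosts seen (clones sharing an IP or cloak collapse to one)
    live_series: nicks present on the channel after each event; peak_live is its maximum
    """
    present = {}  # nick -> host for nicks currently on the channel
    nicks_seen, hosts_seen, live = set(), set(), []
    for nick, host, cmd in parse_events(log):
        if cmd == "JOIN":
            present[nick] = host
            nicks_seen.add(nick)
            hosts_seen.add(host)
        else:  # PART and QUIT both remove the nick from the channel
            present.pop(nick, None)
        live.append(len(present))
    return {
        "footprint_by_nick": len(nicks_seen),
        "footprint_by_host": len(hosts_seen),
        "peak_live": max(live, default=0),
        "live_series": live,
    }

if __name__ == "__main__":
    print(track_channel(SAMPLE_LOG))
```

In the sample, bot3 shares a host with bot2, so the nick-based footprint is 4 while the host-based footprint is 3; the two estimates diverge exactly where cloning or NAT is present.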
Fabian Monrose
2007-04-03