Botnets Assignment

Read "Your Botnet is My Botnet: Analysis of a Botnet Takeover (PDF)" by Stone-Gross, et al. (ACM CCS 2009). You can skim sections 5.2.1–5.2.3.

  • Section 2 explains how Torpig infects a user's machine. After reading this section, you should understand how that happens: how the rootkit gets installed and why its installation remains undetected.
  • Section 3 explains the technique (domain flux) by which Torpig bots locate and communicate with the C&C (command and control) server: each bot periodically computes a fresh list of candidate C&C domain names from the current date, so there is no single, stable address to block. After reading this section, you should understand why it's difficult to simply block bots from accessing the C&C server.
  • Section 4 explains how the authors were able to take control of the Torpig botnet for about ten days.
  • Sections 5 and 6 give an analysis of the botnet based on the authors' takeover. (Remember you can skim sections 5.2.1–5.2.3)
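The domain-flux scheme described in Section 3, and the kind of takeover it makes possible in Section 4, as an added Python example that is not from the paper and is not Torpig's own algorithm: a simplified domain-generation algorithm derives the day's candidate C&C domains from a shared seed and the date, a bot walks the list until one name resolves, and two defender strategies are simulated against it. The seed, label length, TLD set, hashing step, and the in-memory dictionary that stands in for DNS are all assumptions chosen for illustration.

```python
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed example of "domain flux": a deterministic domain-generation
# algorithm shared by every bot and the botmaster. Not Torpig's algorithm.
TLDS = ("com", "net", "biz")                 # assumed TLD set
SEED = "example-botnet-seed"                 # assumed secret baked into the bot
EXAMPLE_DAY = date(2009, 1, 25)              # arbitrary constructed start date


def candidate_domains(day: date, seed: str = SEED, count: int = 3) -> List[str]:
    """Ordered list of candidate C&C domains for one calendar day.

    All bots run the same computation, so bots and botmaster agree on the
    list without any central configuration or hard-coded address.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).digest()
        # map 10 digest bytes onto lowercase letters to form a DNS label
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names


def rendezvous(day: date, registered: Dict[str, str]) -> Optional[str]:
    """Bot-side lookup: try candidates in order, stop at the first that resolves.

    `registered` maps domain -> owner and stands in for DNS registration.
    Returns the owner the bot ends up talking to, or None if nothing resolves.
    """
    for name in candidate_domains(day):
        if name in registered:
            return registered[name]
    return None


def blocklist_defence(start: date = EXAMPLE_DAY, days: int = 3) -> Dict[int, Optional[str]]:
    """Defender blocklists the C&C domain observed on day 0.

    The botmaster registers each day's first candidate. Result is keyed by day
    offset: blocking day 0's domain stops day 0 only; later days still resolve.
    """
    registered = {}
    for offset in range(days):
        registered[candidate_domains(start + timedelta(days=offset))[0]] = "botmaster"
    blocked = {candidate_domains(start)[0]}
    visible = {k: v for k, v in registered.items() if k not in blocked}
    return {offset: rendezvous(start + timedelta(days=offset), visible)
            for offset in range(days)}


def sinkhole_takeover(start: date = EXAMPLE_DAY) -> Dict[int, Optional[str]]:
    """Defender who has reverse-engineered the algorithm registers tomorrow's
    candidates before the botmaster does; bots then contact the sinkhole.

    Day 0 still belongs to the botmaster; on day 1 the botmaster's attempt to
    register the first candidate fails because the name is already taken.
    """
    today, tomorrow = start, start + timedelta(days=1)
    registered = {candidate_domains(today)[0]: "botmaster"}
    for name in candidate_domains(tomorrow):
        registered.setdefault(name, "sinkhole")
    registered.setdefault(candidate_domains(tomorrow)[0], "botmaster")  # too late
    return {0: rendezvous(today, registered), 1: rendezvous(tomorrow, registered)}


if __name__ == "__main__":
    print("candidates for day 0:", candidate_domains(EXAMPLE_DAY))
    print("blocklist defence, by day offset:", blocklist_defence())
    print("sinkhole takeover, by day offset:", sinkhole_takeover())
```

The first simulation shows why a blocklist is a losing race: the bot never depends on yesterday's name. The second shows the precondition for a takeover of this kind: the defender must know the algorithm (and the seed) and must win the registration race for future names; a botnet that authenticates its C&C server, or that the botmaster can re-seed quickly, closes that window.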

As you read, think about

  • Which security mechanisms and threat-model assumptions does Torpig violate?
  • What were the key factors that allowed the authors to infiltrate the Torpig botnet? Would their techniques work for all botnets?
  • Was the authors' methodology—taking over the botnet—necessary to collect the data they wanted? Was it ethical?

Questions for Recitation

Before you come to this recitation, write up (on paper) a brief answer to the following (really—we don't need more than a couple sentences for each question).  

Your answers to these questions should be in your own words, not direct quotations from the paper.

  • What does it mean for a computer to be a "bot"?
  • In Torpig, how does a machine become a bot, and how does it receive instructions to carry out attacks?
  • Why is it difficult to prevent a machine from becoming a bot? Why is it difficult to simply block bots from accessing the C&C server?

As always, there are multiple answers to each of these questions.