Post-mortem of a zombie: Conficker cleanup after six years

From Botnets.fr
Revision as of 12:49, 25 August 2015 by Eric.freyssinet (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

(Publication) Google search: [1]

Post-mortem of a zombie: Conficker cleanup after six years
Botnet Conficker
Malware
Botnet/malware group
Exploit kits
Services
Feature
Distribution vector
Target
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol
Date 2015 / 2015-08-12
Editor/Conference 24th USENIX Security Symposium
Link https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-asghari.pdf (Archive copy)
Author Hadi Asghari, Michael Ciere, Michel J.G. van Eeten
Type Conference paper or presentation

Abstract

Research on botnet mitigation has focused predominantly on methods to technically disrupt the commandand-control infrastructure. Much less is known about the effectiveness of large-scale efforts to clean up infected machines. We analyze longitudinal data from the sinkhole of Conficker, one the largest botnets ever seen, to assess the impact of what has been emerging as a best practice: national anti-botnet initiatives that support largescale cleanup of end user machines. It has been six years since the Conficker botnet was sinkholed. The attackers have abandoned it. Still, nearly a million machines remain infected. Conficker provides us with a unique opportunity to estimate cleanup rates, because there are relatively few interfering factors at work. This paper is the

first to propose a systematic approach to transform noisy sinkhole data into comparative infection metrics and normalized estimates of cleanup rates. We compare the growth, peak, and decay of Conficker across countries.

We find that institutional differences, such as ICT development or unlicensed software use, explain much of the variance, while the national anti-botnet centers have had no visible impact. Cleanup seems even slower than the replacement of machines running Windows XP. In general, the infected users appear outside the reach of current remediation practices. Some ISPs may have judged the neutralized botnet an insufficient threat to merit remediation. These machines can however be magnets for other threats — we find an overlap between GameoverZeus and Conficker infections. We conclude by reflecting on what this means for the future of botnet mitigation.

Bibtex

 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2015BFR4758,
   editor = {24th USENIX Security Symposium},
   author = {Hadi Asghari, Michael Ciere, Michel J.G. van Eeten},
   title = {Post-mortem of a zombie: Conficker cleanup after six years},
   date = {12},
   month = Aug,
   year = {2015},
   howpublished = {\url{https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-asghari.pdf}},
 }