Tumbling Down the Rabbit Hole: Exploring the Idiosyncrasies of Botmaster Systems in a Multi-Tier Botnet Infrastructure

In this study, we advance the understanding of botmaster-owned systems in an advanced botnet, Waledac, through the analysis of file-system and network trace data from the upper-tiers in its architecture. The functionality and existence of these systems has to-date only been postulated as existing knowledge has generally been limited to behavioral observations from hosts infected by bot binaries. We describe our new findings for this botnet relating to botmaster interaction, topological nuances, provided services, and malicious output, providing a more complete view of the botnet infrastructure and insight into the motivations and methods of sophisticated botnet deployment. The exposure of these explicit details of Waledac reveals and clarifies overall trends in the construction of advanced botnets with tiered architectures, both past, such as the Storm botnet which featured a highly similar architecture, and future. Implications of our findings are discussed, addressing how the botnet’s auditing activities, authenticated spam dispersion technique, repacking method, and tier utilization affect remediation and challenge current notions of botnet configuration and behavior.