1. Botnet analysis
Despite the recent unprecedented growth of botnets, the research community is still struggling to answer basic questions about their nature. Specifically, the following questions remain open:
1. Who creates and controls botnets, and why? Historically, three primary motivations have been considered in the literature: social, political or financial. However, a number of recent studies have shown an increasing shift toward financial profit as the main driving force. Where "script kiddies" were traditionally motivated by the desire to become skilled hackers, their interests have now shifted toward more materialistic goals. This economic trend is also considered one of the primary motives behind the substantial growth of botnet activity. However, very little is known about the specifics of the people behind the botnets. A number of studies have emphasized the existence of a link between an attacker's motivations, their characteristics, and their behavioral patterns (e.g., hacking habits, names used, traces left, malware preferred). As such, a comprehensive picture of botmasters and their malicious behavior is essential for a detailed understanding of the botnet phenomenon.
2. How to detect new forms of botnets? A conventional botnet usually has a centralized C&C structure based on the IRC or HTTP network protocols. The majority of existing approaches to IRC- or HTTP-based botnet detection rely on bot binaries or botnet signatures, often generated through analysis of the applications' network traffic. However, one of the primary challenges here is the accurate classification of network traffic into specific applications. Application classification in the existing IRC- or HTTP-based botnet detection approaches relies to a large extent on transport-layer port numbers. Although identifying traffic by port number was effective in the early days of the Internet, it provides very limited information nowadays.
3. How to ensure the complete destruction of a botnet? Current approaches to botnet mitigation focus primarily on defensive techniques such as filtering network traffic, improving anti-virus and anti-spam software, etc. Since these techniques combat the attacks rather than their source, they generally leave the botnet intact and free to proceed to the next victim. Recent studies of more advanced approaches to disrupting botnet communication, although primarily aimed at understanding botnet structure, do allow some bots to be dismantled. At the same time, they do not guarantee the disruption of the whole botnet. After all, what does it mean to destroy a botnet? Is it sufficient to disrupt the communication channels, or to identify and clean the bots? Will the defeat of the botmaster ensure that the botnet will never be used again? Research in this area is only taking its first steps, highlighting what remains to be done.
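To make the port-versus-content point concrete, here is an added illustration (not code from the Honeynet project or the original page): port-based labelling of a few constructed flow records beside a simple payload-signature check that recognises IRC registration commands and an HTTP request line. The flows, port map and signatures are all assumptions made for the example.

```python
# Added illustration: why port-based application classification misses
# IRC-based C&C traffic, and how a payload-signature check recovers it.
# All flow records below are constructed for this example.
import re

# Constructed sample flows: (destination port, first client payload bytes).
FLOWS = [
    (6667, b"NICK bot1234\r\nUSER bot 0 * :bot\r\nJOIN #chan\r\n"),  # IRC on its usual port
    (80,   b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),     # plain HTTP
    (8080, b"NICK zx9\r\nUSER a 0 * :a\r\nJOIN #cc\r\n"),            # IRC on a non-standard port
    (6667, b"GET /index.html HTTP/1.0\r\n\r\n"),                     # HTTP on the IRC port
    (443,  b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),         # TLS ClientHello, opaque
]

# Assumed port-to-application table, as a port-based classifier would use.
PORT_MAP = {80: "http", 8080: "http", 443: "https", 6667: "irc"}

# Protocol signatures: IRC registration/join commands; an HTTP request line;
# a TLS record header (which only tells us the content is encrypted).
IRC_RE = re.compile(rb"^(NICK|USER|JOIN|PASS) ", re.M)
HTTP_RE = re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")


def classify_by_port(port, payload):
    """Label a flow purely from its transport-layer port."""
    return PORT_MAP.get(port, "unknown")


def classify_by_payload(port, payload):
    """Label a flow from protocol signatures in its first bytes, ignoring port."""
    if HTTP_RE.match(payload):
        return "http"
    if IRC_RE.search(payload):
        return "irc"
    if payload[:2] == b"\x16\x03":
        return "tls"
    return "unknown"


def compare(flows):
    """Return (port_label, payload_label) per flow so disagreements stand out."""
    return [(classify_by_port(p, d), classify_by_payload(p, d)) for p, d in flows]


if __name__ == "__main__":
    for (port, _), (by_port, by_payload) in zip(FLOWS, compare(FLOWS)):
        flag = "" if by_port == by_payload else "  <-- port label misleading"
        print(f"port {port:>5}: by port={by_port:<8} by payload={by_payload:<8}{flag}")
```

The third and fourth flows show the two failure directions of port-based labelling: C&C chatter on an unexpected port is missed, and benign traffic on the IRC port is a false positive. The TLS flow shows the limit of payload signatures, which identify only the encryption layer.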
While these three questions outline our current research focus, our interests in each area are much broader and include general attacker analysis and effective intrusion detection techniques and countermeasures.
2. Malware analysis
The Ontario nodes of the Canadian Honeynet Chapter are currently working on analyzing malware found on websites in the Canadian domain. There are billions of web pages we could visit, and we visit hundreds of them every day, but do we really know how dangerous our trips across the Internet are?
This research will allow us to better understand malicious content, find solutions for automated website analysis, and create better defense tools. For our initial tests we decided to build a system based on the Monkey-Spider honey client architecture. However, we intend to expand and enhance its functionality over time.
Our primary objective is to focus on analyzing the .CA domain space, and in particular to:
* Gather statistics about the distribution of malicious domains
* Gather statistics about malware types
* Gather statistics about phishing sites
* Gather statistics about typosquatted domain names
* Develop new tools for automated website analysis using a honey client methodology