
Botnets: The Anatomy of a Case




Journal of Information System Security
Volume 1, Number 3 (2005)
Pages 45-60
ISSN 1551-0123
Sanjay Goel — University at Albany, USA
Adnan Baykal — University at Albany, USA
Damira Pon — University at Albany, USA
Information Institute Publishing, Washington DC, USA




Botnets have become the dominant mechanism for launching distributed denial-of-service attacks on computer networks. In a recent incident, the computer network of an organization was attacked and disabled. This attack was initially identified by intrusion detection devices and verified by an onsite review of activity, an audit of the log files, and subsequent detailed forensic analysis of the data, which revealed a botnet. The botnet was initiated via a worm infection, after which the infected machines attempted to join a bot network. The case presents a forensic analysis of the incident and provides the anatomy of the worm that was used to perform the attack. The paper also presents detection techniques for identifying botnets and disabling them in order to protect the network infrastructure.




Botnets, Bots, Zombie Computers, IRC, Distributed Denial-of-Service, Computer Forensics



