• DocumentCode
    1676262
  • Title

    CRESTBOT: A New Family of Resilient Botnets

  • Author

    Ha, Duc T. ; Ngo, Hung Q. ; Chandrasekaran, Madhusudhanan

  • Author_Institution
    Dept. of Comput. Sci. & Eng., State Univ. of New York at Buffalo, Amherst, NY
  • fYear
    2008
  • Firstpage
    1
  • Lastpage
    6
  • Abstract
    We show that it is possible to design botnet structures called CRESTBOT based on extractor graphs which are highly resilient to command-and-control (C&C) take-downs, yet do not require significant changes to existing botnet designs and codes, and do not suffer from the implementation complexity of P2P-based and hybrid structures. The UDP family of CRESTBOT is shown to be able to send commands from the botmaster much faster than traditional botnets. Our analyses are validated by extensive experiments on Emulab. Our results prove that current C&C-takedown solutions are ineffective against well-designed botnets such as our CRESTBOT. Secondly, short UDP commands can be as reliable as TCP commands with much less time consumption. Third, extremely fast command issuing is possible, which at first glance might seem beneficial to the attacker; however, it might also be of use for the "good guys" when certain race conditions are desired such as software patching or quick bot takedowns.
  • Keywords
    command and control systems; graph theory; military communication; peer-to-peer computing; CRESTBOT; P2P-based structures; TCP commands; botnet structures; command-and-control-takedown solutions; extractor graphs; Broadcasting; Computer crime; Computer science; Design engineering; Internet; National security; Peer to peer computing; Protocols; Redundancy; Relays;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Global Telecommunications Conference, 2008. IEEE GLOBECOM 2008. IEEE
  • Conference_Location
    New Orleans, LO
  • ISSN
    1930-529X
  • Print_ISBN
    978-1-4244-2324-8
  • Type

    conf

  • DOI
    10.1109/GLOCOM.2008.ECP.414
  • Filename
    4698189