DocumentCode
2415865
Title
A framework for financial botnet analysis
Author
Riccardi, Marco ; Oro, David ; Luna, Jesus ; Cremonini, Marco ; Vilanova, Marc
Author_Institution
eSecurity Res. Group, Barcelona Digital Technol. Centre, Barcelona, Spain
fYear
2010
fDate
18-20 Oct. 2010
Firstpage
1
Lastpage
7
Abstract
Financial botnets, those specifically aimed at carrying out financial fraud, represent a well-known threat for banking institutions all around the globe. Unfortunately, these malicious networks are responsible for huge economic losses or for conducting money laundering operations. Contrary to DDoS and spam malware, the stealthy nature of financial botnets requires new techniques and novel research in order to detect, analyze and even to take them down. This paper presents a work-in-progress research aimed at creating a system able to mitigate the financial botnet problem. The proposed system is based on a novel architecture that has been validated by one of the biggest savings banks in Spain. Based on previous experiences with two of the proposed architecture building blocks (the Dorothy framework and a blacklist-based IP reputation system), we show that it is feasible to map financial botnet networks and to provide a non-deterministic score to its associated zombies. The proposed architecture also promotes intelligence information sharing with involved parties such as law enforcement authorities, ISPs and financial institutions. Our belief is that these functionalities will prove very useful to fight financial cybercrime.
Keywords
bank data processing; computer crime; computer forensics; fraud; invasive software; peer-to-peer computing; Dorothy; IP reputation system; Spain; banking institutions; economic losses; financial botnet analysis; financial fraud; financial institutions; information sharing; malicious networks; money laundering operations; savings banks; work-in-progress research; Banking; Bismuth; Color; Green products; Malware; Shape; Visualization; botnets; e-crime forensics framework; honeypots;
fLanguage
English
Publisher
ieee
Conference_Titel
eCrime Researchers Summit (eCrime), 2010
Conference_Location
Dallas, TX
ISSN
2159-1237
Print_ISBN
978-1-4244-7760-9
Type
conf
DOI
10.1109/ecrime.2010.5706697
Filename
5706697