Title :
Benchmarking IP blacklists for financial botnet detection
Author :
Oro, David ; Luna, Jesus ; Felguera, Toni ; Vilanova, Marc ; Serna, Jetzabel
Author_Institution :
eSecurity Res. Group, Barcelona Digital Technol. Centre, Barcelona, Spain
Abstract :
Every day, hundreds or even thousands of computers are infected with financial malware (e.g. Zeus) that forces them to become zombies or drones, capable of joining massive financial botnets that can be hired by well-organized cyber-criminals in order to steal online banking customers' credentials. Despite the fact that detection and mitigation mechanisms for spam and DDoS-related botnets have been widely researched and developed, the passive nature (i.e. low network traffic, fewer connections) of financial botnets greatly hinders their countermeasures. Therefore, cyber-criminals are still obtaining high economic profits at relatively low risk with financial botnets. In this paper we propose the use of publicly available IP blacklists to detect both drones and Command & Control nodes that are part of financial botnets. To prove this hypothesis we have developed a formal framework capable of evaluating the quality of a blacklist by comparing it against a baseline and taking into account different metrics. The contributed framework has been tested with approximately 500 million IP addresses, retrieved during a one-month period from seven different well-known blacklist providers. Our experimental results showed that these IP blacklists are able to detect both drones and C&C nodes related to the Zeus botnet and, more importantly, that it is possible to assign different quality scores to each blacklist based on our metrics. Finally, we introduce the basics of a high-performance IP reputation system that uses the previously obtained blacklists' quality scores in order to reply almost in real time whether a certain IP is a member of a financial botnet or not. Our belief is that such a system can be easily integrated into e-banking anti-fraud systems.
Keywords :
bank data processing; fraud; invasive software; anti fraud system; drone detection; electronic banking; financial botnet detection; financial malware; online banking; Banking; Bismuth; IP networks; Malware; Measurement; Random access memory; Real time systems; IP reputation; blacklists; botnets; security framework;
Conference_Titel :
Information Assurance and Security (IAS), 2010 Sixth International Conference on
Conference_Location :
Atlanta, GA
Print_ISBN :
978-1-4244-7407-3
DOI :
10.1109/ISIAS.2010.5604040