Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation

Jan Göbel, Thorsten Holz

USENIX Workshop on Hot Topics in Understanding Botnets (HotBots), Cambridge, MA, April 2007


In this paper, we describe a simple, yet effective method to detect bot-infected machines within a given network that relies on detection of the communication channel between bot and Command & Control server (C&C server). The presented techniques are mainly based on passively monitoring network traffic for unusual or suspicious IRC nicknames, IRC servers, and uncommon server ports. By using n-gram analysis and a scoring system, we are able to detect bots that use uncommon communication channels, which are commonly not detected by classical intrusion detection systems. Upon detection, it is possible to determine the IP address of the C&C server, as well as, the channels a bot joined and the additional parameters which were set. The software Rishi implements the mentioned features and is able to automatically generate warning emails to report infected machines to an administrator. Within the 10 GBit network of RWTH Aachen university, we detected 82 botinfected machines within two weeks, some of them using communication channels not picked up by other intrusion detection systems.


Tags: botnet, detection