Botnet spoofing: fighting botnet with itself

As the arms race between botmasters and defenders becomes increasingly common, the emerging advanced botnets have evolved to be more resilient to traditional mitigation strategies. For security-conscious Internet users, the host-based security software i.e., antivirus and firewall could provide effective protection against the botnet attacks; however, the remaining security-unconscious users will suffer from the botnet attacks and will be compromised easily. Consequently, how to protect both security-conscious and security-unconscious users against advanced botnets without any command and control vulnerability has posed a great challenge to this day. In this paper, we propose the idea of botnet spoofing that aims at addressing the aforementioned challenge to some degree. Botnet spoofing exploits the essential property of a persistent bot that it MUST obtain its file path before subsequent autostart registration or self-propagation to spoof a specific bot and trick the specific bot to propagate BotSpoofer instead of propagating itself, consequently making the victim not only avoid an originally successful attack but also achieve extra protection provided by BotSpoofer. Thus, botnet spoofing is independent of the vulnerability, protocol, and structure of botnet command and control. To prove the feasibility of botnet spoofing, we create a prototype named ConSpoofer-targeting Conficker. The results show that ConSpoofer could be passively delivered to other victims, which are located by Conficker, through Conficker's three propagation methods in an automatic, simple, accurate, and scalable manner. The goal of our work is to provide a new mitigation strategy that will promote the development of more efficient countermeasures against advanced botnets. Copyright © 2013 John Wiley & Sons, Ltd.