An Empirical Study of HTTP-based Financial Botnets

IEEE Trans. Dependable Sec. Comput. (2016)

Abstract
Cyber criminals are covertly attacking critical infrastructures, and botnets are a common component of those attacks. In recent years, botnets have been shifting their focus from broad-based attacks to more targeted ones such as attacking financial institutions, especially banks. The primary reason for this shift towards financial institutions is that this is where the money is. We present an empirical study of the components, features and operations of some of the most widely deployed HTTP-based financial botnets (such as Zeus, SpyEye, ICE 1X, Citadel, Carberp, Tinba, Bugat and Shylock). Our study provides critical insights into the design of these botnets and should help the security community to generate intelligence and develop more robust security solutions to defend against cyber attacks by these botnets. In addition, our comparative analysis of insidious techniques pertaining to Command and Control (C&C) communication, system exploitation and data exfiltration also provides an effective and holistic view of the capabilities of HTTP-based financial botnets. This study also highlights the evolution of various HTTP-based financial botnets over a period of time. Finally, we discuss security solutions that can help mitigate some of the techniques used by HTTP-based financial botnets.
Keywords
attack, botnet, finance, malware, protocol, security