Detecting A Botnet By Reverse Engineering


Bibliographic Details
Main Authors: Oesman Hendra Kelana, Khabib Mustofa
Format: Article
Language: English
Published: Universitas Gadjah Mada 2013-06-01
Series: IJCCS (Indonesian Journal of Computing and Cybernetics Systems)
Online Access: https://jurnal.ugm.ac.id/ijccs/article/view/2008
Description: Abstract— Botnet malware is a malicious program. A botnet infects computers, called bots, which are then controlled by a botmaster to do various things such as spamming, phishing, keylogging, Distributed Denial of Service (DDoS) and other activities that are generally profitable to the owner of the bot (botmaster) or those who use botnet services. The problem is that many computers have been controlled by botnets without the knowledge of the computer owner. There are many ways to examine botnets, for example by studying the traffic from the botnet network, studying how botnets communicate with each other, studying how each robot receives orders to do something, and so forth. Of the many methods, the most frequently and commonly used is reverse engineering, where researchers study how a botnet works by debugging the botnet. In this study the author tries to understand or research botnets by taking a type of botnet, namely Agobot, using reverse engineering. One of the results of the research is that malware program files in general, and botnets in particular, have a technique to obstruct research that uses reverse engineering. Another result also shows that the botnet Agobot runs on computers by using a Windows service, and by changing the Windows registry so that every time the computer starts, Agobot is always active in the computer's memory.

Keywords— Malware, Bot, Botnet, Botmaster, Agobot, Spam, Distributed Denial of Services, Identity Theft, Computer Security, Reverse Engineering, Debug, Windows Service, the Registry.
Institution: Directory Open Access Journal
ISSN: 1978-1520, 2460-7258