{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,7]],"date-time":"2026-02-07T16:40:55Z","timestamp":1770482455032,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":47,"publisher":"ACM","license":[{"start":{"date-parts":[[2009,11,9]],"date-time":"2009-11-09T00:00:00Z","timestamp":1257724800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2009,11,9]]},"DOI":"10.1145\/1653662.1653738","type":"proceedings-article","created":{"date-parts":[[2009,11,11]],"date-time":"2009-11-11T13:02:08Z","timestamp":1257944528000},"page":"635-647","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":349,"title":["Your botnet is my botnet"],"prefix":"10.1145","author":[{"given":"Brett","family":"Stone-Gross","sequence":"first","affiliation":[{"name":"University of California, Santa Barbara, Santa Barbara, CA, USA"}]},{"given":"Marco","family":"Cova","sequence":"additional","affiliation":[{"name":"University of California, Santa Barbara, Santa Barbara, CA, USA"}]},{"given":"Lorenzo","family":"Cavallaro","sequence":"additional","affiliation":[{"name":"University of California, Santa Barbara, Santa Barbara, CA, USA"}]},{"given":"Bob","family":"Gilbert","sequence":"additional","affiliation":[{"name":"University of California, Santa Barbara, Santa Barbara, CA, USA"}]},{"given":"Martin","family":"Szydlowski","sequence":"additional","affiliation":[{"name":"University of California, Santa Barbara, Santa Barbara, CA, USA"}]},{"given":"Richard","family":"Kemmerer","sequence":"additional","affiliation":[{"name":"University of California, Santa Barbara, Santa Barbara, CA, USA"}]},{"given":"Christopher","family":"Kruegel","sequence":"additional","affiliation":[{"name":"University of California, Santa Barbara, Santa Barbara, CA, USA"}]},{"given":"Giovanni","family":"Vigna","sequence":"additional","affiliation":[{"name":"University of California, Santa Barbara, Santa Barbara, CA, USA"}]}],"member":"320","published-online":{"date-parts":[[2009,11,9]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"P. Amini. Kraken Botnet Infiltration. http:\/\/dvlabs.tippingpoint.com\/blog\/ 2008\/04\/28\/kraken-botnet-infiltration 2008.  P. Amini. Kraken Botnet Infiltration. http:\/\/dvlabs.tippingpoint.com\/blog\/ 2008\/04\/28\/kraken-botnet-infiltration 2008."},{"key":"e_1_3_2_1_2_1","unstructured":"S. Burnette. Notice of Termination of ICANN Registrar Accreditation Agreement. http:\/\/www.icann.org\/correspondence\/burnette-to-tsastsin-28oct08-en.pdf 2008.  S. Burnette. Notice of Termination of ICANN Registrar Accreditation Agreement. http:\/\/www.icann.org\/correspondence\/burnette-to-tsastsin-28oct08-en.pdf 2008."},{"key":"e_1_3_2_1_3_1","volume-title":"Conducting Cybersecurity Research Legally and Ethically. In USENIX Workshop on Large-Scale Exploits and Emergent Threats","author":"Burstein A.","year":"2008","unstructured":"A. Burstein . Conducting Cybersecurity Research Legally and Ethically. In USENIX Workshop on Large-Scale Exploits and Emergent Threats , 2008 . A. Burstein. Conducting Cybersecurity Research Legally and Ethically. In USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2008."},{"key":"e_1_3_2_1_4_1","volume-title":"Usenix Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI)","author":"Cooke E.","year":"2006","unstructured":"E. Cooke , F. Jahanian , and D. McPherson . The zombie roundup: Understanding, detecting, and disrupting botnets . In Usenix Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI) , 2006 . E. Cooke, F. Jahanian, and D. McPherson. The zombie roundup: Understanding, detecting, and disrupting botnets. In Usenix Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), 2006."},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2007.44"},{"key":"e_1_3_2_1_6_1","volume-title":"Modeling Botnet Propagation Using Time Zones. In Symposium on Network and Distributed System Security","author":"Dagon D.","year":"2006","unstructured":"D. Dagon , C. Zou , and W. Lee . Modeling Botnet Propagation Using Time Zones. In Symposium on Network and Distributed System Security , 2006 . D. Dagon, C. Zou, and W. Lee. Modeling Botnet Propagation Using Time Zones. In Symposium on Network and Distributed System Security, 2006."},{"key":"e_1_3_2_1_7_1","unstructured":"Finjan. How a cybergang operates a network of 1.9 million infected computers. http:\/\/www.finjan.com\/MCRCblog.aspx?EntryId=2237 2009.  Finjan. How a cybergang operates a network of 1.9 million infected computers. http:\/\/www.finjan.com\/MCRCblog.aspx?EntryId=2237 2009."},{"key":"e_1_3_2_1_8_1","unstructured":"J. Fink. FBI Agents Raid Dallas Computer Business. http:\/\/cbs11tv.com\/local\/Core.IP. Networks.2.974706.html 2009.  J. Fink. FBI Agents Raid Dallas Computer Business. http:\/\/cbs11tv.com\/local\/Core.IP. Networks.2.974706.html 2009."},{"key":"e_1_3_2_1_9_1","volume-title":"Virus Bulletin","author":"Florio E.","year":"2008","unstructured":"E. Florio and K. Kasslin . Your computer is now stoned (...again!) . Virus Bulletin , April 2008 . E. Florio and K. Kasslin. Your computer is now stoned (...again!). Virus Bulletin, April 2008."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315292"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1007\/11555827_19"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"crossref","unstructured":"GMER Team. Stealth MBR rootkit. http:\/\/www2.gmer.net\/mbr\/ 2008.  GMER Team. Stealth MBR rootkit. http:\/\/www2.gmer.net\/mbr\/ 2008.","DOI":"10.1016\/S0958-2118(08)70195-2"},{"key":"e_1_3_2_1_13_1","unstructured":"D. Goodin. Superworm seizes 9m pcs 'stunned' researchers say. http:\/\/www.theregister.co.uk\/2009\/01\/16\/9m_downadup_infections\/ 2009.  D. Goodin. Superworm seizes 9m pcs 'stunned' researchers say. http:\/\/www.theregister.co.uk\/2009\/01\/16\/9m_downadup_infections\/ 2009."},{"key":"e_1_3_2_1_14_1","unstructured":"P. Guehring. Concepts against Man-in-the-Browser Attacks. http:\/\/www2.futureware.at\/svn\/sourcerer\/CAcert\/SecureClient.pdf 2006.  P. Guehring. Concepts against Man-in-the-Browser Attacks. http:\/\/www2.futureware.at\/svn\/sourcerer\/CAcert\/SecureClient.pdf 2006."},{"key":"e_1_3_2_1_15_1","volume-title":"The Commercial Malware Industry. In DEFCON conference","author":"Gutmann P.","year":"2007","unstructured":"P. Gutmann . The Commercial Malware Industry. In DEFCON conference , 2007 . P. Gutmann. The Commercial Malware Industry. In DEFCON conference, 2007."},{"key":"e_1_3_2_1_16_1","volume-title":"Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones. Reihe Informatik TR-2008-006","author":"Holz T.","year":"2008","unstructured":"T. Holz , M. Engelberth , and F. Freiling . Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones. Reihe Informatik TR-2008-006 , University of Mannheim , 2008 . T. Holz, M. Engelberth, and F. Freiling. Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones. Reihe Informatik TR-2008-006, University of Mannheim, 2008."},{"key":"e_1_3_2_1_17_1","volume-title":"Measuring and Detecting Fast-Flux Service Networks. In Symposium on Network and Distributed System Security","author":"Holz T.","year":"2008","unstructured":"T. Holz , C. Gorecki , K. Rieck , and F. Freiling . Measuring and Detecting Fast-Flux Service Networks. In Symposium on Network and Distributed System Security , 2008 . T. Holz, C. Gorecki, K. Rieck, and F. Freiling. Measuring and Detecting Fast-Flux Service Networks. In Symposium on Network and Distributed System Security, 2008."},{"key":"e_1_3_2_1_18_1","volume-title":"Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm. In USENIX Workshop on Large-Scale Exploits and Emergent Threats","author":"Holz T.","year":"2008","unstructured":"T. Holz , M. Steiner , F. Dahl , E. Biersack , and F. Freiling . Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm. In USENIX Workshop on Large-Scale Exploits and Emergent Threats , 2008 . T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling. Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm. In USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2008."},{"key":"e_1_3_2_1_19_1","unstructured":"J. Hruska. Cracking down on Conficker: Kaspersky OpenDNS join forces. http:\/\/arstechnica.com\/business\/news\/2009\/02\/cracking-down-on-confickerkaspersky-opendns-join-forces February 2009.  J. Hruska. Cracking down on Conficker: Kaspersky OpenDNS join forces. http:\/\/arstechnica.com\/business\/news\/2009\/02\/cracking-down-on-confickerkaspersky-opendns-join-forces February 2009."},{"key":"e_1_3_2_1_20_1","volume-title":"http:\/\/www.secureworks. com\/research\/tools\/untorpig\/","author":"Jackson D.","year":"2008","unstructured":"D. Jackson . Untorpig. http:\/\/www.secureworks. com\/research\/tools\/untorpig\/ , 2008 . D. Jackson. Untorpig. http:\/\/www.secureworks. com\/research\/tools\/untorpig\/, 2008."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/1533057.1533064"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455774"},{"key":"e_1_3_2_1_23_1","volume-title":"USENIX Workshop on Large-Scale Exploits and Emergent Threats","author":"Kanich C.","year":"2008","unstructured":"C. Kanich , K. Levchenko , B. Enright , G. Voelker , and S. Savage . The Heisenbot Uncertainty Problem: Challenges in Separating Bots from Chaff . In USENIX Workshop on Large-Scale Exploits and Emergent Threats , 2008 . C. Kanich, K. Levchenko, B. Enright, G. Voelker, and S. Savage. The Heisenbot Uncertainty Problem: Challenges in Separating Bots from Chaff. In USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2008."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.5555\/1323128.1323135"},{"key":"e_1_3_2_1_25_1","unstructured":"P. Kleissner. Analysis of Sinowal. http:\/\/web17.webbpro.de\/index.php?page=analysis-of-sinowal 2008.  P. Kleissner. Analysis of Sinowal. http:\/\/web17.webbpro.de\/index.php?page=analysis-of-sinowal 2008."},{"key":"e_1_3_2_1_26_1","volume-title":"http:\/\/www.theregister.co.uk\/2009\/01\/26\/conficker_botnet\/","author":"Leyden J.","year":"2009","unstructured":"J. Leyden . Conficker botnet growth slows at 10m infections. http:\/\/www.theregister.co.uk\/2009\/01\/26\/conficker_botnet\/ , 2009 . J. Leyden. Conficker botnet growth slows at 10m infections. http:\/\/www.theregister.co.uk\/2009\/01\/26\/conficker_botnet\/, 2009."},{"key":"e_1_3_2_1_27_1","unstructured":"J. Leyden. Conficker zombie botnet drops to 3.5 million. http:\/\/www.theregister.co.uk\/2009\/04\/03\/conficker_zombie_count\/ 2009.  J. Leyden. Conficker zombie botnet drops to 3.5 million. http:\/\/www.theregister.co.uk\/2009\/04\/03\/conficker_zombie_count\/ 2009."},{"key":"e_1_3_2_1_28_1","unstructured":"R. McMillan. Conficker group says worm 4.6 million strong. http:\/\/www.cw.com.hk\/content\/conficker-group-says-worm-46-million-strong 2009.  R. McMillan. Conficker group says worm 4.6 million strong. http:\/\/www.cw.com.hk\/content\/conficker-group-says-worm-46-million-strong 2009."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.5555\/1251327.1251329"},{"key":"e_1_3_2_1_30_1","unstructured":"G. Ollmann. Caution Over Counting Numbers in C&C Portals. http:\/\/blog.damballa.com\/?p=157 2009.  G. Ollmann. Caution Over Counting Numbers in C&C Portals. http:\/\/blog.damballa.com\/?p=157 2009."},{"key":"e_1_3_2_1_31_1","unstructured":"Openwall Project. John the Ripper password cracker. http:\/\/www.openwall.com\/john\/.  Openwall Project. John the Ripper password cracker. http:\/\/www.openwall.com\/john\/."},{"key":"e_1_3_2_1_32_1","volume-title":"USENIX Workshop on Large-Scale Exploits and Emergent Threats","author":"Porras P.","year":"2009","unstructured":"P. Porras , H. Saidi , and V. Yegneswaran . A Foray into Conficker's Logic and Rendezvous Points . In USENIX Workshop on Large-Scale Exploits and Emergent Threats , 2009 . P. Porras, H. Saidi, and V. Yegneswaran. A Foray into Conficker's Logic and Rendezvous Points. In USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2009."},{"key":"e_1_3_2_1_33_1","volume-title":"USENIX Security Symposium","author":"Provos N.","year":"2008","unstructured":"N. Provos and P. Mavrommatis . All Your iFRAMEs Point to Us . In USENIX Security Symposium , 2008 . N. Provos and P. Mavrommatis. All Your iFRAMEs Point to Us. In USENIX Security Symposium, 2008."},{"key":"e_1_3_2_1_34_1","volume-title":"USENIX Workshop on Hot Topics in Understanding Botnet","author":"Rajab M.","year":"2007","unstructured":"M. Rajab , J. Zarfoss , F. Monrose , and A. Terzis . My Botnet is Bigger than Yours (Maybe, Better than Yours): Why Size Estimates Remain Challenging . In USENIX Workshop on Hot Topics in Understanding Botnet , 2007 . M. Rajab, J. Zarfoss, F. Monrose, and A. Terzis. My Botnet is Bigger than Yours (Maybe, Better than Yours): Why Size Estimates Remain Challenging. In USENIX Workshop on Hot Topics in Understanding Botnet, 2007."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/1177080.1177086"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/1159913.1159947"},{"key":"e_1_3_2_1_37_1","volume-title":"Revealing Botnet Membership Using DNSBL Counter-Intelligence. In Conference on Steps to Reducing Unwanted Traffic on the Internet","author":"Ramachandran A.","year":"2006","unstructured":"A. Ramachandran , N. Feamster , and D. Dagon . Revealing Botnet Membership Using DNSBL Counter-Intelligence. In Conference on Steps to Reducing Unwanted Traffic on the Internet , 2006 . A. Ramachandran, N. Feamster, and D. Dagon. Revealing Botnet Membership Using DNSBL Counter-Intelligence. In Conference on Steps to Reducing Unwanted Traffic on the Internet, 2006."},{"key":"e_1_3_2_1_38_1","unstructured":"RSA FraudAction Lab. One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts. http:\/\/www.rsa.com\/blog\/blog_entry.aspx? id=1378 October 2008.  RSA FraudAction Lab. One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts. http:\/\/www.rsa.com\/blog\/blog_entry.aspx? id=1378 October 2008."},{"key":"e_1_3_2_1_39_1","volume-title":"Networked Systems Design and Implementation (NSDI)","author":"Saroiu S.","year":"2004","unstructured":"S. Saroiu , S. Gribble , and H. Levy . Measurement and Analysis of Spyware in a University Environment . In Networked Systems Design and Implementation (NSDI) , 2004 . S. Saroiu, S. Gribble, and H. Levy. Measurement and Analysis of Spyware in a University Environment. In Networked Systems Design and Implementation (NSDI), 2004."},{"key":"e_1_3_2_1_40_1","unstructured":"M. Shields. Trojan virus steals banking info. http:\/\/news.bbc.co.uk\/2\/hi\/technology\/7701227.stm 2008.  M. Shields. Trojan virus steals banking info. http:\/\/news.bbc.co.uk\/2\/hi\/technology\/7701227.stm 2008."},{"key":"e_1_3_2_1_41_1","unstructured":"Sophos. Security at risk as one third of surfers admit they use the same password for all websites Sophos reports. http:\/\/www.sophos.com\/pressoffice\/news\/articles\/2009\/03\/password-security.html March 2009.  Sophos. Security at risk as one third of surfers admit they use the same password for all websites Sophos reports. http:\/\/www.sophos.com\/pressoffice\/news\/articles\/2009\/03\/password-security.html March 2009."},{"key":"e_1_3_2_1_42_1","unstructured":"SpeedMatters.org. 2008 Report on Internet Speeds in All 50 States. http:\/\/www.speedmatters.org\/document-library\/sourcematerials\/cwa_report_on_internet_speeds_2008.pdf August 2008.  SpeedMatters.org. 2008 Report on Internet Speeds in All 50 States. http:\/\/www.speedmatters.org\/document-library\/sourcematerials\/cwa_report_on_internet_speeds_2008.pdf August 2008."},{"key":"e_1_3_2_1_43_1","unstructured":"Symantec. Report on the underground economy. http:\/\/www.symantec.com\/content\/en\/us\/about\/media\/pdfs\/Underground_Econ_Report.pdf 2008.  Symantec. Report on the underground economy. http:\/\/www.symantec.com\/content\/en\/us\/about\/media\/pdfs\/Underground_Econ_Report.pdf 2008."},{"key":"e_1_3_2_1_44_1","unstructured":"The Spamhaus Project. ZEN. http:\/\/www.spamhaus.org\/zen\/.  The Spamhaus Project. ZEN. http:\/\/www.spamhaus.org\/zen\/."},{"key":"e_1_3_2_1_45_1","volume-title":"The Russian Business Network: Rise and Fall of a Criminal ISP. blog.wired.com\/defense\/files\/iDefense_RBNUpdated_20080303.doc","author":"Defense Intelligence Operations Team VeriSign","year":"2008","unstructured":"VeriSign i Defense Intelligence Operations Team . The Russian Business Network: Rise and Fall of a Criminal ISP. blog.wired.com\/defense\/files\/iDefense_RBNUpdated_20080303.doc , 2008 . VeriSign iDefense Intelligence Operations Team. The Russian Business Network: Rise and Fall of a Criminal ISP. blog.wired.com\/defense\/files\/iDefense_RBNUpdated_20080303.doc, 2008."},{"key":"e_1_3_2_1_46_1","unstructured":"J. Wolf. Technical details of Srizbi's domain generation algorithm. http:\/\/blog.fireeye.com\/research\/2008\/11\/technical-details-of-srizbis-domaingeneration- algorithm.html 2008.  J. Wolf. Technical details of Srizbi's domain generation algorithm. http:\/\/blog.fireeye.com\/research\/2008\/11\/technical-details-of-srizbis-domaingeneration- algorithm.html 2008."},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.5555\/1387709.1387711"}],"event":{"name":"CCS '09: 16th ACM Conference on Computer and Communications Security 2009","location":"Chicago Illinois USA","acronym":"CCS '09","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 16th ACM conference on Computer and communications security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1653662.1653738","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1653662.1653738","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T13:38:53Z","timestamp":1750253933000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1653662.1653738"}},"subtitle":["analysis of a botnet takeover"],"short-title":[],"issued":{"date-parts":[[2009,11,9]]},"references-count":47,"alternative-id":["10.1145\/1653662.1653738","10.1145\/1653662"],"URL":"https:\/\/doi.org\/10.1145\/1653662.1653738","relation":{},"subject":[],"published":{"date-parts":[[2009,11,9]]},"assertion":[{"value":"2009-11-09","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}