{"title":"Virtual honeypots and detection of telnet botnets","authors":"Tomáš Bajtoš, Pavol Sokol, Terézia Mézesová","doi":"10.1145/3277570.3277572","DOIUrl":null,"url":null,"abstract":"Despite recommendations to not use telnet, there is an increasing number of telnet-based botnets and a need to analyse these attacks. We deployed a network of high interaction honeypots that simulate telnet devices. From the collected data, we created a dataset that we analysed from different perspectives. In this paper, we focus on the infection phase of botnets. Based on the found signatures collected by our samples, we can divide the botnets into 9 families. We show dependencies between commands, and between commands and directories used to propagate botnets.","PeriodicalId":164597,"journal":{"name":"Proceedings of the Central European Cybersecurity Conference 2018","volume":"8 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-11-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the Central European Cybersecurity Conference 2018","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3277570.3277572","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 7
Abstract
Despite recommendations to not use telnet, there is an increasing number of telnet-based botnets and a need to analyse these attacks. We deployed a network of high interaction honeypots that simulate telnet devices. From the collected data, we created a dataset that we analysed from different perspectives. In this paper, we focus on the infection phase of botnets. Based on the found signatures collected by our samples, we can divide the botnets into 9 families. We show dependencies between commands, and between commands and directories used to propagate botnets.