The continued growth and diversification of the Internet has been accompanied by
an increasing prevalence of attacks and intrusions [40]. It can be argued, however,
that a significant change in motivation for malicious activity has taken place over
the past several years: from vandalism and recognition in the hacker community, to
attacks and intrusions for financial gain. This shift has been marked by a growing
sophistication in the tools and methods used to conduct attacks, thereby escalating
the network security arms race.
    Our thesis is that the reactive methods for network security that are predominant
today are ultimately insufficient and that more proactive methods are required. One
such approach is to develop a foundational understanding of the mechanisms em-
ployed by malicious software (malware) which is often readily available in source
form on the Internet. While it is well known that large IT security companies main-
tain detailed databases of this information, these are not openly available and we are
not aware of any such open repository. In this paper we begin the process of codify-
ing the capabilities of malware by dissecting four widely-used Internet Relay Chat
(IRC) botnet codebases. Each codebase is classified along seven key dimensions
including botnet control mechanisms, host control mechanisms, propagation mech-
anisms, exploits, delivery mechanisms, obfuscation and deception mechanisms. Our
study reveals the complexity of botnet software, and we discuss implications for
defense strategies based on our analysis.