DOI: 10.1145/1533057.1533064 (research article)

Towards complete node enumeration in a peer-to-peer botnet

Published: 10 March 2009

ABSTRACT

Modern advanced botnets may employ a decentralized peer-to-peer overlay network to bootstrap and maintain their command and control channels, making them more resilient to traditional mitigation efforts such as server incapacitation. As an alternative strategy, the malware defense community has been trying to identify the bot-infected hosts and enumerate the IP addresses of the participating nodes so that the list can be used by system administrators to identify local infections, block spam emails sent from bots, and configure firewalls to protect local users. Enumerating the infected hosts, however, has presented challenges. One cannot identify infected hosts behind firewalls or NAT devices by employing crawlers, a commonly used enumeration technique in which recursive get-peerlist lookup requests are sent to newly discovered IP addresses of infected hosts. As many bot-infected machines in homes or offices are behind firewall or NAT devices, these crawler-based enumeration methods would miss a large portion of botnet infections. In this paper, we present the Passive P2P Monitor (PPM), which can enumerate the infected hosts regardless of whether they are behind a firewall or NAT. As an empirical study, we examined the Storm botnet and enumerated its infected hosts using the PPM. We also improve our PPM design by incorporating a FireWall Checker (FWC) to identify nodes behind a firewall. Our experiment with the peer-to-peer Storm botnet shows that more than 40% of bots that contact the PPM are behind firewall or NAT devices, implying that crawler-based enumeration techniques would miss a significant portion of the botnet population. Finally, we show that the PPM's coverage can be described by a probability-based coverage model that we derived from empirical observation of the Storm botnet.
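The crawler-versus-passive-monitor argument from the abstract, as an added example that is not code from the paper: a small constructed overlay in which `inbound_ok=False` marks a bot behind NAT, a recursive get-peerlist crawler, a passive monitor whose address spreads through ordinary peer exchanges, and a firewall checker that probes every logged contact. The toy overlay, the exchange rule (a query only gets through when the queried peer accepts inbound traffic) and all function names are assumptions made for the illustration.

```python
from collections import deque

# Constructed toy overlay (not data from the paper). inbound_ok=False models a bot
# behind a firewall/NAT: it can send outbound but never receives unsolicited packets.
SAMPLE_OVERLAY = {
    "A": {"peers": ["B", "C"], "inbound_ok": True},
    "B": {"peers": ["A", "D"], "inbound_ok": True},
    "C": {"peers": ["A", "E"], "inbound_ok": False},
    "D": {"peers": ["B", "C"], "inbound_ok": False},
    "E": {"peers": ["C", "F"], "inbound_ok": True},
    "F": {"peers": ["E"], "inbound_ok": False},
}

def crawl(overlay, seed):
    """Crawler-based enumeration: send get-peerlist to each newly discovered address
    and recurse. A NAT'd node never answers, so it is never confirmed and the peers
    only it knows about are never discovered."""
    confirmed, seen, queue = set(), {seed}, deque([seed])
    while queue:
        nid = queue.popleft()
        if not overlay[nid]["inbound_ok"]:
            continue  # get-peerlist request dropped at the NAT/firewall
        confirmed.add(nid)
        for peer in overlay[nid]["peers"]:
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return confirmed

def passive_monitor(overlay, advertised_to, rounds=10):
    """Passive P2P Monitor: the PPM's address is seeded into a few peer lists and
    spreads through peer exchanges. A bot that learns it contacts the PPM itself
    (outbound), so NAT does not hide it; the PPM logs the source of each contact."""
    knows = set(advertised_to)
    for _ in range(rounds):
        for src, info in overlay.items():
            for dst in info["peers"]:
                # an exchange only happens if the queried peer accepts inbound traffic
                if overlay[dst]["inbound_ok"] and (src in knows or dst in knows):
                    knows.update((src, dst))
    return knows  # == the set of bots that have contacted the PPM

def firewall_checker(overlay, contacts):
    """FWC: probe each logged contact inbound; no answer means firewall/NAT."""
    return {nid for nid in contacts if not overlay[nid]["inbound_ok"]}

def compare(overlay, seed):
    crawled, contacts = crawl(overlay, seed), passive_monitor(overlay, [seed])
    behind = firewall_checker(overlay, contacts)
    return {"crawler": len(crawled), "ppm": len(contacts),
            "ppm_behind_nat_pct": round(100 * len(behind) / len(contacts))}
```

On the toy overlay the crawler confirms only A and B (C and D drop its requests, and E and F are reachable only through C), while every node ends up contacting the monitor and the FWC flags half of those contacts as firewalled.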


Published in: ASIACCS '09: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, March 2009, 408 pages. ISBN: 9781605583945. DOI: 10.1145/1533057. Copyright © 2009 ACM.


Publisher: Association for Computing Machinery, New York, NY, United States.
