1 / 24

Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm Thorsten Holz, Moritz Steiner, Frederic Dahl, Ernst Biersack, Felix Freiling. What is a botnet?. A bot is a hacked computer with some remote control mechanism A botnet is a network of these machines.

Download Presentation

Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm Thorsten Holz, Moritz Steiner, Frederic Dahl, Ernst Biersack, Felix Freiling

  2. What is a botnet? • A bot is a hacked computer with some remote control mechanism • A botnet is a network of these machines. • Typically under the control of one person or group.

  3. How are they used? • Spam • DDOS • Phishing

  4. How are machines compromised? • Worms • Trojans (Storm)‏ • Links to malicious sites (Storm)‏

  5. Tracking Botnets • Best technique is to use honeypots • A bot must contain information on how to bootstrap itself within the botnet. • Obtain information on how to connect • Craft a special client to do so

  6. Botnet Control Mechanisms • IRC • HTTP • A custom method • P2P (the latest and greatest)‏

  7. Storm Botnet • Propagates solely through email • Named from the Kyrill Storm in Europe • At one point, responsible for ~10% of all spam • Changes social engineering theme in emails frequently • P2P

  8. Storm Botnet, cont. • Very sophisticated binary packer • Rootkit • Time synchronized with NTP

  9. P2P Botnets • Storm botnet uses P2P. • Publish/subscribe style of communication • Unauthenticated

  10. Publish/Subscribe • Information is not directly sent • An information provider publishes a piece of information, i, by using an identifier that is derived solely from i. • A consumer can subscribe to that information by using a filter on the identifiers • The identifiers are usually derived from specific content or a hash function • The P2P system matches the published items to the subscriptions and delivers the information

  11. Storm P2P Scheme • Uses the Overnet DHT (Distributed Hash Table) Routing Protocol • Also starting to use Stormnet, which is encrypted by XORing with a 40-byte key. • Still unauthenticated • Each client generates a 128-bit ID

  12. Routing Lookup • Uses prefix matching • Node a forwards a query to a node d in its routing table that has the smallest XOR distance with d. • XOR distance is done on the DHT ids • A peer stores more contacts that are closer

  13. Routing Query • Done iteratively. • A node sends route requests to 3 peers, and they may or may not return peers that are even closer to the DHT ID. • These closer peers are then queried in the same manner.

  14. Publishing in Depth • Uses a key to identify and retrieve information • To deal with node churn, a key is published on 20 peers and is periodically republished. • Infected machines search for keys that the controller publishes.

  15. Storm Communication • To find other Storm machines, a bot subscribes to a key based off the function of the current day and a random number between 0 and 31. • f(d, r) = key

  16. Storm Publish Method • On Overnet, the Storm bots publish information in the following format: *.mpg;size=*

  17. Infiltrating a botnet • Can be dangerous • Craft a special P2P client • Goal is to defeat the control structure

  18. Crawling the Botnet • After building a custom P2P client, they can crawl the botnet by using a BFS. • Issue route requests to find all the peers. • Takes 20 to 40 seconds.

  19. Spying on the Botnet • Use a Sybil attack. • Introduce malicious peers to the botnet to gain control of parts or all of the network • Can monitor traffic or reroute requests to the wrong peers

  20. Mitigation • When the attack wants to issue a command, he publishes the information on the network • Because the information is unauthenticated, any member of the p2p network can publish information • From this, we can publish our own information to try to disrupt the communication channel

  21. Eclipse Attack • Position sybils closely around a keyword K. • Make the DHT IDs of the sybils close to the hash value of K. • Announce these sybils to the peers to poison the tables. • Does not completely eclipse a particular keyword. • Overnet uses the entire hash space for a keyword.

  22. Polluting • Publish a very large number of files using the keyword K. • This overwrites the real content previously published under K. • Their results showed that this is very effective.

  23. Pollution Results • As more polluted content is published, the true content decreases and is virtually eliminated.

  24. QUESTIONS??????

More Related