
Peer-to-Peer Botnets: Overview and Case Study

Published: USENIX HotBots, 2007. Presented: Wei-Cheng Xiao.


Presentation Transcript


  1. Peer-to-Peer Botnets: Overview and Case Study • Published: USENIX HotBots, 2007 • Presented: Wei-Cheng Xiao

  2. Outline • Introduction • Background and history • Case study: Trojan.Peacomm • Related Work • Conclusions and future work

  3. IRC-based Botnet • Pros • Large body of knowledge and source code available for bot development • Centralized C&C, efficient communication • Cons • The centralized C&C server is a single point of failure: shut it down (or block its domain/IP) and the whole botnet is cut off from its operator

  4. Motivation and Goals • Motivation • Peer-to-peer structures for botnet communication have begun to appear. • More attackers will move to P2P botnets because they are difficult to incapacitate: there is no single C&C server to take down. • Goals • To increase the understanding of P2P botnets and help detect, mitigate, and eliminate them in the future

  5. Contributions • Providing an overview and historical perspective of botnets • Presenting a case study of the Trojan.Peacomm bot

  6. Outline • Introduction • Background and history • Case study: Trojan.Peacomm • Related Work • Conclusions and future work

  7. History

  8. Goals of Botnets • The three primary goals of botnets • Information dispersion • Spam, DoS attacks, spreading of false information • Information harvesting • Identities, passwords, credit card numbers, contact lists • Information processing • CPU and memory resources of the infected hosts

  9. Outline • Introduction • Background and history • Case study: Trojan.Peacomm • Related Work • Conclusions and future work

  10. Trojan.Peacomm • Uses the Overnet protocol, a distributed hash table built on Kademlia • The initial bot • Arrives as an attachment named “FullVideo.exe” in malicious emails • Targets Windows systems • Installs “wincom32.sys” on the system and injects code into services.exe • Turns off the ICF/ICS (Windows firewall / connection sharing) service and opens several ports

  11. Overnet • A common 128-bit numeric space is used. • Node IDs are points in this space. • Values are mapped into the space by hashing them to keys. • Each (key, value) pair is stored on the nodes whose IDs are closest to the key, where closeness is the XOR of the two IDs interpreted as an integer. • Each node keeps a list of known peers per bucket (one bucket per range of XOR distance), which is what lets a lookup converge on the closest nodes.

  12. The Five Steps in Communication • Connect to Overnet • Bootstrap onto the P2P network using a hard-coded list of 146 peers in wincom32.ini • Download the secondary injection URL • Search the network for a key and download the associated value, which is an encrypted URL • The keys are generated by a built-in algorithm from the current date and a random number in [0…31], so at most 32 keys are valid on any given day • Decrypt the secondary injection URL • Download the secondary injection • from a web server or from other peers • Execute the secondary injection
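The XOR-distance storage rule of slide 11 and the date-plus-[0…31] key search of slide 12 are easier to see with a small model. The following is an added illustration, not code from the paper, the presentation, or the bot itself. Everything below the protocol shape is an assumption: the bucket size K, MD5 as a stand-in for whatever hash yields Overnet's 128-bit keys, the key-derivation function (the bot's real algorithm is not on the page), the XOR-with-a-constant "encryption" of the URL, the constructed date and URL, and the modelling choice that the controller publishes the value under all 32 of a day's keys so that a bot picking one at random finds it. The defender-side point it makes is that anyone who knows the derivation can enumerate the whole day's rendezvous set.

```python
import hashlib
import random
from datetime import date

ID_BITS = 128
K = 4  # nodes per bucket and replication factor (assumption; kept small for the demo)


def xor_distance(a: int, b: int) -> int:
    """Kademlia/Overnet closeness: XOR the two 128-bit IDs and compare as integers."""
    return a ^ b


def bucket_index(self_id: int, other_id: int) -> int:
    """k-bucket a peer belongs to: the highest bit in which its ID differs from ours.
    Bucket i covers XOR distances in [2**i, 2**(i+1)); returns -1 for our own ID."""
    return xor_distance(self_id, other_id).bit_length() - 1


def closest_nodes(target: int, node_ids, k: int = K) -> list:
    """The k node IDs nearest to target under XOR distance, i.e. the nodes that
    are responsible for a (key, value) pair whose key is target."""
    return sorted(node_ids, key=lambda nid: xor_distance(nid, target))[:k]


def hash128(data: bytes) -> int:
    """Map arbitrary data into the 128-bit space. The page does not name the hash;
    MD5 is used here only because it produces 128 bits (assumption)."""
    return int.from_bytes(hashlib.md5(data).digest(), "big")


def daily_key(day: date, n: int) -> int:
    """Stand-in for the bot's built-in key algorithm (not on the page): a key
    derived from the date and a number in [0, 31], giving 32 keys per day."""
    if not 0 <= n <= 31:
        raise ValueError("n must be in [0, 31]")
    return hash128(f"{day.isoformat()}:{n}".encode())


def daily_key_set(day: date) -> list:
    """A defender who knows the derivation can enumerate one day's 32 rendezvous keys."""
    return [daily_key(day, n) for n in range(32)]


def toy_encrypt(data: bytes, k: int = 0x5A) -> bytes:
    """Placeholder for the bot's URL encryption (the real algorithm is not given)."""
    return bytes(b ^ k for b in data)


toy_decrypt = toy_encrypt  # XOR with a constant is its own inverse


class ToyDHT:
    """Minimal Overnet-style DHT: each (key, value) lives on the K nodes closest to key."""

    def __init__(self, node_ids):
        self.store_of = {nid: {} for nid in node_ids}

    def publish(self, key: int, value: bytes) -> list:
        holders = closest_nodes(key, self.store_of, K)
        for nid in holders:
            self.store_of[nid][key] = value
        return holders

    def search(self, key: int):
        # A lookup converges on the same K closest nodes that publish() chose.
        for nid in closest_nodes(key, self.store_of, K):
            if key in self.store_of[nid]:
                return self.store_of[nid][key]
        return None


def demo(seed: int = 7) -> dict:
    """Controller publishes today's encrypted URL, one bot fetches it with a random
    key, and a defender enumerates the day's keys. All inputs are constructed."""
    rng = random.Random(seed)
    dht = ToyDHT([rng.getrandbits(ID_BITS) for _ in range(64)])
    today, other_day = date(2007, 4, 10), date(2007, 4, 11)   # constructed dates
    url = b"http://example.invalid/stage2.exe"                # constructed URL
    for n in range(32):                      # controller side (assumption: all 32 keys)
        dht.publish(daily_key(today, n), toy_encrypt(url))
    blob = dht.search(daily_key(today, rng.randrange(32)))    # bot side: one random key
    keys = daily_key_set(today)                               # defender side
    return {
        "bot_url": toy_decrypt(blob) if blob is not None else None,
        "hits": sum(dht.search(k) is not None for k in keys),
        "unique_keys": len(set(keys)),
        "other_day_miss": dht.search(daily_key(other_day, 0)) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The two things worth taking from the model: storage and lookup agree because both sides compute the same "K closest under XOR" set, so there is no server to point at, and the rendezvous keys are predictable to anyone who has reverse-engineered the derivation, which is what makes monitoring or pre-emptively occupying those keys a defensive option.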

  13. Secondary Injections • Include • Rootkit components • Email spamming components • Email address harvester • Email propagation components • DDoS tools • The bot updates itself periodically by searching the P2P network for new injections • Together, these primitives provide a C&C mechanism without any central server.

  14. Network Trace Analysis • The Overnet packets in the trace involved 10,105 unique IP addresses. • The bot in the experiment contacted about 4,200 hosts.

  15. Findings of the Key Search • The bot periodically searches for its own ID hash (h1) to learn which nodes are closest to it. • Command latency is low (on the order of 3 to 6 seconds). • The search results came from 4 responders, but whether those responders are themselves infected is uncertain. • It is therefore difficult to identify other infected hosts in Overnet from the trace data alone.

  16. Outline • Introduction • Background and history • Case study: Trojan.Peacomm • Related Work • Conclusions and future work

  17. Related Work • The zombie roundup: Understanding, detecting, and disrupting botnets. USENIX SRUTI, 2005 • Points out the potential threat posed by P2P-based botnets • Identifies some fundamental techniques for botnet analysis • An inside look at botnets. Advances in Information Security, 2006 • Gives an overview of some well-known botnets, such as Agobot • Highlights the sophistication and diverse capabilities of botnets

  18. Outline • Introduction • Background and history • Case study: Trojan.Peacomm • Related Work • Conclusions and future work

  19. Conclusions and Future Work • There is a recent trend toward P2P botnets because they are difficult to detect and eliminate. • An overview of botnets and a case study of one P2P botnet (Trojan.Peacomm) are presented. • Future work includes P2P botnet detection and analysis of P2P botnet resilience.
