Peer-to-Peer Botnets: Overview and Case Study
Published: USENIX HotBots, 2007
Presented: Wei-Cheng Xiao
Outline
• Introduction
• Background and history
• Case study: Trojan.Peacomm
• Related Work
• Conclusions and future work
IRC-based Botnet
• Pros
  • Large base of knowledge and source code for bot development
  • Centralized C&C, efficient communication
• Cons
  • Centralized mechanism, easy to take down
Motivation and Goals
• Motivation
  • A peer-to-peer structure for botnet communication is beginning to appear.
  • More attackers will move to P2P botnets because they are difficult to incapacitate.
• Goals
  • To increase the understanding of P2P botnets, in the hope of helping to detect, mitigate, and eliminate P2P botnets in the future
Contributions
• Providing an overview and historical perspective of botnets
• Presenting a case study of the Trojan.Peacomm bot
Goals of Botnets
• The three primary goals of botnets
  • Information dispersion
    • Spam, DoS attacks, dispersion of false information
  • Information harvesting
    • Identities, passwords, credit card numbers, friend lists
  • Information processing
    • CPU and memory resources
Trojan.Peacomm
• Uses the Overnet protocol, which implements a distributed hash table based on Kademlia
• The initial bot
  • Appears as an attachment “FullVideo.exe” in malicious emails
  • Targets Windows systems
  • Adds “wincom32.sys” to the system and injects it into services.exe
  • Turns off the ICF/ICS service and opens some ports
Overnet
• A common 128-bit numeric space is used.
• Node IDs lie within the numeric space.
• Values are mapped into the numeric space by their keys.
• A (key, value) pair is stored on the nodes closest to the key, where closeness is the XOR distance between identifiers.
• A list of known nodes is kept for each bucket of the numeric space.
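The XOR metric on the slide above is what decides which nodes hold a (key, value) pair and how each node files the peers it knows about. The following Python is an added illustration of that mechanism, not code from the paper or from Overnet; the 128-bit space and the 146-node bootstrap list size come from the slides, while the node identifiers, the key, and the MD5-based labelling used to manufacture them are constructed for the example.

```python
import hashlib
from typing import Iterable, List

ID_BITS = 128                  # Overnet/Kademlia identifier space, as on the slide
ID_MASK = (1 << ID_BITS) - 1


def xor_distance(a: int, b: int) -> int:
    """Kademlia distance between two 128-bit identifiers: their XOR, read as
    an unsigned integer. It is symmetric, zero only for a == b, and for a fixed
    key every distance value is reached by exactly one identifier."""
    return (a ^ b) & ID_MASK


def bucket_index(own_id: int, other_id: int) -> int:
    """k-bucket in which a node with own_id files other_id.

    Bucket i covers identifiers whose XOR distance from own_id lies in
    [2**i, 2**(i+1)), i.e. the highest differing bit is bit i.
    Returns -1 for the node's own identifier (distance 0)."""
    return xor_distance(own_id, other_id).bit_length() - 1


def closest_nodes(key: int, node_ids: Iterable[int], k: int = 20) -> List[int]:
    """The k identifiers closest to key under the XOR metric.

    A (key, value) pair published into the DHT is stored on these nodes, and
    a lookup for key converges on the same set from any starting point."""
    return sorted(node_ids, key=lambda n: xor_distance(key, n))[:k]


def constructed_id(label: str) -> int:
    """Constructed sample identifier: hash a label into the 128-bit space.
    MD5 is used only because its digest is 128 bits wide; this is not how
    Overnet assigns node IDs (assumption for the example)."""
    return int.from_bytes(hashlib.md5(label.encode()).digest(), "big")


def demo() -> dict:
    """Build a constructed 146-node network (the size of the hard-coded
    bootstrap list mentioned on the slides) and resolve where one key lives."""
    nodes = [constructed_id(f"peer-{i}") for i in range(146)]
    key = constructed_id("example-key")
    holders = closest_nodes(key, nodes, k=4)
    # The holders are exactly the nodes with the smallest distance; every
    # other node is at least as far from the key as the last holder.
    farthest_holder = xor_distance(key, holders[-1])
    everyone_else_farther = all(
        xor_distance(key, n) >= farthest_holder for n in nodes if n not in holders
    )
    return {
        "holders": holders,
        "everyone_else_farther": everyone_else_farther,
        "bucket_of_first_holder": bucket_index(nodes[0], holders[0]),
    }


if __name__ == "__main__":
    print(demo())
```

The property checked in `demo()` is the one that matters for both the bot and a defender: because the metric is deterministic, any node that knows the key can compute the same small set of holders, which is why a value published under a predictable key can be found from anywhere in the network.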
The Five Steps in Communication
• Connect to Overnet
  • Bootstrap onto the P2P network from a hard-coded list of 146 nodes in wincom32.ini
• Download the secondary injection URL
  • Use keys to search for and download a value, which is an encrypted URL
  • The keys are generated from the date and a random number [0…31] using a built-in algorithm
• Decrypt the secondary injection URL
• Download the secondary injection
  • From a web server or from other peers
• Execute the secondary injection
Secondary Injections
• Include
  • Rootkit components
  • Email spamming components
  • Email address harvester
  • Email propagation components
  • DDoS tools
• The bot updates itself periodically by searching through the P2P network
• These primitives provide a C&C mechanism.
Network Trace Analysis
• The Overnet packets include 10,105 unique IPs.
• The bot in the experiment contacts about 4,200 hosts.
Findings of the Key Search
• A node periodically searches for its own ID hash (h1) to learn its closest nodes.
• The command latency is not high (about 3~6 seconds).
• The search results come from 4 responders, but their infection status is uncertain.
• It is difficult to identify other infected hosts in Overnet from the trace data alone.
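The two trace slides above report a handful of measurements (distinct peers contacted, search latency, number of responders, periodic self-ID searches). The Python below is an added example of how an analyst would pull those numbers out of a decoded search-message trace; it is not the paper's tooling, and the packet records, IP addresses and ID hashes are constructed for the example. It also reproduces the slide's caveat: the responder count says nothing about whether the responders are infected.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Packet(NamedTuple):
    """One Overnet search message as it would appear in a decoded trace."""
    ts: float   # seconds since trace start
    src: str    # source IP
    dst: str    # destination IP
    kind: str   # "search" (request) or "result" (response)
    key: str    # hex hash being searched for / answered


# Constructed values, not from the paper's trace.
BOT_IP = "10.0.0.5"
BOT_ID = "a1" * 16            # the monitored host's own ID hash (h1)
CMD_KEY = "bb" * 16           # some other key the host searches for

TRACE: List[Packet] = [
    Packet(0.0, BOT_IP, "198.51.100.7", "search", BOT_ID),
    Packet(0.4, "198.51.100.7", BOT_IP, "result", BOT_ID),
    Packet(1.0, BOT_IP, "203.0.113.9", "search", CMD_KEY),
    Packet(4.2, "203.0.113.9", BOT_IP, "result", CMD_KEY),
    Packet(4.3, "203.0.113.21", BOT_IP, "result", CMD_KEY),
    Packet(30.0, BOT_IP, "198.51.100.7", "search", BOT_ID),
    Packet(60.0, BOT_IP, "198.51.100.8", "search", BOT_ID),
]


def contacted_peers(trace: List[Packet], host: str) -> Set[str]:
    """Distinct remote IPs that exchanged at least one packet with host."""
    peers: Set[str] = set()
    for p in trace:
        if p.src == host:
            peers.add(p.dst)
        elif p.dst == host:
            peers.add(p.src)
    return peers


def search_latency(trace: List[Packet], host: str) -> Dict[str, float]:
    """Per key: seconds from the host's first request to the first result it
    receives for that key. Keys that were never answered are omitted."""
    first_req: Dict[str, float] = {}
    latency: Dict[str, float] = {}
    for p in sorted(trace, key=lambda p: p.ts):
        if p.kind == "search" and p.src == host:
            first_req.setdefault(p.key, p.ts)
        elif p.kind == "result" and p.dst == host and p.key in first_req:
            latency.setdefault(p.key, p.ts - first_req[p.key])
    return latency


def responders(trace: List[Packet], host: str) -> Dict[str, int]:
    """Per key: number of distinct nodes that answered the host's search.
    Answering a DHT lookup is normal peer behaviour, so this count alone
    cannot tell an infected responder from a clean one."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for p in trace:
        if p.kind == "result" and p.dst == host:
            seen[p.key].add(p.src)
    return {k: len(v) for k, v in seen.items()}


def self_search_intervals(trace: List[Packet], host: str, own_id: str) -> List[float]:
    """Gaps between successive searches the host issues for its own ID hash
    (the periodic closest-node refresh described on the slide)."""
    times = sorted(p.ts for p in trace
                   if p.kind == "search" and p.src == host and p.key == own_id)
    return [b - a for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    print(len(contacted_peers(TRACE, BOT_IP)), "peers contacted")
    print(search_latency(TRACE, BOT_IP))
    print(responders(TRACE, BOT_IP))
    print(self_search_intervals(TRACE, BOT_IP, BOT_ID))
```

On a real capture the records would come from a decoder for the Overnet UDP messages rather than the inline list; the four measurements are the same, and the self-ID refresh cadence in particular is ordinary Kademlia maintenance, which is the reason it does not by itself distinguish an infected node from any other Overnet peer.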
Related Work
• The zombie roundup: Understanding, detecting, and disrupting botnets. USENIX SRUTI, 2005
  • Points out the potential threat posed by P2P-based botnets
  • Identifies some fundamental techniques for botnet analysis
• An inside look at botnets. Advances in Information Security, 2006
  • Gives an overview of some famous botnets, such as Agobot
  • Highlights the sophistication and diverse capabilities of botnets
Conclusions and Future Work
• There is a recent trend toward increased development of P2P botnets because of the difficulty of detecting and eliminating them.
• An overview and a case study of P2P botnets are presented.
• Future work includes P2P botnet detection and analysis of P2P botnet resilience.