Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm
Thorsten Holz, Moritz Steiner, Frederic Dahl, Ernst Biersack, Felix Freiling
What is a botnet?
A bot is a compromised computer with a remote control mechanism
A botnet is a network of these machines.
Typically under the control of one person or group.
How are they used?
Spam
DDoS
Phishing
How are machines compromised?
Worms
Trojans (Storm)
Links to malicious sites (Storm)
Tracking Botnets
Best technique is to use honeypots
A bot must contain information on how to bootstrap itself within the botnet.
Obtain information on how to connect
Craft a special client to do so
Botnet Control Mechanisms
IRC
HTTP
A custom method
P2P (the latest and greatest)
Storm Botnet
Propagates solely through email
Named after the storm Kyrill that hit Europe
At one point, responsible for ~10% of all spam
Changes social engineering theme in emails frequently
P2P
Storm Botnet, cont.
Very sophisticated binary packer
Rootkit
Time synchronized with NTP
P2P Botnets
Storm botnet uses P2P.
Publish/subscribe style of communication
Unauthenticated
Publish/Subscribe
Information is not directly sent
An information provider publishes a piece of information, i, by using an identifier that is derived solely from i.
A consumer can subscribe to that information by using a filter on the identifiers
The identifiers are usually derived from specific content or a hash function
The P2P system matches the published items to the subscriptions and delivers the information
Storm P2P Scheme
Uses the Overnet DHT (Distributed Hash Table) Routing Protocol
Also starting to use Stormnet, which is encrypted by XORing with a 40-byte key.
Still unauthenticated
Each client generates a 128-bit ID
Routing Lookup
Uses prefix matching
Node a forwards a query for a key k to the node d in its routing table that has the smallest XOR distance to k.
XOR distance is done on the DHT ids
A peer stores more contacts that are closer
Routing Query
Done iteratively.
A node sends route requests to 3 peers; each queried peer may or may not return peers that are even closer to the target DHT ID.
These closer peers are then queried in the same manner.
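The XOR-distance routing and the iterative lookup from the two slides above, as an added simulation (not the paper's code and not Storm's): node IDs are 128-bit integers, contacts are bucketed by shared prefix length so a node keeps more nearby contacts, and a lookup asks 3 peers per round. The 20-contact bucket size, the 200-node sample overlay and the random seed are assumptions.

```python
import random  # sample overlay only; added illustration, not the paper's or Storm's code

ID_BITS = 128
ALPHA = 3   # peers queried per lookup round (from the summary)
K = 20      # contacts kept per bucket; also Overnet's publish replication count (assumed)

def xor_distance(a: int, b: int) -> int:
    return a ^ b

def prefix_len(a: int, b: int) -> int:
    """Leading bits a and b share: the bucket index under which a files b."""
    d = a ^ b
    return ID_BITS if d == 0 else ID_BITS - d.bit_length()

class Node:
    def __init__(self, nid: int):
        self.id, self.buckets = nid, {}  # prefix length -> set of contact ids

    def add_contact(self, peer: int):
        # Far peers share few bits and all compete for one K-slot bucket; nearby
        # peers fall into their own buckets, so the node keeps more close contacts.
        if peer != self.id:
            b = self.buckets.setdefault(prefix_len(self.id, peer), set())
            if len(b) < K:
                b.add(peer)

    def closest(self, target: int, n: int) -> list:
        contacts = [p for b in self.buckets.values() for p in b]
        return sorted(contacts, key=lambda p: xor_distance(p, target))[:n]

def iterative_lookup(start: Node, target: int, network: dict) -> list:
    """Query ALPHA closest unqueried peers, merge answers into a K-best shortlist, repeat."""
    shortlist, queried = start.closest(target, K), set()
    while True:
        to_query = [p for p in shortlist if p not in queried][:ALPHA]
        if not to_query:
            return shortlist          # shortlist[0] is the closest node found
        for p in to_query:
            queried.add(p)
            shortlist.extend(network[p].closest(target, ALPHA))
        shortlist = sorted(set(shortlist), key=lambda p: xor_distance(p, target))[:K]

def build_network(n: int = 200, seed: int = 1) -> dict:
    """Constructed overlay: n random IDs, each node offered all others in random order."""
    rng = random.Random(seed)
    ids = [rng.getrandbits(ID_BITS) for _ in range(n)]
    network = {i: Node(i) for i in ids}
    for node in network.values():
        for peer in rng.sample(ids, len(ids)):
            node.add_contact(peer)
    return network
```

Because every node knows all peers in its own close buckets, the lookup ends at the node with the globally smallest XOR distance to the target, which is why the paper's crawler can reach the whole overlay by issuing route requests.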
Publishing in Depth
Uses a key to identify and retrieve information
To deal with node churn, a key is published on 20 peers and is periodically republished.
Infected machines search for keys that the controller publishes.
Storm Communication
To find other Storm machines, a bot subscribes to a key computed from a function of the current day and a random number between 0 and 31.
f(d, r) = key
Storm Publish Method
On Overnet, the Storm bots publish information in the following format: *.mpg;size=*
Infiltrating a botnet
Can be dangerous
Craft a special P2P client
Goal is to defeat the control structure
Crawling the Botnet
After building a custom P2P client, the authors crawl the botnet using a breadth-first search (BFS).
Issue route requests to find all the peers.
A full crawl takes 20 to 40 seconds.
Spying on the Botnet
Use a Sybil attack.
Introduce malicious peers to the botnet to gain control of parts or all of the network
Can monitor traffic or reroute requests to the wrong peers
Mitigation
When the attacker wants to issue a command, he publishes the information on the network.
Because the information is unauthenticated, any member of the P2P network can publish information.
From this, we can publish our own information to try to disrupt the communication channel.
Eclipse Attack
Position sybils closely around a keyword K.
Make the DHT IDs of the sybils close to the hash value of K.
Announce these sybils to the peers to poison the tables.
Does not completely eclipse a particular keyword.
Overnet uses the entire hash space for a keyword.
Polluting
Publish a very large number of files using the keyword K.
This overwrites the real content previously published under K.
Their results showed that this is very effective.
Pollution Results
As more polluted content is published, the true content decreases and is virtually eliminated.
Questions?