1 Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling - Proceedings.

Presentation transcript:

1 Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm
T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling - Proceedings of the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET'08)
Reporter: 高嘉男 Advisor: Chin-Laung Lei 2009/08/04

2 Outline
Introduction
Botnet tracking adapted to P2P botnets
  ◦ Class of botnets considered
  ◦ Botnet tracking extended
Inside Storm Worm
  ◦ Propagation mechanism
  ◦ Network-level behavior
Case study: tracking Storm Worm
Conclusion

3 Introduction
IRC-based botnet
Botnet tracking
  ◦ Acquire and analyze a copy of a bot
  ◦ Infiltrate the botnet
  ◦ Identify the central IRC server
P2P botnet
  ◦ Storm Worm

4 Class of Botnets Considered
Unauthenticated content-based publish/subscribe-style communication
  ◦ Peer-to-peer network architecture
  ◦ Content-based publish/subscribe-style communication
  ◦ Unauthenticated communication

5 Botnet Tracking Extended
Step 1: Exploiting the P2P bootstrapping process
  ◦ Getting hold of a bot with a honeypot
Step 2: Infiltration and analysis
  ◦ Join the botnet to retrieve connection information
Step 3: Mitigation
  ◦ Can't send information directly

6 Propagation Mechanism of Storm Worm
Similar to mail worms
Spamtraps: addresses not used for communication but to lure spam mails
Client honeypots to examine the links
Only web browsers with a specific HTTP request header field will be exploited
Sends different exploits to install a copy of the Storm binary
The exploit code changes periodically
The binary itself is also polymorphic

7 Routing Lookup
OVERNET and Stormnet DHT ID: randomly generated 128-bit ID
XOR distance: d(a,b) = a ⊕ b (bitwise XOR)
Query from a to b:
  ◦ Sent to the node in its routing table that has the smallest XOR distance to b
  ◦ Route requests go to three peers
  ◦ Route responses contain new peers even closer to the DHT ID of b

8 Publishing and Searching
Key: an identifier used to retrieve information
A key is published on twenty different peers
The search procedure uses the routing lookup to find the peer(s) closest to the key searched for
Four important message types:
  ◦ Hello
  ◦ Route request/response (kid)
  ◦ Publish request/response
  ◦ Search request/response (key)
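The routing lookup of slides 7 and 8 as an added toy model, not the authors' crawler or the OVERNET implementation: peers keep k-buckets indexed by the highest bit in which two IDs differ, answer a route request with their three closest known peers, and an iterative lookup converges on the peer closest to a target ID. The bucket size K, the bucket layout and the generated IDs are assumptions.

```python
import random

ID_BITS = 128  # OVERNET DHT IDs are random 128-bit values (slide 7)
K = 20         # assumed: contacts kept per XOR distance range (k-bucket)
ALPHA = 3      # slide 7: route requests go to three peers per step

def xor_distance(a: int, b: int) -> int:
    return a ^ b  # slide 7: d(a, b) = a XOR b

class Peer:
    def __init__(self, node_id: int):
        self.id = node_id
        self.buckets = {}  # bucket index -> up to K peer IDs in that distance range

    def add_contact(self, other: int) -> None:
        # bucket index = position of the highest bit in which the two IDs differ
        idx = xor_distance(self.id, other).bit_length() - 1
        bucket = self.buckets.setdefault(idx, [])
        if len(bucket) < K:
            bucket.append(other)

    def route_request(self, target: int, n: int = ALPHA) -> list:
        # route response: the n known peers closest to target (slide 7)
        known = [p for bucket in self.buckets.values() for p in bucket]
        return sorted(known, key=lambda p: xor_distance(p, target))[:n]

def build_network(n: int, seed: int = 1) -> dict:
    # constructed network: n random IDs, each peer's k-buckets filled from all others
    rng = random.Random(seed)
    ids = [rng.getrandbits(ID_BITS) for _ in range(n)]
    network = {i: Peer(i) for i in ids}
    for peer in network.values():
        for other in rng.sample(ids, len(ids)):  # random fill order per peer
            if other != peer.id:
                peer.add_contact(other)
    return network

def iterative_lookup(network: dict, start: int, target: int) -> list:
    # query the ALPHA closest unqueried peers until no closer peer appears;
    # returns the up-to-K closest peer IDs found, nearest first
    shortlist, queried = [start], set()
    while True:
        batch = [p for p in shortlist if p not in queried][:ALPHA]
        if not batch:
            return shortlist
        for pid in batch:
            queried.add(pid)
            for found in network[pid].route_request(target):
                if found not in shortlist:
                    shortlist.append(found)
        shortlist.sort(key=lambda p: xor_distance(p, target))
        del shortlist[K:]  # keep only the K closest candidates
```

With every k-bucket holding at least one peer of its range, each queried peer that is not the globally closest returns a strictly closer one, so the lookup terminates with the closest peer at the head of the list.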

9 Storm Worm Communication
An infected machine searches for specific keys
The controller publishes commands at these keys
The key is generated by a function f(d,r)
Capture the keys the bot searches for
  ◦ Reverse engineered the bot binary and identified the function that computes the key
  ◦ Repeatedly force a bot to re-connect to the network
The actual content published in OVERNET at these keys contains a characteristic filename pattern

10 Exploiting the P2P Bootstrapping Process
Use spamtraps to collect spam mails
Use client honeypots to visit the URLs
Obtain a binary copy of the malware
Obtain the current peer list used by the binary
Observe the keys that Storm Worm searches for

11 Infiltration and Analysis - Crawling the P2P Network
Goal: measure the number of peers within the whole P2P network
Crawler: issues route requests to find the peers currently participating
  ◦ Thread 1: send the route requests
  ◦ Thread 2: receive and parse the route responses

12 Infiltration and Analysis - Spying in OVERNET and Stormnet
Sybil attack: introduce malicious peers, the sybils, to gain control over a fraction of the P2P network
Implementing the spy:
  ◦ Crawl the DHT ID space
  ◦ Send hello requests to the peers
  ◦ When a route request initiated by a non-sybil peer P reaches a sybil, that request is answered with a set of sybils whose DHT IDs are closer to the target
  ◦ Store the content of all the requests received

13 Results for Crawling and Spying
Upper bound of Storm bots in OVERNET
  ◦ ~ concurrent online peers in OVERNET (October 2007 ~ February 2008)
Lower bound of Storm bots in OVERNET
  ◦ 5000 ~ 6000 distinct peers that publish Storm-related content per day

14 Size Estimation for Stormnet

15 Search Activity & Publish Activity in Stormnet

16 Mitigation
Polluting
  ◦ Overwrite the content previously published under key K
  ◦ Publish files to all those peers having at least the first 4 bits in common with K
  ◦ A search for K will receive so many results (our fake announcements) that it stops the search very soon
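The polluting step on slide 16 as an added simulation, not the authors' tool: a key is first published on the twenty closest peers (slide 8), then every peer sharing the first 4 bits of K has the key overwritten with fake entries, and a search that stops after a fixed number of results now sees only the fakes. The stop threshold, the peer population and the use of global XOR sorting in place of the routing lookup are assumptions.

```python
import random

ID_BITS = 128
PREFIX_BITS = 4       # slide 16: publish to every peer sharing the first 4 bits of K
PUBLISH_PEERS = 20    # slide 8: a key is published on twenty peers (closest to the key)
STOP_AFTER = 100      # assumed: a searcher stops once it holds this many results

def shares_prefix(a: int, b: int, bits: int = PREFIX_BITS) -> bool:
    shift = ID_BITS - bits
    return (a >> shift) == (b >> shift)

class Peer:
    def __init__(self, node_id: int):
        self.id = node_id
        self.store = {}  # key -> list of published entries (filenames)

    def search(self, key: int) -> list:
        return list(self.store.get(key, []))

def closest_peers(peers: list, key: int, n: int = PUBLISH_PEERS) -> list:
    # stand-in for the routing lookup: the n peers with the smallest XOR distance to key
    return sorted(peers, key=lambda p: p.id ^ key)[:n]

def legitimate_publish(peers: list, key: int, entry: str) -> None:
    for p in closest_peers(peers, key):
        p.store.setdefault(key, []).append(entry)

def pollute(peers: list, key: int, fakes: int) -> int:
    # overwrite key on every peer whose ID shares the first PREFIX_BITS bits with key;
    # returns the number of peers that received the fake announcements
    targets = [p for p in peers if shares_prefix(p.id, key)]
    for p in targets:
        p.store[key] = [f"fake-{i}" for i in range(fakes)]
    return len(targets)

def search(peers: list, key: int) -> tuple:
    # ask the closest peers in turn and stop early once STOP_AFTER results are collected;
    # returns (results, number of peers actually asked)
    results, asked = [], 0
    for p in closest_peers(peers, key):
        asked += 1
        results.extend(p.search(key))
        if len(results) >= STOP_AFTER:
            break
    return results, asked

def make_peers(n: int, seed: int = 1) -> list:
    # constructed population of peers with random 128-bit DHT IDs
    rng = random.Random(seed)
    return [Peer(rng.getrandbits(ID_BITS)) for _ in range(n)]
```

Any peer sharing the 4-bit prefix is closer to K than any peer that does not, so once at least twenty peers share it, the twenty peers holding the legitimate content are all among those overwritten.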

17 Experiment
Polluting a hash used by Storm and searching at the same time for that hash

18 Conclusion
Extend the method of botnet tracking to P2P-based botnets
Demonstrate the applicability by performing a case study of Storm Worm, thereby being the first to develop ways to mitigate Storm Worm
Present the first empirical study of P2P botnets, giving details about their propagation phase, their malicious activities, and other features

19 References
T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling, "Measurements and mitigation of peer-to-peer-based botnets: A case study on Storm Worm." In Proceedings of the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET'08), 2008.