1 Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling - Proceedings.
1 Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm
T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling - Proceedings of the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET'08), 2008.
Reporter: 高嘉男
Advisor: Chin-Laung Lei
2009/08/04

2 Outline
Introduction
Botnet tracking adapted to P2P botnets
◦ Class of botnets considered
◦ Botnet tracking extended
Inside Storm Worm
◦ Propagation mechanism
◦ Network-level behavior
Case study: tracking Storm Worm
Conclusion

3 Introduction
IRC-based botnet
Botnet tracking
◦ Acquire and analyze a copy of a bot
◦ Infiltrate the botnet
◦ Identify the central IRC server
P2P botnet
◦ Storm Worm

4 Class of Botnets Considered
Unauthenticated content-based publish/subscribe-style communication
◦ Peer-to-peer network architecture
◦ Content-based publish/subscribe-style communication
◦ Unauthenticated communication

5 Botnet Tracking Extended
Step 1: Exploiting the P2P bootstrapping process
◦ Getting hold of a bot by honeypot
Step 2: Infiltration and analysis
◦ Join the botnet to retrieve connection information
Step 3: Mitigation
◦ Can’t send information directly

6 Propagation Mechanism of Storm Worm
Similar to mail worms
Spamtraps: e-mail addresses not used for communication but to lure spam e-mails
Client honeypots to examine the links
Only web browsers with a specific HTTP request header field will be exploited
Send different exploits to install a copy of the Storm binary
The exploit code changes periodically
The binary itself is also polymorphic

7 Routing Lookup
OVERNET and Stormnet
DHT ID: randomly generated 128-bit ID
XOR-distance: d(a,b) = a ⊕ b
Query from a to b:
◦ To the node in its routing table that has the smallest XOR-distance with b
◦ Route requests to three peers
◦ Route responses containing new peers even closer to the DHT ID of b
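The lookup described on this slide, as an added simulation that is not part of the paper or these slides: peers get random 128-bit DHT IDs, a Kademlia-style bucket routing table (an assumption; the slide does not describe OVERNET's table layout), and an iterative lookup that sends route requests to three peers per round and learns closer peers from their responses. `build_network`, `routing_table` and `route_lookup` are names chosen here, not OVERNET or Storm code.

```python
import random

ID_BITS = 128


def xor_distance(a: int, b: int) -> int:
    """OVERNET/Kademlia metric from the slide: d(a, b) = a XOR b."""
    return a ^ b


def routing_table(peer: int, all_peers: set[int], k: int = 3) -> set[int]:
    """Assumed Kademlia-style table: up to k contacts per bucket, one bucket
    per position of the highest bit in which a contact's ID differs from ours.
    With this layout every bucket that is non-empty in the network keeps a
    contact, which is what makes the lookup below converge."""
    buckets: dict[int, list[int]] = {}
    for q in all_peers:
        if q != peer:
            buckets.setdefault(xor_distance(peer, q).bit_length(), []).append(q)
    return {q for contacts in buckets.values() for q in sorted(contacts)[:k]}


def build_network(n: int, seed: int = 1) -> dict[int, set[int]]:
    """Constructed sample network: n peers with random 128-bit DHT IDs."""
    rng = random.Random(seed)
    peers = {rng.getrandbits(ID_BITS) for _ in range(n)}
    return {p: routing_table(p, peers) for p in peers}


def route_lookup(tables: dict[int, set[int]], start: set[int], target: int,
                 fanout: int = 3, max_rounds: int = ID_BITS) -> tuple[int, int]:
    """Iterative route lookup as on the slide: each round sends a route request
    to the `fanout` unqueried known peers closest to target; a peer's route
    response is the `fanout` entries of its own table closest to target.
    Stops when the closest known peer has already been queried, i.e. its
    response held nothing closer. Returns (closest peer found, rounds used)."""
    known, queried = set(start), set()
    dist = lambda p: xor_distance(p, target)
    for rounds in range(max_rounds):
        ranked = sorted(known, key=dist)
        if ranked[0] in queried:
            return ranked[0], rounds
        for p in [q for q in ranked if q not in queried][:fanout]:
            queried.add(p)
            known.update(sorted(tables[p], key=dist)[:fanout])  # route response
    return min(known, key=dist), max_rounds
```

Each queried peer returns contacts that agree with the target on one more high bit than it does itself, so the distance of the best known peer shrinks by at least one bit per round and the lookup ends at the true closest peer.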

8 Publishing and Searching
Key: an identifier used to retrieve information
A key is published on twenty different peers
Search procedure uses the routing lookup to find the peer(s) closest to the key searched for
Four important message types:
◦ Hello
◦ Route request/response (kid)
◦ Publish request/response
◦ Search request/response (key)

9 Storm Worm Communication
Infected machine searches for specific keys
The controller publishes commands at these keys
The key is generated by a function f(d,r)
Capture the keys the bot searches for
◦ Reverse engineered the bot binary and identified the function that computes the key
◦ Repeatedly force a bot to re-connect to the network
The actual content published in OVERNET at these keys contains a characteristic filename pattern

10 Exploiting the P2P Bootstrapping Process
Use spamtraps to collect spam mails
Client honeypots to visit the URLs
Obtain a binary copy of the malware
Obtain the current peer list used by the binary
Observe the keys that Storm Worm searches for

11 Infiltration and Analysis - Crawling the P2P Network
To measure the number of peers within the whole P2P network
Crawler: issue route requests to find the peers currently participating
◦ Thread 1: send the route request
◦ Thread 2: receive and parse the route response

12 Infiltration and Analysis - Spying in OVERNET and Stormnet
Sybil attack: introduce malicious peers, the sybils, to gain control over a fraction of the P2P network
Implement the spy:
◦ Crawl the DHT ID space
◦ Send hello requests to the peers
◦ When a route request initiated by non-sybil peer P reaches a sybil, that request will be answered with a set of sybils whose DHT IDs are closer to the target
◦ Store the content of all the requests received

13 Results for Crawling and Spying
Upper bound of Storm bots in OVERNET
◦ 45000 ~ 80000 concurrent online peers in OVERNET (October 2007 ~ February 2008)
Lower bound of Storm bots in OVERNET
◦ 5000 ~ 6000 distinct peers that publish Storm related content per day

14 Size Estimation for Stormnet

15 Search Activity & Publish Activity in Stormnet

16 Mitigation
Polluting
◦ Overwrite the content previously published under key K
◦ Publish files to all those peers having at least the first 4 bits in common with K
◦ A search for K will receive so many results (our fake announcements) that it is going to stop the search very soon
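An added simulation, not from the paper or these slides, that ties slide 8's publish/search behaviour to the polluting step on this slide: a command is published on the twenty peers closest to K, then fake announcements are published on every peer whose DHT ID shares K's first 4 bits, and a search that stops after a fixed number of results no longer sees the real content. The per-peer storage capacity (SLOTS), the result limit, and the function names are assumptions made here.

```python
import random

ID_BITS = 128
SLOTS = 8   # announcements a peer keeps per key; assumed capacity, newest first


def xor_distance(a: int, b: int) -> int:
    return a ^ b


def closest(peers, key: int, n: int) -> list[int]:
    """The n peers whose DHT IDs have the smallest XOR-distance to key."""
    return sorted(peers, key=lambda p: xor_distance(p, key))[:n]


def shares_prefix(peer: int, key: int, bits: int = 4) -> bool:
    """True if the first `bits` bits of the two DHT IDs agree (the slide's 4-bit rule)."""
    return peer >> (ID_BITS - bits) == key >> (ID_BITS - bits)


def publish(store: dict, key: int, value: str, targets) -> None:
    """Store an announcement on each target; entries beyond SLOTS are evicted,
    so repeated publishing overwrites what was stored under the key before."""
    for p in targets:
        entries = store.setdefault(p, {}).setdefault(key, [])
        entries.insert(0, value)
        del entries[SLOTS:]


def search(store: dict, peers, key: int, max_results: int = 50) -> list[str]:
    """Walk peers from closest to farthest and stop once max_results are collected."""
    results: list[str] = []
    for p in closest(peers, key, len(peers)):
        results.extend(store.get(p, {}).get(key, []))
        if len(results) >= max_results:
            break
    return results[:max_results]


def simulate(n_peers: int = 2000, seed: int = 1, fakes: int = 10) -> dict:
    """Constructed network; 'real' = controller's command at K, 'fake' = pollution."""
    rng = random.Random(seed)
    peers = {rng.getrandbits(ID_BITS) for _ in range(n_peers)}
    key = rng.getrandbits(ID_BITS)                        # constructed stand-in for K
    store: dict = {}
    publish(store, key, "real", closest(peers, key, 20))  # published on twenty peers
    before = search(store, peers, key)
    polluted = [p for p in peers if shares_prefix(p, key)]  # about 1/16 of all peers
    for _ in range(fakes):
        publish(store, key, "fake", polluted)
    after = search(store, peers, key)
    return {"polluted": len(polluted), "real_before": before.count("real"),
            "real_after": after.count("real"), "results_after": len(after)}
```

Because the twenty peers closest to K all lie inside the 4-bit prefix region, every copy of the real command is evicted, and the searcher fills its result limit with fakes from the first few peers it asks.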

17 Experiment
Polluting a hash used by Storm and searching at the same time for that hash

18 Conclusion
Extend the method of botnet tracking to P2P based botnets
Demonstrate the applicability by performing a case study of Storm Worm, thereby being the first to develop ways to mitigate Storm Worm.
Present the first empirical study of P2P botnets giving details about their propagation phase, their malicious activities, and other features

19 References
T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling, "Measurements and mitigation of peer-to-peer-based botnets: A case study on Storm Worm." In Proceedings of the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET'08), 2008.
