Published by Rosa Johns. Modified over 9 years ago.
Slide 1: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm
Thorsten Holz, Moritz Steiner, Frederic Dahl, Ernst Biersack, Felix Freiling
Slide 2: What is a botnet?
- A bot is a hacked computer with some remote control mechanism.
- A botnet is a network of these machines, typically under the control of one person or group.
Slide 3: How are they used?
- Spam
- DDoS
- Phishing
Slide 4: How are machines compromised?
- Worms
- Trojans (Storm)
- Links to malicious sites (Storm)
Slide 5: Tracking Botnets
- The best technique is to use honeypots.
- A bot must contain information on how to bootstrap itself within the botnet.
- Obtain that information on how to connect, then craft a special client to do so.
Slide 6: Botnet Control Mechanisms
- IRC
- HTTP
- A custom method
- P2P (the latest and greatest)
Slide 7: Storm Botnet
- Propagates solely through email.
- Named after the Kyrill storm in Europe.
- At one point, responsible for ~10% of all spam.
- Changes the social engineering theme of its emails frequently.
- P2P
Slide 8: Storm Botnet, cont.
- Very sophisticated binary packer
- Rootkit
- Time synchronized with NTP
Slide 9: P2P Botnets
- The Storm botnet uses P2P.
- Publish/subscribe style of communication
- Unauthenticated
Slide 10: Publish/Subscribe
- Information is not sent directly to its consumers.
- An information provider publishes a piece of information, i, using an identifier derived solely from i.
- A consumer subscribes to that information by using a filter on the identifiers.
- The identifiers are usually derived from specific content or from a hash function.
- The P2P system matches the published items to the subscriptions and delivers the information.
Slide 11: Storm P2P Scheme
- Uses the Overnet DHT (Distributed Hash Table) routing protocol.
- Also starting to use Stormnet, which is encrypted by XORing with a 40-byte key. Still unauthenticated.
- Each client generates a 128-bit ID.
Slide 12: Routing Lookup
- Uses prefix matching.
- Node a forwards a query for an ID d to the node in its routing table whose ID has the smallest XOR distance to d.
- XOR distance is computed on the DHT IDs.
- A peer stores more contacts whose IDs are close to its own.
Slide 13: Routing Query
- Done iteratively.
- A node sends route requests to 3 peers, which may or may not return peers that are even closer to the target DHT ID.
- These closer peers are then queried in the same manner.
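The XOR-distance routing from slides 12 and 13, as an added simulation that is not part of the presentation or the paper: a small network of 128-bit IDs, per-peer routing tables that are denser for nearby IDs, and an iterative lookup that sends route requests to 3 peers at a time and follows the closer peers they return. The bucket size of 4, the stop rule and the constructed random network are assumptions of this example.

```python
import random
ID_BITS = 128    # Overnet IDs and keys are 128-bit, as on the slides
ALPHA = 3        # route requests sent per lookup round (slides: "3 peers")
BUCKET_SIZE = 4  # contacts kept per prefix bucket (assumption for the simulation)
K_CLOSEST = 3    # stop once the K_CLOSEST closest known peers have all answered (assumption)

def xor_distance(a: int, b: int) -> int:
    return a ^ b  # the DHT metric: XOR of the two IDs, compared as an integer

def highest_differing_bit(a: int, b: int) -> int:
    return (a ^ b).bit_length() - 1  # prefix matching: first bit (from the top) where a, b differ

class Peer:  # a simulated peer: an ID plus a routing table that is denser for nearby IDs
    def __init__(self, peer_id: int):
        self.id = peer_id
        self.buckets = {}  # highest differing bit -> known IDs sharing that prefix length with us

    def learn(self, other: int) -> None:
        if other == self.id:
            return
        bucket = self.buckets.setdefault(highest_differing_bit(self.id, other), [])
        if other not in bucket and len(bucket) < BUCKET_SIZE:
            bucket.append(other)

    def find_node(self, target: int) -> list:
        # answer a route request with the ALPHA known contacts XOR-closest to target
        contacts = [c for bucket in self.buckets.values() for c in bucket]
        return sorted(contacts, key=lambda c: xor_distance(c, target))[:ALPHA]

def build_network(n_peers: int, seed: int = 1) -> dict:
    # constructed network: random IDs, each peer fills its buckets from a shuffled peer list
    rng = random.Random(seed)
    ids = [rng.getrandbits(ID_BITS) for _ in range(n_peers)]
    peers = {pid: Peer(pid) for pid in ids}
    for p in peers.values():
        for other in rng.sample(ids, len(ids)):
            p.learn(other)
    return peers

def iterative_lookup(peers: dict, start: int, target: int) -> int:
    # iterative routing as on the slides: query 3 peers, keep the closer peers they return, repeat
    known, queried = {start}, set()
    while True:
        closest = sorted(known, key=lambda p: xor_distance(p, target))[:K_CLOSEST]
        pending = [p for p in closest if p not in queried][:ALPHA]
        if not pending:
            return closest[0]  # every one of the closest known peers has answered: converged
        for p in pending:
            queried.add(p)
            known.update(peers[p].find_node(target))
```

Because every contact in the bucket for the first bit where a peer and the target differ is strictly closer to the target than that peer, each round makes progress, and the lookup ends on the peer whose ID is XOR-closest to the target.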
Slide 14: Publishing in Depth
- Uses a key to identify and retrieve information.
- To deal with node churn, a key is published on 20 peers and is periodically republished.
- Infected machines search for keys that the controller publishes.
Slide 15: Storm Communication
- To find other Storm machines, a bot subscribes to a key computed as a function of the current day d and a random number r between 0 and 31: f(d, r) = key.
Slide 16: Storm Publish Method
- On Overnet, the Storm bots publish information in the following format: *.mpg;size=*
Slide 17: Infiltrating a Botnet
- Can be dangerous.
- Craft a special P2P client.
- The goal is to defeat the control structure.
Slide 18: Crawling the Botnet
- After building a custom P2P client, the authors can crawl the botnet using a BFS: issue route requests to find all the peers.
- Takes 20 to 40 seconds.
Slide 19: Spying on the Botnet
- Use a Sybil attack: introduce malicious peers to the botnet to gain control of parts or all of the network.
- Can monitor traffic or reroute requests to the wrong peers.
Slide 20: Mitigation
- When the attacker wants to issue a command, he publishes the information on the network.
- Because the information is unauthenticated, any member of the P2P network can publish information.
- From this, we can publish our own information to try to disrupt the communication channel.
Slide 21: Eclipse Attack
- Position Sybils closely around a keyword K: make the DHT IDs of the Sybils close to the hash value of K.
- Announce these Sybils to the peers to poison their routing tables.
- Does not completely eclipse a particular keyword, since Overnet uses the entire hash space for a keyword.
Slide 22: Polluting
- Publish a very large number of files using the keyword K. This overwrites the real content previously published under K.
- Their results showed that this is very effective.
Slide 23: Pollution Results
- As more polluted content is published, the true content decreases and is virtually eliminated.
Slide 24: Questions?