08 Storm LEET


  • 7/31/2019 08 Storm LEET


Pi1 - Laboratory for Dependable Distributed Systems

Measurements and Mitigation of Peer-to-Peer-based Botnets
A Case Study on Storm Worm

Thorsten Holz, Moritz Steiner, Frederic Dahl, Ernst Biersack, and Felix Freiling


Thorsten Holz, LEET08 - Measurements and Mitigation of Peer-to-Peer-based Botnets, Universität Mannheim

Outline

Introduction
Botnet tracking for peer-to-peer botnets
Inside Storm Worm (briefly)
Tracking Storm Worm
Measurement results
Conclusion


Introduction

Most work in the past focused on bots with a central command & control server, commonly IRC and HTTP.
Peer-to-peer botnets are out there: most media attention goes to Storm, but others exist, e.g., Nugache.
Basic question: How can we track P2P botnets and learn more about them?


Botnet Tracking

Class of botnets considered:
1. Peer-to-peer network architecture
2. Content-based publish / subscribe-style communication
3. Unauthenticated communication


Very loosely coupled communication: the consumer does not know who published the information, and the provider does not know who received it.


Botnet Tracking

Extension of the botnet tracking methodology (ESORICS05) to peer-to-peer botnets:
1. Exploiting the P2P bootstrapping process
2. Infiltration and analysis
3. Mitigation

Goal: as much automation as possible.


Inside Storm

Propagation is purely based on spam / social engineering linking to web sites (see the work by Kreibich et al.).
With the help of spamtraps, we can obtain copies of these propagation mails.
Client honeypots analyze the mails, click on the links, and get infected (like a normal user would).
We can thus obtain new samples in an automated way.


Inside Storm

Network-level behavior:
First versions: Overnet (Kademlia-based DHT).
Obfuscation was added in October 2007; called Stormnet in the following.
Seems to change from DHT to linked list (lightning talk by David Dagon? :-))


Inside Storm

Bot communication (simplified, valid for Overnet):
The infected machine searches for specific keys within the network.
The botmaster knows in advance which keys are searched for and publishes commands there (rendezvous points).



Authentication

challenge1: 0x55018273   response1: 0x6bd87335   XOR: 0x3ED9F146
challenge2: 0x387fa822   response2: 0x06a65964   XOR: 0x3ED9F146
challenge3: 0xf00e5810   response3: 0xced7a956   XOR: 0x3ED9F146

Challenge XOR response is the same constant in every exchange.
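An added check, not from the paper, that tests captured challenge/response pairs for the constant-XOR property shown above; the three pairs are the ones on the slide, and the keyed-hash responder is a constructed contrast showing what the same check reports for a real challenge/response.

```python
import hashlib
import hmac

# The three exchanges captured on the slide.
STORM_PAIRS = [
    (0x55018273, 0x6BD87335),
    (0x387FA822, 0x06A65964),
    (0xF00E5810, 0xCED7A956),
]

def xor_constant(pairs):
    # Return the shared constant if challenge XOR response is identical for every
    # captured pair (the response is then a fixed function of the challenge and
    # carries no secret); None if the XORs differ. A single pair proves nothing.
    if len(pairs) < 2:
        return None
    constants = {challenge ^ response for challenge, response in pairs}
    return constants.pop() if len(constants) == 1 else None

def hmac_pairs(key, challenges):
    # Constructed contrast: a keyed-hash responder, truncated to 32 bits like the
    # Storm values; its challenge XOR response varies from exchange to exchange.
    return [(c, int.from_bytes(hmac.new(key, c.to_bytes(4, "big"), hashlib.sha256)
                               .digest()[:4], "big")) for c in challenges]
```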


Key Search


Modes

[Figure: diagram of the two bot modes; labels: Spam/DoS-Bots, Gateways, Controller, "TCP and Overnet", HTTP, 69.41.162.69, 216.255.189.210]

Two different modes: NAT or public IP address.
Actually, Storm Worm is a hybrid network with a P2P component for lookup.


Infiltration

Algorithm 1: send thread (is executed once per crawl)
Data: peer: struct{IP address, port number, DHT ID}
Data: shared list Peers = list of peer elements
      /* the list of peers filled by the receive thread and worked on by the send thread */
Data: int position = 0
      /* the position in the list up to which the peers have already been queried */
Data: list ids = list of 16 properly chosen DHT ID elements

Peers.add(seed);                                  /* initialize the list with the seed peer */
while position < size(Peers) do
    for i = 1 to 16 do
        dest_DHT_ID = Peers[position].DHT_ID XOR ids[i];   /* normalize bucket to the peer's position */
        send route_request(dest_DHT_ID) to Peers[position];
    position++;

Algorithm 2: receive thread (waits for the route response messages)
Data: message mess = route response message
Data: peer: struct{IP address, port number, DHT ID}
Data: shared list Peers = list of peer elements   /* the list shared with the send thread */

while true do
    wait for (mess = route response) message;
    foreach peer ∈ mess do
        if peer ∉ Peers then Peers.add(peer);

Crawler algorithm, adapted version of the KAD crawler by Steiner et al.
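As an added example, not the paper's crawler, the following Python simulates Algorithms 1 and 2 against a constructed in-memory Overnet-style network; the choice of the 16 bucket IDs, the routing-table size and the number of contacts returned per route response are assumptions.

```python
import random
from dataclasses import dataclass

ID_BITS = 128           # Overnet uses 128-bit DHT IDs
CONTACTS_PER_PEER = 20  # assumption: routing-table size of each simulated peer
K_CLOSEST = 10          # assumption: contacts returned per route response

@dataclass(frozen=True)
class Peer:
    ip: str
    port: int
    dht_id: int

def bucket_ids(count=16):
    # The 16 "properly chosen" IDs (our assumption; the slide does not spell them out):
    # one per leading bit, so XORing them onto a peer's own ID targets its top buckets.
    return [1 << (ID_BITS - 1 - i) for i in range(count)]

def build_network(n, seed=7):
    # Constructed network: n peers with random IDs, each knowing a random subset of
    # the others plus its successor, so every peer is reachable; fixed seed = reproducible.
    rng = random.Random(seed)
    peers = [Peer(f"10.0.{i >> 8}.{i & 255}", 4000 + i, rng.getrandbits(ID_BITS))
             for i in range(n)]
    tables = {}
    for i, p in enumerate(peers):
        contacts = set(rng.sample(peers, CONTACTS_PER_PEER)) | {peers[(i + 1) % n]}
        contacts.discard(p)
        tables[p] = contacts
    return peers, tables

def route_response(tables, queried, dest_id):
    # Stand-in for the queried peer's reply: its K_CLOSEST contacts by XOR distance.
    return sorted(tables[queried], key=lambda c: c.dht_id ^ dest_id)[:K_CLOSEST]

def crawl(tables, seed_peer):
    # Algorithms 1 and 2 in one loop: the send side walks the shared list in order,
    # the receive side appends every peer from a route response not seen before.
    peers, seen = [seed_peer], {seed_peer}
    position = 0
    while position < len(peers):
        querying = peers[position]
        for bucket in bucket_ids():
            dest_id = querying.dht_id ^ bucket      # normalize bucket to peer's position
            for peer in route_response(tables, querying, dest_id):
                if peer not in seen:
                    seen.add(peer)
                    peers.append(peer)
        position += 1
    return peers
```

Because the simulated peers answer only with the closest contacts from their own tables, the crawl discovers the network the same way the real one does: breadth-first over the peers learned so far.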


Results

[Figure: Number of bots in Stormnet, split by geo-location; x-axis: date (12-15 to 02-02), y-axis: storm bots (0 to 40000); series: US, IN, --, TR]


Spying On Content

Sybil attack: introduce 2^24 peers into the botnet.
The first 24 bits of the DHT ID are different, the rest is fixed.
We inject them into the DHT and can observe route / publish request messages.
We can now monitor requests within the whole network (and observe many other researchers).


Results

[Figure: Search activity in Stormnet; x-axis: date (11-24 to 02-02), y-axis: 0 to 8000; series: ip addresses, hashes]


Results

[Figure: Publish activity in Stormnet; x-axis: date (11-24 to 02-02), y-axis: 0 to 500; series: ip addresses, hashes]


Mitigation

Eclipsing content (special form of Sybil attack):
To eclipse keyword K, position a certain number of sybils closely around K (in terms of XOR distance).
Poison the routing tables of regular peers and attract route request messages for K.
Does not work in practice, since content is spread through the entire hash space and not restricted to the zone around K.
Works for KAD, as shown by Steiner et al.


Mitigation

Polluting content:
Prevent peers from retrieving search results for K by publishing a large number of files using K.
Overwrite content previously published as K. Storm bots continuously publish, so this is an arms race.
First crawl the network, then publish files to peers having at least the first 4 bits in common with K.
A publish takes 5 seconds; 400 of 2200 peers accept.


Results

[Figure: search results during content pollution, two panels: standard search (x-axis: minutes, 0 to 80; y-axis: results, 0 to 100) and exhaustive search (x-axis: minutes, 0 to 100; y-axis: results, 0 to 2x10^4); series: storm, pollution; start and stop of pollution marked]


Thorsten Holz
http://pi1.informatik.uni-mannheim.de/
[email protected]

Pi1 - Laboratory for Dependable Distributed Systems

Acknowledgments: Thanks to the network staff and the anonymous reviewers

More info: http://honeyblog.org