Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm. Thorsten Holz, Moritz Steiner, Frederic Dahl, Ernst Biersack, Felix Freiling

Page 1: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

Thorsten Holz, Moritz Steiner, Frederic Dahl, Ernst Biersack, Felix Freiling

Page 2: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

What is a botnet?

A bot is a compromised computer with some remote control mechanism.

A botnet is a network of these machines.

Typically under the control of one person or group.

Page 3: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

How are they used?

Spam

DDoS

Phishing

Page 4: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

How are machines compromised?

Worms

Trojans (Storm)

Links to malicious sites (Storm)

Page 5: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

Tracking Botnets

The best technique is to use honeypots.

A bot must contain information on how to bootstrap itself within the botnet.

Obtain information on how to connect

Craft a special client to do so

Page 6: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

Botnet Control Mechanisms

IRC

HTTP

A custom method

P2P (the latest and greatest)

Page 7: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

Storm Botnet

Propagates solely through email

Named from the Kyrill Storm in Europe

At one point, responsible for ~10% of all spam

Changes social engineering theme in emails frequently

P2P

Page 8: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

Storm Botnet, cont.

Very sophisticated binary packer

Rootkit

Time synchronized with NTP

Page 9: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

P2P Botnets

Storm botnet uses P2P.

Publish/subscribe style of communication

Unauthenticated

Page 10: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

Publish/Subscribe

Information is not directly sent

An information provider publishes a piece of information, i, by using an identifier that is derived solely from i.

A consumer can subscribe to that information by using a filter on the identifiers

The identifiers are usually derived from specific content or a hash function

The P2P system matches the published items to the subscriptions and delivers the information

Page 11: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

Storm P2P Scheme

Uses the Overnet DHT (Distributed Hash Table) Routing Protocol

Also starting to use Stormnet, which is encrypted by XORing with a 40-byte key.

Still unauthenticated

Each client generates a 128-bit ID

Page 12: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

Routing Lookup

Uses prefix matching

Node a forwards a query for destination ID d to the node in its routing table that has the smallest XOR distance to d.

XOR distance is computed on the DHT IDs.

A peer stores more contacts that are close to its own ID than contacts that are far away.

Page 13: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

Routing Query

Done iteratively.

A node sends route requests to 3 peers, and they may or may not return peers that are even closer to the target DHT ID.

These closer peers are then queried in the same manner.
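The prefix-matching lookup of pages 12 and 13, as an added toy simulation (not the authors' crawler or any Storm code): node IDs are 128-bit integers, the distance is XOR, each node keeps a capped bucket of contacts per shared-prefix length, and a lookup queries 3 peers per step until the closest known peers have all been asked. The bucket size K, the network size and the table construction are constructed assumptions.

```python
import random

ID_BITS = 128   # Overnet/Storm client IDs are 128 bits (page 11)
ALPHA = 3       # route requests sent per lookup step (page 13)
K = 20          # contacts kept per bucket and returned per reply (constructed)

def xor_distance(a: int, b: int) -> int:
    """XOR distance between two DHT IDs (page 12)."""
    return a ^ b

def closest(candidates, target: int, n: int) -> list:
    """The n IDs in candidates with the smallest XOR distance to target."""
    return sorted(candidates, key=lambda x: xor_distance(x, target))[:n]

def build_network(n_nodes: int, seed: int = 1):
    """Constructed toy overlay: each node keeps one bucket per shared-prefix
    length, capped at K, so it knows many nearby IDs and few distant ones."""
    rng = random.Random(seed)
    ids = [rng.getrandbits(ID_BITS) for _ in range(n_nodes)]
    tables = {}
    for me in ids:
        buckets = {}
        for other in (x for x in ids if x != me):
            bucket = xor_distance(me, other).bit_length()  # 1 + highest differing bit
            if len(buckets.setdefault(bucket, [])) < K:
                buckets[bucket].append(other)
        tables[me] = [c for entries in buckets.values() for c in entries]
    return ids, tables

def iterative_lookup(tables, start: int, target: int):
    """Page 13: query the ALPHA closest unqueried known peers for their closest
    contacts to target; stop once the K closest known peers have all been asked.
    Returns (closest ID found, number of route requests sent)."""
    known, queried, requests = set(tables[start]), set(), 0
    while True:
        batch = [p for p in closest(known, target, K) if p not in queried][:ALPHA]
        if not batch:
            break
        for peer in batch:
            queried.add(peer)
            requests += 1
            known.update(closest(tables[peer], target, K))  # the peer's reply
    return closest(known, target, 1)[0], requests

def demo(n_nodes: int = 300, seed: int = 1):
    """Look up an existing node's ID starting from a different node."""
    ids, tables = build_network(n_nodes, seed)
    found, requests = iterative_lookup(tables, ids[0], ids[-1])
    return found == ids[-1], requests
```

Because every bucket only holds nodes that share a longer prefix with the target than the node being asked, each step strictly shrinks the XOR distance, which is why the lookup terminates at the exact target after a handful of requests.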

Page 14: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

Publishing in Depth

Uses a key to identify and retrieve information

To deal with node churn, a key is published on 20 peers and is periodically republished.

Infected machines search for keys that the controller publishes.

Page 15: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

Storm Communication

To find other Storm machines, a bot subscribes to a key computed as a function of the current day and a random number between 0 and 31.

f(d, r) = key

Page 16: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

Storm Publish Method

On Overnet, the Storm bots publish information in the following format: *.mpg;size=*

Page 17: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

Infiltrating a botnet

Can be dangerous

Craft a special P2P client

Goal is to defeat the control structure

Page 18: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

Crawling the Botnet

After building a custom P2P client, the authors can crawl the botnet using a BFS.

Issue route requests to find all the peers.

Takes 20 to 40 seconds.

Page 19: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

Spying on the Botnet

Use a Sybil attack.

Introduce malicious (Sybil) peers into the botnet to gain control over part or all of the network.

Can monitor traffic or reroute requests to the wrong peers

Page 20: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

Mitigation

When the attacker wants to issue a command, he publishes the information on the network.

Because the information is unauthenticated, any member of the P2P network can publish information.

From this, we can publish our own information to try to disrupt the communication channel

Page 21: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

Eclipse Attack

Position sybils closely around a keyword K.

Make the DHT IDs of the sybils close to the hash value of K.

Announce these sybils to the peers to poison the tables.

This does not completely eclipse a particular keyword, because Overnet uses the entire hash space for a keyword.

Page 22: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

Polluting

Publish a very large number of files using the keyword K.

This overwrites the real content previously published under K.

Their results showed that this is very effective.

Page 23: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

Pollution Results

As more polluted content is published, the share of true content decreases until it is virtually eliminated.
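The pollution effect of pages 20 to 23, as an added toy model (not the authors' code or anything from Overnet): because publishing is unauthenticated, a peer stores a defender's entries under key K exactly like the controller's, and a searching bot that stops after a fixed number of results sees fewer and fewer real entries. The per-key store limit, its oldest-first eviction, the 5 real records and the result count are constructed assumptions; the 20 replicas come from page 14.

```python
from collections import deque

STORE_LIMIT = 100     # entries a peer keeps per key before evicting the oldest (constructed)
REPLICAS = 20         # peers a key is published on (page 14)
SEARCH_RESULTS = 50   # entries a searcher collects before it stops (constructed)

class Peer:
    """One DHT peer responsible for key K. Publishes are unauthenticated
    (page 20): it cannot tell the controller's entries from anyone else's."""
    def __init__(self):
        self.store = {}   # key -> deque of (publisher, payload)

    def publish(self, key, publisher, payload):
        entries = self.store.setdefault(key, deque(maxlen=STORE_LIMIT))
        entries.append((publisher, payload))   # oldest entry dropped when full

    def search(self, key):
        return list(self.store.get(key, ()))

def publish_to_replicas(peers, key, publisher, payload):
    """Page 14: a key is stored on REPLICAS peers."""
    for peer in peers[:REPLICAS]:
        peer.publish(key, publisher, payload)

def true_fraction(peers, key):
    """Share of controller-published entries among the results a bot collects."""
    results = []
    for peer in peers:
        results.extend(peer.search(key))
        if len(results) >= SEARCH_RESULTS:
            break
    results = results[:SEARCH_RESULTS]
    return sum(1 for publisher, _ in results if publisher == "controller") / len(results)

def simulate(polluted_entries: int, key: str = "key-for-today") -> float:
    """Controller publishes 5 real records under key, then a defender publishes
    polluted_entries junk records under the same key (pages 22-23)."""
    peers = [Peer() for _ in range(REPLICAS)]
    for i in range(5):
        publish_to_replicas(peers, key, "controller", f"real-{i}.mpg;size={i}")
    for i in range(polluted_entries):
        publish_to_replicas(peers, key, "defender", f"junk-{i}.mpg;size=0")
    return true_fraction(peers, key)
```

With no pollution every collected result is real; with 45 junk records the real share is already down to 10%, and once the junk exceeds the store limit the real records are evicted and the share reaches zero.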

Page 24: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

Questions?