Peer to Peer Botnets by Mehedy Masud

Botnets ● Introduction ● History ● Taxonomy ● Overview ● Case studies ● New technique ● Detection and Prevention

Taxonomy

Peer2Peer Bots: Overview & Case Studies
● Julian B. Grizzard – Johns Hopkins
● Vikram Sharma, Chris Nunnery, and Brent ByungHoon Kang – North Carolina, Chapel Hill
● David Dagon – Georgia Institute of Technology
(HotBots)

Peer2Peer BotNets: History
● Napster: earliest Peer2Peer protocol
– Not completely P2P
– Shut down after it was found to be illegal
● Gnutella
– Completely decentralized
● Recent protocols
– Chord
– Kademlia

Botnet Goals
● All kinds of botnets have the same goals
– Information dispersion
– Information harvesting
– Information processing
● Information dispersion
– Spam, phishing, DoS etc.
– Economic benefit
● Information harvesting
– Identity data, passwords, relationship data etc.
– Direct economic benefit
● Information processing
– Cracking passwords

Case Study: Trojan.Peacomm
● Uses the Overnet P2P protocol
● Overnet implements a distributed hash table based on the Kademlia algorithm
● After infection, secondary injections are automatically downloaded from the P2P network
● This enables the attacker to arbitrarily upgrade, control, or command bots

Experimental Setup
● Trojan.Peacomm was executed within a honeypot in the UNCC HoneyNet Lab
● The honeypot was a VMware virtual machine running Windows XP
● Connections to the Internet were controlled by a HoneyWall
● The PerilEyez malware analysis tool was used to detect changes in the system
● Pcap logs were kept; the specimen ran for two weeks

Initial bot
● The executable is installed
● Connects to the P2P network and downloads the secondary injection
● Distributed as a trojan horse
● The PerilEyez tool is used to capture system state before and after infection (file system / open ports / services)
● It adds the system driver “wincomm32.sys” to the host
– The driver is injected into the Windows process “services.exe”

Initial bot (continued)
– This service acts as a P2P client that downloads the secondary injection
– The initial peer list is saved in %system%\wincom.ini
● Windows Firewall is disabled
● Ports opened:
– TCP 139
– UDP 123, 137 etc.
● The initial peer list is hard-coded
● This could be a central point of failure

Communication Protocol
● Protocol summary
– Overnet, implementing Kademlia
– A 128-bit numeric space is used
– Values are mapped into the numeric space with keys
– Key/value pairs are stored on the nearest peers, with distance computed by the XOR function
– A list of nodes is kept for each bucket in the numeric space
● Steps
– Connect to Overnet
– Download the secondary injection URL
– Decrypt the secondary injection URL
– Download the secondary injection
– Execute the secondary injection
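The XOR metric is what makes the "nearest peer" and "bucket" statements above concrete, and it is also what a defender crawling such a network has to reproduce in order to know which peers would hold a given key. The following is an added example, not code from the slides or from any Overnet/Kademlia implementation: it models a 128-bit key space, XOR distance, the bucket index derived from that distance, and storage/lookup of a value on the k peers closest to its key. The use of MD5 in `key_from_bytes` is an assumption made only so the example runs everywhere (Overnet's real key derivation is not described on the page), and the node identifiers and sample values are constructed.

```python
"""Kademlia-style XOR routing over a 128-bit numeric space (added example)."""
import hashlib
from typing import Dict, Iterable, List, Optional

KEY_BITS = 128
KEY_MASK = (1 << KEY_BITS) - 1


def key_from_bytes(data: bytes) -> int:
    """Map arbitrary content into the 128-bit numeric space.
    Assumption: MD5 is used here purely as a stand-in 128-bit hash."""
    return int.from_bytes(hashlib.md5(data).digest(), "big") & KEY_MASK


def xor_distance(a: int, b: int) -> int:
    """Kademlia distance: bitwise XOR of the two identifiers."""
    return a ^ b


def bucket_index(self_id: int, other_id: int) -> int:
    """Bucket i holds nodes whose distance from us lies in [2^i, 2^(i+1)).
    That is the position of the highest differing bit, so i = bit_length - 1."""
    d = xor_distance(self_id, other_id)
    if d == 0:
        raise ValueError("a node does not store itself in its routing table")
    return d.bit_length() - 1


def closest_nodes(target: int, nodes: Iterable[int], k: int = 3) -> List[int]:
    """Return the k node ids with the smallest XOR distance to target."""
    return sorted(nodes, key=lambda n: xor_distance(target, n))[:k]


def store_value(table: Dict[int, Dict[int, bytes]], key: int, value: bytes,
                nodes: Iterable[int], k: int = 3) -> List[int]:
    """Replicate (key, value) on the k nodes nearest the key; return those nodes.
    `table` is a constructed in-memory stand-in for the per-node stores."""
    holders = closest_nodes(key, nodes, k)
    for n in holders:
        table.setdefault(n, {})[key] = value
    return holders


def lookup(table: Dict[int, Dict[int, bytes]], key: int,
           nodes: Iterable[int], k: int = 3) -> Optional[bytes]:
    """Ask the k nodes nearest the key; the first one holding it answers."""
    for n in closest_nodes(key, nodes, k):
        if key in table.get(n, {}):
            return table[n][key]
    return None


if __name__ == "__main__":
    # Constructed toy network: five small node ids inside the 128-bit space.
    nodes = [0b0001, 0b0010, 0b0100, 0b1000, 0b1111]
    table: Dict[int, Dict[int, bytes]] = {}
    key = 0b1011
    print("stored on", store_value(table, key, b"payload-url", nodes, k=2))
    print("lookup ->", lookup(table, key, nodes, k=2))
    print("bucket of 0b0110 as seen from 0b1010:", bucket_index(0b1010, 0b0110))
```

Because distance is symmetric and every node keeps one bucket per differing-bit position, a crawler that knows the key (for Peacomm, one of the day's search keys) can compute exactly which peers to ask, which is how the trace analysis later on the page can reason about "nearest peers" for each key.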

Secondary Injection
● Types of secondary injection
– Downloader and rootkit component
– SMTP spamming component
– Address harvester
– Propagation component
– DDoS tool
● All of these can be rooted from one injection
● Can periodically update itself by searching through the P2P network
● This provides the basic command and control functionality

Searching the Download URL
● A search key is generated in the bot using an algorithm that uses the system date and a random number (0..31)
● So the botmaster needs to publish a new URL under 32 different keys on a particular day
● The bot searches for this key in its initial peer list
● If it is not found at a peer, the request is forwarded to other peers

Searching the Download URL
● If a match is found, a result is returned
● The “result” hash is used as a decryption key, paired with another key that is hardcoded in the bot
● Also, the response packet contains a single meta-tag named “id”
● The body of the tag contains the encrypted URL

Index Poisoning
● P2P networks contain an index for each piece of content
● Index poisoning means adding bogus records to indexes
● For example, adding a fake IP/port corresponding to a file
● Trojan.Peacomm has index poisoning capability
● Possible motive: slowing down infection or measuring the number of bots

Network Trace Analysis
● [Figure: Number of remote IPv4 addresses contacted over time for the duration of the infection. Annotations: start of infection; steep slope (initial connections); slowing down (saturation)]

Network Trace Analysis (Contd…)
● Network traces are parsed
● It is found that the bot searches for five keys
● Key1 is the hash of its own IP
– It periodically searches key1 to find the nearest peers
● Key2 and Key4 are never found
● Key3 and Key5 are found after a short search
● Key3 is found in 6 seconds, key5 is found in 3 seconds

Network Trace Analysis (Contd…)
● This indicates that “command latency” for P2P bots is low (but higher than for centralized botnets)
● Number of unique hosts contacted directly: 4200
● Total unique IPs found in Overnet packets: 10,105
● The same search requests appeared from another machine
– Possibly infected by Trojan.Peacomm

Conclusion
● This paper describes a case study of Trojan.Peacomm, a P2P bot
● Describes how it propagates and contacts its C&C
● Analysis of the network trace is presented

Detecting P2P Botnets
● Reinier Schoof & Ralph Koning – University of Amsterdam
● Appeared as a technical report, Feb 2007

Overview
● Spreading
– File sharing over a P2P network
– Uses popular filenames to entice download
● Command and Control
– Unlike IRC, bots do not wait for a command
– The botmaster joins the network as a peer
– Passes the command along to its peers
● Protocols
– Phatbot uses the WASTE protocol
– Nugache and Spamthru use home-made protocols

Experiments
● Two bots are analysed in a controlled environment
– Nugache
– Sinit
● The test environment consists of
– Four computers
– Three running Windows XP
– One running FreeBSD; this runs softflowd to act as a software router connecting the three machines and collecting all netflows

Bot analysis
● Sinit
– Trojan horse
– Uses P2P to spread itself
– Tries to reach other Sinit-infected hosts by sending discovery packets to port 53 of random IPs
– Establishes a connection when it receives a discovery response packet
– The two hosts exchange lists of peers
– Connects to those peers
– Runs a web server to publish /kx.exe, which is the Sinit binary
– The random IP scan generates a lot of ICMP type 3 (host unreachable) errors

Bot analysis (Contd…)
● Nugache
– Trojan horse
– Opens TCP port 8, connects to a hard-coded list of peers
– Exchanges peer lists after connection
– Starts DDoS when commanded
– Commands are encrypted/obfuscated
– Spreads over AIM
– Installs the initial peer list in the Windows registry
– This list is updated dynamically
– Uses an obfuscated communication channel

Bot analysis (Contd…)
● PhatBot
– A cousin of AgoBot
– Uses the WASTE protocol
– It is an encrypted open-source P2P network
– The bot finds other peers by using cache servers on the Gnutella P2P network
– Looks for clients identified as GNUT, a Gnutella client
– Has a list of processes to kill when it runs, consisting of antivirus and competing malware

Detection
● Open ports
– A specific port or range of ports must be opened
– Monitoring those ports may enable detection
– May result in false positives (when other applications use the specific ports) or
– False negatives (when normal ports are used for bot communication)
● Connection failures
– May result in a lot of ICMP type 3 errors
● Peer discovery
– A static peer list may be a central point of failure
– Random scanning is very inefficient
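The "connection failures" signal above, together with the Sinit observation that random-IP discovery produces many ICMP type 3 replies, can be turned into a simple flow-level check like the one the FreeBSD softflowd collector in the test setup would feed. The following is an added example, not code from the report or from softflowd: it parses constructed flow records in a flat `src dst proto port-or-type/code` format (an assumed format, not NetFlow's real encoding), counts per host the outbound TCP/UDP attempts, distinct remote peers and ICMP type 3 replies received, and flags hosts whose failure ratio is high once they have made enough attempts to judge. All addresses and flows are constructed for the example.

```python
"""Flag hosts whose outbound attempts mostly bounce as ICMP type 3 (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, str, str]  # (src, dst, proto, dst_port or icmp type/code)


@dataclass
class HostStats:
    attempts: int = 0                       # outbound TCP/UDP flows the host initiated
    peers: Set[str] = field(default_factory=set)  # distinct remote IPs it tried to reach
    unreachable: int = 0                    # ICMP type 3 replies addressed back to it


def parse_flows(text: str) -> List[Flow]:
    """Parse 'src dst proto last' lines; blank lines and '#' comments are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, last = line.split()
        flows.append((src, dst, proto, last))
    return flows


def summarise(flows: List[Flow]) -> Dict[str, HostStats]:
    """Accumulate per-host attempt, fan-out and unreachable counters."""
    stats: Dict[str, HostStats] = defaultdict(HostStats)
    for src, dst, proto, last in flows:
        if proto in ("tcp", "udp"):
            h = stats[src]
            h.attempts += 1
            h.peers.add(dst)
        elif proto == "icmp" and last.split("/")[0] == "3":
            # A destination-unreachable error is sent back to the original sender,
            # so it is credited to the flow's destination host.
            stats[dst].unreachable += 1
    return stats


def flag_scanners(stats: Dict[str, HostStats], min_attempts: int = 10,
                  min_failure_ratio: float = 0.5) -> Dict[str, dict]:
    """Return hosts with enough attempts whose unreachable/attempt ratio is high.
    min_attempts guards against judging a host on a handful of flows."""
    flagged: Dict[str, dict] = {}
    for host, h in stats.items():
        if h.attempts < min_attempts:
            continue
        ratio = h.unreachable / h.attempts
        if ratio >= min_failure_ratio:
            flagged[host] = {"attempts": h.attempts, "peers": len(h.peers),
                             "failure_ratio": round(ratio, 2)}
    return flagged


def constructed_flows() -> str:
    """Constructed sample records (not captured traffic)."""
    lines = []
    # 10.0.0.5: 12 UDP/53 discovery probes to 12 different addresses, 9 bounce.
    for i in range(12):
        lines.append(f"10.0.0.5 203.0.113.{i + 1} udp 53")
        if i < 9:
            lines.append(f"203.0.113.{i + 1} 10.0.0.5 icmp 3/1")
    # 10.0.0.6: 12 HTTPS flows to 3 servers, all reachable (ordinary client).
    for i in range(12):
        lines.append(f"10.0.0.6 192.0.2.{i % 3 + 1} tcp 443")
    # 10.0.0.7: 4 probes that all fail, but too few to judge by default.
    for i in range(4):
        lines.append(f"10.0.0.7 203.0.113.{50 + i} udp 53")
        lines.append(f"203.0.113.{50 + i} 10.0.0.7 icmp 3/1")
    return "\n".join(lines)


if __name__ == "__main__":
    stats = summarise(parse_flows(constructed_flows()))
    for host, info in flag_scanners(stats).items():
        print(host, info)
```

The `min_attempts` floor is the practical answer to the false-positive concern on the slide: a laptop that briefly loses connectivity also collects a few ICMP type 3 replies, so the ratio is only meaningful after a host has tried enough distinct destinations. The `peers` count is kept alongside because the same collector can report the fan-out curve the earlier trace analysis plotted (many distinct remote addresses early, then saturation).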

Conclusion
● P2P botnets pose a significant threat to the future Internet community
● Although the current P2P protocols used by the bots are inefficient, they are likely to be made efficient
● There are some detection techniques, but none of them is very reliable