Walowdac:Analysis of a Peer-to-Peer Botnet 林佳宜 NTOU CSIE 11/19/2015 1

Reference Stock, B., Goebel, J., Engelberth, M., Freiling, F., and Holz, T. Walowdac:Analysis of a Peer-to- Peer Botnet. In European Conference on Computer Network Defense (November 2009) 11/19/2015 2

Outline Introduction Waledac Botnet Structure Analysis of Waledac Conclusions 11/19/2015 3

Introduction Present our inltration of the “Waledac” botnet ▫Storm Worm botnet ▫responsible spam s Clone of the Waledac bot named Walowdac ▫implements the communication features ▫not cause any harm Collected data about the Waledac botnet ▫one month (August 6 and September 1, 2009) 11/19/2015 4

Waledac Botnet Structure Consists of four layers ▫Spammers:  carry out the spam campaigns  no publicly reachable IP address ▫Repeaters:  entry points for bot  own publicly reachable IP address ▫Backend-Servers  answer Spammers 、 the fast-flux queries ▫Uninfected Host 11/19/2015 5

Contributions Present the results of yet another analysis of Waledac In contrast to the analysis of previous decentralized botnets Find out more about the actual size of the botnet 11/19/2015 6

Propagation Mechanisms Waledac not own any built-in propagation mechanisms ▫bot not scan their local network Instead, Waledac propagates ▫social engineering ▫Spammers send out s masked as greeting cards ▫URLs to malicious binary 11/19/2015 7

Infiltration Methodology Implemented a script to imitate a valid Waledac Repeater ▫Implements all communication ▫push several IP addresses of hosts running Walowdac ▫repeaters do not validate the list Walowdac sends a list of its own IP addresses to the Repeater ▫Spammer systems start to connect to us. 11/19/2015 8

9

Botnet Size Results reveal that the actual size of the botnet ▫by far bigger than expected ▫a minimum population of 55,000 bots every day ▫almost 165,000 active bots on a typical day Several changes to the botnet version ▫version number between 33~46 11/19/

Botnet Size Identify Waledac botnet ▫by a node ID Exposing in dierent auto nomous systems ▫same node ID!? Between August 6th and September 1, 2009 ▫248,983 dierent node IDs ▫single day was 102,748 on August 24 th Recalculated using the node ID and AS ▫164,182 bots on August 24 th 11/19/

Cumulative distribution of IP(1/2) IP uniqueness criteria ▫node ID and AS ▫403,685 bots IP Majority located ▫58.*~99.* ▫186.*~222.*  North America  Europe 11/19/

Cumulative distribution of IP(2/2) Spammers and Repeaters most originated ▫the US or in Central Europe 11/19/

Waledac Versions(1/2) Bot some informaiton ▫sent at the bot's first packet ▫label:  campaigns identied  birdie6 and swift, with 12,5 percent  version 46 are called “spyware” 11/19/

Waledac Versions(2/2) Waledac bots lack a decent update mechanism The version is 34~36 At the end of July The beginning of September most is version 46 11/19/

OS Versions Windows XP still makes up most of all monitored bots 11/19/

Spam Campaigns Spammer reports the status for each ▫ERR or OK Monitoring phase ▫received a total of 662,611,078 notications ▫167,784,234 were OK (25.32%) 11/19/

Conclusions Show it is possible to inltrate the Waledac Measurement results reveal that the actual size of the botnet is by far bigger than expected Spam s emitted by Waledac is very high The rapid changes to the malware with new versions showing up almost every two weeks 11/19/

Thanks for Your Attention Q & A 11/19/