Walowdac: Analysis of a Peer-to-Peer Botnet
林佳宜 (NTOU CSIE)
11/19/2015
Reference
Stock, B., Goebel, J., Engelberth, M., Freiling, F., and Holz, T. Walowdac: Analysis of a Peer-to-Peer Botnet. In European Conference on Computer Network Defense (November 2009).
Outline
Introduction
Waledac Botnet Structure
Analysis of Waledac
Conclusions
Introduction
Presents the authors' infiltration of the "Waledac" botnet
▫ the successor of the Storm Worm botnet
▫ responsible for sending spam e-mails
A clone of the Waledac bot, named Walowdac
▫ implements the bot's communication features
▫ does not cause any harm (no spamming, no propagation)
Collected data about the Waledac botnet for one month (August 6 to September 1, 2009)
Waledac Botnet Structure
Consists of four layers
▫ Spammers: carry out the spam campaigns; have no publicly reachable IP address (e.g. behind NAT)
▫ Repeaters: entry points for the bots; own a publicly reachable IP address
▫ Backend servers: answer the Spammers' requests (relayed through the Repeaters) and the fast-flux DNS queries
▫ Uninfected hosts
Contributions
Presents the results of yet another analysis of Waledac
In contrast to the analyses of previous decentralized botnets
Finds out more about the actual size of the botnet
Propagation Mechanisms
Waledac does not have any built-in propagation mechanism
▫ bots do not scan their local network for vulnerable hosts
Instead, Waledac propagates through social engineering
▫ Spammers send out e-mails masked as greeting cards
▫ the e-mails contain URLs pointing to the malicious binary
Infiltration Methodology
Implemented a script (Walowdac) that imitates a valid Waledac Repeater
▫ implements all of the communication features
▫ pushes several IP addresses of hosts running Walowdac into the node lists exchanged between Repeaters
▫ Repeaters do not validate the lists they receive
Walowdac sends a list of its own IP addresses to the Repeaters
▫ Spammer systems then start to connect to the Walowdac hosts, so their traffic can be observed
Botnet Size
Results reveal that the actual size of the botnet is by far bigger than expected
▫ a minimum population of 55,000 bots every day
▫ almost 165,000 active bots on a typical day
Several changes to the bot version during the measurement period
▫ version numbers between 33 and 46
Botnet Size
Waledac bots are identified by a node ID
The same node ID shows up in different autonomous systems (ASes)
▫ so the node ID alone is not a unique identifier for a bot
Between August 6 and September 1, 2009: 248,983 different node IDs
▫ the largest number on a single day was 102,748, on August 24
Recalculated using the pair (node ID, AS) as the identifier
▫ 164,182 bots on August 24
Cumulative distribution of IP addresses (1/2)
Uniqueness criterion: the pair (node ID, AS)
▫ 403,685 bots over the whole measurement period
The majority of IP addresses fall into two ranges
▫ 58.* to 99.*
▫ 186.* to 222.*
▫ corresponding mostly to North America and Europe
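The two counting criteria on the last two slides (node ID alone, then the pair (node ID, AS)) are easy to get wrong when the same bot checks in many times a day from a changing dynamic IP. The following is an added example, not code from the paper or from Walowdac: it deduplicates a small constructed set of bot check-ins under both criteria, per day and over the whole period, and lists the node IDs that were seen from more than one AS. The node IDs, AS numbers and IP addresses in the sample are made up.

```python
"""Botnet population estimates under two uniqueness criteria.

Added illustration for the Walowdac size measurement; not the authors'
code.  The check-in records below are constructed, and the node IDs,
AS numbers and IP addresses in them are made up."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CheckIn:
    """One bot contact as seen by an infiltrating Repeater (constructed)."""
    day: str        # YYYY-MM-DD
    node_id: str    # node ID reported by the bot
    asn: int        # autonomous system of the bot's source IP
    ip: str         # source IP; dynamic, so useless as a stable key


def by_node_id(c):
    return c.node_id


def by_node_id_and_as(c):
    """Criterion used after the same node ID showed up in different ASes:
    treat each (node ID, AS) pair as a separate bot."""
    return (c.node_id, c.asn)


def daily_population(checkins, key):
    """day -> number of distinct bots (under `key`) seen on that day."""
    seen = defaultdict(set)
    for c in checkins:
        seen[c.day].add(key(c))
    return {day: len(ids) for day, ids in sorted(seen.items())}


def total_population(checkins, key):
    """Distinct bots (under `key`) over the whole measurement period."""
    return len({key(c) for c in checkins})


def node_ids_in_several_ases(checkins):
    """Node IDs observed from more than one AS.  A large set here is the
    signal that counting by node ID alone undercounts the botnet."""
    ases = defaultdict(set)
    for c in checkins:
        ases[c.node_id].add(c.asn)
    return {nid for nid, a in ases.items() if len(a) > 1}


# Constructed sample: two days, repeated check-ins, a dynamic IP that
# changes overnight, and one node ID ("a1") seen from two different ASes.
SAMPLE = [
    CheckIn("2009-08-24", "a1", 7018, "63.0.0.10"),
    CheckIn("2009-08-24", "a1", 7018, "63.0.0.10"),   # same bot checking in again
    CheckIn("2009-08-24", "a1", 3320, "217.0.0.5"),   # same ID, different AS
    CheckIn("2009-08-24", "b2", 3320, "217.0.0.9"),
    CheckIn("2009-08-24", "c3", 12322, "90.0.0.2"),
    CheckIn("2009-08-25", "a1", 7018, "63.0.0.11"),   # dynamic IP changed
    CheckIn("2009-08-25", "d4", 7018, "63.0.0.12"),
]

if __name__ == "__main__":
    for name, key in (("node ID", by_node_id), ("node ID + AS", by_node_id_and_as)):
        print(f"{name}: per day {daily_population(SAMPLE, key)}, "
              f"total {total_population(SAMPLE, key)}")
    print("node IDs seen in several ASes:", node_ids_in_several_ases(SAMPLE))
```

On the sample, counting by node ID gives 3 bots on August 24 and 4 over the period, while counting by (node ID, AS) gives 4 and 5, mirroring the jump from 102,748 to 164,182 on the slides. Both criteria are bounds rather than exact counts: node ID alone merges two infections that share an ID, and (node ID, AS) splits a single bot that roams between networks, so a practitioner should report which criterion a figure uses.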
Cumulative distribution of IP addresses (2/2)
Spammers and Repeaters mostly originate from
▫ the US or Central Europe
Waledac Versions (1/2)
Each bot reports some information in its first packet
▫ a label identifying the campaign: e.g. birdie6 and swift, with 12.5 percent
▫ bots of version 46 are labelled "spyware"
Waledac Versions (2/2)
Waledac bots lack a decent update mechanism
▫ at the end of July, versions 34 to 36 were in use
▫ at the beginning of September, most bots run version 46
OS Versions
Windows XP still makes up the majority of all monitored bots
Spam Campaigns
Each Spammer reports the delivery status of every e-mail: ERR or OK
During the monitoring phase
▫ received a total of 662,611,078 notifications
▫ 167,784,234 of them (25.32%) were OK
Conclusions
Shows that it is possible to infiltrate Waledac
Measurement results reveal that the actual size of the botnet is by far bigger than expected
The volume of spam e-mails emitted by Waledac is very high
The malware changes rapidly, with new versions showing up almost every two weeks
Thanks for Your Attention
Q & A