
1 Peer to Peer Botnets by Mehedy Masud

2 Botnets
● Introduction
● History
● Taxonomy
● Overview
● Case studies
● New technique
● Detection and Prevention

3 Taxonomy

4 Peer2Peer Bots: Overview & Case Studies
● Julian B. Grizzard – Johns Hopkins University
● Vikram Sharma, Chris Nunnery, and Brent ByungHoon Kang – University of North Carolina at Charlotte
● David Dagon – Georgia Institute of Technology
HotBots 2007

5 Peer2Peer BotNets: History
● Napster: the earliest widely used Peer2Peer protocol
– Not completely P2P (search went through a central index server)
– Shut down after it was found to facilitate copyright infringement
● Gnutella
– Completely decentralized
● Recent protocols
– Chord
– Kademlia

6 Botnet Goals
● All kinds of botnets share the same goals
– Information dispersion
– Information harvesting
– Information processing
● Information dispersion
– Spam, phishing, DoS, etc.
– Economic benefit
● Information harvesting
– Identity data, passwords, relationship data, etc.
– Direct economic benefit
● Information processing
– Cracking passwords

7 Case Study: Trojan.Peacomm
● Uses the Overnet P2P protocol
● Overnet implements a distributed hash table based on the Kademlia algorithm
● After infection, secondary injections are automatically downloaded from the P2P network
● This enables the botmaster to arbitrarily upgrade, control, or command the bots

8 Experimental Setup
● Trojan.Peacomm was executed within a honeypot in the UNCC HoneyNet Lab
● The honeypot was a VMware virtual machine running Windows XP
● Connections to the Internet were controlled by a Honeywall
● The PerilEyez malware analysis tool was used to detect changes to the system
● Pcap logs were kept; the specimen ran for two weeks

9 Initial bot
● Distributed as a trojan horse by email
● The executable is installed, connects to the P2P network and downloads the secondary injection
● PerilEyez is used to capture system state before and after infection (file system / open ports / services)
● It adds the system driver "wincom32.sys" to the host
– The driver is injected into the Windows process "services.exe"

10 Initial bot (continued)
– This service acts as a P2P client that downloads the secondary injection
– The initial peer list is saved in %system%\wincom32.ini
● Windows Firewall is disabled
● Ports opened:
– TCP 139, 12474
– UDP 123, 137, etc.
● The initial peer list is hard-coded
– This could be a central point of failure

11 Communication Protocol
● Protocol summary
– Overnet, implementing Kademlia
– A 128-bit identifier space is used
– Values are mapped into the identifier space by their keys
– A key/value pair is stored on the node(s) whose ID is nearest to the key, where distance is the XOR of the two IDs
– A list of known nodes (a k-bucket) is kept for each range of the identifier space
● Steps
– Connect to Overnet
– Download the secondary injection URL
– Decrypt the secondary injection URL
– Download the secondary injection
– Execute the secondary injection

12 Secondary Injection
● Types of secondary injection
– Downloader and rootkit component
– SMTP spamming component
– Email address harvester
– Email propagation component
– DDoS tool
● All of these can be delivered starting from a single initial injection
● The bot can periodically update itself by searching the P2P network
● This provides the basic command and control functionality

13 Searching for the Download URL
● A search key is generated in the bot by an algorithm that uses the system date and a random number (0..31)
● So the botmaster needs to publish a new URL under 32 different keys on a particular day
● The bot searches for this key among its initial peer list
● If a peer does not have it, the request is forwarded to other peers

14 Searching for the Download URL (continued)
● If a match is found, a result is returned
● The "result" hash is used as a decryption key, paired with another key that is hard-coded in the bot
● The response packet also contains a single meta-tag named "id"
● The body of the tag contains the encrypted URL
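The two mechanisms on slides 11, 13 and 14, the XOR-distance DHT lookup and the "publish under 32 keys per day" rendezvous, in one runnable Python example. This is an added illustration, not code from the Peacomm paper or these slides: the ID space, XOR metric and k-bucket rule follow Kademlia as described, but the key schedule `daily_keys()` is a constructed stand-in (the slides only say "system date and a random number 0..31", not the real derivation), the toy `Dht` class collapses the peer-to-peer forwarding into a global "nearest nodes" computation, and all node IDs, dates and the secret are made up.

```python
"""Kademlia-style XOR lookup plus the "publish under 32 daily keys" pattern.

Added example: not code from the Peacomm paper or the slides. The ID space,
XOR metric and k-bucket rule follow Kademlia; daily_keys() is a constructed
stand-in for the bot's undisclosed key schedule.
"""
import hashlib
import random
from datetime import date

ID_BITS = 128  # Overnet/Kademlia use a 128-bit identifier space


def node_id(label):
    """Constructed: derive a 128-bit ID from a label (real peers pick random IDs)."""
    return int.from_bytes(hashlib.md5(label.encode()).digest(), "big")


def xor_distance(a, b):
    """Kademlia distance: XOR of the two IDs, compared as integers."""
    return a ^ b


def closest_nodes(target, nodes, k=3):
    """The k known node IDs nearest to target under the XOR metric."""
    return sorted(nodes, key=lambda n: xor_distance(n, target))[:k]


def bucket_index(own_id, other):
    """Which k-bucket (0..ID_BITS-1) `other` belongs to, relative to own_id:
    the position of the most significant differing bit. -1 for own_id itself."""
    return xor_distance(own_id, other).bit_length() - 1


def daily_keys(day, secret, n=32):
    """Constructed key schedule: hash(secret || date || i) for i in 0..n-1.
    The slides only say 'system date and a random number (0..31)'; the real
    derivation is not given, so this is an assumption."""
    return [
        int.from_bytes(
            hashlib.md5(secret + day.isoformat().encode() + bytes([i])).digest(), "big"
        )
        for i in range(n)
    ]


class Dht:
    """Global-view toy DHT: the iterative peer-to-peer forwarding described on
    the slides is collapsed into a direct 'nearest nodes' computation."""

    def __init__(self, node_ids, k=3):
        self.nodes = list(node_ids)
        self.k = k
        self.store = {}  # node_id -> {key: value}

    def publish(self, key, value):
        """Botmaster side: store the value on the k nodes nearest to key."""
        for n in closest_nodes(key, self.nodes, self.k):
            self.store.setdefault(n, {})[key] = value

    def lookup(self, key):
        """Bot side: ask the k nodes nearest to key; None if nobody has it."""
        for n in closest_nodes(key, self.nodes, self.k):
            if key in self.store.get(n, {}):
                return self.store[n][key]
        return None


def bot_fetch(dht, day, secret, rng):
    """A bot picks one of the 32 daily keys at random and searches for it."""
    return dht.lookup(daily_keys(day, secret)[rng.randrange(32)])


def demo():
    nodes = [node_id("peer-%d" % i) for i in range(50)]
    dht = Dht(nodes)
    today, secret = date(2007, 4, 10), b"hardcoded-bot-key"  # constructed values
    # The botmaster must publish under all 32 keys, otherwise a bot that draws
    # an unpublished index misses the update.
    for key in daily_keys(today, secret):
        dht.publish(key, "encrypted-url-blob")
    found = all(
        bot_fetch(dht, today, secret, random.Random(seed)) == "encrypted-url-blob"
        for seed in range(100)
    )
    # Yesterday's keys resolve to nothing: the schedule rotates each day.
    stale = dht.lookup(daily_keys(date(2007, 4, 9), secret)[0])
    return found, stale


if __name__ == "__main__":
    print(demo())  # (True, None)
```

The point a defender takes from this: because the key schedule is a pure function of the date (plus a small nonce), anyone who recovers it from the binary can compute the same 32 keys and either observe what the botmaster publishes or publish their own records under them, which is the weakness the index-poisoning and sinkholing discussions later in the deck build on.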

15 Index Poisoning
● P2P networks contain indexes corresponding to each piece of content
● Index poisoning means adding bogus records to those indexes
● For example, adding a fake IP/port corresponding to a file
● Trojan.Peacomm has index poisoning capability
● Possible motives: slowing down infection, or measuring the number of bots

16 Network Trace Analysis
● Figure: number of remote IPv4 addresses contacted over time for the duration of the infection (annotated: start of infection; steep slope during the initial connections; slowing down as the peer set saturates)

17 Network Trace Analysis (continued)
● The network traces are parsed
● The bot is found to search for five keys
● Key1 is the hash of its own IP
– It periodically searches for Key1 to find its nearest peers
● Key2 and Key4 are never found
● Key3 and Key5 are found after a short search
– Key3 is found in 6 seconds, Key5 in 3 seconds

18 Network Trace Analysis (continued)
● This indicates that the "command latency" for P2P bots is low (though higher than for centralized botnets)
● Number of unique hosts contacted directly: 4,200
● Total unique IPs found in Overnet packets: 10,105
● The same search requests appeared from another machine
– Possibly also infected by Trojan.Peacomm

19 Conclusion
● This paper describes a case study of Trojan.Peacomm, a P2P bot
● It describes how the bot propagates and contacts its C&C
● An analysis of the network trace is presented

20 Detecting P2P Botnets
● Reinier Schoof & Ralph Koning – University of Amsterdam
Appeared as a technical report, February 2007

21 Overview
● Spreading
– File sharing over a P2P network
– Uses popular filenames to entice download
● Command and Control
– Unlike IRC bots, the bots do not wait for a command from a server
– The botmaster joins the network as a peer
– Commands are passed along from peer to peer
● Protocols
– Phatbot uses the WASTE protocol
– Nugache and SpamThru use home-made protocols

22 Experiments
● Two bots are analysed in a controlled environment
– Nugache
– Sinit
● The test environment consists of four computers
– Three running Windows XP
– One running FreeBSD, which runs softflowd and acts as a software router connecting the three machines and collecting all netflows

23 Bot analysis
● Sinit
– Trojan horse
– Uses P2P to spread itself
– Tries to reach other Sinit-infected hosts by sending discovery packets to port 53 of random IPs
– Establishes a connection when it receives a discovery response packet
– The two hosts exchange their lists of peers
– Connects to those peers
– Runs a web server to publish /kx.exe, which is the Sinit binary
– The random IP scan generates a lot of ICMP type 3 (destination unreachable) errors

24 Bot analysis (continued)
● Nugache
– Trojan horse
– Opens TCP port 8; connects to a hard-coded list of peers
– Exchanges peer lists after connecting
– Starts a DDoS when commanded
– Commands are encrypted/obfuscated
– Spreads over AIM
– Installs the initial peer list in the Windows registry
– This list is updated dynamically
– Uses an obfuscated communication channel

25 Bot analysis (continued)
● PhatBot
– A cousin of AgoBot
– Uses the WASTE protocol, an encrypted open-source P2P protocol
– The bot finds other peers by using cache servers of the Gnutella P2P network
– Looks for clients identifying themselves as GNUT, a Gnutella client
– Has a list of processes to kill when it runs, consisting of antivirus products and competing malware

26 Detection
● Open ports
– A specific port or range of ports must be open
– Monitoring those ports may enable detection
– May result in false positives (when other applications use the same ports)
– or false negatives (when common ports are used for bot communication)
● Connection failures
– Random scanning may result in a lot of ICMP type 3 errors
● Peer discovery
– A static peer list may be a central point of failure
– Random scanning is very inefficient
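The "connection failures" heuristic on slide 26, applied to the Sinit behaviour on slide 23, as a runnable Python example over netflow-style records. This is added illustration code, not the authors' tooling: the record format (`ts src dst proto a b`, with `a`/`b` being ports for TCP/UDP and ICMP type/code for ICMP) and the sample traffic are constructed here, and `parse_flow()` would be replaced by a reader for a real softflowd/nfdump export. The thresholds are assumptions to be tuned per network.

```python
"""Flow-level heuristics for the P2P-bot behaviours described on the slides:
Sinit-style discovery probes to port 53 on many random IPs, and the burst of
ICMP type 3 (destination unreachable) replies that such a scan provokes.

Added example, not the authors' tooling. The flow line format and the sample
traffic are constructed; replace parse_flow() for a real softflowd/nfdump export.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    a: int      # source port, or ICMP type
    b: int      # destination port, or ICMP code


def parse_flow(line):
    """Parse one constructed record: '<ts> <src> <dst> <proto> <a> <b>'."""
    ts, src, dst, proto, a, b = line.split()
    return Flow(float(ts), src, dst, proto.lower(), int(a), int(b))


def unreachable_counts(flows):
    """ICMP type 3 messages delivered to each host (any code)."""
    counts = defaultdict(int)
    for f in flows:
        if f.proto == "icmp" and f.a == 3:
            counts[f.dst] += 1
    return dict(counts)


def discovery_scanners(flows, port=53, min_targets=20):
    """Hosts that send to one port on many *distinct* destinations.
    Counting distinct destinations (not packets) keeps a busy but legitimate
    resolver client, which talks to one or two servers, out of the result."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto in ("tcp", "udp") and f.b == port:
            targets[f.src].add(f.dst)
    return {h: len(t) for h, t in targets.items() if len(t) >= min_targets}


def suspicious_hosts(flows, port=53, min_targets=20, min_unreachable=10):
    """Flag a host only when both signals agree: a wide scan on the discovery
    port AND a pile of unreachable replies coming back to it. Requiring both
    is what keeps the false-positive rate the slides warn about tolerable."""
    scanners = discovery_scanners(flows, port, min_targets)
    unreach = unreachable_counts(flows)
    return sorted(h for h in scanners if unreach.get(h, 0) >= min_unreachable)


def sample_lines():
    """Constructed traffic: 10.0.0.5 sprays 30 probes to port 53 across
    203.0.113.0/24 and gets 25 unreachables back from the gateway 192.0.2.1;
    10.0.0.7 does five ordinary DNS queries to the local resolver 10.0.0.1."""
    lines, t = [], 0.0
    for i in range(30):
        lines.append("%.1f 10.0.0.5 203.0.113.%d udp 53 53" % (t, i + 1))
        t += 0.1
        if i % 6 != 0:
            lines.append("%.1f 192.0.2.1 10.0.0.5 icmp 3 1" % t)
    for i in range(5):
        lines.append("%.1f 10.0.0.7 10.0.0.1 udp %d 53" % (t, 40000 + i))
        t += 0.1
    return lines


def analyse(lines):
    """Run all three heuristics over a list of flow lines."""
    flows = [parse_flow(line) for line in lines]
    return {
        "unreachable": unreachable_counts(flows),
        "scanners": discovery_scanners(flows),
        "suspicious": suspicious_hosts(flows),
    }


if __name__ == "__main__":
    print(analyse(sample_lines()))
```

The caveat the slide states applies here too: this catches the inefficient random-scan discovery of Sinit, but a bot that bootstraps from a hard-coded or registry-stored peer list (Nugache, Peacomm) never generates the unreachable burst, so the same flow data would need the open-port heuristic instead.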

27 Conclusion
● P2P botnets pose a significant threat to the future Internet community
● Although the P2P protocols currently used by bots are inefficient, they are likely to be made efficient
● There are some detection techniques, but none of them is very reliable
