
Walowdac:Analysis of a Peer-to-Peer Botnet 林佳宜 NTOU CSIE 11/19/2015 1.


1 Walowdac: Analysis of a Peer-to-Peer Botnet
林佳宜, NTOU CSIE, m98570015@ntou.edu.tw

2 Reference
Stock, B., Goebel, J., Engelberth, M., Freiling, F., and Holz, T. Walowdac: Analysis of a Peer-to-Peer Botnet. In European Conference on Computer Network Defense (November 2009)

3 Outline
Introduction
Waledac Botnet Structure
Analysis of Waledac
Conclusions

4 Introduction
Present our infiltration of the “Waledac” botnet
▫successor of the Storm Worm botnet
▫responsible for spam emails
Clone of the Waledac bot named Walowdac
▫implements the communication features
▫does not cause any harm
Collected data about the Waledac botnet
▫for one month (August 6 to September 1, 2009)

5 Waledac Botnet Structure
Consists of four layers
▫Spammers:
 carry out the spam campaigns
 no publicly reachable IP address
▫Repeaters:
 entry points for bots
 own a publicly reachable IP address
▫Backend-Servers:
 answer the Spammers' requests and the fast-flux queries
▫Uninfected Hosts

6 Contributions
Present the results of yet another analysis of Waledac
In contrast to the analyses of previous decentralized botnets
Find out more about the actual size of the botnet

7 Propagation Mechanisms
Waledac does not own any built-in propagation mechanism
▫bots do not scan their local network
Instead, Waledac propagates via
▫social engineering
▫Spammers send out emails
Emails masked as greeting cards
▫URLs to the malicious binary

8 Infiltration Methodology
Implemented a script to imitate a valid Waledac Repeater
▫implements all communication
▫pushes several IP addresses of hosts running Walowdac
▫Repeaters do not validate the list
Walowdac sends a list of its own IP addresses to the Repeater
▫Spammer systems start to connect to us

9 (no text on this slide)

10 Botnet Size
Results reveal that the actual size of the botnet is
▫by far bigger than expected
▫a minimum population of 55,000 bots every day
▫almost 165,000 active bots on a typical day
Several changes to the botnet version
▫version numbers between 33 and 46

11 Botnet Size
Identify Waledac bots
▫by a node ID
Exposed in different autonomous systems
▫same node ID!?
Between August 6th and September 1, 2009
▫248,983 different node IDs
▫the maximum on a single day was 102,748 on August 24th
Recalculated using the node ID and AS
▫164,182 bots on August 24th
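The counting problem on slides 10 and 11 is that node IDs are not unique: the same ID shows up in different autonomous systems, so counting distinct IDs undercounts while counting distinct IPs (DHCP churn) overcounts. The script below is an added illustration, not code from the paper or these slides; it runs the two criteria (node ID alone vs. node ID plus AS) over a handful of constructed observation records and also lists the IDs that collide across ASes. The record layout and all values are constructed assumptions.

```python
"""Active-bot counting under the node-ID and node-ID+AS uniqueness criteria.

All observations below are constructed sample data, not measurements from
the Walowdac paper. A real input would be the connection log of the fake
Repeater: one record per observed bot connection.
"""
from collections import defaultdict
from datetime import date

# Constructed observations: (day, node_id, source_ip, asn)
OBSERVATIONS = [
    (date(2009, 8, 24), "aaa1", "58.1.2.3",   4134),   # bot A
    (date(2009, 8, 24), "aaa1", "58.1.2.4",   4134),   # bot A after a DHCP address change
    (date(2009, 8, 24), "aaa1", "200.5.6.7",  7303),   # same node ID, different AS: another bot
    (date(2009, 8, 24), "bbb2", "99.9.9.9",   7018),
    (date(2009, 8, 25), "aaa1", "58.1.2.5",   4134),
    (date(2009, 8, 25), "ccc3", "186.1.1.1", 27699),
    (date(2009, 8, 25), "ccc3", "186.1.1.2", 27699),
]


def daily_counts(observations):
    """Return {day: (distinct node IDs, distinct (node ID, AS) pairs, distinct IPs)}.

    The middle value is the paper's corrected criterion: a node ID seen in two
    autonomous systems is treated as two bots.
    """
    by_id, by_id_as, by_ip = defaultdict(set), defaultdict(set), defaultdict(set)
    for day, node_id, ip, asn in observations:
        by_id[day].add(node_id)
        by_id_as[day].add((node_id, asn))
        by_ip[day].add(ip)
    return {day: (len(by_id[day]), len(by_id_as[day]), len(by_ip[day]))
            for day in sorted(by_id)}


def period_counts(observations):
    """Same three counts over the whole monitoring period."""
    ids = {rec[1] for rec in observations}
    id_as = {(rec[1], rec[3]) for rec in observations}
    ips = {rec[2] for rec in observations}
    return len(ids), len(id_as), len(ips)


def colliding_node_ids(observations):
    """Map each node ID that appears in more than one AS to the set of ASNs seen."""
    ases = defaultdict(set)
    for _, node_id, _, asn in observations:
        ases[node_id].add(asn)
    return {node_id: asns for node_id, asns in ases.items() if len(asns) > 1}


if __name__ == "__main__":
    for day, (n_id, n_id_as, n_ip) in daily_counts(OBSERVATIONS).items():
        print(f"{day}: by node ID {n_id}, by node ID+AS {n_id_as}, by IP {n_ip}")
    print("whole period (ID, ID+AS, IP):", period_counts(OBSERVATIONS))
    print("node IDs seen in several ASes:", colliding_node_ids(OBSERVATIONS))
```

The ID+AS count sits between the two naive counts: it collapses the DHCP re-addressing of one bot while keeping the two distinct hosts that happen to share a node ID, which is exactly why the slide's recalculated figure for August 24 is higher than the plain node-ID count but lower than the IP count.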

12 Cumulative distribution of IP (1/2)
IP uniqueness criteria
▫node ID and AS
▫403,685 bots
IP majority located in
▫58.*~99.*
▫186.*~222.*
 North America
 Europe

13 Cumulative distribution of IP (2/2)
Spammers and Repeaters mostly originated from
▫the US or Central Europe

14 Waledac Versions (1/2)
Bots send some information
▫in the bot's first packet
▫label:
 campaigns identified
 birdie6 and swift, with 12.5 percent
 version 46 bots are called “spyware”

15 Waledac Versions (2/2)
Waledac bots lack a decent update mechanism
▫at the end of July the version is 34~36
▫at the beginning of September most are version 46

16 OS Versions
Windows XP still makes up most of all monitored bots

17 Spam Campaigns
Spammer reports the status for each email
▫ERR or OK
Monitoring phase
▫received a total of 662,611,078 notifications
▫167,784,234 were OK (25.32%)

18 Conclusions
Show that it is possible to infiltrate Waledac
Measurement results reveal that the actual size of the botnet is by far bigger than expected
The number of spam emails emitted by Waledac is very high
Rapid changes to the malware, with new versions showing up almost every two weeks

19 Thanks for Your Attention
Q & A

