Kademlia: A Peer-to-Peer Information System Based on the XOR Metric
IPTPS '01 Revised Papers from the First International Workshop on Peer-to-Peer Systems
IPTPS '01 Revised Papers from the First International Workshop on Peer-to-Peer Systems
A multifaceted approach to understanding the botnet phenomenon
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
The Zombie roundup: understanding, detecting, and disrupting botnets
SRUTI'05 Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop
Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
Proceedings of the 7th ACM SIGCOMM conference on Internet measurement
Peer-to-peer botnets: overview and case study
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
BotHunter: detecting malware infection through IDS-driven dialog correlation
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm
LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
The heisenbot uncertainty problem: challenges in separating bots from chaff
LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
SS'08 Proceedings of the 17th conference on Security symposium
Your botnet is my botnet: analysis of a botnet takeover
Proceedings of the 16th ACM conference on Computer and communications security
LEET'10 Proceedings of the 3rd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
Friends of an enemy: identifying local members of peer-to-peer botnets using mutual contacts
Proceedings of the 26th Annual Computer Security Applications Conference
Boosting the scalability of botnet detection using adaptive traffic sampling
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
RatBot: anti-enumeration peer-to-peer botnets
ISC'11 Proceedings of the 14th international conference on Information security
Detecting malware's failover C&C strategies with squeeze
Proceedings of the 27th Annual Computer Security Applications Conference
Humans and bots in internet chat: measurement, analysis, and automated classification
IEEE/ACM Transactions on Networking (TON)
Computer Networks: The International Journal of Computer and Telecommunications Networking
Survey and taxonomy of botnet research through life-cycle
ACM Computing Surveys (CSUR)
Leveraging honest users: stealth command-and-control of botnets
WOOT'13 Proceedings of the 7th USENIX conference on Offensive Technologies
Hi-index | 0.00 |
Modern advanced botnets may employ a decentralized peer-to-peer overlay network to bootstrap and maintain their command and control channels, making them more resilient to traditional mitigation efforts such as server incapacitation. As an alternative strategy, the malware defense community has been trying to identify the bot-infected hosts and enumerate the IP addresses of the participating nodes so that the list can be used by system administrators to identify local infections, block spam emails sent from bots, and configure firewalls to protect local users. Enumerating the infected hosts, however, has presented challenges. One cannot identify infected hosts behind firewalls or NAT devices by employing crawlers, a commonly used enumeration technique where recursive get-peerlist lookup requests are sent newly discovered IP addresses of infected hosts. As many bot-infected machines in homes or offices are behind firewall or NAT devices, these crawler-based enumeration methods would miss a large portions of botnet infections. In this paper, we present the Passive P2P Monitor (PPM), which can enumerate the infected hosts regardless whether or not they are behind a firewall or NAT. As an empirical study, we examined the Storm botnet and enumerated its infected hosts using the PPM. We also improve our PPM design by incorporating a FireWall Checker (FWC) to identify nodes behind a firewall. Our experiment with the peer-to-peer Storm botnet shows that more than 40% of bots that contact the PPM are behind firewall or NAT devices, implying that crawler-based enumeration techniques would miss out a significant portion of the botnet population. Finally, we show that the PPM's coverage is based on a probability-based coverage model that we derived from the empirical observation of the Storm botnet.