Towards complete node enumeration in a peer-to-peer botnet

Authors:
Brent ByungHoon Kang;Eric Chan-Tin;Christopher P. Lee;James Tyra;Hun Jeong Kang;Chris Nunnery;Zachariah Wadler;Greg Sinclair;Nicholas Hopper;David Dagon;Yongdae Kim
Affiliations:
University of North Carolina at Charlotte;University of Minnesota;Georgia Institute of Technology;University of Minnesota;University of Minnesota;University of North Carolina at Charlotte;University of North Carolina at Charlotte;University of North Carolina at Charlotte;University of Minnesota;Georgia Institute of Technology;University of Minnesota
Venue:
Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
Year:
2009

Citing 11
Cited 10

Kademlia: A Peer-to-Peer Information System Based on the XOR Metric

IPTPS '01 Revised Papers from the First International Workshop on Peer-to-Peer Systems
The Sybil Attack

IPTPS '01 Revised Papers from the First International Workshop on Peer-to-Peer Systems
A multifaceted approach to understanding the botnet phenomenon

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
The Zombie roundup: understanding, detecting, and disrupting botnets

SRUTI'05 Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop
How dynamic are IP addresses?

Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
A global view of kad

Proceedings of the 7th ACM SIGCOMM conference on Internet measurement
Peer-to-peer botnets: overview and case study

HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
BotHunter: detecting malware infection through IDS-driven dialog correlation

SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm

LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
The heisenbot uncertainty problem: challenges in separating bots from chaff

LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection

SS'08 Proceedings of the 17th conference on Security symposium

Your botnet is my botnet: analysis of a botnet takeover

Proceedings of the 16th ACM conference on Computer and communications security
Tumbling down the rabbit hole: exploring the idiosyncrasies of botmaster systems in a multi-tier botnet infrastructure

LEET'10 Proceedings of the 3rd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
Friends of an enemy: identifying local members of peer-to-peer botnets using mutual contacts

Proceedings of the 26th Annual Computer Security Applications Conference
Boosting the scalability of botnet detection using adaptive traffic sampling

Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
RatBot: anti-enumeration peer-to-peer botnets

ISC'11 Proceedings of the 14th international conference on Information security
Detecting malware's failover C&C strategies with squeeze

Proceedings of the 27th Annual Computer Security Applications Conference
Humans and bots in internet chat: measurement, analysis, and automated classification

IEEE/ACM Transactions on Networking (TON)
Botnets: A survey

Computer Networks: The International Journal of Computer and Telecommunications Networking
Survey and taxonomy of botnet research through life-cycle

ACM Computing Surveys (CSUR)
Leveraging honest users: stealth command-and-control of botnets

WOOT'13 Proceedings of the 7th USENIX conference on Offensive Technologies

Quantified Score

Hi-index	0.00

Visualization

Abstract

Modern advanced botnets may employ a decentralized peer-to-peer overlay network to bootstrap and maintain their command and control channels, making them more resilient to traditional mitigation efforts such as server incapacitation. As an alternative strategy, the malware defense community has been trying to identify the bot-infected hosts and enumerate the IP addresses of the participating nodes so that the list can be used by system administrators to identify local infections, block spam emails sent from bots, and configure firewalls to protect local users. Enumerating the infected hosts, however, has presented challenges. One cannot identify infected hosts behind firewalls or NAT devices by employing crawlers, a commonly used enumeration technique where recursive get-peerlist lookup requests are sent newly discovered IP addresses of infected hosts. As many bot-infected machines in homes or offices are behind firewall or NAT devices, these crawler-based enumeration methods would miss a large portions of botnet infections. In this paper, we present the Passive P2P Monitor (PPM), which can enumerate the infected hosts regardless whether or not they are behind a firewall or NAT. As an empirical study, we examined the Storm botnet and enumerated its infected hosts using the PPM. We also improve our PPM design by incorporating a FireWall Checker (FWC) to identify nodes behind a firewall. Our experiment with the peer-to-peer Storm botnet shows that more than 40% of bots that contact the PPM are behind firewall or NAT devices, implying that crawler-based enumeration techniques would miss out a significant portion of the botnet population. Finally, we show that the PPM's coverage is based on a probability-based coverage model that we derived from the empirical observation of the Storm botnet.