Decentralized Peer-to-Peer Botnet Architectures

Botnets have historically used centralized architectures for their command and control (C&C) systems. While such systems are simple to deploy and reason about, they have a critical weak point: the central server that coordinates messages and routes traffic, which defenders can locate and take down. Recently, decentralized architectures with peer-to-peer (P2P) routing have given malware authors increased resilience and location obfuscation for command distribution points, since any peer can inject or relay a command and no single host is required for the botnet to function. To date, botnets with these topologies have been difficult for defenders to enumerate accurately and remediate effectively. In this chapter, we describe the architectures, capabilities, functional behaviors, and current mitigation efforts for the Nugache, Storm, and Mayday botnets.
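The resilience argument above can be made concrete with a small simulation. The following is an added example, not code from the chapter or from any of the botnets it describes. It assumes a simplified model: a centralized botnet is a star with the C&C server at node 0, a P2P botnet is an unstructured overlay in which every peer links to at least `degree` random peers, commands propagate by flooding, and a takedown removes the best-connected nodes first. The `crawl` function models a defender enumerating the overlay by asking each discovered peer for its peer list, optionally with a bounded reply size. All graph sizes, node ids and function names are assumptions made for the example.

```python
import random
from collections import deque


def build_centralized(n):
    """Star topology: node 0 is the C&C server, every bot talks only to it."""
    adj = {i: set() for i in range(n)}
    for bot in range(1, n):
        adj[0].add(bot)
        adj[bot].add(0)
    return adj


def build_p2p(n, degree, rng):
    """Unstructured overlay: each peer links to at least `degree` random peers.
    This is an assumed simplification of the peer lists real P2P bots exchange."""
    adj = {i: set() for i in range(n)}
    for i in range(n):
        while len(adj[i]) < degree:
            j = rng.randrange(n)
            if j != i:
                adj[i].add(j)
                adj[j].add(i)
    return adj


def highest_degree(adj, k):
    """The k best-connected nodes: what a takedown would target first."""
    return set(sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:k])


def reachable(adj, seeds, removed):
    """Peers that a command injected at `seeds` reaches by flooding,
    after the nodes in `removed` have been taken down."""
    seen = {s for s in seeds if s not in removed}
    queue = deque(seen)
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in removed and v not in seen:
                seen.add(v)
                queue.append(v)
    return seen


def command_coverage(adj, seeds, removed):
    """Fraction of surviving nodes that still receive the command."""
    alive = [v for v in adj if v not in removed]
    return len(reachable(adj, seeds, removed)) / len(alive) if alive else 0.0


def crawl(adj, seed, reply_limit, rng):
    """Enumerate the overlay as a defender's crawler would: query each
    discovered peer once for its peer list. With `reply_limit` set, a peer
    reveals only that many neighbours, so parts of the graph stay hidden."""
    known = {seed}
    pending = deque([seed])
    while pending:
        u = pending.popleft()
        neighbours = sorted(adj[u])
        if reply_limit is not None and len(neighbours) > reply_limit:
            neighbours = rng.sample(neighbours, reply_limit)
        for v in neighbours:
            if v not in known:
                known.add(v)
                pending.append(v)
    return known


def simulate(n=200, degree=4, takedown=20, seed=1):
    """Compare a star C&C and a P2P overlay under the same takedown pressure.
    Parameters are constructed values for the example, not measurements."""
    rng = random.Random(seed)
    star = build_centralized(n)
    p2p = build_p2p(n, degree, rng)

    # In the star the herder injects at the server; removing the single
    # best-connected node (the server) is the whole takedown.
    star_removed = highest_degree(star, 1)
    # In the overlay the herder injects at any surviving peer it controls,
    # even after the `takedown` best-connected peers are gone.
    p2p_removed = highest_degree(p2p, takedown)
    inject = min(set(p2p) - p2p_removed)

    return {
        "star_intact": command_coverage(star, [0], set()),
        "star_after_takedown": command_coverage(star, [0], star_removed),
        "p2p_intact": command_coverage(p2p, [inject], set()),
        "p2p_after_takedown": command_coverage(p2p, [inject], p2p_removed),
        "crawl_full": len(crawl(p2p, 0, None, rng)),
        "crawl_limited": len(crawl(p2p, 0, 1, rng)),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:>20}: {value}")
```

Removing one node collapses the star to zero coverage, while the overlay keeps delivering commands to almost every surviving peer even after its twenty best-connected nodes are gone. The crawl results show the enumeration problem: a crawler that gets full peer lists eventually sees the whole overlay, but one that receives a single neighbour per reply discovers only a fraction of it, which is why real enumeration efforts repeatedly re-query peers and still cannot be sure the list is complete.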
