Reliable Recon in Adversarial Peer-to-Peer Botnets

The decentralized nature of peer-to-peer (P2P) botnets precludes traditional takedown strategies, which target dedicated command-and-control infrastructure. P2P botnets replace that infrastructure with command channels distributed across the whole infected population, so mitigation relies heavily on accurate reconnaissance techniques that map the botnet population: crawlers, which actively request peer lists from bots, and sensors, which passively record the bots that contact them. Prior work has studied passive disturbances to reconnaissance accuracy, such as IP churn and NAT gateways, but active anti-reconnaissance attacks have received no such treatment. This work shows that active attacks against crawlers and sensors occur frequently in major P2P botnets. Moreover, we show that current crawlers and sensors in the Sality and Zeus botnets produce easily detectable anomalies, which makes them prone to such attacks. Based on these findings, we categorize and evaluate vectors for stealthier and more reliable P2P botnet reconnaissance.
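
The two reconnaissance techniques named in the abstract, and the effect of NAT gateways on each, can be illustrated with a small simulation. The code below is an added example written for this page, not the paper's tooling and not any real botnet protocol: the topology (twelve bots, every third one behind NAT, fixed-size peer lists of routable peers only), the peer-exchange rounds, the `SENSOR` identifier and the uncapped peer-list merging are all constructed assumptions. A crawler walks peer lists breadth-first and can only talk to bots that accept inbound connections; a sensor is advertised into peer lists and logs the source of every bot that contacts it, which NAT'd bots can do because the connection is outbound.

```python
"""Toy simulation of P2P botnet reconnaissance: a crawler that walks peer lists
versus a sensor node that bots contact. Constructed model for illustration only;
not the paper's code and not the behaviour of any real botnet."""
from collections import deque

SENSOR = "sensor"  # hypothetical id of the defender-operated sensor node


class Bot:
    def __init__(self, bot_id, natted):
        self.id = bot_id
        self.natted = natted      # behind NAT: accepts no inbound connections
        self.peers = set()        # ids currently in this bot's peer list


def build_botnet(n_bots=12, list_size=2):
    """Constructed topology: every third bot is NAT'd; each peer list holds the next
    `list_size` routable bots in id order (a bot only stores peers it can reach)."""
    bots = {i: Bot(i, natted=(i % 3 == 0)) for i in range(n_bots)}
    routable = [i for i in range(n_bots) if not bots[i].natted]
    for b in bots.values():
        ring = [r for r in routable if r > b.id] + [r for r in routable if r < b.id]
        b.peers = set(ring[:list_size])
    return bots


def crawl(bots, seed_id):
    """Active crawler: breadth-first peer-list requests starting at one known bot.
    Returns the ids that answered a request; NAT'd bots never can, and they are
    never listed by others either, so the crawler does not even learn they exist."""
    seen, queue, answered = {seed_id}, deque([seed_id]), set()
    while queue:
        cur = queue.popleft()
        if cur == SENSOR or bots[cur].natted:
            continue                      # inbound request times out
        answered.add(cur)
        for p in bots[cur].peers:
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return answered


def inject_sensor(bots, targets):
    """Advertise the sensor to the bots a crawler could talk to (the routable ones)."""
    for t in targets:
        bots[t].peers.add(SENSOR)


def run_sensor(bots, rounds):
    """Passive sensor: in every peer-exchange round each bot contacts the peers in
    its list. A bot that contacts the sensor is logged (its source address is
    visible even from behind NAT); otherwise it merges the contacted peer's list
    into its own. Returns the cumulative set of logged ids after each round."""
    log, history = set(), []
    for _ in range(rounds):
        for b in bots.values():
            for p in list(b.peers):          # snapshot: new entries count next round
                if p == SENSOR:
                    log.add(b.id)
                else:
                    b.peers |= bots[p].peers  # simplification: no peer-list size cap
        history.append(frozenset(log))
    return history


def coverage(found, bots):
    """Fraction of the real population a reconnaissance method enumerated."""
    return len(found) / len(bots)


if __name__ == "__main__":
    bots = build_botnet()
    crawled = crawl(bots, seed_id=1)
    print("crawler answered by", sorted(crawled), "coverage", coverage(crawled, bots))
    inject_sensor(bots, crawled)
    for i, seen in enumerate(run_sensor(bots, rounds=2), 1):
        print("sensor after round", i, "coverage", coverage(seen, bots))
```

With this topology the crawler enumerates every routable bot and none of the NAT'd ones (8 of 12), while the sensor, after the routable bots have passed its address on during one exchange round, is contacted by all 12. The same model also shows why the two methods leave different footprints: the crawler's request pattern (one node asking every reachable bot for its list) and the sensor's presence in a disproportionate number of peer lists are exactly the kind of behaviour a botmaster can look for, which is the anomaly problem the abstract raises.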
