Peer to Peer Botnets
by Mehedy Masud

Botnets
●Introduction
●History
●Taxonomy
●Overview
●Case studies
●New technique
●Detection and Prevention

Taxonomy

Peer2Peer Bots: Overview & Case Studies
●Julian B. Grizzard
  –Johns Hopkins
●Vikram Sharma, Chris Nunnery, and Brent ByungHoon Kang
  –North Carolina, Chapel Hill
●David Dagon
  –Georgia Institute of Technology
HotBots - 2007

Peer2Peer BotNets: History
●Napster: earliest Peer2Peer protocol
  –Not completely P2P
  –Shut down after being found illegal
●Gnutella
  –Completely decentralized
●Recent protocols
  –Chord
  –Kademlia

Botnet Goals
●All kinds of botnets have the same goals
  –Information dispersion
  –Information harvesting
  –Information processing
●Information dispersion
  –Spam, phishing, DoS etc.
  –Economic benefit
●Information harvesting
  –Identity data, passwords, relationship data etc.
  –Direct economic benefit
●Information processing
  –Cracking passwords

Case Study: Trojan.Peacomm
●Uses the Overnet P2P protocol
●Overnet implements a distributed hash table based on the Kademlia algorithm
●After infection, secondary injections are automatically downloaded from the P2P network
●This enables the attacker to arbitrarily upgrade, control, or command bots

Experimental Setup
●Trojan.Peacomm was executed within a honeypot in the UNCC HoneyNet Lab
●The honeypot was a VMware virtual machine running Windows XP
●Connections to the Internet were controlled by a HoneyWall
●The PerilEyez malware analysis tool was used to detect changes in the system
●Pcap logs were kept; the specimen ran for two weeks

Initial bot
●The executable is installed
●Connects to the P2P network and downloads the secondary injection
●Distributed as a trojan horse email
●The PerilEyez tool is used to capture system state before and after infection (file system / open ports / services)
●It adds the system driver “wincomm32.sys” to the host
  –The driver is injected into the Windows process “services.exe”

Initial bot (continued)
  –This service acts as a P2P client that downloads the secondary injection
  –The initial peer list is saved in %system%\wincom.ini
●Windows Firewall is disabled
●Ports opened:
  –TCP 139, 12474
  –UDP 123, 137 etc.
●The initial peer list is hard-coded
●This could be a central point of failure

Communication Protocol
●Protocol summary
  –Overnet, implementing Kademlia
  –A 128-bit numeric space is used
  –Values are mapped into the numeric space by their keys
  –Key/value pairs are stored at the nearest peers, where nearness is computed by the XOR distance between IDs
  –A list of nodes is kept for each bucket in the numeric space
●Steps
  –Connect to Overnet
  –Download the secondary injection URL
  –Decrypt the secondary injection URL
  –Download the secondary injection
  –Execute the secondary injection

Secondary Injection
●Types of secondary injection
  –Downloader and rootkit component
  –SMTP spamming component
  –Email address harvester
  –Email propagation component
  –DDoS tool
●All of these can be rooted from one injection
●Can periodically update itself by searching through the P2P network
●This provides the basic Command and Control functionality

Searching the Download URL
●A search key is generated in the bot using an algorithm that uses the system date and a random number (0..31)
●So the botmaster needs to publish a new URL under 32 different keys on a particular day
●The bot searches for this key in its initial peer list
●If it is not found at a peer, the request is forwarded to other peers

Searching the Download URL
●If a match is found, a result is returned:
  (figure of the search result packet omitted)
●The “result” hash is used as a decryption key, paired with another key that is hard-coded in the bot
●Also, the response packet contains a single meta-tag named “id”
●The body of the tag contains the encrypted URL

Index Poisoning
●P2P networks contain indexes corresponding to each content item
●Index poisoning means adding bogus records to indexes
●For example, adding a fake IP/port corresponding to a file
●Trojan.Peacomm has index poisoning capability
●Possible motive: slowing down infection or measuring the number of bots

Network Trace Analysis
●Figure: number of remote IPv4 addresses contacted over time for the duration of the infection (annotations: start of infection; steep slope = initial connections; slowing down = saturation)

Network Trace Analysis (Contd…)
●Network traces are parsed
●It is found that the bot searches for five keys
●Key1 is the hash of its own IP
  –It periodically searches Key1 to find the nearest peers
●Key2 and Key4 are never found
●Key3 and Key5 are found after a small search
●Key3 is found in 6 seconds, Key5 is found in 3 seconds

Network Trace Analysis (Contd…)
●This indicates that “command latency” for P2P bots is low (but higher than centralized)
●Number of unique hosts contacted directly: 4,200
●Total unique IPs found in Overnet packets: 10,105
●The same search requests appeared from another machine
  –Possibly infected by Trojan.Peacomm

Conclusion
●This paper describes a case study of Trojan.Peacomm – a p2p
●Describes how it propagates and contacts its C&C
●Analysis of the network trace is presented

Detecting P2P Botnets
●Reinier Schoof & Ralph Koning
  –University of Amsterdam
Appeared in a technical report, Feb 2007

Overview
●Spreading
  –File sharing over a P2P network
  –Uses popular filenames to entice download
●Command and Control
  –Unlike IRC, bots do not wait for a command
  –The botmaster joins the network as a peer
  –Passes the command along to its peers
●Protocols
  –Phatbot uses the WASTE protocol
  –Nugache and Spamthru use home-made protocols

Experiments
●Two bots are analysed in a controlled environment
  –Nugache
  –Sinit
●The test environment consists of
  –Four computers
  –Three running Windows XP
  –One running FreeBSD. This runs softflowd to act as a software router connecting the three machines, collecting all netflows

Bot analysis
●Sinit
  –Trojan horse
  –Uses P2P to spread itself
  –Tries to reach other Sinit-infected hosts by sending discovery packets to port 53 of random IPs
  –Establishes a connection when it receives a discovery response packet
  –The two hosts exchange lists of peers
  –Connects to those peers
  –Runs a web server to publish /kx.exe, which is the Sinit
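The two Peacomm mechanics the deck leans on are the Kademlia XOR-distance lookup (Communication Protocol slide) and the fact that the bot's daily search key is derived from the system date plus a random number in 0..31, so only 32 candidate keys exist per day (Searching the Download URL slide). The toy model below is an added example, not code from the slides or from either paper: it implements XOR-distance storage and lookup in a constructed in-memory DHT, and then shows the defensive consequence of the predictable key space, namely that an analyst who knows the derivation can precompute the day's 32 keys and flag any host whose parsed trace searches for one of them. The key derivation (`daily_search_keys`), the peer IDs, the date and the observed lookups are all constructed stand-ins; Peacomm's real derivation is not on the page and is not reproduced here.

```python
import datetime
import hashlib
from typing import Dict, List, Optional, Tuple

ID_BITS = 128  # the deck: Overnet keys and node IDs live in a 128-bit numeric space


def to_id(data: bytes) -> int:
    """Map arbitrary bytes into the 128-bit ID space (MD5 is used only for its 128-bit width)."""
    return int.from_bytes(hashlib.md5(data).digest(), "big")


def xor_distance(a: int, b: int) -> int:
    """Kademlia distance metric: XOR of two IDs, interpreted as an integer."""
    return a ^ b


def closest_peers(key: int, peers: List[int], k: int) -> List[int]:
    """The k peers nearest to `key` under XOR distance: where a key/value pair is stored."""
    return sorted(peers, key=lambda p: xor_distance(p, key))[:k]


class ToyOvernet:
    """Constructed stand-in for an Overnet-style DHT: every peer keeps a local key->value store."""

    def __init__(self, peers: List[int]) -> None:
        self.store: Dict[int, Dict[int, bytes]] = {p: {} for p in peers}

    def publish(self, key: int, value: bytes, k: int = 3) -> List[int]:
        """Store the value at the k peers closest to the key; return those peers."""
        holders = closest_peers(key, list(self.store), k)
        for p in holders:
            self.store[p][key] = value
        return holders

    def lookup(self, key: int, k: int = 3) -> Optional[bytes]:
        """Ask the k closest peers for the key; None models Key2/Key4 in the trace (never found)."""
        for p in closest_peers(key, list(self.store), k):
            if key in self.store[p]:
                return self.store[p][key]
        return None


def daily_search_keys(day: datetime.date) -> List[int]:
    """HYPOTHETICAL stand-in for the bot's key derivation. The deck only says the key
    depends on the system date and a random number in 0..31; any such derivation yields
    exactly 32 candidate keys per day, which is what makes them enumerable by a defender."""
    return [to_id(b"hypothetical-derivation|" + day.isoformat().encode() + bytes([n]))
            for n in range(32)]


def flag_lookups(observed: List[Tuple[str, int]], day: datetime.date) -> List[Tuple[str, int]]:
    """Detection: return (source, key) pairs from parsed traces whose searched key is one of
    the day's 32 predictable keys. Searches for other keys (e.g. a host's own-IP hash,
    used to find nearest peers) are left alone."""
    expected = set(daily_search_keys(day))
    return [(src, key) for src, key in observed if key in expected]


def demo() -> Tuple[Optional[bytes], Optional[bytes], List[Tuple[str, int]]]:
    day = datetime.date(2007, 2, 1)  # constructed date
    peers = [to_id(f"peer-{i}".encode()) for i in range(50)]  # constructed peer IDs
    net = ToyOvernet(peers)
    keys = daily_search_keys(day)
    # Per the deck, the same encrypted URL has to be published under all 32 daily keys.
    for key in keys:
        net.publish(key, b"<encrypted url blob, constructed>")
    found = net.lookup(keys[7])                      # a key published today: found
    missing = net.lookup(to_id(b"never-published"))  # never published: None
    # Constructed "parsed trace": two hosts search a daily key, one searches its own-IP hash.
    observed = [("10.0.0.5", keys[7]),
                ("10.0.0.5", to_id(b"own-ip-hash")),
                ("10.0.0.9", keys[7])]
    return found, missing, flag_lookups(observed, day)


if __name__ == "__main__":
    print(demo())
```

The detection side mirrors what the trace analysis on the slides does by hand: the same search requests showing up from a second machine was the hint that it too was infected, and precomputing the day's key set turns that observation into a repeatable check over netflow or pcap-derived lookups.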
UTD CS 6V81 - Peer to Peer Botnets