Abstract
Botnets have historically used centralized architectures for their command and control systems. While the deployment and logical construction of these systems are simple and efficient, a critical weak point exists in the central server used to coordinate messages and route traffic. Recently, the introduction of decentralized architectures with peer-to-peer (P2P) routing has provided malware authors with increased resilience and location obfuscation for command distribution points. To date, botnets with these topologies have been difficult for defenders to accurately enumerate and effectively remediate. In this chapter, we describe the architectures, capabilities, functional behaviors, and current mitigation efforts for the Nugache, Storm, and Mayday botnets.
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Kang, B.B., Nunnery, C. (2009). Decentralized Peer-to-Peer Botnet Architectures. In: Ras, Z.W., Ribarsky, W. (eds) Advances in Information and Intelligent Systems. Studies in Computational Intelligence, vol 251. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04141-9_12
DOI: https://doi.org/10.1007/978-3-642-04141-9_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04140-2
Online ISBN: 978-3-642-04141-9
eBook Packages: Engineering, Engineering (R0)