Research on Botnets Based on the P2P Protocol
Botnets have become one of the most closely watched threats in the field of network security. Currently, botnets that use P2P protocols are gradually emerging. Building on an analysis of the Slapper worm, this paper studies the topology, functional structure and control mechanism of P2P botnets, and points out the development trends of P2P botnets.
My Botnet is Bigger than Yours (Maybe, Better than Yours): Why Size Estimates Remain Challenging
As if fueled by its own fire, curiosity and speculation regarding botnet sizes abounds. Among researchers, in the press, and in the classroom—the questions regarding the widespread effect of botnets seem never-ending: what are they? how many are there? what are they used for? Yet, time and time again, one lingering question remains: how big are today’s botnets? We hear widely diverging answers. In fact, some may argue, contradictory. The root cause for this confusion is that the term botnet size is currently poorly defined. We elucidate this issue by presenting different metrics for counting botnet membership and show that they lead to widely different size estimates for a large number of botnets we tracked. In particular, we show how several issues, including cloning, temporary migration, and hidden structures significantly increase the difficulty of determining botnet size with any accuracy. Taken as a whole, this paper calls into question speculations about botnet size, and more so, questions whether size really matters.
The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets
Global Internet threats are undergoing a profound transformation from attacks designed solely to disable infrastructure to those that also target people and organizations. Behind these new attacks is a large pool of compromised hosts sitting in homes, schools, businesses, and governments around the world. These systems are infected with a bot that communicates with a bot controller and other bots to form what is commonly referred to as a zombie army or botnet. Botnets are a very real and quickly evolving problem that is still not well understood or studied. In this paper we outline the origins and structure of bots and botnets and use data from the operator community, the Internet Motion Sensor project, and a honeypot experiment to illustrate the botnet problem today. We then study the effectiveness of detecting botnets by directly monitoring IRC communication or other command and control activity and show a more comprehensive approach is required. We conclude by describing a system to detect botnets that utilize advanced command and control systems by correlating secondary detection data from multiple sources.
Evolutionary Proactive P2P Worm: Propagation Modeling and Simulation
Computer worms evolved continually, faster and smarter. Proactive P2P worms with new “gene” propagate over logical P2P overlay networks defined by peer relationship. Observations suggest that the node degrees of an unstructured P2P network are power law distributed thus we model it as a power law undirected graph. We study propagation process of proactive P2P worm using a dynamic epidemic model. Specifically, we adopt discrete-time to conduct recursive analysis and deterministic approximation to describe propagation of proactive P2P worm. Then we carry out extensive simulation studies, which prove that the mathematical model matches simulation results well.
Detecting peer-to-peer botnets
Spam, DDoS and phishing are common problems on the Internet nowadays. In the past, attackers tended to use centralized high bandwidth connections to accomplish their tasks. Now that home users have high bandwidth internet connections, attackers have started infecting and using these home computers instead for their attacks. Attacking from distributed locations, attackers are harder to catch or stop and often have more bandwidth to abuse. New methods are required to detect the forming of these widespread networks of infected hosts, especially now that it seems attackers have discovered the peer-to-peer (P2P) technology.
As the Net Churns: Fast-Flux Botnet Observations
While botnets themselves provide a rich platform for financial gain for the botnet master, the use of the infected hosts as webservers can provide an additional botnet use. Botnet herders often use fast-flux DNS techniques to host unwanted or illegal content within a botnet. These techniques change the mapping of the domain name to different bots within the botnet with constant shifting, while the bots simply relay content back to a central server. This can give the attackers additional stepping stones to thwart takedown and can obscure their true origins.
Evidence suggests that more attackers are adopting fast-flux techniques, but very little data has been gathered to discover what these botnets are being used for. To address this gap in understanding, we have been mining live traffic to discover new fast-flux domains and then tracking those botnets with active measurements for several months. We identified over 900 fast-flux domain names from early to mid 2008 and monitored their use across the Internet to discern fast-flux botnet behaviors. We found that the active lifetimes of fast-flux botnets vary from less than one day to months, domains that are used in fast-flux operations are often registered but dormant for months prior to activation, that these botnets are associated with a broad range of online fraud and crime activities, and that we can identify distinct botnets across multiple domain names. We support our findings through an in-depth examination of Internet-scale data continuously collected for hundreds of domain names over several months.
Analysis of the Storm and Nugache Trojans: P2P is Here
Since the advent of distributed intruder tools in the late 1990s, defenders have striven to identify and take down as much of the attack network as possible, as fast as possible. This has never been an easy task, owing in large part to the wide distribution of attacking agents and command and control (C2) servers, often spread across thousands of individual networks, or Autonomous Systems in routing terms, around the globe. Differentials in the abilities and capabilities of these sites, as well as knowledge of what role the site plays in distributed attack networks (potentially many active at one time), make mitigation harder, as do differences in legal regimes, etc. [1]. Still, there has grown a huge population of researchers, security vendors, and organizations focused on identifying and mitigating distributed attack networks.
An analysis of the Slapper worm
During the past decade, security bugs’ impact on a society dependent on a seamless and secure flow of information has become painfully evident. We’ve all learned the implications of security bugs and breaches the hard way, in a defensive and after-the-fact manner that prompts us to plug holes quickly and then wait for the next big one to surface. With the overwhelming amount of bug reports and security threats made public every day, it is daunting and difficult to identify trends and have a reasonable expectation of adopting a proactive information security strategy that deals with possible future threats.
Measurements and Mitigation of Peer-to-Peer-based Botnets - A Case Study on Storm Worm
Botnets, i.e., networks of compromised machines under a common control infrastructure, are commonly controlled by an attacker with the help of a central server: all compromised machines connect to the central server and wait for commands.
However, the first botnets that use peer-to-peer (P2P) networks for remote control of the compromised machines appeared in the wild recently. In this paper, we introduce a methodology to analyze and mitigate P2P botnets. In a case study, we examine in detail the Storm Worm botnet, the most wide-spread P2P botnet currently propagating in the wild. We were able to infiltrate and analyze in-depth the botnet, which allows us to estimate the total number of compromised machines. Furthermore, we present two different ways to disrupt the communication channel between controller and compromised machines in order to mitigate the botnet and evaluate the effectiveness of these mechanisms.
A botnet, a network composed of computers under some common control infrastructure, is usually controlled by an attacker through a central control server: the machines in the network connect to the central control server and wait to receive control commands.
However, the first botnets that use P2P networks for remote control of infected machines have indeed appeared only recently. In this paper we introduce a method for analyzing and handling P2P botnets. In this study we examine in depth the Storm Worm botnet, the most widely propagating P2P bot on the network today. We were able to infiltrate and analyze the botnet in depth and estimate the total number of infected and controlled machines. In addition, we present two methods for cutting off the control channel between the controller and the infected machines in order to defend against this botnet, and evaluate the effectiveness of these mechanisms.
Computer virus researchers at the University of California, Santa Barbara (UCSB) on the Torpig botnet
Botnets, networks of malware-infected machines that are controlled by an adversary, are the root cause of a large number of security threats on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program that is designed to harvest sensitive information (such as bank account and credit card data) from its victims. In this paper, we report on our efforts to take control of the Torpig botnet for ten days. Over this period, we observed more than 180 thousand infections and recorded more than 70 GB of data that the bots collected. While botnets have been “hijacked” before, the Torpig botnet exhibits certain properties that make the analysis of the data particularly interesting. First, it is possible (with reasonable accuracy) to identify unique bot infections and relate that number to the more than 1.2 million IP addresses that contacted our command and control server. This shows that botnet estimates that are based on IP addresses are likely to report inflated numbers. Second, the Torpig botnet is large, targets a variety of applications, and gathers a rich and diverse set of information from the infected victims. This opens the possibility to perform interesting data analysis that goes well beyond simply counting the number of stolen credit cards.
Modeling Peer-to-Peer Botnets
Peer-to-peer botnets are a relatively new yet rapidly growing Internet threat. In the year since its introduction in January 2007, the Storm Worm peer-to-peer botnet has become the largest botnet on the Internet. Unlike previous botnets operating over IRC channels, the Storm Worm botnet uses a decentralized peer-to-peer network to communicate among the bots and to control their computing power. While a centralized control structure can be toppled relatively easily by finding and disconnecting the head, a decentralized control structure is much harder to dismantle. Given this reality, security researchers must find new ways to defend against peer-to-peer botnets. Toward that aim, we have developed a stochastic model of peer-to-peer botnet formation to provide insight on possible defense tactics. We use the stochastic model to examine how different factors impact the growth of the botnet. Simulation results from the model evaluate the effectiveness both of prevention measures and of detection and disinfection methods. In this way, the simulation results from our peer-to-peer botnet model provide guidance for the design of future anti-malware systems.
A Taxonomy of Botnet Structures
We propose a taxonomy of botnet structures, based on their utility to the botmaster. We propose key metrics to measure their utility for various activities (e.g., spam, ddos). Using these performance metrics, we consider the ability of different response techniques to degrade or disrupt botnets.
In particular, our models show that targeted responses are particularly effective against scale free botnets and efforts to increase the robustness of scale free networks comes at a cost of diminished transitivity. Botmasters do not appear to have any structural solutions to this problem in scale free networks. We also show that random graph botnets (e.g., those using P2P formations) are highly resistant to both random and targeted responses.
We evaluate the impact of responses on different topologies using simulation and demonstrate the utility of our proposed metrics by performing novel measurements of a P2P network. Our analysis shows how botnets may be classified according to structure and given rank or priority using our proposed metrics. This may help direct responses and suggests which general remediation strategies are more likely to succeed.
A Study of Peer-to-Peer Botnets (a master's thesis from abroad)
Botnets pose a great threat to all resources connected to the Internet. Systems not properly secured may potentially become part of a botnet army, while all systems are potential targets of a botnet attack. Two important facets in mitigating the threat are the detection of botnet structures and the monitoring of botnet communication. In order to successfully detect and monitor a botnet, it is important to understand the propagation and communication model of the botnet. As a defensive means against potential future botnet structures we propose the random decentralized peer-to-peer (RDP) botnet model. This model provides efficient and stealthy modes of propagation and communication, characteristics favorable to a malicious botnet controller. This model serves as a target for our investigation of detection and monitoring techniques of potential future botnets.
Towards Next-Generation Botnets
In this paper, we introduce the design of an advanced bot called Rambot that is based on the weaknesses we found when tracking a diverse set of botnets over a period of several months. The main features of this bot are peer-to-peer communication, strong cryptography, a credit-point system to build bilateral trust amongst bots, and a proof-of-work scheme to protect against potential attacks. The goal of this work is to increase the understanding of more advanced botnet designs, such that more efficient detection and mitigation systems can be developed in the future.
In this paper we introduce an advanced bot named Rambot, which we designed after tracking a variety of botnets over several months and analyzing their weaknesses. The main features of this bot are P2P-based communication and control, strong encryption algorithms, a trust-point system among bots, and a proof-of-work scheme to guard against potential attacks. The aim of this paper is to improve understanding of more advanced bot designs, in the hope that more effective detection and defense systems can be designed in the future.
P2P as Botnet Command and Control: A Deeper Insight
The research community is now focusing on the integration of peer-to-peer (P2P) concepts as incremental improvements to distributed malicious software networks (now generically referred to as botnets). While much research exists in the field of P2P in terms of protocols, scalability, and availability of content in P2P file sharing networks, less exists (until this last year) in terms of the shift in C&C from central C&C using clear-text protocols, such as IRC and HTTP, to distributed mechanisms for C&C where the botnet becomes the C&C, and is resilient to attempts to mitigate it.
Research institutions are all now paying attention to integrating P2P technology as a means of improving distributed malicious software networks (now generically called botnets). In the P2P field there is much research on protocols, robustness and the availability of content in P2P file-sharing networks, but there is very little (until last year) on the shift from centralized command-and-control mechanisms using clear-text protocols such as IRC and HTTP to distributed command-and-control mechanisms, where the botnet itself becomes the distributed command and control and can effectively resist measures that attempt to mitigate it.
Deep Analysis of Intending Peer-to-Peer Botnet
Botnet has recently been identified as one of the most important security threats of the Internet. So we should study the new technology which may be used by botmaster in the near future. In this paper we predict the new feature of the next generation botnet and present the design of an advanced P2P botnet based on our discussion.
An Advanced Hybrid Peer-to-Peer Botnet
A “botnet” consists of a network of compromised computers controlled by an attacker (“botmaster”). Recently botnets have become the root cause of many Internet attacks. To be well prepared for future attacks, it is not enough to study how to detect and defend against the botnets that have appeared in the past. More importantly, we should study advanced botnet designs that could be developed by botmasters in the near future. In this paper, we present the design of an advanced hybrid peer-to-peer botnet. Compared with current botnets, the proposed botnet is harder to be shut down, monitored, and hijacked. It provides robust network connectivity, individualized encryption and control traffic dispersion, limited botnet exposure by each bot, and easy monitoring and recovery by its botmaster. Possible defenses against this advanced botnet are suggested.
Army of botnets
The trend toward smaller botnets may be more dangerous than large botnets, in terms of large-scale attacks like distributed denials of service. We examine the possibility of “super-botnets,” networks of independent botnets that can be coordinated for attacks of unprecedented scale. For an adversary, super-botnets would also be extremely versatile and resistant to countermeasures. As such, super-botnets must be examined by the research community, so that defenses against this threat can be developed proactively. Our simulation results shed light on the feasibility and structure of super-botnets and some properties of their command-and-control mechanism. New forms of attack that super-botnets can launch are explored, and possible defenses against the threat of super-botnets are suggested.
Botnets are gradually developing into more dangerous, smaller networks, which bring large-scale network attacks such as DDoS. We analyze the possibility of super-botnets, which could launch attacks of unimaginable scale. To compete and survive, super-botnets would use a variety of strategies against defensive measures. Therefore, super-botnets must be studied by research institutions; only then can defenses against this threat be effective and feasible. Our simulation results describe the structure and feasibility of super-botnets and the C&C mechanisms they might use. New attack methods that super-botnets could launch are studied, and some insights are given on how to defend against super-botnets.