detection of peer-to-peer botnets · outlineintroduction & theoryresearch questionpeacomm case...
TRANSCRIPT
Outline Introduction & theory Research question Peacomm case study Detection Conclusion & future work
Detection of peer-to-peer botnets
Matthew Steggink, Igor Idziejczak
February 6, 2008
1 / 17
Outline Introduction & theory Research question Peacomm case study Detection Conclusion & future work
Introduction & theory
Research question
Peacomm case study
Detection
Conclusion & future work
2 / 17
Outline Introduction & theory Research question Peacomm case study Detection Conclusion & future work
Peer-to-peer botnets
I What are botnets . . . and peer-to-peer botnets?
I What’s the purpose of bots and botnets?
3 / 17
Outline Introduction & theory Research question Peacomm case study Detection Conclusion & future work
Botnet topology
4 / 17
Outline Introduction & theory Research question Peacomm case study Detection Conclusion & future work
Research question?in cooperation with SURFnet
Detection of peer-to-peer botnetsI Why this research
I Goal of this research
I Previous work . . .
5 / 17
Outline Introduction & theory Research question Peacomm case study Detection Conclusion & future work
Peacomm
PeacommI What is Peacomm
I DHT: Usage of the Overnet protocol
6 / 17
Outline Introduction & theory Research question Peacomm case study Detection Conclusion & future work
How do users get infected?
7 / 17
Outline Introduction & theory Research question Peacomm case study Detection Conclusion & future work
Peacomm experimental setupI Peer to peer botnet studyI Test environmentI Experimenting (CW Sandbox, PerilEyez, Rootkit Unhooker,
Wireshark)
8 / 17
Outline Introduction & theory Research question Peacomm case study Detection Conclusion & future work
Infection
I Executable copy (noskrnl.exe)
I Time configuration
I Initial peer list (noskrnl.config)
I Creates a rule in the Windows Firewall
I Rootkit noskrnl.sys
9 / 17
Outline Introduction & theory Research question Peacomm case study Detection Conclusion & future work
Secondary injections
I Duplicate on the desktop
I Update malware through TCP connection
I Updates peer list and downloads spam message
10 / 17
Outline Introduction & theory Research question Peacomm case study Detection Conclusion & future work
Network analysisUDP
I Very noisy: 55 %
I Always same high numbered port (different on every host)
I Packet length (40-79): 98 %, in total: 51 %
11 / 17
Outline Introduction & theory Research question Peacomm case study Detection Conclusion & future work
Network analysisSMTP
I 5 % of total traffic → < 0,5% [1]
I 33 packets / second
ipoque.com, Internet Study 2007, August - September 2007
12 / 17
Outline Introduction & theory Research question Peacomm case study Detection Conclusion & future work
Network analysisMX queries
I 1 % of total traffic
I 4 packets / second → isolated case?
I Host MX queries are suspicious
13 / 17
Outline Introduction & theory Research question Peacomm case study Detection Conclusion & future work
Detection
I Protocol traffic
I SMTP
I MX queries
I Connection
14 / 17
Outline Introduction & theory Research question Peacomm case study Detection Conclusion & future work
Detection
Figure: Comparison between all traffic (black), Peacomm traffic (red)and other traffic (blue) (generated with Wireshark)
15 / 17
Outline Introduction & theory Research question Peacomm case study Detection Conclusion & future work
Conclusion & future work
I Unique characteristics
I Hard to predict the future?
I Future Peacomm developments: less noisy, what now?
I New bots in the future: Agobot?
16 / 17
Outline Introduction & theory Research question Peacomm case study Detection Conclusion & future work
Questions?
I Matthew Steggink: [email protected]
I Igor Idziejczak: [email protected]
17 / 17