ModelingPeer-to-PeerBotnets资源-CSDN下载

需积分: 3 164 浏览量 2010-05-01 23:17:22 上传评论收藏 925KB PDF 举报

资源推荐

资源详情

资源评论

Modeling Peer-to-Peer Botnets

Elizabeth Van Ruitenbeek and William H. Sanders

Electrical and Computer Engineering Department,

Information Trust Institute, and

Coordinated Science Laboratory

University of Illinois at Urbana-Champaign

Urbana, IL, USA

{evanrui2,whs}@uiuc.edu

Abstract

Peer-to-peer botnets are a relatively new yet rapidly

growing Internet threat. In the year since its introduction

in January 2007, the Storm Worm peer-to-peer botnet has

become the largest botnet on the Internet. Unlike previous

botnets operating over IRC channels, the Storm Worm bot-

net uses a decentralized peer-to-peer network to communi-

cate among the bots and to control their computing power.

While a centralized control structure can be toppled rela-

tively easily by ﬁnding and disconnecting the head, a de-

centralized control structure is much harder to dismantle.

Given this reality, security researchers must ﬁnd new ways

to defend against peer-to-peer botnets. Toward that aim,

we have developed a stochastic model of peer-to-peer bot-

net formation to provide insight on possible defense tactics.

We use the stochastic model to examine how different fac-

tors impact the growth of the botnet. Simulation results from

the model evaluate the effectiveness both of prevention mea-

sures and of detection and disinfection methods. In this way,

the simulation results from our peer-to-peer botnet model

provide guidance for the design of future anti-malware sys-

tems.

1. Introduction

Botnets are “networks of compromised machines under

the control of an attacker” [11], and such networks are a

growing threat on the Internet. After the attacker gains con-

trol of compromised computers, the attacker is able to har-

ness the computing power of those compromised machines.

Attackers who operate botnets use the distributed com-

puting power for a variety of nefarious purposes. The com-

puters that comprise a botnet can be used to send and dis-

tribute spam email, to extort money from businesses wish-

ing to avoid distributed denial of service attacks against

their websites [14], and to commit click fraud [20]. The

collective computational power of a botnet could even have

the potential to shut down government agencies, utilities,

or ﬁnancial centers [9]. In short, there are mounting eco-

nomic incentives for creating and maintaining botnets, and

the threats posed by botnets cannot be ignored.

Most previous botnets have had a centralized command-

and-control structure using Internet Relay Chat (IRC) chan-

nels. In contrast, peer-to-peer botnets utilize a decentralized

command-and-control structure. While a centralized con-

trol structure can be toppled relatively easily by ﬁnding and

disconnecting the head, a decentralized control structure is

much harder to dismantle. Thus, peer-to-peer botnets rep-

resent an escalation in the increasingly sophisticated arms

race between attackers and defenders.

Therefore, security researchers must develop new meth-

ods to mitigate the threat posed by peer-to-peer botnets.

Currently, security experts simply recommend “basic com-

puter hygiene” [22] to minimize the spread of computer

malware including botnet infections. Such measures in-

clude avoiding infection from email attachments, using

rootkit-detection systems, and blocking all peer-to-peer

connections. However, blocking all peer-to-peer trafﬁc

may be too restrictive, and other mitigation techniques may

be ineffective. The growth in botnets cannot go unchal-

lenged, so more research on cost-efﬁcient and effective anti-

malware systems is necessary.

This paper presents a stochastic model of peer-to-peer

botnet formation to provide insight on possible defense tac-

tics. Section 2 discusses the evolution of the Storm Worm

peer-to-peer botnet, and Section 3 describes the peer-to-peer

functionality of that botnet. Then Section 4 describes our

peer-to-peer botnet model. Section 5 analyzes simulation

results from the model, and Section 6 discusses the impli-

cations of those results. The paper concludes with a discus-

sion on future uses of the peer-to-peer botnet model.

Quantitative Evaluation of SysTems

DOI 10.1109/QEST.2008.43

307

Authorized licensed use limited to: NATIONAL LIBRARY OF CHINA. Downloaded on August 29, 2009 at 21:27 from IEEE Xplore. Restrictions apply.

The contributions of this work include the following:

• A stochastic model of peer-to-peer botnet formation

• Insight on how anti-malware companies can target

their efforts to ﬁght botnet formation efﬁciently

• Insight on the necessary level of anti-malware perfor-

mance to ﬁght botnet formation effectively

2. History of the Storm Worm

The ﬁrst widespread peer-to-peer botnet appeared in Jan-

uary 2007 and is most commonly known as the Storm

Worm, even though the malware is more accurately labeled

a Trojan horse, not a worm. Antivirus ﬁrms have also

given the malware other names including Small.DAM, Pea-

comm, Nuware, and Zhelatin [7]. The probable attackers

are thought to be a well-organized group in Russia [17].

The Storm Worm has evolved signiﬁcantly in the ﬁrst

year after its initial appearance. The attack process relies

heavily on social engineering tactics. When the botnet was

originally created, the main attack vector was through in-

fected email attachments. Victims would receive an email

with a subject line such as “A killer at 11, he’s free at 21

and kill again,” “U.S. Secretary of State Condolezza Rice

has kicked German Chancellor Angela Merkel,” “Naked

teens attack home director,” “230 dead as storm batters Eu-

rope,” and others [12]. The Storm Worm name refers to the

weather-related subject in some of the emails. The body of

the email was empty.

The Storm Worm email contained an attachment

with names such as “FullVideo.exe,” “Full Story.exe,”

“Video.exe,” “Read More.exe,” or “FullClip.exe”; however,

the attachment was a Trojan horse program, not a video

clip [12]. When victims attempted to open the attached

ﬁle, the executable inserted a kernel mode driver compo-

nent called wincom32.sys and an initialization ﬁle compo-

nent called peers.ini [4]. The malware also inserted itself

into the services.exe process [12]. After the initial Trojan

had been installed, it attempted to connect with peers in the

Storm Worm botnet and, subsequently, to download the full

payload and begin executing code under the control of the

botnet. Section 3 will further describe the role of peer-to-

peer networking in the Storm Worm.

For the antivirus ﬁrms, one of the most challenging as-

pects of the Storm Worm is the sheer number of vari-

ants. Titillating new email subject lines and attachment ﬁle

names are added sometimes daily [16]. In addition, the

back-end servers for Storm Worm re-encode the malware

binary twice per hour using polymorphic techniques to min-

imize effectiveness of signature-based detection [16].

Over the course of the year, Storm Worm has also ex-

panded its infection mechanisms from email attachments

to email with links to infected sites and e-card spam that

installs rootkits in the infected computer [10]. The links

to infected sites are sometimes disguised as fake log-in

links [15].

In response to the Storm Worm, antivirus ﬁrms have

worked diligently on detection and removal. The biggest

improvement occurred when the Microsoft Malicious Soft-

ware Removal tool issued a patch in September 2007 that

was correlated with a signiﬁcant 20% drop in the Storm

Worm botnet size [19]. This shows that efforts to remove

machines from a botnet can make progress in reducing the

size of the botnet.

Estimates of the size of the Storm Worm botnet vary

widely. Reports in March 2007 claimed that the size of

the Storm Worm botnet was between 20,000 and 100,000

computers [16]. In September 2007, others claimed the

size of the Storm Worm botnet was between one and

two million machines, although only 10% of the compro-

mised machines were active at one time [9]. In November

2007, Storm was considered the world’s largest botnet with

230,000 active members per 24-hour period [13]. The high-

est estimates say that the Storm Worm botnet could contain

as many as 50 million compromised machines [9].

Regardless of its exact size, researchers agree that the

Storm Worm botnet is currently the world’s largest botnet.

Due to its size, the Storm Worm botnet contributes signiﬁ-

cantly to the malware trafﬁc on the Internet. On August 22,

2007, 57 million virus-infected messages crossed the Inter-

net, and 99% were from the Storm Worm [9].

The most recent reports show that the Storm Worm bot-

net is being divided up because it may be more economi-

cally viable for the operators of the Storm Worm botnet to

run several smaller botnets [13]. Larger botnets are more

conspicuous and easier to detect. The Storm Worm botnet

has begun the use of 40-bit encryption keys, which could

be used to segment the botnet [23]. According to security

researcher Joe Stewart, “This could be a precursor to sell-

ing Storm to other spammers, as an end-to-end spam botnet

system” [23].

The threat of peer-to-peer botnets does not stop with the

Storm Worm. Researchers indicate that a new peer-to-peer

botnet is emerging that could some day surpass the size and

sophistication of the Storm Worm botnet [13].

3. Peer-to-Peer Functionality in the Storm

Worm Botnet

The Storm Worm botnet is the ﬁrst major botnet to use

peer-to-peer networking for command and control of the

bots. As described earlier in Section 2, the initial infection

involves a Trojan installing some ﬁles onto a vulnerable ma-

chine. However, a compromised machine is not part of the

botnet until it joins the peer-to-peer network that controls

the botnet.

308

Authorized licensed use limited to: NATIONAL LIBRARY OF CHINA. Downloaded on August 29, 2009 at 21:27 from IEEE Xplore. Restrictions apply.

剩余9页未读，继续阅读

评论收藏

内容反馈

borelist

粉丝: 1

Modeling Peer-to-Peer Botnets

Statistical-Modeling-of-Peer-Review-Process:使用统计模型分析会议同行评审各个方面对同行评审有效性和准确性的影响

Modeling Peer-Peer File Sharing Systems.pdf

Measurements and Mitigation of Peer-to-Peer-based Botnets - A Case Study on Storm Worm

Detecting peer-to-peer botnets

Peer-to-Peer Simulators

Sip2Peer的示例程序

A LIGHTWEIGHT FRAMEWORK FOR PEER-TO-PEER programming

Peer-to-peer-Network

MODELING MULTI-SPEAKER LATENT SPACE

Modeling Air-to-Ground Path loss

Modeling Continuous-time Event Data with Neural Temporal Point P

Handbook of Modeling High-Frequency Data in Finance英文版

A study of peer-to-peer botnets 国外的一片硕士论文

P2P优秀论文_Peer-to-Peer网络模型研究

Peer-to-peer communication

peer to peer

Meta Universe modeling Project-大创资源

eclipse-modeling-2021-03-R-win32-x86_64.zip

Modeling-Dynamics-and-Control-of-Electrified-Vehicles_2018

Modeling Creativity - Case Studies in Python 无水印原版pdf

Modeling-high-frequency-limit-order-book.pdf

eclipse-modeling-2022-06-R-win32-x86_64.zip

1-billion-word-language-modeling-benchmark-r13output

Applied Survival Analysis Regression Modeling Of Time To Event Data

changfeng98-Mathematical-modeling-algorithm-72044-1749447139430.zip

Mathematical-modeling-information-美赛资源

tantansir_Multimodal-Deep-Learning-for-Modeling-ATCO-Command-Lifecycle-in-

【Android】短信验证码输入框（80/100）

我的自动投票器

最新资源