Peer to Peer Botnets
by Mehedy Masud

Botnets
● Introduction
● History
● Taxonomy
● Overview
● Case studies
● New technique
● Detection and Prevention

Taxonomy

Peer2Peer Bots: Overview & Case Studies
● Julian B. Grizzard – Johns Hopkins
● Vikram Sharma, Chris Nunnery, and Brent ByungHoon Kang – North Carolina, Chapel Hill
● David Dagon – Georgia Institute of Technology
HotBots - 2007

Peer2Peer BotNets: History
● Napster: earliest Peer2Peer protocol
  – Not completely P2P
  – Shut down because found illegal
● Gnutella
  – Completely decentralized
● Recent Protocols
  – Chord
  – Kademlia

Botnet Goals
● All kinds of botnet have the same goals
  – Information dispersion
  – Information harvesting
  – Information processing
● Information dispersion
  – Spam, phishing, DOS etc.
  – Economic benefit
● Information harvesting
  – Identity data, password, relationship data etc.
  – Direct economic benefit
● Information processing
  – Cracking passwords

Case Study: Trojan.Peacomm
● Uses the Overnet p2p protocol
● Overnet implements a distributed hash table based on the Kademlia algorithm
● After infection, secondary injections are automatically downloaded from the p2p net
● This enables the hacker to arbitrarily upgrade, control, or command bots

Experimental Setup
● Trojan.Peacomm was executed within a honeypot in the UNCC HoneyNet Lab
● Honeypot was a VMWare virtual machine running Windows XP
● Connections to the internet were controlled by a HoneyWall
● PerilEyez malware analysis tool was used to detect changes in the system
● Pcap logs were kept; the specimen ran for two weeks

Initial bot
● The executable is installed
● Connects to p2p and downloads secondary injection
● Distributed as a trojan horse email
● PerilEyez tool is used to capture system state before and after infection (file system/open ports/services)
● It adds system driver "wincomm32.sys" to the host
  – Driver is injected into Windows process "services.exe"

Initial bot (continued)
  – This service acts as a p2p client that downloads the secondary injection
  – Initial peer list saved in %system%\wincom.ini
● Windows Firewall is disabled
● Ports opened:
  – TCP 139, 12474
  – UDP 123, 137 etc.
● Initial Peer List is hard-coded
● This could be a central point of failure

Communication Protocol
● Protocol Summary
  – Overnet, implementing Kademlia
  – 128-bit numeric space is used
  – Values are mapped to the numeric space with keys
  – Key/value pairs are stored in the nearest peer, where distance is computed by the XOR function
  – A list of nodes is kept for each bucket in the numeric space
● Steps
  – Connect to Overnet
  – Download secondary injection URL
  – Decrypt secondary injection URL
  – Download secondary injection
  – Execute secondary injection

Secondary Injection
● Types of secondary injection
  – Downloader and rootkit component
  – SMTP spamming component
  – Email address harvester
  – Email propagation component
  – DDoS tool
● All of these can be rooted from one injection
● Can periodically update itself by searching through the P2P net
● This provides the basic Command and Control functionality

Searching the Download URL
● A search key is generated in the bot using an algorithm that uses the system date and a random number (0..31)
● So the botmaster needs to publish a new URL under 32 different keys on a particular day
● It searches for this key in its initial peer list
● If it is not found in a peer, the request is forwarded to other peers

Searching the Download URL
● If a match is found, a result is returned:
● The "result" hash is used as a decryption key, paired with another key that is hardcoded in the bot
● Also, the response packet contains a single meta-tag named "id"
● The body of the tag contains the encrypted URL

Index Poisoning
● P2P networks contain indexes corresponding to each content
● Index poisoning means adding bogus records to indexes
● For example, adding a fake ip/port corresponding to a file
● Trojan.Peacomm has index poisoning capability
● Possible motive: slowing down infection or measuring the number of bots

Network Trace Analysis
● Number of Remote IPv4 Addresses Contacted Over Time for Duration of Infection
  [Figure: curve of remote IPv4 addresses contacted over time. Annotations: Start of infection; Steep slope (initial connections); Slowing down (saturation)]

Network Trace Analysis (Contd…)
● Network traces are parsed
● It is found that the bot searches for five keys.
● Key1 is the hash of its own IP
  – It periodically searches key1 to find the nearest peers
● Key2 and Key4 are never found
● Key3 and Key5 are found after a small search
● Key3 is found in 6 seconds, key5 is found in 3 seconds

Network Trace Analysis (Contd…)
● This indicates that "command latency" for P2P bots is low (but higher than centralized)
● Number of unique hosts contacted directly: 4200
● Total unique IPs found in Overnet packets: 10,105
● Same search requests appeared from another machine
  – Possibly infected by Trojan.Peacomm

Conclusion
● This paper describes a case study of Trojan.Peacomm – a p2p
● Describes how it propagates and makes contact with C&C
● Analysis of network trace presented

Detecting P2P Botnets
● Reinier Schoof & Ralph Koning – University of Amsterdam
  Appeared in a technical report, Feb 2007

Overview
● Spreading
  – File sharing over P2P network
  – Uses popular filenames to entice download
● Command and Control
  – Unlike IRC, bots do not wait for a command
  – Botmaster joins the network as a peer
  – Passes the command along to its peers
● Protocols
  – Phatbot uses the WASTE protocol
  – Nugache and Spamthru use home-made protocols

Experiments
● Two bots are analysed in a controlled environment
  – Nugache
  – Sinit
● Test environment consists of
  – Four computers
  – Three running Windows XP
  – One running FreeBSD. This runs softflowd to act as a software router connecting the three machines, collecting all netflows

Bot analysis
● Sinit
  – Trojan horse
  – Uses P2P to spread itself
  – Tries to reach other Sinit-infected hosts by sending discovery packets to port 53 of random IPs
  – Establishes a connection when it receives a discovery response packet
  – The two hosts exchange lists of peers
  – Connects to those peers
  – Runs a web server to publish /kx.exe, which is the Sinit binary
  – Random IP scan generates a lot of ICMP 3 (host unreachable)

Bot analysis (Contd…)
● Nugache
  – Trojan horse
  – Opens TCP port 8, connects to a hard-coded list of peers
  – Exchanges peer list after connection
  – Starts DDoS when commanded
  – Command is encrypted/obfuscated
  – Spreads over AIM
  – Installs initial peer list in the Windows registry
  – This list is updated dynamically
  – Uses an obfuscated communication channel

Bot analysis (Contd…)
● PhatBot
  – A cousin of AgoBot
  – Uses the WASTE protocol
  – It is an encrypted open-source P2P network
  – Bot finds other peers by using cache servers on the Gnutella P2P network
  – Looks for clients identified by GNUT, a Gnutella client
  – Has a list of processes to kill when it runs, consisting of antivirus and competing malware

Detection
● Open ports
  – A specific port/range of ports must be opened
  – Monitoring those ports may enable detection
  – May result in false positives (when other applications use the specific ports) or
  – False negatives (when normal ports are used for bot communication)
● Connection failures
  – May result in a lot of ICMP 3 errors
● Peer Discovery
  – Static peer list may be a central point of failure
  – Random scan is very inefficient

Conclusion
● P2P botnets pose a significant threat to the future internet community
● Although the current P2P protocols used by the bots are inefficient, they are likely to be made efficient
● There are some detection techniques, but none of them are very reliable
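The "Communication Protocol" and "Network Trace Analysis" slides above summarise how the Overnet/Kademlia DHT works: node IDs and keys share one 128-bit space, distance is XOR, each node keeps a bucket of peers per prefix length, a key/value pair is stored on the nearest nodes, and a search is forwarded to ever-closer peers (which is also how searching the hash of its own IP gives the bot its nearest peers). The following simulation is an added example written for this page, not code from the slides or from the Grizzard et al. paper; the network size, replication factor K, the use of MD5 purely as a 128-bit hash, and the function names are all my own assumptions.

```python
"""
Toy Kademlia-style DHT over a 128-bit XOR space (added example, not the slides' or
the paper's code). MD5 is used only to obtain 128-bit identifiers; it has no
security role here. Constructed inputs are labelled as such.
"""
import hashlib
import random

ID_BITS = 128
K = 3  # replication factor (assumed): a value is stored on the K nodes closest to its key


def to_id(data: bytes) -> int:
    """Map arbitrary bytes (an IP string, a date, a filename) into the 128-bit ID space."""
    return int.from_bytes(hashlib.md5(data).digest(), "big")


def xor_distance(a: int, b: int) -> int:
    """Kademlia metric: the XOR of two identifiers, compared as an integer."""
    return a ^ b


def bucket_index(self_id: int, other_id: int) -> int:
    """Bucket that `other_id` falls into from `self_id`'s point of view: the position
    of the highest differing bit (0 .. ID_BITS-1), or -1 when the IDs are equal."""
    return xor_distance(self_id, other_id).bit_length() - 1


class Node:
    def __init__(self, node_id: int):
        self.id = node_id
        self.buckets: dict[int, list[int]] = {}  # bucket index -> up to K peer IDs
        self.store: dict[int, bytes] = {}        # key -> value held by this node

    def known_peers(self) -> list[int]:
        return [pid for bucket in self.buckets.values() for pid in bucket]


def k_closest(ids, key: int, k: int = K) -> list[int]:
    """The k identifiers nearest to `key` under the XOR metric."""
    return sorted(ids, key=lambda nid: xor_distance(nid, key))[:k]


class Network:
    """In-memory simulation. Routing tables are filled from a global view, so every
    bucket range that contains nodes holds at least one of them; that is what makes
    the greedy lookup below converge on the globally closest node."""

    def __init__(self, n_nodes: int, seed: int = 1):
        rng = random.Random(seed)
        ids = [rng.getrandbits(ID_BITS) for _ in range(n_nodes)]  # constructed node IDs
        self.nodes = {nid: Node(nid) for nid in ids}
        for node in self.nodes.values():
            by_bucket: dict[int, list[int]] = {}
            for other in ids:
                if other != node.id:
                    by_bucket.setdefault(bucket_index(node.id, other), []).append(other)
            for i, members in by_bucket.items():
                node.buckets[i] = k_closest(members, node.id)  # keep K nearest per bucket

    def publish(self, key: int, value: bytes) -> list[int]:
        """STORE: place the key/value pair on the K nodes globally closest to the key."""
        holders = k_closest(self.nodes, key)
        for nid in holders:
            self.nodes[nid].store[key] = value
        return holders

    def iterative_find(self, start: int, key: int):
        """FIND_VALUE / FIND_NODE from `start`. Keeps a shortlist of the K closest nodes
        seen so far, queries the ones not yet asked, and merges each reply (the replying
        node's known peers) back into the shortlist. Stops when a holder is found or when
        all K closest nodes seen have been queried.
        Returns (value or None, K closest nodes seen, nodes queried in order)."""
        seen = {start} | set(self.nodes[start].known_peers())
        queried: list[int] = []
        while True:
            shortlist = k_closest(seen, key)
            pending = [nid for nid in shortlist if nid not in queried]
            if not pending:
                return None, shortlist, queried
            for nid in pending:
                queried.append(nid)
                node = self.nodes[nid]
                if key in node.store:
                    return node.store[key], k_closest(seen, key), queried
                seen.update(node.known_peers())


if __name__ == "__main__":
    net = Network(200, seed=7)
    key = to_id(b"constructed rendezvous key")
    print("holders:", [hex(h)[:10] for h in net.publish(key, b"constructed value")])
    value, _, path = net.iterative_find(next(iter(net.nodes)), key)
    print("found", value, "after querying", len(path), "nodes")
```

The length of `queried` is the "command latency" the third trace-analysis slide refers to, measured in lookup hops rather than seconds; running `iterative_find` for an unpublished key returns the nearest nodes instead, which is the Key1 behaviour (searching the hash of one's own IP to discover the closest peers).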
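The "Bot analysis" and "Detection" slides describe two network-level signals: Sinit's random-IP discovery scan to port 53 produces a flood of ICMP type 3 (unreachable) replies, and a port- or fan-out-based rule alone produces false positives when legitimate software behaves similarly. The script below is an added example, not code from the slides or from the Schoof & Koning report: it parses flow records (constructed here in a simple CSV layout of my own, not the softflowd/nfdump export format), computes per-host fan-out and unreachable ratios, and shows that a recursive DNS resolver trips the fan-out rule while only the scanning host trips the ICMP rule. The thresholds and the 10.0.0.0/8 "internal" convention are assumptions.

```python
"""
Netflow-style heuristics for P2P bot discovery traffic (added example; not from the
slides or the cited report). Flow layout, thresholds and hosts are constructed.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass, field

FAN_OUT_THRESHOLD = 50   # distinct destination IPs per host in the window (assumed)
UNREACHABLE_MIN = 20     # ICMP type 3 replies received in the window (assumed)
UNREACHABLE_RATIO = 0.5  # fraction of outbound flows answered by ICMP type 3 (assumed)


def constructed_flows() -> str:
    """Synthetic CSV flow log: ts,src,dst,proto,dst_port,icmp_type.
    10.0.0.5 behaves like the Sinit discovery scan (UDP/53 to many random hosts, most
    answered by ICMP type 3); 10.0.0.2 is a recursive resolver that legitimately talks
    to many authoritative servers; 10.0.0.8 is an ordinary client using three resolvers."""
    rows = ["ts,src,dst,proto,dst_port,icmp_type"]
    ts = 0
    for i in range(1, 61):                          # 60 random-looking targets
        ts += 1
        rows.append(f"{ts},10.0.0.5,203.0.113.{i},udp,53,")
        if i <= 45:                                 # 45 do not exist -> ICMP 3 back
            rows.append(f"{ts},203.0.113.{i},10.0.0.5,icmp,,3")
    for i in range(1, 71):                          # resolver: 70 distinct servers, all up
        ts += 1
        rows.append(f"{ts},10.0.0.2,198.51.100.{i},udp,53,")
    for i in range(30):                             # client: 30 queries to 3 resolvers
        ts += 1
        rows.append(f"{ts},10.0.0.8,10.0.0.{2 + i % 3},udp,53,")
    return "\n".join(rows) + "\n"


@dataclass
class HostStats:
    outbound_flows: int = 0
    distinct_dsts: set = field(default_factory=set)
    unreachable: int = 0  # ICMP type 3 replies addressed to this host


def is_internal(ip: str) -> bool:
    return ip.startswith("10.")  # assumed monitored range


def parse_flows(text: str) -> dict:
    """Aggregate flow records per internal source host."""
    stats: dict = defaultdict(HostStats)
    for row in csv.DictReader(io.StringIO(text)):
        if row["proto"] == "icmp":
            # An unreachable reply is attributed to the internal host that provoked it.
            if row["icmp_type"] == "3" and is_internal(row["dst"]):
                stats[row["dst"]].unreachable += 1
        elif is_internal(row["src"]):
            s = stats[row["src"]]
            s.outbound_flows += 1
            s.distinct_dsts.add(row["dst"])
    return stats


def evaluate(stats: dict) -> dict:
    """Apply the two rules; returns host -> list of rule names that fired."""
    findings = {}
    for host, s in stats.items():
        fired = []
        if len(s.distinct_dsts) >= FAN_OUT_THRESHOLD:
            fired.append("fan_out")        # weak on its own: resolvers and P2P apps trip it
        ratio = s.unreachable / s.outbound_flows if s.outbound_flows else 0.0
        if s.unreachable >= UNREACHABLE_MIN and ratio >= UNREACHABLE_RATIO:
            fired.append("failed_discovery")  # random-IP scanning leaves this trail
        findings[host] = fired
    return findings


def analyse(text: str) -> dict:
    return evaluate(parse_flows(text))


if __name__ == "__main__":
    for host, fired in analyse(constructed_flows()).items():
        print(host, fired or "clean")
```

Combining the rules (flag a host only when `failed_discovery` fires, and use `fan_out` as supporting context) removes the resolver false positive; the open-port rule from the slides is harder to express on flows alone and is better taken from host-side listening-socket inventories.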