Take a Deep Breath: A Stealthy, Resilient and Cost-Effective Botnet Using Skype

  • Antonio Nappa
  • Aristide Fattori
  • Marco Balduzzi
  • Matteo Dell’Amico
  • Lorenzo Cavallaro
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6201)


Skype is one of the most used P2P applications on the Internet: VoIP calls, instant messaging, SMS and other features are provided at a low cost to millions of users. Although Skype is a closed source application, an API allows developers to build custom plugins which interact over the Skype network, taking advantage of its reliability and capability to easily bypass firewalls and NAT devices. Since the protocol is completely undocumented, Skype traffic is particularly hard to analyze and to reverse engineer. We propose a novel botnet model that exploits an overlay network such as Skype to build a parasitic overlay, making it extremely difficult to track the botmaster and disrupt the botnet without damaging legitimate Skype users. While Skype is particularly valid for this purpose due to its abundance of features and its widespread installed base, our model is generically applicable to distributed applications that employ overlay networks to send direct messages between nodes (e.g., peer-to-peer software with messaging capabilities). We are convinced that similar botnet models are likely to appear into the wild in the near future and that the threats they pose should not be underestimated. Our contribution strives to provide the tools to correctly evaluate and understand the possible evolution and deployment of this phenomenon.


Overlay Network Deep Breath Botnet Detection USENIX Security Symposium Gate Node 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Adnkronos International. Italy: Govt probes suspected mafia use of Skype (February 2009),
  2. 2.
    Anderson, N.: Is Skype a haven for criminals? (February 2006),
  3. 3.
    Baset, S., Schulzrinne, H.: An analysis of the Skype peer-to-peer internet telephony protocol. In: CoRR (2004)Google Scholar
  4. 4.
    BBC. Italy police warn of Skype threat (February 2009),
  5. 5.
    Binkley, J.R.: An algorithm for anomaly-based botnet detection. In: SRUTI 2006 (2006)Google Scholar
  6. 6.
    Biondi, P., Desclaux, F.: Silver Needle in the Skype (March 2006)Google Scholar
  7. 7.
    Blancher, C.: Fire in the Skype–Skype powered botnets (October 2006),
  8. 8.
    Bollobás, B.: Random Graphs. Cambridge University Press, Cambridge (January 2001)zbMATHGoogle Scholar
  9. 9.
    Cavallaro, L., Kruegel, C., Vigna, G.: Mining the network behavior of bots. Tech. Rep. 2009-12, Department of Computer Science, University of California at Santa Barbara (UCSB), CA, USA (July 2009)Google Scholar
  10. 10.
    Christodorescu, M., Jha, S., Seshia, S.A., Song, D., Bryant, R.E.: Semantics-aware malware detection. In: Proceedings of the 2005 IEEE Symposium on Security and Privacy, Oakland 2005 (2005)Google Scholar
  11. 11.
    Ciaccio, G.: Improving sender anonymity in a structured overlay with imprecise routing. LNCS. Springer, Heidelberg (2006)Google Scholar
  12. 12.
    CNET News. Hacking for dollars (July 2005),
  13. 13.
    CNET News. Skype could provide botnet controls (January 2006),
  14. 14.
    Cooke, E., Jahanian, F., McPherson, D.: The zombie roundup: understanding, detecting, and disrupting botnets. In: SRUTI 2005: Proceedings of the Workshop on Steps to Reducing Unwanted Traffic on the Internet (2005)Google Scholar
  15. 15.
    Danchev, D.: Skype to control botnets?! (January 2006),
  16. 16.
    Dell’Amico, M.: Mapping small worlds. In: IEEE P2P 2007 (2007)Google Scholar
  17. 17.
    Desclaux, F., Kortchinsky, K.: Vanilla Skype part 2 (June 2006)Google Scholar
  18. 18.
    Ebay. Ebay, Paypak, Skype 2009, Q1 financial report (2009),
  19. 19.
    Egele, M., Kruegel, C., Kirda, E., Yin, H.: Dynamic Spyware Analysis. In: Proceedings of the 2007 Usenix Annual Conference, Usenix 2007 (2007)Google Scholar
  20. 20.
    Franklin, J., Paxson, V., Perrig, A., Savage, S.: An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants. In: CCS 2007: Proceedings of the 14th ACM Conference on Computer and Communications Security (2007)Google Scholar
  21. 21.
    Freiling, F.C., Holz, T., Wicherski, G.: Botnet tracking: Exploring a root-cause methodology to prevent distributed denial-of-service attacks. In: Proceedings of 10 th European Symposium on Research in Computer Security, ESORICS (2005)Google Scholar
  22. 22.
    Gnutella Development Forum. Gnutella protocol specification,
  23. 23.
    Goebel, J., Holz, T.: Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation. In: HotBots 2007: Proceedings of the First Workshop on Hot Topics in Understanding Botnets (2007)Google Scholar
  24. 24.
    Gu, G., Perdisci, R., Zhang, J., Lee, W.: BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection. In: Proceedings of the 17th USENIX Security Symposium (2008)Google Scholar
  25. 25.
    Gu, G., Porras, P., Yegneswaran, V., Fong, M., Lee, W.: BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation. In: Proceedings of the 16th USENIX Security Symposium (2007)Google Scholar
  26. 26.
    Gu, G., Zhang, J., Lee, W.: BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic. In: Proceedings of the 15th Annual Network and Distributed System Security Symposium, NDSS 2008 (2008)Google Scholar
  27. 27.
    Gutmann, P.: The Commercial Malware Industry. In: Proceedings of the DEFCON conference (2007)Google Scholar
  28. 28.
    He, Q., Ammar, M.: Congestion control and message loss in Gnutella networks. In: Proceedings of SPIE (2003)Google Scholar
  29. 29.
    Holz, T., Steiner, M., Dahl, F., Biersack, E., Freiling, F.: Measurements and Mitigation of Peer-to-Peer-based Botnets:A Case study on Storm Worm. In: USENIX Workshop on Large Scale Exploits and Emerging Threats (2008)Google Scholar
  30. 30.
    IT World: Making a PBX ’botnet’ out of Skype or Google Voice? (April 2009),
  31. 31.
    Karasaridis, A., Rexroad, B., Hoeflin, D.: Wide-scale Botnet Detection and Characterization. In: HotBots 2007: Proceedings of the First Workshop on Hot Topics in Understanding Botnets (2007)Google Scholar
  32. 32.
    Lanzi, A., Sharif, M., Lee, W.: K-Tracer: A System for Extracting Kernel Malware Behavior. In: The 16th Annual Network and Distributed System Security Symposium, NDSS 2009 (2009)Google Scholar
  33. 33.
    Leiden, J.: Anti-mafia cops want Skype tapping (Feburary 2009),
  34. 34.
    Martignoni, L., Paleari, R.: WUSSTrace - a user-space syscall tracer for Microsoft Windows,
  35. 35.
    Martignoni, L., Stinson, E., Fredrikson, M., Jha, S., Mitchell, J.C.: A Layered Architecture for Detecting Malicious Behaviors. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 78–97. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  36. 36.
    Microsoft. MSDN Library on developing Windows User Interfaces,
  37. 37.
    Passerini, E., Paleari, R., Martignoni, L., Bruschi, D.: FLuXOR: Detecting and Monitoring Fast-Flux Service Networks. LNCS. Springer, Heidelberg (2008)Google Scholar
  38. 38.
    Pissny, B.: HotSanic, HTML overview to System and Network Information Center (July 2004),
  39. 39.
    Rajab, M.A., Zarfoss, J., Monrose, F., Terzis, A.: A Multifaceted Approach to Understanding the Botnet Phenomenon. In: IMC 2006: Proceedings of the 6th ACM SIGCOMM on Internet measurement (2006)Google Scholar
  40. 40.
    Sandberg, O.: Distributed routing in small-world networks. In: ALENEX 2006 (2006)Google Scholar
  41. 41.
    Schneier, B.: Bavarian government wants to intercept Skype calls,
  42. 42.
  43. 43.
    Starnberger, G., Kruegel, C., Kirda, E.: Overbot - A botnet protocol based on Kademlia. In: Proceedings of the International on Security and Privacy in Communication Networks, SecureComm., Istambul, Turkey (2008)Google Scholar
  44. 44.
    Stock, B., Goebel, J., Engelberth, M., Freiling, F., Holz, T.: Walowdac - Analysis of a Peer-to-Peer Botnet. In: European Conference on Computer Network Defense (EC2ND) (November 2009)Google Scholar
  45. 45.
    Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., Kruegel, C., Vigna, G.: Your Botnet is My Botnet: Analysis of a Botnet Takeover. In: Proceedings of the 16th ACM conference on Computer and Communications Security, CCS 2009 (2009)Google Scholar
  46. 46.
    Strayer, W.T., Walsh, R., Livadas, C., Lapsley, D.: Detecting botnets with tight command and control. In: Proceedings of the 31st IEEE Conference on Local Computer Networks (2006)Google Scholar
  47. 47.
    TechWorld. Cambridge prof. warns of Skype botnet threat. VoIP traffic can cover a multitude of sins (January 2006),
  48. 48.
    TechWorld. How bad is the Skype botnet threat? Skype’s sneakiness leads to a security risk (January 2006),
  49. 49.
    EU Forward. Forward: Managing Emerging Threats in ICT Infrastructures (2008),
  50. 50.
    Wurzinger, P., Bilge, L., Holz, T., Goebel, J., Kruegel, C., Kirda, E.: Automatically Generating Models for Botnet Detection. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 232–249. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  51. 51.
    Yen, T.-F., Reiter, M.K.: Traffic Aggregation for Malware Detection. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 207–227. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  52. 52.
    Yin, H., Song, D., Egele, D.M., Kruegel, C., Kirda, E.: Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis. In: CCS 2007: Proceedings of the 14th ACM Conference on Computer and Communications Security (2007)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Antonio Nappa
    • 1
  • Aristide Fattori
    • 1
  • Marco Balduzzi
    • 2
  • Matteo Dell’Amico
    • 2
  • Lorenzo Cavallaro
    • 3
  1. 1.DICoUniversità degli Studi di MilanoItaly
  2. 2.Eurecom Sophia-AntipolisFrance
  3. 3.Faculty of SciencesVrije Universiteit AmsterdamNetherlands

Personalised recommendations