
RatBot: Anti-enumeration Peer-to-Peer Botnets

Conference paper: Information Security (ISC 2011)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7001)

Abstract

As evidenced by the recent botnet turf war between SpyEye and Zeus, cyberspace has been witnessing an increasing number of battles or wars involving botnets among different groups, organizations, or even countries. One important aspect of a cyber war is accurately estimating the attack capacity of the enemy. In particular, each party in a botnet war would be interested in knowing how many compromised machines its adversaries possess. Towards this end, a technique often adopted is to infiltrate an adversary's botnet and enumerate the observed bots through active crawling or passive monitoring.

In this work, we study potential tactics that a botnet can deploy to protect itself from being enumerated. More specifically, we are interested in how a botnet owner can bluff about the botnet's size in order to intimidate the adversary, gain media attention, or win a contract. We introduce RatBot, a P2P botnet that is able to defeat existing botnet enumeration methods. The key idea of RatBot is the existence of a fraction of bots that are indistinguishable from their fake identities. RatBot prevents adversaries from inferring its size even after its executables are fully exposed. To study the practical feasibility of RatBot, we implement it on top of KAD and use large-scale, high-fidelity simulation to quantify the estimation errors under diverse settings. The results show that a naive enumeration technique can significantly overestimate the sizes of P2P botnets. We further present a few countermeasures that can potentially defeat RatBot's anti-enumeration scheme.




Copyright information

© 2011 Springer-Verlag Berlin Heidelberg


Cite this paper

Yan, G., Chen, S., Eidenbenz, S. (2011). RatBot: Anti-enumeration Peer-to-Peer Botnets. In: Lai, X., Zhou, J., Li, H. (eds) Information Security. ISC 2011. Lecture Notes in Computer Science, vol 7001. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24861-0_10


  • DOI: https://doi.org/10.1007/978-3-642-24861-0_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-24860-3

  • Online ISBN: 978-3-642-24861-0
