Transcript A System Prototype for Data Leakage Monitoring in the Cloud

1
Walowdac:Analysis of a
Peer-to-Peer Botnet
7/21/2015
林佳宜
NTOU CSIE
[email protected]
2
7/21/2015
Reference
• Stock, B., Goebel, J., Engelberth, M., Freiling, F.,
and Holz, T. Walowdac:Analysis of a Peer-toPeer Botnet. In European Conference on
Computer Network Defense (November 2009)
3
7/21/2015
Outline
•
•
•
•
Introduction
Waledac Botnet Structure
Analysis of Waledac
Conclusions
4
7/21/2015
Introduction
• Present our inltration of the “Waledac” botnet
▫ Storm Worm botnet
▫ responsible spam emails
• Clone of the Waledac bot named Walowdac
▫ implements the communication features
▫ not cause any harm
• Collected data about the Waledac botnet
▫ one month (August 6 and September 1, 2009)
5
7/21/2015
Waledac Botnet Structure
• Consists of four layers
▫ Spammers:
 carry out the spam campaigns
 no publicly reachable IP address
▫ Repeaters:
 entry points for bot
 own publicly reachable IP address
▫ Backend-Servers
 answer Spammers 、the fast-flux queries
▫ Uninfected Host
6
7/21/2015
Contributions
• Present the results of yet another analysis of
Waledac
• In contrast to the analysis of previous
decentralized botnets
• Find out more about the actual size of the botnet
7
7/21/2015
Propagation Mechanisms
• Waledac not own any built-in
propagation mechanisms
▫ bot not scan their local network
• Instead, Waledac propagates
▫ social engineering
▫ Spammers send out emails
• Email masked as greeting cards
▫ URLs to malicious binary
8
7/21/2015
Infiltration Methodology
• Implemented a script to imitate a valid Waledac
Repeater
▫ Implements all communication
▫ push several IP addresses of hosts running
Walowdac
▫ repeaters do not validate the list
• Walowdac sends a list of its own IP addresses to
the Repeater
▫ Spammer systems start to connect to us.
9
7/21/2015
10
7/21/2015
Botnet Size
• Results reveal that the actual size of the botnet
▫ by far bigger than expected
▫ a minimum population of 55,000 bots every day
▫ almost 165,000 active bots on a typical day
• Several changes to the botnet version
▫ version number between 33~46
11
7/21/2015
Botnet Size
• Identify Waledac botnet
▫ by a node ID
• Exposing in dierent auto nomous systems
▫ same node ID!?
• Between August 6th and September 1, 2009
▫ 248,983 dierent node IDs
▫ single day was 102,748 on August 24th
• Recalculated using the node ID and AS
▫ 164,182 bots on August 24th
12
7/21/2015
Cumulative distribution of IP(1/2)
• IP uniqueness criteria
▫ node ID and AS
▫ 403,685 bots
• IP Majority located
▫ 58.*~99.*
▫ 186.*~222.*
 North America
 Europe
13
7/21/2015
Cumulative distribution of IP(2/2)
• Spammers and Repeaters most originated
▫ the US or in Central Europe
14
7/21/2015
Waledac Versions(1/2)
• Bot some informaiton
▫ sent at the bot's first packet
▫ label:
 campaigns identied
 birdie6 and swift, with 12,5 percent
 version 46 are called “spyware”
15
7/21/2015
Waledac Versions(2/2)
• Waledac bots lack a decent update mechanism
• The version is 34~36 At the end of July
• The beginning of September most is version 46
16
7/21/2015
OS Versions
• Windows XP still makes up most of all
monitored bots
17
7/21/2015
Spam Campaigns
• Spammer reports the status for each email
▫ ERR or OK
• Monitoring phase
▫ received a total of 662,611,078 notications
▫ 167,784,234 were OK (25.32%)
18
7/21/2015
Conclusions
• Show it is possible to inltrate the Waledac
• Measurement results reveal that the actual size
of the botnet is by far bigger than expected
• Spam emails emitted by Waledac is very high
• The rapid changes to the malware with new
versions showing up almost every two weeks
19
Thanks for Your Attention
Q&A
7/21/2015