A Case Study on Storm Worm.ppt
[Figure titles: Search Activity; Publish Activity in Stormnet]

Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm
T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling
Proceedings of the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET08), 2008.
Reporter: 高嘉男
Advisor: Chin-Laung Lei
2009/08/04

Outline
Introduction
Botnet tracking adapted to P2P botnets
  Class of botnets considered
  Botnet tracking extended
Inside Storm Worm
  Propagation mechanism
  Network-level behavior
Case study: tracking Storm Worm
Conclusion

Introduction
IRC-based botnet
Botnet tracking:
  Acquire and analyze a copy of a bot
  Infiltrate the botnet
  Identify the central IRC server
P2P botnet: Storm Worm

Class of Botnets Considered
Unauthenticated content-based publish/subscribe-style communication:
  Peer-to-peer network architecture
  Content-based publish/subscribe-style communication
  Unauthenticated communication

Botnet Tracking Extended
Step 1: Exploiting the P2P bootstrapping process
  Getting hold of a bot by honeypot
Step 2: Infiltration and analysis
  Join the botnet to retrieve connection information
Step 3: Mitigation
  Can’t send information directly

Propagation Mechanism of Storm Worm
Similar to mail worms
Spamtraps: e-mail addresses not used for communication but to lure spam e-mails
Client honeypots to examine the links
  Only web browsers with a specific HTTP request header field will be exploited
  Send different exploits to install a copy of the Storm binary
  The exploit code changes periodically
  The binary itself is also polymorphic

Routing Lookup
OVERNET and Stormnet
DHT ID: randomly generated 128-bit ID
XOR distance: d(a, b) = a ⊕ b
Query from a to b: sent to the node in a's routing table that has the smallest XOR distance to b
  Route requests to three peers
  Route responses contain new peers even closer to the DHT ID of b

Publishing and Searching
Key: an identifier used to retrieve information
A key is published on twenty different p
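The Routing Lookup slide describes the XOR-distance, three-parallel-request lookup that Overnet and Stormnet use. The simulation below is an added example, not code from the paper or from the deck: it builds a constructed toy overlay of random 128-bit IDs with Kademlia-style per-bit routing tables (an assumption about table layout made for the simulation) and runs the iterative lookup, showing how each route response brings the searcher closer to the target ID. This is the kind of model a defender uses to estimate how many peers a crawler must contact to enumerate a Stormnet-like overlay.

```python
import random

ID_BITS = 128  # Overnet/Stormnet DHT IDs are random 128-bit values


def xor_distance(a: int, b: int) -> int:
    """The DHT's distance metric from the slide: d(a, b) = a XOR b."""
    return a ^ b


def closest(peers, target, n):
    """The n peers with the smallest XOR distance to target."""
    return sorted(peers, key=lambda p: xor_distance(p, target))[:n]


def build_tables(nodes, k):
    """Constructed toy overlay (assumed Kademlia-style layout): each node keeps up
    to k peers per bucket, a bucket grouping peers by the highest bit in which
    they differ from the node, so every distance range has a contact if one exists."""
    tables = {}
    for nid in nodes:
        buckets = {}
        for other in nodes:
            if other == nid:
                continue
            bucket = buckets.setdefault(xor_distance(nid, other).bit_length(), [])
            if len(bucket) < k:
                bucket.append(other)
        tables[nid] = [p for bucket in buckets.values() for p in bucket]
    return tables


def make_network(n_nodes, k=3, seed=7):
    """Deterministic constructed network of random 128-bit IDs."""
    rng = random.Random(seed)
    nodes = [rng.getrandbits(ID_BITS) for _ in range(n_nodes)]
    return nodes, build_tables(nodes, k)


def lookup(tables, start, target, alpha=3, k=3, max_rounds=200):
    """Iterative lookup as on the slide: each round route requests go to the alpha
    closest peers not yet queried; every route response returns the k entries of
    that peer's table closest to target; stop once the k closest known peers
    have all been queried (nothing closer is left to learn)."""
    known, queried, rounds = {start}, set(), 0
    while rounds < max_rounds:
        ordered = closest(known, target, len(known))
        pending = [p for p in ordered if p not in queried]
        if not any(p in pending for p in ordered[:k]):
            break  # converged
        rounds += 1
        for p in pending[:alpha]:
            queried.add(p)
            known.update(closest(tables[p], target, k))  # the peer's route response
    best = closest(known, target, 1)[0]
    return {"closest": best, "distance": xor_distance(best, target),
            "rounds": rounds, "queried": len(queried)}


if __name__ == "__main__":
    nodes, tables = make_network(400)
    print(lookup(tables, nodes[0], nodes[250]))  # distance 0: the target node itself
```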