  • Research on Botnets Based on the P2P Protocol

    Botnets have become one of the most closely watched threats in the field of network security. At present, botnets that use P2P protocols are gradually emerging. Building on an analysis of the Slapper worm, this paper studies the topology, functional structure and control mechanism of P2P botnets, and points out the development trends of P2P botnets.

    5 · 105 · 308KB · 2010-05-01 · 11
  • My Botnet is Bigger than Yours (Maybe, Better than Yours): Why Size Estimates Remain Challenging

    As if fueled by its own fire, curiosity and speculation regarding botnet sizes abounds. Among researchers, in the press, and in the classroom—the questions regarding the widespread effect of botnets seem never-ending: what are they? how many are there? what are they used for? Yet, time and time again, one lingering question remains: how big are today’s botnets? We hear widely diverging answers. In fact, some may argue, contradictory. The root cause for this confusion is that the term botnet size is currently poorly defined. We elucidate this issue by presenting different metrics for counting botnet membership and show that they lead to widely different size estimates for a large number of botnets we tracked. In particular, we show how several issues, including cloning, temporary migration, and hidden structures significantly increase the difficulty of determining botnet size with any accuracy. Taken as a whole, this paper calls into question speculations about botnet size, and more so, questions whether size really matters.

    5 · 110 · 244KB · 2010-05-01 · 0
  • The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets

    Global Internet threats are undergoing a profound transformation from attacks designed solely to disable infrastructure to those that also target people and organizations. Behind these new attacks is a large pool of compromised hosts sitting in homes, schools, businesses, and governments around the world. These systems are infected with a bot that communicates with a bot controller and other bots to form what is commonly referred to as a zombie army or botnet. Botnets are a very real and quickly evolving problem that is still not well understood or studied. In this paper we outline the origins and structure of bots and botnets and use data from the operator community, the Internet Motion Sensor project, and a honeypot experiment to illustrate the botnet problem today. We then study the effectiveness of detecting botnets by directly monitoring IRC communication or other command and control activity and show a more comprehensive approach is required. We conclude by describing a system to detect botnets that utilize advanced command and control systems by correlating secondary detection data from multiple sources.

    0 · 130 · 181KB · 2010-05-01 · 10
  • Evolutionary Proactive P2P Worm: Propagation Modeling and Simulation

    Computer worms have evolved continually, becoming faster and smarter. Proactive P2P worms with a new "gene" propagate over logical P2P overlay networks defined by peer relationships. Observations suggest that the node degrees of an unstructured P2P network are power-law distributed, thus we model it as a power-law undirected graph. We study the propagation process of proactive P2P worms using a dynamic epidemic model. Specifically, we adopt discrete time to conduct recursive analysis and a deterministic approximation to describe the propagation of proactive P2P worms. We then carry out extensive simulation studies, which show that the mathematical model matches the simulation results well.

    0 · 87 · 240KB · 2010-05-01 · 0
  • Detecting peer-to-peer botnets

    Spam, DDoS and phishing are common problems on the Internet nowadays. In the past, attackers tended to use centralized high-bandwidth connections to accomplish their tasks. Now that home users have high-bandwidth Internet connections, attackers have started infecting and using these home computers instead for their attacks. Attacking from distributed locations, attackers are harder to catch or stop and often have more bandwidth to abuse. New methods are required to detect the forming of these widespread networks of infected hosts, especially now that it seems attackers have discovered peer-to-peer (P2P) technology.

    0 · 81 · 94KB · 2010-05-01 · 3
  • As the Net Churns: Fast-Flux Botnet Observations

    While botnets themselves provide a rich platform for financial gain for the botnet master, the use of the infected hosts as web servers can provide an additional botnet use. Botnet herders often use fast-flux DNS techniques to host unwanted or illegal content within a botnet. These techniques constantly shift the mapping of the domain name to different bots within the botnet, while the bots simply relay content back to a central server. This can give the attackers additional stepping stones to thwart takedown and can obscure their true origins. Evidence suggests that more attackers are adopting fast-flux techniques, but very little data has been gathered to discover what these botnets are being used for. To address this gap in understanding, we have been mining live traffic to discover new fast-flux domains and then tracking those botnets with active measurements for several months. We identified over 900 fast-flux domain names from early to mid 2008 and monitored their use across the Internet to discern fast-flux botnet behaviors. We found that the active lifetimes of fast-flux botnets vary from less than one day to months, that domains used in fast-flux operations are often registered but dormant for months prior to activation, that these botnets are associated with a broad range of online fraud and crime activities, and that we can identify distinct botnets across multiple domain names. We support our findings through an in-depth examination of Internet-scale data continuously collected for hundreds of domain names over several months.

    0 · 128 · 131KB · 2010-05-01 · 10
  • Analysis of the Storm and Nugache Trojans: P2P is here

    Since the advent of distributed intruder tools in the late 1990s, defenders have striven to identify and take down as much of the attack network as possible, as fast as possible. This has never been an easy task, owing in large part to the wide distribution of attacking agents and command and control (C2) servers, often spread across thousands of individual networks, or Autonomous Systems in routing terms, around the globe. Differentials in the abilities and capabilities of these sites, as well as knowledge of what role the site plays in distributed attack networks (potentially many active at one time), make mitigation harder, as do differences in legal regimes, etc. [1]. Still, there has grown a huge population of researchers, security vendors, and organizations focused on identifying and mitigating distributed attack networks.

    0 · 83 · 272KB · 2010-05-01 · 9
  • An analysis of the Slapper worm

    During the past decade, security bugs’ impact on a society dependent on a seamless and secure flow of information has become painfully evident. We’ve all learned the implications of security bugs and breaches the hard way, in a defensive and after-the-fact manner that prompts us to plug holes quickly and then wait for the next big one to surface. With the overwhelming amount of bug reports and security threats made public every day, it is daunting and difficult to identify trends and have a reasonable expectation of adopting a proactive information security strategy that deals with possible future threats.

    5 · 96 · 226KB · 2010-05-01 · 9
  • Measurements and Mitigation of Peer-to-Peer-based Botnets - A Case Study on Storm Worm

    Botnets, i.e., networks of compromised machines under a common control infrastructure, are commonly controlled by an attacker with the help of a central server: all compromised machines connect to the central server and wait for commands. However, the first botnets that use peer-to-peer (P2P) networks for remote control of the compromised machines appeared in the wild recently. In this paper, we introduce a methodology to analyze and mitigate P2P botnets. In a case study, we examine in detail the Storm Worm botnet, the most wide-spread P2P botnet currently propagating in the wild. We were able to infiltrate and analyze in-depth the botnet, which allows us to estimate the total number of compromised machines. Furthermore, we present two different ways to disrupt the communication channel between controller and compromised machines in order to mitigate the botnet and evaluate the effectiveness of these mechanisms.

    0 · 134 · 1019KB · 2010-05-01 · 9
  • Computer virus scientists at the University of California, Santa Barbara (UCSB) on the torpig botnet

    Botnets, networks of malware-infected machines that are controlled by an adversary, are the root cause of a large number of security threats on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program that is designed to harvest sensitive information (such as bank account and credit card data) from its victims. In this paper, we report on our efforts to take control of the Torpig botnet for ten days. Over this period, we observed more than 180 thousand infections and recorded more than 70 GB of data that the bots collected. While botnets have been “hijacked” before, the Torpig botnet exhibits certain properties that make the analysis of the data particularly interesting. First, it is possible (with reasonable accuracy) to identify unique bot infections and relate that number to the more than 1.2 million IP addresses that contacted our command and control server. This shows that botnet estimates that are based on IP addresses are likely to report inflated numbers. Second, the Torpig botnet is large, targets a variety of applications, and gathers a rich and diverse set of information from the infected victims. This opens the possibility to perform interesting data analysis that goes well beyond simply counting the number of stolen credit cards.

    0 · 106 · 784KB · 2010-05-01 · 3