< April Fool's Day & Storm | WOMBAT / FORWARD >

LEET'08: Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm

Next week at the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET'08), I will present our work on Storm Worm and the measurement results. The full paper is now available. See you at LEET next week!

Abstract:
Botnets, i.e., networks of compromised machines under a common control infrastructure, are commonly controlled by an attacker with the help of a central server: all compromised machines connect to the central server and wait for commands.

However, the first botnets that use peer-to-peer networks for remote control of the compromised machines appeared in the wild recently. In this paper, we introduce a methodology to analyze and mitigate peer-to-peer botnets. In a case study, we examine in detail the Storm Worm botnet, the most wide-spread peer-to-peer botnet currently propagating in the wild. We were able to infiltrate and analyze in-depth the botnet, which allows us to estimate the total number of compromised machines. Furthermore, we present two different ways to disrupt the communication channel between controller and compromised machines in order to mitigate the botnet and evaluate the effectiveness of these mechanisms.
This entry was posted by Thorsten Holz on Friday, April 11. 2008 at 11:24. and is filed under malware, paper. You can leave a response, or trackback from your own blog. All new comments are subject to moderation before being displayed.

Trackbacks

Trackback specific URI for this entry
  1. Storm Worm Dead?

    The Internet Storm Center had today a story about a "New Stormworm download site". The Storm Worm botnet is thus still live and propagating. However, the size of the botnet is decreasing significantly: Currently, only about 8.2K hosts are online within th

    Weblog: honeyblog
    Tracked: Jun 03, 13:09

Comments

Display comments as (Linear | Threaded)

  1. Mike says:
    #1 2008-04-20 10:28 (Reply)

    Nice article and great work!

  2. Anonymous says:
    #2 2008-04-21 20:25 (Reply)

    Great work! Will you be posting slides again?


Add Comment


Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA
 
Submitted comments will be subject to moderation before being displayed.