Walowdac – Analysis of a Peer-to-Peer Botnet

One of the most interesting botnets of 2009 was Waledac: the botnet implements a peer-to-peer-based communication channel and it can be seen as the successor of Storm Worm, since it implemented many similar ideas (e.g., a very similar language for spam templates was used). The researchers from Trend Micro had published an analysis of the botnet and we also examined the botnet. The result is a paper entitled "Walowdac - Analysis of a Peer-to-Peer Botnet": instead of passively observing the network, we implemented an active infiltration component. We emulate the protocol of a bot and are able to observe the inner communication aspects of the network. As a result, we obtain an in-depth overview of the botnet that enables us to study different aspects of the network, e.g., the efficiency of the spam campaigns or the number of active bots. As a small peek at the results, the following picture shows the number of active bots in different countries on a specific day in August 2009. We can for example observe diurnal patterns and clearly see the effects of timezones on the size of the botnet:


Abstract:
A botnet is a network of compromised machines under the control of an attacker. Botnets are the driving force behind several misuses on the Internet, for example spam mails or automated identity theft. In this paper, we study the most prevalent peer-to-peer botnet in 2009: Waledac. We present our infiltration of the Waledac botnet, which can be seen as the successor of the Storm Worm botnet. To achieve this we implemented a clone of the Waledac bot named Walowdac. It implements the communication features of Waledac but does not cause any harm, i.e., no spam emails are sent and no other commands are executed. With the help of this tool we observed a minimum daily population of 55,000 Waledac bots and a total of roughly 390,000 infected machines throughout the world. Furthermore, we gathered internal information about the success rates of spam campaigns and newly introduced features like the theft of credentials from victim machines.

The paper was joint work with Ben Stock, Jan Göbel, Markus Engelberth, and Felix C. Freiling. The full paper is available at http://honeyblog.org/junkyard/paper/waledac-ec2nd09.pdf and it was published at EC2ND 2009.
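The population figures above (minimum daily population, total number of infected machines, diurnal pattern per country) come down to counting distinct bot identifiers over different time windows. The following is an added example, not code from the paper or from Walowdac itself; it assumes the crawler records one sighting per (timestamp, bot identifier, country) and uses a constructed sample of such records.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of sightings as a protocol-emulating crawler might record
# them: (UTC timestamp, bot identifier, country code). All values are made up.
SIGHTINGS = [
    ("2009-08-10 01:00", "bot-a", "US"),
    ("2009-08-10 02:00", "bot-b", "US"),
    ("2009-08-10 09:00", "bot-c", "DE"),
    ("2009-08-10 10:00", "bot-a", "US"),
    ("2009-08-10 10:00", "bot-b", "US"),
    ("2009-08-10 10:00", "bot-d", "DE"),
    ("2009-08-11 03:00", "bot-a", "US"),
    ("2009-08-11 09:00", "bot-c", "DE"),
    ("2009-08-11 22:00", "bot-e", "BR"),
]


def parse(sightings):
    """Turn the raw tuples into (datetime, bot id, country) triples."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), bot, cc)
            for ts, bot, cc in sightings]


def hourly_active_by_country(sightings):
    """Distinct bots per (country, UTC hour bucket).

    Plotting these counts per country over a day is what exposes the
    diurnal pattern and the timezone offsets between countries.
    """
    seen = defaultdict(set)
    for ts, bot, cc in parse(sightings):
        seen[(cc, ts.strftime("%Y-%m-%d %H"))].add(bot)
    return {key: len(bots) for key, bots in seen.items()}


def daily_population(sightings):
    """Distinct bots seen per calendar day (UTC)."""
    seen = defaultdict(set)
    for ts, bot, _ in parse(sightings):
        seen[ts.date().isoformat()].add(bot)
    return {day: len(bots) for day, bots in seen.items()}


def population_summary(sightings):
    """Minimum daily population and total distinct bots over the whole run.

    The two numbers differ because bots churn: a machine seen on one day
    is often offline on the next, so the daily minimum is a lower bound
    on the live population while the distinct total counts every infection.
    """
    daily = daily_population(sightings)
    total = len({bot for _, bot, _ in sightings})
    return {"min_daily": min(daily.values()), "total_unique": total}
```

Real crawls must also deduplicate bots that change IP address; the sample keys on a stable bot identifier for that reason.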

Trackbacks

  1. PingBack

  2. Tramadol.

    Congratulations guys! Thanks a lot for taking down this botnet, greatly appreciated!

Comments


  1. SEO Chicago says:

    Security issues with our computer network keep our IT department very busy. We even had a few people access restricted files. I really hope that we can avoid online issues in the future.

  2. Przeczytaj says:

    I know exactly what you mean, security issues can be very time consuming to fix. Very interesting analysis by the way.

  3. Juicer Reviews says:

    I get a lot of great information here and this is what I am searching for. Thank you for your sharing. I have bookmarked this page for my future reference.

    Thanks again once more.

  4. replica designer sunglasses says:

    Extraordinarily glad initially to discover The following!

  5. smart card says:

    We always are dealing with security issues on our computer network due to the business industry we are in. I guess botnets help keep IT people employed so that they have something to fix. I wish we could find a way to stop botnets altogether though. I'm tired of the risk of identity theft and other security threats.

  6. wenger says:

    Thanks for sharing such informative post. Like reading this post. Thanks http://www.backpackunion.com wenger backpack

  7. used car sales says:

    Here is a good description of a botnet, which is a network of compromised machines under the control of an attacker. Thank you for this news.

  8. Patio furniture orange county says:

    Great article. You did a great job :)

  9. emergency seed bank says:

    How easy is it to get computer viruses using peer to peer file transfers? I don't want to have spyware on my computer.

  10. High Page Rank Backlinks says:

    Interesting read, although I wish he'd told you more of his coming games. As much as I like Sid's old games, I am not sure he still can deliver something entirely new. Let's wait and see.

  11. kratom says:

    Do bot-net viruses attack bank servers? I wonder if my herb and kratom website is going to be attacked in the future?

  12. Jami Seal says:

    Thanks for this. Great post

  13. Tight Line Productions says:

    Solid information, although is there going to be a sequel or an update to this?

  14. coffee beans wholesale says:

    I agree with you. This post is truly inspiring. I like your post and everything you share with us is current and very informative, I want to bookmark the page so I can return here from you that you have done a fantastic job

  15. Dr. Arthur Stember says:

    Great information here. Do you update your blog frequently?

  16. seo melbourne fl says:

    Way to present everything in a professional manner. Truly a great job.

  17. Fountain of You says:

    I found this indexed in Google -- was it intentional?

  18. Creep Tee Shirts says:

    Wonderful post. I am searching awesome news and idea. What I have found from your site, it is actually highly content. You have spent long time for this post. It's a very useful and interesting site. Thanks!

  19. Yellow Dog Cafe says:

    Great content, post, and truly inspirational stuff here.

  20. Dubstep says:

    I love Dubstep Music !

  21. Extreme Air and Electric says:

    Thanks a lot for the positive post. You really put things into perspective. Thank you.

  22. Lipozene Reviews says:

    I am very much overwhelmed by your thoughts for this particular story. A more deeper and staged knowledge would be good for me

  23. steel trusses says:

    There are so many different aspects when it comes to this topic. Thank you so much for sharing your knowledge on this particular aspect.

  24. Ray Ban says:

    If this is the case, and I get a message around the order of bit wrong identification Wan money, but also that there is new material, boredom

  25. http://mbtshoesukmidland.blog.co.uk/ says:

    Recently there is a news report: henan XinMiShi Zhang Haichao workers, in June 2004 to zhengzhou cooperates wear-resistant materials co.

  26. Vista problems says:

    It is true that One of the most interesting botnets of 2009 was Waledac. I was actually in search of this topic because I have to conduct a seminar regarding the same. I have book marked your page for further updates. Keep up the good work. Regards

  27. Mont Blanc Pens UK says:

    Fabulous internet page you possess these. Extraordinarily glad initially to discover The following!

  28. new homes melbourne florida says:

    Cool stuff -- your website and blog are really unique, and that's really evident by all of the comments. Keep up the great work!

  29. saffron extract reviews says:

    I found the call for silence, the best you can save site advertising information. Keep it up!

  30. appointment setting services says:

    As much as I like Sid's old games, I am not sure he still can deliver something entirely new. Let's wait and see.

  31. obat kuat says:

    Great things you’ve always shared with us. Just keep writing this kind of posts. The time which was wasted in traveling for tuition now can be used for studies.

  32. xbox one hard drive says:

    Thanks for your info on botnets!

  33. alen says:

    Thanks for posting!

  34. Sun Plumbing says:

    Really good stuff here. I must say, you're an extremely talented blogger and writer. Way to keep the topics relevant and stay connected with your readers.

  35. Xbox One says:

    Great info got sure. Thanks for posting.
