SlideShare uma empresa Scribd logo
1 de 8
Baixar para ler offline
Walowdac – Analysis of a Peer-to-Peer Botnet∗
    Ben Stock1 , Jan G¨bel1 , Markus Engelberth1 , Felix C. Freiling1 , and Thorsten Holz1,2
                      o
      1                                                                  2
          Laboratory for Dependable Distributed Systems                 Secure Systems Lab
                    University of Mannheim                          Technical University Vienna


Abstract                                               Denial of Service (DDoS) attacks threaten every
                                                       system connected to the Internet. Therefore, it
A botnet is a network of compromised machines          is crucial to explore ways of detecting and miti-
under the control of an attacker. Botnets are          gating current and new botnets.
the driving force behind several misuses on the           The first generation of botnets uses a central
Internet, for example spam mails or automated          Command & Control (C&C) server to dispatch
identity theft. In this paper, we study the most       commands. This type of botnet is rather well-
prevalent peer-to-peer botnet in 2009: Waledac.        understood [4, 7, 14] and the technique of botnet
We present our infiltration of the Waledac bot-         tracking [7] is now a standard method to miti-
net, which can be seen as the successor of the         gate this type of threat. The second generation
Storm Worm botnet. To achieve this we im-              of botnets tries to avoid a centralized infrastruc-
plemented a clone of the Waledac bot named             ture by using a peer-to-peer-based communica-
Walowdac. It implements the communication              tion mechanism [8]. The most prominent exam-
features of Waledac but does not cause any             ple for this class of botnets is the Storm Worm
harm, i.e., no spam emails are sent and no other       botnet that used a distributed hash table as com-
commands are executed. With the help of this           munication medium. This mechanism offered a
tool we observed a minimum daily population            rather centralized way to infiltrate and analyze
of 55,000 Waledac bots and a total of roughly          the botnet [10, 11].
390,000 infected machines throughout the world.           The Waledac botnet can be regarded as the
Furthermore, we gathered internal information          successor of Storm Worm. However, Waledac
about the success rates of spam campaigns and          uses a more decentralized store-and-forward
newly introduced features like the theft of cre-       communication paradigm and new communica-
dentials from victim machines.                         tion protocols so we had to develop novel tech-
                                                       niques to track this botnet.
1     Introduction
                                                       Related Work. The communication proto-
Botnets, i.e., networks of compromised under the       col used by Waledac was already studied by
control of an attacker, are nowadays one of the        Leder [12] and Sinclair [15]. Symantec [16] and
most severe threats in Internet security. With a       Trend Micro [1] recently released reports about
large number of participating bots, a tremendous       the implemented features of Waledac, including
number of spam emails can be send out to for           the spam template system, as well as attempts
example acquire new hosts, or to advertise a di-       to measure the size of the botnet. A study by
verse set of products. Additionally, Distributed       ESET [2] estimated the size of the Waledac bot-
   ∗
                                                       net around 20,000 bots.
     Thorsten Holz was supported by the WOMBAT and
FORWARD projects funded by the European Commis-
                                                         Another study focussing on Waledac was per-
sion, and the FIT-IT Trust in IT-Systems (Austria) un- formed by Borup [3]. The focus of this work is on
der the project TRUDIE (P820854).                      the C&C protocol, the binary obfuscation tech-

                                                   1
niques, as well as mitigation methods against the 2 Background
botnet. The author describes a Sybil attack [6]
that we also used to generate the statistical data In this section, we briefly describe the setup of
that we present in this paper.                     the Waledac botnet and its propagation mecha-
                                                   nism. More details of the botnet and the tech-
                                                   nical aspects of its implementation are available
Contributions. In this paper, we present the in different studies [1, 3, 12, 15, 16].
results of yet another analysis of Waledac. Our
focus was to try and verify previous measure-
                                                   2.1 Waledac Botnet Structure
ments as well as building and refining tools to
study the botnet efficiently. In contrast to the The botnet consists of (at least) four different
analysis of previous decentralized botnets, a sim- layers, that we describe in the following from
ple crawling of active peers was no solution to bottom to top. Figure 1 shows how these lay-
gather in-depth information like the size of the ers are connected and what kind of information
botnet. Instead, we implemented a bot clone is exchanged between them.
to infiltrate the network and capture all data
passing through this system. Furthermore, to
measure the size we actively interfered with the                    Mothership?
botnet to inject the IP addresses of our analysis
systems, a method not applied before.
  We collected data about the botnet for almost
one month between August 6 and September 1,
                                                                                     Commands
2009. Our measurement results reveal that the                 Backend-               Fast-Flux Traffic
actual size of the botnet is by far bigger than                Server               Repeaterlists

expected, rendering Waledac one of the most ef-
ficient spam botnets in the wild. We observed
a minimum population of 55,000 bots every day,
with almost 165,000 active bots on a typical day.
In total, we counted more than 390,000 individ-                            Repeater             Repeater

ual bots indicating a similar number of infected
machines during the measurement period.
  While investigating the botnet, we also wit-
nessed several changes the bot master applied
to the botnet to introduce new features like the            Spammer
                                                                                    Uninfected
theft of credentials. We started our research with                                     Host
version 33 of Waledac and finished our obser-
vation with version 46. Thus, the botnet is in
                                                   Figure 1: Schematic overview of the Waledac
active development with frequent updates and
                                                   botnet hierarchy.
changes to the core functionality.
                                                         At the lowest level of the botnet hierarchy are
Outline. This paper is organized as follows:           the so called Spammers. These systems are used
Section 2 gives a brief background on how the          to carry out the spam campaigns. The prop-
Waledac botnet is structured, the different roles       erty that distinguishes Spammers from the other
of a bot, and their tasks in the botnet. We            bots in the network, is that they do not have
present in Section 3 the different experiments we       a publicly reachable IP address. That means
performed while monitoring the botnet and the          Spammers are for example located behind NAT
results we achieved. Finally, we conclude this         routers and therefore cannot be accessed from
paper in Section 4.                                    the Internet directly. The benefit of this prop-

                                                   2
erty is that although Spammers generate the              to ensure that no attacker can insert his own
most attraction due to the massive sending of            Backend-Servers into the botnet.
spam emails, they cannot be easily tracked down.
   At the next level are the so called Repeaters.        2.2   Propagation Mechanisms
These are the entry points for any new bot join-
ing the network, as well as, the place to go for         The Waledac bots themselves do not own any
every running bot. For this reason only bots that        built-in propagation mechanisms. That means,
own a publicly reachable IP address can become           infected hosts do not scan their local network
a Repeater. A Repeater can be considered as              for vulnerable systems. Instead, Waledac propa-
a mediator between the first (lowest) and third           gates with the help of social engineering. Hence,
(backend) layer of the botnet. Spammers con-             Spammers are frequently instructed to send out
tact the Repeaters to acquire new tasks from             emails with URLs pointing to current version of
the bot master or report the success of previous         Waledac. To increase the probability of infect-
operations. These requests are relayed to the            ing new hosts, the self propagation emails are
next layer, the so called Backend-Servers. Ad-           usually masked as greeting cards that host the
ditionally, the Repeaters act as fast-flux agents         malicious binary, similar to Storm Worm [10].
for the different Waledac fast-flux domains [9].
That means they also relay HTTP requests of                                                                                             Backend-
uninfected hosts.                                                                                                                        Server

   The next level consists of the Backend-Servers
that answer both the transmitted requests of


                                                                                                                                        8.) Waledac Binary
                                                                                                  7.) GET /binary.exe
                                                                 3.) Send Spam

the Spammers and the fast-flux queries of the                                     2.) Task?
Repeaters. As the Backend-Servers are per-
fectly synchronized and use a webserver software,
called nginx, that is mainly used for proxy pur-
poses, the assumption of a single server (mother-                                                                                       Repeater
ship) on top of the botnet is obvious. However,                                                                                                                     6.)
                                                                                                                                                                          GE                    Uninfected
only the analysis of one of the Backend-Servers                                                                                                              9.)
                                                                                                                                                                            T/
                                                                                                                                                                              bin
                                                                                                                                                                                      ary
                                                                                                                                                                                                   Host
                                                                                                                                                                   Wa                    .ex
                                                                                                                                                                      le
can prove this assumption right.
                                                                                                                        4.) Send Spam




                                                                                                                                                                          dac               e
                                                                                                                                                                                Bin
                                                                                                                                                                                     ary
                                                                                      1.) Task?




   Although in related works Waledac is referred
to as a pure peer-to-peer botnet, it uses a cen-
                                                                                                                                                                                  il?
tralized structure in the upper layers and only                                                                                                                                -Ma
                                                                                                                                                                   S      pam
the lower ones (Spammers and Repeaters) make                                                                                                                   5.)

up the peer-to-peer part. For this reason, the
Repeaters and the Spammers continuously ex-                                                                     Spammer

change lists of currently active Repeaters. This
ensures that any bot at any time has at least one        Figure 2: Schematic overview of the Waledac in-
currently running Repeater in his list to join the       fection cycle.
botnet. As an additional backup, each bot bi-
nary contains a hardcoded fail-over URL which              Figure 2 visualizes the infection cycle of the
itself is hosted within the fast-flux network of          Waledac botnet. The number at each line
Waledac. This URL points to another list of              indicates the order in which actions are per-
active Repeaters. Thus, if a bot is unable to            formed. The infection cycle can be summarized
contact ten Repeaters consecutively on its local         as follows: a Spammer frequently queries one
list, it downloads a new list from the fail-over         of the active Repeaters for new tasks to per-
URL. Additionally, Repeaters exchange lists of           form. These queries are relayed to one of the
the currently active Backend-Servers. This list is       Backend-Servers, that in turn replies with the
signed with the private key of the botnet herder,        current task. In this case, the task is to send

                                                     3
out spam messages for propagation. An unin-                            In order give a more precise lower bound of the
fected host that receives one of the emails and                     Waledac botnet, we push several IP addresses of
follows the embedded link issues a request for                      hosts running Walowdac into the botnet. This is
the current Waledac binary to one of the fast-                      possible as Repeaters do not validate the list of
flux agents currently assigned to this domain.                       Repeater IP addresses they receive. Thus, any-
Again, one of the Backend-Servers transmits the                     time our script connects to a Repeater, it sends a
requested content across the agent back to the                      list of its own IP addresses to the Repeater. As a
requesting host. Depending on the reachability                      result, the IP addresses of our Walowdac systems
of the freshly infected host, it will either show                   are propagated throughout the complete botnet
up as a new Repeater or Spammer.                                    and Spammer systems start to connect to us.
                                                                    Figure 3 depicts the single steps performed to
                                                                    distribute the IP addresses of our fake Repeater.
3     Measurements                                                     That way, we are able to measure not only the
For our measurements we ran multiple instances                      number of Repeaters, but also a large fraction
of Walowdac on computers at Mannheim univer-                        of Spammers. Among the information we store
sity. Considering the single location, all our re-                  while running our Waledac imitation are times-
sults for the size should be seen as lower bounds.                  tamps, IP addresses and identification numbers
                                                                    of connecting hosts, Windows and Waledac ver-
                                                                    sions, as well as Spam campaign data distributed
3.1   Methodology: Walowdac
                                                                    through the botnet. With the newer versions of
Our main objective while investigating Waledac                      Waledac we also captured stolen credentials of
was to find out more about the actual size of                        POP3, FTP, and HTTP accounts. During our
the botnet. As the Spammers are not reachable,                      monitoring period of one month, we collected
just crawling the Repeaters does not provide an                     login data for 128,271 FTP, 93,950 HTTP, and
accurate size of the botnet. To circumvent this                     39,051 POP3 accounts. We have not yet further
problem and to provide a much more accurate                         investigated the stolen credentials, as this is out
number of bots, we implemented a script to imi-                     of the scope of this paper.
tate a valid Waledac Repeater. The software im-                        All bots within the Waledac botnet can be
plements all communication parts of a Repeater,                     identified by a node ID. This node ID is gen-
but answers the requests directly instead of for-                   erated directly after an infection and does not
warding them. We refer to this script as Walow-                     change throughout the lifetime of a bot. Bots
dac, as it is a low-interaction Waledac clone.                      embed this node ID in every message they ex-
                                                                    change [16] so it is a good candidate to define a
                        1.) fake peerlist                           uniqueness criterion.
                                                Walowdac
        Repeater

                                                                    3.2   Results
                                                                    The results described in this section were gath-
                             3.
                             )f
                              ak




                                                                    ered between August 6th and September 1st,
                                  e
                                  pe
                                      er




                                                                    2009. For the allocation of IP addresses to
                                       lis




                                                        ac o
            2.




                                        t




                                                      wd ct t
             )n




                                                                    countries we used the free version of the GeoIP
                                                  alo e
               ew




                                                W onn
                   pe




                                                                    database maintained by MaxMind [13].
                                                    c
                    er




                                                4.)
                    lis
                        t?




                                               Botnet Size. During the data collection pe-
                                      Spammer
                                               riod, we measured 248,983 different node IDs.
                                               The maximum number of node IDs on a sin-
Figure 3: Injecting fake Repeater IP addresses gle day was 102,748 on August 24th. Although
into the botnet.                               the node IDs are randomly generated and should

                                                                4
Figure 4: Distribution of running bots according to their location and time on August 24th.



be unique across the botnet, we also monitored
several hosts originating in different autonomous
                                                                                              160000 240000 320000 400000


systems (AS), using the same node ID. The rea-
son might be collisions in the node ID generation
                                                           Bots' IP addresses (accumulated)




algorithm used by Waledac. With this fact in
mind we recalculated the number of bots on Au-
gust 24th using the node ID and AS as unique-
ness criteria, resulting in a total of 164,182 bots.
The size of the Waledac botnet we obtained is                                                                                                                        188.0.0.0           223.0.0.0
                                                                                              80000




much higher than previous estimations published                                                                                       58.0.0.0          100.0.0.0

by Trend Micro [1] or ESET [2].
                                                                                              0




  Figure 4 shows the hourly number of bots run-
                                                                                                                            0.0.0.0     50.0.0.0   100.0.0.0    150.0.0.0    200.0.0.0     250.0.0.0
ning on August 24th worldwide. For comparison
                                                                                                                                                       IP address space
the figure also shows the number of bots located
in Central Europe and North America, at the
particular hours. The picture also shows the fluc-          Figure 5: Cumulative distribution of IP ad-
tuation (diurnal pattern) of running bots due to           dresses infected with Waledac.
the different time zones they are located in [5].
Throughout our measurement period, we moni-
tored at least 55,000 node IDs, i.e. active bots,
every day.                                                 prise, as most of these IP addresses are managed
                                                           by the Regional Internet Registries ARIN and
  A cumulative distribution of the bots’ IP ad-
                                                           RIPE NCC, which are responsible for the regions
dresses is shown in Figure 5. We counted all
                                                           North America and Europe, respectively.
bots monitored during the whole data collection
period and again used the node ID and AS as                  This fact is also reflected in Table 6a: Most of
uniqueness criteria. As a result, we counted               the Spammers originated in the US or in Central
a total of 403,685 bots. The distribution is               Europe. The distribution of the Repeaters (see
highly non-uniform: The majority of bots are lo-           Table 6b) is very similar and differs only in the
cated in the IP address ranges between 58.*–99.*           order of the countries. The main difference is
and 186.*–222.*. This does not come as a sur-              that there are more Repeaters in India than in

                                                       5
Table 6: Top countries in which Waledac bots are located.

          Country            # Bots   Percentage              Country                   # Bots       Percentage
          United States      67,805      17.34%               United States              5,048          19.50%
          United Kingdom     30,347       7.76%               India                      1,456           5.63%
          France             27,542       7.04%               France                     1,386           5.36%
          Spain              23,065       5.90%               United Kingdom             1,348           5.21%
          India              21,503       5.50%               Spain                      1,191           4.60%
          Other             220,807      56.46%               other                     15,452          59.70%
                       (a) Spammers                                             (b) Repeaters


the United Kingdom and more Spammers in the
                                            Listing 1: First packet sent after negotiating the
United Kingdom than in India.
                                            session key.
                                                          <lm>
Waledac Versions and Distribution Cam-                      <t>f i r s t </t>
paigns. At the beginning of our measurement                 <v>34</v>
phase most of the monitored bots were running               <i >4b 5 d a 6 1 f 8 d 1 4 e 5 3 f e 9 2 5 2 6 6 9 4 2 7 7 6 9 5 e </i >
                                                            <r >0</r>
Waledac version 34. The bot’s version number                <props>
is sent in all its communication packets.                      <p n=” l a b e l ”> m i r a b e l l a s i t e </p>
   An example of a so called first packet is shown              <p n=”winver ” >5.1.2600 </p>
in Listing 1. These kind of packets are only sent           </props>
                                                          </lm>
at the bot’s first start after negotiating the ses-
sion key. The version number is included in the
<v>-tag [1, 3, 12, 15, 16].
   On July 20, 2009, the botnet was ordered to              Next to the current version installed on a
download and run version 36 of Waledac. How-              Waledac bot, bots also send the name of the cam-
ever, the command was issued just for a couple of         paign which distributed the binary. For exam-
hours, thus, systems not online during this time          ple, this information is also included in the first
were unable to update. As a result, even two              packets (see Listing 1) – <p>-tag with attribute
weeks after the update was issued (July 31st),            n="label". At the beginning of July the biggest
still more than 30 percent of the bots we mon-            campaigns identified were birdie6 and swift, with
itored were running the old version 34. That              12,5 percent of all infected machines. The cur-
means, Waledac bots lack a decent update mech-            rent campaigns distributing version 46 are called
anism, since although bots propagate their run-           spyware.
ning version, they are not updated once the com-
mand is no longer issued. On July 25th, we
monitored the first version 39 bots connecting to          OS Version of Infected Machines. Al-
our fake Repeater script. The latest version we           though Waledac bots do not continuously send
monitored was 46, which indicates, that the bot-          their operating system version with every packet,
net is still actively developed. With version 36,         but only the first, we managed to capture few of
the collection of user credentials was introduced.        these first packets. However, only about 10 per-
Table 1 summarizes the distribution of Waledac            cent of all monitored bots established this initial
versions monitored on two different days. At the           connection to Walowdac. Thus, the results of
end of July, most bots are still running version 34       this measurement provide a coarse overview of
and 36. With the beginning of September this              the distribution of the operating systems run-
shifted to almost 60% of the bots running the             ning on infected machines. Table 2 summarizes
newest version 46.                                        the operating system codes found in initial pack-

                                                      6
Table 1: Distribution of Waledac version across all monitored bots at the end of July and beginning
of September.
                      Versionscode   31.7.2009 (65,924 Bots)   9.9.2009 (74,280 Bots)
                      < 33                       114 (0.17%)               86 (0.12%)
                      33                         440 (0.67%)              270 (0.36%)
                      34                  20,718 (31.43%)             9,344 (12.58%)
                      35                          51 (0.08%)               36 (0.05%)
                      36                  35,572 (53.96%)            10,547 (14.20%)
                      37                       2,658 (4.03%)              362 (0.49%)
                      39                       5,681 (8.62%)            1,650 (2.22%)
                      40                         689 (1.05%)               69 (0.09%)
                      41-45                        0 (0.00%)          8,174 (11.00%)
                      46                           0 (0.00%)       43,742 (58.89%)


            Table 2: Distribution of Windows version codes (June 28th till July 18th.)
                    code       belongs to                      number    percent of bots
                    5.1.2600   XP (32 Bit)                      10,899            90.2%
                    6.0.6001   Vista (SP1), Server 2008            678             5.6%
                    6.0.6000   Vista                               353             2.9%
                    6.0.6002   Vista SP2, Server 2008 (SP2)         78             0.6%
                    5.2.3790   XP (64 Bit), Server 2003             39             0.3%
                    5.0.2195   2000                                 27             0.2%


ets. Windows XP still makes up most of all mon- end up in a user’s inbox. A recent experiment
itored bots, to no surprise.                        by ESET [2] revealed that on average a Spam-
                                                    mer using a normal dial-up account sends about
                                                    6,500 emails per hour, resulting in about 150,000
Spam Campaigns. Throughout the analysis
                                                    spam mails per day.
time we monitored different pharmacy and email
                                                      Taking into account that we monitored at least
harvesting campaigns. The harvesting emails
                                                    10,000 bots online at any time of day, gives
advertised cheap watches with the invitation to
                                                    Waledac a spam capacity of
contact certain emails if interested. Additionally,
several Waledac propagation campaigns were ob-         6, 500 ∗ 24 ∗ 10, 000 ∗ 0.2532 = 394, 992, 000
served. For this purpose, the botnet herder used
special events, like Valentines or Independence delivered mails per day. This number is only a
Day, to send out masses of spam messages con- rough estimation and corresponds to the emails
taining links to Waledac binaries. The same be- actually accepted by the receiving mailservers –
havior was already observed with Storm.             theoretically Waledac is able to send more than
   After each spam run a Spammer reports the 1.5 billion spam mails per day. However, this also
status of the transaction for each email. The sta- is only valid for 10,000 bots each hour with our
tus can either be ERR or OK. Thus, it is possible monitoring showing up to 30,000 bots per hour
to determine which mail servers did actually ac- during the daytime. Thus, this number might
cept the incoming email and for which addresses very well be tripled.
it was rejected. During our monitoring phase
we received a total of 662,611,078 notifications, 4 Conclusion
of which 167,784,234 were OK. This gives us an
average of 25.32% for the delivery of mails to In this paper, we showed that it is possible to in-
the recipient’s mailserver. In this scope we did filtrate the Waledac botnet by distributing spe-
not try to determine how many emails actually cially crafted peerlists to other Repeaters. As

                                                    7
a result, we were able to also collect data from      European Symposium On Research In Com-
Spammers connecting to our fake system. That          puter Security (ESORICS), 2005.
way we were able to capture few of the first pack-
                                                  [8] Julian B. Grizzard, Vikram Sharma, Chris
ets send by freshly infected systems. The anal-
                                                      Nunnery, Brent ByungHoon Kang, and
ysis of these packets revealed that most of the       David Dagon.        Peer-to-Peer Botnets:
compromised hosts are running Windows XP as           Overview and Case Study. In Hot Topics
an operating system.                                  in Understanding Botnets (HotBots), 2007.
  We showed that current estimations about
the size of the Waledac botnet are far too low. [9] Thorsten Holz, Christian Gorecki, Konrad
At peaks we measured more than 160,000 bots,          Rieck, and Felix Freiling. Measuring and
whereas ESET [2] for example counted just             Detecting Fast-Flux Service Networks. In
20,000 bots. With this in mind, we can esti-          15th Network & Distributed System Security
                                                      Symposium (NDSS), 2008.
mate that the number of spam emails emitted
by Waledac is very high, rendering Waledac one [10] Thorsten Holz, Moritz Steiner, Frederic
of the most efficient spam botnets currently in         Dahl, Ernst Biersack, and Felix Freiling.
the wild. The rapid changes to the malware with       Measurements and Mitigation of Peer-to-
new versions showing up almost every two weeks        Peer-based Botnets: A Case Study on
shows that Waledac is still actively developed.       Storm Worm.       In First Workshop on
                                                      Large-Scale Exploits and Emergent Threats
                                                      (LEET), 2008.
References
                                                [11] Chris Kanich, Kirill Levchenko, Brandon
 [1] Jonell Baltazar, Joey Costoya, and Ryan         Enright, Geoffrey M. Voelker, and Stefan
     Flores. Trend Micro: Infiltrating Waledac        Savage. The Heisenbot Uncertainty Prob-
     Botnet’s Covert Operations, July 2009.          lem: Challenges in Separating Bots from
                                                     Chaff. In First Workshop on Large-Scale
 [2] Sebasti´n Bortnik.
             a                How much spam
                                                     Exploits and Emergent Threats (LEET),
     does waledac send?, 2009.            Blog:
                                                     2008.
     http://www.eset.com/.
                                                [12] Felix Leder. Speaking waledac, 2009. Blog:
 [3] Lasse Trolle Borup. Peer-to-peer botnets:
                                                     http://www.honeynet.org/node/348.
     A case study on waledac. Master’s thesis,
     Technical University of Denmark, 2009.     [13] Maxmind. Geolocation and Online Fraud
 [4] Evan Cooke, Farnam Jahanian, and Danny          Prevention. http://www.maxmind.com/.
     McPherson. The Zombie Roundup: Under- [14] Moheeb Abu Rajab, Jay Zarfoss, Fabian
     standing, Detecting, and Disrupting Bot-        Monrose, and Andreas Terzis. A Mul-
     nets. In Steps to Reducing Unwanted Traffic       tifaceted Approach to Understanding the
     on the Internet (SRUTI), 2005.                  Botnet Phenomenon. In 6th Internet Mea-
 [5] David Dagon, Cliff Zou, and Wenke Lee.            surement Conference (IMC), 2006.
     Modeling Botnet Propagation Using Time [15] Greg Sinclair. Waledac’s communcation
     Zones. In 13th Network and Distributed Sys-      protocol, 2009. Blog: http://bit.ly/
     tem Security Symposium (NDSS), 2006.             MWOA2.
 [6] John R. Douceur. The Sybil Attack. In
                                                 [16] Gilou Tenebro. W32.Waledac Threat Anal-
     First International Workshop on Peer-to-
                                                      ysis. Technical report, Symantec, 2009.
     Peer Systems (IPTPS), 2002.
 [7] Felix Freiling, Thorsten Holz, and Georg
     Wicherski. Botnet Tracking: Exploring a
     Root-Cause Methodology to Prevent Dis-
     tributed Denial-of-Service Attacks. In 10th

                                                   8

Mais conteúdo relacionado

Destaque

Teknoaula 4 - Conceptos generales sobre internet y redes sociales
Teknoaula 4 - Conceptos generales sobre internet y redes socialesTeknoaula 4 - Conceptos generales sobre internet y redes sociales
Teknoaula 4 - Conceptos generales sobre internet y redes socialesDiagonal M&P
 
TweenJS for Everything
TweenJS for EverythingTweenJS for Everything
TweenJS for Everythingyomotsu
 
HTML5 exam : checking answers
HTML5 exam : checking answersHTML5 exam : checking answers
HTML5 exam : checking answersyomotsu
 
Taller formativo - base de datos de visitantes
Taller formativo - base de datos de visitantesTaller formativo - base de datos de visitantes
Taller formativo - base de datos de visitantesDiagonal M&P
 
Teknoaula 5 - novedades 2015
Teknoaula 5 - novedades 2015Teknoaula 5 - novedades 2015
Teknoaula 5 - novedades 2015Diagonal M&P
 
Taller Formativo - diseño de mapas para google maps
Taller Formativo - diseño de mapas para google mapsTaller Formativo - diseño de mapas para google maps
Taller Formativo - diseño de mapas para google mapsDiagonal M&P
 
Dive Into SVG
Dive Into SVGDive Into SVG
Dive Into SVGyomotsu
 
新しい IE と JavaScriptで動く 最近のWebアプリケーション
新しい IE と JavaScriptで動く 最近のWebアプリケーション新しい IE と JavaScriptで動く 最近のWebアプリケーション
新しい IE と JavaScriptで動く 最近のWebアプリケーションyomotsu
 
なぜなに?ユーザエクスペリエンスマップ(概要編)
なぜなに?ユーザエクスペリエンスマップ(概要編)なぜなに?ユーザエクスペリエンスマップ(概要編)
なぜなに?ユーザエクスペリエンスマップ(概要編)Naoki Hashimoto
 
WebGL and Three.js
WebGL and Three.jsWebGL and Three.js
WebGL and Three.jsyomotsu
 

Destaque (17)

Teknoaula 4 - Conceptos generales sobre internet y redes sociales
Teknoaula 4 - Conceptos generales sobre internet y redes socialesTeknoaula 4 - Conceptos generales sobre internet y redes sociales
Teknoaula 4 - Conceptos generales sobre internet y redes sociales
 
sistemes econòmics
sistemes econòmicssistemes econòmics
sistemes econòmics
 
This week in mcfp 27 aug 2010
This week in mcfp 27 aug 2010This week in mcfp 27 aug 2010
This week in mcfp 27 aug 2010
 
TweenJS for Everything
TweenJS for EverythingTweenJS for Everything
TweenJS for Everything
 
Our navy 1949
Our navy 1949Our navy 1949
Our navy 1949
 
This week in mcfp june 11 2010
This week in mcfp june 11 2010This week in mcfp june 11 2010
This week in mcfp june 11 2010
 
Don guidance for_unofficial_posts_-_explained
Don guidance for_unofficial_posts_-_explainedDon guidance for_unofficial_posts_-_explained
Don guidance for_unofficial_posts_-_explained
 
HTML5 exam : checking answers
HTML5 exam : checking answersHTML5 exam : checking answers
HTML5 exam : checking answers
 
Force weekly 11 march 2011
Force weekly 11 march 2011Force weekly 11 march 2011
Force weekly 11 march 2011
 
Taller formativo - base de datos de visitantes
Taller formativo - base de datos de visitantesTaller formativo - base de datos de visitantes
Taller formativo - base de datos de visitantes
 
Teknoaula 5 - novedades 2015
Teknoaula 5 - novedades 2015Teknoaula 5 - novedades 2015
Teknoaula 5 - novedades 2015
 
Pts step by step guide
Pts step by step guidePts step by step guide
Pts step by step guide
 
Taller Formativo - diseño de mapas para google maps
Taller Formativo - diseño de mapas para google mapsTaller Formativo - diseño de mapas para google maps
Taller Formativo - diseño de mapas para google maps
 
Dive Into SVG
Dive Into SVGDive Into SVG
Dive Into SVG
 
新しい IE と JavaScriptで動く 最近のWebアプリケーション
新しい IE と JavaScriptで動く 最近のWebアプリケーション新しい IE と JavaScriptで動く 最近のWebアプリケーション
新しい IE と JavaScriptで動く 最近のWebアプリケーション
 
なぜなに?ユーザエクスペリエンスマップ(概要編)
なぜなに?ユーザエクスペリエンスマップ(概要編)なぜなに?ユーザエクスペリエンスマップ(概要編)
なぜなに?ユーザエクスペリエンスマップ(概要編)
 
WebGL and Three.js
WebGL and Three.jsWebGL and Three.js
WebGL and Three.js
 

Semelhante a Walowdac Botnet Whitepaper

Network Insights into Vawtrak v2
Network Insights into Vawtrak v2Network Insights into Vawtrak v2
Network Insights into Vawtrak v2Blueliv
 
network-insights-into-vawtrak-v2
network-insights-into-vawtrak-v2network-insights-into-vawtrak-v2
network-insights-into-vawtrak-v2Manel Marco
 
Lab3code.c#include stdio.h#include stdlib.h#include.docx
Lab3code.c#include stdio.h#include stdlib.h#include.docxLab3code.c#include stdio.h#include stdlib.h#include.docx
Lab3code.c#include stdio.h#include stdlib.h#include.docxsmile790243
 
lab3cdga.ziplab3code.c#include stdio.h#include std.docx
lab3cdga.ziplab3code.c#include stdio.h#include std.docxlab3cdga.ziplab3code.c#include stdio.h#include std.docx
lab3cdga.ziplab3code.c#include stdio.h#include std.docxsmile790243
 
A Survey of Botnet Detection Techniques
A Survey of Botnet Detection TechniquesA Survey of Botnet Detection Techniques
A Survey of Botnet Detection Techniquesijsrd.com
 
Broadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorBroadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorUltraUploader
 
All you know about Botnet
All you know about BotnetAll you know about Botnet
All you know about BotnetNaveen Titare
 
A Dynamic Botnet Detection Model based on Behavior Analysis
A Dynamic Botnet Detection Model based on Behavior AnalysisA Dynamic Botnet Detection Model based on Behavior Analysis
A Dynamic Botnet Detection Model based on Behavior Analysisidescitation
 
A short visit to the bot zoo
A short visit to the bot zooA short visit to the bot zoo
A short visit to the bot zooUltraUploader
 
Tracing Back The Botmaster
Tracing Back The BotmasterTracing Back The Botmaster
Tracing Back The BotmasterIJERA Editor
 
Botnets And Alife
Botnets And AlifeBotnets And Alife
Botnets And AlifeZotronix
 
Detection of Botnets using Honeypots and P2P Botnets
Detection of Botnets using Honeypots and P2P BotnetsDetection of Botnets using Honeypots and P2P Botnets
Detection of Botnets using Honeypots and P2P BotnetsCSCJournals
 
Guarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social NetworkGuarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social NetworkEditor IJCATR
 
Botnet detection by Imitation method
Botnet detection  by Imitation methodBotnet detection  by Imitation method
Botnet detection by Imitation methodAcad
 
Botminer Clustering Analysis Of Network Traffic For Protocol And Structure...
Botminer   Clustering Analysis Of Network Traffic For Protocol  And Structure...Botminer   Clustering Analysis Of Network Traffic For Protocol  And Structure...
Botminer Clustering Analysis Of Network Traffic For Protocol And Structure...ncct
 
A taxonomy of botnet detection approaches
A taxonomy of botnet detection approachesA taxonomy of botnet detection approaches
A taxonomy of botnet detection approachesFabrizio Farinacci
 
Computer Crime Report
Computer Crime ReportComputer Crime Report
Computer Crime ReportCarolina Fox
 

Semelhante a Walowdac Botnet Whitepaper (20)

Network Insights into Vawtrak v2
Network Insights into Vawtrak v2Network Insights into Vawtrak v2
Network Insights into Vawtrak v2
 
network-insights-into-vawtrak-v2
network-insights-into-vawtrak-v2network-insights-into-vawtrak-v2
network-insights-into-vawtrak-v2
 
Lab3code.c#include stdio.h#include stdlib.h#include.docx
Lab3code.c#include stdio.h#include stdlib.h#include.docxLab3code.c#include stdio.h#include stdlib.h#include.docx
Lab3code.c#include stdio.h#include stdlib.h#include.docx
 
lab3cdga.ziplab3code.c#include stdio.h#include std.docx
lab3cdga.ziplab3code.c#include stdio.h#include std.docxlab3cdga.ziplab3code.c#include stdio.h#include std.docx
lab3cdga.ziplab3code.c#include stdio.h#include std.docx
 
A Survey of Botnet Detection Techniques
A Survey of Botnet Detection TechniquesA Survey of Botnet Detection Techniques
A Survey of Botnet Detection Techniques
 
Broadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorBroadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitor
 
Paper(edited)
Paper(edited)Paper(edited)
Paper(edited)
 
All you know about Botnet
All you know about BotnetAll you know about Botnet
All you know about Botnet
 
A Dynamic Botnet Detection Model based on Behavior Analysis
A Dynamic Botnet Detection Model based on Behavior AnalysisA Dynamic Botnet Detection Model based on Behavior Analysis
A Dynamic Botnet Detection Model based on Behavior Analysis
 
A short visit to the bot zoo
A short visit to the bot zooA short visit to the bot zoo
A short visit to the bot zoo
 
Tracing Back The Botmaster
Tracing Back The BotmasterTracing Back The Botmaster
Tracing Back The Botmaster
 
Botnets And Alife
Botnets And AlifeBotnets And Alife
Botnets And Alife
 
about botnets
about botnetsabout botnets
about botnets
 
Detection of Botnets using Honeypots and P2P Botnets
Detection of Botnets using Honeypots and P2P BotnetsDetection of Botnets using Honeypots and P2P Botnets
Detection of Botnets using Honeypots and P2P Botnets
 
Guarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social NetworkGuarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social Network
 
Botnet detection by Imitation method
Botnet detection  by Imitation methodBotnet detection  by Imitation method
Botnet detection by Imitation method
 
Botnets
BotnetsBotnets
Botnets
 
Botminer Clustering Analysis Of Network Traffic For Protocol And Structure...
Botminer   Clustering Analysis Of Network Traffic For Protocol  And Structure...Botminer   Clustering Analysis Of Network Traffic For Protocol  And Structure...
Botminer Clustering Analysis Of Network Traffic For Protocol And Structure...
 
A taxonomy of botnet detection approaches
A taxonomy of botnet detection approachesA taxonomy of botnet detection approaches
A taxonomy of botnet detection approaches
 
Computer Crime Report
Computer Crime ReportComputer Crime Report
Computer Crime Report
 

Último

PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServiceRenan Moreira de Oliveira
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 

Último (20)

PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 

Walowdac Botnet Whitepaper

  • 1. Walowdac – Analysis of a Peer-to-Peer Botnet∗ Ben Stock1 , Jan G¨bel1 , Markus Engelberth1 , Felix C. Freiling1 , and Thorsten Holz1,2 o 1 2 Laboratory for Dependable Distributed Systems Secure Systems Lab University of Mannheim Technical University Vienna Abstract Denial of Service (DDoS) attacks threaten every system connected to the Internet. Therefore, it A botnet is a network of compromised machines is crucial to explore ways of detecting and miti- under the control of an attacker. Botnets are gating current and new botnets. the driving force behind several misuses on the The first generation of botnets uses a central Internet, for example spam mails or automated Command & Control (C&C) server to dispatch identity theft. In this paper, we study the most commands. This type of botnet is rather well- prevalent peer-to-peer botnet in 2009: Waledac. understood [4, 7, 14] and the technique of botnet We present our infiltration of the Waledac bot- tracking [7] is now a standard method to miti- net, which can be seen as the successor of the gate this type of threat. The second generation Storm Worm botnet. To achieve this we im- of botnets tries to avoid a centralized infrastruc- plemented a clone of the Waledac bot named ture by using a peer-to-peer-based communica- Walowdac. It implements the communication tion mechanism [8]. The most prominent exam- features of Waledac but does not cause any ple for this class of botnets is the Storm Worm harm, i.e., no spam emails are sent and no other botnet that used a distributed hash table as com- commands are executed. With the help of this munication medium. This mechanism offered a tool we observed a minimum daily population rather centralized way to infiltrate and analyze of 55,000 Waledac bots and a total of roughly the botnet [10, 11]. 390,000 infected machines throughout the world. The Waledac botnet can be regarded as the Furthermore, we gathered internal information successor of Storm Worm. However, Waledac about the success rates of spam campaigns and uses a more decentralized store-and-forward newly introduced features like the theft of cre- communication paradigm and new communica- dentials from victim machines. tion protocols so we had to develop novel tech- niques to track this botnet. 1 Introduction Related Work. The communication proto- Botnets, i.e., networks of compromised under the col used by Waledac was already studied by control of an attacker, are nowadays one of the Leder [12] and Sinclair [15]. Symantec [16] and most severe threats in Internet security. With a Trend Micro [1] recently released reports about large number of participating bots, a tremendous the implemented features of Waledac, including number of spam emails can be send out to for the spam template system, as well as attempts example acquire new hosts, or to advertise a di- to measure the size of the botnet. A study by verse set of products. Additionally, Distributed ESET [2] estimated the size of the Waledac bot- ∗ net around 20,000 bots. Thorsten Holz was supported by the WOMBAT and FORWARD projects funded by the European Commis- Another study focussing on Waledac was per- sion, and the FIT-IT Trust in IT-Systems (Austria) un- formed by Borup [3]. The focus of this work is on der the project TRUDIE (P820854). the C&C protocol, the binary obfuscation tech- 1
  • 2. niques, as well as mitigation methods against the 2 Background botnet. The author describes a Sybil attack [6] that we also used to generate the statistical data In this section, we briefly describe the setup of that we present in this paper. the Waledac botnet and its propagation mecha- nism. More details of the botnet and the tech- nical aspects of its implementation are available Contributions. In this paper, we present the in different studies [1, 3, 12, 15, 16]. results of yet another analysis of Waledac. Our focus was to try and verify previous measure- 2.1 Waledac Botnet Structure ments as well as building and refining tools to study the botnet efficiently. In contrast to the The botnet consists of (at least) four different analysis of previous decentralized botnets, a sim- layers, that we describe in the following from ple crawling of active peers was no solution to bottom to top. Figure 1 shows how these lay- gather in-depth information like the size of the ers are connected and what kind of information botnet. Instead, we implemented a bot clone is exchanged between them. to infiltrate the network and capture all data passing through this system. Furthermore, to measure the size we actively interfered with the Mothership? botnet to inject the IP addresses of our analysis systems, a method not applied before. We collected data about the botnet for almost one month between August 6 and September 1, Commands 2009. Our measurement results reveal that the Backend- Fast-Flux Traffic actual size of the botnet is by far bigger than Server Repeaterlists expected, rendering Waledac one of the most ef- ficient spam botnets in the wild. We observed a minimum population of 55,000 bots every day, with almost 165,000 active bots on a typical day. In total, we counted more than 390,000 individ- Repeater Repeater ual bots indicating a similar number of infected machines during the measurement period. While investigating the botnet, we also wit- nessed several changes the bot master applied to the botnet to introduce new features like the Spammer Uninfected theft of credentials. We started our research with Host version 33 of Waledac and finished our obser- vation with version 46. Thus, the botnet is in Figure 1: Schematic overview of the Waledac active development with frequent updates and botnet hierarchy. changes to the core functionality. At the lowest level of the botnet hierarchy are Outline. This paper is organized as follows: the so called Spammers. These systems are used Section 2 gives a brief background on how the to carry out the spam campaigns. The prop- Waledac botnet is structured, the different roles erty that distinguishes Spammers from the other of a bot, and their tasks in the botnet. We bots in the network, is that they do not have present in Section 3 the different experiments we a publicly reachable IP address. That means performed while monitoring the botnet and the Spammers are for example located behind NAT results we achieved. Finally, we conclude this routers and therefore cannot be accessed from paper in Section 4. the Internet directly. The benefit of this prop- 2
  • 3. erty is that although Spammers generate the to ensure that no attacker can insert his own most attraction due to the massive sending of Backend-Servers into the botnet. spam emails, they cannot be easily tracked down. At the next level are the so called Repeaters. 2.2 Propagation Mechanisms These are the entry points for any new bot join- ing the network, as well as, the place to go for The Waledac bots themselves do not own any every running bot. For this reason only bots that built-in propagation mechanisms. That means, own a publicly reachable IP address can become infected hosts do not scan their local network a Repeater. A Repeater can be considered as for vulnerable systems. Instead, Waledac propa- a mediator between the first (lowest) and third gates with the help of social engineering. Hence, (backend) layer of the botnet. Spammers con- Spammers are frequently instructed to send out tact the Repeaters to acquire new tasks from emails with URLs pointing to current version of the bot master or report the success of previous Waledac. To increase the probability of infect- operations. These requests are relayed to the ing new hosts, the self propagation emails are next layer, the so called Backend-Servers. Ad- usually masked as greeting cards that host the ditionally, the Repeaters act as fast-flux agents malicious binary, similar to Storm Worm [10]. for the different Waledac fast-flux domains [9]. That means they also relay HTTP requests of Backend- uninfected hosts. Server The next level consists of the Backend-Servers that answer both the transmitted requests of 8.) Waledac Binary 7.) GET /binary.exe 3.) Send Spam the Spammers and the fast-flux queries of the 2.) Task? Repeaters. As the Backend-Servers are per- fectly synchronized and use a webserver software, called nginx, that is mainly used for proxy pur- poses, the assumption of a single server (mother- Repeater ship) on top of the botnet is obvious. However, 6.) GE Uninfected only the analysis of one of the Backend-Servers 9.) T/ bin ary Host Wa .ex le can prove this assumption right. 4.) Send Spam dac e Bin ary 1.) Task? Although in related works Waledac is referred to as a pure peer-to-peer botnet, it uses a cen- il? tralized structure in the upper layers and only -Ma S pam the lower ones (Spammers and Repeaters) make 5.) up the peer-to-peer part. For this reason, the Repeaters and the Spammers continuously ex- Spammer change lists of currently active Repeaters. This ensures that any bot at any time has at least one Figure 2: Schematic overview of the Waledac in- currently running Repeater in his list to join the fection cycle. botnet. As an additional backup, each bot bi- nary contains a hardcoded fail-over URL which Figure 2 visualizes the infection cycle of the itself is hosted within the fast-flux network of Waledac botnet. The number at each line Waledac. This URL points to another list of indicates the order in which actions are per- active Repeaters. Thus, if a bot is unable to formed. The infection cycle can be summarized contact ten Repeaters consecutively on its local as follows: a Spammer frequently queries one list, it downloads a new list from the fail-over of the active Repeaters for new tasks to per- URL. Additionally, Repeaters exchange lists of form. These queries are relayed to one of the the currently active Backend-Servers. This list is Backend-Servers, that in turn replies with the signed with the private key of the botnet herder, current task. In this case, the task is to send 3
  • 4. out spam messages for propagation. An unin- In order give a more precise lower bound of the fected host that receives one of the emails and Waledac botnet, we push several IP addresses of follows the embedded link issues a request for hosts running Walowdac into the botnet. This is the current Waledac binary to one of the fast- possible as Repeaters do not validate the list of flux agents currently assigned to this domain. Repeater IP addresses they receive. Thus, any- Again, one of the Backend-Servers transmits the time our script connects to a Repeater, it sends a requested content across the agent back to the list of its own IP addresses to the Repeater. As a requesting host. Depending on the reachability result, the IP addresses of our Walowdac systems of the freshly infected host, it will either show are propagated throughout the complete botnet up as a new Repeater or Spammer. and Spammer systems start to connect to us. Figure 3 depicts the single steps performed to distribute the IP addresses of our fake Repeater. 3 Measurements That way, we are able to measure not only the For our measurements we ran multiple instances number of Repeaters, but also a large fraction of Walowdac on computers at Mannheim univer- of Spammers. Among the information we store sity. Considering the single location, all our re- while running our Waledac imitation are times- sults for the size should be seen as lower bounds. tamps, IP addresses and identification numbers of connecting hosts, Windows and Waledac ver- sions, as well as Spam campaign data distributed 3.1 Methodology: Walowdac through the botnet. With the newer versions of Our main objective while investigating Waledac Waledac we also captured stolen credentials of was to find out more about the actual size of POP3, FTP, and HTTP accounts. During our the botnet. As the Spammers are not reachable, monitoring period of one month, we collected just crawling the Repeaters does not provide an login data for 128,271 FTP, 93,950 HTTP, and accurate size of the botnet. To circumvent this 39,051 POP3 accounts. We have not yet further problem and to provide a much more accurate investigated the stolen credentials, as this is out number of bots, we implemented a script to imi- of the scope of this paper. tate a valid Waledac Repeater. The software im- All bots within the Waledac botnet can be plements all communication parts of a Repeater, identified by a node ID. This node ID is gen- but answers the requests directly instead of for- erated directly after an infection and does not warding them. We refer to this script as Walow- change throughout the lifetime of a bot. Bots dac, as it is a low-interaction Waledac clone. embed this node ID in every message they ex- change [16] so it is a good candidate to define a 1.) fake peerlist uniqueness criterion. Walowdac Repeater 3.2 Results The results described in this section were gath- 3. )f ak ered between August 6th and September 1st, e pe er 2009. For the allocation of IP addresses to lis ac o 2. t wd ct t )n countries we used the free version of the GeoIP alo e ew W onn pe database maintained by MaxMind [13]. c er 4.) lis t? Botnet Size. During the data collection pe- Spammer riod, we measured 248,983 different node IDs. The maximum number of node IDs on a sin- Figure 3: Injecting fake Repeater IP addresses gle day was 102,748 on August 24th. Although into the botnet. the node IDs are randomly generated and should 4
  • 5. Figure 4: Distribution of running bots according to their location and time on August 24th. be unique across the botnet, we also monitored several hosts originating in different autonomous 160000 240000 320000 400000 systems (AS), using the same node ID. The rea- son might be collisions in the node ID generation Bots' IP addresses (accumulated) algorithm used by Waledac. With this fact in mind we recalculated the number of bots on Au- gust 24th using the node ID and AS as unique- ness criteria, resulting in a total of 164,182 bots. The size of the Waledac botnet we obtained is 188.0.0.0 223.0.0.0 80000 much higher than previous estimations published 58.0.0.0 100.0.0.0 by Trend Micro [1] or ESET [2]. 0 Figure 4 shows the hourly number of bots run- 0.0.0.0 50.0.0.0 100.0.0.0 150.0.0.0 200.0.0.0 250.0.0.0 ning on August 24th worldwide. For comparison IP address space the figure also shows the number of bots located in Central Europe and North America, at the particular hours. The picture also shows the fluc- Figure 5: Cumulative distribution of IP ad- tuation (diurnal pattern) of running bots due to dresses infected with Waledac. the different time zones they are located in [5]. Throughout our measurement period, we moni- tored at least 55,000 node IDs, i.e. active bots, every day. prise, as most of these IP addresses are managed by the Regional Internet Registries ARIN and A cumulative distribution of the bots’ IP ad- RIPE NCC, which are responsible for the regions dresses is shown in Figure 5. We counted all North America and Europe, respectively. bots monitored during the whole data collection period and again used the node ID and AS as This fact is also reflected in Table 6a: Most of uniqueness criteria. As a result, we counted the Spammers originated in the US or in Central a total of 403,685 bots. The distribution is Europe. The distribution of the Repeaters (see highly non-uniform: The majority of bots are lo- Table 6b) is very similar and differs only in the cated in the IP address ranges between 58.*–99.* order of the countries. The main difference is and 186.*–222.*. This does not come as a sur- that there are more Repeaters in India than in 5
  • 6. Table 6: Top countries in which Waledac bots are located. Country # Bots Percentage Country # Bots Percentage United States 67,805 17.34% United States 5,048 19.50% United Kingdom 30,347 7.76% India 1,456 5.63% France 27,542 7.04% France 1,386 5.36% Spain 23,065 5.90% United Kingdom 1,348 5.21% India 21,503 5.50% Spain 1,191 4.60% Other 220,807 56.46% other 15,452 59.70% (a) Spammers (b) Repeaters the United Kingdom and more Spammers in the Listing 1: First packet sent after negotiating the United Kingdom than in India. session key. <lm> Waledac Versions and Distribution Cam- <t>f i r s t </t> paigns. At the beginning of our measurement <v>34</v> phase most of the monitored bots were running <i >4b 5 d a 6 1 f 8 d 1 4 e 5 3 f e 9 2 5 2 6 6 9 4 2 7 7 6 9 5 e </i > <r >0</r> Waledac version 34. The bot’s version number <props> is sent in all its communication packets. <p n=” l a b e l ”> m i r a b e l l a s i t e </p> An example of a so called first packet is shown <p n=”winver ” >5.1.2600 </p> in Listing 1. These kind of packets are only sent </props> </lm> at the bot’s first start after negotiating the ses- sion key. The version number is included in the <v>-tag [1, 3, 12, 15, 16]. On July 20, 2009, the botnet was ordered to Next to the current version installed on a download and run version 36 of Waledac. How- Waledac bot, bots also send the name of the cam- ever, the command was issued just for a couple of paign which distributed the binary. For exam- hours, thus, systems not online during this time ple, this information is also included in the first were unable to update. As a result, even two packets (see Listing 1) – <p>-tag with attribute weeks after the update was issued (July 31st), n="label". At the beginning of July the biggest still more than 30 percent of the bots we mon- campaigns identified were birdie6 and swift, with itored were running the old version 34. That 12,5 percent of all infected machines. The cur- means, Waledac bots lack a decent update mech- rent campaigns distributing version 46 are called anism, since although bots propagate their run- spyware. ning version, they are not updated once the com- mand is no longer issued. On July 25th, we monitored the first version 39 bots connecting to OS Version of Infected Machines. Al- our fake Repeater script. The latest version we though Waledac bots do not continuously send monitored was 46, which indicates, that the bot- their operating system version with every packet, net is still actively developed. With version 36, but only the first, we managed to capture few of the collection of user credentials was introduced. these first packets. However, only about 10 per- Table 1 summarizes the distribution of Waledac cent of all monitored bots established this initial versions monitored on two different days. At the connection to Walowdac. Thus, the results of end of July, most bots are still running version 34 this measurement provide a coarse overview of and 36. With the beginning of September this the distribution of the operating systems run- shifted to almost 60% of the bots running the ning on infected machines. Table 2 summarizes newest version 46. the operating system codes found in initial pack- 6
  • 7. Table 1: Distribution of Waledac version across all monitored bots at the end of July and beginning of September. Versionscode 31.7.2009 (65,924 Bots) 9.9.2009 (74,280 Bots) < 33 114 (0.17%) 86 (0.12%) 33 440 (0.67%) 270 (0.36%) 34 20,718 (31.43%) 9,344 (12.58%) 35 51 (0.08%) 36 (0.05%) 36 35,572 (53.96%) 10,547 (14.20%) 37 2,658 (4.03%) 362 (0.49%) 39 5,681 (8.62%) 1,650 (2.22%) 40 689 (1.05%) 69 (0.09%) 41-45 0 (0.00%) 8,174 (11.00%) 46 0 (0.00%) 43,742 (58.89%) Table 2: Distribution of Windows version codes (June 28th till July 18th.) code belongs to number percent of bots 5.1.2600 XP (32 Bit) 10,899 90.2% 6.0.6001 Vista (SP1), Server 2008 678 5.6% 6.0.6000 Vista 353 2.9% 6.0.6002 Vista SP2, Server 2008 (SP2) 78 0.6% 5.2.3790 XP (64 Bit), Server 2003 39 0.3% 5.0.2195 2000 27 0.2% ets. Windows XP still makes up most of all mon- end up in a user’s inbox. A recent experiment itored bots, to no surprise. by ESET [2] revealed that on average a Spam- mer using a normal dial-up account sends about 6,500 emails per hour, resulting in about 150,000 Spam Campaigns. Throughout the analysis spam mails per day. time we monitored different pharmacy and email Taking into account that we monitored at least harvesting campaigns. The harvesting emails 10,000 bots online at any time of day, gives advertised cheap watches with the invitation to Waledac a spam capacity of contact certain emails if interested. Additionally, several Waledac propagation campaigns were ob- 6, 500 ∗ 24 ∗ 10, 000 ∗ 0.2532 = 394, 992, 000 served. For this purpose, the botnet herder used special events, like Valentines or Independence delivered mails per day. This number is only a Day, to send out masses of spam messages con- rough estimation and corresponds to the emails taining links to Waledac binaries. The same be- actually accepted by the receiving mailservers – havior was already observed with Storm. theoretically Waledac is able to send more than After each spam run a Spammer reports the 1.5 billion spam mails per day. However, this also status of the transaction for each email. The sta- is only valid for 10,000 bots each hour with our tus can either be ERR or OK. Thus, it is possible monitoring showing up to 30,000 bots per hour to determine which mail servers did actually ac- during the daytime. Thus, this number might cept the incoming email and for which addresses very well be tripled. it was rejected. During our monitoring phase we received a total of 662,611,078 notifications, 4 Conclusion of which 167,784,234 were OK. This gives us an average of 25.32% for the delivery of mails to In this paper, we showed that it is possible to in- the recipient’s mailserver. In this scope we did filtrate the Waledac botnet by distributing spe- not try to determine how many emails actually cially crafted peerlists to other Repeaters. As 7
  • 8. a result, we were able to also collect data from European Symposium On Research In Com- Spammers connecting to our fake system. That puter Security (ESORICS), 2005. way we were able to capture few of the first pack- [8] Julian B. Grizzard, Vikram Sharma, Chris ets send by freshly infected systems. The anal- Nunnery, Brent ByungHoon Kang, and ysis of these packets revealed that most of the David Dagon. Peer-to-Peer Botnets: compromised hosts are running Windows XP as Overview and Case Study. In Hot Topics an operating system. in Understanding Botnets (HotBots), 2007. We showed that current estimations about the size of the Waledac botnet are far too low. [9] Thorsten Holz, Christian Gorecki, Konrad At peaks we measured more than 160,000 bots, Rieck, and Felix Freiling. Measuring and whereas ESET [2] for example counted just Detecting Fast-Flux Service Networks. In 20,000 bots. With this in mind, we can esti- 15th Network & Distributed System Security Symposium (NDSS), 2008. mate that the number of spam emails emitted by Waledac is very high, rendering Waledac one [10] Thorsten Holz, Moritz Steiner, Frederic of the most efficient spam botnets currently in Dahl, Ernst Biersack, and Felix Freiling. the wild. The rapid changes to the malware with Measurements and Mitigation of Peer-to- new versions showing up almost every two weeks Peer-based Botnets: A Case Study on shows that Waledac is still actively developed. Storm Worm. In First Workshop on Large-Scale Exploits and Emergent Threats (LEET), 2008. References [11] Chris Kanich, Kirill Levchenko, Brandon [1] Jonell Baltazar, Joey Costoya, and Ryan Enright, Geoffrey M. Voelker, and Stefan Flores. Trend Micro: Infiltrating Waledac Savage. The Heisenbot Uncertainty Prob- Botnet’s Covert Operations, July 2009. lem: Challenges in Separating Bots from Chaff. In First Workshop on Large-Scale [2] Sebasti´n Bortnik. a How much spam Exploits and Emergent Threats (LEET), does waledac send?, 2009. Blog: 2008. http://www.eset.com/. [12] Felix Leder. Speaking waledac, 2009. Blog: [3] Lasse Trolle Borup. Peer-to-peer botnets: http://www.honeynet.org/node/348. A case study on waledac. Master’s thesis, Technical University of Denmark, 2009. [13] Maxmind. Geolocation and Online Fraud [4] Evan Cooke, Farnam Jahanian, and Danny Prevention. http://www.maxmind.com/. McPherson. The Zombie Roundup: Under- [14] Moheeb Abu Rajab, Jay Zarfoss, Fabian standing, Detecting, and Disrupting Bot- Monrose, and Andreas Terzis. A Mul- nets. In Steps to Reducing Unwanted Traffic tifaceted Approach to Understanding the on the Internet (SRUTI), 2005. Botnet Phenomenon. In 6th Internet Mea- [5] David Dagon, Cliff Zou, and Wenke Lee. surement Conference (IMC), 2006. Modeling Botnet Propagation Using Time [15] Greg Sinclair. Waledac’s communcation Zones. In 13th Network and Distributed Sys- protocol, 2009. Blog: http://bit.ly/ tem Security Symposium (NDSS), 2006. MWOA2. [6] John R. Douceur. The Sybil Attack. In [16] Gilou Tenebro. W32.Waledac Threat Anal- First International Workshop on Peer-to- ysis. Technical report, Symantec, 2009. Peer Systems (IPTPS), 2002. [7] Felix Freiling, Thorsten Holz, and Georg Wicherski. Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Dis- tributed Denial-of-Service Attacks. In 10th 8