Walowdac – Analysis of a Peer-to-Peer Botnet

One of the most interesting botnets of 2009 was Waledac: it implements a peer-to-peer-based communication channel and can be seen as the successor of Storm Worm, since it reuses many of the same ideas (e.g., a very similar language for spam templates). Researchers from Trend Micro published an analysis of the botnet, and we examined it as well. The result is a paper entitled "Walowdac - Analysis of a Peer-to-Peer Botnet": instead of passively observing the network, we implemented an active infiltration component that emulates the protocol of a bot, which lets us observe the internal communication of the network. As a result, we obtain an in-depth view of the botnet that enables us to study different aspects of the network, e.g., the efficiency of the spam campaigns or the number of active bots. As a small peek at the results, the following figure shows the number of active bots in different countries on a specific day in August 2009. We can, for example, observe diurnal patterns and clearly see the effect of time zones on the size of the botnet:


Abstract:
A botnet is a network of compromised machines under the control of an attacker. Botnets are the driving force behind several misuses on the Internet, for example spam mails or automated identity theft. In this paper, we study the most prevalent peer-to-peer botnet in 2009: Waledac. We present our infiltration of the Waledac botnet, which can be seen as the successor of the Storm Worm botnet. To achieve this, we implemented a clone of the Waledac bot named Walowdac. It implements the communication features of Waledac but does not cause any harm, i.e., no spam emails are sent and no other commands are executed. With the help of this tool we observed a minimum daily population of 55,000 Waledac bots and a total of roughly 390,000 infected machines throughout the world. Furthermore, we gathered internal information about the success rates of spam campaigns and newly introduced features like the theft of credentials from victim machines.

The paper was joint work with Ben Stock, Jan Göbel, Markus Engelberth, and Felix C. Freiling. The full paper is available at http://honeyblog.org/junkyard/paper/waledac-ec2nd09.pdf and it was published at EC2ND 2009.
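The kind of aggregation behind the population figures and the per-country diurnal plot described above, as an added illustration that is not the paper's or Walowdac's own code: the sightings, bot identifiers and UTC offsets below are constructed for the example, and the analysis assumes that each bot carries a stable identifier so that counting is done per bot rather than per IP address.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sightings from a (hypothetical) crawler log: (bot_id, UTC timestamp, country).
# A bot is counted by its identifier, since the same machine may show up under several IPs.
SIGHTINGS = [
    ("b1", "2009-08-10T06:00:00", "DE"),
    ("b2", "2009-08-10T07:30:00", "DE"),
    ("b3", "2009-08-10T14:00:00", "US"),
    ("b1", "2009-08-11T06:10:00", "DE"),
    ("b4", "2009-08-11T15:00:00", "US"),
    ("b3", "2009-08-11T16:00:00", "US"),
    ("b5", "2009-08-11T20:00:00", "US"),
]

# Assumed summer-time offsets from UTC, in hours, used to shift activity into local time.
UTC_OFFSET_HOURS = {"DE": 2, "US": -4}


def parse_utc(ts):
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def daily_population(sightings):
    """Unique bots seen per UTC day (the basis for a 'minimum daily population')."""
    per_day = defaultdict(set)
    for bot_id, ts, _country in sightings:
        per_day[parse_utc(ts).date().isoformat()].add(bot_id)
    return {day: len(ids) for day, ids in sorted(per_day.items())}


def min_daily_population(sightings):
    return min(daily_population(sightings).values())


def total_infected(sightings):
    """Unique bots over the whole observation period (the 'total infected machines' figure)."""
    return len({bot_id for bot_id, _ts, _country in sightings})


def hourly_activity_local(sightings, offsets=UTC_OFFSET_HOURS):
    """Unique bots per (country, local hour); plotting this per country exposes diurnal patterns."""
    buckets = defaultdict(set)
    for bot_id, ts, country in sightings:
        local = parse_utc(ts) + timedelta(hours=offsets[country])
        buckets[(country, local.hour)].add(bot_id)
    return {key: len(ids) for key, ids in sorted(buckets.items())}
```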

Trackbacks

  1. PingBack

  2. Tramadol.

    Congratulations guys! Thanks a lot for taking down this botnet, greatly appreciated!

Comments


  1. SEO Chicago says:

    Security issues with our computer network keep our IT department very busy. We even had a few people access restricted files. I really hope that we can avoid online issues in the future.

  2. smart card says:

    We always are dealing with security issues on our computer network due to the business industry we are in. I guess botnets help keep IT people employed so that they have something to fix. I wish we could find a way to stop botnets altogether though. I'm tired of the risk of identity theft and other security threats.

  3. wenger says:

    Thanks for sharing such an informative post. I like reading this post. Thanks http://www.backpackunion.com wenger backpack

  4. used car sales says:

    Here is a good description of a botnet, which is a network of compromised machines under the control of an attacker. Thank you for this news.

  5. Patio furniture orange county says:

    Great article. You did a great job :)
