walowdac:analysis of a peer-to-peer botnet 林佳宜 ntou csie m98570015@ntou.edu.tw 11/19/2015 1

Post on 05-Jan-2016


Walowdac:Analysis of a Peer-to-Peer Botnet

林佳宜, NTOU CSIE, m98570015@ntou.edu.tw

04/20/23

1

Reference

• Stock, B., Goebel, J., Engelberth, M., Freiling, F., and Holz, T. Walowdac: Analysis of a Peer-to-Peer Botnet. In European Conference on Computer Network Defense (November 2009)

Outline

• Introduction
• Waledac Botnet Structure
• Analysis of Waledac
• Conclusions

Introduction

• Present our infiltration of the "Waledac" botnet
  ▫ Storm Worm botnet
  ▫ responsible for spam emails
• Clone of the Waledac bot named Walowdac
  ▫ implements the communication features
  ▫ does not cause any harm
• Collected data about the Waledac botnet
  ▫ one month (August 6 to September 1, 2009)

Waledac Botnet Structure

• Consists of four layers
  ▫ Spammers: carry out the spam campaigns; no publicly reachable IP address
  ▫ Repeaters: entry points for bots; own a publicly reachable IP address
  ▫ Backend servers: answer the Spammers and the fast-flux queries
  ▫ Uninfected hosts

Contributions

• Present the results of yet another analysis of Waledac
• In contrast to the analysis of previous decentralized botnets
• Find out more about the actual size of the botnet

Propagation Mechanisms

• Waledac does not own any built-in propagation mechanisms
  ▫ bots do not scan their local network
• Instead, Waledac propagates via
  ▫ social engineering
  ▫ Spammers send out emails
• Emails masked as greeting cards
  ▫ URLs to the malicious binary

Infiltration Methodology

• Implemented a script to imitate a valid Waledac Repeater
  ▫ implements all communication
  ▫ pushes several IP addresses of hosts running Walowdac
  ▫ Repeaters do not validate the list
• Walowdac sends a list of its own IP addresses to the Repeater
  ▫ Spammer systems start to connect to us

Botnet Size

• Results reveal that the actual size of the botnet is
  ▫ by far bigger than expected
  ▫ a minimum population of 55,000 bots every day
  ▫ almost 165,000 active bots on a typical day
• Several changes to the botnet version
  ▫ version numbers between 33 and 46

Botnet Size

• Identify Waledac bots by a node ID
• Exposed in different autonomous systems
  ▫ same node ID!?
• Between August 6 and September 1, 2009
  ▫ 248,983 different node IDs
  ▫ the maximum on a single day was 102,748 on August 24
• Recalculated using the node ID and AS
  ▫ 164,182 bots on August 24

Cumulative distribution of IP (1/2)

• IP uniqueness criteria
  ▫ node ID and AS
  ▫ 403,685 bots
• Majority of IPs located in
  ▫ 58.* ~ 99.*
  ▫ 186.* ~ 222.*

(figure: cumulative distribution of IP addresses; labels North America, Europe)
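The three counts on the previous slides (distinct node IDs, distinct node ID + AS pairs, distinct IP addresses) come from applying different uniqueness criteria to the same sightings. The script below is an added example, not code from the paper or the Walowdac tool: it applies all three criteria to a small constructed set of sightings, with a constructed /8-prefix-to-AS table standing in for a real BGP or whois lookup, so the gap between the criteria (IPs over-count because of address churn, node IDs alone under-count because the same ID shows up in several ASes) is visible on toy data.

```python
"""Estimating P2P botnet size from passive sightings under three
uniqueness criteria. Added example; sightings and AS table are constructed."""
from collections import defaultdict

# Constructed AS lookup: first IPv4 octet -> AS number. A real analysis
# would map each address through a routing table or RIR data instead.
ASN_BY_PREFIX = {"58": 64501, "99": 64502, "186": 64503, "222": 64504}

# Constructed sightings: (day, node_id, ip, bot_version) as a Repeater
# would observe them when bots announce themselves.
SIGHTINGS = [
    ("2009-08-24", "n1", "58.1.1.1", 46),
    ("2009-08-24", "n1", "58.1.1.2", 46),    # same bot after an address change
    ("2009-08-24", "n1", "186.9.9.9", 46),   # same node ID from another AS
    ("2009-08-24", "n2", "99.5.5.5", 34),
    ("2009-08-25", "n2", "99.5.5.6", 34),
    ("2009-08-25", "n3", "222.7.7.7", 46),
]


def asn_for(ip):
    """Resolve an IPv4 address to an AS number via the constructed table."""
    return ASN_BY_PREFIX.get(ip.split(".")[0])


def count_bots(sightings):
    """Population over the whole period under each uniqueness criterion."""
    ips = {ip for _, _, ip, _ in sightings}
    node_ids = {nid for _, nid, _, _ in sightings}
    node_as = {(nid, asn_for(ip)) for _, nid, ip, _ in sightings}
    return {"ip": len(ips), "node_id": len(node_ids), "node_id_as": len(node_as)}


def daily_counts(sightings):
    """Active bots per day, counted by the node ID + AS criterion."""
    per_day = defaultdict(set)
    for day, nid, ip, _ in sightings:
        per_day[day].add((nid, asn_for(ip)))
    return {day: len(bots) for day, bots in per_day.items()}


def peak_day(sightings):
    """Day with the largest active population and that population."""
    counts = daily_counts(sightings)
    day = max(counts, key=counts.get)
    return day, counts[day]


def version_share(sightings):
    """Fraction of distinct bots (node ID + AS) running each bot version."""
    by_version = defaultdict(set)
    for _, nid, ip, version in sightings:
        by_version[version].add((nid, asn_for(ip)))
    total = sum(len(bots) for bots in by_version.values())
    return {v: len(bots) / total for v, bots in by_version.items()}


if __name__ == "__main__":
    print("population by criterion:", count_bots(SIGHTINGS))
    print("active bots per day:", daily_counts(SIGHTINGS))
    print("peak day:", peak_day(SIGHTINGS))
    print("version share:", version_share(SIGHTINGS))
```

On the constructed data the IP criterion reports 6 bots, node ID + AS reports 4 and node ID alone reports 3, the same ordering the slides show for the real measurement (403,685 by IP versus 164,182 by node ID + AS versus 102,748 by node ID on the peak day).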


Cumulative distribution of IP (2/2)

• Most Spammers and Repeaters originated from
  ▫ the US or Central Europe

Waledac Versions (1/2)

• Bots send some information
  ▫ sent in the bot's first packet
  ▫ label: campaigns identified as birdie6 and swift, with 12.5 percent; version 46 bots are called "spyware"

Waledac Versions (2/2)

• Waledac bots lack a decent update mechanism
• At the end of July the version is 34~36
• At the beginning of September most bots run version 46

OS Versions

• Windows XP still makes up most of all monitored bots

Spam Campaigns

• A Spammer reports the status for each email
  ▫ ERR or OK
• Monitoring phase
  ▫ received a total of 662,611,078 notifications
  ▫ 167,784,234 were OK (25.32%)

Conclusions

• Show that it is possible to infiltrate Waledac
• Measurement results reveal that the actual size of the botnet is by far bigger than expected
• The volume of spam emails emitted by Waledac is very high
• Rapid changes to the malware, with new versions showing up almost every two weeks

Thanks for Your Attention

Q & A