Most cyber attacks are carried out using botnets: collections of vulnerable machines infected with malware and controlled by a botmaster via a Command and Control (C2) server. Traditional botnets use a centralized architecture for communication between the botmaster and its bots; hence, if such a C2 server is taken down, the botmaster can no longer communicate with its bots. Recent P2P-based botnets, e.g., GameOver Zeus, Sality, and ZeroAccess, adopt a distributed architecture and establish a communication overlay between the participating bots. All existing (counter-)attacks against P2P botnets require details such as the botnet population size and the connectivity graph among the bots. As a consequence, monitoring such botnets is an important task for analysts. However, botmasters often attempt to impede the performance of monitoring mechanisms, as seen in the introduction of an automated blacklisting mechanism in GameOver Zeus and a local reputation mechanism in Sality. Some of the proposed and deployed anti-monitoring mechanisms are still in their infancy, but it is only a matter of time before more advanced countermeasures are introduced. This chapter provides an overview of the topic and the overall contribution, as well as an outlook for the entire book.