
Take a Deep Breath: A Stealthy, Resilient and Cost-Effective Botnet Using Skype

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2010)

Abstract

Skype is one of the most widely used P2P applications on the Internet: VoIP calls, instant messaging, SMS and other features are provided at low cost to millions of users. Although Skype is a closed-source application, an API allows developers to build custom plugins that interact over the Skype network, taking advantage of its reliability and its ability to easily bypass firewalls and NAT devices. Since the protocol is completely undocumented, Skype traffic is particularly hard to analyze and to reverse engineer. We propose a novel botnet model that exploits an overlay network such as Skype to build a parasitic overlay, making it extremely difficult to track the botmaster and to disrupt the botnet without harming legitimate Skype users. While Skype is particularly well suited to this purpose due to its abundance of features and its widespread installed base, our model is generically applicable to distributed applications that employ overlay networks to send direct messages between nodes (e.g., peer-to-peer software with messaging capabilities). We are convinced that similar botnet models are likely to appear in the wild in the near future and that the threats they pose should not be underestimated. Our contribution strives to provide the tools to correctly evaluate and understand the possible evolution and deployment of this phenomenon.




Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Nappa, A., Fattori, A., Balduzzi, M., Dell’Amico, M., Cavallaro, L. (2010). Take a Deep Breath: A Stealthy, Resilient and Cost-Effective Botnet Using Skype. In: Kreibich, C., Jahnke, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2010. Lecture Notes in Computer Science, vol 6201. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14215-4_5


  • DOI: https://doi.org/10.1007/978-3-642-14215-4_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-14214-7

  • Online ISBN: 978-3-642-14215-4

  • eBook Packages: Computer Science (R0)
