Exploring a P2P Transient Botnet - From Discovery to Enumeration

  • Renato Marinho Morphus Labs
  • Raimir Holanda University of Fortaleza
DOI: https://doi.org/10.18464/cybin.v3i1.16
Keywords: botnet, transient, IoT, DDoS

Abstract

From DDoS attacks to malicious code propagation, Botnets continue to represent a strength threat to entities and users connected to the Internet and, due to this, continue to be an important research area. The power of those numerous networks proved us its power when they interrupted great part of the Internet causing impacts to companies like Twitter and Netflix when Mirai P2P Botnet targeted Dyn company’s DNS services back in 2016. In this paper, we present the study that allowed us to find out a “Mirai-like” botnet called Rakos - from our high interactivity honeypot recruitment to the detailed analysis and exploitation of this botnet C&C protocol using crawling and node-injection methods to enumerate and estimate its size. Our contribution includes also a comparison between two P2P botnet exploration methods used in our research and in which situations they may be better suitable in further analysis. Additionally, we propose the term “transient” to designate botnets formed by malware that does not use persistence on the compromised system as this tends to be usual amongst modern threats to IoT (Internet of Things) devices.

References

P. KÁLNAI, 20 Dec 2016. [Online]. Available: http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/
D. Bekerman, 29 March 2017. [Online]. Available: https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html
C. Rossow, “Sok: P2pwned-modeling and evaluating the resilience of peer-to-peer botnets.,” em Security and Privacy (SP) IEEE Symposium, 2013.
J. Kang e J. Y. Zhang, “Application Entropy Theory to Detect New Peer-to-Peer Botnets with Multi-chart CUSUM,” em 2nd International Symposium on Electronic.
S. Karuppayah, “On advanced monitoring in resilient and unstructured P2P botnets.,” em Communications (ICC), IEEE International Conference on. IEEE, 2014.
Elasticsearch, “Elastic,” Elasticsearch, [Online]. Available: https://www.elastic.co/. [Acesso em 17 April 2017].
Gephi, “Gephi,” [Online]. Available: https://gephi.org/
Maxmind, Maxmind, [Online]. Available: http://dev.maxmind.com/geoip/geoip2/geolite2/
OpenELEC, “OpenELEC,” [Online]. Available: http://wiki.openelec.tv/index.php?title=
OpenELEC_FAQ#SSH_Password_change
The Internet Society (2000), “Best Current Practice 38,” [Online]. Available: https://tools.ietf.org/html/bcp38
Botconf 2017 proceedings cover
Published
2017-12-31
Issue
Vol 3 No 1 (2017): Botconf 2017
Section
Conference proceedings

Copyright (c) 2017 Renato Marinho

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.

Authors who publish with this journal agree to the following terms:

  • Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
  • Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.