A botnet is a network of machines that have been infected and are controlled by a malicious attacker. Botnets are among the most serious security threats on the internet today. Even though most botnets rely on a central command and control (C&C) server, peer-to-peer (P2P) botnets have recently emerged as a more dangerous form. P2P botnets are more resistant to defensive measures because, unlike conventional botnets, they have no central C&C server that can be shut down.
Centralized vs. P2P Botnets:
A botnet is a network of infected machines (bots) running malicious software that was silently installed through any of a number of techniques, including worms, trojan horses and viruses. These compromised machines, or zombie computers, are controlled remotely by the attacker, the “botmaster”. When a botnet contains a large number of machines it has a large aggregate bandwidth and considerable computing capacity. Botmasters exploit botnets to launch various forms of malicious activity, including email spamming, keylogging, password cracking and distributed denial of service (DDoS) attacks.
Centralized botnets are still widely used by cybercriminals. Among these, Internet Relay Chat (IRC)-based botnets have been by far the most common means of communication between bots and their botmasters. As shown in Figure (1), within a centralized botnet the bots connect to one or more servers to receive commands. This design is simple to build and very effective at distributing the botmaster’s commands, but it has a single point of failure: the command and control (C&C) server. If the IRC server is shut down, every bot loses contact with its botmaster. Additionally, defenders can monitor such a botnet by joining its IRC channel with a decoy bot, which lets them observe the commands the botmaster issues.
Figure (1): Centralized Botnets
More recently, peer-to-peer (P2P) botnets, e.g. Stormnet and the Trojan.Peacomm botnet, have appeared as attackers recognised the limitations of conventional centralized botnets. Like general-purpose P2P networks, which are built to tolerate high churn (peers joining and leaving at a high rate), a P2P botnet keeps operating even if a number of its bots drop out. Across a P2P botnet, as shown in Figure (2), there is no central server; bots are linked to one another in an overlay topology and each acts as both a client and a C&C server, relaying commands to its neighbours. P2P botnets have proven far more resilient than conventional centralized botnets, and they are considerably harder for security professionals to counteract.
Figure (2): Peer-to-peer (P2P) Botnet
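To make the resilience argument above concrete, the following is an added simulation (not code from the original article) that builds a star-shaped centralized botnet and a random P2P overlay, then measures what fraction of the surviving bots a command still reaches after a takedown. The node count, per-bot link count and churn rate are assumed values chosen for the example.

```python
import random
from collections import deque


def build_centralized(n_bots):
    """Star topology: node 0 is the C&C server, bots 1..n_bots talk only to it."""
    adj = {0: set(range(1, n_bots + 1))}
    for b in range(1, n_bots + 1):
        adj[b] = {0}
    return adj


def build_p2p(n_bots, degree, seed=1):
    """Random overlay: every bot opens `degree` links to random peers; links are
    symmetric and there is no dedicated server node."""
    rng = random.Random(seed)
    adj = {b: set() for b in range(n_bots)}
    for b in range(n_bots):
        for p in rng.sample([x for x in range(n_bots) if x != b], degree):
            adj[b].add(p)
            adj[p].add(b)
    return adj


def reachable(adj, start, removed):
    """Breadth-first search that treats nodes in `removed` as offline."""
    seen, queue = {start}, deque([start])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in removed and v not in seen:
                seen.add(v)
                queue.append(v)
    return seen


def command_coverage(adj, inject, removed):
    """Fraction of surviving nodes (other than the injection point) that a
    command injected at `inject` can reach; 0.0 if the injection point is gone."""
    if inject in removed:
        return 0.0
    alive = [n for n in adj if n not in removed and n != inject]
    if not alive:
        return 0.0
    reached = reachable(adj, inject, removed) - {inject}
    return len(reached) / len(alive)


def compare(n_bots=200, degree=4, churn=0.3, seed=1):
    """Assumed parameters. Returns (coverage of the centralized botnet after its
    C&C server is taken down, coverage of the P2P botnet after a `churn`
    fraction of its bots disappear and the botmaster injects the command at
    any surviving bot)."""
    star = build_centralized(n_bots)
    p2p = build_p2p(n_bots, degree, seed)
    star_after_takedown = command_coverage(star, 0, {0})
    rng = random.Random(seed + 1)
    gone = set(rng.sample(range(n_bots), int(churn * n_bots)))
    inject = next(b for b in range(n_bots) if b not in gone)
    p2p_after_churn = command_coverage(p2p, inject, gone)
    return star_after_takedown, p2p_after_churn


if __name__ == "__main__":
    star, p2p = compare()
    print(f"centralized, C&C server removed: {star:.0%} of bots still reachable")
    print(f"P2P, 30% of bots removed:        {p2p:.0%} of surviving bots still reachable")
```

Removing the single server node leaves the star with no command path at all, whereas the random overlay, having no special node, still delivers the command to nearly every surviving bot after losing almost a third of them; the same would hold if the removed P2P nodes had been chosen by a defender rather than by churn, because no single node carries the overlay.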
Researchers have recently paid attention to various P2P botnets. Stormnet and the Trojan.Peacomm botnet have been studied extensively because they are the most commonly encountered P2P botnets. Nevertheless, analysing every individual P2P botnet is not enough to counteract this class of botnet effectively; P2P botnets have to be studied systematically in order to defend against them properly.
Peer-to-peer (P2P) Botnet Framework:
Building a P2P botnet is a process comprised of two steps:
1. The attacker has to infect as many machines as possible across the internet so that he or she can control them remotely. Any malware vector can be used for this, such as viruses, trojan horses, worms and instant messaging (IM) malware.
2. The compromised machines then perform the actions the botmaster specifies. Depending on the attacker’s goal these actions differ from attack to attack, e.g. DDoS attacks, keylogging or spamming. Throughout this step each bot acts both as a client, performing the actions predefined by the botmaster, and as a C&C server, relaying commands to other bots.
There are two ways for new peers to join a P2P network such as that of a P2P botnet:
1. An initial set of peers is hard-coded into each P2P client. When a new peer comes online it tries to contact each peer in that initial set to obtain up-to-date information about neighbouring peers.
2. A shared web cache, e.g. a Gnutella web cache, is hosted somewhere online and its location is embedded in the bot’s code. New peers refresh their list of neighbouring peers by querying the web cache for the latest entries. Either mechanism leaves something for defenders to work with: a hard-coded peer list can be extracted from the bot binary and the listed peers blocked or sinkholed, and a web cache is itself a host that can be taken down, so a bot that depends on only one of the two may never manage to join.
For example, Trojan.Peacomm is malware that builds a P2P botnet using the Overnet P2P protocol for C&C communication. The bot’s code includes a list of Overnet nodes that are likely to be online. When a machine is infected and the Trojan.Peacomm code runs, it tries to contact the peers listed in the bot’s code. Stormnet, the botnet built by the Storm worm, uses a similar mechanism: the peers that a newly infected machine contacts once the bot code executes are listed in a configuration file that the Storm worm writes to the victim’s machine.
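The two join mechanisms and the dropped-configuration-file variant described above, as an added example that is not code from the original article or from either botnet: a bootstrap routine that first tries a hard-coded seed list, falls back to a web cache when no seed answers, and then pulls neighbour lists from whatever it reached. The network state, the addresses (RFC 5737 documentation ranges), the “ip:port” configuration-file format and the sinkhole helper are all constructed for the example.

```python
# Constructed network state for the example: address -> neighbours that peer
# hands out when asked. RFC 5737 documentation addresses, not real bots.
NETWORK = {
    "192.0.2.10:4000": {"192.0.2.11:4000", "192.0.2.12:4000"},
    "192.0.2.11:4000": {"192.0.2.10:4000", "192.0.2.13:4000"},
    "192.0.2.12:4000": {"192.0.2.10:4000", "198.51.100.5:4000"},
    "192.0.2.13:4000": {"192.0.2.11:4000"},
    "198.51.100.5:4000": {"192.0.2.12:4000"},
}

# Mechanism 1: seed peers compiled into the bot (the last one is already dead).
HARDCODED_SEEDS = ["192.0.2.10:4000", "192.0.2.11:4000", "203.0.113.99:4000"]

# Mechanism 2: addresses a web cache at a URL baked into the bot would return.
WEB_CACHE = ["192.0.2.12:4000"]

# Constructed stand-in for a peer configuration file dropped by the infector,
# one "ip:port" per line (the real Storm file format is not shown here).
PEER_FILE = """\
# seeds written by the infector
192.0.2.10:4000
192.0.2.11:4000   # trailing comment
not-an-address
203.0.113.99:4000
"""


def parse_peer_config(text):
    """Parse 'ip:port' lines, ignoring blank lines, comments and malformed entries."""
    peers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep or not host or not port.isdigit():
            continue  # malformed entry: skip rather than abort the bootstrap
        peers.append(f"{host}:{int(port)}")
    return peers


def bootstrap(seeds, network, web_cache=None, rounds=2):
    """Join the overlay: contact the seeds, fall back to the web cache if none
    answers, then pull neighbour lists from every reachable peer for `rounds`
    hops. `network` models which peers are online and what they hand out."""
    known = {s for s in seeds if s in network}
    if not known and web_cache:
        known = {a for a in web_cache if a in network}
    frontier = set(known)
    for _ in range(rounds):
        new = {n for p in frontier for n in network.get(p, set()) if n in network}
        new -= known
        known |= new
        frontier = new
    return sorted(known)


def sinkhole(network, addresses):
    """Network state after the given peers have been taken offline."""
    return {a: n for a, n in network.items() if a not in addresses}


if __name__ == "__main__":
    print("peers from dropped file:", parse_peer_config(PEER_FILE))
    print("seeds alive:            ", bootstrap(HARDCODED_SEEDS, NETWORK))
    crippled = sinkhole(NETWORK, HARDCODED_SEEDS)
    print("seeds sinkholed:        ", bootstrap(HARDCODED_SEEDS, crippled))
    print("sinkholed + web cache:  ", bootstrap(HARDCODED_SEEDS, crippled, WEB_CACHE))
```

With the seeds online the new bot learns the whole overlay within two hops. Once the seeds are sinkholed, a bot that has only the hard-coded list never joins, while one that also knows a web cache still finds its way in through the peers the cache advertises; this is why defenders need to cover both mechanisms rather than one.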