Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm

Thorsten Holz, Moritz Steiner, Frederic Dahl, Ernst Biersack, Felix Freiling
University of Mannheim
holz dahl freiling @

Abstract

Botnets, i.e., networks of compromised machines under a common control infrastructure, are commonly controlled by an attacker with the help of a central server: all compromised machines connect to the central server and wait for commands. However, the first botnets that use peer-to-peer (P2P) networks for remote control of the compromised machines appeared in the wild recently. In this paper, we introduce a methodology to analyze and mitigate P2P botnets. In a case study, we examine in detail the Storm Worm botnet, the most widespread P2P botnet currently propagating in the wild. We were able to infiltrate and analyze the botnet in depth, which allows us to estimate the total number of compromised machines. Furthermore, we present two different ways to disrupt the communication channel between controller and compromised machines in order to mitigate the botnet, and evaluate the effectiveness of these mechanisms.

1 Introduction

A bot is a computer program installed on a compromised machine which offers an attacker a remote control mechanism. Botnets, i.e., networks of such bots under a common control infrastructure, pose a severe threat to today's Internet: botnets are commonly used for Distributed Denial-of-Service (DDoS) attacks, sending of spam, or other nefarious purposes [5, 24, 15]. The common control infrastructure of botnets in the past was based on Internet Relay Chat (IRC): the attacker sets up an IRC server and opens a specific channel in which he posts his commands. Bots connect to this channel and act upon the commands they observe. Today, the standard technique to mitigate IRC-based botnets is called botnet tracking [11, 15, 14] and includes three steps. The first step consists of acquiring and analyzing a copy of a bot. This can be achieved for .