Full Paper Accepted At IEEE ICDCS 2015

2015/03/25

The paper, titled “ZeusMilker: Circumventing The P2P Zeus Neighbor List Restriction Mechanism”, is authored by Shankar Karuppayah, Stefanie Roos, Christian Rossow, Max Mühlhäuser, and Mathias Fischer.

Abstract:

The emerging trend of highly-resilient P2P botnets poses a huge security threat to our modern society. The situation is further impaired by sophisticated P2P botnets like P2P Zeus, which drastically impede botnet monitoring by carefully designed countermeasures. These countermeasures reduce the accuracy of the monitored data; in particular, an exact reconstruction of the botnet's topology is hard to obtain efficiently. However, an accurate topology snapshot is crucial to execute effective botnet takedown operations. In this paper, we provide a detailed description and analysis of the P2P Zeus neighbor list restriction mechanism. As our main contribution, we propose ZeusMilker, a mechanism for circumventing the existing anti-monitoring countermeasure. In contrast to existing approaches, our mechanism deterministically reveals the complete neighbor lists of bots and hence can efficiently provide a reliable topology snapshot of P2P Zeus. We evaluated ZeusMilker on a real-world dataset and found that it outperforms state-of-the-art techniques for botnet monitoring with regard to the number of queries needed to retrieve a bot's neighbor list. Furthermore, ZeusMilker is provably optimal in retrieving the complete neighbor list, requiring at most 2n queries for an n-element list. As a result, we successfully designed and developed an efficient countermeasure against the P2P Zeus neighbor list restriction mechanism. Moreover, we also evaluated how the performance of ZeusMilker is impacted by various protocol changes designed to undermine its provable performance bounds.
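To make the abstract's point concrete, the following is an added example; it is not code from the ZeusMilker paper or its authors. It assumes a simplified neighbor list restriction of the kind the abstract refers to: a bot answers a list request carrying a key with the K neighbors that are XOR-closest to that key, or with its whole list if it holds fewer than K entries. Against that model it runs a deterministic crawler that recovers the complete list by choosing its query keys so that every reply provably exhausts a region of the ID space. The ID width B, the cap K, the class and function names, and the sample neighbor lists are all constructed for the demo. The strategy is a plain subtree-coverage argument, not the paper's algorithm, and it carries no 2n-query guarantee.

```python
"""Added example: milking a restricted neighbor list with chosen query keys.

ASSUMED model (not taken from the paper): a bot holds a set of B-bit neighbor
IDs and answers a list request with key q by returning the K neighbors closest
to q under XOR distance, or all of them if it has fewer than K. B, K and the
sample lists below are constructed for the demo.
"""
import random

B = 32   # assumed ID width in bits (constructed; real IDs are longer)
K = 4    # assumed per-response cap (constructed)


class RestrictedBot:
    """Bot that only ever reveals the K neighbors XOR-closest to the query key."""

    def __init__(self, neighbors):
        self.neighbors = set(neighbors)
        self.queries = 0

    def get_list(self, key):
        self.queries += 1
        return sorted(self.neighbors, key=lambda nid: nid ^ key)[:K]


def covered_prefix_len(key, reply):
    """Prefix length (counted from the MSB) of the subtree a reply exhausts.

    Let d be the XOR distance of the farthest returned neighbor and j the index
    of its top set bit. Every neighbor at distance < d is in the reply (the bot
    returned the K closest, and distinct IDs give distinct distances), so every
    neighbor sharing key's top B-j bits has been seen. Clamped to B so a
    distance of 0 (a neighbor equal to the key) covers exactly that one ID.
    """
    d_max = max(nid ^ key for nid in reply)
    return min(B, B - (d_max.bit_length() - 1))


def milk(bot):
    """Deterministically recover the bot's whole neighbor list.

    Invariant: every neighbor not yet found lies inside some pending subtree
    on the worklist. A subtree is (prefix_value, prefix_len): the IDs whose top
    prefix_len bits equal prefix_value. The worklist starts as the whole space.
    """
    found = set()
    work = [(0, 0)]
    while work:
        prefix, plen = work.pop()
        key = prefix << (B - plen)         # lowest ID inside this subtree
        reply = bot.get_list(key)
        found.update(reply)
        if len(reply) < K:
            break                          # under the model the bot has no more
        clen = covered_prefix_len(key, reply)
        if clen <= plen:
            continue                       # the reply exhausted this whole subtree
        # The exhausted subtree is deeper than the one we popped; the siblings
        # along the path from depth plen+1 down to depth clen are still open.
        for depth in range(plen + 1, clen + 1):
            ancestor_prefix = key >> (B - depth)
            work.append((ancestor_prefix ^ 1, depth))
    return found


def demo(n=25, seed=7):
    """Milk a constructed random neighbor list and report the query count."""
    rng = random.Random(seed)
    neighbors = set()
    while len(neighbors) < n:
        neighbors.add(rng.getrandbits(B))
    bot = RestrictedBot(neighbors)
    found = milk(bot)
    return {"complete": found == neighbors, "n": n, "queries": bot.queries}


if __name__ == "__main__":
    print(demo())
```

Completeness rests only on the worklist invariant, which is the thing to re-check if the response rule is changed (for example, if a bot could drop a close neighbor from a reply, the "distance < d exhausted" step would no longer hold and the crawler would silently miss entries). The query count that demo() returns is not comparable with the abstract's 2n bound: on tightly clustered lists this naive strategy spends roughly one extra query per level of the ID tree, which is exactly the kind of waste a key-selection scheme designed for the real mechanism avoids.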