Research Article

Towards Accurate Node-Based Detection of P2P Botnets

Table 1

Sample bot analysis and behavior.

| Name | Host behavior | Network behavior | Remark |
|---|---|---|---|
| Bot 1. Phatbot | (1) Modify the registry; (2) Add a startup item; (3) Modify a file; (4) Terminate the antivirus thread | (1) Start the IRC thread; (2) Start the P2P server thread; (3) Start the P2P client thread | (1) Modifies a file named "host" in the system directory; (2) Starts the IRC client thread and connects to the IRC server; (3) Starts both a client thread and a server thread to improve P2P communication |
| Bot 2. Zhelatin.zy | (1) Modify the registry; (2) Add a startup item; (3) Copy a file | (1) Connect to an SMTP server; (2) UDP connections | (1) Copies itself to the shared directory in order to propagate; (2) Connects to the SMTP server from its SMTP thread; (3) Makes many UDP connections that share the same source port but use random target ports |
| Bot 3. Sinit | | (1) UDP protocol; (2) High ICMP traffic; (3) Sends packets to port 53 | (1) Sends special discovery packets to port 53 of random IP addresses on the Internet |
| Bot 4. Nugache | (1) Modify the registry | (1) Open TCP port 8; (2) Encrypted data transmission | (1) Modifies the registry and installs the host list into the Windows registry; (2) Has a static list of IP addresses (20 initial peers) to which it tries to connect on TCP port 8; (3) The exchanged data is encrypted |
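As an added illustration (not code from the paper), the network-behavior column of Table 1 can be turned into per-host detection features. This Python sketch scores constructed flow records for two of the patterns above: many UDP flows from one fixed source port to random destination ports (the Zhelatin row) and probes to port 53 of many distinct addresses (the Sinit row). The flow records, addresses and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample flow records: (src_ip, proto, src_port, dst_ip, dst_port).
# Synthetic data for illustration only; addresses are documentation ranges.
FLOWS = [
    # Host A: 25 UDP flows from one source port to random hosts/ports (Zhelatin-like)
    *[("10.0.0.5", "udp", 7871, f"198.51.100.{i}", 1024 + 37 * i) for i in range(25)],
    # Host B: UDP probes to port 53 of 30 distinct addresses (Sinit-like discovery)
    *[("10.0.0.6", "udp", 40000 + i, f"203.0.113.{i}", 53) for i in range(30)],
    # Host C: an ordinary client resolving names at its single local resolver
    *[("10.0.0.7", "udp", 50000 + i, "10.0.0.1", 53) for i in range(30)],
    ("10.0.0.7", "tcp", 50100, "93.184.216.34", 443),
]


def udp_fanout_features(flows, min_flows=20, min_dst_ports=10, min_dns_peers=10):
    """Return {src_ip: [feature names]} for hosts matching the Table 1 UDP patterns.

    Thresholds are assumed values for the example, not from the paper."""
    # src_ip -> src_port -> list of (dst_ip, dst_port)
    per_src = defaultdict(lambda: defaultdict(list))
    # src_ip -> distinct destination IPs contacted on UDP/53
    dns_peers = defaultdict(set)
    for src, proto, sport, dst, dport in flows:
        if proto != "udp":
            continue
        per_src[src][sport].append((dst, dport))
        if dport == 53:
            dns_peers[src].add(dst)

    findings = {}
    for src, by_port in per_src.items():
        hits = []
        for targets in by_port.values():
            dports = {dp for _, dp in targets}
            # One reused source port fanning out to many random target ports
            if len(targets) >= min_flows and len(dports) >= min_dst_ports:
                hits.append("fixed-src-port UDP fanout (Zhelatin-like)")
                break
        # Port-53 traffic spread over many distinct hosts, unlike normal DNS
        if len(dns_peers[src]) >= min_dns_peers:
            hits.append("port-53 probes to many distinct hosts (Sinit-like)")
        if hits:
            findings[src] = hits
    return findings


if __name__ == "__main__":
    for host, feats in udp_fanout_features(FLOWS).items():
        print(host, feats)
```

Host C, which sends 30 ordinary DNS queries to one resolver, is not flagged, which is the distinction a node-based detector needs to make.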