Last-minute paper: Lessons learned: sinkholing a peer-to-peer botnet

Ross Gibb (Symantec)
Vikram Thakur (Symantec)

Since 2012, one of the most prevalent botnets worldwide, with millions of infected computers, has used a UDP-based peer-to-peer protocol both to update peer IP addresses and to exchange payload metadata. A number of flaws have been uncovered in this UDP-based peer-to-peer protocol, and together they yield a novel way to sinkhole a significant number of the infected peers in the real world. Symantec's sinkhole scenario prevents individual peers from receiving and spreading malicious payloads.

The sinkhole operation had only been run in network simulation. However, after an update to the botnet suddenly made about half of the infected computers immune to the devised sinkholing method, the decision was made to sinkhole the remaining botnet's UDP network immediately. The Symantec Attack Investigation Team will describe the effort required to sinkhole the botnet successfully and share the technical details of the sinkhole operation (development, deployment and measurement of success). VB2013 participants will see internal Symantec data and statistics on the size of the botnet and the number of bots that were successfully sinkholed.

VB2013 takes place 2-4 October 2013 in Berlin, Germany.

