Abstract

P2P botnets represent another escalation level in the arms race between criminals and the research community. By utilizing a distributed P2P architecture they are resilient against random failures and attacks and overcome the limitations of a central command and control server. For this reason, it is important to monitor them to gather information for potential takedown attempts. In this paper, we introduce our high-frequency crawling tool Strobo-Crawler, which can carry out a fine-grained node enumeration. Furthermore, we propose mechanisms to derive accurate snapshots of the botnet graph on the basis of restricted monitoring data. We applied Strobo-Crawler in a two-week crawling campaign in the P2P botnets Sality and ZeroAccess and describe the results along with a careful evaluation of our graph reconstruction. Furthermore, we provide a thorough analysis of the resulting botnet graphs and also make these graphs available to the public. Our results indicate that these botnets are highly resilient against node churn, but also against targeted attacks. Bots are highly interconnected, and the graphs are characterized by a high clustering coefficient, high density, and low diameter.
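The abstract names the graph properties it measures (clustering coefficient, density, diameter) and the two failure models it evaluates (random churn versus targeted node removal). The following is an added example, not code from the paper or from Strobo-Crawler: it symmetrises a constructed peer-list snapshot into an undirected graph, computes those three metrics, and simulates both removal strategies; the `SNAPSHOT` data and all function names are assumptions made for illustration.

```python
import random
from collections import deque
# Constructed peer-list snapshot (node -> peers it reported); not data from the paper.
SNAPSHOT = {n: [(n + 1) % 8, (n + 2) % 8] for n in range(8)}

def to_graph(snapshot):  # symmetrise directed peer lists into an undirected graph
    adj = {n: set() for n in snapshot}
    for n, peers in snapshot.items():
        for p in peers:
            adj.setdefault(p, set()).add(n)
            adj[n].add(p)
    return adj

def density(adj):  # fraction of all possible edges that exist
    n, m = len(adj), sum(len(v) for v in adj.values()) // 2
    return 2 * m / (n * (n - 1)) if n > 1 else 0.0

def avg_clustering(adj):  # mean share of each node's neighbour pairs that are linked
    total = 0.0
    for nbrs in adj.values():
        k = len(nbrs)
        if k >= 2:
            links = sum(1 for a in nbrs for b in nbrs if a < b and b in adj[a])
            total += links / (k * (k - 1) / 2)
    return total / len(adj)

def bfs_distances(adj, src):  # hop counts from src to every reachable node
    dist, queue = {src: 0}, deque([src])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def diameter(adj):  # longest shortest path, or None if the graph is disconnected
    dists = [bfs_distances(adj, n) for n in adj]
    return None if any(len(d) < len(adj) for d in dists) else max(max(d.values()) for d in dists)

def largest_component_fraction(adj):  # share of nodes in the biggest connected component
    return max(len(bfs_distances(adj, n)) for n in adj) / len(adj) if adj else 0.0

def remove_nodes(adj, k, targeted, seed=0):
    # Simulate k node losses: highest-degree first (targeted takedown) or random (churn).
    g, rng = {n: set(v) for n, v in adj.items()}, random.Random(seed)
    for _ in range(min(k, len(g))):
        victim = max(g, key=lambda n: len(g[n])) if targeted else rng.choice(sorted(g))
        for nbr in g.pop(victim):
            g[nbr].discard(victim)
    return largest_component_fraction(g)
```

On the constructed 8-node overlay every bot has four links, so the graph survives the loss of any three nodes intact and only fragments once a fourth high-degree node is removed; on a hub-and-spoke snapshot the same targeted strategy isolates every spoke in one step.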

Full Text
Published version (Free)
