Exploring a P2P Transient Botnet – From Discovery to Enumeration

From DDoS attacks to malicious code propagation, botnets continue to represent a serious threat to organizations and users connected to the Internet and, for this reason, remain an important research area. These vast networks demonstrated their power when they disrupted a large part of the Internet, affecting companies such as Twitter and Netflix, when the Mirai P2P botnet targeted Dyn's DNS services in 2016. In this paper, we present the study that allowed us to discover a "Mirai-like" botnet called Rakos, from its recruitment of our high-interactivity honeypot to the detailed analysis and exploitation of the botnet's C&C protocol, using crawling and node-injection methods to enumerate the network and estimate its size. Our contribution also includes a comparison between the two P2P botnet exploration methods used in our research and the situations in which each is better suited for further analysis. Additionally, we propose the term "transient" to designate botnets formed by malware that does not establish persistence on the compromised system, as this tends to be common among modern threats to IoT (Internet of Things) devices.


Renato Marinho is Chief of Research at Morphus Labs and an Incident Handler at the SANS Internet Storm Center. His journey in the field began in 2001, when he created Nettion, one of the first firewalls to use the contemporary UTM (Unified Threat Management) concept. Experienced in cyber security, Marinho was internationally recognized in 2016 for his research that unveiled Mamba, the first full-disk-encryption ransomware. At Morphus Labs, he oversees research, innovation and the development of new products. Holding a Master's degree and currently a PhD student in Applied Informatics, he is also a professor at the University of Fortaleza, teaching Computer Forensics in the post-graduate course. He is also a speaker, having presented at the Ignite Cybersecurity Conference Vancouver, BSides Delaware, BSides Vienna, WSKS Portugal and the Brazilian CSIRTs Forum.
Raimir Holanda Filho holds a PhD in Computer Science from the Universitat Politecnica de Catalunya (Spain, 2005). He is currently a full professor at the University of Fortaleza (UNIFOR). He has experience in Computer Science, with emphasis on Teleinformatics, working mainly on the following topics: Wireless Sensor Networks, Ubiquitous Computing, Security, Internet of Things and Intelligent Cities.
