
Author: 鄭孟元 (Jeng, Meng-Yuan)
Title: 汙染阻斷P2P殭屍網路通訊:暴風蠕蟲研究 (Disrupting Peer-to-Peer-based Botnet Communication using Strategic Poisoning: Storm Worm case study)
Advisor: 賴溪松 (Laih, Chi-Sung)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Institute of Computer & Communication Engineering
Year of publication: 2010
Graduation academic year: 98 (ROC calendar, i.e. the 2009-2010 academic year)
Language: English
Pages: 81
Keywords (Chinese): 點對點殭屍網路, 暴風蠕蟲 (P2P botnet, Storm worm)
Keywords (English): P2P Botnet, Storm Worm
Abstract:

The number of Internet users grows constantly, and with it the number of malicious actors who use every available means to disrupt the network or to profit from it illegally. The botnet is one such attack vehicle and can be viewed as an underground commercial hacking service. A botnet owner (the botmaster) controls hundreds, thousands or even millions of victim computers and harnesses their combined computing power for illegal activity such as sending spam mail or launching distributed denial of service (DDoS) attacks.

To reduce the threat posed by botnets, this thesis studies the more recent peer-to-peer (P2P) type of botnet, taking the well-known Storm worm as its case study. The work is built on disrupting botnet communication and adds a new algorithmic idea to reduce more effectively the number of bots the botmaster can control. The primary contributions are: (1) after analysing the Storm worm botnet and its behaviour, we define a mathematical model for it that later work can build on; (2) we propose an algorithm that computes the positions in the botnet with the highest communication benefit, treats them as strategic points, and infiltrates our own spy nodes into those positions, from which they suppress the botnet's communication more effectively than nodes placed elsewhere. To validate the strategic-point algorithm we simulate the Storm worm's network behaviour and run infiltration experiments against the simulated botnet using the proposed method.
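The thesis's own Storm worm model and Strategic NID algorithm are not reproduced on this page. The following is an added toy simulation, not code from the thesis, that illustrates the idea behind contribution (2): rank nodes of an Overnet/Kademlia-style overlay by how much lookup traffic for a set of hot keys passes through them, infiltrate a controlled node whose NID sits at XOR distance 0 from each hot key, advertise it only to the high-traffic nodes, and measure how many lookups the controlled node captures compared with advertising to the same number of random nodes. Assumptions not taken from the thesis: 128-bit XOR-metric IDs, routing knowledge made of random peers plus each node's K nearest neighbours, a constructed set of hot keys, and pollution modelled as a controlled node that answers FIND_NODE with only itself.

```python
"""Toy Kademlia-style model of strategic placement for botnet poisoning.

Added illustration, not the thesis's Storm worm model or Strategic NID
algorithm. Assumptions: 128-bit XOR-metric IDs (as in Overnet/Kademlia),
random peers plus K nearest neighbours as routing knowledge, constructed
hot keys, and a controlled node that pollutes by answering only with itself.
"""
import copy
import random
from collections import Counter

ID_BITS = 128   # Overnet/Kademlia node and key IDs are 128 bits
K = 4           # contacts returned per FIND_NODE (toy value)


class Node:
    def __init__(self, nid, controlled=False):
        self.nid = nid
        self.controlled = controlled   # True for an infiltrated node we control
        self.peers = set()             # NIDs in this node's routing knowledge

    def find_node(self, key):
        """Answer FIND_NODE(key) with the K known contacts closest to key.
        A controlled node pollutes: it answers only with itself, so the
        searcher never learns closer honest contacts and converges on it."""
        if self.controlled:
            return [self.nid]
        return sorted(self.peers, key=lambda p: p ^ key)[:K]


def build_network(n_nodes, degree, rng):
    """Honest overlay: each node knows `degree` random peers plus its K
    XOR-nearest neighbours (stand-in for Kademlia's bucketed routing table)."""
    nids = set()
    while len(nids) < n_nodes:
        nids.add(rng.getrandbits(ID_BITS))
    nids = sorted(nids)
    network = {nid: Node(nid) for nid in nids}
    for nid in nids:
        others = [p for p in nids if p != nid]
        network[nid].peers.update(rng.sample(others, degree))
        network[nid].peers.update(sorted(others, key=lambda p: p ^ nid)[:K])
    return network


def lookup(network, start, key, traffic):
    """Iterative Kademlia-style lookup from `start` for `key`. Every contacted
    node is counted in `traffic`. Stops when the K closest contacts in the
    shortlist have all been queried and returns the closest one found."""
    shortlist, queried = {start}, set()
    while True:
        closest = sorted(shortlist, key=lambda p: p ^ key)[:K]
        pending = [p for p in closest if p not in queried]
        if not pending:
            return closest[0]
        target = pending[0]
        queried.add(target)
        traffic[target] += 1
        shortlist.update(network[target].find_node(key))


def strategic_nodes(network, hot_keys, n_lookups, rng, top):
    """Rank nodes by how often hot-key lookups pass through them; the `top`
    most-contacted NIDs are the strategic positions."""
    traffic = Counter()
    nids = list(network)
    for _ in range(n_lookups):
        lookup(network, rng.choice(nids), rng.choice(hot_keys), traffic)
    return [nid for nid, _ in traffic.most_common(top)]


def infiltrate(network, hot_keys, advertise_to):
    """Insert one controlled node per hot key at XOR distance 0 from that key
    and make it known to the nodes in `advertise_to` (the infiltration step)."""
    polluted = copy.deepcopy(network)
    for key in hot_keys:
        assert key not in polluted        # fresh NID in a 2^128 space
        polluted[key] = Node(key, controlled=True)
        for nid in advertise_to:
            polluted[nid].peers.add(key)
    return polluted


def capture_rate(network, hot_keys, n_lookups, seed):
    """Fraction of hot-key lookups started by honest nodes that end at a
    controlled node, i.e. lookups the poisoning has hijacked."""
    rng = random.Random(seed)
    honest = [nid for nid, node in network.items() if not node.controlled]
    hits = 0
    for _ in range(n_lookups):
        end = lookup(network, rng.choice(honest), rng.choice(hot_keys), Counter())
        hits += network[end].controlled
    return hits / n_lookups


def compare_placements(n_nodes=300, degree=8, n_hot=3, top=8, seed=1):
    """Strategic advertisers versus the same number of random advertisers."""
    rng = random.Random(seed)
    net = build_network(n_nodes, degree, rng)
    hot_keys = [rng.getrandbits(ID_BITS) for _ in range(n_hot)]   # constructed
    strategic = strategic_nodes(net, hot_keys, 400, rng, top)
    random_pick = rng.sample(list(net), top)
    return {
        "strategic": capture_rate(infiltrate(net, hot_keys, strategic), hot_keys, 200, seed),
        "random": capture_rate(infiltrate(net, hot_keys, random_pick), hot_keys, 200, seed),
    }


if __name__ == "__main__":
    print(compare_placements())
```

The two numbers returned by `compare_placements` are the hijack rates with the same number of spy nodes; the only difference is whether the spies are advertised to the high-traffic nodes found by `strategic_nodes` or to random nodes. Because a FIND_NODE answer always includes a contact at distance 0 when one is known, a lookup is captured as soon as any node on its path knows the spy, which is why placement at the nodes most lookups traverse matters more than the number of spies.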

Table of contents (thesis page numbers in parentheses):

Acknowledgement (Chinese) (III)
List of Tables (VII)
List of Figures (VIII)
Chapter 1 Introduction (1)
  1.1 Motivation (1)
  1.2 Contribution (3)
  1.3 Thesis Organization (3)
Chapter 2 Background (5)
  2.1 Botnet Introduction (5)
    2.1.1 Importance of Botnets (5)
    2.1.2 The three activity stages of a Botnet (8)
  2.2 Classification of Botnets (9)
    2.2.1 Centralized Botnet (9)
    2.2.2 Decentralized Botnet (11)
    2.2.3 Hybrid (12)
    2.2.4 Comparison of IRC, P2P and Hybrid Botnets (13)
  2.3 Storm Worm (14)
    2.3.1 Storm Worm Event (14)
    2.3.2 Analysis of the Storm Worm Botnet (15)
    2.3.3 Overnet Protocol versus Stormnet Protocol (30)
Chapter 3 Botnet Related Works (33)
  3.1 IRC and HTTP-based Botnet Solution Research (33)
  3.2 P2P-based Botnet Solution Research (34)
    3.2.1 Sybil-based Mitigation Strategy (35)
    3.2.2 Polluting-based Mitigation Strategy (36)
    3.2.3 Eclipse-based Mitigation Strategy (37)
  3.3 Solution Discussion (38)
Chapter 4 Methodology (41)
  4.1 The Idea (41)
  4.2 Common Assumptions (42)
  4.3 Definition of the Storm Worm Network (43)
  4.4 Implementation (46)
    4.4.1 The Strategic NID Algorithm (46)
    4.4.2 Infiltration (49)
    4.4.3 Pollution (50)
Chapter 5 Experiments and Results (53)
  5.1 Simulation Environment and Scenario (53)
  5.2 Results (56)
Chapter 6 Discussions (65)
  6.1 Experimental Considerations (65)
  6.2 Results Discussion (67)
Chapter 7 Conclusion and Future Work (73)
References (75)


Availability: on campus, open from 2011-07-29; off campus, not open.
The electronic thesis has not yet been authorized for release; for the printed copy, consult the library catalog.