Ross Gibb Symantec
Vikram Thakur Symantec
download slides (PDF)
Since 2012, one of the most prevalent botnets worldwide, with millions of infected computers, has used a UDP-based peer-to-peer protocol for updating peer IP addresses and for payload metadata communications. A number of flaws have been uncovered in this botnet's UDP-based peer-to-peer protocol, which has resulted in a novel way to sinkhole a significant number of the infected peers in the real world. Symantec's sinkhole scenario prevents individual peers from receiving and spreading malicious payloads.
The sinkhole operation was running in network simulation only. However, after an update to the botnet suddenly made about half the infected computers immune to the devised sinkholing method, the decision was made to immediately sinkhole the remaining botnet's UDP network. The Symantec Attack Investigation Team will describe the amount of effort required to successfully sinkhole the botnet and share the technical details of our sinkhole operation (development, deployment and measure of success). VB2013 participants will see internal Symantec data and statistics on the size of the botnet and the number of bots we successfully sinkholed.
VB2013 takes place 2-4 October 2013 in Berlin, Germany.
The full programme for VB2013, including abstracts for each paper, can be viewed here.