A Reputation-Based Resilient and Recoverable P2P Botnet

Centralized botnets inherently suffer the single point of failure problem. To resolve this, botmasters are generally designed with peer-to-peer architecture to harden the botnet infrastructures. In the last several years, hybrid P2P botnets relying on peer-list exchange represent one of the emerging trends in advanced botnets. Although these botnets are immune to index poisoning, they are still vulnerable to peer-list pollution attacks. Once the majority of the bots' peer-lists are polluted by defenders, these polluters subsequently refuse to forward any commands, therefore effectively starving real bots and ultimately disabling the botnet (e.g., Waledac). This paper introduces the TRBot, which we designed as a reputation-based resilient and recoverable P2P botnet. TRBot exploits a novel reputation-based peer-list construction mechanism to build trust amongst the bots, and a self-repairing mechanism to make peer-list maintenance completely automated. A two-step bootstrap procedure is also employed to prevent all initial peer-list items from being rendered ineffective in extreme cases. The proposed botnet is highly robust and effective against pollution attacks. In the end, we further suggest several possible defenses against TRBot.