On the Robustness of the Botnet Topology Formed by Worm Infection

Peer-to-peer botnets formed by worm infection have become a real threat to the Internet and are expected to become rampant in the near future. In our previous work, we have analyzed the underlying botnet topology formed by worm infection, without considering potential user defenses. In this paper, we extend the study to characterize the evolution of the botnet structure when users patch or clean part of infected hosts after all vulnerable machines are compromised. Specifically, we examine the number of peers of an infected host and the size of disconnected botnets under random node removal through simulation. We find that when part of infected hosts are patched or cleaned, the distribution of the number of peers follows closely an exponential distribution, whereas the distribution of the size of isolated botnets is power-law. Moreover, we also evaluate a simple countermeasure by botnets that enhances topology robustness through worm re-infection, and show that re-infection can significantly mitigate the effectiveness of patching and cleaning on the botnet structure. We believe that such a study can not only provide better understandings on both the strength and the weakness of botnets, but also better prepare us for future attacks.