Title :
Zeus Milker: Circumventing the P2P Zeus Neighbor List Restriction Mechanism
Author :
Karuppayah, Shankar ; Roos, Stefanie ; Rossow, Christian ; Mühlhäuser, Max ; Fischer, Mathias
Author_Institution :
Telecooperation Group, Tech. Univ. Darmstadt, Darmstadt, Germany
Date :
June 29 2015-July 2 2015
Abstract :
The emerging trend of highly-resilient P2P botnets poses a huge security threat to our modern society. Carefully designed countermeasures, as applied in sophisticated P2P botnets such as P2P Zeus, impede botnet monitoring and subsequent takedown. These countermeasures reduce the accuracy of the monitored data, such that an exact reconstruction of the botnet's topology is hard to obtain efficiently. However, an accurate topology snapshot, revealing in particular the identities of all bots, is crucial to execute effective botnet takedown operations. With the goal of obtaining the required snapshot in an efficient manner, we provide a detailed description and analysis of the P2P Zeus neighbor list restriction mechanism. As our main contribution, we propose ZeusMilker, a mechanism for circumventing the existing anti-monitoring countermeasures of P2P Zeus. In contrast to existing approaches, our mechanism deterministically reveals the complete neighbor lists of bots and hence can efficiently provide a reliable topology snapshot of P2P Zeus. We evaluated ZeusMilker on a real-world dataset and found that it outperforms state-of-the-art techniques for botnet monitoring with regard to the number of queries needed to retrieve a bot's complete neighbor list. Furthermore, ZeusMilker is provably optimal in retrieving the complete neighbor list, requiring at most 2n queries for an n-elemental list. Moreover, we also evaluated how the performance of ZeusMilker is impacted by various protocol changes designed to undermine its provable performance bounds.
Keywords :
computer network security; invasive software; peer-to-peer computing; telecommunication network topology; P2P Zeus impede botnet monitoring; P2P Zeus neighbor list restriction mechanism; ZeusMilker mechanism; anti-monitoring countermeasures; botnet topology exact reconstruction; effective botnet takedown operations; highly-resilient P2P botnets; n-elemental list; security threat; topology snapshot; Algorithm design and analysis; Complexity theory; Crawlers; Monitoring; Peer-to-peer computing; Protocols; Topology; Anti-monitoring countermeasures; P2P Zeus; XOR metric; botnet; milking;
Conference_Title :
Distributed Computing Systems (ICDCS), 2015 IEEE 35th International Conference on
Conference_Location :
Columbus, OH
DOI :
10.1109/ICDCS.2015.69