4th International ICST Conference on Security and Privacy in Communication Networks

Research Article

Overbot - A botnet protocol based on Kademlia

  • @INPROCEEDINGS{10.1145/1460877.1460894,
        author={Guenther Starnberger and Christopher Kruegel and Engin Kirda},
        title={Overbot - A botnet protocol based on Kademlia},
        proceedings={4th International ICST Conference on Security and Privacy in Communication Networks},
        publisher={ACM},
        proceedings_a={SECURECOMM},
        year={2008},
        month={9},
        keywords={Botnet Protocol Malware Network Security},
        doi={10.1145/1460877.1460894}
    }
    
  • Guenther Starnberger
    Christopher Kruegel
    Engin Kirda
    Year: 2008
    Overbot - A botnet protocol based on Kademlia
    SECURECOMM
    ACM
    DOI: 10.1145/1460877.1460894
Guenther Starnberger (1,*), Christopher Kruegel (2,*), Engin Kirda (3,*)
  • 1: Distributed Systems Group, Vienna University of Technology
  • 2: UC Santa Barbara
  • 3: Eurecom
*Contact email: gst@infosys.tuwien.ac.at, chris@cs.ucsb.edu, kirda@eurecom.fr

Abstract

One crucial point in the implementation of botnets is the command and control channel, which is used by botmasters to distribute commands to compromised machines and to obtain results from previous commands. While the first botnets were mainly controlled by central IRC servers, recent developments have shown the advantages of a more decentralized approach using peer-to-peer (P2P) networks. Interestingly, even though some botnets already use P2P networks, they do so in a naive fashion. As a result, most existing botnet implementations allow attackers to disrupt messages from the botmaster and to learn IP addresses of other nodes within the botnet. This paper introduces Overbot, a botnet communication protocol based on a peer-to-peer architecture. More precisely, Overbot leverages Kademlia, an existing P2P protocol, to implement a stealth command and control channel. An attacker can neither learn the IP addresses of other nodes in the botnet nor disrupt the message exchange between the botmaster and the bots, even when the attacker is able to capture some of the nodes within the network. Overbot demonstrates the threats that may result when future botnet generations utilize more advanced communication structures. We believe that it is important to outline these threats to allow the research community to develop solutions before such botnets appear in the wild. To help the search for effective countermeasures, we also discuss possible directions where future research seems promising.