Botnets command and control mechanisms evolution

Botnets and command and control mechanisms

Approximately 5% of PCs around the world might be infected by malicious code right now, that is, at least 50 million machines. This significant rate can be explained by many factors, such as the lack of application and system updates, users’ lack of caution, or the rising number of attack vectors (social networks, mobile applications, spam, compromised websites…).

These machines form a set of infected hosts that communicate with one or several Command and Control servers, also called C&C servers.

There are many advantages of owning a botnet for cybercriminals, such as:

  • Stealing banking information,
  • Sending spam massively,
  • Performing Denial of Service attacks,
  • Or, in a more original way, mining Bitcoin[1].

Therefore, in response to this rising issue, the actions set up by law enforcement and researchers mainly aim to identify and disable the nerve centers: the C&C servers.

Since then, cybercriminals have been adding technical or organizational improvements to the existing mechanisms in order to make them stealthier and more resilient.

More resilient botnets

The rising cooperation between law enforcement and specialized experts has forced cybercriminals to change their strategy to ensure the resilience of their C&C servers. Indeed, the use of “bullet-proof” hosting providers, located in permissive jurisdictions and allowing attackers to keep their servers up and running over the long term, is no longer effective.

Among the most common strategies now in use, we can mention:

  • [Multiplying the C&C servers] – Performing a takedown requires significant coordination. Besides, identifying the C&C servers requires having all configuration files, which means having a sample of each malware version.
  • [Multiplying access methods] – Setting up a blacklist of C&C server names would cut off communication with the infected hosts. Several methods can bypass this mechanism:
    • Changing the URL regularly through configuration file updates.
    • Using a Domain Generation Algorithm (DGA). The drawback is that, using reverse engineering methods, a victim could decode the algorithm and then exploit this process to protect themselves proactively.
    • Using third-party websites: malware such as Torpig uses, for instance, the “trends” feed of Twitter to randomize the address generation of the C&C server.
  • [P2P feature] – Without centralized C&C servers, P2P botnets are very hard to take down or to blacklist.

These methods can be combined or used as a fallback mechanism. Indeed, cybercriminals implement control recovery modes to retrieve their botnets easily once they have been seized by law enforcement, security companies or competitors.
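The proactive defence mentioned in the DGA item above can be sketched as follows. This is an added example, not code from the original article or from any malware: `toy_dga` is a constructed stand-in for a recovered algorithm, and the log format, the `.example` domains and the sample lines are assumptions.

```python
from __future__ import annotations
import hashlib
from datetime import date, timedelta

def toy_dga(day: date, count: int = 5, tld: str = ".example") -> list[str]:
    """Constructed stand-in for a generator recovered by reverse engineering;
    it is not taken from any real malware family."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(label + tld)
    return domains

def build_blocklist(today: date, days_ahead: int, days_back: int = 1) -> dict[str, date]:
    """Map each domain in the window to the day it becomes active.
    One day back is included because infected hosts may have skewed clocks."""
    blocklist = {}
    for offset in range(-days_back, days_ahead + 1):
        day = today + timedelta(days=offset)
        for domain in toy_dga(day):
            blocklist[domain] = day
    return blocklist

def infected_clients(dns_log: list[str], blocklist: dict[str, date]) -> dict[str, set[str]]:
    """Return {client_ip: matched domains}. Assumed line format:
    '<timestamp> <client_ip> <qname>'."""
    hits: dict[str, set[str]] = {}
    for line in dns_log:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing the whole run
        _, client, qname = parts
        qname = qname.rstrip(".").lower()  # DNS names are case-insensitive
        if qname in blocklist:
            hits.setdefault(client, set()).add(qname)
    return hits

TODAY = date(2013, 6, 1)  # constructed reference date
SAMPLE_LOG = [  # constructed resolver log
    f"2013-06-01T08:00:01 10.0.0.23 {toy_dga(TODAY)[0].upper()}.",
    "2013-06-01T08:00:02 10.0.0.40 www.example.org",
    f"2013-06-02T09:10:00 10.0.0.23 {toy_dga(TODAY + timedelta(days=1))[3]}",
    "truncated-line",
]

if __name__ == "__main__":
    for client, names in infected_clients(SAMPLE_LOG, build_blocklist(TODAY, 7)).items():
        print(client, sorted(names))
```

The same precomputed list can feed a resolver blocklist or a sinkhole, and any client that queries one of its names is a candidate for incident response.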

The following table describes the main control techniques used by various well-known malware: [image: botnet mechanism]

You can’t see me!

To be stealthier, infected hosts and C&C servers use different mechanisms to communicate. The main ones are listed below:

  • [Using IRC and instant messaging] – Mandiant, in its “APT1” report, mentions the use of Jabber, MSN Messenger or Gmail Calendar as command channels.
  • [Using the DNS protocol] – Only a few malware families using it can be mentioned, such as Feederbot, Morto or Spachanel.
  • [Using images] – MiniDuke and DuQu, for instance, are able to run commands included in “.gif” files.
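A defender-side view of the DNS channel listed above, as an added example that is not part of the original article: it scores resolver logs per client and parent domain. The log format, the thresholds and the heuristic itself (many unique, random-looking subdomains and a high share of TXT queries under one parent domain) are assumptions, and the sample lines are constructed.

```python
import math
from collections import Counter, defaultdict

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score higher than words."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def split_name(qname: str):
    """Return (subdomain, parent). Simplification: the parent is the last two
    labels; production code should consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def suspicious_dns_channels(log_lines, min_queries=4, min_unique=0.9,
                            min_entropy=3.0, min_txt=0.5):
    """Flag (client, parent domain) pairs whose queries look like a data
    channel. Assumed line format: '<client_ip> <qtype> <qname>'."""
    groups = defaultdict(list)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore malformed lines
        client, qtype, qname = parts
        sub, parent = split_name(qname)
        groups[(client, parent)].append((qtype.upper(), sub))
    flagged = []
    for key, queries in groups.items():
        subs = [s for _, s in queries if s]
        if len(queries) < min_queries or not subs:
            continue  # too little traffic to judge
        unique_ratio = len(set(subs)) / len(queries)
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        txt_ratio = sum(t == "TXT" for t, _ in queries) / len(queries)
        if (unique_ratio >= min_unique and mean_entropy >= min_entropy
                and txt_ratio >= min_txt):
            flagged.append(key)
    return sorted(flagged)

SAMPLE_LOG = [  # constructed resolver log
    "10.0.0.23 TXT k3j9x0q2v7m1.sync.example",
    "10.0.0.23 TXT p8w4z6n5r1t0.sync.example",
    "10.0.0.23 TXT h2c7y9b3f6d4.sync.example",
    "10.0.0.23 TXT u5g1s8e0a3l7.sync.example",
] + ["10.0.0.40 A www.example.org"] * 3 + ["10.0.0.40 A mail.example.org"] \
  + ["10.0.0.51 TXT _dmarc.example.net"] * 4

if __name__ == "__main__":
    print(suspicious_dns_channels(SAMPLE_LOG))
```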

The stealth of the botnet also depends on its capacity to hide the C&C server. It’s pretty common to use many proxies to make the identification of the “real” C&C servers more difficult. However, it is still possible, for instance, to identify them by sniffing the traffic on the different proxies.

Salad, tomato, .onion!

The “Tor” network, and more precisely its “hidden services” feature, makes it possible to mask the true location of the C&C server. A .onion domain name is assigned to this service, making it possible to route communications between clients and the anonymous service.

  • Full anonymity of the server hosting the service is guaranteed, and it is impossible to suspend the .onion domain name. It is therefore impossible to takedown the service. However, the “Tor” traffic can be identified and blocked on a professional network.

Therefore, the use of Tor for botnets is likely to increase. Until recently, this was merely a proof of concept, but the discovery of the Skynet Trojan in late 2012 proves that actual cases exist. Recently, the investigation into the denial of service perpetrated against two South Korean DNS servers revealed the installation of a Tor client, required to download the payload in charge of performing the denial of service attack.

Conclusion

The war against botnets is going to be a long-term one. The evolution of stealth and resilience mechanisms makes the task of researchers and law enforcement harder.

Besides, the low cost and low difficulty of rebuilding a botnet make operations, especially those against C&C servers, less effective.

Therefore, efforts must focus on a more global approach, including limiting the resources available to cybercriminals, mitigating the impact of their malicious actions, identifying alleged cybercriminals and reinforcing legal proceedings against them.