Botnets Don Invisibility Cloaks

Botnet operators move their communications to the Web to cover their tracks

Most botnets are usually pretty obvious to detect -- the conspicuous Internet Relay Chat (IRC) connections they use are often a dead giveaway. But botnet operators are now starting to use stealthier ways to communicate with their zombied machines, namely through Web connections, according to researchers.

Jose Nazario, senior software and security engineer with Arbor Networks, says he and his colleagues last year started noticing a few botnets that weren't making the standard IRC connection to their bots or zombies. After taking a closer look, they realized these systems were making more subtle and inconspicuous Web-based connections instead.

IRC, basically a peer-to-peer system for real-time text conversations, has always been a hacker hangout, as well as a botnet's conduit to its victim machines. It's not widely used in enterprises, so IRC traffic sticks out like a sore thumb when it's detected in a corporate network, according to Nazario, and it's easily detected by IDSes and IPSes on the lookout for tell-tale messages like "join," "connect," etc.

So more botnet operators are trying to camouflage their communications with their victim bots via the Web. "We are seeing it pick up in the last few months," he says. "They are able to hide in the ether of the vast quantity of Web traffic out there...traffic that's not necessarily looking suspicious."

To detect these botnets at all, researchers have to know which endpoints to focus on, or specific commands the botnet may be using, because generic IDS signatures won't catch them.

It's also easier for botnet operators to obscure the bot machines. There's no way of knowing how many there are, nor to list all of the infected machines. "Web-based bots work transparently," Nazario says.

Researchers at the Shadowserver Foundation, which tracks and studies botnets and malware, have also seen a shift in how botnets handle their command and control communication. Andrè M. Di Mino, director of the Shadowserver Foundation, says both Web HTTP and peer-to-peer methods are the next big things for botnets. But it's the peer-to-peer botnets that would be the toughest to detect and shut down, he says.

"Peer-to-peer is difficult because it's not a centralized network -- each bot can send its commands on its own. That's more distributed and more difficult to isolate the actual bots, where they are, and where the commands originated from," he notes. "That's keeping us awake at night."

Di Mino says the HTTP botnet method needs to be studied by researchers, for sure. "From what we're seeing, that's [still] a small percentage compared to IRC," he says. "What's concerning us is what we are not seeing -- just because we're not seeing it doesn't mean it's not there."

And Web-based botnets would survive longer than IRC-based ones. "It would make bots live longer lives," Nazario says. "They will be stealthier," and detecting them won't be as simple, he says. And the good news for the botnet operator is it also uses up less system resources on the bot side because there's no persistent connection, he adds.

That also makes it tougher to detect since the Web-based approach only polls the machines periodically. "Often when we investigate a compromised box, we look at the current open connection and we'll see IRC," Nazario says. But with the Web-based approach, "there's no indication it's talking to this Web server."

Mark Loveless, a.k.a. simple nomad, and senior security researcher at Vernier Networks, says he doesn't see IRC going away anytime soon. "There's open-source [IRC] software and it's really easy for people who are just trying to start out and do [botnets]," he says. "If I was going to do a botnet, I would make sure it was encrypted and used some type of covert channels."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Arbor Networks Inc.
  • Vernier Networks Inc.
  • Recommended Reading:
    Editors' Choice
    Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
    Joshua Goldfarb, Director of Product Management at F5