
Perimeter

1/4/2007
07:40 AM
Botnets Don Invisibility Cloaks

Botnet operators move their communications to the Web to cover their tracks

Most botnets are pretty obvious to detect -- the conspicuous Internet Relay Chat (IRC) connections they use are often a dead giveaway. But botnet operators are now starting to use stealthier ways to communicate with their zombied machines, namely through Web connections, according to researchers.

Jose Nazario, senior software and security engineer with Arbor Networks, says he and his colleagues last year started noticing a few botnets that weren't making the standard IRC connection to their bots or zombies. After taking a closer look, they realized these systems were making more subtle and inconspicuous Web-based connections instead.

IRC, basically a peer-to-peer system for real-time text conversations, has always been a hacker hangout, as well as a botnet's conduit to its victim machines. It's not widely used in enterprises, so IRC traffic sticks out like a sore thumb when it's detected in a corporate network, according to Nazario, and it's easily detected by IDSes and IPSes on the lookout for tell-tale messages like "join," "connect," etc.

So more botnet operators are trying to camouflage their communications with their victim bots via the Web. "We are seeing it pick up in the last few months," he says. "They are able to hide in the ether of the vast quantity of Web traffic out there...traffic that's not necessarily looking suspicious."

To detect these botnets at all, researchers have to know which endpoints to focus on, or specific commands the botnet may be using, because generic IDS signatures won't catch them.

It's also easier for botnet operators to obscure the bot machines. There's no way of knowing how many there are, nor any way to list all of the infected machines. "Web-based bots work transparently," Nazario says.

Researchers at the Shadowserver Foundation, which tracks and studies botnets and malware, have also seen a shift in how botnets handle their command and control communication. André M. Di Mino, director of the Shadowserver Foundation, says both Web HTTP and peer-to-peer methods are the next big things for botnets. But it's the peer-to-peer botnets that would be the toughest to detect and shut down, he says.

"Peer-to-peer is difficult because it's not a centralized network -- each bot can send its commands on its own. That's more distributed and more difficult to isolate the actual bots, where they are, and where the commands originated from," he notes. "That's keeping us awake at night."

Di Mino says the HTTP botnet method needs to be studied by researchers, for sure. "From what we're seeing, that's [still] a small percentage compared to IRC," he says. "What's concerning us is what we are not seeing -- just because we're not seeing it doesn't mean it's not there."

And Web-based botnets would survive longer than IRC-based ones. "It would make bots live longer lives," Nazario says. "They will be stealthier," and detecting them won't be as simple, he says. And the good news for the botnet operator is that it also uses fewer system resources on the bot side because there's no persistent connection, he adds.

That also makes it tougher to detect, since with the Web-based approach the bots only poll for commands periodically. "Often when we investigate a compromised box, we look at the current open connection and we'll see IRC," Nazario says. But with the Web-based approach, "there's no indication it's talking to this Web server."
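A defender-side illustration of the point above, added here and not part of the original article: periodic HTTP polling leaves no persistent connection to spot on the box, but its regularity stands out in proxy logs when requests from one client to one host are grouped and their inter-request intervals are examined. The log lines, host names and paths below are constructed, and the jitter threshold is an assumed tuning value.

```python
"""Flag periodic HTTP polling ("beaconing") in proxy logs.

Added example (not from the article). The constructed log imitates a
bot fetching /cmd.php from one host every ~300 s, mixed with browsing.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "<ISO time> <client> <host> <method> <path>"
SAMPLE_LOG = """\
2007-01-04T07:00:00 10.0.0.5 update-check.example GET /cmd.php
2007-01-04T07:00:07 10.0.0.5 news.example GET /index.html
2007-01-04T07:05:00 10.0.0.5 update-check.example GET /cmd.php
2007-01-04T07:10:01 10.0.0.5 update-check.example GET /cmd.php
2007-01-04T07:11:40 10.0.0.5 news.example GET /sports
2007-01-04T07:14:59 10.0.0.5 update-check.example GET /cmd.php
2007-01-04T07:20:00 10.0.0.5 update-check.example GET /cmd.php
2007-01-04T07:33:12 10.0.0.5 news.example GET /weather
"""


def parse_log(text):
    """Yield (client, host, path, timestamp) tuples from the log text."""
    for line in text.splitlines():
        ts, client, host, _method, path = line.split()
        yield client, host, path, datetime.fromisoformat(ts)


def find_beacons(text, min_hits=4, max_jitter=0.05):
    """Return {(client, host): mean_interval_seconds} for periodic polling.

    A pair is flagged when it has at least min_hits requests and the
    gaps between requests vary by no more than max_jitter (coefficient
    of variation, an assumed threshold) around their mean.
    """
    times = defaultdict(list)
    for client, host, _path, ts in parse_log(text):
        times[(client, host)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = mean
    return beacons


if __name__ == "__main__":
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} polls {host} every ~{interval:.0f}s")
```

Ordinary browsing to news.example is not flagged: too few requests and irregular spacing, while the 300-second polling is.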

Mark Loveless, a.k.a. Simple Nomad, senior security researcher at Vernier Networks, says he doesn't see IRC going away anytime soon. "There's open-source [IRC] software and it's really easy for people who are just trying to start out and do [botnets]," he says. "If I was going to do a botnet, I would make sure it was encrypted and used some type of covert channels."

— Kelly Jackson Higgins, Senior Editor, Dark Reading
