Botnets - The killer web applications

www.syngress.com
Chapter 3 • Alternative Botnet C&Cs


and file a complaint to the ISP. Although often this is all they do, these C&C servers are also susceptible to eavesdropping. For example, when sitting on the IRC chat channel that the bots in a particular botnet connect to, one could potentially listen in on the commands given by the botnet controller, and perhaps even emulate him.

This is dangerous to the botnet controller, because he’d like to maintain control over his botnet and not risk it being taken over by a competing botnet controller, or even disassembled (think of uploading a new file to each bot by issuing a download command on IRC, and that way destroying the botnet. This is not exactly legal or ethical, but it is an example of what could be done, which IRC makes easy).

As useful as IRC is to the people running botnets, there are some inherent threats for them. For a long time these threats were non-existent beyond the theoretical realm, and later on not significant. Today, these threats have become commonplace, forcing botnet controllers to adapt. IRC is still the most commonplace form of a C&C server. It is slowly being complemented with obfuscation and security using alternative or more advanced C&C technologies, but while there are quite a few C&C servers running on different protocols and applications, most of these are still IRC based.

Historical C&C Technology as a Road Map

Looking back to history and the most basic C&C mechanisms, we can establish basic terminology, which will help us to determine the usefulness and risks of newer technologies introduced later on.

In the beginning, bots and botnets indeed were legitimate tools used mainly for functional purposes, such as maintaining an IRC channel open when no user is logged in or maintaining control of the IRC channel.

The first botnets of the new age of Trojan horses (Trojan horses have been here for years, but became popular mass-infection devices in 1996–1997). Controlling one compromised computer is easy. Controlling a thousand becomes a logistical nightmare. When an infection would happen, the Trojan horse would phone home by connecting to an IRC server. Once logged on to the server, the Trojan horse (now bot, more commonly referred
