These are GUI Web interfaces by which the botnet controller can issue instructions, much like typing them on IRC, only it works in push mode rather than pull. The C&C connects to all the bots, rather than the bots connecting to it and awaiting instructions.
Figure 3.1 is a screenshot of one of the very earliest command-based Web botnets:

Figure 3.1 Command-Based C&C GUI
As you can see, it enables the controller to do the following:
■ Have the bot download files from the Web.
■ Upload a file to the compromised computer.
■ Give the bot direct shell commands.
■ Save screenshots.
■ Block URLs from surfing.
■ Change the hosts file, so that the user goes to malicious Web sites instead of ones to which he intends to surf.
Some later GUI C&Cs also enabled browsing of the botnet, choosing bots by country, ISP, bandwidth, and other options, and instructing them directly, as well as gathering statistics. Consider this a Web service—a Web application to help run a botnet.
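Of the commands listed above, the hosts-file change is the one that leaves a durable artifact on the victim machine, so it is a natural thing for a defender to check. The Python below is an added example, not code from the book: it parses a constructed hosts file (modelled on the Windows or Unix format) and reports entries that send a public hostname anywhere other than the loopback or null address, which is exactly what such a redirect looks like.

```python
import ipaddress

# Constructed sample standing in for /etc/hosts or
# C:\Windows\System32\drivers\etc\hosts. The first entries are the normal
# loopback and ad-blocking uses; the last two model a bot's redirect of a
# bank login and an antivirus update host to attacker-chosen addresses.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.example-tracker.test   # blocked on purpose
203.0.113.45    www.mybank.example update.example-av.com
198.51.100.7    login.example-webmail.net
"""

# Names that legitimately map to loopback and should never be flagged.
LOCAL_NAMES = {"localhost", "ip6-localhost", "broadcasthost", "localhost.localdomain"}


def parse_hosts(text):
    """Return a list of (ip_address, hostname) pairs from hosts-file text.

    Comments (everything after '#') and blank lines are ignored; a line may
    carry several hostnames for one address, and each becomes its own pair.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address field, not a usable mapping
        entries.extend((ip, host.lower()) for host in parts[1:])
    return entries


def suspicious_entries(text):
    """Return (ip, hostname) strings for mappings that redirect a real name.

    Loopback and unspecified (0.0.0.0 / ::) targets are the ordinary blocking
    use of a hosts file. Anything else pins a hostname to a routable address,
    which on an end-user machine is the redirect pattern described above.
    Private-range hits may be legitimate intranet overrides; compare them
    against a known-good baseline before treating them as malicious.
    """
    findings = []
    for ip, host in parse_hosts(text):
        if host in LOCAL_NAMES or ip.is_loopback or ip.is_unspecified:
            continue
        findings.append((str(ip), host))
    return findings
```

Running `suspicious_entries(SAMPLE_HOSTS)` on the constructed sample flags the three redirected hostnames and nothing else.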
P2P Botnets
P2P (or peer-to-peer) has been discussed in botnet circles for a long time,
both by the good guys and the bad guys.
The first P2P botnet to be spotted was Sinit (aka Calyps.a or Calypso) in 2003, by Joe Stewart at LURHQ (now SecureWorks). Later on, Agobot variants had a P2P option and Phatbot made the leap to P2P for real.
Some more information on how Phatbot operates with P2P can be
located at LURHQ (now SecureWorks): www.lurhq.com/phatbot.html.
This technology presented botnet controllers with both pros and cons. On the plus side, the bots were decentralized and not reliant on one point of failure. On the negative side, programming could potentially be injected from any peer in the botnet. Some solved this by introducing cryptographic keys, but one could still study the bot itself and potentially discover the entire network of bots.
Another type of P2P botnet is one that relies on a centralized location for "tracking," much like ordinary P2P file-sharing networks. And indeed, when one of the public P2P networks is used, this has to be the case. The main problem with advancing control channel technology over the years is that the more complex it is, the easier it becomes to track down the botnet. In P2P, this would be especially true, as by being a simple peer you can discover other bots without taking any action.
Instant Messaging (IM) C&Cs
In the past couple of years, the spread of worms over IM has become commonplace. The worms can then report to any C&C, on IRC or elsewhere. However, the use of IM accounts as echo control channels is seen in the wild. In such a scenario, computers infected with a bot would communicate to the said account over IM, whether using AIM, Yahoo!, ICQ, MSN, or any other network. Much as on IRC, the same can be said for discussion groups or chat channels, where the bot would send the echo there, or just join and await new instructions.