us as the leading protocol and application for C&C servers for a long time to come.
There have been rumors of ICMP-controlled botnets, as well as of covert channels, such as entries on social networking Web sites like MySpace.com, being used for C&C. Even if they are in fact being used and not only theoretical, the vast majority of C&Cs have been and will remain on IRC.
Where we can definitely expect change is with the introduction of more advanced encryption by the bot masters, as well as the C&Cs themselves becoming very hard to take down (or, as shown in fastflux, taking down becomes irrelevant).
Another issue that we can expect to see change is the structure of the botnet. For example, in recent years botnets stopped being very large and became relatively small instead. It is more likely for a botnet controller to hold 20 C&C servers with a few thousand bots on each than to hold one C&C with several hundred thousand bots on it. The structure of an army becomes more and more clear as time goes by; however, with the introduction of compartmentalization into the equation, it looks more and more like a terrorist organization, with a few bots controlling botnets of their own, and only they, as the "cell" leaders, get instructions from the main C&C. If a branch is lost, the tree remains alive.
Botnets are here to stay, and the C&C or alternative control channels will be here to direct the armies.
Summary
Botnet technology has been in use for almost two decades, and its most basic form, which is distributed computing, even longer. The fact that botnet controllers now work for pay rather than build and maintain their armies for fun is key. Most botnet controllers either build or rent their armies for malicious usage, as that is where the money is.
In order to maintain revenue, they will do whatever it takes, from using a previously unknown exploit to spread to using new technologies for command and control, which is what this chapter is about. As technology advances on one side, it will on the other, but there are some conclusions we can draw, based on our past experience, on how whatever technology follows is going to work:
■ There will be a complicated network-based approach to communicating with the botnet.
■ The botnet itself will be running on new protocols and services as they come along (IM, P2P, and so on).
■ There will be alternative means of controlling the botnet in case of failure.
■ The botnet will be built to attempt to avoid detection.
This all comes down to robustness and reliability, which is what these alternative control channels provide.
DNS is a good example of how C&Cs use multiple layers in their design to ensure they stay up. By diversifying and using different servers, and by allowing for a quick alteration of what those servers are, the botnet controllers can concentrate on the C&C itself rather than constantly moving all the bots. The Web and P2P are good examples of alternative technologies being used for the actual control mechanisms.
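The DNS layering described above (many servers behind one name, rotated quickly so that no single takedown matters) leaves measurable traces in the answers a resolver sees: short TTLs, many A records, addresses spread across unrelated networks, and a record set that changes from one lookup to the next. The following is an added example, not code from the book, that scores a series of DNS observations against those four indicators. The record layout (DnsObservation), the thresholds in flux_score, the use of the first two octets as a crude "different network" proxy, and the sample observations are all assumptions constructed for the example; the sample uses documentation address ranges rather than real infrastructure.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class DnsObservation:
    """One resolution of a name as a resolver would log it (assumed layout)."""
    seen_at: int            # seconds since start of observation window
    name: str
    ttl: int                # TTL of the A records in this answer
    a_records: List[str]    # IPv4 addresses returned in this answer


def summarize(observations: List[DnsObservation]) -> Dict[str, dict]:
    """Per name: distinct IPs, distinct /16 prefixes, mean TTL and churn.

    A churn event is a lookup that returned at least one address never
    seen before for that name; the first lookup is excluded by definition.
    """
    by_name = defaultdict(list)
    for ob in observations:
        by_name[ob.name].append(ob)

    result = {}
    for name, obs in by_name.items():
        obs.sort(key=lambda o: o.seen_at)
        seen, prefixes, ttls, churn = set(), set(), [], 0
        for ob in obs:
            ttls.append(ob.ttl)
            new_ips = set(ob.a_records) - seen
            if seen and new_ips:
                churn += 1
            seen |= new_ips
            # First two octets as a crude stand-in for "different network";
            # a real deployment would use ASN or BGP prefix data instead.
            prefixes.update(".".join(ip.split(".")[:2]) for ip in ob.a_records)
        result[name] = {
            "lookups": len(obs),
            "distinct_ips": len(seen),
            "distinct_prefixes": len(prefixes),
            "mean_ttl": sum(ttls) / len(ttls),
            "churn_events": churn,
        }
    return result


def flux_score(summary: dict) -> int:
    """Number of fast-flux indicators (0-4) a name's summary triggers.

    Thresholds are illustrative assumptions, not values from the book.
    """
    score = 0
    if summary["mean_ttl"] <= 600:                      # short TTL
        score += 1
    if summary["distinct_ips"] >= 5:                    # large address pool
        score += 1
    if summary["distinct_prefixes"] >= 3:               # spread across networks
        score += 1
    later_lookups = summary["lookups"] - 1
    if later_lookups > 0 and summary["churn_events"] / later_lookups >= 0.5:
        score += 1                                      # answers keep changing
    return score


def classify(observations: List[DnsObservation], threshold: int = 3) -> Dict[str, bool]:
    """Map each name to True when it triggers at least `threshold` indicators."""
    return {name: flux_score(s) >= threshold
            for name, s in summarize(observations).items()}


# Constructed sample: a stable name resolving to one host with a long TTL,
# and a name whose answer set rotates every five minutes across three networks.
SAMPLE = [
    DnsObservation(0,    "stable.example", 3600, ["192.0.2.10"]),
    DnsObservation(3600, "stable.example", 3600, ["192.0.2.10"]),
    DnsObservation(7200, "stable.example", 3600, ["192.0.2.10"]),
    DnsObservation(0,   "flux.example", 300, ["198.51.100.5", "203.0.113.7", "192.0.2.33"]),
    DnsObservation(300, "flux.example", 300, ["198.51.100.5", "203.0.113.90", "192.0.2.41"]),
    DnsObservation(600, "flux.example", 300, ["203.0.113.90", "198.51.100.200", "192.0.2.99"]),
]

if __name__ == "__main__":
    for name, summary in summarize(SAMPLE).items():
        print(name, summary, "score =", flux_score(summary))
    print(classify(SAMPLE))
```

Each indicator on its own has benign explanations (CDNs use short TTLs and many addresses too), which is why the example counts indicators and applies a threshold rather than alerting on any single one; tuning that threshold against known-good CDN names is the first thing to do before running this over real resolver logs.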