I have to admit, I've had a lot of fun in the past thinking of creative ways to control botnets. It's a fun thought exercise in developing in an area where everything is adversarial to your goal. And the amount of information you really need to transfer is so trivially small that you can get some really creative "solutions".
My favorite idea so far is to look for the existence of a specific username across several services for commands. Only the usernames are (in part) generated via a TOTP style rolling code. So to see if something should activate, it will look for the existence of a username of "imnotabot349556" on reddit, HN, and twitter. If it sees any of them, it can read a small command from any number of places on those sites where the user can post some kind of comment/profile/text.
This is super easy to control securely (could be done from anywhere, using any machine, over TOR or other networks), is hard to shut down (the rolling codes mean they would need to either have access to the "secret" and ban all future codes, or just ban "imnotabot*", which wouldn't be sustainable if multiple botnets started using this method, not to mention you could just switch to a hash of everything as the username), and is fairly foolproof (no reliance on any one network or channel). And with some forethought, an update mechanism can be built into it as well, so when someone gets close to your scheme, you could have all your bots update at a moment's notice to a new one.
At the end of the day, trying to stop a C&C server of a botnet is a futile exercise. Once the botnet is out there, there's no stopping it by shutting down a C&C server. There are just SO many ways to pass information, and when the information is on the size of hundreds of bytes in some cases, there's just no hope.
Using a popular Blockchain seems to me to be the best C&C system. It's distributed and authenticated. The botnet could either talk directly to the network or fallback to http and look at the hundreds of websites that allow you to read the blockchain. It would be "impossible" for the C&C to be taken over without the collaboration of the Blockchain developers and miners...
It means "spending" to send a command, but you only lose the fee.
Eh, I dunno. Easy to corporate firewall off. Easy to detect once it starts. I'd rather just communicate through a google API of some kind. Or maybe a clever series of dropbox accounts.
> the rolling codes mean they would need to either have access to the "secret" and ban all future codes, or just ban "imnotabot*" which wouldn't be sustainable if multiple botnets started using this method
They will have access to the secret, because they have access to the programs that run the TOTP algorithm.
But it relies on all services I would use to add custom code to block all future rolling codes. For a problem that they don't really have any financial reason to write that custom code to stop it.
And any fix that they introduce can be trivially updated to change around by any of the other services. They'd have to coordinate across all services that are used to update at the same time in order to stop it.
No, you reverse engineer the "domain generation algorithm" and figure out what the secret seeds are as input, then every time you need to know the name of the rendezvous point you figure out what the current seed is (easy if it's static, a little harder if it's dynamic) and run the algorithm.
Anyone that does this can register the reddit/twitter handles or domain names as soon as they figure this out, if they aren't pre-registered. And if you're the provider, you are then given a list of accounts to kill. Now you're in a game of cat and mouse with the botnet operator, and each move you take kills off some of the operator's bots, perhaps all of them if you get ahead of them by enough.
> trying to stop a C&C server of a botnet is a futile exercise.
Laptop users who want broad Internet access (and will complain loudly if reddit/HN/Twitter is "down") aren't the same thing as the app server that only talks to a short whitelisted set of RFC1918 IPs, on specific ports only, and doesn't have Internet access - not even DNS. (WannaCry demonstrated why not.)
Reddit and the like need to accept they are hosting botnet C&C servers due to hosting loads of user-generated content (I'd do an invite-only subreddit with a tracking pixel in the CSS), but that doesn't make it pointless for the rest of us to do something where possible.
Except it doesn't work because reddit sanitizes their CSS and doesn't allow url() to external hosts. You need to upload the images you want to reference in the CSS to reddit.
> The app server that only talks to a short whitelisted set of RFC1918 IPs, on specific ports only, and doesn't have Internet access - not even DNS.
Problem is that this stops application level automated updating. Firewalls are all fine but unfortunately they operate at IP level, not DNS - which means good luck if the vendor's auto-update server uses stuff like Cloudflare, ELB or anything else that (more or less rapidly) changes IP addresses.
61 pages to conclude, yes you can indeed pass messages via chat APIs, shocking.
Also stupid if you actually do that since the chat API provider can simply cut you off and you don't have a C2 anymore and lost access to all the systems you infected.
This isn't really focused at developers and admins. The paper is for CEOs, managers, and purchasing to get new software and hardware for reasons. It also makes great presentation materials.
Chat APIs are good because the traffic to "facebook.com" probably won't be detected as malicious by most firewalls.
Your fallback should be a peer2peer network in DHT style, scanning the entire IP address space on a well known port to find nodes to connect to.
When a node is found, addresses of other nodes are requested, and a cache of a few thousand infected nodes kept to use as seeds for future connections.
Imagine you have 1 million infected machines, then most new nodes will find and connect to the network within 4000 packets sent across the network. For good measure, build in a list of a few thousand addresses into the malware as bootstrap nodes.
Yes, this is something well known. Chat platforms have long since been used as botnet infrastructures. IRC is/was a big one for a long time because it's very lightweight and the protocol is well known (with a little know-how you can completely IRC over telnet). The only reason it's been ditched is because it's so heavily centralized -- lose the C&C server and you lose control, unless you have a way to push updates. That's why fast-flux DNS became popular.
In other news, water is wet, the sky is blue, etc. etc.
Agreed, but they created this paper because they actually found malware using Discord and Telegram. Apparently it can have alternative uses, such as being a direct interface to ransomware victims ("join this Slack channel to send me your bitcoin")
I think a Tor hidden service would probably be a really good way to run C&C infrastructure. I'm surprised it doesn't get used more often. Or maybe it does?
Actually not. TOR is easily blocked and doesn't play well on mobile (install, bandwidth, and battery hog.) Plus if you're sending small commands, say in Twitter like the ones below, no one would even notice.
Tor botnets are extremely common for ransomware and Bitcoin mining... however, Tor is readily blocked on some networks, so other considerations should be made - a variety of available approaches is generally the way to go.