Wednesday, March 07, 2007

Botnet Communication Platforms

Botnets, or the automated exploitation and management of malware infected PCs is perhaps the most popular and efficient cyber threat the Internet faces these days. Whether you define it as the war on bandwidth or who's commanding the largest infected population, this simple distributed hosts management problem is continuing to evolve in order for the botnet masters to remain undetected for as long as possible. On the other hand, the growing Internet population combined with the lack of awareness of the "just got a PC for Christmas" users, and IPv4's well known susceptability to IP spoofing compared to IPv6, always make the concept an interesting one to follow.

Despite that at the beginning of 2006, I pointed out on how malware related documentation and howtos turned into open source code resulting in a flood of malware variants, thus lowering the entry barries for a novice malware copycats, a week ago I located a very throughout document on various botnet communication platforms and I'm sure its author wouldn't mind me reposting the fancy graphs and commenting on them.

IRC based Botnet Communications
Nothing ground breaking in this one besides the various advices on stripping the IRCd, creating own network of IRC servers compared to using public ones, and on the importance of distributed secrecy of the botnet participants' IPs, namely each bot would never know the exact number or location of all servers and bots.

HTTP Botnet Communications

The possiblities with PHP and MySQL in respect to flexibility of the statistics, layered encryption and tunneling, and most importantly, decentralizing the command even improving authentication with port knocking are countless. Besides, with all the buzz of botnets continuing to use IRC, it's a rather logical move for botnet masters to shift to other platforms, where communicating in between HTTP's noise improves their chance of remaining undetected. Rather ironic, the author warns of possible SQL injection vulnerabilities in the botnet's command panel.

ICQ Botnet Communications
Perhaps among the main reasons to repost these graphs was the ICQ communication platform which I'll leave up to you to figure out. As a major weakness is listed the reliance on icq.com, but as we've already seen cases of botnets obtaining their commands by visiting an IRC channel and processing its topic, in this case it's ICQ WhiteLists getting the attention.

Related comments on the programming "know-how" discussed will follow. Know your Enemy!