mitigating botnet C&Cs has become useless
The few hundred *new* IRC-based C&Cs a month (and change) have been around and static (somewhat) for a while now, at a steady rate of change which maintains the status quo, plus a bit of new blood.

In this post I ask the community about what you see, against what we have observed, and try to test my conclusions and numbers against your findings.

The subject line "why mitigating botnet C&Cs has become useless" is misleading. It has been useless for a long time, but someone had to hold back the tide, which several online mitigation communities have been doing. Today it has become (close to) completely useless. I will present the case for why that is, in my opinion, in a few bullets, and we can discuss what alternatives we have, or if perhaps I am misreading what's going on.

* When a botnet C&C is mitigated, it is immediately re-created on another host on the same ISP or another.
* Most botnet C&Cs are a part of a larger group, such as an IRC network or another, possibly hidden "behind the scenes" network. lusers are being redirected on the spot or reconnect to another host.
* Most botnet C&Cs are a compartmentalized group out of the whole, possibly a sub-group several tiers down. Much like a terrorism cell.
* If the above measures and features fail, most botnets have a secondary control channel with which an immense host can be re-directed. This has been seen back a few years ago.
* Many botnet C&Cs now use fast-flux technology, moving IP addresses quite often.
* When the C&C is taken down, the bot may not jump to a new host; a new one may simply be installed.
* Coordinated take-down of entire networks is extremely difficult, relies on incomplete intelligence and only takes care of the problem for an extremely short period of time until re-assembly.

The name of the game is the SPBC: Simple Primitive Botnet Control (C&C).

Simple - as it is simple, vs. a complex dynamic control channel.
Primitive - old and quite unimpressive.
Botnet - d'oh
C&C - Command and Control

It's simple, we can see most of them with our tools. Primitive, hey, they have been using these for a long long time. It works.

As what we mainly did is concentrate on taking the C&C down, as well as academically study how to detect or quantify it, what we achieved was teaching the Bad Guys their business. That is yesterday's news. They are an oiled machine. We don't hurt them any more. Botnets have become mainstream. They are part of sales pitches now.

SPBC for the botnet controllers these days relies on proven and tested techniques, concentrating and backing themselves on:

Reliability - Efficient and stable.
Robust - Easily replaced.
Diverse - varying control channels, from DNS, other IRC servers and direct connect to a downloader ready to download a new bot or re-infect a known bad network.
Distributed - need I speak of that one?

What does taking down C&Cs achieve?

1. Coordination on security issues between ISPs, continued and peer-pressure based. Slowly but surely becoming more and more LEO, regulation and vendor-run in comparison to what it used to be.
2. Responsiveness to abuse - gauging ISP response is interesting and shows how interested they are.
3. Feeling good - cleaning the back yard and moving the problem to someone else (another ISP). Hmm, yeah.. not really. In most cases the same ISPs have the same problems month after month. They just make the C&Cs "unknown" vs. "yes, we know where they are".

We are now past the point where killing C&Cs has been harmful. It was. These days the only real use a C&C can have for an organization with a network is to check for infected clients connecting in. When it was harmful, creating the current situation, we were comfortable with it as it helped hold back the immediate problem - which was important by itself.

That's my educated opinion, following this since 1996, and gathering statistics for several years, some of which are seen by this community every month.

Please, I would love to hear your opinions, disputes and how you find the operational intel on botnet C&Cs useful to this day on networks for mitigation purposes. Then I would like to try and check my facts against your findings as well, and see if my conclusions hold up or if I miscalculated. Please try and limit your answers on this thread (unless you start another) to network mitigation issues.

Thank you all for your input.

Oh, and I wasn't very accurate. Killing C&Cs these days is still harmful, just that now it doesn't even hold back the tide.

Gadi.

Note: this is also being sent to the public botnets mailing list.
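The one remaining operational use Gadi grants C&C intelligence is checking for infected clients connecting out. As an added example that is not part of the thread, the Python below runs constructed flow and DNS log lines against a constructed C&C indicator list, and shows why an address-only list goes stale under the fast flux he mentions while the C&C name still catches the client. All addresses, names and log lines are constructed placeholders (documentation IP ranges, a reserved .invalid domain).

```python
"""Use botnet C&C intelligence to find infected clients on your own network.

Added example, not from the original thread: indicator list and log lines are
constructed (documentation IP ranges, a reserved .invalid domain).
"""
from ipaddress import ip_address, ip_network

# Constructed C&C intelligence: addresses seen hosting a C&C, and the name the
# bots resolve to reach it. Under fast flux the addresses rotate; the name persists.
CNC_IPS = {"203.0.113.10", "203.0.113.11"}
CNC_NAMES = {"irc.cnc-example.invalid"}
INTERNAL = ip_network("10.0.0.0/8")

# Constructed logs: flow lines are "ts src dst dport", DNS lines are "ts client qname answer".
FLOW_LOG = """\
1154255400 10.0.0.5 203.0.113.10 6667
1154255401 10.0.0.7 198.51.100.20 80
1154255402 10.0.0.9 203.0.113.99 6667
"""
DNS_LOG = """\
1154255399 10.0.0.5 irc.cnc-example.invalid 203.0.113.10
1154255401 10.0.0.9 irc.cnc-example.invalid 203.0.113.99
"""

def infected_by_ip(flow_log):
    """Internal hosts that connected straight to a listed C&C address."""
    hits = set()
    for line in flow_log.splitlines():
        _, src, dst, _ = line.split()
        if ip_address(src) in INTERNAL and dst in CNC_IPS:
            hits.add(src)
    return hits

def infected_by_name(dns_log):
    """Internal hosts that resolved a listed C&C name, whatever it resolved to.
    Also returns answers missing from CNC_IPS so the stale address list can be refreshed."""
    hits, new_ips = set(), set()
    for line in dns_log.splitlines():
        _, client, qname, answer = line.split()
        if ip_address(client) in INTERNAL and qname.lower() in CNC_NAMES:
            hits.add(client)
            if answer not in CNC_IPS:
                new_ips.add(answer)
    return hits, new_ips

if __name__ == "__main__":
    print("by IP:  ", sorted(infected_by_ip(FLOW_LOG)))   # 10.0.0.9 is missed: the C&C moved IP
    hits, new = infected_by_name(DNS_LOG)
    print("by name:", sorted(hits), "new C&C IPs:", sorted(new))
```

Matching on the resolved name rather than the address is what keeps the check useful once the C&C has fluxed away from every address on the list.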
The really interesting question is when botnets are going to use p2p-technologies since one wouldn't know how to stop them then. Please let that never happen....
On Sun, 30 Jul 2006, Gunther Stammwitz wrote:
> The really interesting question is when botnets are going to use p2p-technologies since one wouldn't know how to stop them then. Please let that never happen....

I am not saying you are wrong, or that dynamic channels won't happen far more widely. Currently they are not widely used as they are not needed. Web, IRC, etc. are quite efficient. That said, there is one problem to solve with every evolved C&C: the more complex it is, the easier it is to follow.

Gadi.
ge@linuxbox.org (Gadi Evron) writes:
> The subject line "why mitigating botnet C&Cs has become useless" is misleading. It has been useless for a long time, but ...
> Today it has become (close to) completely useless. ...
i wish that the value of this activity were zero. instead, it's negative. see <http://fm.vix.com/internet/security/superbugs.html> for details. -- Paul Vixie
On Jul 30, 2006, at 10:37 AM, Gadi Evron wrote:
> The few hundred *new* IRC-based C&Cs a month (and change), have been around and static (somewhat) for a while now. At a steady rate of change which maintains the status quo, plus a bit of new blood.
> In this post I ask the community about what you see, against what we have observed, and try and test my conclusions and numbers against your findings.
Gadi, *SPs* today deal with command and control infrastructure on a very tactical basis, and as for specific bots themselves, even more tactically (i.e., usually when some incident requires that they take some response action). They're very incident driven from that respect, and with an attempt to focus on revenue and services profitability, it just amplifies the problem. That is, they're busy turning the steam valves and putting out fires - who has the time for strategizing and waging a global war on organized crime and its employment of botnets that yields a negligible return on a considerable investment, just cutting deeper into their losses?

[disclaimer: the above is a gross oversimplification and many SPs do far more, but it's largely applicable across a broad spectrum of SPs]

Heck, they rarely have time to chase DOS attack sources past their network perimeter and today report less than 2% of *actionable* attacks to LEOs. It's an ROI game...

While you could spin botnet resurrection a hundred ways, taking out the bots themselves, even if it's oftentimes only a temporal function, is the low-hanging fruit and something SPs can understand and instrument. I agree that the root of the problem is the miscreants perpetrating these crimes, and they need to be prosecuted, but the responsibility falls far wider than the SPs. I also accept the references provided by Paul and others, but what's the near-term alternative?

-danny
participants (4):
- Danny McPherson
- Gadi Evron
- Gunther Stammwitz
- Paul Vixie