(can hardly be the first, can it?)
http://blog.gdatasoftware.com/blog/article/botnet-command-server-hidden-in-tor.html
10.09.2012,
TS
Botnet command server hidden in Tor
The G Data SecurityLabs recently identified a malware sample that takes the
next step in Command-and-Control (short: C&C) communication evolution,
regarding C&C traffic obfuscation. The botnet owners placed their C&C server,
which uses the common IRC protocol, as a hidden service inside of the Tor
network.
The analyzed bot:
Despite the novel way of C&C-communication, the other features of the analyzed
bot are quite common these days. It offers several possibilities for DDoS
attacks, can download and execute other malware, and can act as SOCKS proxy to
anonymize the attacker.
What is it about?
One of the biggest challenges for botnet owners is the protection of
Command-and-Control traffic. C&C traffic is required to give orders to the
"zombies", the infected computers that are part of the botnets. Generally, up
to now, two approaches existed for C&C traffic: Either a central control server
is put somewhere on the Internet or Peer-to-Peer-networks (short: P2P) are
built up to ensure the chain of commands.
One central C&C server:
Central control servers have a big problem: Regardless of the underlying
protocol, they are a "single point of failure". The servers can be taken over
by authorities, and thus the malware can be uninstalled from the zombies. It is
possible to conceal the server, e.g. by having a hidden algorithm that changes
domain names on a daily base; but these algorithms can be reverse engineered.
Schematic of direct client-Command-and-Control server communication
The P2P architecture:
An alternative is the usage of classic P2P networks. P2P networks became
(in)famous with the rise of Napster, which used to be a service where every
user could send and receive music from and to other users. Every user acted as
client and server simultaneously, hence the term Peer-to-Peer.
Malware adapted to this scheme by giving every zombie the ability to issue
commands to other zombies. The botnet owner issues the command to a handful of
zombies, and these zombies propagate the commands to other zombies, and so on
and so forth. Even though this seems to be more sophisticated than the direct
client-server-communication, it is anything but perfect.
Zombies are often located behind routers, meaning that they effectively cannot
act as a server, because the routers do not allow incoming traffic by default.
Also, the protocol has to be especially designed for the respective bot, which
results in a great implementation effort.
Furthermore, there are security issues the botnet owners have to think about:
By design, every zombie programmed for the P2P-communication has the ability to
issue commands to other zombies. Therefore authorities or other cybercriminals
could issue commands to conduct a hostile takeover of the botnet. Generally, it
is possible to authenticate messages, but botnet owners often find it hard to
implement this or are not willing to put that much effort into these
authentication mechanisms. This resulted in several botnet takedowns and even
takeovers in the last couple of years.
The next step made – using the Tor network
The next step in evolution is the usage of the Tor network. Tor is generally
known as web anonymization service for end users, but Tor offers more than
that: “Tor makes it possible for users to hide their locations while offering
various kinds of services, such as web publishing or an instant messaging
server.”
In this particular case, the creators of the malware decided to build an IRC
server as hidden service.
Schematic of the client-Command-and-Control server communication using the Tor
network with Hidden Services
This gains the botnet owner several advantages:
The server is anonymous and thus cannot point to the botnet owners’
identity.
The server cannot be taken down easily.
The traffic is encrypted by Tor, so it can’t be blocked by Intrusion
Detection Systems.
Tor traffic usually cannot be blocked altogether, because there are also
legit use cases for Tor.
The bot creator does not necessarily have to generate a custom protocol,
but can use the known and reliable IRC protocol.
Besides these advantages, it has to be noted that malware like this suffers
from the latencies that come with the Tor network. In other words: Tor tends to
be slow and unreliable, and inherits these flaws to underlying botnets. Also,
while this traffic adds a lot of security to the botnet communication, the
malware itself still can be blocked by AV software using signature- and
behavior-based detection mechanism.
_______________________________________________
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
