Botnet Command and Control via Covert Channels


Botnets
A botnet is a jargon term for a collection of software robots, or bots, that run autonomously and automatically. The term is most often associated with malicious software, but it can also refer to a network of computers running distributed computing software. While botnets are often named after the malware they run, there are typically multiple botnets in operation that use the same malware family but are operated by different criminal groups.

While the term "botnet" can be used to refer to any group of bots, such as IRC bots, it is generally used for a collection of compromised computers (called zombie computers) running bot software, usually installed via drive-by downloads that exploit web browser vulnerabilities, worms, Trojan horses, or backdoors, under a common command-and-control infrastructure.

Command and Control
A botnet's originator (the "bot herder" or "bot master") controls the group remotely, usually over IRC and usually for nefarious purposes. Each infected machine runs a program that presents itself as an IRC "bot." Command and control often takes place on an IRC server or on a specific channel of a public IRC network; this server is known as the command-and-control (C&C) server. Though rare, more experienced botnet operators write their own command protocols from scratch. Such a protocol consists of a server program, a client program the operator uses, and the program that embeds itself on the victim's machine (the bot). All three usually communicate over the network using a custom encryption scheme for stealth and to protect against detection of, or intrusion into, the botnet.

Typical Communication Channels
A bot typically runs hidden and uses IRC to communicate with its C&C server. Generally, the botnet's operator has compromised a series of systems using various tools (exploits such as buffer overflows, among others). Newer bots can automatically scan their environment and propagate using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan for and propagate through, the more valuable it becomes to the botnet controller community. The theft of computing resources that results from a system being joined to a botnet is sometimes referred to as "scrumping."

New & Innovative Covert Channels!
As stated previously, IRC channels are the usual medium through which bot herders communicate with their bots. Most detection and prevention systems in a corporate environment block IRC traffic altogether, and desktop firewall software on end-user machines will in most cases detect an arbitrary connection attempt to an IRC server port, hold the connection and prompt the user. As bots become harder to herd, we can expect bot masters to find new and innovative ways to deliver C&C traffic to their bots.

New Covert C&C Channels:

JPG Images
JPEG (JPG) images carry metadata in an EXIF segment (an APP1 segment, limited to 64 KB by its 16-bit length field) that digital cameras use to store information such as shutter speed, aperture and ISO. It would be quite trivial for a bot in a corporate environment to "report" to its C&C server over an outbound HTTP connection on port 80 and receive its commands embedded in the metadata of a malicious JPEG it downloads. Since nearly all firewalls allow outbound HTTP on port 80, command and control of the bot will likely go completely unnoticed.
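The channel described above, as an added worked example that is not part of the original article: a C&C-side function writes a command into the ImageDescription tag of a hand-built EXIF (APP1) segment and splices it into a JPEG, a bot-side function walks the marker segments of the downloaded file and reads the tag back, and a defender-side heuristic flags an oversized or non-printable EXIF block. The stand-in JPEG, the tag choice and the 4 KB threshold are constructed assumptions for the example; a real camera file has more segments, but the segment walk stops at the start-of-scan marker and so works on those too.

```python
import struct

# Constructed stand-in for a JPEG (assumption, not a real photo): SOI, a 16-byte JFIF APP0
# segment, EOI. A real file also carries DQT/SOF/DHT/SOS and scan data after the headers.
STAND_IN_JPEG = (
    b"\xFF\xD8"                                   # SOI
    + b"\xFF\xE0" + struct.pack(">H", 16)         # APP0, length includes the 2 length bytes
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xFF\xD9"                                 # EOI
)

TAG_IMAGE_DESCRIPTION = 0x010E   # TIFF/EXIF tag; ASCII type is 2
APP1_MAX_PAYLOAD = 0xFFFF - 2    # the 16-bit segment length counts itself, hence ~64 KB


def build_exif_app1(description: bytes) -> bytes:
    """C&C side: APP1 segment = 'Exif\\0\\0' + little-endian TIFF header + one-entry IFD."""
    value = description + b"\x00"                 # ASCII values are NUL-terminated
    tiff_hdr = b"II" + struct.pack("<HI", 42, 8)  # byte order, magic 42, IFD0 at offset 8
    value_offset = 8 + 2 + 12 + 4                 # header + count + one entry + next-IFD link
    if len(value) <= 4:                           # short values live inside the entry itself
        entry = struct.pack("<HHI4s", TAG_IMAGE_DESCRIPTION, 2, len(value), value.ljust(4, b"\x00"))
        trailer = b""
    else:                                         # longer values are stored at an offset
        entry = struct.pack("<HHII", TAG_IMAGE_DESCRIPTION, 2, len(value), value_offset)
        trailer = value
    ifd = struct.pack("<H", 1) + entry + struct.pack("<I", 0)
    payload = b"Exif\x00\x00" + tiff_hdr + ifd + trailer
    if len(payload) > APP1_MAX_PAYLOAD:
        raise ValueError("EXIF payload exceeds the 64 KB APP1 segment limit")
    return b"\xFF\xE1" + struct.pack(">H", len(payload) + 2) + payload


def embed_command(jpeg: bytes, command: bytes) -> bytes:
    """Insert the EXIF segment directly after SOI, where viewers expect APP1."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG")
    return jpeg[:2] + build_exif_app1(command) + jpeg[2:]


def iter_segments(jpeg: bytes):
    """Yield (marker, payload) for every header segment up to SOS or EOI."""
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("bad marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                # EOI, or SOS: entropy-coded data follows
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def extract_command(jpeg: bytes):
    """Bot side: find the Exif APP1 segment and return ImageDescription, or None."""
    for marker, payload in iter_segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]                        # TIFF offsets are relative to this point
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd_off = struct.unpack(endian + "I", tiff[4:8])[0]
        count = struct.unpack(endian + "H", tiff[ifd_off:ifd_off + 2])[0]
        for i in range(count):
            e = ifd_off + 2 + 12 * i
            tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
            if tag != TAG_IMAGE_DESCRIPTION or typ != 2:
                continue
            if n <= 4:
                raw = tiff[e + 8:e + 8 + n]
            else:
                off = struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
                raw = tiff[off:off + n]
            return raw.rstrip(b"\x00")
    return None


def exif_looks_suspicious(jpeg: bytes, max_app1: int = 4096) -> bool:
    """Defender side: a camera's EXIF block is a few KB of printable tags, so an
    oversized APP1 segment or a non-printable description deserves a closer look
    (the 4 KB threshold is an assumption for this example)."""
    for marker, payload in iter_segments(jpeg):
        if marker == 0xE1 and len(payload) > max_app1:
            return True
    desc = extract_command(jpeg)
    return desc is not None and not all(32 <= b < 127 for b in desc)
```

A short, printable command slips under the size heuristic, which is the practitioner's caveat: size and character-class checks catch sloppy carriers, while a proxy that strips or re-encodes image metadata severs the channel outright.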

Microsoft Word 2007 Files
It's not widely known that a Microsoft Word *.docx file is actually a ZIP archive containing XML parts, including the document's metadata, among other files. In much the same way as the previous channel, a *.docx file carrying malicious instructions in its metadata could be placed on a web server for bots to fetch. The infected machine could retrieve the *.docx file with IE, and once again the HTTP request on port 80 will likely go entirely unnoticed by detection and prevention systems.
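The same idea carried through for the *.docx channel, as an added example that is not part of the original article: the C&C side builds a minimal Office Open XML package with the command in the dc:description core property, the bot side opens the download as a ZIP and reads that property back, and a gateway-side function rewrites the package with the free-text property removed, which is the mitigation a practitioner would reach for. The package skeleton (four parts only), the "Q3 report" body text and the choice of dc:description as the carrier are constructed assumptions; a real Word document has many more parts, which the stripping routine copies through unchanged.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional
from xml.sax.saxutils import escape

DC = "http://purl.org/dc/elements/1.1/"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
CT = "http://schemas.openxmlformats.org/package/2006/content-types"
REL = "http://schemas.openxmlformats.org/package/2006/relationships"
WML = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ET.register_namespace("cp", CP)
ET.register_namespace("dc", DC)


def build_docx(command: str) -> bytes:
    """C&C side: constructed minimal OOXML package (assumption: four parts are enough for
    the example) whose docProps/core.xml carries the command in dc:description."""
    content_types = (
        f'<Types xmlns="{CT}">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '<Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>'
        "</Types>"
    )
    rels = (
        f'<Relationships xmlns="{REL}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/>'
        "</Relationships>"
    )
    document = (
        f'<w:document xmlns:w="{WML}"><w:body><w:p><w:r><w:t>Q3 report</w:t></w:r></w:p>'
        "</w:body></w:document>"
    )
    core = (
        f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">'
        "<dc:title>Q3 report</dc:title>"
        f"<dc:description>{escape(command)}</dc:description>"   # escape keeps the XML well-formed
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("_rels/.rels", rels)
        z.writestr("word/document.xml", document)
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


def extract_command(docx: bytes) -> Optional[str]:
    """Bot side: open the fetched .docx as a ZIP and return dc:description, or None."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        if "docProps/core.xml" not in z.namelist():
            return None
        root = ET.fromstring(z.read("docProps/core.xml"))
        node = root.find(f"{{{DC}}}description")
        return node.text if node is not None else None


def part_names(docx: bytes) -> list:
    """List the package parts (handy for comparing a file before and after stripping)."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return z.namelist()


def strip_core_metadata(docx: bytes) -> bytes:
    """Gateway side: copy every part through unchanged except docProps/core.xml, from which
    the free-text dc:description is removed. The body is untouched; the channel is gone."""
    src = zipfile.ZipFile(io.BytesIO(docx))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for node in root.findall(f"{{{DC}}}description"):
                    root.remove(node)
                data = ET.tostring(root, encoding="utf-8")
            dst.writestr(info.filename, data)
    return out.getvalue()
```

Stripping only dc:description is deliberately narrow; a production sanitizer would treat every free-text property (title, subject, keywords, comments) and custom properties the same way, since any of them serves equally well as a carrier.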

Linkedin.com Status
A dummy Linkedin.com account could be created as a way to publish botnet instructions. The Linkedin API allows the status portion of a profile to be written programmatically, so the botnet C&C server could update the dummy account's status with malicious instructions that the bots periodically fetch and execute. As Linkedin users know, even URLs entered into a status are shortened, which adds another layer of obfuscation. Once again, these connections would appear to be "trusted" from inside the company, since they travel over an already-open port (80) to a trusted website (www.linkedin.com).

In the true spirit of covert operations, these methods are hidden and rely on the exploitation of trust. We should expect botnet gangs to seek out new and innovative ways to carry out their deeds, much like the methods above. A sound information security foundation will allow an organization to adapt and mitigate them with minimal effort.
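All three channels share one weakness the closing paragraph leaves implicit: the bot has to poll the carrier (the image, the document or the status page) on a schedule, and a schedule shows up in proxy logs as beaconing regardless of which port or website it hides behind. The following beaconing detector is an added example, not part of the original article or of any RedTeam Security tooling; the log format (epoch seconds, client, method, URL, status) and the sample lines are constructed, with 10.1.2.3 polling one image every ten minutes with slight jitter and 10.1.2.4 browsing normally. It groups requests by client and URL and flags series whose inter-request gaps are nearly constant.

```python
import statistics
from collections import defaultdict

# Constructed proxy log (assumption: this simple format, not real traffic).
# 10.1.2.3 polls banner.jpg roughly every 600 s; 10.1.2.4 browses at irregular intervals.
SAMPLE_LOG = """\
1262304000 10.1.2.3 GET http://img.example.invalid/banner.jpg 200
1262304000 10.1.2.4 GET http://intranet.example.invalid/news 200
1262304037 10.1.2.4 GET http://www.example.invalid/ 200
1262304598 10.1.2.3 GET http://img.example.invalid/banner.jpg 200
1262304912 10.1.2.4 GET http://intranet.example.invalid/news 200
1262305201 10.1.2.3 GET http://img.example.invalid/banner.jpg 200
1262305799 10.1.2.3 GET http://img.example.invalid/banner.jpg 200
1262306100 10.1.2.4 GET http://intranet.example.invalid/news 200
1262306111 10.1.2.4 GET http://intranet.example.invalid/news 200
1262306402 10.1.2.3 GET http://img.example.invalid/banner.jpg 200
1262306600 10.1.2.4 GET http://intranet.example.invalid/news 200
1262306650 10.1.2.4 GET http://www.example.invalid/ 200
1262307000 10.1.2.3 GET http://img.example.invalid/banner.jpg 200
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, client, url)."""
    ts, client, _method, url, _status = line.split()
    return int(ts), client, url


def find_beacons(lines, min_hits: int = 5, max_cv: float = 0.15):
    """Group requests by (client, URL) and flag series with at least min_hits requests whose
    gaps have a coefficient of variation (stdev / mean) at or below max_cv: a regular
    poll, the fingerprint of a bot checking its carrier. Thresholds are assumptions."""
    series = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, url = parse_line(line)
        series[(client, url)].append(ts)

    flagged = []
    for (client, url), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue                      # duplicate timestamps, not a schedule
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            flagged.append({"client": client, "url": url,
                            "period_s": round(mean_gap), "cv": round(cv, 3)})
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG.splitlines()):
        print("beacon: %(client)s -> %(url)s every ~%(period_s)d s (cv %(cv).3f)" % hit)
```

Bots that randomize their sleep interval push the coefficient of variation up, so in practice the window is widened to days and the comparison is made against the client's own baseline for that destination; the point the example makes stands either way, that the trusted port and the trusted website do not hide the rhythm.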

Trust, but verify...


Jeremiah Talamantes, CISSP
RedTeam Security












DISCLAIMER
    The content, tools, methodologies and proof of concept code contained in these articles are in no way intended to be used for malicious intent. This information is to be used for educational purposes only. RedTeam Security does not condone the malicious use nor does it warranty the use of any of the content contained herein.


Contact Us

Phone number:
1-612-234-7848

E-mail:

info@redteamsecure.com