Botnet
==Command and control==
Botnet command and control (C&C) protocols have been implemented in a number of ways, from traditional IRC approaches to more sophisticated versions.

===Telnet===
[[Telnet]] botnets use a simple C&C protocol in which bots connect to a main command server that hosts the botnet. Bots are added to the botnet by a scanning [[Scripting language|script]], which runs on an external server and scans [[Subnetwork|IP ranges]] for telnet and [[Secure Shell|SSH]] servers with default logins. Once a login is found, the scanning server can infect the machine through SSH with malware, which then pings the control server.

===IRC===
IRC networks use simple, low-bandwidth communication methods, making them widely used to host botnets. They tend to be relatively simple in construction and have been used with moderate success for coordinating DDoS attacks and spam campaigns, while being able to continually switch channels to avoid being taken down. However, in some cases merely blocking certain keywords has proven effective in stopping IRC-based botnets. The RFC 1459 ([[Internet Relay Chat|IRC]]) standard is popular with botnets. The first known popular botnet controller script, "MaXiTE Bot", used the IRC XDCC protocol for private control commands.

One problem with using IRC is that each bot client must know the IRC server, port, and channel to be of any use to the botnet. Anti-malware organizations can detect and shut down these servers and channels, effectively halting the botnet attack. If this happens, clients are still infected, but they typically lie dormant since they have no way of receiving instructions.<ref name=":0" /> To mitigate this problem, a botnet can consist of several servers or channels; if one of them becomes disabled, the botnet simply switches to another. It is still possible to detect and disrupt additional botnet servers or channels by sniffing IRC traffic. A botnet adversary can even potentially gain knowledge of the control scheme and imitate the bot herder by issuing commands correctly.<ref>{{Cite book |doi=10.1016/B978-159749135-8/50005-6 |title=Botnets |last1=Schiller |first1=Craig A. |last2=Binkley |first2=Jim |last3=Harley |first3=David |last4=Evron |first4=Gadi |last5=Bradley |first5=Tony |last6=Willems |first6=Carsten |last7=Cross |first7=Michael |chapter=Alternative Botnet C&Cs |date=January 1, 2007 |isbn=978-159749135-8 |publisher=Syngress |location=Burlington, Virginia |pages=77–95}}</ref>

===P2P===
Since botnets that rely on IRC networks or domains can usually be taken down given time, operators have moved to P2P C&C to make the botnet more resilient and harder to terminate. Some have also used [[encryption]] to secure or lock down the botnet from others; when encryption is used it is most often [[public-key cryptography]], which has presented challenges both in implementing it and in breaking it.

===Domains===
Many large botnets tend to use domains rather than IRC in their construction (see [[Rustock botnet]] and [[Srizbi botnet]]). They are usually hosted with [[bulletproof hosting]] services. This is one of the earliest types of C&C. A zombie computer accesses a specially designed webpage or domain(s) which serves the list of controlling commands. The advantage of using [[web page]]s or domains as C&C is that a large botnet can be effectively controlled and maintained with very simple code that can be readily updated. The disadvantages of this method are that it uses a considerable amount of bandwidth at large scale, and that domains can be quickly seized by government agencies with little effort. If the domains controlling the botnet are not seized, they are also easy targets to compromise with [[denial-of-service attack]]s. [[Fast flux|Fast-flux DNS]] can be used to make it difficult to track down the control servers, which may change from day to day.

Control servers may also hop from DNS domain to DNS domain, with [[domain generation algorithm]]s being used to create new DNS names for controller servers. Some botnets use free [[Domain Name System|DNS]] hosting services such as [[DynDNS|DynDns.org]], [[No-IP|No-IP.com]], and Afraid.org to point a [[subdomain]] towards an IRC server that harbors the bots. While these free DNS services do not themselves host attacks, they provide reference points (often hard-coded into the botnet executable). Removing such services can cripple an entire botnet.

===Others===
Calling back to popular sites<ref>{{cite web|last1=Zeltser|first1=Lenny|title=When Bots Use Social Media for Command and Control|url=https://zeltser.com/bots-command-and-control-via-social-media/|website=zeltser.com|access-date=27 May 2017|archive-date=7 October 2017|archive-url=https://web.archive.org/web/20171007221426/https://zeltser.com/bots-command-and-control-via-social-media/|url-status=live}}</ref> such as [[GitHub]],<ref>{{Cite news|url=https://www.zdnet.com/article/hammertoss-russian-hackers-target-the-cloud-twitter-github-in-malware-spread/|title=Hammertoss: Russian hackers target the cloud, Twitter, GitHub in malware spread|last=Osborne|first=Charlie|work=ZDNet|access-date=7 October 2017|archive-date=18 February 2017|archive-url=https://web.archive.org/web/20170218061944/http://www.zdnet.com/article/hammertoss-russian-hackers-target-the-cloud-twitter-github-in-malware-spread/|url-status=live}}</ref> [[Twitter]],<ref>{{cite magazine|last1=Singel|first1=Ryan|title=Hackers Use Twitter to Control Botnet|url=https://www.wired.com/2009/08/botnet-tweets/|magazine=[[Wired (magazine)|Wired]]|access-date=27 May 2017|date=13 August 2009|archive-date=7 October 2017|archive-url=https://web.archive.org/web/20171007221457/https://www.wired.com/2009/08/botnet-tweets/|url-status=live}}</ref><ref>{{cite news|title=First Twitter-controlled Android botnet discovered|url=https://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/|access-date=27 May 2017|date=24 August 2016|archive-date=3 July 2017|archive-url=https://web.archive.org/web/20170703095215/https://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/|url-status=live}}</ref> [[Reddit]],<ref>{{cite news |last1=Gallagher |first1=Sean |date=3 October 2014 |title=Reddit-powered botnet infected thousands of Macs worldwide |url=https://arstechnica.com/security/2014/10/reddit-powered-botnet-infected-thousands-of-macs-worldwide/ |access-date=27 May 2017 |magazine=[[Ars Technica]] |archive-date=23 April 2017 |archive-url=https://web.archive.org/web/20170423230321/https://arstechnica.com/security/2014/10/reddit-powered-botnet-infected-thousands-of-macs-worldwide/ |url-status=live }}</ref> [[Instagram]],<ref>{{cite news|last1=Cimpanu|first1=Catalin|title=Russian State Hackers Use Britney Spears Instagram Posts to Control Malware|url=https://www.bleepingcomputer.com/news/security/russian-state-hackers-use-britney-spears-instagram-posts-to-control-malware/|website=Bleeping Computer|access-date=8 June 2017|date=6 June 2017|archive-date=8 June 2017|archive-url=https://web.archive.org/web/20170608094128/https://www.bleepingcomputer.com/news/security/russian-state-hackers-use-britney-spears-instagram-posts-to-control-malware/|url-status=live}}</ref> the [[XMPP]] open-source instant messaging protocol,<ref>{{cite news|last1=Dorais-Joncas|first1=Alexis|title=Walking through Win32/Jabberbot.A instant messaging C&C|url=https://www.welivesecurity.com/2013/01/30/walking-through-win32jabberbot-a-instant-messaging-cc/|access-date=27 May 2017|date=30 January 2013|archive-date=2 June 2017|archive-url=https://web.archive.org/web/20170602205712/https://www.welivesecurity.com/2013/01/30/walking-through-win32jabberbot-a-instant-messaging-cc/|url-status=live}}</ref> and [[Tor (anonymity network)|Tor]] [[.onion|hidden services]]<ref>{{cite news|last1=Constantin|first1=Lucian|title=Cybercriminals are using the Tor network to control their botnets|url=http://www.pcworld.com/article/2045183/cybercriminals-increasingly-use-the-tor-network-to-control-their-botnets-researchers-say.html|magazine=[[PC World]]|access-date=27 May 2017|date=25 July 2013|archive-date=3 August 2017|archive-url=https://web.archive.org/web/20170803064226/http://www.pcworld.com/article/2045183/cybercriminals-increasingly-use-the-tor-network-to-control-their-botnets-researchers-say.html|url-status=live}}</ref> is a popular way of avoiding [[egress filtering]] when communicating with a C&C server.<ref>{{cite web|title=Cisco ASA Botnet Traffic Filter Guide|url=https://www.cisco.com/c/en/us/td/docs/security/asa/special/botnet/guide/asa-botnet.html|access-date=27 May 2017|archive-date=25 May 2017|archive-url=https://web.archive.org/web/20170525185701/http://www.cisco.com/c/en/us/td/docs/security/asa/special/botnet/guide/asa-botnet.html|url-status=live}}</ref>
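As an added defensive example (not part of the article), a small Python scanner over constructed resolver-log lines that flags two of the C&C reference points the Domains subsection describes: subdomains of the free dynamic-DNS providers named above, and DGA-style names with long, high-entropy, vowel-poor labels. The log format, the DGA thresholds and the sample names are assumptions, not values from the article.

```python
import math
from collections import Counter

# Free dynamic-DNS providers the article names as hard-coded C&C reference points.
FREE_DNS_SUFFIXES = ("dyndns.org", "no-ip.com", "afraid.org")

def shannon_entropy(label):
    """Bits of entropy per character of a DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def registrable_label(host):
    """Second-level label, e.g. 'example' for 'www.example.com'."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(host):
    """Crude DGA heuristic (thresholds are illustrative assumptions): long, high-entropy, vowel-poor label."""
    label = registrable_label(host)
    if len(label) < 12:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= 3.5 and vowel_ratio < 0.3

def classify_query(host):
    """Return 'free_dns', 'dga' or 'ok' for one queried name."""
    h = host.lower().rstrip(".")
    if any(h.endswith("." + s) for s in FREE_DNS_SUFFIXES):
        return "free_dns"  # subdomain of a free DNS provider: a lead for review, not proof
    return "dga" if looks_generated(h) else "ok"

def scan_log(lines):
    """Parse constructed 'timestamp client qname' lines; return (client, qname, verdict) for non-'ok' queries."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines instead of crashing the scan
        verdict = classify_query(fields[2])
        if verdict != "ok":
            hits.append((fields[1], fields[2].lower().rstrip("."), verdict))
    return hits

# Constructed sample resolver log, not real traffic.
SAMPLE_LOG = [
    "2024-01-01T00:00:01 10.0.0.5 www.example.com",
    "2024-01-01T00:00:02 10.0.0.5 myhost.no-ip.com",
    "2024-01-01T00:00:03 10.0.0.7 xq7dk2mzp9vtr4lw.net",
    "2024-01-01T00:00:04 10.0.0.7 internationalization.example",
    "2024-01-01T00:00:05 10.0.0.9 bot.dyndns.org.",
]
```

Running `scan_log(SAMPLE_LOG)` flags the two free-DNS subdomains and the random-looking name while leaving the long but ordinary English label alone; in practice such hits are triage leads to correlate with the rest of the host's traffic, not verdicts.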