Dispatches from the botnet front
Bot herders have developed novel new methods for obscuring communication between bots and command and control servers. According to reports, they are taking advantage of Google's App Engine, which allows users to run web applications on Google's infrastructure. Rather than providing users with dedicated server space, the service merely assigns them CPU time, memory and 500 MB of disk space in the cloud. The service is, however, available free for up to 5 million page views per month.
However, this kind of infrastructure plays into the hands of cyber-criminals, with bots able to contact a C&C server in Google's cloud to receive new commands. Google has now removed a number of C&C servers identified by Arbor Networks, a specialist in defending against DDoS attacks.
Security services provider FireEye reports that it also has chalked up a major success in the battle against the botnets. In a coordinated attack, it was able to disable or severely damage the Ozdok/Mega-D botnet's C&C infrastructure. Achieving this required careful preparation in order to disrupt the fall-back and backup measures now used by many botnets and to frustrate the bot herder's countermeasures.
When an Ozdok bot loses contact with a hard-coded C&C server, it starts an emergency program, similar to one used by the Conficker worm, that uses a set algorithm to generate a new domain name, which it then attempts to contact. Because the algorithm is known to the bot herders, they are able to set up a new C&C server at this domain. FireEye succeeded in deciphering the Ozdok algorithm and registering a number of fallback domains itself.
The company also contacted various registrars and asked them to block C&C domains which were already in use and most registrars complied. FireEye then asked a number of ISPs, on whose networks active control servers were running, to take the bot herder's servers offline. The collaboration with registrars and ISPs was apparently so successful that spam output from the Ozdok botnet immediately dropped off almost to zero. The report does not say why the bots stopped sending spam when they were unable to contact a C&C server. Bots are usually able to continue to operate largely autonomously.
FireEye is, however, unsure how long it will be able to keep the botnet tamed, since registering future C&C domains is very time-consuming.
See also:
- Botnet control server camouflages commands as JPEG images, a report from The H.
- Botnet discovered on Linux servers, a report from The H.
(crve)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
