Web 2.0 services can be abused for bot command and control
A new approach to the command and control of bots has been identified by Finjan. In its 4th quarter 2007 Web Security Trends Report, the vendor describes how public Web 2.0 services can be exploited by bot operators. Instead of command and control servers communicating directly or via Fast Flux networks with individual bot computers, they can now send instructions and receive data indirectly via legitimate public blogs and RSS feed aggregators.
The attacker infects a suitable number of hosts with a trojan using well-established techniques such as Iframe injection exploits. The trojan accepts its commands over an RSS feed and posts its output, suitably formatted, to a legitimate public blog that the attacker has access to. The botnet command and control server also signs up with a different legitimate public blog. Its commands are posted to that blog and relayed unwittingly over RSS via an RSS aggregation service to which the trojans on the bots are subscribed.
This technique makes the command and control server invisible to the bots and also permits its internet presence to be changed at will without affecting the functioning of the botnet. The perceived probity of the providers of many RSS feed services (Google, Yahoo and their like) will tend to militate against early detection. The utility of such services also essentially prevents the malicious traffic from being blocked by conventional network countermeasures without denying users access to legitimate services. Content-aware countermeasures are therefore needed to protect against such attacks. Finjan informed heise Security that three trojans using this technique have already been detected in the wild and that they are expected to multiply in the coming year.
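As an added illustration, not part of the heise report or Finjan's material, the following shows the kind of content-aware check the previous paragraph calls for: it parses an RSS feed and flags items whose body carries a long, high-entropy base64-like token, something natural-language blog posts rarely contain but a relayed machine command would. The sample feed, the thresholds and the function names are all constructed assumptions for this example.

```python
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample feed: two ordinary posts, one post whose body is an
# opaque base64-looking blob, and one post with a long but repetitive token
# (e.g. a placeholder) that should NOT be flagged.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>example blog</title>
<item><title>Weekend hike</title>
<description>We walked the ridge trail and saw three deer.</description></item>
<item><title>update</title>
<description>Q29uc3RydWN0ZWQgc2FtcGxlIHBheWxvYWQgZm9yIHRoZSBleGFtcGxl</description></item>
<item><title>Recipe</title>
<description>Mix flour, eggs and milk; rest the batter for an hour.</description></item>
<item><title>Placeholder</title>
<description>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</description></item>
</channel></rss>"""

# A run of 32 or more characters drawn only from the base64 alphabet.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=]{32,}")

def shannon_entropy(s):
    """Bits of entropy per character; ~0 for repeated text, >4 for random base64."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def suspicious_tokens(text, min_entropy=4.0):
    """Return base64-like runs in text whose entropy suggests encoded data."""
    return [t for t in TOKEN_RE.findall(text) if shannon_entropy(t) >= min_entropy]

def flag_feed_items(feed_xml):
    """Return (title, tokens) for each RSS item carrying suspicious content."""
    root = ET.fromstring(feed_xml)
    flagged = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        body = item.findtext("description") or ""
        hits = suspicious_tokens(body)
        if hits:
            flagged.append((title, hits))
    return flagged

if __name__ == "__main__":
    for title, hits in flag_feed_items(SAMPLE_FEED):
        print(f"flagged item {title!r}: {hits}")
```

Legitimate feeds do carry long opaque tokens (tracking ids, embedded image data), so this would be one signal weighed alongside source reputation and polling behaviour rather than a blocking rule on its own.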
- Web Security Trends Report - Q4/2007, Report from Finjan