Command and control (C&C) servers are centralized machines that send commands to, and receive output from, the machines that make up a botnet. Command and control is the act of communicating with a botnet. Ideally, the control mechanism should provide three things: anonymity, security and resilience.
IRC: IRCBot.HI, RageBot and Phorpiex are some examples. Only as anonymous as the IRC server's ISP. Can be trivially blocked by blocking IRC, so it fails the resilience test.
P2P: basically each bot connects to another, and that one to another, in a mesh layout. It still generally requires some kind of directory (bootstrap) server. More anonymous than IRC, but can be trivially blocked by port blocking and packet inspection.
HTTP: bots connect to a webserver. Not overly anonymous, and relatively easy to take down: blacklist the IP and/or domain, and use ISP logs to take action against the operators.
DGA: generating the domain on the fly means the C&C is not tied to a specific host or IP; bot and herder derive the same name from the current time, similar to how RSA SecurID works, e.g. c37d819d0c4c16865e9519478897d5d4.com. If the generation algorithm is reverse-engineered, all future domains can be blacklisted or sinkholed in advance.
DGA plus Tor2web, as implemented by malware including newer versions of Vawtrak: it uses a DGA to get a domain, which then redirects to a tor2web gateway, and a directory server is returned via the tor2web address. This lets the operators hide behind the Tor anonymity network, but tor2web becomes a single point of failure. Block it. Done.
A (v2) onion address is the first half of the SHA-1 of the hidden service's public key, so the bot needs to generate that public key on the fly. First attempt: hand the client the private key.
• Generate a public key, and hence the hash, based on a timestamp.
• Connect to that onion.
• Sign the response with a second private key.
• …
• Profit.
This approach is susceptible to impersonation, as the client inherently has the private key. That being said, an impersonator would require an order of magnitude more servers than the bot herder.
Savoie, who came up with this idea: generate onion addresses the way eschalot, scallion and the other vanity onion generators do, by keeping the modulus and varying the public exponent.
• The modulus is shared between the private and the public key.
• The private key has a private exponent (d).
• The public key has a public exponent (e).
• Do the DGA on e:
◦ e = 0xffffff + timestamp (rounded to the nearest hour), +1 if even.
• …
• Profit.
The procedural generation of e yields a different public key, and therefore a different onion address, at every known interval, all for the same modulus. Only the herder, who knows the factors of the modulus, can compute the private exponent that matches each hourly e; the bot only needs the modulus and the algorithm, so it cannot impersonate the service. One caveat the slide skips: e must be coprime to (p-1)(q-1), and forcing e odd only rules out the factor 2, so the herder has to pick p and q with that in mind (safe primes, for instance). Another: this depends on RSA-based v2 onion addresses, which Tor retired in 2021; v3 addresses are derived from ed25519 keys and have no public exponent to vary.
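As an added example (my code, not Savoie's or the talk's), here is the scheme above end to end in Python: a herder-side RSA key, the hourly DGA on e, the v2 onion address as Tor computed it (base32 of the first 80 bits of SHA-1 over the PKCS#1 DER RSAPublicKey), and a check that the herder can sign under each hourly public key while a bot holding only the modulus cannot. Assumptions of the example: the timestamp is floored to the hour (the slide says "rounded"); the primes are safe primes so that every odd e is coprime to (p-1)(q-1); signing is textbook RSA over a SHA-256 digest for illustration only (no padding), since in a real deployment Tor itself, not the bot, does the hidden-service signing.

```python
import base64
import hashlib
import math
import random

# ---- PKCS#1 RSAPublicKey as DER: SEQUENCE { INTEGER n, INTEGER e } (what Tor hashed for v2) ----

def _der_len(length):
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body          # leading zero keeps the INTEGER positive
    return b"\x02" + _der_len(len(body)) + body

def der_rsa_public_key(n, e):
    body = der_int(n) + der_int(e)
    return b"\x30" + _der_len(len(body)) + body

def onion_v2(n, e):
    """v2 onion address: base32 of the first 80 bits of SHA-1 over the DER public key."""
    digest = hashlib.sha1(der_rsa_public_key(n, e)).digest()
    return base64.b32encode(digest[:10]).decode().lower() + ".onion"

# ---- the DGA on e from the slide ----

def dga_exponent(timestamp):
    """e = 0xffffff + timestamp floored to the hour, +1 if even (floor is an assumption)."""
    e = 0xFFFFFF + (timestamp - timestamp % 3600)
    return e + 1 if e % 2 == 0 else e

# ---- herder side: the only party holding p and q ----

def is_probable_prime(n, rng, rounds=20):
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng):
            return candidate

def generate_safe_prime(bits, rng):
    """p = 2q + 1 with q prime: the only factors of p - 1 are 2 and q, so any odd e << q is coprime to phi."""
    while True:
        q = generate_prime(bits - 1, rng)
        if is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1

def herder_keygen(bits=1024, seed=None):
    """The herder keeps (p, q); bots are shipped only n = p * q and the DGA."""
    rng = random.Random(seed)
    return generate_safe_prime(bits // 2, rng), generate_safe_prime(bits // 2, rng)

def herder_private_exponent(p, q, e):
    """This hour's d; impossible without the factors of n, which is what stops a bot impersonating."""
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:              # cannot happen with safe primes and a 32-bit e
        raise ValueError("e shares a factor with phi(n); no key for this hour")
    return pow(e, -1, phi)

# ---- textbook RSA over a SHA-256 digest: illustration only, no padding ----

def sign(message, n, d):
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)

def verify(message, signature, n, e):
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")

if __name__ == "__main__":
    p, q = herder_keygen(1024, seed=2015)
    n, e = p * q, dga_exponent(1420070400)      # 2015-01-01 00:00 UTC
    print(onion_v2(n, e))                        # what every bot derives for that hour
    d = herder_private_exponent(p, q, e)
    print(verify(b"update", sign(b"update", n, d), n, e))
```

1024 bits is what Tor's v2 services used; generating two safe primes of that size in pure Python takes a few seconds. The safe-prime choice is the practical answer to the coprimality problem: with ordinary random primes, an e such as 0xffffff + 1420070400 (which is divisible by 3, 5 and 7) frequently shares a factor with (p-1)(q-1), and the herder has no valid key for that hour while every bot is already knocking on the corresponding onion address.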
• One would be a blacklist of the descriptors (the predicted onion addresses), if the algorithm generating them was reverse-engineered.
• Another would be requiring a fixed value of e. This has been suggested before to deal with vanity onions. It is extremely unlikely to happen.
• On the user's machine, an antivirus provider could feasibly block connections, and provide a scary "Opt-in to the darknet" button hidden away in the back of a config page.
to unmask users, even for three-letter agencies, Tor is fairly safe for sending commands, even if they are posted on the public internet. Security: how secure is your command and control channel? Signed commands. Done. Resilience: how hard is it to take down your C&C system?
be blocked at a massive scale. The question is, how do you usurp their service? The key is to yell things in public where everyone can see, but no one will notice.
messages per hour, and we want to hide in plain sight. The key is writing a message (or a series of messages) that can't be detected automatically, yet can easily be found by someone who knows what to look for.
know what to look for in a predictable yet not searchable way. Encode binary data in a Markov chain of tweets which are syntactically valid, though often meaningless:
@jzsavoie: "Bit pricey for the reality on deanonymizing hidden service website for me"
@jzsavoie: "snooping, it's not a patched rabbit hole. And still an exit node problem."
trending, for example). Analyze patterns in words. Regurgitate those patterns, but encode a passphrase:
@jzsavoie: "Bit pricey for the reality on deanonymizing hidden service website for me" 010010101100
@jzsavoie: "snooping, it's not a patched rabbit hole. And still an exit node problem." 0000100010111
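An added example, my code rather than the talk's, of what "encode binary data in a Markov chain of tweets" can look like in practice. Sender and receiver share a word-bigram model built from the same corpus; every word with several possible successors carries floor(log2(number of successors)) payload bits, chosen by index into the sorted successor list, words with a single successor carry no bits, and the receiver replays the same walk to read the indices back. The corpus (a constructed stand-in for a scrape of the channel's usual chatter), the payload and the 140-character tweet limit are assumptions of the example; the @jzsavoie tweets above were produced by the author's own chain, not by this code.

```python
START = "<start>"

# Constructed training corpus. One sentence per line; the chain restarts at a line break.
CORPUS = """
the exit node problem is still not solved
the hidden service is still online after the takedown
a hidden service address is a hash of the public key
the relay is slow tonight and the circuit is dropping
tor is not a patched rabbit hole for snooping
deanonymizing a hidden service is pricey for the reality of it
a relay operator is not a target for the reality of it
snooping on the exit node is still the real problem
the takedown of the directory is not a real fix
a circuit through the relay is slow but still online
"""


def build_model(corpus):
    """word -> sorted list of distinct successors; START -> sentence-initial words."""
    successors = {}
    for line in corpus.strip().splitlines():
        prev = START
        for word in line.split():
            successors.setdefault(prev, set()).add(word)
            prev = word
    # Sorting makes each word's index identical on both ends of the channel.
    return {word: sorted(nxt) for word, nxt in successors.items()}


def _choices(model, prev):
    """Successor list and the number of bits one pick from it encodes: floor(log2), capped at 7."""
    choices = model.get(prev, [])
    bits = min(len(choices).bit_length() - 1, 7) if choices else 0
    return choices, bits


def _next_state(model, word):
    # A dead-end word (no successor) restarts the chain; both sides apply the same rule.
    return word if model.get(word) else START


def encode(model, payload):
    """Turn bytes into a word sequence that only ever follows the model's transitions."""
    bits = "".join(f"{b:08b}" for b in payload)
    words, prev, pos = [], START, 0
    while pos < len(bits):
        choices, k = _choices(model, prev)
        if k == 0:
            word = choices[0]                          # forced transition, carries no payload
        else:
            chunk = bits[pos:pos + k].ljust(k, "0")    # zero-pad the final partial chunk
            word = choices[int(chunk, 2)]
            pos += k
        words.append(word)
        prev = _next_state(model, word)
    return words


def decode(model, words):
    """Replay the walk: a word's index among its predecessor's successors is the payload."""
    bits, prev = [], START
    for word in words:
        choices, k = _choices(model, prev)
        if k:
            bits.append(f"{choices.index(word):0{k}b}")
        prev = _next_state(model, word)
    stream = "".join(bits)
    usable = len(stream) - len(stream) % 8             # the zero padding is always < 8 bits
    return bytes(int(stream[i:i + 8], 2) for i in range(0, usable, 8))


def to_tweets(words, limit=140):
    """Pack the word stream into tweet-sized chunks without splitting a word."""
    tweets, current = [], []
    for word in words:
        if current and len(" ".join(current + [word])) > limit:
            tweets.append(" ".join(current))
            current = []
        current.append(word)
    if current:
        tweets.append(" ".join(current))
    return tweets


def from_tweets(tweets):
    return " ".join(tweets).split()


MODEL = build_model(CORPUS)

if __name__ == "__main__":
    tweets = to_tweets(encode(MODEL, b"cmd:update"))
    for tweet in tweets:
        print(f"@bot_herder: {tweet}")
    print(decode(MODEL, from_tweets(tweets)))
```

The bandwidth is poor (one or two bits per word with a corpus this small), which is exactly the trade the slide describes: the output is plain dictionary text that follows the real bigram statistics of the channel, so a keyword or entropy filter has nothing to key on, while anyone holding the same model and the sender's handle can read the payload out. The cap of seven bits per word keeps the padding under a byte so the decoder can drop it without a length prefix; a real model with thousands of successors per word would want an explicit length instead.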