
This is an academic question, I googled a lot but couldn't find suitable answers for this question:

What are the different Command & Control infrastructures (Botnets) & what are the countermeasures?

Any help is much appreciated.

Phonolog
Jishan

2 Answers


Have you tried Wikipedia? In short, the malware (A) needs to connect to (B). This can be done using many different methods.

The easiest (in my opinion) to set up is by using the HTTP (web server) protocol. You make a simple web server with short PHP scripts that handle the incoming requests. You send/ask for requests by using sockets (for example, the Windows API).
Countermeasure: Blocking this specific domain/IP address in your firewall. I should mention that malware often has multiple server addresses hard-coded into its source to countermeasure this countermeasure.
If you're working at a security company/government, the countermeasure would be contacting the hosting provider to take down that website, or in some cases even hacking the server.

Another much-used method is IRC chatrooms. You create a secured and private IRC chatroom, and then you can 'chat' with your malware. In other words, you send a command into the chat box, and the malware ('reading' the chat messages) will receive the commands and execute them. IRC is mainly used because of its simplicity and its low bandwidth requirements.
Countermeasure: Block specific TCP ports like 6667 (specific to IRC); again, I should mention that IRC tries other ports as well if 6667 is blocked.

What is also often used is P2P (peer-to-peer): you use your own connection/computers as the C&C server. The malware communicates directly with your network to receive commands. This is what you use most of the time with frameworks like Metasploit.
Countermeasure: Here the IP of the attacker would be static, so simply blocking that IP should work. Again, if you're working in a security company/government, you can log the IP and with luck you have the IP of the attacker. The attacker could also use a VPN allowing port-forwarding, but then it isn't real P2P anymore.

As you see, your firewall is important.

Tom
O'Niel

I'd like to add DNS to O'Niel's answer:

Some botnets use DNS tunneling to communicate between botmaster and bots. E.g. you can (ab)use TXT records to transmit data. As this is an academic question, here's a good paper on this topic (requires IEEE access, or maybe you can find it on Google as well).

Countermeasure: This one is tricky. Quoting the above paper:

Even in environments with heavily restricted Internet access, e.g. by means of firewalling and proxying, DNS is usually one of the few protocols – if not the only one – that is allowed to pass without further ado.

Of course you can't simply block all your DNS traffic. Instead, monitoring your DNS traffic and looking for anomalies might be a solution. The above paper suggests an anomaly detection based on entropy. Simpler approaches (mentioned here) could be to use an IDS or to search for large DNS requests and DNS TXT records.

Phonolog
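A defender-side illustration of the DNS monitoring the answer above describes, added here as an example and not code from the original post or the cited paper: it scores each query in a constructed log by record type, name length and Shannon entropy of the host labels, the three heuristics mentioned above. The log format, the hypothetical domains and the thresholds are assumptions.

```python
import math
from collections import Counter

# Constructed sample DNS query log (assumed format): timestamp client qtype qname
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 A www.example.com
2024-01-01T10:00:02 10.0.0.5 AAAA mail.example.com
2024-01-01T10:00:03 10.0.0.9 TXT _dmarc.example.com
2024-01-01T10:00:04 10.0.0.7 TXT 0123456789abcdef0123456789abcdef.fedcba9876543210fedcba9876543210.example.net
2024-01-01T10:00:05 10.0.0.7 A api.example.com
"""

def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def host_part(qname: str, zone_labels: int = 2) -> str:
    """Labels left of the registered domain, e.g. 'a.b' for 'a.b.example.com'."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-zone_labels])

def score_query(qtype: str, qname: str, max_len: int = 60, max_entropy: float = 3.5) -> list:
    """Return the heuristic flags that apply to one query (empty list = nothing suspicious)."""
    flags = []
    if qtype.upper() == "TXT":                      # TXT records are a common data carrier
        flags.append("txt-query")
    if len(qname) > max_len:                        # tunnels need long names to move data
        flags.append("long-name")
    hp = host_part(qname)
    if len(hp) >= 16 and shannon_entropy(hp) > max_entropy:  # encoded payloads look random
        flags.append("high-entropy")
    return flags

def find_suspicious(log_text: str) -> list:
    """Parse whitespace-separated log lines; return (client, qname, flags) for flagged queries."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:                         # skip malformed lines instead of failing
            continue
        _ts, client, qtype, qname = parts
        flags = score_query(qtype, qname)
        if flags:
            hits.append((client, qname, flags))
    return hits
```

The TXT rule on its own also catches legitimate SPF/DMARC lookups, as the _dmarc line shows, so in practice the flags are combined or weighted rather than alerted on one by one.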