0

I am having trouble wrapping my head around the idea on how a server-client botnet structure actually works.

Let's say that the server is A, and the client is B.

  • We know A is listening always on port 1000, and A is the infected machine.
  • We know B is the attacker on his end and can connect to A at anytime since there is an open port and server running on the infected machine.

My question is how does B (the attacker) even know when A (the infected) is online, if B (the attacker) does not have a server running listening for connections incoming from infected machines?

For example if the attacker is spreading his install file for his botnet, how would they even know when computers are infected with their server indeed running if he does not have something listening for established connections?

Thanks in advance.

ABC
  • 115
  • 4
  • 1
    There's really a lot of options here. The bot might connect back to the Command and Control server and notify it of infection by posting a value to a PHP page. There might be a reverse shell in the malware that connects and triggers something on the C2 server to update the database of infected clients. I've even seen an example of malware encoding the PC name and infection date into a BMP with LSB steganography, and posting the image to a webserver. This communication between C2 and bots is something malware writers try to hide as well as possible, so there's a lot of possibilities. – Nomad Mar 01 '19 at 08:46
  • In fact, a botnet is no different than an web services agent. You should look for some old botnet (some researcher might publish the data somewhere) example available and learn from there. – mootmoot Mar 01 '19 at 08:56

1 Answers1

1

The Client-Server model in botnets is just the same (with maybe some pimps from botnet family to other) as any client<->server model, its setup like a network with one or more main server(s) that control the transmission of informations from and between each client. As for RATs the botmaster have usually a Command and Control (C&C) server (or servers) in order to orchestrate slaves (clients). This model is called Centralized. While there is also Peer-To-Peer model and Hybrid models

Know:

How does B (the attacker) even know when A (the infected) is online, if B (the attacker) does not have a server running listening for connections incoming from infected machines?

While far from being exhaustif, here are some ways described in the following slides:

Internet Relay Chat (IRC)

  • Port 6667 or custom port
  • join hardcoded channel send
  • command/instruction via joined channel (PUSH)

HTTP/HTTPS

  • Port 80, 443
  • Php based system
  • Post request (PULL)
  • Snd.php (register the botnet)
  • Update.php (update the binary file)
  • Stat.php (get the command)

P2P

  • UDP
  • No fixed port
  • Supernode (locate where the C&C server)

There are several maneer to perform this, and keep in mind that usually (if not always) that it's A that notifies B of its presence,whether as a new infection or as an online/offline activity. There is always some kind of Push and Pull methods.

For example once a client of Zeus botnet is infected, he tries to download a config file from the server (B) via HTTP/Getnotifying this way the server of a new infection (called registering):

enter image description here

Some Botnets uses IRC , by setting up some IRC servers, A reports to B and B commands A via IRC commands.

Kraken Botnet for example uses UDP/447 to the C&C server resolved from a fully qualified domain name list.

There is no generic answer, it all depends on the topology/model and how the developers of the botnet in question are smart/skilled.

You can learn more on how botnets communicate from these links. "Detecting Covert Botnets Using Communication Patterns", "Botnet Communication Patterns"

Soufiane Tahiri
  • 2,667
  • 12
  • 27