15

IRC still seems to be the most prominent way of communication within botnets.

Why do attackers choose IRC?

In my (very naive) opinion, setting up a web service is far easier.

6 Answers

13

There are at least two types of schemes for controlling botnets:

  • via C&C;
  • decentralized scheme;

The following ways of C&C botnet networks exist:

  • IRC (one or many);
  • control via web servers;
  • internet messengers;

Without C&C:

  • peer to peer networks;
  • trust rings;

Combined schemes are also possible, thus taking the best of each technology. It is not a rare case that botnet developers create their own protocols to leverage the capabilities of control.

First of all, IRC is used because it allows a simple way to deploy a communication network. For a very small number of bots one IRC server is enough; when the server is unable to handle some peak moments when bots are online, several IRC servers can be joined. But this type of network is not for serious botnets nowadays. See my comments here: Malware known to use port knocking to evade detection by network scanners?.

In minimal complexity, control via a web server is similar to IRC. However, it allows more variations of the control scheme. It is easy to deploy, to control, and to lose too. It is one of the most popular ways to control a botnet.

Control via internet messengers is not popular, because it is hard to create such a network without headache for the botmaster. Registration of accounts for one person is not a problem, but when it comes to automation of the process, the problems start.

Peer-to-peer botnets are hard to develop, but they can provide a more stable and robust network.

The so-called "trust ring" is an even more complex scheme, but because of its decentralized nature it is hard to kill. This is similar to the scheme that is used in Skype.

C&C botnets are easy to create, but also easy to kill - just destroy the control center. The last two types of C&C-less botnets are often seen used in serious botnets, because of the really serious intent of their authors to be in the big business of bad boys.

By the way, botnets are used not only for malicious purposes.

  • What you've said is what I already know actually... I would like to know why IRC is better than some simple web page. –  Mar 07 '11 at 14:22
  • Generally, sooner or later attackers choose a web server setup - it is easier to monitor statistics and to control bots. However, the choice might depend on the purpose of the botnet. Thus, your question is similar to "why is the teaspoon better than the soup spoon?". Sometimes the capabilities of an IRC server are enough. C&C based on a web server might also be complex to support and develop. –  Mar 07 '11 at 14:56
  • @Ams Any reference on _choice on purpose_? –  Mar 07 '11 at 15:39
  • @all: can anyone point me to some useful resource about botnets? I want to know more about this. Can you suggest some book? blog? twitter? papers? and must read/follow stuff? Great thanks – boos Mar 07 '11 at 19:48
  • >By the way, botnets are used not only for malicious purposes. Any examples? – Nemo Sep 30 '11 at 12:04
  • @Capt.Nemo most supercomputers are distributed across many individual computers, in a way very similar to a botnet. Depending on the task, only a minimal amount of networking could be necessary - imagine a bitcoin mining cluster that you own vs one that you run on computers that aren't yours - the protocols, botnet, etc. are all the same, just that one is more legal than the other. – user2813274 Nov 03 '14 at 03:34
8

I agree, websites are easier and Conficker, for one, proved that a scheme of random domain name creation can be used to set up C&C servers, where each of the domain names is valid only for a day (or whatever the period is that the code defines).

But in my opinion the killer argument for IRC as opposed to a website is that IRC allows interactive control of the bot. That means an attacker can pick out any of the bots from the botnet and send custom commands to it. This means you have a much higher degree of control over a botnet with IRC with a comparably low effort, while the same level of control with a website would require a custom web-server software first of all.

So while in general a website is simpler to set up and it's (on most systems) easier to get HTTP client functionality, the features that the bad guys are looking for are not easily (or readily) available on stock HTTP servers.

However, I also side with Mark Davidson in that IRC is simply better tested and that there are implementations out there that can be grabbed.

0xC0000022L
  • A little bit of coding on the web server backend could provide an interactive control channel to the web service. – bstpierre Oct 16 '11 at 23:38
  • @bstpierre: you're certainly right. Still, most developers will prefer proven solutions and I reckon malware authors are no different in that respect (not to speak of script kiddies). – 0xC0000022L Oct 23 '11 at 18:33
4

IRC used to be the primary method for controlling botnets but according to research done by Team Cymru in November 2010, web-controlled botnets now outnumber those controlled by the traditional method of IRC channel by a factor of five. So your opinion may be correct.

One of the main reasons I would say behind the use of IRC for botnet control is that when botnets started emerging in 1999 ( History of the Botnet ) IRC had been around for 11 years already and probably was considered to be a tried and tested communication method for many users.

Mark Davidson
  • I know. But a simple web page seems easier... –  Mar 07 '11 at 14:22
  • @Dante Jiang: since botnets are nowadays being sold, it makes sense to keep them as reliable as possible. It's not about ease of implementation but about reliability of the resulting code, as sick as it sounds. – 0xC0000022L Mar 07 '11 at 14:52
  • Setting up an IRC bot was always easier. Growing up I gained a lot of experience with IRC bots. The major issues with them are that they are easier to detect (unless using tunneling and full encryption for their connections), rival botnet operators easily find your botnet on one of their hosts, reverse your bot, get your pass and network info then steal all of your bots. With HTTP/HTTPS C&C, there are infinite places to hide your control panel, it is very easy for IDS systems to see it as normal web activity and fast flux makes them difficult to track. I can speak on this for days but I'm out of space. – detro Aug 18 '11 at 14:44
1

IRC messages are pushed to multiple clients; HTTP messages have to be pulled by each client from the server.

The main advantage of IRC in this context is that the controller can send a message to multiple listening bots. All the bots join the same IRC channel. The controller sends a PRIVMSG to the channel name and all the bots receive it. An IRC client on an IRC server is a long-lived TCP connection. The messages are pushed to all the clients.

HTTP, by contrast, is one-to-one communication using request/response messaging over short-lived TCP connections. For the client to get a message from the server, it has to repeatedly ask the server if there are any messages. Multiple bots need to receive the same message from the server, so they're all repeatedly sending wasted requests until a message is available.
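The channel fan-out this answer describes is visible on the wire as a PRIVMSG or NOTICE whose first parameter is a channel name. The following is an added example, not code from the answerer or from any botnet: a minimal RFC 1459 line parser and a check that picks channel-wide messages out of a constructed session capture, the kind of logic a network sensor would run on egress IRC traffic. Nicknames, hostnames and the channel name in the sample are made up.

```python
"""Minimal RFC 1459 line parser plus a check for channel-wide PRIVMSG/NOTICE (the one-to-many push)."""
from typing import List, NamedTuple, Optional

CHANNEL_PREFIXES = ("#", "&", "+", "!")  # channel name prefixes per RFC 2812


class IrcMessage(NamedTuple):
    prefix: Optional[str]  # "nick!user@host" or a server name; None if absent
    command: str
    params: List[str]


def parse_irc_line(line: str) -> IrcMessage:
    """Parse one line: [':' prefix ' '] command [' ' params] [' :' trailing]."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")  # trailing param may contain spaces
    params = head.split()
    if not params:
        raise ValueError("empty IRC message")
    command = params.pop(0).upper()
    if sep:
        params.append(trailing)
    return IrcMessage(prefix, command, params)


def is_channel_broadcast(msg: IrcMessage) -> bool:
    """True when a PRIVMSG/NOTICE targets a channel, so the server fans it out to every member."""
    return (msg.command in ("PRIVMSG", "NOTICE") and bool(msg.params)
            and msg.params[0].startswith(CHANNEL_PREFIXES))


# Constructed sample of an IRC session as a network sensor would see it (not real traffic)
SAMPLE_CAPTURE = [
    ":irc.example.test 001 bot42 :Welcome",
    "JOIN #lobby",
    ":alice!a@host PRIVMSG #lobby :hello everyone",
    ":alice!a@host PRIVMSG bot42 :hello just you",
    "PING :irc.example.test",
    ":bob!b@host NOTICE #lobby :server restart in 5 min",
]


def channel_broadcasts(lines):
    """Return (sender nick, channel, text) for every channel-wide message in the capture."""
    out = []
    for msg in map(parse_irc_line, lines):
        if is_channel_broadcast(msg):
            nick = msg.prefix.split("!")[0] if msg.prefix else "?"
            out.append((nick, msg.params[0], msg.params[-1]))
    return out
```

Running `channel_broadcasts(SAMPLE_CAPTURE)` returns only the two messages addressed to `#lobby`; the one-to-one PRIVMSG to `bot42` and the server PING are left out.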

1

Skiddos who can't read good or code (but call themselves h4xorZ) take what they can get, and PHP/Perl/C IRC bots are easily found. I recently wiped out a bot that dated back to 2001 but was still used.

The other part of the answer to your WHY question: because sysadmins don't do their job. There is usually no need for a server to allow outgoing IRC connections (or any outgoing connection at all, given the fact you use a mail gateway and an update server for your DC).

1

I think a major reason is that to use a web service an attacker would have to run their own web service. To do this, avoid being shut down, and cover their tracks is a PITA for the botnet controller. With IRC control they can use an existing IRC network, and control the bots by joining as a particular user.

paj28