
A more general question, "How do bots communicate in the Zeus botnet?", doesn't really address my question.

I'm trying to understand how a bot can communicate with a command and control (CC) machine. On a technical level, I know bots use sockets (for example), but I really have no idea how the CC can send commands to a bot/computer which is probably inside a private LAN. Lots of computers are in a LAN behind a box, or a router. So for communication behind a port with a server you must use NAT, I think.

Can anyone explain how this works?

kafson
  • Another good read: http://security.stackexchange.com/questions/2440/why-do-botnets-use-irc-but-not-a-web-service-for-communication – Jared Burrows Feb 23 '15 at 16:09

4 Answers


Usually it's not the command and control infrastructure which connects to the bots, because it cannot magically know when a system gets infected. It's the botnet clients which contact the C&C infrastructure and ask for commands.

Most routers (at least in the consumer segment) are configured to blindly forward any connections from inside the network to systems outside the network. Port forwarding only needs to be configured when a service needs to be contacted from the outside.

How exactly the bots contact the C&C servers differs vastly between different botnets. They masquerade as other protocols (like HTTP), use anonymization networks like Tor and various other methods to avoid being detected easily.

Philipp
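To make the NAT point in this answer concrete, here is a small model of the translation table a consumer router keeps. This is an added example, not code from the answer or from any real router; the bot address 192.168.1.23, the router's public address 203.0.113.7, the C&C address 198.51.100.9 and the port numbers are all constructed for the demo. An unsolicited packet from the C&C matches no state and is dropped; the bot's own outbound beacon creates the entry that lets the reply back in; the only other way in is an explicit port forward.

```python
"""Toy model of a consumer router's NAT/PAT table (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    def __init__(self, public_ip: str, first_public_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_public_port
        # Outbound state: (inside_ip, inside_port, remote_ip, remote_port) -> public port
        self.out_map = {}
        # Reverse lookup for replies: (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.in_map = {}
        # Static port forwards configured by the owner: public_port -> (inside_ip, inside_port)
        self.forwards = {}
        self.dropped = []

    def add_port_forward(self, public_port: int, inside_ip: str, inside_port: int) -> None:
        self.forwards[public_port] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Any inside host may start a connection; the router records it and rewrites the source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.out_map.get(key)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.out_map[key] = pub_port
            self.in_map[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Inbound traffic is delivered only if it answers recorded state or hits a port forward."""
        inside = self.in_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            inside = self.forwards.get(pkt.dst_port)
        if inside is None:
            self.dropped.append(pkt)       # nobody inside asked for this: drop it
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


def demo():
    nat = Nat("203.0.113.7")
    bot, c2_ip, c2_port = "192.168.1.23", "198.51.100.9", 443   # constructed addresses
    # 1. The C&C tries to reach the bot first: no state, no forward, so the packet is dropped.
    unsolicited = nat.inbound(Packet(c2_ip, c2_port, nat.public_ip, 4444))
    # 2. The bot beacons out from an ephemeral port; the router creates a translation entry.
    beacon = nat.outbound(Packet(bot, 51000, c2_ip, c2_port))
    # 3. The C&C reply to the public port matches that entry and is delivered to the bot.
    reply = nat.inbound(Packet(c2_ip, c2_port, nat.public_ip, beacon.src_port))
    # 4. Only an explicit port forward admits a connection that nobody inside initiated.
    nat.add_port_forward(8080, "192.168.1.50", 80)
    forwarded = nat.inbound(Packet("192.0.2.1", 33333, nat.public_ip, 8080))
    return {"unsolicited": unsolicited, "beacon": beacon, "reply": reply,
            "forwarded": forwarded, "dropped": len(nat.dropped)}
```

Real routers also expire these entries after an idle period, which is one reason bots beacon on a timer rather than holding a silent connection open.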

In the same way as your web browser does

Some bots (e.g. Stuxnet) may have very sophisticated alternate routes, but most of them simply initiate an HTTPS connection to a C&C server controlled by the attackers. There are cases where it doesn't work, but most networks are configured to allow such connections and most automated screening/filtering tools wouldn't detect it as unusual.

Once the bot has made that connection, it has a reasonably secure channel (encrypted to prevent logging, and with authentication so it knows it connects to the real C&C, not a simulation or taken-over domain) and can periodically poll it for orders to execute and lists of other/backup C&C servers.

Peteris
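The periodic polling this answer describes is also what a defender looks for on the wire: one internal host contacting the same destination at near-constant intervals with near-constant payload sizes, while ordinary browsing is bursty and irregular. The following beacon detector is an added example, not from the answer; the log format (`date time src -> dst:port bytes`), the hosts 10.0.0.5 and 10.0.0.8, the destinations 198.51.100.9 and 93.184.216.34 and every line of `SAMPLE_LOG` are constructed for the demo, and the 0.2 coefficient-of-variation thresholds are illustrative, not tuned values.

```python
"""Flag periodic outbound connections (beaconing) in a connection log (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format for the demo: "<date> <time> <src> -> <dst>:<port> <bytes>"
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+):(\d+) (\d+)$")

# Constructed sample: 10.0.0.5 polls 198.51.100.9:443 roughly every 60 s with ~610-byte
# requests; 10.0.0.8 is a user browsing 93.184.216.34 in irregular bursts.
SAMPLE_LOG = """\
2015-02-23 10:00:00 10.0.0.5 -> 198.51.100.9:443 612
2015-02-23 10:00:05 10.0.0.8 -> 93.184.216.34:443 1540
2015-02-23 10:00:07 10.0.0.8 -> 93.184.216.34:443 20981
2015-02-23 10:01:01 10.0.0.5 -> 198.51.100.9:443 618
2015-02-23 10:01:59 10.0.0.5 -> 198.51.100.9:443 611
2015-02-23 10:03:00 10.0.0.5 -> 198.51.100.9:443 617
2015-02-23 10:04:02 10.0.0.5 -> 198.51.100.9:443 610
2015-02-23 10:04:58 10.0.0.5 -> 198.51.100.9:443 615
2015-02-23 10:06:00 10.0.0.5 -> 198.51.100.9:443 612
2015-02-23 10:07:01 10.0.0.5 -> 198.51.100.9:443 616
2015-02-23 10:12:40 10.0.0.8 -> 93.184.216.34:443 7733
2015-02-23 10:13:01 10.0.0.8 -> 93.184.216.34:443 2101
2015-02-23 10:45:00 10.0.0.8 -> 93.184.216.34:443 9002
2015-02-23 10:46:30 10.0.0.8 -> 93.184.216.34:443 1200
"""


def parse_flows(text):
    """Group (timestamp, bytes) events by (src, dst, port); malformed lines are skipped."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        flows[(m.group(2), m.group(3), int(m.group(4)))].append((ts, int(m.group(5))))
    return flows


def interval_stats(events):
    """Return (mean gap in seconds, coefficient of variation of the gaps), or None if too few."""
    ts = sorted(t for t, _ in events)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(text, min_hits=6, max_gap_cv=0.2, max_size_cv=0.2):
    """A flow is flagged when it repeats often enough and both its timing and its
    request sizes are nearly constant. A low CV means low relative spread."""
    flagged = {}
    for key, events in parse_flows(text).items():
        if len(events) < min_hits:
            continue
        stats = interval_stats(events)
        if stats is None:
            continue
        mean_gap, gap_cv = stats
        sizes = [n for _, n in events]
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        if gap_cv <= max_gap_cv and size_cv <= max_size_cv:
            flagged[key] = {"hits": len(events), "period_s": round(mean_gap, 1),
                            "gap_cv": round(gap_cv, 3), "size_cv": round(size_cv, 3)}
    return flagged
```

In practice bots add jitter and long sleeps precisely to defeat this, so the thresholds need tuning against a baseline of the network's own traffic, and the check is one signal among several rather than a verdict on its own.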

How bots communicate with the CC is no different from how regular programs communicate with each other. Most bots have a CC that is an actual server; this means they have a real IP address and can listen on a port. Many would use standard protocols like HTTP, XML-RPC, SMTP/POP/IMAP, IRC, WebSocket, etc.; some use custom protocols written over TCP or UDP. Most would encrypt and/or proxy their protocols to avoid detection, usually using standard encryption sockets like TLS (e.g. HTTPS). A small few would do peer-to-peer instead of a central command and control; the techniques used to communicate peer-to-peer are essentially the same as in other peer-to-peer protocols.

Bots have to deal with network topologies that limit incoming connections; this is no different from legitimate applications. The techniques used are the same as in legitimate applications: the bot, like legitimate applications, would have to initiate the connection, which opens a two-way socket. Such a two-way socket allows an external system to push any data that it needs to push.

Lie Ryan
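The point above, that the client-initiated connection is a two-way socket the server can push into, as an added example that is not part of the answer: a "bot" thread dials out to a "C&C" listener on 127.0.0.1 (OS-chosen port), announces itself, and then simply reads whatever the server pushes down the same connection. The `HELLO <id>` line and the command strings are a constructed, hypothetical protocol, not any real botnet's.

```python
"""Server push over a client-initiated TCP connection (added example)."""
import socket
import threading


def run_push_demo(commands, bot_id="bot-01"):
    """The 'bot' connects out; the 'C&C' pushes `commands` back down that socket.
    Returns (peer address the server saw, id the server registered, commands received)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))           # port 0: let the OS pick a free port
    listener.listen(1)
    c2_addr = listener.getsockname()
    seen = {}

    def c2_server():
        conn, peer = listener.accept()         # the server learns the bot exists only here
        with conn, conn.makefile("rb") as rx:
            seen["peer"] = peer
            hello = rx.readline().decode().rstrip("\n")
            seen["registered"] = hello.split(" ", 1)[1] if hello.startswith("HELLO ") else None
            for cmd in commands:               # push: server -> client, no inbound connection needed
                conn.sendall(cmd.encode() + b"\n")
        listener.close()                       # closing conn signals EOF to the client

    t = threading.Thread(target=c2_server, daemon=True)
    t.start()

    received = []
    with socket.create_connection(c2_addr) as bot:   # outbound, exactly as a browser would do it
        bot.sendall(f"HELLO {bot_id}\n".encode())    # register, then wait for orders
        with bot.makefile("rb") as rx:
            for line in rx:                          # read pushed commands until the server hangs up
                received.append(line.decode().rstrip("\n"))
    t.join(timeout=5)
    return seen["peer"], seen["registered"], received


if __name__ == "__main__":
    print(run_push_demo(["sleep 60", "report version"]))   # constructed commands
```

Nothing here required the server to know the bot's address in advance or to reach through a NAT; the only inbound-looking traffic is the reply on a connection the client opened.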

This doesn't directly answer your question per se, since they all differ, and the following links are way old... but here are some PDFs explaining how it works in distributed scope (P2P with masked/dynamic/on-demand C&C layer). Cool legacy reads regardless:

Nugache:

The malware receives several inbound connections per day, and makes (or attempts to make) several outbound connections per day. Overall there are about a dozen connections active at a given time, and comprise regular peer list exchanges, software comparisons and upgrades, and simple commands via a set of numeric commands

https://staff.washington.edu/dittrich/misc/malware08-dd-final.pdf

Torpig:

As we mentioned previously, Torpig opens two ports on the local machine, one to be used as a SOCKS proxy, the other as an HTTP proxy. 20.2% of the machines we observed were publicly accessible. Their proxies, therefore, could be easily leveraged by miscreants to, for example, send spam or navigate anonymously.

https://seclab.cs.ucsb.edu/media/uploads/papers/torpig.pdf

Peacomm:

Peer-to-peer botnets have more flexibility. The Trojan.Peacomm bot provides one such method for the attacker to issue commands to bots in a peer-to-peer architecture. Essentially, the bot downloads a secondary injection that can be arbitrary, which allows flexibility in the payload of the bot.

http://juliangrizzard.com/pubs/2007_grizzard_hotbots.pdf

dhaupin