Mitigating botnet C&Cs has become useless

here is a recent email message i sent to the botnets mailing list and nanog:

the few hundred *new* irc-based c&cs a month (and change), have been
around and static (somewhat) for a while now. at a steady rate of change which
maintains the status quo, plus a bit of new blood.

in this post i ask the community about what you see, against what we have
observed, and try and test my conclusions and numbers against your
findings.

the subject line “why mitigating botnet c&cs has become useless” is
misleading. it has been useless for a long time, but someone
had to hold back the tide, which several online mitigation communities
have been doing.

today it has become (close to) completely useless. i will present the case
on why that is in my opinion, in a few bullets, and we can discuss what
alternatives we have, or if perhaps i am misreading what’s going on.

*. when a botnet c&c is mitigated, it is immediately re-created on
another host on the same isp or another.
*. most botnet c&cs are a part of a larger group, such as an irc network
or another, possibly hidden “behind the scenes” network. lusers are being
redirected on the spot or reconnect to another host.
*. most botnet c&cs are a compartmentalized group out of the whole,
possibly a sub-group several tiers down. much like a terrorism cell.
*. if the above measures and features fail, most botnets have a secondary
control channel with which an immense host can be re-directed. this has
been seen back a few years ago.
*. many botnet c&cs now use fast-flux technology, moving ip addresses
quite often.
*. when the c&c is taken down, the bot may not jump to a new host, a new
one may simply be installed.
*. coordinated take-down of entire networks is extremely difficult, relies
on incomplete intelligence and only takes care of the problem for an
extremely short period of time until re-assembly.

the name of the game is the spbc: simple primitive botnet control (c&c).

simple – as it is simple, vs. a complex dynamic control channel.
primitive – old and quite unimpressive.
botnet – d’oh
c&c – command and control

it’s simple, we can see most of them with our tools. primitive, hey, they
have been using these for a long long time. it works.

as what we mainly did is concentrate on taking the c&c down, as well as
academically study how to detect or quantify it, what we achieved was
teaching the bad guys their business. that is yesterday’s news.

they are an oiled machine. we don’t hurt them any more. botnet have
become mainstream. they are part of sales pitches now.

spbc for the botnet controllers these days relies on proven and tested
techniques, concentarting and backing themselves on:
reliability – efficient and stable.
robust – easily replaced.
diverse – varying control channels, from dns, other irc servers and direct
connect to a downloader ready to download a new bot or re-infect a known
bad network.
distributed – need i speak of that one?

what taking down c&c’s does achieve?
1. coordination on security issues between isp’s, continued and
peer-pressure based. slowly but surely becoming more and more leo,
regulation and vendor-run in comparison to what it used to be.

2. responsiveness to abuse – gaging isp response is interesting and shows
how interested they are.

3. feeling good – cleaning the back yard and moving the problem to someone
else (another isp). hmm, yeah.. not really. in most cases the same isp’s
have the same problems month after month. they just make the c&c’s
“unknwon” vs. “yes, we know where they are”.

we are now past the point where killing c&cs has been harmful. it
was. these days the only real use a c&c can have for an organization with
a network, is to check for infected clients connecting in.

when it was harmful, creating the current situation, we were comfortable
with it as it helped hold back the immediate problem – which was important
by itself.

that’s my educated opinion, following this since 1996, and gathering
statistics for several years, some of which are seen by this community
every month.

please, i would love to hear your opinions, disputes and how you find the
operational intell on botnet c&cs useful to this day on networks for
mitigation purposes.

then i would like to try and check my facts against your findings as well,
and see if my conclusions hold up or if i miscalculated.

please try and limit your answers on this thread (unless you start
another) to network mitigation issues.

thank you all for your input. oh, and i wasn’t very accurate. killing c&cs
these days is still harmful, just that now it doesn’t even hold back the
tide.

sunshine.

note: this is also being sent to the public botnets mailing list.

gadi evron,
ge@beyondsecurity.com.

Share