Security-Alerts mailing list archive (security-alerts@yandex-team.ru)
[security-alerts] FYI: [FD] mitigating botnet C&Cs has become useless (Gadi Evron)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 30 Jul 2006 11:44:33 -0500 (CDT)
> From: Gadi Evron <ge@xxxxxxxxxxxx>
> Subject: [Full-disclosure] mitigating botnet C&Cs has become useless
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Message-ID: <Pine.LNX.4.21.0607301143140.15324-100000@xxxxxxxxxxxx>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> I decided to email this here as well, I don't speak much of botnets in the
> security community, but rather in the network world, and the interest rate
> has sky-rocketed lately.
> -----
>
> The few hundred *new* IRC-based C&Cs a month (and change) have been
> around and static (somewhat) for a while now. At a steady rate of change which
> maintains the status quo, plus a bit of new blood.
>
> In this post I ask the community about what you see, against what we have
> observed, and try and test my conclusions and numbers against your
> findings.
>
> The subject line "why mitigating botnet C&Cs has become useless" is
> misleading. It has been useless for a long time, but someone had to hold
> back the tide, which several online mitigation communities have been doing.
>
> Today it has become (close to) completely useless. I will present the case
> on why that is in my opinion, in a few bullets, and we can discuss what
> alternatives we have, or if perhaps I am misreading what's going on.
>
> *. When a botnet C&C is mitigated, it is immediately re-created on
> another host on the same ISP or another.
> *. Most botnet C&Cs are a part of a larger group, such as an IRC network
> or another, possibly hidden "behind the scenes" network. lusers are being
> redirected on the spot or reconnect to another host.
> *. Most botnet C&Cs are a compartmentalized group out of the whole,
> possibly a sub-group several tiers down. Much like a terrorism cell.
> *. If the above measures and features fail, most botnets have a secondary
> control channel with which an immense host can be re-directed. This has
> been seen back a few years ago.
> *. Many botnet C&Cs now use fast-flux technology, moving IP addresses
> quite often.
> *. When the C&C is taken down, the bot may not jump to a new host, a new
> one may simply be installed.
> *. Coordinated take-down of entire networks is extremely difficult, relies
> on incomplete intelligence and only takes care of the problem for an
> extremely short period of time until re-assembly.
>
> The name of the game is the SPBC: Simple Primitive Botnet Control (C&C).
>
> Simple - as it is simple, vs. a complex dynamic control channel.
> Primitive - old and quite unimpressive.
> Botnet - d'oh
> C&C - Command and Control
>
> It's simple, we can see most of them with our tools. Primitive, hey, they
> have been using these for a long long time. It works.
>
> As what we mainly did is concentrate on taking the C&C down, as well as
> academically study how to detect or quantify it, what we achieved was
> teaching the Bad Guys their business. That is yesterday's news.
>
> They are an oiled machine. We don't hurt them any more. Botnets have
> become mainstream. They are part of sales pitches now.
>
> SPBC for the botnet controllers these days relies on proven and tested
> techniques, concentrating and backing themselves on:
> Reliability - Efficient and stable.
> Robust - Easily replaced.
> Diverse - varying control channels, from DNS, other IRC servers and direct
> connect to a downloader ready to download a new bot or re-infect a known
> bad network.
> Distributed - need I speak of that one?
>
> What does taking down C&Cs achieve?
> 1. Coordination on security issues between ISPs, continued and
> peer-pressure based. Slowly but surely becoming more and more LEO,
> regulation and vendor-run in comparison to what it used to be.
>
> 2. Responsiveness to abuse - gauging ISP response is interesting and shows
> how interested they are.
>
> 3. Feeling good - cleaning the back yard and moving the problem to someone
> else (another ISP). Hmm, yeah.. not really. In most cases the same ISPs
> have the same problems month after month. They just make the C&Cs
> "unknown" vs. "yes, we know where they are".
>
> We are now past the point where killing C&Cs has been harmful. It
> was. These days the only real use a C&C can have for an organization with
> a network, is to check for infected clients connecting in.
>
> When it was harmful, creating the current situation, we were comfortable
> with it as it helped hold back the immediate problem - which was important
> by itself.
>
> That's my educated opinion, following this since 1996, and gathering
> statistics for several years, some of which are seen by this community
> every month.
>
> Please, I would love to hear your opinions, disputes and how you find the
> operational intell on botnet C&Cs useful to this day on networks for
> mitigation purposes.
>
> Then I would like to try and check my facts against your findings as well,
> and see if my conclusions hold up or if I miscalculated.
>
> Please try and limit your answers on this thread (unless you start
> another) to network mitigation issues.
>
> Thank you all for your input. Oh, and I wasn't very accurate. Killing C&Cs
> these days is still harmful, just that now it doesn't even hold back the
> tide.
>
> Gadi.
>
> Note: this is also being sent to the public botnets mailing list and
> NANOG.
>
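The one use the message still grants C&C intelligence is "to check for infected clients connecting in". The script below is an added example of that check, written for this archive page; it is not Gadi Evron's code and not from the mailing list. It assumes a watchlist with two kinds of indicators, C&C IP addresses (optionally scoped to a port) and C&C domain names, and runs it over a constructed flow log and a constructed DNS query log. The domain indicators are what catch a fast-flux C&C, whose IP changes too often for an IP list to keep up. All addresses, ports, domain names (under the reserved `.invalid` TLD) and log lines are made up for the example; the log formats are assumed, not any particular product's.

```python
"""Flag internal hosts that contact known botnet C&C infrastructure.

Added example, not code from the original post. The watchlist, the flow
records and the DNS records below are constructed sample data.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed watchlist. A port of None means "any port on that address";
# a concrete port scopes the indicator to one service on a shared host.
CNC_IPS = {("203.0.113.7", 6667), ("198.51.100.23", None)}
# Domain indicators survive fast-flux: the name stays, the A records churn.
CNC_DOMAINS = {"irc.example-cnc.invalid", "update.example-cnc.invalid"}

# Address space we consider "our" clients (assumed for the example).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow log, one record per line: "<ts> <src> <dst> <dport>"
FLOW_LOG = """\
2006-07-30T11:40:01 10.1.2.3 203.0.113.7 6667
2006-07-30T11:40:05 10.1.2.3 198.51.100.5 80
2006-07-30T11:41:10 10.4.4.4 198.51.100.23 443
2006-07-30T11:42:00 10.9.9.9 203.0.113.7 80
2006-07-30T11:43:00 198.51.100.9 203.0.113.7 6667
"""

# Constructed DNS query log: "<ts> <src> <qname> <answer>"
DNS_LOG = """\
2006-07-30T11:39:58 10.1.2.3 irc.example-cnc.invalid 203.0.113.7
2006-07-30T11:41:30 10.7.7.7 update.example-cnc.invalid 192.0.2.44
2006-07-30T11:41:31 10.7.7.7 www.example.com 93.184.216.34
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of our client ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def ip_hit(dst: str, dport: int):
    """Return the watchlist entry matching (dst, dport), or None.

    A port-scoped entry matches only that port; an entry with port None
    matches any port on that address.
    """
    if (dst, dport) in CNC_IPS:
        return (dst, dport)
    if (dst, None) in CNC_IPS:
        return (dst, None)
    return None


def find_infected(flow_log: str, dns_log: str) -> dict:
    """Map each internal host to the sorted list of evidence lines against it.

    Only traffic *from* internal hosts is considered: an outside address
    talking to a C&C is not our infected client.
    """
    evidence = defaultdict(list)
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        if is_internal(src) and ip_hit(dst, int(dport)) is not None:
            evidence[src].append(f"{ts} flow to C&C {dst}:{dport}")
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        ts, src, qname, answer = line.split()
        if is_internal(src) and qname.lower() in CNC_DOMAINS:
            evidence[src].append(f"{ts} resolved C&C domain {qname} -> {answer}")
    return {host: sorted(hits) for host, hits in evidence.items()}


if __name__ == "__main__":
    for host, hits in sorted(find_infected(FLOW_LOG, DNS_LOG).items()):
        print(host)
        for hit in hits:
            print("   ", hit)
```

Two design points are worth noticing in the sample output. The host that resolved `update.example-cnc.invalid` is flagged even though the answer, `192.0.2.44`, is on no IP list, which is exactly the fast-flux case the message describes. Conversely, the connection to `203.0.113.7` on port 80 is not flagged because that indicator is scoped to port 6667; whether to scope indicators by port is a trade-off between missing a C&C that moved ports and flagging every client of a shared host.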