
The future of botnets, or thinking about what may await us.

Alongside my main job I analyze malware activity, and that work has produced some ideas about what we can expect in the near future with respect to botnets (spam, DoS, etc.). This post focuses on possible methods of botnet control.

Analyzing the latest methods of botnet control, it is clear that the main focus is on DNS: to find the control server, the bot uses specific registered domain names from which it resolves the server address (based on analysis of different versions of the Kido virus).
This method is ceasing to be effective: judging by the latest version of Kido, the virus generates, by a special algorithm, 50,000 DNS names per day. Naturally, this approach increases DNS traffic, makes a virus-infected machine easier to detect, and allows that machine to be quickly isolated so that access to the control server is blocked.
Everyone knows that the main way an infected machine interacts with the botnet's center is p2p; in some cases it may be SSH or HTTP. The main problem with p2p is that it is very easily filtered by a simple set of rules blocking UDP packets and TCP packets outside the allowed range. SSH is not always open on gateways to the outside, and HTTP/HTTPS is very easily caught through a proxy server, so the control center is very easily detected.
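The detection opportunity described above (a bot that churns through thousands of generated names a day stands out in resolver logs) can be put into concrete terms. The following is an added example, not code from the original post: it parses constructed resolver log lines of the form `<timestamp> <client_ip> <qname> <rcode>` (an assumed format) and flags clients that combine a high NXDOMAIN ratio with high-entropy second-level labels, which is what daily name generation looks like from the resolver's side.

```python
"""Flag DNS clients whose query pattern resembles daily name generation:
many distinct names, mostly NXDOMAIN, with random-looking labels.
Added example; log format and thresholds are assumptions, not from the post."""
import math
from collections import defaultdict

# Constructed sample resolver log: "<timestamp> <client_ip> <qname> <rcode>".
# 10.0.0.5 browses normally; 10.0.0.9 walks a list of generated names.
SAMPLE_DNS_LOG = """\
2009-04-01T10:00:01 10.0.0.5 www.example.com NOERROR
2009-04-01T10:00:02 10.0.0.5 mail.example.com NOERROR
2009-04-01T10:00:03 10.0.0.5 www.example.org NOERROR
2009-04-01T10:00:04 10.0.0.9 qkxvzpwjtl.info NXDOMAIN
2009-04-01T10:00:04 10.0.0.9 zmrbydhcqa.biz NXDOMAIN
2009-04-01T10:00:05 10.0.0.9 wplkxtvmqrs.org NXDOMAIN
2009-04-01T10:00:05 10.0.0.9 hgtrzbvwqpl.net NXDOMAIN
2009-04-01T10:00:06 10.0.0.9 ufkqzxmtrny.info NXDOMAIN
2009-04-01T10:00:06 10.0.0.9 cjwhpxlvqbm.com NXDOMAIN
2009-04-01T10:00:07 10.0.0.9 nzkqjwtpxyr.ws NOERROR
2009-04-01T10:00:08 10.0.0.9 www.example.com NOERROR
"""


def shannon_entropy(text):
    """Bits of entropy per character; generated labels score higher than words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    """Return the label left of the TLD, e.g. 'example' for 'www.example.com'."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_dns_log(text):
    """Parse the assumed four-column log format into (ts, client, qname, rcode)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append((ts, client, qname.lower(), rcode))
    return records


def host_stats(records):
    """Aggregate per-client query count, NXDOMAIN count, distinct names, entropy."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0,
                                 "names": set(), "entropy_sum": 0.0})
    for _, client, qname, rcode in records:
        s = stats[client]
        s["queries"] += 1
        s["names"].add(qname)
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
        s["entropy_sum"] += shannon_entropy(second_level_label(qname))
    return stats


def score_hosts(records, min_queries=5, nx_ratio=0.5, min_entropy=3.0):
    """Return clients exceeding both the NXDOMAIN-ratio and mean-entropy thresholds.
    The thresholds are illustrative; tune them against a site's own baseline."""
    flagged = {}
    for client, s in host_stats(records).items():
        if s["queries"] < min_queries:
            continue
        ratio = s["nxdomain"] / s["queries"]
        mean_entropy = s["entropy_sum"] / s["queries"]
        if ratio >= nx_ratio and mean_entropy >= min_entropy:
            flagged[client] = {
                "queries": s["queries"],
                "distinct_names": len(s["names"]),
                "nxdomain_ratio": round(ratio, 2),
                "mean_label_entropy": round(mean_entropy, 2),
            }
    return flagged


if __name__ == "__main__":
    for client, info in score_hosts(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(client, info)
```

The NXDOMAIN ratio carries most of the signal: a bot trying tens of thousands of names a day resolves almost none of them, while a browsing user rarely sees NXDOMAIN at all. Entropy is a second gate that keeps hosts with a misconfigured search domain (many NXDOMAINs, but for ordinary-looking names) from being flagged.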

Presumably, the next step in the development of botnet control will be deep use of social networks. Most social networks (personal and public blogs, dating sites, classmate-reunion sites, etc.) provide services that can easily be used to ensure hidden interaction of botnets with each other. A good example is Twitter.
You register several dozen accounts according to a given algorithm, without spending money or hardware resources on registering a domain name and DNS services. Then, with a simple status update on the site, you publish in encrypted form the address of the control server or a botnet directive (where to fetch from and where to deliver). Because social networks carry huge traffic, they are very difficult to police in terms of the creation and registration of new users or communities.
Captchas and other registration protections are overcome by paying for human labor (there are already plenty of such services on the Internet). There can be several thousand registrations per day; for status updates there are already dedicated protocols and client programs from which those protocols can be reverse-engineered. The result is a flexible botnet management system that is shielded from almost every side by the company providing the service.
The previously popular method of controlling a botnet via IRC may well evolve into using Jabber as the control transport. Jabber allows information to be encrypted from sender to recipient and has fairly strong protection from outside intrusion in the form of its normal contact-authorization system. So the control server becomes practically invulnerable to attempts by antivirus companies to seize control. At the moment there are a huge number of web gateways to Jabber, which simplifies the task of retaining control even when Jabber ports are filtered as strictly as possible. "Why Jabber?" you ask. It is very simple: Jabber is gaining momentum, it is open, easy to implement on the client side (XML), and has strong support from fairly large services such as Google, Yandex, LiveJournal, Mail.ru and others.
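Once the control channel hides inside a popular service, blocking by destination stops working, but the bot still has to poll that service on a schedule, and that regularity is visible at the proxy the post mentions. The following is an added example, not code from the original post: it reads constructed proxy log lines of the form `<epoch> <client_ip> <host> <path>` (an assumed format) and reports client/host pairs whose request intervals are too regular to be a person, using the coefficient of variation of the inter-request gaps.

```python
"""Spot regular polling (beaconing) of one web host per client in proxy logs.
Added example; log format and thresholds are assumptions, not from the post."""
import statistics
from collections import defaultdict

# Constructed sample proxy log: "<epoch_seconds> <client_ip> <host> <path>".
# 10.0.0.9 polls a status API every 300 s; 10.0.0.5 browses at irregular times.
SAMPLE_PROXY_LOG = """\
1238580000 10.0.0.9 api.social.example /status/user_timeline
1238580300 10.0.0.9 api.social.example /status/user_timeline
1238580600 10.0.0.9 api.social.example /status/user_timeline
1238580900 10.0.0.9 api.social.example /status/user_timeline
1238581200 10.0.0.9 api.social.example /status/user_timeline
1238581500 10.0.0.9 api.social.example /status/user_timeline
1238580017 10.0.0.5 www.example.com /index.html
1238580142 10.0.0.5 www.example.com /news
1238580151 10.0.0.5 www.example.com /news/1
1238580989 10.0.0.5 www.example.com /about
1238581003 10.0.0.5 www.example.com /contact
1238581480 10.0.0.5 www.example.com /index.html
"""


def parse_proxy_log(text):
    """Parse the assumed four-column format into (epoch, client, host, path)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path = line.split()
        records.append((int(ts), client, host.lower(), path))
    return records


def find_beacons(records, min_requests=5, max_cv=0.1):
    """Return (client, host) pairs whose inter-request gaps are nearly constant.

    cv = population stddev of gaps / mean gap. A fixed-interval poller gives
    cv near 0; human browsing gives gaps that vary by an order of magnitude."""
    by_pair = defaultdict(list)
    for ts, client, host, _ in records:
        by_pair[(client, host)].append(ts)
    result = {}
    for pair, times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue  # burst of requests in one second, not a schedule
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            result[pair] = {"requests": len(times),
                            "mean_gap_s": round(mean_gap),
                            "cv": round(cv, 3)}
    return result


if __name__ == "__main__":
    for (client, host), info in find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)).items():
        print(client, host, info)
```

A real bot may add jitter to its polling interval, so in practice the threshold is set from observed baselines rather than fixed at 0.1, and the pair is then correlated with the other signals the post names (account age, identical status-fetch paths across many clients).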

This is offered as an attempt to show the reverse side of the coin of modern infrastructure development, as well as the misuse of popular services. I have described only 2 options for inappropriate use of services, but there are several dozen, if not hundreds, of them, and by applying some thought to the implementation of various protection and distribution mechanisms, you can get incredible and truly limitless possibilities.


Source: https://habr.com/ru/post/55199/
