ARCHIVE :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FYI: [FD] mitigating botnet C&Cs has become useless (Gadi Evron)



> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Sun, 30 Jul 2006 11:44:33 -0500 (CDT)
> From: Gadi Evron <ge@xxxxxxxxxxxx>
> Subject: [Full-disclosure] mitigating botnet C&Cs has become useless
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Message-ID: <Pine.LNX.4.21.0607301143140.15324-100000@xxxxxxxxxxxx>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> 
> I decided to email this here as well. I don't speak much of botnets in the
> security community, but rather in the network world, and the interest rate
> has sky-rocketed lately.
> -----
> 
> The few hundred *new* IRC-based C&Cs a month (and change) have been
> around and static (somewhat) for a while now, at a steady rate of change
> which maintains the status quo, plus a bit of new blood.
> 
> In this post I ask the community about what you see, against what we have
> observed, and try and test my conclusions and numbers against your
> findings.
> 
> The subject line "why mitigating botnet C&Cs has become useless" is
> misleading. It has been useless for a long time, but someone had to hold
> back the tide, which several online mitigation communities have been doing.
> 
> Today it has become (close to) completely useless. I will present the case
> on why that is in my opinion, in a few bullets, and we can discuss what
> alternatives we have, or if perhaps I am misreading what's going on.
> 
> *. When a botnet C&C is mitigated, it is immediately re-created on
> another host on the same ISP or another.
> *. Most botnet C&Cs are a part of a larger group, such as an IRC network
> or another, possibly hidden "behind the scenes" network. Lusers are being
> redirected on the spot or reconnect to another host.
> *. Most botnet C&Cs are a compartmentalized group out of the whole,
> possibly a sub-group several tiers down. Much like a terrorism cell.
> *. If the above measures and features fail, most botnets have a secondary
> control channel with which an immense host can be re-directed. This has
> been seen back a few years ago.
> *. Many botnet C&Cs now use fast-flux technology, moving IP addresses
> quite often.
> *. When the C&C is taken down, the bot may not jump to a new host; a new
> one may simply be installed.
> *. Coordinated take-down of entire networks is extremely difficult, relies
> on incomplete intelligence and only takes care of the problem for an
> extremely short period of time until re-assembly.
> 
> The name of the game is the SPBC: Simple Primitive Botnet Control (C&C).
> 
> Simple - as it is simple, vs. a complex dynamic control channel.
> Primitive - old and quite unimpressive.
> Botnet - d'oh
> C&C - Command and Control
> 
> It's simple, we can see most of them with our tools. Primitive, hey, they
> have been using these for a long long time. It works.
> 
> As what we mainly did was concentrate on taking the C&C down, as well as
> academically study how to detect or quantify it, what we achieved was
> teaching the Bad Guys their business. That is yesterday's news.
> 
> They are an oiled machine. We don't hurt them any more. Botnets have
> become mainstream. They are part of sales pitches now.
> 
> SPBC for the botnet controllers these days relies on proven and tested
> techniques, concentrating and backing themselves on:
> Reliability - Efficient and stable.
> Robust - Easily replaced.
> Diverse - varying control channels, from DNS, other IRC servers and direct
> connect to a downloader ready to download a new bot or re-infect a known
> bad network.
> Distributed - need I speak of that one?
> 
> What does taking down C&Cs achieve?
> 1. Coordination on security issues between ISPs, continued and
> peer-pressure based. Slowly but surely becoming more and more LEO,
> regulation and vendor-run in comparison to what it used to be.
> 
> 2. Responsiveness to abuse - gauging ISP response is interesting and shows
> how interested they are.
> 
> 3. Feeling good - cleaning the back yard and moving the problem to someone
> else (another ISP). Hmm, yeah... not really. In most cases the same ISPs
> have the same problems month after month. They just make the C&Cs
> "unknown" vs. "yes, we know where they are".
> 
> We are now past the point where killing C&Cs has been harmful. It
> was. These days the only real use a C&C can have for an organization with
> a network is to check for infected clients connecting in.
> 
> When it was harmful, creating the current situation, we were comfortable
> with it as it helped hold back the immediate problem - which was important
> by itself.
> 
> That's my educated opinion, following this since 1996, and gathering
> statistics for several years, some of which are seen by this community
> every month.
> 
> Please, I would love to hear your opinions, disputes and how you find the
> operational intel on botnet C&Cs useful to this day on networks for
> mitigation purposes.
> 
> Then I would like to try and check my facts against your findings as well,
> and see if my conclusions hold up or if I miscalculated.
> 
> Please try and limit your answers on this thread (unless you start
> another) to network mitigation issues.
> 
> Thank you all for your input. Oh, and I wasn't very accurate. Killing C&Cs
> these days is still harmful, just that now it doesn't even hold back the
> tide.
> 
>       Gadi.
> 
> Note: this is also being sent to the public botnets mailing list and
> NANOG.
> 
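The one operational use the post leaves for C&C intelligence is checking for infected clients connecting out, and the bullet list mentions fast-flux hosting. The Python below is an added example, not part of Gadi's post or of this archive: it matches constructed firewall and DNS resolver log lines against a hypothetical C&C indicator list, and flags names whose resolution pattern (many distinct IPs spread across many /16s, short TTL) looks like fast-flux. The log formats, indicator values and thresholds are all assumptions made for the example.

```python
"""
Operational use of C&C intelligence on a network: flag internal hosts that
talk to known C&Cs, and spot fast-flux-style resolution patterns.

Added example, not part of the original post. All indicators, log lines and
thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from ipaddress import ip_network

# Hypothetical C&C indicators (constructed; not from any real feed).
CC_IPS = {"203.0.113.10", "198.51.100.7"}
CC_DOMAINS = {"irc.example-bad.net", "flux.example-bad.org"}

# Constructed firewall log: "<timestamp> <src> <dst>:<port> <ALLOW|DENY>".
FW_LOG = """\
2006-07-30T10:00:01 10.1.4.22 203.0.113.10:6667 ALLOW
2006-07-30T10:00:02 10.1.4.22 192.0.2.50:80 ALLOW
2006-07-30T10:00:05 10.1.7.9 198.51.100.7:6667 ALLOW
2006-07-30T10:00:06 10.1.8.3 192.0.2.51:443 ALLOW
2006-07-30T10:00:09 10.1.4.22 203.0.113.10:6667 DENY
"""
FW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+):(\d+)\s+(ALLOW|DENY)$")

# Constructed DNS resolver log: "<timestamp> <client> <qname> A <answer> <ttl>".
DNS_LOG = """\
2006-07-30T10:01:00 10.1.9.14 irc.example-bad.net A 203.0.113.10 300
2006-07-30T10:01:05 10.1.9.14 www.example.com A 192.0.2.80 86400
2006-07-30T10:02:00 10.1.2.5 flux.example-bad.org A 198.51.100.7 60
2006-07-30T10:03:00 10.1.2.5 flux.example-bad.org A 203.0.113.99 60
2006-07-30T10:04:00 10.1.6.8 flux.example-bad.org A 192.0.2.120 60
2006-07-30T10:05:00 10.1.6.8 flux.example-bad.org A 198.18.5.5 60
2006-07-30T10:06:00 10.1.6.8 flux.example-bad.org A 100.64.3.3 60
2006-07-30T10:07:00 10.1.2.5 cdn.example.com A 192.0.2.200 120
2006-07-30T10:08:00 10.1.2.5 cdn.example.com A 192.0.2.201 120
2006-07-30T10:09:00 10.1.2.5 cdn.example.com A 192.0.2.202 120
"""
DNS_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+A\s+(\S+)\s+(\d+)$")


def infected_hosts_from_firewall(log, cc_ips=CC_IPS):
    """Map internal source -> set of C&C IPs it connected (or tried) to.
    A DENY is counted too: the attempt itself is the infection signal."""
    hits = defaultdict(set)
    for line in log.splitlines():
        m = FW_RE.match(line.strip())
        if m:
            _ts, src, dst, _port, _action = m.groups()
            if dst in cc_ips:
                hits[src].add(dst)
    return dict(hits)


def parse_dns(log):
    """Yield (timestamp, client, qname, answer_ip, ttl) per A-record line."""
    for line in log.splitlines():
        m = DNS_RE.match(line.strip())
        if m:
            ts, client, qname, answer, ttl = m.groups()
            yield ts, client, qname.lower().rstrip("."), answer, int(ttl)


def infected_hosts_from_dns(log, cc_domains=CC_DOMAINS, cc_ips=CC_IPS):
    """Map client -> set of C&C names it resolved. A query for a known C&C
    name, or an answer that is a known C&C IP, both count."""
    hits = defaultdict(set)
    for _ts, client, qname, answer, _ttl in parse_dns(log):
        if qname in cc_domains or answer in cc_ips:
            hits[client].add(qname)
    return dict(hits)


def fast_flux_candidates(log, min_ips=4, min_prefixes=3, max_ttl=300):
    """Names resolving to many distinct IPs spread over many /16s with a
    short TTL. Thresholds are assumptions; CDNs look similar, so the
    prefix-diversity test and an allowlist are what keep noise down."""
    ips, prefixes, min_ttl = defaultdict(set), defaultdict(set), {}
    for _ts, _client, qname, answer, ttl in parse_dns(log):
        ips[qname].add(answer)
        prefixes[qname].add(ip_network(f"{answer}/16", strict=False))
        min_ttl[qname] = min(ttl, min_ttl.get(qname, ttl))
    return {
        q: {"ips": len(ips[q]), "prefixes": len(prefixes[q]), "min_ttl": min_ttl[q]}
        for q in ips
        if len(ips[q]) >= min_ips and len(prefixes[q]) >= min_prefixes and min_ttl[q] <= max_ttl
    }


if __name__ == "__main__":
    print("firewall hits:", infected_hosts_from_firewall(FW_LOG))
    print("dns hits:     ", infected_hosts_from_dns(DNS_LOG))
    print("fast-flux:    ", fast_flux_candidates(DNS_LOG))
```

Two points worth keeping in mind when running something like this against real logs: a denied connection to a known C&C is still a cleanup ticket for the source host, since the bot is already present; and the fast-flux heuristic is only a triage signal, because CDNs and large mail providers also hand out many IPs with short TTLs, which is why the constructed `cdn.example.com` (three IPs, one /16) is not flagged with the default thresholds.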
Copyright © Lexa Software, 1996-2009.