infrastructure. OSNs feature worldwide availability and load balancing, thus mitigating the traditional scalability limits of centralised C2 channels. They host a rich variety of content enabling the

D.3 C2 communication traffic

Communication pattern analysis. A key

encryption/decryption to mutate the traffic after each hop. It is extremely difficult to identify the original sender and receiver of packets sent over the network. This security has also made it
University of Birmingham | CPNI.gov.uk PAGE 14
Command & Control: Understanding, Denying and Detecting FEBRUARY 2014
C&C Techniques
a target for malware coders, and there have been cases of malware that use the Tor network (and some of its extra features) to aid in command and control. To become a part of the Tor network, one simply has to install a simple piece of software. The machine can then act as a relay node for others, and make use of the Tor network.

One of the more advanced features of Tor is the ability to set up Hidden Services. These allow a server to hide behind a proxy, keeping the actual identity of the server hidden from those who access it. Hidden services work by setting up Rendezvous points. A rendezvous point is a node on the Tor network, which is used as the entry point for the server. Traffic between the rendezvous point and the server is routed in the normal Tor fashion, providing anonymity. A rendezvous point is accessed using an .onion link.

While few examples of actual bots have been identified that use Tor as part of their C&C channel, there is growing evidence that this is occurring on a large scale. In late August/early September 2013 the Tor network experienced a large increase in the number of users [29]. The actual amount of traffic on exit nodes, however, only showed a minimal increase. This was eventually identified to be down to the SDC botnet [134]. The SDC botnet hosts its command and control server behind a Tor hidden service. The botnet, however, shows little activity, and is believed to simply be used for installing other malware.

Case Study: Skynet

Skynet is a moderately-sized (12000

mining and Bitcoin mining. When the malware is installed onto a machine, the Tor client for Windows is also installed, and a Tor hidden service is set up for the machine itself. All C&C communication is performed over a Tor SOCKS proxy running locally on the machine. The hidden service is opened on port 55080. The primary method of C&C is an IRC server hosted behind a Tor hidden service. The server runs at uy5t7cus7dptkchs.onion on port 16667. The controller issues commands to the malware through the IRC channel. These actions can include performing attacks and returning info on the host machines.

The malware also includes a version of the Zeus malware family. Zeus is a very common banking trojan, with a primary goal of stealing personal financial details (for example credit card numbers and online banking passwords). Zeus provides a web-based C&C server, which the controller has hidden behind a second Tor hidden service. By accessing the control server, the researchers were able to recover an XML file containing the current target websites.

The final component of the malware performs Bitcoin mining. The malware includes the open source CGMiner software used for Bitcoin mining, which connects to a number of Bitcoin mining proxy servers. Interestingly, seven IP addresses for proxy servers were found, of which two were active, but none were hidden by Tor.

Due to the use of Tor, it is almost impossible to identify the actual location (and owner) of the command and control servers. Through responses on the Reddit post, plus the botnets

1 http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/

low-latency communications but this is often difficult to achieve when using unobservable communication methods, which often provide a higher-latency form of communication. While this is often deemed unacceptable for the user-base of Tor-like systems where usability is a factor, it is not an issue for malware coders. The most common form of providing unobservable communications is through the use of steganography.

Steganography (Greek: "concealed writing") is the art of writing messages in such a way that nobody, apart from the sender and receiver, suspects the existence of the message. Steganography is an art that has been used for thousands of years, and has been reinvigorated in the digital age. The main purpose of using steganography is that it can make the communication unobservable. There are two ways in which steganography can be used by malware to hide the command and control communications. The first is that the malware can make its communication protocol appear as another, and secondly it can embed itself within otherwise legitimate content online, such as images.

Today most media types, including text, images and video, are capable of containing hidden data in a number of ways. In the simplest cases, this can be achieved by adding extra metadata to files to store the required information,
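The "extra metadata" case just described is also the easiest one for a defender to check for. The following Python, added here as an illustration and not taken from the report, walks the marker segments of a JPEG and flags two cheap hiding spots: a comment or application segment far larger than metadata normally needs, and bytes appended after the end-of-image marker. The sample files and the 64-byte threshold are constructed for the demo; real tooling would baseline segment sizes per camera or editing application.

```python
"""Flag JPEG files carrying hidden data in metadata segments or after EOI.
Added example (not from the CPNI report); sample bytes and thresholds are constructed."""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
COM, APP0, APP15 = 0xFE, 0xE0, 0xEF
MAX_METADATA_BYTES = 64  # demo threshold; tune against a baseline of known-clean files


def jpeg_segments(data: bytes):
    """Walk marker segments up to SOS, yielding (marker, payload_len, payload)."""
    if data[:2] != b"\xff" + bytes([SOI]):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:  # entropy-coded scan data follows; stop walking headers
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        yield marker, length - 2, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def trailing_bytes(data: bytes) -> int:
    """Bytes appended after the EOI marker (viewers ignore them, so they hide well)."""
    eoi = data.rfind(b"\xff" + bytes([EOI]))
    return 0 if eoi < 0 else len(data) - (eoi + 2)


def suspicious_findings(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing odd was seen."""
    findings = []
    for marker, plen, _ in jpeg_segments(data):
        if (marker == COM or APP0 <= marker <= APP15) and plen > MAX_METADATA_BYTES:
            findings.append(f"oversized metadata segment 0x{marker:02X} ({plen} bytes)")
    extra = trailing_bytes(data)
    if extra:
        findings.append(f"{extra} bytes after EOI")
    return findings


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed minimal JPEGs: a clean JFIF header versus a bloated COM segment plus appended data.
# The SOS marker is followed directly by EOI; real scan data is omitted for brevity.
CLEAN_JPEG = b"\xff\xd8" + _segment(APP0, b"JFIF\x00\x01\x02\x00\x00\x01\x00\x01\x00\x00") + b"\xff\xda\xff\xd9"
STEGO_JPEG = b"\xff\xd8" + _segment(COM, b"X" * 200) + b"\xff\xda\xff\xd9" + b"hidden-data"
```

Run `suspicious_findings()` over files pulled from a proxy cache or mail gateway; hits are a triage queue, not proof of steganography, since some legitimate editors write large XMP blocks.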