
All About Botnets: Part 2 - How Botnets Grow, Communicate and Evade Detection

The current generation of bots is complex. They propagate like worms, hide like viruses, and can be leveraged to launch large, coordinated attacks. The most popular techniques botmasters use to herd (gather) bot-infected PCs into a botnet rely on the Domain Name System (DNS). Just as an ISP uses dynamic DNS to assign an Internet domain name to a computer whose IP address changes, bots carry hard-coded domain names registered with dynamic DNS providers. Some newer botnets operate their own distributed DNS services on high port numbers to evade detection by security devices at gateways.

Bots communicate with each other, and with their botmasters, according to well-defined network protocols. Rather than create new network protocols, botnets in most cases use existing communication protocols that are implemented by publicly available software tools.

The IRC protocol predominates in botnet communications. This protocol, designed for group communication in discussion forums called "channels", also allows one-to-one communication via private messages. As such, a botmaster can use IRC to command the whole botnet army (group communication) as well as a few bots selectively (one-to-one communication). Firewalls can be configured to block IRC traffic; however, it is much more difficult to detect IRC channels tunneled inside HTTP.

For this reason, the HTTP protocol is now a popular communication method for botnets. Using HTTP makes a botnet more difficult to detect because its traffic blends into the bulk of ordinary Internet traffic. In addition, most firewall policies are implemented at the network gateway, where they block incoming and outgoing IRC traffic by port; botnets using HTTP can usually pass through such policies unchallenged.
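The point of the two paragraphs above is that a port-based firewall rule catches IRC only on its well-known ports, while the same protocol on a high port or inside an HTTP request body slips past. The following added example (not code from the article or from TrendSecure) classifies constructed sample flows by inspecting the payload for IRC command verbs; the flow records, host names and command list are assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass

# IRC verbs (RFC 1459 names) typical of a bot's join-and-wait-for-orders session.
IRC_COMMANDS = {"NICK", "USER", "JOIN", "PRIVMSG", "TOPIC", "PING", "PONG"}
IRC_LINE = re.compile(rb"^(?::\S+ )?([A-Z]{3,8})(?: [^\r\n]*)?$")
IRC_PORTS = {6667, 6697}  # what a port-based firewall rule would block

@dataclass
class Flow:
    dst_port: int
    payload: bytes

def irc_commands(data: bytes) -> list:
    """Return IRC command verbs found at the start of line-delimited text."""
    found = []
    for line in re.split(rb"\r?\n", data):
        m = IRC_LINE.match(line.strip())
        if m and m.group(1).decode() in IRC_COMMANDS:
            found.append(m.group(1).decode())
    return found

def classify(flow: Flow) -> str:
    """Label a flow by its payload; a port-only rule sees just the first case."""
    if flow.payload.startswith((b"GET ", b"POST ")):
        _head, _, body = flow.payload.partition(b"\r\n\r\n")
        return "irc-tunneled-in-http" if irc_commands(body) else "http"
    if irc_commands(flow.payload):
        return "irc-standard-port" if flow.dst_port in IRC_PORTS else "irc-nonstandard-port"
    return "other"

# Constructed sample flows (not real captures); c2.example is a placeholder host.
SAMPLE_FLOWS = {
    "plain_irc": Flow(6667, b"NICK bot-7f3a\r\nUSER bot 0 * :bot\r\nJOIN #ctrl\r\n"),
    "highport_irc": Flow(33445, b":c2 PRIVMSG #ctrl :update\r\nPONG :c2\r\n"),
    "tunneled": Flow(80, b"POST /gate HTTP/1.1\r\nHost: c2.example\r\n"
                         b"Content-Length: 27\r\n\r\nNICK bot-7f3a\r\nJOIN #ctrl\r\n"),
    "web": Flow(80, b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:14s} port={flow.dst_port:<6d} -> {classify(flow)}")
```

Only the first sample would be stopped by a rule that blocks ports 6667 and 6697; the other two IRC sessions are visible solely through payload inspection.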

Some more advanced botnets use IM protocols and peer-to-peer (P2P) protocols. Although the number of botnets that use protocols other than IRC and HTTP is relatively small, these protocols may see wider use in the future, which will make botnet detection harder still.

Botnets are becoming more sophisticated every day, and thus better at evading detection. Not only are state-of-the-art bots better able to evade AV (anti-virus) engines and signature-based intrusion detection systems, they are also more evasive against anomaly-based detection systems. Botnets evade AV and signature-based IDS via methods such as executable packers, rootkits, and protocol evasion techniques, which also improve the survivability of botnets and the success rate of compromising new hosts. Botnets have also added - and continue to add - new mechanisms that hide traces of their communication. As noted above, some botnets are already moving away from IRC, to either modified IRC protocols or HTTP and VoIP protocols. Sometimes, bots use encryption schemes to prevent their content from being revealed. State-of-the-art botnets now use TCP (Transmission Control Protocol) tunneling, ICMP (Internet Control Message Protocol) tunneling, and even IPv6 (the latest version of the Internet Protocol) tunneling. The appearance of these new botnets in abundance is just a matter of time.

New developments in bot and botnet techniques, as well as new botnet detection/prevention schemes, will continue to escalate the security war.