The Command & Control (C2) network is the heart of any botnet. If you lose your command and control channel, then your bots are left in the wild with no way to reach them, stuck on their last instruction. In this talk we will explore ways to ensure that your command and control network is tolerant to changes and can adapt to servers being dynamically added to and removed from the network, as well as the organization of bots and how they connect to your C2 infrastructure.
3. INTRODUCTION
WHOAMI
▸ 4th Year BS/MS Computing Security RIT
▸ Former Tech-Lead and VP of RIT’s Competitive Cybersecurity Club (RC3)
▸ Captain of RIT’s 2015 CPTC Team
▸ Giving my first talk ever!!!!
4. INTRODUCTION
WHAT’S IN SCOPE
▸ Command and Control (C2) Servers
▸ C2 Channels
▸ Server-to-server communication
▸ Client check-in
5. INTRODUCTION
WHAT’S NOT IN SCOPE
▸ Clients in general
▸ Clients managing callback domains
▸ Secure storage of information on clients
▸ Reverse engineering to find callback locations
8. BOTNET OVERVIEW & HISTORY
WHAT ARE BOTNETS
▸ “A botnet is a number of Internet-connected computers communicating with other similar machines in which components located on networked computers communicate and coordinate their actions by command and control (C&C) or by passing messages to one another (C&C might be built into the botnet as P2P).” - Wikipedia
9. BOTNET OVERVIEW & HISTORY
WHAT ARE BOTNETS
▸ In other words, a network of computers that talk to each other or to a server, which gives them instructions
▸ Malicious or benign
▸ Malicious: Zeus, the infamous banking malware
▸ Benign: http://setiathome.berkeley.edu/
10. BOTNET OVERVIEW & HISTORY
WHAT ARE USES FOR BOTNETS
▸ DDoS attacks
▸ Email spamming
▸ Seeding torrents from leaked documents
▸ Botnet as a Service (BaaS)
11. BOTNET OVERVIEW & HISTORY
BRIEF BOTNET HISTORY
▸ Bagle, 2004 - 230,000 nodes
▸ Conficker, 2008 - Millions of nodes, with a portion of them in the botnet
▸ Zeus, 2010 - 3,000,000+ in the US
12. BOTNET OVERVIEW & HISTORY
BOTNET TERMS
▸ Bot Master
▸ C2 Server
▸ Relay Node / Stepping Stone
▸ Bot / Zombie
13. BOTNET OVERVIEW & HISTORY
CLIENT-SERVER ARCHITECTURE
[Diagram: the bot master at the top feeds three C2 servers; four relay nodes sit between the C2 servers and the bots, which connect only to the relay nodes]
15. BOTNET OVERVIEW & HISTORY
BOT / ZOMBIE
▸ The malware that you have installed on the target
▸ Ideally in large numbers
▸ Will execute commands given by the C2 servers
17. BOTNET OVERVIEW & HISTORY
RELAY NODE / STEPPING STONE
▸ Forwards connections from bots to C2 servers
▸ Protects the real locations of the C2 servers
▸ Could be as simple as a SOCKS proxy
▸ Could be as complex as rotating through known domains
▸ Your bots are tolerant to losing these connections
19. BOTNET OVERVIEW & HISTORY
C2 SERVER
▸ Holds commands from bot master
▸ Accepts connections from bots and dispenses commands
▸ Holds the files that will be downloaded by the bots
▸ A concept of C2 channels
▸ Different methods of delivering commands
▸ Can have different channels in the same network
21. BOTNET OVERVIEW & HISTORY
BOT MASTER
▸ The person who controls all of the bots
▸ Inserts commands into C2 servers
▸ Can divide bots into logical groups
▸ Can specify what the bots will do
▸ Limited by the commands and intention of the botnet
23. C2 CHANNELS
C2 CHANNELS
▸ A means of transmitting information to bots
▸ Can be done through many different protocols
▸ Attempt to hide in plain sight
▸ Use whatever traffic looks normal
26. IRC C2
IRC C2
▸ Clients connect to an IRC server
▸ Clients connect to IRC channels to wait for messages from the master
▸ Relies on the IRC infrastructure to deliver the messages
▸ Change channels every so often
27. IRC C2
ADVANTAGES TO USING IRC
▸ Easy setup
▸ Easy command distribution
▸ Send commands in plain English
28. IRC C2
DISADVANTAGES TO USING IRC
▸ Commands in plain English
▸ Unencrypted communications to the IRC server
▸ If bots do not validate the user, it is easy to reverse engineer the bot and inject commands
▸ Relatively easily hijackable
30. IRC INSPIRED C2 NETWORK
IRC INSPIRED C2 NETWORK
▸ Not using IRC
▸ Build a network of C2 servers close to how IRC operates
▸ IRC works as a spanning tree
31. IRC INSPIRED C2 NETWORK
WHY NOT USE IRC’S SPANNING TREE?
▸ The spanning tree poses a redundancy problem
▸ Imagine if you lose a middle branch
▸ Causes network segmentation
▸ The 2 sections become disjoint
32-38. IRC INSPIRED C2 NETWORK
IRC NETWORK MESSAGE PROPAGATION
[Diagram sequence: six IRC servers (1 to 6) linked as a spanning tree; a message entering at one server is relayed hop by hop until every server holds a copy]
39-44. IRC INSPIRED C2 NETWORK
IRC NETWORK DIAGRAM
[Diagram sequence: the same six-server spanning tree (servers 1 to 6), stepped through over six slides]
45. IRC INSPIRED C2 NETWORK
SOLUTION: PARTIAL MESH
▸ Take the concept of forwarding commands to servers
▸ Ensures that each server will have the same database
▸ If organized correctly, can be tolerant of mild to medium losses
▸ If somebody dismantles 85% of your network, it will be hard to ensure fault tolerance
▸ More practical and realistic than full mesh
46. IRC INSPIRED C2 NETWORK
DESIGN CHOICES
▸ Go is the language of choice
▸ Redundant messages are a problem
▸ Better than implementing a full P2P routing mechanism
▸ Could use BATMAN, but that’s hard with Go?
▸ Partial vs Full Information Chain
▸ Full would increase traffic size
47. IRC INSPIRED C2 NETWORK
ALGORITHM
▸ Server establishes connection with peer C2 server
▸ Command DB updated
▸ Server notifies all other peer servers
48. IRC INSPIRED C2 NETWORK
PEER SERVER CONNECTION
▸ Server contacts other server
▸ Servers validate each other’s authenticity
▸ Maintain comms at a periodic interval or over a constant command channel
49. IRC INSPIRED C2 NETWORK
COMMAND DB UPDATED
▸ Could be done by the Bot Master manually
▸ Could be from an update from a peer server
▸ Server will silently ignore duplicate messages
▸ Server will then notify all other peers
50. IRC INSPIRED C2 NETWORK
SERVER TO SERVER UPDATES
▸ Server will update all other peers that it did not receive an update from
▸ Server will attach a partial information chain
▸ Each update contains a partial information chain
51. IRC INSPIRED C2 NETWORK
PARTIAL INFORMATION CHAIN
▸ Partial information chain contains the IDs of each server that the update is being sent to
▸ If a peer’s ID is already in the chain, the server will not notify that peer
▸ Remember that a server ignores the updates that it has already received
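The replication rules from the ALGORITHM through PARTIAL INFORMATION CHAIN slides (update the command DB, notify every peer not already in the chain, attach the chain, silently ignore duplicates), modelled in Go as an added example that is not the talk's or the project's code. Replicate builds a mesh from a constructed edge list, optionally deletes one server to stand in for a dismantled node, injects a single command at the bot master's server and reports which servers' command DB received it and how many server-to-server messages that took; run on the six-server spanning tree of the IRC slides versus a partial mesh it shows both the segmentation problem and the redundant-message cost mentioned under DESIGN CHOICES. The server IDs, edge lists and the synchronous in-memory delivery are assumptions of the model.

```go
package main

// Mesh maps each C2 server ID to its peer IDs (an undirected partial mesh).
type Mesh map[int][]int

// deliver applies the slide algorithm at server `to`: chain is the partial
// information chain (IDs the update was already addressed to); a duplicate
// (already in seen) or a dismantled server (absent from the mesh) is silently
// ignored, otherwise the server stores the command and notifies every peer
// not in the chain. It returns the number of server-to-server messages sent.
func (m Mesh) deliver(to int, chain, seen map[int]bool) int {
	peers, alive := m[to]
	if !alive || seen[to] {
		return 0
	}
	seen[to] = true
	next := map[int]bool{to: true} // chain forwarded with this round's targets
	for id := range chain {
		next[id] = true
	}
	var targets []int
	for _, p := range peers {
		if !chain[p] {
			targets = append(targets, p)
			next[p] = true
		}
	}
	sent := len(targets)
	for _, p := range targets {
		sent += m.deliver(p, next, seen)
	}
	return sent
}

// Replicate builds the mesh from an edge list, deletes server lost (0 = none),
// injects one command at origin (the bot master's manual DB update) and returns
// the set of servers whose command DB received it plus the message count.
func Replicate(edges [][2]int, lost, origin int) (map[int]bool, int) {
	m := Mesh{}
	for _, e := range edges {
		m[e[0]] = append(m[e[0]], e[1])
		m[e[1]] = append(m[e[1]], e[0])
	}
	delete(m, lost)
	seen := map[int]bool{}
	msgs := m.deliver(origin, map[int]bool{}, seen)
	return seen, msgs
}
```

On the constructed tree 1-2, 1-3, 2-4, 3-5, 3-6, losing server 3 leaves only servers 1, 2 and 4 with the command, while the partial mesh with links 3-4, 4-6 and 5-6 added still reaches every surviving server, at the cost of 7 messages instead of the tree's 5 when nothing is lost.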
56-65. IRC INSPIRED C2 NETWORK
C2 NETWORK: 3 NODES
[Diagram sequence: servers 1, 2 and 3 as a C2 mesh, later joined by server 4; each update arrow is labelled with the partial information chain it carries (chains shown: "2", "3", "3, 4")]
66-71. IRC INSPIRED C2 NETWORK
C2 NETWORK: 6 NODES
[Diagram sequence: six C2 servers in a partial mesh; each update arrow is labelled with its partial information chain (chains shown: "2", "1, 2", "3, 5", "4, 6", "6")]
72. IRC INSPIRED C2
WHERE DOES THE FAULT TOLERANCE COME IN?
▸ The fault tolerance is a combination of things
▸ Server command DB updates and synchronization
▸ Clients having a chain of domains to contact in the C2 network
▸ Clients have the ability to contact any server in the network to receive commands
74. PROJECT GOALS
SHORT TERM GOALS
▸ Server accepts communications from clients
▸ Default channel placement. Only 1 channel supported for now :(
▸ Server responds to command request for client
▸ Database replication is supported by default
75. PROJECT GOALS
LONG TERM GOALS
▸ TLS Cert generation and validation
▸ Full forwarding and database replication
▸ Web Administration Panel
▸ Dispense modules to clients
▸ HTTP/HTTPS C2
▸ Potential framework for automated deployment
76. PROJECT GOALS
IMPROVEMENTS
▸ Things that definitely need to be changed
▸ Using an actual database rather than plain data types
▸ Proper client and server ID differences
80. SPECIAL THANKS & REFERENCES
SPECIAL THANKS
▸ Jaime Geiger
▸ Encouraging me to do this talk
▸ Brad Campbell
▸ Introducing me to Golang
▸ Design assistance
▸ General concept checking
81. SPECIAL THANKS & REFERENCES
REFERENCES
▸ Definition of Botnet: https://en.wikipedia.org/wiki/Botnet
▸ Botnet Number Figures: https://en.wikipedia.org/wiki/Botnet#Historical_list_of_botnets