Leveraging Honest Users: Stealth Command-and-Control of Botnets

Botnets are large networks of infected computers controlled by an attacker. Much effort has already been invested in the detection and analysis mechanisms, capable of defusing this type of threat. However, botnets have been constantly evolving, and will certainly continue to do so. We must, therefore, make an effort to foresee and study possible future designs, if we are to be capable of timely development of adequate defense mechanisms. Many of the most recent methods to detect and analyze botnets are based upon the vulnerabilities of their command-and-control (C2) infrastructure. We thus believe that attackers will follow a predictable evolutionary pattern, and start using designs with more robust and stealth C2 channels, thus minimizing the risk of shutdown or infiltration. In this paper, we will therefore analyze in detail a new kind of botnet C2 infrastructure, where bots do not possess any information concerning command-and-control mechanisms. These stealth, isolated bots are controlled through honest participants not pertaining to the botnet. This architecture eliminates the possibility of estimation of the botnet size, minimizes the probability of detection of individual bots, and eliminates the possibility of researcher infiltration.