2 min read

Welcome to the Botnet!

Bogdan BOTEZATU

July 30, 2008

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Welcome to the Botnet!
After all, an isolated bot is of no use, since it can not receive commands or data to be processed locally. That is why botmasters pay extra attention to connectivity and try to get the best out of the network while keeping a high level of anonymity.
Each time a bot infects a computer, it has to connect back to a predefined rally-point (usually the command center), in order to register with the botnet. This is one of the trickiest aspects of setting up a botnet, as any minor flaw can throw the botmaster in jail or have the command center take down. Bots usually come with hardcoded rally point addresses, and using static IPs would only make the person behind the botnet easier to catch by authorities by simply looking up which user has been assigned the specific hardcoded IP.
This is why most of the experienced botmasters usually ditch static IPs in favor of dynamic ones, also known as dynamic DNS. Such services allow bot herders to anonymously direct all the requests for a domain name to a different IP. Most botmasters use dynamically-allocated IPs to host their command and Control centers, which are harder to track, shutdown or ban. Each time an IP has been blacklisted and blocked by security software, botmasters would renew their IP addresses, and then they would update the IP address references for the dynamic DNS entries in order to point to the new IP address.
However, as many dynamic DNS service providers have strict terms and conditions, bot herders could end up with their account suspended. In order to overcome this shortcoming, botmasters usually rely on services that are less cooperative with the authorities. Moreover, such services are almost always offered for free, which means that there would be no contract, credit card number or identification details for the authorities to trace.
Distributed DNS services are also extremely appealing to botmasters. Such services are comprised of multiple systems that deal with resolving names for a specific domain. Remote attackers often run DDNS software on the compromised computers that are part of the botnet, as well as on servers that are highly unlikely to cooperate with the police for deactivation; this way, the rally mechanism is extremely difficult to take down. However, although DNS services are highly flexible and offer increased control over the botnet, setting up such systems is extremely complex as compared to dynamic DNS services.

tags


Author


Bogdan BOTEZATU

Bogdan is living his second childhood at Bitdefender as director of threat research.

View all posts

You might also like

Bookmarks


loader