BOTNETS

Welcome to the Botnet!

Connectivity is a critical aspect when it comes to botnets.
After all, an isolated bot is of no use, since it cannot receive commands or data to be processed locally. That is why botmasters pay extra attention to connectivity and try to get the best out of the network while keeping a high level of anonymity.
Each time a bot infects a computer, it has to connect back to a predefined rally point (usually the command center) in order to register with the botnet. This is one of the trickiest aspects of setting up a botnet, as any minor flaw can land the botmaster in jail or get the command center taken down. Bots usually come with hardcoded rally-point addresses, and using static IPs would only make the person behind the botnet easier for authorities to catch, by simply looking up which customer has been assigned the hardcoded IP.
This is why most experienced botmasters ditch static IPs in favor of dynamic ones, reached through dynamic DNS. Such services allow bot herders to anonymously redirect all requests for a domain name to a different IP. Most botmasters use dynamically allocated IPs to host their command and control centers, which are harder to track, shut down or ban. Each time an IP has been blacklisted and blocked by security software, the botmaster renews the IP address and then updates the dynamic DNS entry so that the domain name points to the new address.
However, as many dynamic DNS service providers have strict terms and conditions, bot herders could end up with their accounts suspended. To overcome this shortcoming, botmasters usually rely on services that are less cooperative with the authorities. Moreover, such services are almost always offered for free, which means there is no contract, credit card number or identification detail for the authorities to trace.
Distributed DNS services are also extremely appealing to botmasters. Such services consist of multiple systems that resolve names for a specific domain. Remote attackers often run DDNS software on the compromised computers that are part of the botnet, as well as on servers that are highly unlikely to cooperate with the police on deactivation; this way, the rally mechanism is extremely difficult to take down. However, although distributed DNS services are highly flexible and offer increased control over the botnet, setting them up is far more complex than using a dynamic DNS service.
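The rally-point behaviour described above leaves a footprint a defender can look for: one hostname whose resolution hops across several addresses within a short period, with short TTLs so the bots pick up each change quickly. The following is an added example (not code from the original article or from Bitdefender) that scans constructed passive-DNS observations for that pattern; the names, addresses and thresholds are invented for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed passive-DNS observations: (timestamp, queried name, resolved IP, TTL seconds).
# All names and addresses are made up for this example.
SAMPLE_RECORDS = [
    ("2023-03-01T08:00:00", "updates.example-dyn.test", "198.51.100.10", 60),
    ("2023-03-01T09:30:00", "updates.example-dyn.test", "198.51.100.77", 60),
    ("2023-03-01T11:05:00", "updates.example-dyn.test", "203.0.113.5", 30),
    ("2023-03-01T13:40:00", "updates.example-dyn.test", "203.0.113.99", 60),
    ("2023-03-01T08:10:00", "www.example.test", "192.0.2.20", 3600),
    ("2023-03-01T12:10:00", "www.example.test", "192.0.2.20", 3600),
    ("2023-03-01T08:20:00", "cdn.example.test", "192.0.2.30", 300),
    ("2023-03-01T10:20:00", "cdn.example.test", "192.0.2.31", 300),
]


def find_rotating_names(records, window=timedelta(hours=24), min_ips=3, max_ttl=300):
    """Return {name: {"distinct_ips": n, "max_ttl": t}} for every name that resolved
    to at least `min_ips` different addresses inside one `window`, where every
    observation in that window carried a TTL of at most `max_ttl` seconds.
    This is a triage signal, not proof: CDNs and load balancers rotate too."""
    by_name = defaultdict(list)
    for ts, name, ip, ttl in records:
        by_name[name].append((datetime.fromisoformat(ts), ip, ttl))

    flagged = {}
    for name, rows in by_name.items():
        rows.sort()  # time-ordered so a sliding window works
        best = None
        start = 0
        for end in range(len(rows)):
            # shrink the window from the left until it spans at most `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            ips = {ip for _, ip, _ in span}
            ttl_cap = max(ttl for _, _, ttl in span)
            if len(ips) >= min_ips and ttl_cap <= max_ttl:
                if best is None or len(ips) > best["distinct_ips"]:
                    best = {"distinct_ips": len(ips), "max_ttl": ttl_cap}
        if best is not None:
            flagged[name] = best
    return flagged


if __name__ == "__main__":
    for name, info in find_rotating_names(SAMPLE_RECORDS).items():
        print(f"{name}: {info['distinct_ips']} addresses in 24h, TTL <= {info['max_ttl']}s")
```

Hits should be cross-checked against known CDN ranges and the host's reputation before anyone acts on them; the value of the check is in narrowing what an analyst has to look at.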

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beaten with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.