Botnet masters turn to Google, social networks to avoid detection

Cybercriminals turn to cloud computing to feed commands to the throngs of zombie computers under their control and avoid detection.

Twitter, Facebook and other social networks, as well as a number of Google services, are being eyed by cybercriminals not only to steal user data, but to use their storage and bandwidth for certain botnet command-and-control capabilities.

The occurrences have been detected in greater numbers in recent months by various security firms. Cybercriminals behind many botnets remotely control zombie machines via a single communication channel, such as Internet relay chat (IRC) and a command-and-control server to dictate orders and collect stolen data. Another method to dictate orders is via a peer-to-peer protocol, a method still used to command portions of the botnet created by the notorious Conficker worm.

But it has become too easy for security researchers to detect, track and filter botnet traffic, experts say. The number of IRC botnets is on the decline. Two-thirds of IRC botnets are shut down within 24 hours, said Jose Nazario, a botnet expert and senior security engineer for Lexington, Mass.-based Arbor Networks Inc. It appears bot masters are testing out ways to take advantage of free storage and bandwidth offered by cloud-based services to make it more difficult for people to weed out and eradicate malicious traffic.

"When they shift over to cloud what they get is resiliency and anonymity," Nazario said. "There's no way Google can give us access to source code because there's legal barriers these guys have to deal with." 

Security researchers at Arbor Networks have discovered the latest occurrence -- a Google AppEngine application used by cybercriminals to feed commands to zombie computers that make up a botnet.

The application functions as a switch to feed URLs to zombie machines, and then to a webpage where they can download additional instructions and malware. Nazario said the links led to a site hosted by a small ISP based in the United States. Google was contacted and the AppEngine application was taken down. The ISP unwittingly hosting the second stage malware has also taken it down.

Launched in April 2008, Google AppEngine is a cloud-based service that enables application developers to build and run Web applications on Google's distributed infrastructure. The service gives developers 500MB of space and bandwidth for about 5 million page views per month. Once the space and bandwidth are exceeded, Google charges for the service.

Content hosting sites, including Google, Facebook, Twitter and others, need to do a better job screening user-uploaded content for executable files and links that lead to servers hosting malware, Nazario said. Enterprises need to be on the lookout as well. Network administrators need to follow the URL stream to detect botnet traffic originating from company machines. It's a problem that will only get worse as bot masters improve their methods, he said.
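As an added illustration (not code from the article or from Arbor Networks), one way to follow the URL stream in proxy logs is to look for the two-hop pattern described above: a request to an application on a trusted hosting platform, followed within seconds by a binary download from a host almost no other client contacts. The log format, host names, platform suffix, thresholds and content types below are all constructed assumptions.

```python
from collections import defaultdict

# Assumption: placeholder suffix standing in for a whitelisted app-hosting platform.
TRUSTED_SUFFIXES = (".apphost.example",)
WINDOW = 30        # max seconds between the switch request and the follow-up fetch
RARE_CLIENTS = 1   # follow-up host is "rare" if at most this many clients contact it
RISKY_TYPES = {"application/octet-stream", "application/x-msdownload"}

# Constructed proxy log: epoch, client, host, path, content type
SAMPLE_LOG = """\
1000 10.0.0.5 updates-switch.apphost.example /next text/plain
1004 10.0.0.5 files.smallisp.example /a.bin application/octet-stream
1010 10.0.0.7 notes-app.apphost.example /list text/html
1012 10.0.0.7 cdn.vendor.example /app.js text/javascript
1015 10.0.0.8 cdn.vendor.example /app.js text/javascript
1900 10.0.0.5 updates-switch.apphost.example /next text/plain
1903 10.0.0.5 files.smallisp.example /b.bin application/octet-stream
2000 10.0.0.9 intranet.corp.example /setup.exe application/x-msdownload
"""

def parse(log):
    for line in log.splitlines():
        ts, client, host, path, ctype = line.split()
        yield int(ts), client, host, path, ctype

def find_chains(log):
    """Return {(client, switch_host, second_host): hits} for suspicious chains."""
    events = sorted(parse(log))
    clients_per_host = defaultdict(set)
    for _, client, host, _, _ in events:
        clients_per_host[host].add(client)
    last_switch = {}           # client -> (timestamp, trusted-platform host)
    chains = defaultdict(int)
    for ts, client, host, _, ctype in events:
        if host.endswith(TRUSTED_SUFFIXES):
            last_switch[client] = (ts, host)
            continue
        prev = last_switch.get(client)
        if (prev and ts - prev[0] <= WINDOW and ctype in RISKY_TYPES
                and len(clients_per_host[host]) <= RARE_CLIENTS):
            chains[(client, prev[1], host)] += 1
    return dict(chains)
```

A chain that repeats for the same client, as it does for 10.0.0.5 in the sample, is a stronger signal than a single hit and is worth prioritizing for review.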

Last week, researchers at Symantec Corp. detected the Whitewell Trojan using Facebook to link to a command-and-control server to receive its orders. The Trojan logs into the mobile version of Facebook to receive configuration data before being forwarded to a Web server to download malware.

In 2008, Symantec saw 15,197 distinct new bot command-and-control servers, of which 43% were over IRC channels and 57% over HTTP, said Vincent Weafer, vice president of Symantec Security Response. Weafer said HTTP communications can be used to disguise botnet traffic to make it difficult to distinguish malicious traffic from legitimate HTTP traffic. Most HTTP bot transmissions are either encrypted or use fast flux to avoid detection.

"To filter the traffic, organizations would have to inspect the encrypted HTTP traffic and identify and remove bot-related traffic while still allowing legitimate traffic to pass through. Because of this, it is very difficult to pinpoint and disable a C&C [command-and-control] structure," Weafer said. "It is also unreasonable to block HTTP traffic since organizations depend on legitimate HTTP traffic to conduct day-to-day business." 

Google services have played host to a number of nefarious activities. In September, researchers at Symantec Security Response discovered command-and-control data streaming through Google Groups, Google's online discussion forums. The Trojan was coded to log in to Google Groups and was then redirected to a webpage containing encrypted commands. Symantec said the Trojan then posted the data it collected from victims' machines to the newsgroup.

Botnets are also becoming smaller to avoid detection. As a result, smaller hordes of zombie machines are more valuable on the black market. Weafer said smaller botnets offer a more flexible service model.

"Ten, 10,000 node botnets is far more flexible and resilient than a single 100,000 botnet that could be taken down by cutting off a single C&C server," Weafer said.

Symantec also identified a Trojan downloader using the popular microblogging service Twitter to distribute command-and-control data. The Sninfs Trojan was coded to follow a particular Twitter account where the cybercriminals posted an encoded string that contained two URLs directing the Trojan to and The cybercriminals used pastebin on the two legitimate websites. Pastebin is a Web application which allows people to post source code. The code uploaded by the bot master ordered the Trojan to install a malicious account credential stealing program on victim machines.

Gunter Ollmann, vice president of research for Damballa Inc., an Atlanta, Ga.-based security vendor focusing on botnet detection, called the latest techniques "proof-of-concept." Social network accounts are whitelisted by most security vendors and it's trivial to set up an experiment with an account. Ollmann said it may not be a viable path for bot masters because a competitor may have the ability to hijack a Facebook, Google or Twitter account and gain control of their investment.

"Botnet masters are experimenting with the techniques, evaluating detection probabilities and the length of time before the C&C is closed down," he said. "Relying upon these techniques for C&C probably isn't viable to professional cybercriminals and botnet masters because they represent single points of failure in their C&C."
