Botnet Anonymization: How to Deal with Anonymous Zombies

Posted by Emma Ban on 2014-12-30 16:00:00

Gartner recently announced its predictions on the number of interconnected devices that will make up the Internet of Things (IoT) in the following years: 25 billion connected devices by 2020. This is a clear sign that technological advancements are moving quickly to make our lives easier. Before we get excited, we should take a look at what this means for the dark side of the IoT: internet-connected devices will also make it easier for bot-masters to seize and control thousands, it if not hundreds of thousands, of “zombies”.

While this possibility is far from turning into a “zombie-apocalypse” scenario, it should be treated with great caution. As with any network of endpoints, a degree of control must be maintained. The botnet methods and infrastructure have evolved significantly. Using Tor anonymization to command an entire network of “zombies”, along with multi-tier proxies, is a new trend that raises serious concerns about how these large infrastructures could be dismantled.

In order to get a better understanding of how botnet anonymization works, Bitdefender researchers have analyzed two well-known botnets, CryptoLocker and PushDo.

Botnets_and_Botnet_Anonymization-resize

1. CryptoLocker

When CryptoLocker gains access to a computer, it contacts its command-and-control center (C&C). This in turn, generates a 2048-bit RSA key pair. The public key is sent back to the computer and will be used to encrypt files with specific extensions.
Bitdefender research into Cryptolocker has revealed that the entire anonymization process is handled via multi-tier proxies that hide the communication between bots and the bot master.

  • The Tier-1 proxy server forwards the victim’s traffic to a secondary server to anonymize it and hide the location of the key server.

  • The Tier-2 proxy server takes the information forwarded by the Tier-1 server, filters it and forwards it via GRE tunnels to other servers (most likely Tier-3 proxies). 

Although Cryptolocker may be gone thanks to joint efforts of security companies and law enforcement agencies, there is still the issue of the content delivery network. A botnet’s backbone is the communication infrastructure, and in this case, it is designed not only to scale operations up and provide redundant access to other nodes in case of failure, but also to anonymize the data flow and prevent victims, law enforcement or security organizations from tracing the real operations center.

2. PushDo

Pushdo, a spam Trojan and a malware dropper also uses private and public keys to protect the communication between the bots and the C&C server. Primarily used to send spam from infected machines, it can also download other malicious files. 

It also uses a new DGA (Domain Generation Algorithm) to generate domain names that are different from previously analyzed samples.

After sinkholing one of them, Bitdefender researchers found the number of infected machines calling home to the C&C, and ranked them by country.

Top 3 is represented by India, Vietnam and Iran.

If you’re interested to learn more about botnet anonymization, the mechanisms behind Cryptolocker and PushDo, and what measures you could take to protect against these threats, be sure to download the full Threat Analysis.

botnets and botnet anonymization

Find me on:

Emma Ban

Emma Ban is a Content Writer at Bitdefender. Having worked in the industry for more than three years, in both B2C and B2B areas, she has a deep understanding of the online threats that put at risk the security of both consumers and corporations. Thus, her main focus is to provide insights into security technology trends that enable safe environments for companies and their employees. She thoroughly enjoys traveling and has a special interest in fashion technology.

Topics: Threats, Network Security, Endpoint Security