Abstract
Botnet armies constitute a major and continuous threat to the Internet. Their number, diversity, and power grow with each passing day, and in recent years we have been witnessing their rapid expansion to mobile and even IoT devices. The work at hand focuses on botnets that comprise mobile devices (e.g. smartphones), and aims to raise the alarm on a couple of advanced Command and Control (C&C) architectures that capitalize on Tor’s hidden services (HS) and the DNS protocol. Via the use of such architectures, the goal of the perpetrator is twofold: first, to further obfuscate their identity and minimize the botnet’s forensic signal, and second, to augment the resilience of their army. The novelty of the introduced architectures is that they do not rely on static C&C servers, but on rotating ones, which can be reached by other botnet members through their (varying) onion addresses. Also, we propose a scheme called “Tor fluxing”, which, unlike legacy IP or DNS fluxing, does not rely on DNS resource records of type A but on TXT ones. We demonstrate the soundness and effectiveness of the introduced C&C constructions via a proof-of-concept implementation.
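The abstract contrasts legacy IP fluxing, which rotates A-record answers, with the proposed Tor fluxing, which rotates onion addresses carried in TXT records. The following Python is an added illustration from the defender's side, not code from the paper or its proof-of-concept: it scans a constructed passive-DNS log for both patterns, flagging names that cycle through several IP addresses in A answers and names whose TXT answers carry several distinct onion addresses. The log field order, the distinct-answer threshold and the TTL cut-off are assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed passive-DNS style log (not from the paper). Assumed field order:
# timestamp client qname qtype rdata ttl
SAMPLE_DNS_LOG = """\
2017-09-01T10:00:01Z 10.0.0.12 cdn-update.example TXT "k=x3f2a7bmc4d6e5f7.onion" 60
2017-09-01T10:00:02Z 10.0.0.12 www.example TXT "v=spf1 include:_spf.example -all" 3600
2017-09-01T10:03:00Z 10.0.0.15 fx.example A 198.51.100.7 60
2017-09-01T10:05:01Z 10.0.0.12 cdn-update.example TXT "k=p2q2r4s6t3u3v5w7.onion" 60
2017-09-01T10:06:00Z 10.0.0.15 api.example A 192.0.2.10 300
2017-09-01T10:08:00Z 10.0.0.15 fx.example A 198.51.100.21 60
2017-09-01T10:10:01Z 10.0.0.12 cdn-update.example TXT "k=zz7y6x5w4v3u2t2s.onion" 60
"""

# rdata may contain spaces (quoted TXT payloads), so match it non-greedily
# and anchor the numeric TTL at the end of the line.
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s+(\d+)$")

# Onion addresses are base32 (a-z, 2-7): 16 characters for v2, 56 for v3.
ONION = re.compile(r"\b([a-z2-7]{16}|[a-z2-7]{56})\.onion\b")


def extract_onion_addresses(rdata: str) -> List[str]:
    """Return every onion address embedded in a TXT record payload."""
    return [m.group(0) for m in ONION.finditer(rdata.lower())]


def parse_log(log_text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype, rdata, ttl = m.groups()
        yield {"ts": ts, "client": client, "qname": qname.lower(),
               "qtype": qtype.upper(), "rdata": rdata, "ttl": int(ttl)}


def detect_fluxing(log_text: str, min_distinct: int = 2,
                   max_ttl: int = 300) -> Dict[str, Dict[str, List[str]]]:
    """Flag names that rotate answers with short TTLs (assumed thresholds).

    ip_flux : several distinct IPs in A answers (legacy IP fluxing)
    tor_flux: several distinct onion addresses in TXT answers (Tor fluxing)
    """
    ips = defaultdict(set)
    onions = defaultdict(set)
    for rec in parse_log(log_text):
        if rec["ttl"] > max_ttl:
            continue  # long-lived answers are not rotating rendezvous points
        if rec["qtype"] == "A":
            ips[rec["qname"]].add(rec["rdata"])
        elif rec["qtype"] == "TXT":
            onions[rec["qname"]].update(extract_onion_addresses(rec["rdata"]))

    findings: Dict[str, Dict[str, List[str]]] = {}
    for qname, addrs in ips.items():
        if len(addrs) >= min_distinct:
            findings.setdefault(qname, {})["ip_flux"] = sorted(addrs)
    for qname, addrs in onions.items():
        if len(addrs) >= min_distinct:
            findings.setdefault(qname, {})["tor_flux"] = sorted(addrs)
    return findings


if __name__ == "__main__":
    for qname, kinds in detect_fluxing(SAMPLE_DNS_LOG).items():
        for kind, addrs in kinds.items():
            print(f"{qname}: {kind} with {len(addrs)} distinct answers -> {addrs}")
```

Run over the constructed log, `cdn-update.example` is reported for Tor fluxing (three onion addresses in short-TTL TXT answers) and `fx.example` for IP fluxing (two A answers), while the SPF TXT record and the single stable A record are ignored. The two counters are kept separate on purpose: a TXT answer containing an onion address is itself a signal worth logging, whereas a handful of A answers per name is normal for any load-balanced service, so the A-side threshold would need tuning against local baselines before it is useful.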
© 2017 Springer International Publishing AG
Cite this paper
Anagnostopoulos, M., Kambourakis, G., Drakatos, P., Karavolos, M., Kotsilitis, S., Yau, D.K.Y. (2017). Botnet Command and Control Architectures Revisited: Tor Hidden Services and Fluxing. In: Bouguettaya, A., et al. Web Information Systems Engineering – WISE 2017. WISE 2017. Lecture Notes in Computer Science(), vol 10570. Springer, Cham. https://doi.org/10.1007/978-3-319-68786-5_41
DOI: https://doi.org/10.1007/978-3-319-68786-5_41
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-68785-8
Online ISBN: 978-3-319-68786-5
eBook Packages: Computer Science; Computer Science (R0)