Crimeware is increasing at an exponential rate. Attackers and underground sellers now use crimeware-as-a-service (CaaS) models to sell crimeware services to buyers. These days, one does not need to be tech-savvy to conduct attacks on the Internet, as CaaS has made the process easier.

One of the main CaaS channels is the selling of botnets for nefarious operations, such as DDoS, triggering large-scale phishing attacks, stealing credentials and others. Botnets can also be rented out to buyers on a pay-per-service basis.

So CaaS has become the de facto product in the underground cyber marketplace for earning money by illicit means, i.e. by selling automated crimeware.

Targeted cyber attacks can be dissected into different phases, such as Infection, Command and Control (C&C), Lateral Movement and Data Exfiltration. Targeted cyber attacks are carried out to build distributed and centralized botnets. When the term "HTTP botnets" is used, it refers to botnets that use the HTTP protocol for C&C communication.

Specifically, dissecting the C&C communication between the bot and the attacker-managed server (C&C server) requires understanding how the botnet is architected. For that, it is important to unearth the network communication channels to the C&C server and how exactly the C&C servers are deployed on the web.

In this talk at BSidesSF, we primarily discuss the deployment of HTTP-based botnet C&Cs:

  • The study revolves around the real-time deployment of C&C panels by attackers. A number of techniques for obtaining details about C&C panels will be discussed, along with a number of inherent architectural constraints.
  • The study also busts myths related to the design of crimeware C&C panels and reveals a number of interesting facts that can be used to enhance detection and prevention.
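The abstract's point that HTTP botnets use the same protocol as ordinary browsing, and that unearthing the channel to the C&C server is what enables detection, can be illustrated with a defender-side check. The following is an added example, not code from the talk or its authors: it parses constructed proxy log lines (the hosts, addresses and `/check` path are placeholders, not real indicators) and flags client/host pairs whose request timing is suspiciously regular, the beaconing pattern typical of an HTTP bot polling its C&C panel, while tolerating the small jitter many bots add.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev
# Constructed proxy log lines: "<epoch> <client_ip> <method> <host> <path>".
# Hosts, addresses and paths are placeholders, not real indicators.
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET cdn.example-legit.test /static/app.js
1700000017 10.0.0.5 GET cdn.example-legit.test /static/app.js
1700000023 10.0.0.5 GET cdn.example-legit.test /img/logo.png
1700000900 10.0.0.5 GET cdn.example-legit.test /static/app.js
1700000010 10.0.0.7 POST panel.example-c2.test /check
1700000070 10.0.0.7 POST panel.example-c2.test /check
1700000130 10.0.0.7 POST panel.example-c2.test /check
1700000190 10.0.0.7 POST panel.example-c2.test /check
1700000250 10.0.0.7 POST panel.example-c2.test /check
1700000005 10.0.0.9 POST panel.example-c2.test /check
1700000063 10.0.0.9 POST panel.example-c2.test /check
1700000127 10.0.0.9 POST panel.example-c2.test /check
1700000182 10.0.0.9 POST panel.example-c2.test /check
1700000245 10.0.0.9 POST panel.example-c2.test /check
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Return (timestamp, client, host) tuples; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), m.group(2), m.group(4)))
    return out

def find_beacons(records, min_requests=4, max_cv=0.2):
    """Flag (client, host) pairs whose request gaps are suspiciously regular.
    Regularity = coefficient of variation (stdev / mean) of consecutive gaps."""
    by_pair = defaultdict(list)
    for ts, client, host in records:
        by_pair[(client, host)].append(ts)
    hits = []
    for (client, host), stamps in sorted(by_pair.items()):
        if len(stamps) < min_requests:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # jittered bots still score low; interactive browsing scores high
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            hits.append({"client": client, "host": host, "interval": round(avg, 1), "cv": round(cv, 3)})
    return hits
```

On the sample, the fixed-interval client 10.0.0.7 and the jittered client 10.0.0.9 are both flagged with a 60 s mean interval, while the browsing client 10.0.0.5 is not; in practice the threshold and minimum request count should be tuned against the site's own traffic, and hits are a lead for inspecting the host, not proof of compromise.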