Security Experts Visualize Botnets With an Eye Toward Defense
Not all botnets are organized in the same way. That's the conclusion of a report from Damballa which seeks to categorize the dominate structures. It attempts to explain why certain types of blocking and filtering will work against some botnets, and not for others.
"The 'hybrid' threat banner is often cast about," says Gunter Ollmann, VP of Research, Damballa, an enterprise security company specializing in botnet mitigation "But that label means nothing to teams tasked with defending the enterprise. By explaining the topologies (and their strengths and weaknesses) these teams can better visualize the threat."
The Star structure is the most basic and offers individual bots a direct communication with the Command and Control (CnC) server. It can be visualized in a star-like pattern. However, by providing direct communications with one CnC server the botnet creates a single point of failure. Take out the CnC server and the botnet expires. Ollmann says the Zeus DIY botnet kit, out of the box, is a star pattern, but that botmasters often upgrade, making it multiserver.
"In most cases, particular botnets can be classed as a member of just one CnC topology--but it s often down to the botnet master which one they choose."
Multi- Server is the logical extension of the Star structure using multiple CnC servers to feed instructions to the individual bots. This design, says Ollmann, offers resiliency should any one CnC server go down. It also requires sophisticated planning in order to execute. Srizbi is a classic example of a multi-server CnC topology botnet.
The Hierarchical botnet structure is highly centralized and are often associated with multi-stage botnets--for example botnets who’s bot agents have worm propagation capabilities--and utilize super-node-based peer-to-peer CnC. That means no one bot is aware of the location of any other bots, often making it hard for security researchers to gage the overall size of the botnet. This structure, says Damballa, is best suited for leasing or selling parts of the botnet to others. The downside is that instructions take longer to reach their targets so some kinds of attacks impossible to coordinate.
Random is the reverse of the Hierarchical structure. This botnet is decentralized and using multiple communication paths. The downside is that each bot can enumerate others in the neighborhood, and often communication lags between clusters of bots, again making some attacks impossible to coordinate. Storm would fit Damballa's Random model, as would botnets based off the Conficker malware
The report, Botnet Communication Topologies: Understanding the intricacies of botnet Command-and-Control, also ranked different methods of fast flux, the method by which a CnC server changes its domains on the fly. Damballa found that Domain Flux, a process changing and allocating of multiple Fully Qualified Domain Names to a single IP address or CnC infrastructure, is the most resilient to discovery and mitigation.
Robert Vamosi is a risk, fraud, and security analyst for Javelin Strategy & Research and an independent computer security writer covering criminal hackers and malware threats.