Skip to content ↓ | Skip to navigation ↓

Crimeware is increasing at an exponential rate. Attackers and underground sellers now use crimeware-as-a-cervice (CaaS) models to sell crimeware services to buyers. These days, one does not need to be tech savvy to conduct attacks on the Internet as CaaS has made this process easier.

One of the main CaaS channels is the selling of botnets for nefarious operations, such as DDoS, triggering large scale phishing attacks, stealing credentials and others. Botnets can be rented out to the buyers on pay-per service basis, as well.

So, the CaaS has become the defacto product in the underground cyber marketplace to earn money by illicit means i.e. by selling automated crimeware.

Targeted cyber attacks can be dissected into different phases, such as Infection, Command and Control (C&C), Lateral Movement and Data Exfiltration. Targeted cyber attacks are carried out to build distributed and centralized botnets. When the term “HTTP botnets”  is used, it refers to the botnets that use the HTTP protocol for C&C communication.

Specifically, it is required to understand how the botnet is architected to dissect the C&C communication between the bot and the attacker-managed server (C&C server). For that, it is important to unearth the network communication channels with the C&C server and how exactly the C&C servers are deployed on the web.

In this discussion during BSidesSF, we primarily talk about the deployments of HTTP-based botnet C&Cs:

  • The study revolves around the deployment of C&C panels in real time by the attackers. A number of techniques will be discussed to obtain details about C&C panels. In addition, a number of inherent architectural constraints will be discussed.
  • The study also busts myths related to the design of crimeware C&C panels and reveals a number
    of interesting facts that can be used to enhance the detection and prevention algorithms
    to counter crimeware communications.
  • The talk also covers the different web technologies and associated mechanisms used by
    the attackers to build and deploy C&C panels used for crimeware.

The audience will learn and understand how the attackers are deploying HTTP-based C&C panels for managing crimeware. The threat intelligence provided during this talk will enhance the existing state of detection and prevention algorithms. The study is backed by statistics, which will clarify the preferences and selections that attackers make while deploying C&C panels.

To learn more about my talk, click here.


About the Author: Dr. Sood is a security researcher and consultant. Dr. Sood has research interests in cloud security, malware secure software design and cyber security. He has authored several papers for IEEE, Elsevier, CrossTalk, ISACA, Virus Bulletin,and others. His work has been featured in several media outlets including AP, Fox News, The Register, Guardian, CBC and others. He has been an active speaker at industry conferences and presented at BlackHat, DEFCON, HITB, RSA, Virus Bulletin, OWASP and many others. Dr. Sood obtained his Ph.D from Michigan State University. Dr. Sood is also an author of “Targeted Cyber Attacks” book published by Syngress.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.