Hiding the network behind the network. Botnet proxy business model

Wednesday 24 September 15:00 - 15:30, Red room.

Alexandru Maximciuc, Bitdefender
Cristina Vatamanu, Bitdefender
Razvan Benchea, Bitdefender

   This paper is available online (HTML, PDF).

Over the years, botnet creators have implemented various methods for protecting their networks, and especially their command and control servers. Since hiding a C&C means that the botnet will remain running for longer, specialized hosting services that are able to hide a server behind many proxies have appeared.

During one of our investigations, we discovered a network of this type, which currently has 10 'clients' (10 servers distributing different malware families). This proxy network has two types of redirection, one on the HTTP standard port (protecting the C&C servers) and the other on the UDP standard port (protecting a dedicated server that handles the DNS resolution for domains generated by Domain Generation Algorithms or chosen at will).

This infrastructure is designed in such a way as to allow critical changes to be made in the shortest time. So, any abuse report regarding the proxy nodes is handled immediately. The so-called 'cleaning' is done by making some minor changes to the configuration of the proxy nodes. This is usually achieved through changing the proxies between 'clients'. Therefore the financial loss caused by interruption of the malware is very small.

In this paper we will emphasize the architecture of this network and the changes made during the time we have been monitoring it. In the end we will present some examples of malware families that make use of it.

Alexandru Maximciuc

Alexandru Maximciuc is passionate about reverse engineering, likes Perl and studied mathematics. He has been working for Bitdefender for eight years, and he really likes fighting malware.

Cristina Vatamanu

Cristina Vatamanu graduated from the Faculty of Computer Science at the University of 'Gheorghe Asachi', Iasi and received a Master's degree in 'Embedded Computers' from the same University. She has worked at Bitdefender for four years. Some of her responsibilities (and hobbies) include reverse engineering, exploit analysis and automated systems.

Razvan Benchea

Razvan Benchea is a team leader at Bitdefender, where he coordinates the research team's efforts towards building automated analysis systems. He is a computer science graduate from Alexandru Ioan Cuza University in Iasi, where he also obtained his Master's degree and is now a third-year Ph.D. student. During recent years his research interests have included machine learning, botnet monitoring, exploit analysis and research on mobile threats.

