Hiding the network behind the network. Botnet proxy business model

Wednesday 24 September 15:00 - 15:30, Red room.

Alexandru Maximciuc Bitdefender
Cristina Vatamanu Bitdefender
Razvan Benchea Bitdefender

   This paper is available online (HTML, PDF).

  download slides (PDF)

Over the years, botnet creators have implemented various methods for protecting their networks, and especially their command and control servers. Since hiding a C&C means that the botnet will remain running for longer, specialized hosting services that are able to hide a server behind many proxies have appeared.

During one of our investigations, we discovered a network of this type, which currently has 10 'clients' (10 servers distributing different malware families). This proxy network has two types of redirection, one on the HTTP standard port (protecting the C&C servers) and the other on the UDP standard port (protecting a dedicated server that handles the DNS resolution for domains generated by Domain Generation Algorithms or chosen at will).

This infrastructure is designed in such a way as to allow critical changes to be made in the shortest time. So, any abuse report regarding the proxy nodes is handled immediately. The so-called 'cleaning' is done by making some minor changes to the configuration of the proxy nodes. This is usually achieved through changing the proxies between 'clients'. Therefore the financial loss caused by interruption of the malware is very small.

In this paper we will emphasize the architecture of this network and the changes made during the time we have been monitoring it. In the end we will present some examples of malware families that make use of it.

Click here for more details about the conference.

	Alexandru Maximciuc Alexandru Maximciuc is passionate about reverse engineering, likes Perl and studied mathematics. He has been working for Bitdefender for eight years, and he really likes fighting malware.
	Cristina Vatamanu Cristina Vatamanu graduated from the Faculty of Computer Science at the University of 'Gheorghe Asachi', Iasi and received a Master's degree in 'Embedded Computers' from the same University. She has worked at Bitdefender for four years. Some of her responsibilities (and hobbies) include reverse engineering, exploits analysis and automated systems.
	Razvan Benchea Razvan Benchea is a team leader at Bitdefender, where he coordinates the research team's efforts towards building automated analysis systems. He is a computer science graduate from Alexandru Ioan Cuza University in Iasi, where he also obtained his Master's degree and is now a third-year Ph.D. student. During recent years his research interests have included machine learning, botnet monitoring, exploit analysis and research on mobile threats.