Dennis Brown (Research Engineer, Tenable Network Security)

Presentation Title Resilient Botnet Command and Control with Tor
Presentation Abstract

Botnets pose a danger to all computer users today, but they’re not without their flaws. They all must eventually connect back to a command and control server, and this data, while it may be encrypted, is often distinguishable and detectable. Many systems, such as IDS and other monitoring systems, often rely on domain blacklisting or detection of consistent patterns of activity transmitted by the bot, which may be enough to interrupt a botnets activity.

From the bot herder’s perspective, there’s nothing worse than toiling away at building a large, powerful botnet after months of effort, only to see it get taken down due to being taken down by an ISP, hosting provider or due to law enforcement intervention. A large amount of time and/or money goes into setting up a botnet, and if it is offline, it is unable to recuperate those losses. It is highly desirable for a bot herder to find ways to keep their botnet undetected, unable to be taken down, and most importantly online and available for use.

This presentation focuses on how an bot herder may evade common detection techniques and build a more resilient botnet by using Tor. The centerpiece of this presentation focuses on Hidden Services, a feature of Tor that has been in place since 2004, and is used by organizations such as Wikileaks to keep select servers anonymous. These capabilities are also useful for someone who may be operating a botnet, and provide some inherent advantages over using traditional bulletproof hosting and ordinary domain names, amongst other things, for command and control servers.

In this presentation, several scenarios on how to operate a botnet anonymously via Tor will be shown. It will discuss the strengths and weaknesses of each method, and discuss mitigation and/or detection techniques. Live demonstrations will show effective use of these techniques with popular botnet tool kits used in many recent attacks. Both practical and theoretical approaches will be presented to demonstrate what is possible today with no modification to botnet tool kits such as Zeus, and what may be the future of botnet command and control.

About Dennis Brown

Dennis Brown is a research engineer for Tenable Network Security. He specializes in malware analysis with a penchant for botnet research. Dennis has spoken previously at Defcon 18, Toorcon 10 and 11 and on the PaulDotCom security podcast. He also organizes the DC401 hacker group in Rhode Island and the QuahogCon security conference.