UCSB Researchers Hijack Torpig Botnet

http://www.cs.ucsb.edu/~seclab/projects/torpig/index.html

Botnets - legions of computers controlled by malware and coordinated by a malicious botmaster - are used for many purposes, including spamming, launching distributed denial-of-service attacks, and stealing personal information, but until recently they had never been used for academic research. In early 2009, researchers at the University of California, Santa Barbara, used a vulnerability in the infamous Torpig bot to “hijack” the botnet for a period of ten days and analyze the data it harvested. The full paper offers an interesting look at the methods Torpig uses and how they can be subverted or guarded against and is recommended reading for anyone interested in botnets, but relevant to this course is the Torpig code which simultaneously makes the botnet more robust and offers an intelligent intruder the opportunity to hijack it.

All bots (malware controlling an infected computer) on a given botnet need to communicate with one or more “command and control” servers - to upload stolen credit card numbers, download today’s spam messages and recipient lists, or otherwise carry out the botnet’s purposes. The mechanics of this communication are of interest, since sticking the C&C server’s IP address in the bot’s configuration file is just begging some dark-suited men to show up at your door, and any proxies you route the communication through probably won’t be very happy about it. Most modern botnets register domains for their C&C servers, which are then stored by individual bots, but this still leaves major points of vulnerability in the network - if law enforcement or abuse complaints get these domains pulled, the botnet falls apart. A technique known as “domain flux,” used by Torpig and other sophisticated malware such as Conficker, makes the network much more robust by dynamically generating domain names to check for a valid C&C server, but it also allows an attacker with knowledge of the domain-generation code to hijack the botnet by registering one such domain and setting up a valid C&C server of their own (a process known as “sinkholing”).

Torpig uses the following procedure to generate domains: first, it takes a short list of three-character strings, uses the year and week to select two, and concatenates them. It then sends requests to this string plus .com, .net, or .biz; the first server that identifies itself as a valid C&C server terminates the search, and all further communication is carried out with that server. If none is found, Torpig generates a domain based on the day and repeats the process. If that fails, it moves on to hardcoded domains. Obviously, even with a small number of building blocks, enough domains can be generated this way to let the criminals behind the botnet keep their C&C servers alive even if dozens or hundreds of specific domains are shut down. This flexibility is a double-edged sword, however. Suppose, for instance, that all the domain names for a particular week remain unregistered while the criminals have registered only the daily domains. A clever attacker who knows the algorithm Torpig uses to generate domains, and the communications that identify a server as a valid C&C, can hijack the botnet for that week by setting up such a server and registering one of the weekly domains. Torpig will look for the weekly domain first, find a valid server, and communicate with the hijacker rather than its original botmasters. In fact, this is exactly what the researchers did, accumulating over 70 gigabytes of stolen data from over 180,000 infected computers.

Though a simple blog post can’t do the paper justice (read it, it’s very interesting), the implications of this kind of hijacking for the study of networks are pretty clear. Creating a system which can link to a vast number of potential “targets” - far too many for either you or your opponents to handle - can make a system incredibly robust while at the same time creating massive security holes (security sinkholes?). The odds that Torpig - or Conficker, whose daily generation can produce 50,000 domains! - cannot contact any of its C&C servers for an extended period of time will be minimal if the criminals are smart about registering their domains, since only one connection needs to work; but at the same time, any attacker who knows the workings of this system can play the game just as well as the criminals who set it up. Both will try to register the “domain of the week,” which the bots will communicate with in preference to the daily domains, and it’s entirely possible that this could create a botnet oscillating between various controllers, especially as authorities shut down such domains. In fact, depending on the bot itself and how much control the C&C servers have over it, such an attacker could permanently alter the botnet in a way that prevented the original owner from regaining control, such as changing the building blocks it uses to generate domains to something unknown to the original botmasters! This is exactly what the criminals behind Torpig did after ten days of researcher control; a new Torpig binary with a different domain generation algorithm was distributed to infected computers, ending the hijacking. Presumably, if one were to figure out the new algorithm, the same sort of hijacking could be attempted again. This sort of botnet, then, depends on information asymmetry between its botmasters and would-be attackers, since its very robustness also allows an intelligent attacker to subvert its control.

Posted in Topics: Education
