
Botnet Command and Control Architectures Revisited: Tor Hidden Services and Fluxing

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 10570)

Abstract

Botnet armies constitute a major and continuous threat to the Internet. Their number, diversity, and power grow with each passing day, and in recent years we have been witnessing their rapid expansion to mobile and even IoT devices. The work at hand focuses on botnets that comprise mobile devices (e.g. smartphones), and aims to raise the alarm on a couple of advanced Command and Control (C&C) architectures that capitalize on Tor’s hidden services (HS) and the DNS protocol. Via the use of such architectures, the goal of the perpetrator is twofold: first, to further obfuscate their identity and minimize the botnet’s forensic signal, and second, to augment the resilience of their army. The novelty of the introduced architectures is that they do not rely on static C&C servers but on rotating ones, which can be reached by other botnet members through their (varying) onion addresses. Also, we propose a scheme called “Tor fluxing”, which, as opposed to legacy IP or DNS fluxing, does not rely on A-type DNS resource records but on TXT ones. We demonstrate the soundness and effectiveness of the introduced C&C constructions via a proof-of-concept implementation.
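The Tor-fluxing scheme above moves the C&C rendezvous point into DNS TXT data, which also gives defenders a concrete signal: a TXT answer carrying an onion address, rotated at a short TTL. As an added example that is not from the paper, the Python below scans constructed DNS-answer log lines (the log format and the onion names are assumptions) for TXT answers embedding onion addresses and reports names that churn among several such addresses at low TTL.

```python
import re
from collections import defaultdict

# Onion address forms: v2 = 16 base32 chars, v3 = 56 base32 chars, each followed by ".onion".
ONION_RE = re.compile(r"\b([a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.IGNORECASE)

# Constructed DNS-answer log (format assumed): "<ts> <qname> <qtype> <ttl> <rdata>".
# The onion names below are made up; the SPF record is a benign TXT control case.
SAMPLE_LOG = """\
1000 cdn-static.example TXT 30 "v=1; svc=abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwd.onion"
1005 mail.example TXT 3600 "v=spf1 include:_spf.example -all"
1030 cdn-static.example TXT 30 "v=1; svc=234567abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwd.onion"
1060 cdn-static.example TXT 30 "v=1; svc=abcdefgh23456722.onion"
1070 www.example A 300 192.0.2.10
"""

def parse_line(line):
    """Split one log line into (ts, qname, qtype, ttl, rdata); quotes around rdata are dropped."""
    ts, qname, qtype, ttl, rdata = line.split(" ", 4)
    return int(ts), qname.lower(), qtype.upper(), int(ttl), rdata.strip().strip('"')

def find_onion_txt(log_text):
    """Return (ts, qname, onion, ttl) for every TXT answer whose data embeds an onion address."""
    # Only TXT answers are inspected: that is the record type Tor fluxing relies on instead of A.
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, qname, qtype, ttl, rdata = parse_line(line)
        if qtype != "TXT":
            continue
        for m in ONION_RE.finditer(rdata):
            hits.append((ts, qname, m.group(0).lower(), ttl))
    return hits

def fluxing_names(hits, max_ttl=60, min_distinct=2):
    """Names whose low-TTL TXT answers rotate among at least min_distinct onion addresses."""
    # A single onion in TXT may be a legitimate service advertising its Tor mirror;
    # the fluxing signature is a short TTL plus churn of the advertised address over time.
    seen = defaultdict(set)
    for _ts, qname, onion, ttl in hits:
        if ttl <= max_ttl:
            seen[qname].add(onion)
    return sorted(q for q, onions in seen.items() if len(onions) >= min_distinct)
```

On a real resolver log, feed only answer records to find_onion_txt and review fluxing_names output together with the TTL distribution of the flagged names.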




Corresponding author: Marios Anagnostopoulos.


Copyright information

© 2017 Springer International Publishing AG


Cite this paper

Anagnostopoulos, M., Kambourakis, G., Drakatos, P., Karavolos, M., Kotsilitis, S., Yau, D.K.Y. (2017). Botnet Command and Control Architectures Revisited: Tor Hidden Services and Fluxing. In: Bouguettaya, A., et al. Web Information Systems Engineering – WISE 2017. WISE 2017. Lecture Notes in Computer Science(), vol 10570. Springer, Cham. https://doi.org/10.1007/978-3-319-68786-5_41


  • DOI: https://doi.org/10.1007/978-3-319-68786-5_41


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-68785-8

  • Online ISBN: 978-3-319-68786-5
