Technique Makes Botnets Tougher

Tuesday, January 10, 2017 @ 03:01 PM gHale

“Ghost host” is a technique malware developers are using to ensure command and control (C&C) does not end up blocked, researchers said.

The method involves including unknown host names in the HTTP host fields of a botnet’s communication, Cyren researchers said in a multi-dimensional report focused on botnets.


With these host names being both registered and unregistered, web security and URL filtering systems end up fooled by the technique, the researchers said in a report.

The researchers said one of the malware families using this technique performed DNS resolution on a C&C domain that had been blocked after several security firms flagged it as malicious. HTTP requests to that domain were therefore blocked in networks protected by those vendors.

However, while analyzing the C&C traffic sent by a newly infected bot after the domain had been resolved to its IP address, researchers discovered HTTP transactions informing the C&C server of the successful infection of a new machine.

The destination IP address is the known bad server, but the HTTP host fields used in the HTTP requests belong to completely different domains—what Cyren calls “ghost hosts”. In this case, the fake domain names used were “events.” and “”.

The technique helps the botnet owner in several ways:
1. Web security and URL filtering systems will not block the ghost host names since they only block the originally resolved domain.
2. The botnet owner can manipulate the server to respond appropriately when this “coded” message (using different ghost host names) is received. For example, the response to the request might be the download of a specific type of malware for execution on the bot.
3. Generally, the IP address associated with the C&C URL will not end up blocked, since the server may contain legitimate and malicious content and blocking the entire server IP may prevent users from accessing legitimate services.
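As an added example, not from the Cyren report or this article: a small Python check over constructed DNS and HTTP proxy log records that catches the behaviour described above by pivoting on the destination IP rather than the host name, flagging requests to an IP that the client resolved from a blocked domain regardless of the Host header, and Host headers the client never resolved to that destination. All names, addresses and record layouts are made up for the example.

```python
"""Flag 'ghost host' C&C traffic: HTTP requests whose destination IP was resolved
from a blocked domain, or whose Host header the client never resolved to that IP.
Constructed example data; not taken from any real report."""
from collections import defaultdict

# Constructed DNS resolver log: (client, queried name, resolved IP)
DNS_LOG = [
    ("10.0.0.5", "update.example-cdn.test", "198.51.100.7"),
    ("10.0.0.5", "blocked-c2.test", "203.0.113.9"),   # name already on the blocklist
    ("10.0.0.8", "www.example.test", "192.0.2.10"),
]

# Constructed HTTP proxy log: (client, destination IP, Host header, path)
HTTP_LOG = [
    ("10.0.0.5", "198.51.100.7", "update.example-cdn.test", "/manifest"),
    ("10.0.0.5", "203.0.113.9", "events.ghost.test", "/report"),     # ghost host to bad IP
    ("10.0.0.8", "192.0.2.10", "www.example.test", "/"),
    ("10.0.0.8", "192.0.2.10", "totally-unrelated.test", "/ping"),   # Host never resolved
]

BLOCKED_DOMAINS = {"blocked-c2.test"}  # hypothetical URL-filter blocklist

def resolved_names(dns_log):
    """Map (client, ip) -> set of names that client actually resolved to that IP."""
    table = defaultdict(set)
    for client, name, ip in dns_log:
        table[(client, ip)].add(name)
    return table

def blocked_ips(dns_log, blocked_domains):
    """IPs observed as answers for blocked names; a name-only filter never sees these."""
    return {ip for _, name, ip in dns_log if name in blocked_domains}

def find_ghost_hosts(dns_log, http_log, blocked_domains):
    """Return (client, dst_ip, host, reasons) for every suspicious request."""
    names = resolved_names(dns_log)
    bad_ips = blocked_ips(dns_log, blocked_domains)
    findings = []
    for client, dst_ip, host, _path in http_log:
        reasons = []
        if dst_ip in bad_ips:                       # rule 1: IP, not Host, is the anchor
            reasons.append("dst_ip_resolved_from_blocked_domain")
        if host not in names.get((client, dst_ip), set()):
            # rule 2: Host header with no matching DNS answer from this client.
            # Noisy on CDNs and CNAME chains; treat as corroborating evidence.
            reasons.append("host_header_never_resolved_to_dst_ip")
        if reasons:
            findings.append((client, dst_ip, host, tuple(reasons)))
    return findings
```

Rule 1 is the one that survives a ghost host, because the C&C IP is learned from the client's own DNS answer for the blocked name; rule 2 alone would also fire on legitimate shared hosting, so alert on it only alongside other evidence.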

The Cyren report also covered several other aspects of botnets.

This past year was notable for the rise of ransomware, but in the last few months attention has turned to a fundamental element of the underlying criminal cyber infrastructure—botnets, said Lior Kohavi, chief technology officer at Cyren.

“In July, major attacks using LizardStresser, a distributed denial-of-service (DDoS) botnet using IoT devices, were launched by the Lizard Squad DDoS group,” Kohavi said. “In August, we learned of the first Android-based, Twitter-controlled botnet. September ended with the announcement that cybercriminals had published the source code for a Trojan program called Mirai, designed to infect IoT devices and use these devices to build botnets and launch DDoS attacks. The malware itself was previously in use by a handful of criminals (with hundreds of thousands of IoT devices already infected), but with its public distribution, cybercriminals around the globe now had an easy method to build even more botnets. Botnet highlights in October included the use of a 100,000-device strong botnet to attack the DNS provider Dyn, ultimately bringing down dozens of well-known Internet services, including Airbnb, Etsy, Pinterest, Amazon, PayPal, Twitter, and Netflix, as well as major news outlets, and ISPs, such as Comcast and Verizon.”
