Security Watch: Don't get burned by viruses and hackers
Here come the HTTP bots
By Robert Vamosi 
Senior editor, CNET Reviews
January 11, 2008

For the last few years I've been writing about the emergence of botnets: the use of thousands of backdoor-Trojan-infected computers, all centrally connected to form one very large pipeline. Through that large pipeline we've seen distributed denial-of-service (DDoS) attacks on large companies and governments; we've also seen them used as spam relays; and we've seen them used as a launch point for malicious code. There's even an economy built around the buying and selling of botnets (part 1 and part 2).

In the beginning, the command and control of these patchwork networks occurred through Internet Relay Chat; the IRC command and control (C and C) traffic was often quite visible to sys admins, who, if responsible, would promptly shut them down. Last year, we saw the use of peer-to-peer botnets, with the C and C traffic hidden within legitimate P2P traffic. Now, Dr. Jose Nazario of Arbor Networks has started to see HTTP botnets, where the C and C traffic lies buried within common, everyday HTTP traffic, which leaves anyone hunting for it with a very poor signal-to-noise ratio. HTTP bots appear to be limited to the Russian Federation and nearby countries, but Nazario and others wonder whether HTTP botnets, which use individual HTTP requests to check in and receive instructions instead of a persistent IRC or peer-to-peer connection, could be the next big thing in criminal malware.

Black Energy
One botnet that Nazario has been studying is Black Energy. According to Nazario, the Black Energy code base uses an HTTP POST that contains information describing the bot. The HTTP request sends out a unique identifier, and the server returns via HTTP commands telling it, "OK, for the next thirty minutes or so I want you to launch this DDoS against this target. Here are the parameters of the DDoS."

The point here is that an HTTP bot does not need the persistent connection that peer-to-peer and IRC-based botnets require. That means the HTTP botnet goes stealth, making it harder to find.

Nazario said he's seen other HTTP botnets, such as Mocbot: "It just simply does a GET request and receives back similar series of commands telling it 'Launch this DDoS for so long, etc., and then check back in, say, half an hour or whatever.' So it's a single request that identifies, receives the command and a reply, and then it sort of goes quiet or launches an attack."

Aren't these just Web 2.0 botnets?
Two years ago, I reported on the vulnerabilities in Web 2.0 Web sites. In particular, Billy Hoffman of SPI Dynamics, among others, was commenting on how criminals could use the loose structure of Asynchronous JavaScript and XML, or AJAX, to conceal requests for additional data, such as mapping the internal network of a target server. I asked Nazario if HTTP botnets were taking advantage of the same.

"No," said Nazario, "those (AJAX attacks) are going to be designed to actually compromise a Web server, alter the content there, or maybe install your own content. This is instead set up on a Web site. These contain PHP scripts or CGI bin scripts that are written and (that) interact with an underlying database which contains commands, for example, logging how many bots you've seen that day etc. There's not a third-party application, for example, when you're actually attacking to alter the Web site. So that's the key difference there."

Any way to stop it?
If you're looking for a needle in the HTTP haystack, this would seem to be one. But Nazario said, "If you know what you're looking for, it's pretty easy. If you know, for example, what the requests look like, you can sniff for them, or you can use proxy logs, or you can even install (an) application that filters on a firewall device." He said the same is true with IRC and P2P botnets.

"One of the challenges, however, that this provides compared to an IRC-based botnet, is Web traffic to the outside world by systems is the bulk of the backbone traffic that we see. That and peer-to-peer. So you have to shift through a boatload of data to really figure out, then sort of identify, and then read through all that." That is in contrast to IRC, which Nazario said allows you to run protocol inspection on an IPS, watching for IRC traffic. But with HTTP botnets, "you can't just block the Web. ... The idea here is to basically hide in the flotsam and jetsam of normal Web traffic."
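As an added example of the proxy-log approach Nazario mentions (this is not code from the column or from Arbor Networks), the script below parses constructed proxy log lines and flags clients that make small, evenly spaced requests to a single host, the half-hour check-in pattern described for Black Energy and Mocbot above. The log format, host names, paths and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log lines (epoch seconds, client, method, URL, response bytes).
# Host names and the /gate.php path are placeholders, not indicators from the column.
SAMPLE_LOG = """\
1200000000.000 10.0.0.5 POST http://cc.example.invalid/gate.php 312
1200000010.000 10.0.0.7 GET http://news.example.invalid/index.html 48213
1200001800.000 10.0.0.5 POST http://cc.example.invalid/gate.php 310
1200001822.000 10.0.0.7 GET http://news.example.invalid/sports.html 51990
1200003600.000 10.0.0.5 POST http://cc.example.invalid/gate.php 315
1200005400.000 10.0.0.5 POST http://cc.example.invalid/gate.php 311
1200005431.000 10.0.0.7 GET http://news.example.invalid/weather.html 20020
"""
LINE_RE = re.compile(r"^(\d+(?:\.\d+)?) (\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Yield (timestamp, client, host, response_bytes) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        ts, client, _method, url, size = m.groups()
        yield float(ts), client, urlsplit(url).hostname, int(size)

def find_beacons(text, min_hits=4, max_jitter=0.1, max_bytes=2048):
    """Return {(client, host): mean_interval_seconds} for client/host pairs whose
    requests are small and evenly spaced: the periodic check-in behaviour described
    above. Thresholds are tunable assumptions, not published values."""
    by_pair = defaultdict(list)
    for ts, client, host, size in parse_log(text):
        by_pair[(client, host)].append((ts, size))
    beacons = {}
    for pair, hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # identical timestamps: no interval to measure
        # Low relative jitter plus small responses looks like a timer, not a person browsing.
        if pstdev(gaps) / avg <= max_jitter and mean([s for _, s in hits]) <= max_bytes:
            beacons[pair] = avg
    return beacons

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

On real proxy logs the thresholds need tuning against legitimate pollers such as software updaters and RSS readers, which also check in on a timer.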

You can hear more of my interview with Dr. Nazario in this Security Bites podcast.

Are we doomed to a future with more botnets? TalkBack to me.

Copyright ©2008 CNET Networks, Inc. All rights reserved.