Alerts
Malicious Website / Malicious Code, Web-Controlled Bots
Date: 08.12.2005
Threat Type: Informational Alert
Websense® Security Labs™ continues to research additional tactics that botnet operators utilize to command and control (C&C) their infected zombies on the Internet. This research has found increasingly frequent use of web-based controllers. The most common method of controlling a botnet today is IRC: commands are sent to the infected hosts over an IRC channel, and the hosts report their information back over the same channel.
The addition of HTTP as a channel for controlling the bots and triggering them to upload their information creates another area that security professionals need to investigate for possible infections and takedowns. Websense Security Labs has seen this tactic as particularly popular with bots that capture and transmit keylogger output and store stolen account information.
The screenshots below show an example of a commonly used web-based botnet controller. The first screen gives the operator the ability to view all the infected hosts and display them by country and city, IP address, and unique ID.
The second screenshot is an example of how the controller can send commands to the infected hosts and modify the machine. In this screen, you can see how the operator can block URLs that they do not want the machine to contact, such as anti-virus update centers and Microsoft Update. They can modify the "hosts" file to redirect traffic, for example redirecting well-known banking and e-commerce sites to a fraudulent site. With a mouse click, they can send programs and commands to launch on the remote machines.
The third screenshot shows statistical information on how many infected hosts have received the input information, i.e., the success rate.
Screenshot 1:
Screenshot 2:
Screenshot 3:
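The hosts-file tampering shown in the second screenshot (update servers nulled out, banking sites redirected) leaves a footprint a defender can check for. The following is an added example, not code from the alert or from Websense: it parses a constructed hosts file and flags watchlisted hostnames that are sinkholed to loopback/unspecified addresses ("blocked") or pointed at some other address ("redirected"). The watchlist domains and the sample entries are constructed placeholders.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of a tampered hosts file (not taken from the alert).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         update.av-vendor.example      # update server nulled out
127.0.0.1       windowsupdate.example         # update server nulled out
203.0.113.45    online.bank.example           # bank redirected elsewhere
10.0.0.5        intranet.example              # legitimate local mapping
"""

# Hypothetical watchlist of hostnames a defender cares about (constructed).
WATCHLIST = {"update.av-vendor.example", "windowsupdate.example", "online.bank.example"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:  # one IP may be followed by several hostnames
            pairs.append((ip, name.lower()))
    return pairs


def audit_hosts(text: str, watchlist=WATCHLIST) -> List[Tuple[str, str, str]]:
    """Classify watchlisted entries as (kind, hostname, ip).

    kind is 'blocked' for loopback/unspecified sinkholes, 'redirected' for any
    other address, and 'malformed' when the address field does not parse.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name not in watchlist:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("malformed", name, ip))
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append(("blocked", name, ip))
        else:
            findings.append(("redirected", name, ip))
    return findings


if __name__ == "__main__":
    for kind, name, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:10s} {name} -> {ip}")
```

On a real host, read the system hosts file (for example C:\Windows\System32\drivers\etc\hosts on Windows) and pass its contents to audit_hosts with a watchlist of the update and banking domains relevant to your environment.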