Botnets Botnets Botnets
By stunder | April 9, 2008
So I have been working on a Web Content Filtering project at work, and the question came up of “what kind of applications are using HTTP to tunnel outbound from our network?” One of the first applications I can remember that auto-discovered outbound openings was the AOL Instant Messenger client. It would try its default port, then telnet, then port 80, getting out to the Internet so you could chat with your other friends who were on AOL.
As time has gone on, some application developers don’t even try to host their servers on other ports; they just write them for TCP port 80. Guys started configuring self-run mail servers on port 80, and games were quick to start using the port too so you could meet up with your buddies. Nowadays VoIP providers use it for their customers behind firewalls. I haven’t done any hard number crunching on this, but I would bet up to 10% of your outbound port 80 traffic isn’t even HTTP or web page traffic.
Now on to how I think botnets could use port 80 as a way of controlling the bots. I wouldn’t doubt that the majority of the botnets out there are already using port 80 to call home from their bot clients to their controllers to get their commands. That seems easy enough, and I bet the botnet guys have already thought of this, but why not use the millions of web servers out there that have forums or open ways of posting HTML (or owned sites) and place botnet commands inside HTML comments that won’t be read or noticed by the average web user?
The craziness is that anyone could start up a predefined “call home” server name or IP, have the bots make small HTTP GET requests throughout the day, and if a bot doesn’t notice any commands it just goes back to sleep until the next time it needs to call home and look for commands. I guess you could even work out tags in your botnet call that would look for something like home-server; that would tell your clients to change the name of the server they call home to, which would help keep people off your tracks.
Looking at this, you could even make it past most proxy devices out there. You could also use the SSL port (443) if you were behind a network that didn’t have an HTTPS proxy in place. If an SSL proxy is in place it would still work, but you would need to make sure your client/server is actually using SSL encryption, and this might be a bit too much overhead to run on your botnet clients; setting up new SSL servers all the time could be work too. I guess no one said running a botnet would be easy.
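The flip side of the scheme above is what a content-filtering team can look for: a bot that wakes up, makes one small GET to the same host, and sleeps again produces very regular inter-request gaps and tiny transfers, which stand out from human browsing. The script below is an added example (not from the original post) that flags such beacons in an assumed four-column proxy log of timestamp, client, host and bytes transferred; the log lines are constructed for the demo.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not real traffic): "<iso-timestamp> <client> <host> <bytes>".
# The first flow checks in about every five minutes with ~500-byte responses (beacon-like);
# the second is ordinary, irregular browsing with large page loads.
SAMPLE_LOG = """\
2008-04-09T08:00:00 10.1.2.3 www.example-forum.test 512
2008-04-09T08:05:01 10.1.2.3 www.example-forum.test 498
2008-04-09T08:09:59 10.1.2.3 www.example-forum.test 503
2008-04-09T08:15:00 10.1.2.3 www.example-forum.test 510
2008-04-09T08:20:02 10.1.2.3 www.example-forum.test 495
2008-04-09T08:00:30 10.1.2.3 news.example.test 40211
2008-04-09T08:03:12 10.1.2.3 news.example.test 38870
2008-04-09T08:31:45 10.1.2.3 news.example.test 41002
2008-04-09T08:32:00 10.1.2.3 news.example.test 1200
2008-04-09T08:45:10 10.1.2.3 news.example.test 39000
"""

def parse_log(text):
    """Group log lines into flows keyed by (client, host) -> [(time, bytes), ...]."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, client, host, size = line.split()
        flows[(client, host)].append((datetime.fromisoformat(ts), int(size)))
    return flows

def beacon_score(events, min_events=4):
    """Return (cv_of_gaps, mean_gap_seconds, mean_bytes) or None if too few events."""
    if len(events) < min_events:
        return None
    events = sorted(events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    mean_gap = statistics.mean(gaps)
    if mean_gap == 0:
        return None
    # Coefficient of variation: near 0 means the requests arrive on a fixed schedule.
    cv = statistics.pstdev(gaps) / mean_gap
    mean_bytes = statistics.mean(size for _, size in events)
    return cv, mean_gap, mean_bytes

def find_beacons(flows, max_cv=0.1, max_bytes=2048):
    """Flag flows that are both very regular and very small, the beacon signature."""
    hits = []
    for (client, host), events in flows.items():
        score = beacon_score(events)
        if score is None:
            continue
        cv, mean_gap, mean_bytes = score
        if cv <= max_cv and mean_bytes <= max_bytes:
            hits.append((client, host, round(mean_gap), round(cv, 3)))
    return hits

if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print("possible beacon:", hit)
```

Tune `max_cv` and `max_bytes` against your own baseline; legitimate pollers such as software-update checks will also trip this, so the output is a review queue, not a verdict.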
With these botnets and people tunneling out of large enterprise networks, it’s only going to lead to more and more networks becoming very locked down over time. Either that, or getting used to answering to other companies’ legal departments. I have always been a fan of a wide-open, Wild West network, and I am changing in my old age.
Topics: Internet Nerd, Just Eric