How can bots contact their master safely?
Simple, naive approach:
victims contact single IP, website, ping a server, etc.
Easily defeated (ISP intervention, blackhole routing, etc.)
still used by script-kiddies, first-time malware authors
Efficient and reliable
– able to reach to a sizable set of bots within a time limit
– hard to detect(i.e., blended with normal/regular traffic)
– Hard to disable or block
Advanced Persistent Threat(APT)
-Advanced:
malware, special operation and operators
-Persistent:
Long-term presence, multi-step, “low-and-slow”
-Threat:
Targeted at high-value organization and information
APT characteristics
– Zero-day exploit or a specially crafted malware
– No readily available signature for its detection
Social-engineering to trick even the most sophisticated users
– First compromise core internal network control elements such as routers and web servers to learn about the valuable targets
– Then play man-in-the-middle on the compromised routers/server to make social-engineering attacks very convincing to even forge answer challenge or inquiry by suspecting users