IRC on the Outs for Botnet Command and Control

Internet Relay Chat, or IRC, used to be the command and control choice for botherders worldwide. It was a simple private chat room of sorts that resided in cyberspace on a series of interconnected, often private, servers running IRC server software. IRC pretty much evolved from the BBS format, which lived on dial-up home systems where people would call up and exchange files, play extreme text adventures, and, if they were lucky enough to be online at the same time as someone else and the SysAdmin was lucky enough to have more than one phone line connected to his board, the two or more signed-on users could chat.
Once computers and networks began to maintain constant connectivity to the internet, the IRC channels took off as a standalone chat/texting community. As AOL and other major players began jumping in with their own online communities, complete with chat, the IRC channels became more of an underground hotspot, a nice place to hide from all of the noobs who were now invading the interwebs. The IRCs also became a hidden place where nefarious warez and activities began to bloom. These activities include(d) the trading of personal information, warez, malware, and the purchase and sale of botnets. Not only would botnets be available for purchase or rent, the command and control for these botnets would happen right through one of these private IRC chat rooms. Once a PC was infected and became a bot, it would sign in to one of these IRC chat rooms and wait for its botherder to issue commands as simple text. Once a command was received that the bot recognized, it would go off and do its thing. Oftentimes these bots were found in public rooms as well, but only the proper commands could get reactions out of them.
This technique of using IRC was very strong for many, many years, but it appears to be on its way out as newer techniques and technologies take its place.
One major flaw that led to this decline is the fact that IRC communication by default occurs on ports 6666 or 6667. If a bot was on a network with a firewall, or with a SysAdmin who was paying attention, they could simply cut off or filter out any traffic to and from those ports, as well as figure out exactly which machine was infected and clean it.
The botherders have realized the limitations that they now face in IRC, and have developed many new custom protocols for communicating with their zombie armies. One that had been developed originally for file sharing (Napster) was made very popular among the botnet community, and that was peer-to-peer communication. Instead of having a single point of failure, such as a single command and control server or IRC channel, these bots could now communicate amongst themselves, sharing information in separate nodes. This technique for botnet communication was made infamous by the now-defunct Storm Worm, whose individual bots would be given lists of IP addresses from which to obtain their commands. If a particular node was down, the bot would simply try the next. This made it very strong and difficult to stop, as it had no single source to shut down.
There are still several large botnets out there that utilize the P2P technique, but there is no form of communication between bots and botherders more popular today than HTTP. HTTP traffic is the most prevalent of all traffic across the internet. Since HTTP traffic remains a very common sight on all networks, the C&C of these botnets stays hidden amongst all of the other HTTP requests. This makes the job of filtering botnet commands out from ordinary web page requests a very difficult task.
The latest buzz about botnet C&C came just recently when a Brazilian botnet was found to be using the micro-blogging site Twitter to control its bots. The bots would simply subscribe to the RSS feed, which is a built-in feature of a Twitter account, and wait for the botherders to tweet their commands. Simple and elegant. Once the account was found, it was pretty obvious that the tweets were up to no good, as they were all Base64 encoded, obviously not random blurbs about the author's life. Once decoded, these commands contained a URL from which to download the latest payloads, once again utilizing HTTP traffic in a very creative way.
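The two defender-side checks the post implies, spotting hosts that talk to IRC's default ports and spotting feed entries that are Base64-encoded commands carrying a URL, written up as an added example (not code from the original post); the firewall log format and the feed entries are constructed for illustration:

```python
import base64
import re
from collections import defaultdict

# The default IRC ports the post names; a plain destination-port match is the
# coarse filter a firewall admin could apply.
IRC_PORTS = {6666, 6667}

# Constructed sample firewall log: "<src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_FW_LOG = """\
10.0.0.12 -> 203.0.113.5:80 ALLOW
10.0.0.31 -> 198.51.100.9:6667 ALLOW
10.0.0.12 -> 203.0.113.5:443 ALLOW
10.0.0.31 -> 198.51.100.9:6667 ALLOW
10.0.0.44 -> 198.51.100.20:6666 ALLOW
"""

def irc_talkers(log_text):
    """Return {src_ip: connection_count} for hosts connecting to IRC ports,
    which is the 'which machine is infected' list the post describes."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = re.match(r"(\S+) -> (\S+):(\d+)\s+\w+", line)
        if m and int(m.group(3)) in IRC_PORTS:
            counts[m.group(1)] += 1
    return dict(counts)

URL_RE = re.compile(rb"https?://[\w.\-/]+")

def decoded_command_url(text):
    """If text is strict Base64 that decodes to printable ASCII containing a
    URL, return that URL; otherwise None (ordinary chatter fails fast here)."""
    try:
        raw = base64.b64decode(text.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not raw or not all(32 <= b < 127 for b in raw):
        return None
    m = URL_RE.search(raw)
    return m.group(0).decode() if m else None

# Constructed sample feed entries (not real tweets).
SAMPLE_FEED = [
    "Having coffee and reading the news",
    base64.b64encode(b"DL http://example.com/payload.bin").decode(),
    "aGVsbG8=",  # "hello": valid Base64 but carries no URL
]

def suspicious_entries(entries):
    """Return [(entry, url)] for entries whose decoding yields a URL."""
    return [(e, u) for e in entries if (u := decoded_command_url(e))]
```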
All of these techniques show an evolution that will continue between the attackers and the defenders out in cyberspace. We are sure to see many more inventive ideas being put to the test by botherders and malware authors for a good time to come. It's up to the people working on the side of the WhiteHats to continue to research, understand and anticipate the future of attacks.
photo courtesy secfront.com