A smartphone displaying an icon representing wireless connectivity
November 5, 2021

Botnet buster finds IoT command and control centers

Tool fools malware twice and can trick it into revealing itself

Author: Holly Ober
November 5, 2021

Did you know that your home smart devices could be soldiers in a malicious robot army called a botnet? Smart devices range from refrigerators that let you peer inside them remotely to baby monitors that let you check on your baby from wherever you are in the house.

To criminals, these, along with wireless printers, wearable health monitors, and countless other internet-connected household and office devices look like a vast army of docile robots waiting to do their dark bidding. 

But a new tool created by computer scientists at UC Riverside strikes at a botnet’s Achilles’ heel by tricking it into revealing itself.

This smart toothbrush could be the command and control center of a malicious IoT botnet. (electricteeeth on Wikimedia commons)

For context, a botnet operates in a hierarchy. It consists of a command and control, or CnC, server. The server acts like a general, issuing orders to soldier robots. A CnC server can create a botnet by infecting and controlling thousands of Internet of Things, or IoT, devices. The army of infected bots will be later used for malicious purposes: mounting a denial of service attack to take critical servers down or launching massive email spam campaigns to commit identity theft or infect even more devices.

IoT botnets can do serious damage. In 2016, IoT botnets disrupted the activity of major service providers such as Github, Twitter, Reddit, Airbnb, and Netflix. CnCs control the bots and are crucial for the existence of the botnets. They are therefore also the Achilles heel of IoT botnets. By taking a CnC server down, the botnet operation would be disrupted. But first, a would-be botnet buster has to detect the CnC server address, which is no easy feat.

Discovering IoT botnets can be maddeningly difficult. Companies put much effort into securing computers against intrusions, but security for IoT devices often comes as an afterthought, if at all. And while a laptop might eventually show signs of being compromised, a hijacked toothbrush or refrigerator might evade detection. In fact, according to a threat report published by SonicWall, the number of IoT attacks rose to a record of 56.9 million between 2019 and 2020, a 66% increase. Given the growth in use of IoT devices, the worst is yet to come. 

The UC Riverside tool, called CnCHunter, could be a turning point in the battle against IoT botnets.

“Our tool provides a novel capability: we can get real malware to reveal its CnC server. We selected 100 IoT malware samples collected between 2017 and 2021 and were able to find their CnC servers with a 92% precision, ” said said Ali Davanian, a doctoral student in the Marlan and Rosemary Bourns College of Engineering and first author of a paper presented at this year’s Blackhat USA security conference, the leading corporate conference in computer security.

“CnC servers can change locations to avoid detection, use secret communication protocols, and often use end-to-end encryption,” said co-author Ahmad Darki, who recently completed his doctorate at UCR. “Most approaches wait passively and try to identify botnet action in the traffic. We go seek them out wherever they are hiding.” 

In addition, most prior efforts first "learn" a malware communication protocol, then scan the Internet in search of live CnC servers. Although useful, this approach will not work with sophisticated malware that may use encryption or a communication protocol that is hard to reverse engineer.

In contrast, CnCHunter uses real, activated malware to look for live CnC servers, similar to how the malware would. It acts as a middleman and knows how to communicate with its server even in the presence of encryption. CnCHunter contacts a suspicious internet server using real malware and observes how the malware communicates with it.

If the dialogue between the suspect and the malware is meaningful in the botnet language, the Internet server is a CnC. 

“We take a more aggressive approach where we try to detect botnets proactively and by fooling malware twice, first by activating the malware in a safe environment, and then intercepting and redirecting the traffic where we want to trick the botnet to engage with us,” said senior author, UCR computer science professor Michalis Faloutsos.

The authors demonstrated the potential of their system at the BlackHat conference in Las Vegas this past August by activating a sample of a 4-year-old, well-known malware called Gafgyt and enabled it to communicate with a live CnC server for a recent sample of the same malware family. They have also used CnCHunter to locate a recent CnC server used by Mirai, a malware used to build botnets that appeared in 2016 and continues to wreak havoc on computer networks. 

The authors are currently working on an automated system that can find live CnC servers of IoT malware continuously.

CnC Hunter is the first open-source tool for finding IoT malware CnCs. The code is available for download here. The paper detailing the work, “CnChHunter: An MITM-approach to identify live CnC servers,” is available here. The authors have also discussed their work on an episode of The Hacker Mind podcast.

Header photo: Franck on Unsplash

Media Contacts