Henry Dalziel | General Hacking Posts, Hacker Hotshots | August 24, 2013
Every botnet needs a command and control (C&C) center!
HiveMind, like every other botnet out there, needs to be told what to do next and to report back to the mothership. HiveMind’s C&C is a web server backed by a SQL database that keeps tables of all files and of the acquired nodes running the script. Each file uploaded to the C&C is encrypted, and each is unique since every file can have a different password.
The history of botnets
Botnets are created and exploited for a variety of reasons, generally for denial-of-service attacks, spamming (by misappropriating SMTP mail relays), advertising click fraud, bitcoin mining and harvesting all kinds of data. The harvesting of data is easily explained: search engines become very suspicious of any IP address that hits their servers with many requests within a very short amount of time. Rotating IPs (also referred to as ‘proxies’) get around this, or better still (faster and more efficient) a legion of computers harvesting on your behalf. Login IDs, email addresses, bitcoins, etc. are all useful and commercial data that cyber criminals can use.
Types of botnet attacks
Botnets can launch dozens of cyber attacks. Typical examples include: distributed denial-of-service attacks, spamming, click fraud (to gain a ‘Pay Per Click’ advertising benefit), FTP/SSH brute forcing, scareware and more! If you can think of any other ways botnets can cause harm, please leave your comments below.
The really interesting thing about Sean’s HiveMind is that it can be used to store data without any correlation to the owner (again, we might need to be corrected on this, hence why we are looking forward to Sean’s talk this Tuesday!). The reason is that when a file is uploaded to the botnet it is encrypted and distributed to the nodes; the file is no longer kept on the server. Reverse engineering the data flow to identify the publishers by, for example, extracting data from the server would therefore fail. Block replication would also break down as nodes started to go offline, making file recovery (virtually) impossible. Indeed, from our reading of Sean’s research, the only way to extract the data would be to seize a significant number of nodes within the botnet whilst it is operating and obtain the necessary passwords from the owners.
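To make the recovery argument above concrete from an investigator’s point of view, here is an added toy model (our own example, not Sean’s or HiveMind’s code). It splits a constructed file into blocks, copies each block to a few randomly chosen nodes, and then asks the two questions the paragraph raises: does the file survive when nodes go offline, and how many nodes would have to be reached before every block is available again? The node count, block size, replication factor and random placement are all assumptions; the per-file encryption is left out, so in reality the recovered blocks would still be useless without the owner’s password.

```python
"""Toy model of block distribution across nodes (constructed example; not
HiveMind's code). Node count, block size, replication factor and random
placement are assumptions; encryption of the blocks is omitted."""
import hashlib
import random
from typing import Dict, List, Optional, Set

Placement = Dict[int, Set[int]]   # block index -> ids of the nodes holding a copy


def split_into_blocks(data: bytes, block_size: int) -> List[bytes]:
    """Cut the file into fixed-size blocks (the last one may be shorter)."""
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]


def distribute(num_blocks: int, num_nodes: int, replicas: int,
               rng: random.Random) -> Placement:
    """Copy every block to `replicas` distinct, randomly chosen nodes.
    Nothing is kept centrally; the placement map is the only metadata."""
    return {b: set(rng.sample(range(num_nodes), replicas))
            for b in range(num_blocks)}


def recoverable(placement: Placement, reachable: Set[int]) -> bool:
    """The file can be rebuilt only if every block has a copy on a reachable node."""
    return all(holders & reachable for holders in placement.values())


def reassemble(blocks: List[bytes], placement: Placement,
               reachable: Set[int]) -> Optional[bytes]:
    """Rebuild the file from reachable nodes, or None if any block is lost."""
    if not recoverable(placement, reachable):
        return None
    return b"".join(blocks[b] for b in sorted(placement))


def nodes_needed(placement: Placement, order: List[int]) -> Optional[int]:
    """Reach nodes one by one in `order`; return how many had to be reached
    before the file became recoverable, or None if it never did."""
    reached: Set[int] = set()
    for count, node in enumerate(order, start=1):
        reached.add(node)
        if recoverable(placement, reached):
            return count
    return None


def mean_fraction_needed(placement: Placement, num_nodes: int,
                         trials: int, rng: random.Random) -> float:
    """Monte Carlo estimate of the share of nodes that must be reached, in
    random order, before every block of the file is available."""
    total = 0
    for _ in range(trials):
        order = list(range(num_nodes))
        rng.shuffle(order)
        total += nodes_needed(placement, order)  # never None: every node is in `order`
    return total / (trials * num_nodes)


# Constructed sample: a 2 KiB "file", 64-byte blocks, 40 nodes, 3 copies per block.
SAMPLE_FILE = bytes(range(256)) * 8
BLOCK_SIZE = 64
NUM_NODES = 40
REPLICAS = 3
RNG = random.Random(2013)

BLOCKS = split_into_blocks(SAMPLE_FILE, BLOCK_SIZE)
PLACEMENT = distribute(len(BLOCKS), NUM_NODES, REPLICAS, RNG)


def survives_churn(offline: int) -> bool:
    """Take `offline` random nodes away and report whether the file survives."""
    gone = set(RNG.sample(range(NUM_NODES), offline))
    return recoverable(PLACEMENT, set(range(NUM_NODES)) - gone)


if __name__ == "__main__":
    digest = hashlib.sha256(SAMPLE_FILE).hexdigest()
    rebuilt = reassemble(BLOCKS, PLACEMENT, set(range(NUM_NODES)))
    print("rebuilt from all nodes matches original:",
          rebuilt is not None and hashlib.sha256(rebuilt).hexdigest() == digest)
    print("average share of nodes to reach before the file is complete:",
          round(mean_fraction_needed(PLACEMENT, NUM_NODES, 200, RNG), 2))
    for offline in (5, 15, 25, 35):
        print(f"{offline} of {NUM_NODES} nodes offline -> recoverable: {survives_churn(offline)}")
```

Raising `REPLICAS` makes the file survive more churn but also lowers the share of nodes an investigator must reach; the two quantities move together, which is the trade-off behind the claim that recovery needs a large fraction of the live botnet.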
In any event, we hope to have done some justice to Sean’s research, but to fully appreciate it and hear it direct from the horse’s mouth, come and join us Tuesday! If you are reading this post on or after August 27th 2013, you will be able to watch the recorded version, with questions, at the same URL.
Don’t forget to comment with your thoughts on HiveMind (especially if you feel we have not been 100% accurate). We’d also be very interested to hear of creative botnet uses you might have come across.