Do botnet controllers prefer certain ISPs for their Command and Control servers?


The Role of Hosting Providers in Fighting Command and Control Infrastructure of Financial Malware

A botnet is a network of remotely controlled computers managed by an operator, known as a bot master. Bot masters use a Command and Control (C&C) infrastructure to control their botnets. The bot master gains control of target hosts by infecting them with malware. The infected machines connect to a “server” so that the bot master can issue instructions. Bot masters can rent servers, or use them illegitimately, to run their C&C infrastructure. Many hosting providers have measures in place to prevent their services being used for C&C infrastructure. Little is known about what motivates bot masters when choosing C&C servers, such as price or risk of discovery.

Tajalizadehkhoob et al. wanted to know whether bot masters seem to prefer certain types of server hosting providers or whether the distribution of C&Cs across the industry is random. They looked at trends in different hosting locations of C&C domains for 26 different malware families known to be involved in attacks on financial services.

The researchers started with a database of C&C domains and a database of hosting providers. Together, these databases provided the domain name and IP information of C&C domains in 109 countries from 2009 to 2016. The researchers associated the known IP addresses with their respective hosting providers. In total, they located and identified over 45,000 hosting providers. They then analysed the different trends for the hosting providers. The researchers looked at the size and legal regulations of every hosting provider. They then looked at the popularity, longevity, best price and software vulnerabilities of smaller samples of the hosting providers. The researchers also reviewed the “uptime” of C&C domains by measuring the number of days between the first and last observation of each domain in their dataset.

The results show a general increase in the number of hosting providers over time. The researchers found that just 30% of providers hosted 80% of the C&C servers. Most of the domains in the top 20 were located in the USA and Western Europe. The majority of C&C domains seem to be quite short-lived, but some domains do stay hosted for longer periods of time, such as over a year. Bot masters seemed to have little or no preference for hosting providers that leave C&C domains up longer. However, there was an increased presence of C&C servers on hosting providers that were larger, more popular, more established, used more vulnerable software and had better prices. All things considered, the researchers concluded that bot masters' choices for C&C hosting seem to be random, with the most probable deciding factor being the size of the hosting provider.
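The measurement steps above (mapping C&C IPs to hosting providers, computing domain uptime as days between first and last observation, and the "30% of providers host 80% of C&Cs" concentration figure) can be reproduced on a small scale. The following is an added example, not code from the paper; the provider names, the RFC 5737 documentation prefixes and the observations are all constructed.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed provider-to-prefix mapping (hypothetical names, documentation ranges).
PROVIDERS = {
    "Provider-A": ["192.0.2.0/24"],
    "Provider-B": ["198.51.100.0/25"],
    "Provider-C": ["198.51.100.128/25"],
    "Provider-D": ["203.0.113.0/24"],  # hosts nothing in this sample
}

# Constructed C&C sightings: (domain, ip, first_seen, last_seen).
OBSERVATIONS = [
    ("cc1.example", "192.0.2.10", date(2015, 1, 1), date(2015, 1, 3)),
    ("cc2.example", "192.0.2.11", date(2015, 2, 1), date(2016, 3, 1)),
    ("cc3.example", "192.0.2.12", date(2015, 3, 5), date(2015, 3, 5)),
    ("cc4.example", "198.51.100.9", date(2015, 4, 1), date(2015, 4, 10)),
    ("cc5.example", "198.51.100.200", date(2015, 5, 1), date(2015, 5, 2)),
    ("cc6.example", "192.0.2.13", date(2015, 6, 1), date(2015, 6, 8)),
]

def provider_for(ip):
    """Return the provider whose prefix contains ip, or None if unattributed."""
    addr = ip_address(ip)
    for name, prefixes in PROVIDERS.items():
        if any(addr in ip_network(p) for p in prefixes):
            return name
    return None

def uptime_days(first_seen, last_seen):
    """Uptime as in the study: days between first and last sighting (0 if same day)."""
    return (last_seen - first_seen).days

def cc_counts_per_provider(observations):
    """Number of C&C domains attributed to each provider (unattributed IPs skipped)."""
    counts = {}
    for _domain, ip, _first, _last in observations:
        name = provider_for(ip)
        if name is not None:
            counts[name] = counts.get(name, 0) + 1
    return counts

def concentration(counts, total_providers, share=0.8):
    """Fraction of all providers (largest first) needed to cover `share` of C&Cs."""
    total = sum(counts.values())
    covered, used = 0, 0
    for n in sorted(counts.values(), reverse=True):
        covered, used = covered + n, used + 1
        if covered >= share * total:
            break
    return used / total_providers
```

With the constructed data, two of the four providers (50%) account for at least 80% of the C&C domains, and cc2.example shows the long-lived tail the study describes.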

It appears that bot masters take a fairly random approach when choosing hosting providers for their C&C servers. Though some may take into consideration a hosting provider's popularity, longevity and pricing, it seems to be the size of the host that matters most. Hosting providers with a larger IP and domain name space should be aware that their size alone appears to increase the chance of their business hosting more C&C servers than others.

Bot masters don’t appear to have preferred service providers for their C&C servers.