W32.Downadup.C Pseudo-Random Domain Name Generation 

Mar 27, 2009 05:08 PM

Pseudo-random domain name generation for the rendezvous point is a clever idea. The common way for a botnet to communicate with its botmaster is via a single rendezvous point. Because that rendezvous point is static, whoever controls it owns the botnet, which makes it the weakest link: the botmaster loses the whole botnet if the server at the rendezvous point is brought down or its IP address is blacklisted. Fast flux, where the IP address bound to a domain name changes rapidly, was an attempt to foil IP blacklisting, but fast flux cannot protect against domain name blacklisting.

Pseudo-random domain name generation is the countermeasure to domain name blacklisting, since blacklisting a large, constantly changing list of domain names is impractical. With it, the previous weakest link is eliminated.

One downside of having many rendezvous points is that not all of them are registered, so they are basically up for grabs. Once the pseudo-random domain name generation algorithm and the communication protocol have been reverse-engineered (as they have been for Downadup), anyone can register upcoming domains and attempt to steal the botnet. The Downadup (Conficker) authors knew this was possible and prepared against it with asymmetric cryptographic authentication on the client: an infected host only accepts a payload that carries a valid signature from the authors' key, so the botnet cannot be taken over without the corresponding private key.
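To make the authentication step concrete, here is an added example (not code from Symantec or from the malware itself) of what client-side signature checking buys the botmaster: a third party who controls a rendezvous domain can serve a payload, but without the private key the bot discards it. The key size, hash function, payload contents and all function names are assumptions for illustration, not Downadup's actual parameters.

```go
// Client-side payload authentication for a DGA botnet (added example).
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Update is what an infected host pulls from whichever rendezvous domain
// happens to answer: the payload plus a detached signature over it.
type Update struct {
	Payload   []byte
	Signature []byte
}

// NewKeyPair generates an RSA key pair. The botmaster keeps the private
// half; only the public half is embedded in the bot binary. (Key size and
// hash are illustrative assumptions, not Downadup's real parameters.)
func NewKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// SignUpdate is the botmaster's side: hash the payload, sign the digest.
func SignUpdate(priv *rsa.PrivateKey, payload []byte) (Update, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return Update{}, err
	}
	return Update{Payload: payload, Signature: sig}, nil
}

// AcceptUpdate is the bot's side: recompute the digest and verify the
// signature against the embedded public key. Anything that fails is
// dropped, so registering a rendezvous domain by itself yields nothing.
func AcceptUpdate(embedded *rsa.PublicKey, u Update) bool {
	digest := sha256.Sum256(u.Payload)
	return rsa.VerifyPKCS1v15(embedded, crypto.SHA256, digest[:], u.Signature) == nil
}

// TakeoverAttempt plays out the scenario from the text: someone who has
// reverse-engineered the domain generation registers a rendezvous name and
// serves their own payload. It reports whether the bot accepts the genuine
// update, the hijacker's update, and a tampered copy of the genuine one.
func TakeoverAttempt() (legit, hijacked, tampered bool, err error) {
	botmaster, err := NewKeyPair(2048)
	if err != nil {
		return
	}
	hijacker, err := NewKeyPair(2048)
	if err != nil {
		return
	}
	embedded := &botmaster.PublicKey // what ships inside the bot

	// 1. Genuine update from the botmaster (constructed sample payload).
	good, err := SignUpdate(botmaster, []byte("update v2: new DGA seed"))
	if err != nil {
		return
	}
	legit = AcceptUpdate(embedded, good)

	// 2. Hijacker controls the domain but signs with a different key.
	bad, err := SignUpdate(hijacker, []byte("uninstall yourself"))
	if err != nil {
		return
	}
	hijacked = AcceptUpdate(embedded, bad)

	// 3. Hijacker replays the genuine signature over a modified payload.
	forged := Update{
		Payload:   bytes.Replace(good.Payload, []byte("v2"), []byte("v9"), 1),
		Signature: good.Signature,
	}
	tampered = AcceptUpdate(embedded, forged)
	return
}

func main() {
	legit, hijacked, tampered, err := TakeoverAttempt()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine update accepted:    %v\n", legit)
	fmt.Printf("hijacker's update accepted: %v\n", hijacked)
	fmt.Printf("tampered update accepted:   %v\n", tampered)
}
```

The point of the three cases is that sinkholing a rendezvous domain gives a defender visibility (the bots connect) but not control: neither a payload signed with another key nor a modified payload under a replayed signature passes the embedded-key check.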


The latest variant (.C) of Downadup has been improved in direct response to the Conficker Working Group's domain-name reservations by increasing the number of possible daily rendezvous points from 250 to 50,000, making it practically infeasible to register all of those domain names every day.

One interesting aspect of the .C variant is that an infected machine queries back less aggressively than previous variants: only once a day instead of every 2 or 3 hours, and each infection picks a different random set of 500 domains out of the 50,000 generated for that day. Thus, if a botmaster with the correct private key registers one domain name, that domain will be reached directly by only about 1% (500 out of 50,000) of the total Downadup population. Note that 1% is an idealized value and will vary in practice because of the pseudo-random selection, whether machines are online, the time of day, whether a host can actually resolve and reach the intended domain, etc. A likely reason for this less aggressive behaviour is that it is not easy to build a server that can handle the traffic from three million-plus infected machines; without throttling on the client side, the bots would effectively DDoS their own rendezvous server.

While 1% seems small, it accumulates: if the botmaster registers one domain name each day, roughly a quarter of the botnet (1 - 0.99^30, about 26%) could be reached directly within a month. The following simulation shows how much of the Downadup-infected machine population is reached starting from April 1, 2009. It uses a very simple model and assumes ideal conditions: domain selection and query times are uniformly distributed, and it ignores that infections and online hosts are not evenly dispersed across time zones, and so on. Hopefully the simulation still provides a view into how patience, and just a few registered domains on the part of the authors, could yield worthwhile results. Three variables can be tweaked:

•    Initial infection: the total number of .C-infected hosts. The .C variant was spread by updating .B hosts, of which there were around 3 million when the .C update was released; the number actually converted to .C is likely a small fraction of that.

•    Domains with payload: the number of domains the botmaster registers each day (the default is one per day).

•    Take-down time: the time it takes to take down the malicious domain name once it is detected. Because the model spreads queries evenly across the day, taking the server hosting the payload down within 6 hours means only a quarter of the hosts that would have contacted that domain that day receive the payload.
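The model described above, written out as an added example in Go (it is not the interactive simulation from the original post). It exposes the same three knobs, gives the closed-form reach and cross-checks it with an explicit Monte Carlo draw of each host's daily name set and query time. The 50,000 and 500 figures are from the text; the uniform name selection, uniform query time of day, one contact per host per day and all function names are the simplifying assumptions stated above.

```go
// Reach model for the Downadup.C rendezvous scheme (added example).
package main

import (
	"fmt"
	"math"
	"math/rand"
)

const (
	DomainsPerDay  = 50000 // candidate names generated each day
	QueriedPerHost = 500   // names each infected host actually tries per day
)

// DailyHitProbability is the chance that one host is reached on one day
// when the botmaster registers `registered` of that day's names and the
// payload server stays up for takedownHours. Assumptions (the ideal
// conditions of the model): each host picks its 500 names uniformly without
// replacement and queries at a uniformly random time of day.
func DailyHitProbability(registered int, takedownHours float64) float64 {
	live := math.Max(0, math.Min(takedownHours, 24)) / 24
	// P(none of the registered names is among the host's picks), the
	// hypergeometric "miss" term; for one name it is 49500/50000 = 0.99.
	miss := 1.0
	for i := 0; i < registered; i++ {
		miss *= float64(DomainsPerDay-QueriedPerHost-i) / float64(DomainsPerDay-i)
	}
	return (1 - miss) * live
}

// CumulativeReach is the fraction of the population reached at least once
// after `days` days, with days treated as independent trials.
func CumulativeReach(days, registered int, takedownHours float64) float64 {
	p := DailyHitProbability(registered, takedownHours)
	return 1 - math.Pow(1-p, float64(days))
}

// HostsReached scales the fraction by the initial infection count.
func HostsReached(initial, days, registered int, takedownHours float64) float64 {
	return float64(initial) * CumulativeReach(days, registered, takedownHours)
}

// NewRNG returns a seeded generator so simulation runs are reproducible.
func NewRNG(seed int64) *rand.Rand { return rand.New(rand.NewSource(seed)) }

// SimulateReach cross-checks the closed form by explicitly drawing every
// host's daily name set and query hour. The botmaster's registered names
// are taken to be indices 0..registered-1 of the day's list; which indices
// they are does not matter because hosts pick uniformly.
func SimulateReach(rng *rand.Rand, hosts, days, registered int, takedownHours float64) float64 {
	reached := make([]bool, hosts)
	for d := 0; d < days; d++ {
		for h := 0; h < hosts; h++ {
			if reached[h] {
				continue // already has the payload; later days change nothing
			}
			picks := make(map[int]struct{}, QueriedPerHost)
			for len(picks) < QueriedPerHost {
				picks[rng.Intn(DomainsPerDay)] = struct{}{}
			}
			hit := false
			for i := 0; i < registered; i++ {
				if _, ok := picks[i]; ok {
					hit = true
					break
				}
			}
			queryHour := rng.Float64() * 24
			if hit && queryHour < takedownHours {
				reached[h] = true
			}
		}
	}
	n := 0
	for _, r := range reached {
		if r {
			n++
		}
	}
	return float64(n) / float64(hosts)
}

// ApproxEqual is a small helper for comparing model outputs.
func ApproxEqual(a, b, tol float64) bool { return math.Abs(a-b) <= tol }

func main() {
	for _, days := range []int{1, 7, 30, 90} {
		fmt.Printf("day %3d: %5.1f%% reached with 1 domain/day, no take-down\n",
			days, 100*CumulativeReach(days, 1, 24))
	}
	fmt.Printf("30 days, 1 domain/day, 6h take-down: %.1f%%\n", 100*CumulativeReach(30, 1, 6))
	fmt.Printf("30 days, 5 domains/day, no take-down: %.1f%%\n", 100*CumulativeReach(30, 5, 24))
	fmt.Printf("hosts reached after 30 days from 3,000,000: %.0f\n", HostsReached(3000000, 30, 1, 24))
	fmt.Printf("monte carlo, 2000 hosts, 30 days: %.1f%%\n",
		100*SimulateReach(NewRNG(1), 2000, 30, 1, 24))
}
```

With one domain per day and no take-down the closed form gives 1% on day one and about 26% by day 30; a 6-hour take-down cuts the daily figure to 0.25%, which is where the quarter in the take-down bullet comes from. Registering a handful of names per day instead of one raises the daily hit rate almost linearly (the hypergeometric miss term is close to 0.99 per name), which is why a patient botmaster does not need many registrations to matter.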

One more thing: if a P2P network is used to redistribute the payload, with this 1% acting as the seed nodes, the efficacy of the distribution is much greater than with the direct distribution alone as shown above.

Message Edited by Trevor Mack on 03-27-2009 03:22 PM
