IRC vs HTTP botnets
In the next PandaLabs Quarterly Report I talk about this issue:
"Zombies have usually been associated with personal computers with inadequate protection and broadband Internet connections which are permanently on. In fact, this is still largely the case, as the most common infection methods can easily be blocked in corporate environments with good perimeter security policies. These bots usually receive orders via IRC, so simply having a firewall on the network blocking this type of communication would prevent the bot-herder from controlling the zombies.
Hackers, however, are still drawn by the prospect of controlling millions of corporate computers, due to the quantity or quality of the information they could access. They face two obstacles:
1. Infecting corporate network systems.
Most big companies have security devices to try to keep their networks safe. All will have anti-malware products protecting different network levels. Consequently, the methods used by hackers to attack corporate environments must differ from those used to infect home users. What services do companies have activated? The Internet.
Solution: use web pages as a means of infection, in other words, exploit vulnerabilities so neither users nor administrators are conscious of the infection.
Antivirus protection must also be taken into account. How do they combat them? No manufacturer can guarantee 100% detection. Depending on the technologies it implements (reactive and proactive) it can reach a specific protection level, but it can never offer total protection. Furthermore, most products are only based on reactive technologies (malware detection via signature files), which, although powerful, have a significant disadvantage: they only detect previously identified malware.
Solution: modify malware to prevent signature file detections. Hackers are capable of changing Trojan variants in a few minutes. Unless you possess other types of solutions, such as behavior-based detections, you are vulnerable.
2. Being able to control the zombies on the network.
Once systems are infected, how can bot-herders communicate with the zombies in a network which has a firewall and other security systems installed? What possible entry points do companies have? The Internet.
Solution: change the way the bot communicates, by using HTTP instead of IRC, to guarantee communication with all zombies without anyone being able to prevent it.
IRC-based bots are still the most common (the source code of some IRC bot families has been circulating on the Internet for many years), but this trend is quickly shifting towards HTTP-based bots, since communication is much more effective in all environments."
I have seen many large (hundreds of thousands of zombies) HTTP-controlled botnets in recent months, though there are many more IRC botnets right now.
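The report above makes the point that an IRC bot can be cut off at the firewall while an HTTP bot hides inside ordinary web traffic, so the defender's attention has to move to the proxy logs. As an added example that is not part of the report or the original post, the following Python script looks for the one thing an HTTP bot cannot easily hide, a near-constant polling interval to a single host, in a constructed proxy log; the log format, addresses and host names are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not real data): "<ISO time> <client> <method> <host/path> <status>"
SAMPLE_LOG = """\
2007-03-01T09:00:00 10.0.0.5 GET intranet.example.local/news 200
2007-03-01T09:00:02 10.0.0.7 GET c2.example.invalid/gate.php?id=7 200
2007-03-01T09:00:30 10.0.0.5 GET www.example.com/ 200
2007-03-01T09:05:02 10.0.0.7 GET c2.example.invalid/gate.php?id=7 200
2007-03-01T09:07:13 10.0.0.5 GET www.example.com/page2 200
2007-03-01T09:08:01 10.0.0.5 GET www.example.com/page3 200
2007-03-01T09:10:02 10.0.0.7 GET c2.example.invalid/gate.php?id=7 200
2007-03-01T09:15:02 10.0.0.7 GET c2.example.invalid/gate.php?id=7 200
2007-03-01T09:19:45 10.0.0.5 GET www.example.com/search?q=x 200
2007-03-01T09:20:02 10.0.0.7 GET c2.example.invalid/gate.php?id=7 200
"""

def parse_log(text):
    """Yield (timestamp, client, host) per line; host is the URL up to the first '/'."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        yield datetime.fromisoformat(ts), client, url.split("/", 1)[0]

def find_beacons(text, min_requests=4, max_jitter=0.2):
    """Return {(client, host): period_seconds} for client/host pairs whose
    inter-request gaps are nearly constant. A browsing user produces
    irregular gaps; a bot polling its controller produces a steady rhythm."""
    times = defaultdict(list)
    for ts, client, host in parse_log(text):
        times[(client, host)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        # Coefficient of variation near zero means regular polling.
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons[key] = period
    return beacons

if __name__ == "__main__":
    for (client, host), period in find_beacons(SAMPLE_LOG).items():
        print(f"{client} polls {host} every {period:.0f}s")  # 10.0.0.7 polls c2.example.invalid every 300s
```

The browsing client 10.0.0.5 is ignored because its gaps to www.example.com vary widely, while 10.0.0.7 stands out for hitting the same host every five minutes regardless of what the requests look like.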