Your browser is obsolete!

The page may not load correctly.

“Botology” basics

Основы ботоведения

Other issues in this category (4)
  • add to favourites
    Add to Bookmarks

Chasing botnets

Read: 19397 Comments: 2 Rating: 11

Thursday, May 31, 2018

Gaining control over a command and control server is not the only way to discover the identity of the criminals who are using it. You can catch them through the bungles they inevitably make after they get the idea that they are invincible and start acting recklessly.

Denis K purchased a car for 70,000 EURO but was in no rush to pay for it. The police paid the debtor a visit and had no idea who they were in fact dealing with. Subsequent data analysis revealed that the reluctant debtor was in fact one of the most wanted cybercriminals in the world.

But let's talk about other ways of discovering a criminal’s identity. Similarly to ordinary users, they use HTTPS. The protocol was universally adopted under the pretext that it would protect users from surveillance by secret services. In practice, however, this is not quite so.

Indeed, all the data being transmitted, including URLs, gets encrypted. However, because HTTPS communications are facilitated over TCP/IP, the final traffic destination information is available in unencrypted format. This information includes Mac and IP addresses as well as ports.


Simply put, data transmitted via HTTPS is really protected, but its destination can be determined easily. Before encryption commences, the client and the server need to negotiate what certificate they will be using, i.e., what specific site the client will contact.

Thus the address to which queries will be sent is revealed. Now we can ferret out some information about the address owner.

We’ve already discussed various tools that can be used to discover information about users from their IP addresses (to accomplish this, we can use the whois protocol).

Web-based WHOIS clients (such as can be used to gain information associated with IP addresses, including their owners. A simple Bing query can show you what sites use a specific IP address (e.g.,

However, since multiple sites may be using the same address, how can one determine which of them is being visited by a perpetrator?

A web server can host several sites, each of which has its own SSL certificate. When a query arrives, the web -server needs to determine which site the user wants to visit. Data is not being encrypted yet because the server and the client must negotiate which certificate they are going to use. This means that the client must transmit the site's domain name to the server before encryption commences so that the query is routed to the right site. So we need to examine the very first query that initiates encryption. Let's use our beloved WireShark and see what happens.



Here we can see something of interest.

  1. The first query does indeed contain an unencrypted domain name, which will be used to establish an HTTPS connection.
  2. The second client's query returns the certificate in unencrypted format. It also contains information about the domain it has been issued to. In the case of Bing, the certificate also contains the Subject Alternative Name extension field listing the domain names for which the certificate can be used (Bing certificates even contain staging environment addresses).

The above information can already yield some clues, but there’s more.

When the perpetrator types the URL into the address bar, the first query is not sent to the web server but rather to the DNS server which will return the IP address associated with the domain name. DNS queries aren't encrypted so by sniffing DNS traffic one can learn what sites the user has attempted to visit, and the DNS server's IP address will even help determine their whereabouts at that moment.


Then we set up a sink hole and:

The FBI disrupted the operation of a botnet made up of hundreds of thousands of infected home and office routers and other network nodes. The law enforcement agency seized control of the site that the hackers used to send instructions to the bots. Furthermore, after the infected routers are restarted, they will start communicating with an FBI-controlled server so that the agency will be able to identify all the devices that have been compromised.

The Anti-virus Times recommends

We can't reveal how the HTTP monitor SpIDer Gate™ and the Parental Control module block access to rogue sites that use encryption. But we assure you that they are more than up to the challenge.


Tell us what you think

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.