2.3 Our Focused Techniques and Existing Countermeasures
2.3.3 C&C Techniques for Mobile Botnet
addition, neither HUKO nor Gateway isolates untrusted extensions from each other. This is dangerous because untrusted extensions can also be critical and need proper protection.
Balancing security against performance is the biggest challenge in developing a hypervisor-based kernel-protection system. If the monitoring granularity is too fine, e.g., intercepting and verifying every memory write by marking all memory pages read-only in the page tables, kernel integrity may be well guaranteed, but the performance overhead is unbearable. Conversely, if the monitoring granularity is coarsened, e.g., only auditing the interactions between the non-trusted kernel extensions and the kernel as HUKO does, the system overhead is greatly reduced, but attackers are left a large window.
In addition, the goal of this research is to protect the OS from being defeated by kernel rootkits, whose victims are usually non-professional users. For this reason, the developed system should have few side effects on the usability of the original OS. This mainly involves two issues. Firstly, it should require no static revisions to the original OS, which means commodity OSes can be supported directly without recompilation. Ideally, their usage remains exactly the same as before. Secondly, the hypervisor itself should be easy to install and use. Unfortunately, most existing commodity hypervisors, such as Xen, are very complex. It is too difficult for unprofessional users even to install them, much less to use them.
some particular features of mobile phones to propose new C&C techniques that are completely different from existing ones. As a result, they can easily escape detection by the existing botnet detection systems. So far, there is no formal report of such C&C in the real world, but some proof-of-concept models have been proposed by researchers. In this research, we first study the effectiveness of constructing a special C&C channel from the viewpoint of attackers and then propose some countermeasures against this channel. This differs from the work on Google Hacking and Kernel Rootkits, where we mainly study the countermeasures from the perspective of defenders.
Related Work
In 2009, Traynor et al. propose using a mobile botnet to launch a DDoS attack against the core infrastructure of the cellular network. Their simulation and analysis demonstrate that the attack can cause nation-wide outages even with a single-digit infection rate, which is a good lesson about the astonishing destructive power of mobile botnets. However, their work does not discuss how to construct a mobile botnet in detail, especially how to construct an efficient C&C channel.
The first detailed work on mobile botnet construction is done by Kapil et al. They study the feasibility of using Bluetooth as a medium for the C&C. In their design, botnet commands are propagated via Bluetooth when infected mobile phones move into each other's radio range. Through several large-scale simulations based on publicly available Bluetooth traces, they demonstrate that this malicious infrastructure is possible. However, since this C&C technique relies heavily on human mobility, its real performance is hard to guarantee, especially when the density of hijacked phones is low: according to their simulations, a command reaches only 2/3 of the bots even after 24 hours in a botnet with 100 bots. This is far from enough for DDoS attacks that require tight collaboration.
In 2010, Zeng et al. propose the first SMS-based C&C channel. In their proposal, they implement a Kademlia P2P network over SMS. The botmaster can use this network to propagate his commands. Unfortunately, the Kademlia protocol is so complex that too many messages are required for a bot to look up and then download a command. Their experiments show that a single command lookup costs 20 messages on average, even within a small botnet of just two hundred nodes. As SMS messages are usually not free and go through the cellular network monitored by telecom operators, sending an abnormally high number of messages will soon draw the attention of both telecom operators and users. In addition, since command propagation in this network uses the pull mode, bots do not know when a new command will be issued. As a result, they have to probe for new commands periodically, which also wastes a great number of messages.
Later in 2010, Mulliner et al. further investigate the potential of constructing an SMS-based botnet. They first organize the bots into a tree and flood the commands via SMS from the root node. However, such a tree-style topology suffers a critical drawback: once a node dies for any reason, all the sub-nodes of the branch rooted at this node are isolated from the botnet and can no longer receive any new commands. Although the botmaster could solve this problem by periodically broadcasting ping messages to locate dead nodes and then repair the tree, these additional messages greatly harm the botnet's stealthiness and feasibility. They then present an SMS-HTTP hybrid botnet to avoid such problems. This proposal first posts SMS messages enclosing commands on some websites and then assigns several randomly selected nodes as seeds to download and forward these messages. Unfortunately, as the destinations of these messages are encoded in the messages themselves, defenders can easily uncover the corresponding bots by decrypting the messages once the malicious websites are exposed. In addition, the seed nodes are prone to exposure because they have to send an unusually high number of messages if the botnet is large.
Based on the related work, we find that a successful C&C channel has to guarantee at least the following two requirements:
(1) Efficiency: In the proposed C&C medium, a newly issued command can reach a large enough number of hijacked devices within the short time required by the botmaster.
(2) Stealthiness: During command propagation, both the channel and the end bots should be hidden from the users and the telecom operators. Even if some nodes are captured by the defenders, only limited information about the botnet can be leaked.
Unfortunately, these two requirements conflict in many cases. For example, in an SMS-based C&C, to rapidly propagate a C&C message, a bot holding the message should quickly forward it to as many other nodes as possible. However, SMS uses the cellular network, which means all SMS messages are monitored by telecom operators and also cost money. Sending an abnormally high number of messages will soon draw the attention of both the operators and the users. Therefore, the proposed SMS-based C&C should ensure that a command can still be propagated quickly even if each node sends very few messages.
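The stealthiness constraint above is exactly what an operator-side detector keys on: a seed or relay node that forwards a command to many distinct handsets in a short burst stands out from ordinary subscribers. The following sliding-window fan-out check is an added example, not code from the thesis or from any of the cited works; the CDR-style records, numbers, window size and threshold are all constructed for illustration.

```python
"""Flag handsets whose outbound SMS fan-out is abnormal (operator-side heuristic)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a CDR-like shape: sender,recipient,timestamp.
# +15550001 bursts to 8 distinct numbers in under 3 minutes (relay-like);
# +15550002 chats with one contact; +15550003 texts 3 people 20 minutes apart.
SAMPLE_CDR = """\
+15550001,+15550100,2024-01-01T10:00:05
+15550001,+15550101,2024-01-01T10:00:20
+15550001,+15550102,2024-01-01T10:00:41
+15550001,+15550103,2024-01-01T10:01:02
+15550001,+15550104,2024-01-01T10:01:30
+15550001,+15550105,2024-01-01T10:01:55
+15550001,+15550106,2024-01-01T10:02:10
+15550001,+15550107,2024-01-01T10:02:47
+15550002,+15550200,2024-01-01T10:05:00
+15550002,+15550200,2024-01-01T10:06:30
+15550002,+15550200,2024-01-01T10:09:00
+15550003,+15550300,2024-01-01T11:00:00
+15550003,+15550301,2024-01-01T11:20:00
+15550003,+15550302,2024-01-01T11:40:00
"""

def parse_cdr(text):
    """Parse the constructed CDR text into (sender, recipient, datetime) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sender, recipient, ts = line.split(",")
        records.append((sender, recipient, datetime.fromisoformat(ts)))
    return records

def flag_fanout(records, window=timedelta(minutes=10), max_recipients=5):
    """Return {sender: peak distinct recipients} for every sender that reached
    more than max_recipients distinct destinations inside some sliding window."""
    by_sender = defaultdict(list)
    for sender, recipient, ts in records:
        by_sender[sender].append((ts, recipient))
    flagged = {}
    for sender, msgs in by_sender.items():
        msgs.sort()                      # oldest first
        start, peak = 0, 0
        for end in range(len(msgs)):
            while msgs[end][0] - msgs[start][0] > window:
                start += 1               # slide the window forward
            peak = max(peak, len({r for _, r in msgs[start:end + 1]}))
        if peak > max_recipients:
            flagged[sender] = peak
    return flagged
```

Only the bursting sender is flagged with the default window; +15550003 reaches three distinct numbers but never more than one within any 10-minute window, which is why the check is windowed rather than a plain per-day count.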
In addition, once we propose an efficient and stealthy C&C for mobile botnets, a new challenge is how to defend against it effectively.