Botnet Triple-Channel Model: Towards Resilient and Efficient Bidirectional Communication Botnets

2013 
Current research on future botnets focuses mainly on designing a resilient downlink command and control (C&C) channel. The uplink data channel, which is generally vulnerable, inefficient, or even absent, has attracted little attention. In fact, most current botnets (even large-scale and well-known ones) have either a resilient (and possibly efficient) unidirectional downlink C&C channel or a vulnerable bidirectional communication channel, which makes them either hard to monitor or easy to take down. To address this problem and equip a botnet with resilient and efficient bidirectional communication, this paper proposes a communication channel division scheme and, on top of it, a Botnet Triple-Channel Model (BTM). In a nutshell, BTM divides a traditional communication channel into three independent sub-channels, denoted the Command Download Channel (CDC), the Registration Channel (RC) and the Data Upload Channel (DUC). To demonstrate feasibility, we implement a BTM-based botnet prototype named RoemBot, which uses URL Flux for the CDC, Domain Flux for the RC and Cloud Flux for the DUC. We also evaluate the resilience and efficiency of RoemBot. We conclude that resilient and efficient bidirectional communication design represents a main direction of future botnets.
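The Registration Channel in the abstract rides on Domain Flux, which from the defender's side shows up as a client resolving many algorithmically generated names of which only a few are actually registered. The following is an added example, not code from the paper or from RoemBot: a small Python detector that scores each client in a constructed DNS log by its NXDOMAIN ratio and the mean Shannon entropy of the second-level labels it queries, and flags clients that exceed both thresholds. The log lines, the thresholds (min_queries, nx_threshold, entropy_threshold) and the helper names are assumptions made for illustration; the typo-only client is included to show that NXDOMAIN volume alone does not trigger a flag.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (client, queried name, response code).
# These lines are made up for this example; they are not data from the paper.
SAMPLE_DNS_LOG = [
    "10.0.0.5 www.example.com NOERROR",
    "10.0.0.5 mail.example.com NOERROR",
    "10.0.0.5 cdn.example.net NOERROR",
    "10.0.0.5 www.google.com NOERROR",
    "10.0.0.7 exmaple.com NXDOMAIN",        # user typos: NXDOMAIN but low entropy
    "10.0.0.7 googel.com NXDOMAIN",
    "10.0.0.7 google.com NOERROR",
    "10.0.0.7 example.com NOERROR",
    "10.0.0.9 xk3q9vz2pl8w.com NXDOMAIN",   # flux-style candidates: only one registered
    "10.0.0.9 m7rtb4ylqh2k.com NXDOMAIN",
    "10.0.0.9 zp9xw3ev6ukn.com NXDOMAIN",
    "10.0.0.9 q2hd8vmt5jzx.com NOERROR",
    "10.0.0.9 b6ktn4yqr9wz.com NXDOMAIN",
]


def shannon_entropy(label):
    """Bits of entropy per character of a string (0.0 for empty or single-symbol input)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(name):
    """The registrable label a DGA typically randomises: 'cdn.example.net' -> 'example'."""
    parts = name.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_hosts(lines, min_queries=4, nx_threshold=0.5, entropy_threshold=3.5):
    """Per-client NXDOMAIN ratio and mean label entropy; flags clients exceeding both thresholds.

    Thresholds are illustrative assumptions, not values from the paper.
    """
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "entropy_sum": 0.0})
    for line in lines:
        client, name, rcode = line.split()
        s = stats[client]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
        s["entropy_sum"] += shannon_entropy(second_level_label(name))

    result = {}
    for client, s in stats.items():
        q = s["queries"]
        nx_ratio = s["nxdomain"] / q
        mean_entropy = s["entropy_sum"] / q
        result[client] = {
            "queries": q,
            "nx_ratio": nx_ratio,
            "mean_entropy": mean_entropy,
            "flagged": (q >= min_queries
                        and nx_ratio >= nx_threshold
                        and mean_entropy >= entropy_threshold),
        }
    return result


def flagged_hosts(lines, **kwargs):
    """Sorted list of client addresses whose query pattern looks like domain flux."""
    return sorted(c for c, s in score_hosts(lines, **kwargs).items() if s["flagged"])


if __name__ == "__main__":
    for client, s in score_hosts(SAMPLE_DNS_LOG).items():
        print(f"{client}: {s['queries']} queries, NXDOMAIN ratio {s['nx_ratio']:.2f}, "
              f"mean label entropy {s['mean_entropy']:.2f}, flagged={s['flagged']}")
```

Both signals are needed: the typo client 10.0.0.7 reaches the NXDOMAIN ratio threshold but its labels are ordinary words with low entropy, while the flux client 10.0.0.9 combines a high failure rate with high-entropy labels. In practice the window should be time-bounded and the entropy feature complemented with lexical or n-gram models, since some DGAs draw from wordlists and keep entropy low.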