Command and Control communications
- Most bots do not listen on ports, because administrators could block these ports.
- Bots will initiate communications with C&C server to appear legitimate.
- How bots locate C&C server:
- fixed IP list (weak) and
- DNS lookup of the C&C server (reliable).
- Defense beyond anti-virus: take down the domain (s) , block DNS access (?!?!).
- The economics of botnets.