A QUANTUM Thought: Ghost Servers to command your Botnet

QUANTUM Ephemeral Command and Control


In writing my Wired article about the possible uses of the NSA QUANTUM (packet injection/weaponized wiretaps), there is one application that I didn’t consider at the time, ephemeral command and control (C&C), a technique which enables “ghost” command and control servers.

When you have a global network of compromised machines (a ‘botnet’ in the general parlance), it is often a huge problem maintaining command and control over the victims. If you construct a peer-to-peer network, someone could detect your bots by observing the peer-to-peer traffic. If you use central servers, someone could identify your central servers (and worse, attempt to identify the owner of said servers).

Yet with a global network of QUANTUM wiretaps, it becomes possible to use ghost servers to command these bots.

Simply program your bots so that, when they want to request instructions, they contact a normal server somewhere on the Internet. In the bot’s communication, have it encode (either in the packet headers or in the content) any requests it has for the command and control system. The bot could even embed these requests in normal communication, such as by creating a “secret knock” in the traffic.

The C&C system is not a server on the Internet, but the QUANTUM wiretaps themselves. When they see a request pass the wiretap that they want to answer, the QUANTUM wiretap could insert a packet encoding its reply. The bot sees the reply and acts accordingly.

The result is ghost servers for command and control. The requests from the bots, and any data they choose to exfiltrate, simply go out into the ether, safe in the knowledge that somewhere one of the wiretaps will intercept them. Commands to the bots simply appear out of the ether when necessary, injected into otherwise normal traffic. Since the bots themselves were almost certainly infected using packet injection, it is highly unlikely that the commands will be detected.
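One way a network defender could look for the artifact this scheme leaves on the wire, as an added example that is not part of the original post: a passive injector must race the genuine reply, so a tap that sees both ends of a flow records two segments at the same sequence position with different contents (and usually a different TTL, since the injected packet took a different path). The segment records below are constructed, and the field layout is an assumption about what such a tap would log.

```python
from collections import namedtuple

Segment = namedtuple("Segment", "src dst seq ttl payload")

# Constructed sample of server-to-client TCP segments as seen at a tap.
# The last two records model the injection race described above: the same
# flow and sequence number, but the injected reply carries different content
# and arrived with a different hop count than the genuine server reply.
SAMPLE_SEGMENTS = [
    Segment("203.0.113.10:443", "198.51.100.7:51000", 1000, 52, b"HTTP/1.1 200 OK\r\n"),
    Segment("203.0.113.10:443", "198.51.100.7:51000", 1000, 52, b"HTTP/1.1 200 OK\r\n"),  # plain retransmit
    Segment("203.0.113.10:443", "198.51.100.7:51000", 1017, 52, b"<html>..."),
    Segment("203.0.113.10:443", "198.51.100.7:51001", 5000, 52, b"HTTP/1.1 200 OK\r\n"),
    Segment("203.0.113.10:443", "198.51.100.7:51001", 5000, 47, b"HTTP/1.1 200 OK\r\nX-Cmd: constructed\r\n"),
]


def find_injection_races(segments):
    """Flag (src, dst, seq) positions that carry conflicting segments.

    A normal retransmission repeats the same bytes with the same TTL and is
    ignored; an injected reply racing the real one shows up as a second
    segment at the same sequence number with a different payload or TTL.
    """
    first_seen = {}
    alerts = []
    for seg in segments:
        key = (seg.src, seg.dst, seg.seq)
        if key not in first_seen:
            first_seen[key] = seg
            continue
        prev = first_seen[key]
        payload_differs = prev.payload != seg.payload
        ttl_delta = abs(prev.ttl - seg.ttl)
        if payload_differs or ttl_delta:
            alerts.append({
                "flow": f"{seg.src} -> {seg.dst}",
                "seq": seg.seq,
                "ttl_delta": ttl_delta,
                "payload_differs": payload_differs,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_injection_races(SAMPLE_SEGMENTS):
        print("possible injection race:", alert)
```

Real captures also need per-direction reassembly and tolerance for segments that overlap rather than align exactly; this check only covers the aligned case.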

I have no knowledge or evidence that the NSA is using such a C&C structure, but I suspect they are. It provides a unique and amazingly effective solution to the botnet command and control problem. No central servers, no peer to peer, just simple requests on the wind and whispers in reply.

But if they aren’t: Hey NSA guys, do this. If you are going to hack the rest of the world, at least do the best job you can!


Additional note: Thanks to Matthew Green for reminding me of Telex, an anti-censorship proposal by J. Alex Halderman, Ian Goldberg, Eric Wustrow, and Scott Wolchok. This is effectively “Telex for Botnets”.