SLBot: A Serverless Botnet Based on Service Flux

2018 
Today, botnets continue to be a significant threat to the Internet and are still responsible for most large-scale cyber-attacks. An obvious strategy for preventing these activities is detecting the Command-and-Control (C&C) servers of a botnet. Once the C&C servers have been discovered, the botnet faces the risk of failure of its whole structure, and defenders can easily trace the owner. In recent years, attackers have begun to exploit social network websites (e.g., twitter.com) as their C&C infrastructure, which turns out to be quite stealthy but can still be detected through application-centric approaches, such as monitoring the behavior of particular usernames. In this paper, we assess the efficacy and feasibility of abusing multiple different public services to construct botnets, and propose a serverless C&C channel model using a novel strategy named Service Flux, which contains three subchannels: an addressing channel (AC), a command channel (CC), and an upload channel (UC). We implement a botnet prototype based on this model, named SLBot, and evaluate its resilience and efficiency.