{"id":30548,"date":"2013-10-24T10:09:21","date_gmt":"2013-10-24T17:09:21","guid":{"rendered":"http:\/\/blogs.mcafee.com\/?p=30548"},"modified":"2025-06-03T21:33:29","modified_gmt":"2025-06-04T04:33:29","slug":"periodic-links-to-control-server-offer-new-way-to-detect-botnets","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/","title":{"rendered":"Periodic Connections to Control Server Offer New Way to Detect Botnets"},"content":{"rendered":"<p>A number of recent botnets and advanced threats use HTTP as their primary communications channel with their control servers. McAfee Labs research during the last couple of years reveals that more than 60 percent of the top botnet families depend on HTTP. These numbers have increased significantly over the last few quarters. The following pie chart shows the predominance of HTTP in botnet communications.<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CC-distribution.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-30549\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CC-distribution.png\" alt=\"C&amp;C distribution\" width=\"382\" height=\"230\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CC-distribution.png 545w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CC-distribution-300x180.png 300w\" sizes=\"auto, (max-width: 382px) 100vw, 382px\" \/><\/a><\/p>\n<p>Why is HTTP so popular? One reason is that HTTP is always allowed on the network perimeter. 
Because the malicious traffic blends well with legitimate HTTP traffic, it&#8217;s hard to differentiate, and it is impossible for network security devices to block malicious traffic unless there is a known signature for it.<\/p>\n<p>The limits of the traditional signature-based approach drive security researchers to shift focus to behavioral-based approaches, but the question remains: What network behaviors should the security devices look for?<\/p>\n<p>Botnets typically work in a &#8220;pull&#8221; fashion; they continuously fetch commands from the control server, either at fixed intervals or at stealth level. Once connected, they usually &#8220;phone home&#8221; via HTTP GET\/POST requests to a specific server resource (URI). Subsequently, a botnet might execute a command sent by the server or sleep for a fixed interval before it tries again. Security researchers can perhaps leverage this connection behavior.<\/p>\n<h2>Difference Between Automated and Human-Initiated Traffic<\/h2>\n<p>An infected machine connecting periodically to a control server is automated traffic. We need to draw a line between automated and human-initiated traffic as well as between control server responses and legitimate server responses. We can rely on a few facts:<\/p>\n<ul>\n<li><span style=\"line-height: 13px;\">It is abnormal for most users to connect to a specific server resource repeatedly and at periodic intervals. There might be dynamic web pages that periodically refresh content, but these legitimate behaviors can be detected by looking at the server responses.<\/span><\/li>\n<\/ul>\n<ul>\n<li>The first connection to any web server will always have a response greater than 1KB because these are web pages. 
A response size of just 100 or 200 bytes is hard to imagine under usual conditions.<\/li>\n<\/ul>\n<ul>\n<li>Legitimate web pages will always have embedded images, JavaScript, tags, links to several other domains, links to several file paths on the same domain, etc.<\/li>\n<\/ul>\n<ul>\n<li>Browsers will send the full HTTP headers in the request unless it comes from a man-in-the-middle attack.<\/li>\n<\/ul>\n<p>The preceding points give us a specific behavior to look for on the network: repetitive connections to the same server resource over HTTP.<\/p>\n<p>If we monitor a machine under idle conditions&#8211;when the user is not logged on and the host does not generate a high volume of traffic&#8211;we can distinguish botnet activity with a high level of accuracy.<\/p>\n<p>Under these conditions, if the machine were infected with the Zeus botnet, for example, the traffic from the infected machine would look like this:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Zeur1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-30608\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Zeur1.png\" alt=\"Zeur\" width=\"810\" height=\"187\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Zeur1.png 900w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Zeur1-300x69.png 300w\" sizes=\"auto, (max-width: 810px) 100vw, 810px\" \/><\/a><\/p>\n<p>Notice that Zeus connects to one control domain and keeps sending an HTTP POST every six seconds to a specific server resource. 
Algorithmically, we&#8217;d deem an idle host&#8217;s activity repetitive and suspicious under these conditions:<\/p>\n<ul>\n<li><span style=\"line-height: 13px;\">The number of unique domains a system connects to is less than a certain threshold<\/span><\/li>\n<li>The number of unique URIs a system connects to is less than a certain threshold<\/li>\n<li>For each unique domain, the number of times a unique URI is repetitively connected to is greater than a certain threshold<\/li>\n<\/ul>\n<p>Assuming the volume of traffic from the host is low, if we evaluate the preceding conditions over a window of, say, two hours, we might come up with the following:<\/p>\n<ul>\n<li>Number of unique domains = 1 (less than the threshold)<\/li>\n<li>Number of unique URIs connected = 1 (less than the threshold)<\/li>\n<li>For each unique domain, the number of times a unique URI is repetitively connected to = 13 (greater than threshold)<\/li>\n<\/ul>\n<p>All of the thresholds can be set as configurable parameters, depending on typical traffic on a network. The following traffic pattern shows the behavior of the SpyEye botnet. The repetitive activity here occurs every 31 seconds as it connects to a specific resource.<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/spyeye1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-30660\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/spyeye1.png\" alt=\"spyeye\" width=\"1337\" height=\"164\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/spyeye1.png 1337w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/spyeye1-300x36.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/spyeye1-1024x125.png 1024w\" sizes=\"auto, (max-width: 1337px) 100vw, 1337px\" \/><\/a><\/p>\n<p>However, the solution does not mandate that repetitive activity should be seen at these fixed intervals. 
If we choose to monitor within a larger window, we could detect more stealthy activities. The following flowchart represents a possible sequence of operations.<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/flowchart1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-30757\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/flowchart1.png\" alt=\"flowchart\" width=\"499\" height=\"329\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/flowchart1.png 693w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/flowchart1-300x197.png 300w\" sizes=\"auto, (max-width: 499px) 100vw, 499px\" \/><\/a><\/p>\n<p>The first few checks are important to determine whether the host is talking too much. First, Total URI &gt; Threshold determines that we have enough traffic to look into. Next, Total Domain access &gt;\/= Y determines that the number of domains accessed is not too large. The final check is to see if Total unique URIs &lt; Z. The source ends up on the suspicious list if we believe it has generated repetitive connections.<\/p>\n<p>For instance, if the Total URIs = 30, Total Domain access = 3, and Total Unique URI accessed = 5, we guarantee a repetitive URI access from the host. Now if the number of repetitive accesses to any particular URI crosses the threshold (for example, 1 URI accessed 15 times within a window), we can further examine the connection and apply some heuristics to increase our confidence level and eliminate false positives. 
Some heuristics we can apply:<\/p>\n<ul>\n<li><span style=\"line-height: 13px;\">Minimal HTTP headers sent in the request<\/span><\/li>\n<li>Absence of User-Agent (UA) or referrer headers<\/li>\n<li>Small server responses lacking the structure of a usual web page<\/li>\n<\/ul>\n<p>Let&#8217;s look at an example of SpyEye sending minimal HTTP headers without a referrer header:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/spyeye11.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-30666\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/spyeye11.png\" alt=\"spyeye1\" width=\"669\" height=\"203\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/spyeye11.png 669w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/spyeye11-300x91.png 300w\" sizes=\"auto, (max-width: 669px) 100vw, 669px\" \/><\/a><\/p>\n<p>We implemented a proof of concept for this approach and detected repetitive activity over the network with relative ease.<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/spyeye21.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-30668\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/spyeye21.png\" alt=\"spyeye2\" width=\"436\" height=\"318\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/spyeye21.png 681w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/spyeye21-300x218.png 300w\" sizes=\"auto, (max-width: 436px) 100vw, 436px\" \/><\/a><\/p>\n<p>We applied this approach to several top botnet families that exhibit this behavior. 
We found we could detect them with a medium to high level of confidence.<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/results1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-30669\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/results1.png\" alt=\"results1\" width=\"449\" height=\"278\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/results1.png 449w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/results1-300x185.png 300w\" sizes=\"auto, (max-width: 449px) 100vw, 449px\" \/><\/a><\/p>\n<p>Behavioral detection methods will be key to detecting next-generation threats. Given the complexity and sophistication of the recent advanced attacks, such detection approaches can address threats proactively&#8211;without waiting for signature updates&#8211;and will prove to be much faster.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A number of recent botnets and advanced threats use HTTP as their primary communications channel with their control servers. 
McAfee&#8230;<\/p>\n","protected":false},"author":1088,"featured_media":102121,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1411],"coauthors":[786],"class_list":["post-30548","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs","tag-advanced-persistent-threats"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Periodic Connections to Control Server Offer New Way to Detect Botnets | McAfee Blog<\/title>\n<meta name=\"description\" content=\"A number of recent botnets and advanced threats use HTTP as their primary communications channel with their control servers. McAfee Labs research during\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Periodic Connections to Control Server Offer New Way to Detect Botnets | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"A number of recent botnets and advanced threats use HTTP as their primary communications channel with their control servers. 
McAfee Labs research during\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2013-10-24T17:09:21+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-04T04:33:29+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"768\" \/>\n\t<meta property=\"og:image:height\" content=\"432\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Chintan Shah\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Chintan Shah\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/\"},\"author\":{\"name\":\"Chintan Shah\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/48a67aca4e443a833854424927b55569\"},\"headline\":\"Periodic Connections to Control Server Offer New Way to Detect Botnets\",\"datePublished\":\"2013-10-24T17:09:21+00:00\",\"dateModified\":\"2025-06-04T04:33:29+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/\"},\"wordCount\":1010,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432-1.jpg\",\"keywords\":[\"advanced persistent threats\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/\",\"name\":\"Periodic Connections to Control Server Offer New Way to Detect Botnets | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432-1.jpg\",\"datePublished\":\"2013-10-24T17:09:21+00:00\",\"dateModified\":\"2025-06-04T04:33:29+00:00\",\"description\":\"A number of recent botnets and advanced threats use HTTP as their primary communications channel with their control servers. McAfee Labs research during\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432-1.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432-1.jpg\",\"width\":768,\"height\":432},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/#breadcrumb\
",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Periodic Connections to Control Server Offer New Way to Detect Botnets\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/48a67aca4e443a833854424927b55569\",\"nam
e\":\"Chintan Shah\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/4bd41c8738b3a7e04f993101170b3377\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/Chintan-Shah-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/Chintan-Shah-96x96.jpg\",\"caption\":\"Chintan Shah\"},\"description\":\"Chintan Shah is currently working as a Security Researcher with McAfee Intrusion Prevention System team and holds broad experience in the network security industry. He primarily focuses on Exploit and vulnerability research, building Threat Intelligence frameworks, Reverse engineering techniques and malware analysis. Chintan had researched and uncovered multiple targeted and espionage attacks in the past blogging about them. His interests lies in software fuzzing for vulnerability discovery, analyzing exploits, malwares and translating to product improvement.\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/chintan-shah\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Periodic Connections to Control Server Offer New Way to Detect Botnets | McAfee Blog","description":"A number of recent botnets and advanced threats use HTTP as their primary communications channel with their control servers. McAfee Labs research during","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Periodic Connections to Control Server Offer New Way to Detect Botnets | McAfee Blog","og_description":"A number of recent botnets and advanced threats use HTTP as their primary communications channel with their control servers. 
McAfee Labs research during","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2013-10-24T17:09:21+00:00","article_modified_time":"2025-06-04T04:33:29+00:00","og_image":[{"width":768,"height":432,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432-1.jpg","type":"image\/jpeg"}],"author":"Chintan Shah","twitter_card":"summary_large_image","twitter_creator":"@McAfee","twitter_site":"@McAfee","twitter_misc":{"Written by":"Chintan Shah","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/"},"author":{"name":"Chintan Shah","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/48a67aca4e443a833854424927b55569"},"headline":"Periodic Connections to Control Server Offer New Way to Detect 
Botnets","datePublished":"2013-10-24T17:09:21+00:00","dateModified":"2025-06-04T04:33:29+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/"},"wordCount":1010,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432-1.jpg","keywords":["advanced persistent threats"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/","name":"Periodic Connections to Control Server Offer New Way to Detect Botnets | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432-1.jpg","datePublished":"2013-10-24T17:09:21+00:00","dateModified":"2025-06-04T04:33:29+00:00","description":"A number of recent botnets and advanced threats use HTTP as their primary communications channel with their control servers. 
McAfee Labs research during","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432-1.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432-1.jpg","width":768,"height":432},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/periodic-links-to-control-server-offer-new-way-to-detect-botnets\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Periodic Connections to Control Server Offer New Way to Detect Botnets"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security 
News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/48a67aca4e443a833854424927b55569","name":"Chintan Shah","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/4bd41c8738b3a7e04f993101170b3377","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/Chintan-Shah-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/Chintan-Shah-96x96.jpg","caption":"Chintan Shah"},"description":"Chintan Shah is currently working as a Security Researcher with McAfee Intrusion Prevention System team and holds broad experience in the network security industry. He primarily focuses on Exploit and vulnerability research, building Threat Intelligence frameworks, Reverse engineering techniques and malware analysis. 
Chintan had researched and uncovered multiple targeted and espionage attacks in the past blogging about them. His interests lies in software fuzzing for vulnerability discovery, analyzing exploits, malwares and translating to product improvement.","url":"https:\/\/www.mcafee.com\/blogs\/author\/chintan-shah\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/30548","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/1088"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=30548"}],"version-history":[{"count":3,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/30548\/revisions"}],"predecessor-version":[{"id":215041,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/30548\/revisions\/215041"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/102121"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=30548"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=30548"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=30548"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=30548"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}