Abstract

Wednesday 24 September 15:00 - 15:30, Red room.

Alexandru Maximciuc (Bitdefender), Cristina Vatamanu (Bitdefender), Razvan Benchea (Bitdefender)

Over the years, botnet creators have implemented various methods for protecting their networks, and especially their command and control servers. Since hiding a C&C means that the botnet will remain running for longer, specialized hosting services that are able to hide a server behind many proxies have appeared. During one of our investigations, we discovered a network of this type, which currently has 10 'clients' (10 servers distributing different malware families). This proxy network has two types of redirection: one on the HTTP standard port (protecting the C&C servers) and the other on the UDP standard port (protecting a dedicated server that handles the DNS resolution for domains generated by Domain Generation Algorithms or chosen at will). This infrastructure is designed in such a way as to allow critical changes to be made in the shortest time, so any abuse report regarding the proxy nodes is handled immediately. The so-called 'cleaning' is done by making some minor changes to the configuration of the proxy nodes, usually by swapping the proxies between 'clients'. Therefore, the financial loss caused by interruption of the malware is very small. In this paper we will emphasize the architecture of this network and the changes made during the time we have been monitoring it. In the end we will present some examples of malware families that make use of it.
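The abstract describes the defender's side of this work as monitoring the proxy network over time and recording when proxy nodes are swapped between 'clients' after an abuse report. The following Python is an added example, not code from the paper or from Bitdefender, showing one way such monitoring can be structured: a list of constructed daily observations (hypothetical IPs from the documentation range, hypothetical family names) of which proxy node fronted which back-end on port 80 (HTTP C&C fronts) or port 53 (the DNS resolver front), from which the script classifies each node's role and flags the days on which a node was reassigned to a different client.

```python
from collections import defaultdict

# Constructed sample observations for illustration only (not data from the paper).
# Each tuple is (day, proxy_node_ip, port, client_behind_it).
# Days 1-2 are stable; on day 3 the two HTTP fronts are swapped between
# clients, the kind of 'cleaning' change the abstract describes.
OBSERVATIONS = [
    (1, "198.51.100.10", 80, "family-A"),
    (1, "198.51.100.11", 80, "family-B"),
    (1, "198.51.100.20", 53, "dga-resolver"),
    (2, "198.51.100.10", 80, "family-A"),
    (2, "198.51.100.11", 80, "family-B"),
    (2, "198.51.100.20", 53, "dga-resolver"),
    (3, "198.51.100.10", 80, "family-B"),
    (3, "198.51.100.11", 80, "family-A"),
    (3, "198.51.100.20", 53, "dga-resolver"),
]

# Hypothetical role labels chosen for this example, keyed by the two
# standard ports the abstract mentions.
ROLE_BY_PORT = {80: "http-cnc-front", 53: "dns-front"}


def build_timeline(observations):
    """Group observations per proxy node as a day-ordered list of (day, port, client)."""
    timeline = defaultdict(list)
    for day, node, port, client in sorted(observations):
        timeline[node].append((day, port, client))
    return dict(timeline)


def classify_roles(observations):
    """Map each proxy node to its role based on the port it relays."""
    roles = {}
    for _, node, port, _ in observations:
        roles[node] = ROLE_BY_PORT.get(port, "unknown")
    return roles


def detect_reassignments(observations):
    """Return (node, day, previous_client, new_client) for every day a node
    started fronting a different client than on its previous observation."""
    changes = []
    for node, entries in build_timeline(observations).items():
        previous_client = None
        for day, _, client in entries:
            if previous_client is not None and client != previous_client:
                changes.append((node, day, previous_client, client))
            previous_client = client
    return changes


def clients_per_day(observations):
    """Count distinct clients seen each day; a stable count across a
    reassignment shows the swap kept every client online."""
    seen = defaultdict(set)
    for day, _, _, client in observations:
        seen[day].add(client)
    return {day: len(clients) for day, clients in sorted(seen.items())}


if __name__ == "__main__":
    for node, role in classify_roles(OBSERVATIONS).items():
        print(f"{node}: {role}")
    for node, day, old, new in detect_reassignments(OBSERVATIONS):
        print(f"day {day}: {node} moved from {old} to {new}")
    print("clients per day:", clients_per_day(OBSERVATIONS))
```

On the constructed data this reports both HTTP fronts changing client on day 3 while the client count stays at three every day, which is the signature of the swap the abstract describes: nodes move, but no client loses service.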
