
Searching for Botnet Command & Controls 114

Orange Eater writes "eWeek has a story about a group of high-profile security researchers intensifying the search for the command-and-control infrastructure used to power botnets for malicious use. The idea is to open up a new reporting mechanism for ISPs and IT administrators to report botnet activity." From the article: "Operating under the theory that if you kill the head, the body will follow, a group of high-profile security researchers is ramping up efforts to find and disable the command-and-control infrastructure that powers millions of zombie drone machines, or bots, hijacked by malicious hackers."
  • by Anonymous Coward on Friday March 03, 2006 @09:49AM (#14842043)

    Are all botnet operators dumb? There's a whole heap of things botnet operators could do to insulate themselves and their networks from attack. Examples:

    • Make the zombies accept commands from messages using asymmetric encryption. Sign your commands and use stenography to hide them in spam/Usenet/websites/images.
    • Make a P2P network divided into "cells". Have zombies only communicate with five other zombies, relaying commands amongst themselves. If one zombie goes quiet, the zombies talking to it transmit a "compromised" message to their other contacts and disable themselves, finally nuking the hard-drive.
    • Listen to existing network chatter. Bots are harder to detect if they are hidden inside existing communication. Wait until the user sends an email before sending spam for the first time, so if they have a personal firewall installed, chances are, they'll approve your bot, at which point you can send with impunity. Furthermore, you'll have their smarthost address.

    Those are just off the top of my head, I'm sure if it was my actual job to operate a botnet I could come up with something far more sophisticated. So why don't botnet operators do this? Are they all dumb?

  • by Afecks ( 899057 ) on Friday March 03, 2006 @10:06AM (#14842137)
    Many of them lack the skills required to do this. Most botnet operators don't make their own bots. The ones that do are the ones you'll never hear about.
  • Enforcement? Hello? (Score:5, Informative)

    by mabu ( 178417 ) on Friday March 03, 2006 @11:21AM (#14842575)
    The biggest problem with spam and viruses and worms is that the federal authorities, specifically those in the United States, don't seem to give a damn about going after these criminals. They don't need to pass any new laws. Computer tampering is computer tampering and the feds are either ignorant or scared, or being told to prioritize the prosecution of these cases as low priority. If you start nailing these people, things will dramatically slow down, but the real reason spam and other attacks are increasing is because enforcement hasn't gotten off its lazy ass and started to prosecute more of these criminals. The way I figure, when Wal-Mart is interrupted by some massive bot-net, then and only then will the government suddenly recognize this is a really bad thing that needs to be dealt with.
  • by bermudatriangleoflov ( 951747 ) on Friday March 03, 2006 @11:29AM (#14842622)
    Agreed. I had a small game server business that I ran on the side to make a few bucks and as a hobby. Our revenue per month was only a few thousand dollars. We were hit by a large and coordinated botnet DDoS attack that disabled our servers for a day, causing us to lose customers.

    We notified the FBI; the conversation went something like this:

    FBI: How much money did your company lose as a result of this attack?

    Us: Well maybe a thousand dollars from lost customers, etc.

    FBI: If there wasn't $10,000 in damage we can't help you.

  • It's not that hard. (Score:4, Informative)

    by TwistedSpring ( 594284 ) on Friday March 03, 2006 @11:59AM (#14842819) Homepage
    Netstat. Ooh I'm connected to some weird server. Ethereal, ooh I see a password being sent to join this IRC server/channel. Choose a suitable name with X-Chat or BitchX and join the channel, see the commands fly by. But don't say anything.

    I've done it many times whenever I've managed to isolate one of these trojans in Virtual PC. I've also watched the commanders having a great big "LOL" in channel, and felt awful that if I said anything it'd blow my cover. Try it today.
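
The first step the comment above describes (noticing an unexpected connection in netstat output) can be automated on a host under investigation. This is an added example, not part of the original thread; the port list, the function names and the sample netstat text are assumptions constructed for illustration.

```python
import re

# Assumption: ports conventionally used by IRC servers (6667 is the classic default).
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Constructed sample resembling `netstat -ano` output; not real capture data.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:1045      203.0.113.77:6667      ESTABLISHED     1388
  TCP    192.168.1.20:1051      198.51.100.10:80       ESTABLISHED     2040
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    192.168.1.20:1060      203.0.113.77:6667      TIME_WAIT       0
  TCP    127.0.0.1:1070         127.0.0.1:6667         ESTABLISHED     3100
  TCP    [fe80::1]:1080         [2001:db8::5]:7000     ESTABLISHED     1388
"""

# Proto, local endpoint, remote endpoint, state, optional PID column.
LINE_RE = re.compile(
    r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\w+)(?:\s+(\d+))?\s*$", re.IGNORECASE)

def split_endpoint(endpoint):
    """Split 'host:port' or '[v6]:port' into (host, port or None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None

def suspicious_irc_connections(netstat_text):
    """Return established, non-loopback TCP connections to IRC-style ports."""
    hits = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or non-TCP entry
        _local, remote, state, pid = m.groups()
        host, port = split_endpoint(remote)
        if state.upper() != "ESTABLISHED" or port not in IRC_PORTS:
            continue
        if host.startswith("127.") or host == "::1":
            continue  # loopback, e.g. a locally run IRC bouncer
        hits.append({"remote": host, "port": port,
                     "pid": int(pid) if pid else None})
    return hits

if __name__ == "__main__":
    for hit in suspicious_irc_connections(SAMPLE_NETSTAT):
        print(hit)
```

A hit is only a lead: a legitimate IRC client produces the same pattern, so the PID still has to be tied to a process and checked.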
