Searching for Botnet Command & Controls

Orange Eater writes "eWeek has a story about a group of high-profile security researchers intensifying the search for the command-and-control infrastructure used to power botnets for malicious use. The idea is to open up a new reporting mechanism for ISPs and IT administrators to report botnet activity." From the article: "Operating under the theory that if you kill the head, the body will follow, a group of high-profile security researchers is ramping up efforts to find and disable the command-and-control infrastructure that powers millions of zombie drone machines, or bots, hijacked by malicious hackers."
  • Good luck (Score:5, Interesting)

    by dknj ( 441802 ) on Friday March 03, 2006 @09:50AM (#14842047) Journal
    As someone who has intimate knowledge about hijacking computers (I have plenty of friends from my ..er.. darker days), a lot of these botnet creators employ "features" such as port knocking and stealth commands (may appear as a simple https response) which are usually encrypted. You may be able to stop the sloppy botnets, but I can tell you now that this is not an easy problem to stop nor a friendly society to penetrate. And as a previous poster foreshadowed, a lot of them are already distributed due to the ease of shutting down a headnode. Botnet creators constantly evolve; how do you think they became so elaborate today?
  • by Opportunist ( 166417 ) on Friday March 03, 2006 @10:25AM (#14842252)
    When they came into fashion, botnets were mostly comprised of infected machines that got little to no updates. They existed, some bots were discovered and eventually it phased out, only to be replaced by others. The connection was made to a static IRC server and/or channel, the commands were static, and eventually they were discovered and cut off.

    Then anti-virus and security companies became aware of the problem and started to counter it. The result was updating bots that reloaded part of their code, some configuration script or a completely new code from a static server. When we started to hunt down the update servers, update servers became dynamic as well.

    Today, botnets have a faster and more reliable update mechanism than some commercial products. More fallback servers than most companies. And a faster response time to "blackouts" than anyone in the (legal) commercial 'net.

    Another development such nets go through, right as we're talking, is that more and more of the bots get more and more features. Earlier, you had a bot that connects to a spam net, another one with keylogging, another one that offers DDoS sheep properties and so on. More and more, those features become incorporated in one bot. Instead of specialists, you get generalists.

    Today you have trojans that create proxies, at the same time they harvest your passwords, especially interested in your server passwords (to turn your personal homepage server into an update box for them), log your input (especially when you're dealing with online services that require money transfer, like PayPal or eBay) and use you to send sex-spam out to others.

    Those sex-spam sites contain adware popups, those in turn are infected with 0day exploits like the WMF-exploit was. Those in turn contain more trojans.

    This all is not necessarily done by one and the same attacker. You can buy and sell those "services". One person or group creating the adware dropper, selling its finding to another group who uses it to get a sheep onto the computer, those in turn sell them to someone who wants to conduct a DDoS attack. Or they sell it to a keylogger, who then uses this to harvest your login data to some pay services to transfer your money or buy stuff for your money.

    And this business is growing.
  • by Opportunist ( 166417 ) on Friday March 03, 2006 @10:52AM (#14842393)
    For many reasons:

    First, the attention it already has. Providers are aware of P2P traffic and how it clogs their cables.

    Second, lack of control. You cannot control what gets where when with P2P. You cannot say NOW we start to distribute this version, NOW we stop distributing this version. This is essential. Without it, you need more sophisticated and less reliable ways to tell your trojan if the item it just found is "better" than what it has now.

    Third, the spread is too slow through P2P. The chance that an antivirus or security company has a copy of the virus and can work out an antivirus signature or removal kit (not to mention an in-depth analysis) BEFORE it has spread widely enough is simply too big.
  • Honeyclients (Score:2, Interesting)

    by SparcPlug ( 911168 ) on Friday March 03, 2006 @11:23AM (#14842591)
    I think these [honeyclient.org] folks are headed in the right direction when it comes to destroying botnets.

    From their page:
    Kathy Wang, ToorCon 2005

    So, what's a honeyclient?
    - Honeyclients provide the capability to proactively detect client-side exploits
    - Drives client application to connect to servers
    - Any changes made to honeyclient system are unauthorized - no false positives!
    - We can detect exploits without prior signatures

    What can honeyclients do for you?
    - Allows proactive monitoring of malicious servers
    - Allows discovery of client 0-day
    - This can be extended beyond just HTTP clients
    - Any other client-server based protocol will work
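The detection idea in the slides above (snapshot the client system, drive the client at a server, snapshot again, treat every difference as unauthorized) as an added illustration; this is not code from honeyclient.org or from the poster. The "system" is a throwaway directory, the snapshot is a set of file hashes, and the client drive is a callable that stands in for a browser visit; both server behaviours are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every regular file under root to its SHA-256 (a simplified system snapshot)."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_snapshots(before, after):
    """Classify differences between two snapshots as added, removed or modified paths."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def honeyclient_visit(root, drive_client):
    """Snapshot, drive the client against a server, snapshot again.

    The honeyclient never changes its own state during a visit, so any difference
    is an unauthorized change and is reported without needing a prior signature.
    Returns (compromised, changes).
    """
    before = snapshot(root)
    drive_client(root)
    after = snapshot(root)
    changes = diff_snapshots(before, after)
    return any(changes.values()), changes


def run_demo(malicious):
    """Run one visit against a constructed throwaway 'system' directory."""
    def benign_visit(root):        # hypothetical clean server: client state untouched
        pass

    def drive_by_visit(root):      # hypothetical exploit server: drops a file, edits hosts
        (Path(root) / "startup.exe").write_bytes(b"constructed sample, not real code")
        (Path(root) / "hosts").write_text("127.0.0.1 localhost\n192.0.2.1 bank.example\n")

    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "hosts").write_text("127.0.0.1 localhost\n")
        (Path(tmp) / "browser.cfg").write_text("homepage=about:blank\n")
        return honeyclient_visit(tmp, drive_by_visit if malicious else benign_visit)


if __name__ == "__main__":
    print(run_demo(malicious=True))  # (True, {'added': ['startup.exe'], 'removed': [], 'modified': ['hosts']})
```

A real honeyclient would snapshot the registry, process list and file system of a disposable VM rather than one directory, but the decision rule is the same: no baseline of "known bad" is needed, only a baseline of the client's own state.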
  • Re:Good luck (Score:4, Interesting)

    by asuffield ( 111848 ) <asuffield@suffields.me.uk> on Friday March 03, 2006 @02:06PM (#14843811)
    a lot of these botnet creators employ "features" such as

    Typical security theatre from people who just don't know much about security. None of those things will accomplish anything, because it's the same old DRM problem - if it has to run on the target host, then the person controlling that host can analyse it, reverse engineer it, and discover how it works. Having done that they can defeat it. It doesn't matter how much you encrypt or hide the communication between the loser running the botnet and the infected host - that host can be 'compromised' by a person with physical access.

    Of course, if something like Palladium ever became a reality, this would no longer be the case, which would be the security disaster everybody has been warning about.

    Also, anonymising systems like freenet are designed specifically to protect the identity of the person inserting information, so it's not necessarily possible to track down the one controlling the botnet.

    But it is very easy to defeat security theatre like port knocking and 'stealth' commands. We are always going to know precisely what the infected host is doing in one of these things.

    None of that matters though. While it could be effective in the short term to track these people back from the infected hosts, it's far more realistic to track them forwards from their clients. Money is much easier to follow.
