
Searching for Botnet Command & Controls 114

Posted by Zonk
from the i-want-them-alive-no-disintegrations dept.
Orange Eater writes "eWeek has a story about a group of high-profile security researchers intensifying the search for the command-and-control infrastructure used to power botnets for malicious use. The idea is to open up a new reporting mechanism for ISPs and IT administrators to report botnet activity." From the article: "Operating under the theory that if you kill the head, the body will follow, a group of high-profile security researchers is ramping up efforts to find and disable the command-and-control infrastructure that powers millions of zombie drone machines, or bots, hijacked by malicious hackers."
This discussion has been archived. No new comments can be posted.

  • by LordOfTheNoobs (949080) on Friday March 03, 2006 @09:45AM (#14842023) Homepage
    As soon as they start tracking down the web controlled and irc controlled nets, they'll move to gnutella style distributed control systems and i2p style networks of bots. Good luck tracking one of those to its source. Onion routing anyone?
    • That is assuming those systems are not already using such distributed mechanisms.
    • For many reasons

      First, the attention it already has. Providers are aware of P2P traffic and how it clogs its cables.

      Second, lack of control. You cannot control what gets where when with P2P. You cannot say NOW we start to distribute this version, NOW we stop distributing this version. This is essential. Without, you need more sophisticated ways and less reliable ways to tell your trojan if the item it just found is "better" than what it has now.

      Third, the spread is too slow through P2P. The chance that an an
      • I'm not sure you're understanding the previous poster. He/she is talking about control networks for botnets, not about distribution mechanisms. Bots and worms can be coded to look for particular filenames on P2P and get their commands from that source. Then they look for the next filename in their list. This is used to direct the bots, not to compromise them.

        • What keeps me, as the one trying to shoot that botnet down, from uploading exactly what the 'bot is looking for and tell him to suicide?

          If the bot wants an attack script from me, I tell it to attack 127.0.0.1. Or I tell it to attack me, so I can inform the corresponding ISP of infected machines.
          • steganography [google.com] to hide the information from you. That isn't a bot command, it's a 14 byte larger than normal pornographic picture. The extra bytes? 'Author:Deadman'. Surely that doesn't mean to activate a prescripted attack.

            asymmetric encryption [google.com] to keep you from seeing anything. Now it has an extra 27 bytes that say 'dkd74jdlsid03jj663dw128db4h'. Oh, and they appear to just line it up to a word boundary.

            virtual private networks [google.com] to punch through the net. Of course you could just block all of the
      • Well first off, don't assume that what the article says is taking place is actually what is taking place. If I knew a good way to catch bot herders I would not start by telling the bot herders how I am going about it.

        The real botnet controllers are people. The DOJ has been arresting a few botherders recently, I blogged about this a week ago [blogspot.com]. I do not know how this is being done but I think it's much more likely that they are following the money, not following the bits.

        I still think that the way to bring b

  • by Jordan Catalano (915885) on Friday March 03, 2006 @09:46AM (#14842026) Homepage
    Just filter traffic looking for the string "Sarah Connor".
  • by Anonymous Coward on Friday March 03, 2006 @09:49AM (#14842043)

    Are all botnet operators dumb? There's a whole heap of things botnet operators could do to insulate themselves and their networks from attack. Examples:

    • Make the zombies accept commands from messages using asymmetric encryption. Sign your commands and use steganography to hide them in spam/Usenet/websites/images.
    • Make a P2P network divided into "cells". Have zombies only communicate with five other zombies, relaying commands amongst themselves. If one zombie goes quiet, the zombies talking to it transmit a "compromised" message to their other contacts and disable themselves, finally nuking the hard-drive.
    • Listen to existing network chatter. Bots are harder to detect if they are hidden inside existing communication. Wait until the user sends an email before sending spam for the first time, so if they have a personal firewall installed, chances are, they'll approve your bot, at which point you can send with impunity. Furthermore, you'll have their smarthost address.

    Those are just off the top of my head, I'm sure if it was my actual job to operate a botnet I could come up with something far more sophisticated. So why don't botnet operators do this? Are they all dumb?

    • Can't be bothered (Score:3, Insightful)

      by archeopterix (594938)
      Are all botnet operators dumb? There's a whole heap of things botnet operators could do to insulate themselves and their networks from attack. Examples: [snip]
      Like they actually need to. If the effort described in the article takes off, then perhaps it will become necessary. For now, the botnets thrive without going to such great lengths.
    • Many of them lack the skills required to do this. Most botnet operators don't make their own bots. The ones that do are the ones you'll never hear about.
      • Many of them lack the skills required to do this. Most botnet operators don't make their own bots. The ones that do are the ones you'll never hear about.

        So far the perps have been very willing to share attacks. Now that there is money to be made and they are in competition there is a good reason not to share new goodies. It is in the interests of the professional botherders to have lots of script kiddies doing idiotic attacks, being caught and prosecuted. I bet they would even write bots that report the o

    • by MustardMan (52102) on Friday March 03, 2006 @10:10AM (#14842174)
      Zombies you say? Well, I suppose it depends on the type of zombie. If they are Night of the Living Dead style zombies, then removing the head will indeed kill them. However, if they are Return of the Living Dead type, clearly you need to burn the entire botnet. Of course, the ashy packets would then spread to neighboring datacenters and there'd be hell to pay.
    • by qwijibo (101731) on Friday March 03, 2006 @10:22AM (#14842236)
      They don't do it because they don't have to. The goal is to maintain control over a large number of machines. Currently, the barrier to entry in this market is pretty low. If many of the control nodes are taken out, the botnet operators will change their methods to be more resilient.

      Botnets are about numbers of machines. Destroying a node (ie, formatting the hard drive) lowers the number of machines. As long as the rate of compromise is greater than the rate of attrition, the botnet will continue to grow and that is good. In this case, doing harm to users is bad business for the botnet operators. Anyway, setting up the botnet as a series of cells means that any cell being compromised has a limited impact.

      I don't assume that computer criminals are dumb. A single felony conviction for youthful stupidity can prevent an otherwise talented technical person from getting any job in many large companies. Organized crime doesn't discriminate against these people and can pay pretty well. There are a lot of security experts who are in their roles today because they never got caught and prosecuted for some of the things they did in the past.

      I first heard of the idea of using spam as a communication medium 3-4 years ago. I wouldn't be surprised if this is already being done. There's so much spam that finding a signal in all that noise would be difficult. Unless you knew exactly what you were looking for, you wouldn't be likely to find it.
    • Are all botnet operators dumb?

      No, just most of them. Anything you do to raise the barrier to entry reduces the number of people doing it.
    • Agreed,

      The largest percentage of my calls as a consultant are compromised systems, mostly via malware and virii.

      It is a good thing none of the botnets are run by ppl that are insidiously intelligent.

      It would be horrendous what could be done.

      The botnet could just become a VPN for command and control aspects, and then to make matters worse it could pickup its "orders" from any website or p2p network.

      They could run encrypted e-mail as part of the botnet and recv its commands via anon-remailers.

      It could also
  • Good luck (Score:5, Interesting)

    by dknj (441802) on Friday March 03, 2006 @09:50AM (#14842047) Journal
    As someone who has intimate knowledge about hijacking computers (I have plenty of friends from my ..er.. darker days), a lot of these botnet creators employ "features" such as port knocking and stealth commands (may appear as a simple https response) which are usually encrypted. You may be able to stop the sloppy botnets, but I can tell you now that this is not an easy problem to stop nor a friendly society to penetrate. And as a previous poster foreshadowed, a lot of them are already distributed due to the ease of shutting down a headnode. Botnet creators constantly evolve, how do you think they became so elaborate today?
    • by Anonymous Coward
      The following paper might be of interest, it does a nice dissection of the capabilities of a few popular botnet families:
      An Inside Look at Botnets (http://www.cs.wisc.edu/~pb/botnets_final.pdf [wisc.edu])
    • People write bots and operate bot nets because there is money to be made from this kind of operation. Numerous stories have been posted here and elsewhere about botnets bringing down big companies' servers or being used to extort money. This means there is a lot of money to be earned (especially in countries with no decent judicial system and/or high levels of corruption), so obviously it attracts talented folks.

      What this whole story brings to us is not, that AV and security experts deal with botnets (they'v
    • Re:Good luck (Score:4, Interesting)

      by asuffield (111848) <asuffield@suffields.me.uk> on Friday March 03, 2006 @02:06PM (#14843811)
      a lot of these botnet creators employ "features" such as

      Typical security theatre from people who just don't know much about security. None of those things will accomplish anything, because it's the same old DRM problem - if it has to run on the target host, then the person controlling that host can analyse it, reverse engineer it, and discover how it works. Having done that they can defeat it. It doesn't matter how much you encrypt or hide the communication between the loser running the botnet and the infected host - that host can be 'compromised' by a person with physical access.

      Of course, if something like Palladium ever became a reality, this would no longer be the case, which would be the security disaster everybody has been warning about.

      Also, anonymising systems like freenet are designed specifically to protect the identity of the person inserting information, so it's not necessarily possible to track down the one controlling the botnet.

      But it is very easy to defeat security theatre like port knocking and 'stealth' commands. We are always going to know precisely what the infected host is doing in one of these things.

      None of that matters though. While it could be effective in the short term to track these people back from the infected hosts, it's far more realistic to track them forwards from their clients. Money is much easier to follow.
      • Granted, you're always going to be able to reverse engineer a compromised host. The issue is that it doesn't matter - the aim is to make it take long enough that the return on investment is made, then the bad guys win.
    • Whereas I respect your opinion, I doubt that they are as sophisticated as you say. I mean, what if the authorities analyze the network traffic in and out of all ISPs? Controlling a massive DDoS attack has quite a different pattern than browsing for sports or news or downloading a movie.
      • user logs into computer and connects to banking site to check balances. trojan sends a similar https packet to decentralized bot network. bot network responds with host to attack and time to do it. trojan later begins attacking host, which could be at a time months in the future. sure if you're logging all traffic from that machine you can tell when it first occurred, but how do you know a few days/weeks/months in the past who they are going to hit and when?
  • This: "yvRpS9t6OD9ueF39E8pGSUZCssLO7XmPjyNadWjv"

    A botnet command or some other traffic?

    Or even noise for the sake of noise? (Ie, spamming the government's ears)
    • It's a Perl script that says "Hello, World!"
    • Look at its insides and you'll know whether the bot would react or consider it garbage.

      Granted, if they used some more sophisticated encryption it would probably be near impossible to find out what a "valid" command is and what isn't, unless tested against the bot. So far, they didn't.

      KISS principle. If it's not necessary, why bother? Works well without.
      • Take the bot, break it apart

        this reminds me of an old article [grc.com] over at GRC which covers this subject. interesting read.

        • That's an attack that could easily be countered. DDoSs are so 90s. :)

          Seriously now. A DDoS can be stopped. Not at the source, but at the ISP connecting you. You can't of course stop the attack from happening, but you can use powerful and sophisticated filtering and load sharing systems to stay online. A number of attacks, together with an accompanying blackmail ("pay or else we flood you"), have happened to a few services that rely heavily on internet access, namely online betting shops.

          Currently phishing is
  • This will have to go beyond simple traffic scanning. If not how would they determine whether a group of machines are bots or are simply responding to SETI@home or whatever other distributed systems are running over the 'net?

    Seems like at some level there will have to be a human protocol that decides which traffic is naughty and which is nice. Humans can be manipulated and protocols spoofed. If this weren't the case we wouldn't be having this discussion in the first place.
  • From the article: "The compromised machines are controlled by a 'botmaster' ... If that command-and-control is disabled, all the machines in that botnet become useless to the botmaster."

    Somewhere, there is a joke that begins with the quote "I AM TEH BOTMASTER!" and ends with the quote "AND I AM TEH GATEKEEPER!", but alas, I cannot figure it out right now.

    Oh slashdot, help me out here.
  • No messages have been posted to the botlist yet. I subscribed and thought I'd check out the archive... it's empty. Seems like they'd advertise lists that were up and running with content, not lists w/o any. Perhaps it was set up by bot masters so they'd know who to pick-off?
    • Actually they are looking for valid email addresses to add to their spam lists. Looks like they have yours.

      1. setup fake web site describing new security initiative
      2. get article published on slashdot about new web site
      3. collect slashdot users email addresses to add to spam list
      4. ????
      5. Profit!
  • Operating under the theory that if you kill the head, the body will follow...

    In contrast, it has been found that some zombie PCs are operating under the theory that if you cut off the head, the body will just wander around aimlessly.
  • ...shutting down IRC.
    • by Opportunist (166417) on Friday March 03, 2006 @11:06AM (#14842489)
      So far, any reaction from the "good" guys of the net caused a reaction from the "bad" guys. You turn something off? Ok. Next!

      Turn IRC off and they'll do it via usenet and have the bot read a certain (not too spammy) group religiously for his master's voice.

      When you turn that off, they'll find another way. There are so many communication tools out there, so many protocols, from MSN to Skype, and they all can and will be abused to keep the botbrain in touch with his zombies.

      Futile. The only chance is to cut the machines from the 'net that contain those trojans.
      • Turn IRC off and they'll do it via usenet and have the bot read a certain (not too spammy) group religiously for his master's voice

        Or from right here on slashdot.... I've seen the pages come across, usually has something like HELLO WOLRD on the first couple of lines, then a series of numbers/characters obviously formatted in a pattern, then ends with another obvious terminator. It looks so blatantly like a crypted message I reported it to Taco/other maintainers, but they just closed the ticket with "securit

      • Turn IRC off and they'll do it via usenet and have the bot read a certain (not too spammy) group religiously for his master's voice.

        Good luck trying to find an unmoderated usenet group that isn't full of garbage ... and I'm not referring to the spam therein, either.

        • Spam doesn't matter, actually. Just pick a specific subject line and let the bot search for this token before reading a message.

          Or have the bot follow some major online forum and have him wait for a message there.

          Or let the bot read some blog.

          Or open your own forum at something like myfreeforum, there you can even let your bot create an account and have it log in, perfect for having an accurate number of bots available.

          Or... a few other options. But this is not "Botnetting 101". :)
  • Obviously grabbing random traffic and scanning it isn't going to work. They need to "capture" one of the bots, and study it. Watch all the traffic coming and going, disassemble the software that receives and executes the commands. Then they'd have a solid base for knowing how to track and/or block traffic like that, at least for that one bot variant. So, they'd have to do that for every bot network out there. And who knows how many there really are, or how different they are.
    • Obviously grabbing random traffic and scanning it isn't going to work. They need to "capture" one of the bots, and study it.
      One Word: "Honeypot"

      All they have to do is set up a computer with XP (original, no patches) and connect it to the internet. Give it 45 minutes and you'll have all the bots you want!
  • by Dareth (47614) on Friday March 03, 2006 @10:14AM (#14842195)
    It is run by this Taco guy...

    He uses this website, slash something or other. All he has to do is put the url he wants attacked on its frontpage and all his loyal "bots" go right to work on a DDOS attack.

    Most ingenious! And I bet he profits handsomely from it too!
  • by Opportunist (166417) on Friday March 03, 2006 @10:25AM (#14842252)
    When they came into fashion, botnets were mostly comprised of infected machines that got little to no updates. They existed, some bots were discovered and eventually it phased out, only to be replaced by others. The connection was made to a static IRC Server and/or channel, the commands were static, eventually they were discovered and cut off.

    Then anti-virus and security companies got aware of the problem and started to counter it. The result were updating bots that reloaded part of their code, some configuration script or a completely new code from a static server. When we started to hunt down the update servers, update servers became dynamic as well.

    Today, botnets have a faster and more reliable update mechanism than some commercial products. More fallback servers than most companies. And a faster response time to "blackouts" than anyone in the (legal) commercial 'net.

    Another development such nets go through, right as we're talking, is that more and more of the bots get more and more features. Earlier, you had a bot that connects a spam net, another one with keylogging, another one that offers DDoS Sheep properties and so on. More and more, those features become incorporated in one bot. Instead of specialists, you get generalists.

    Today you have trojans that create proxies, at the same time they harvest your passwords, especially interested in your server passwords (to turn your personal homepage server in an update box for them), log your input (especially when you're dealing with online services that require money transfer, like paypal or ebay) and use you to send sex-spam out to others.

    Those sex-spam sites contain adware popups, those in turn are infected with 0day exploits like the WMF-exploit was. Those in turn contain more trojans.

    This all is not necessarily done by one and the same attacker. You can buy and sell those "services". One person or group creating the adware dropper, selling its finding to another group who uses it to get a sheep onto the computer, those in turn sell them to someone who wants to conduct a DDoS attack. Or they sell it to a keylogger, who then uses this to harvest your login data to some pay services to transfer your money or buy stuff for your money.

    And this business is growing.
    • It's sad to hear that the ".con" boom is still going on. Let's hope their market bottoms out like the .com did in the '90s.
      • Idiots must stop pumping money into it.

        While this was easy with the .com biz, where normally smart people thought the 'net was some kind of new big gold rush wonder land, .con could only be stopped by cutting the morons off the 'net.

        It doesn't take a genius to install a firewall, a virus tool and refrain from clicking every single piece of junk you get sent. If you can't apply 2 brain cells to a task, get outta my net!
  • Operating under the theory that if you kill the head, the body will follow

    Imagine were that not the case! Headless bots roaming the net looking for trouble.

    In all seriousness, I could imagine some nasty work that could be done to turn disbanded botnets into a bigger problem than active ones.

  • private irc servers. so obvious i don't know why the question is even asked
  • by UU7 (103653)
    What's to stop them from moving to a p2p VPN style system. Good luck separating that from legit traffic.
  • "Operating under the theory that if you kill the head, the body will follow,"


    S.H.I.E.L.D. has learned that this is not true. If you kill the head, two more will take its place. Hail HYDRA!
  • Enforcement? Hello? (Score:5, Informative)

    by mabu (178417) on Friday March 03, 2006 @11:21AM (#14842575)
    The biggest problem with spam and viruses and worms is that the federal authorities, specifically those in the United States, don't seem to give a damn about going after these criminals. They don't need to pass any new laws. Computer tampering is computer tampering and the feds are either ignorant or scared, or being told to prioritize the prosecution of these cases as low priority. If you start nailing these people, things will dramatically slow down, but the real reason spam and other attacks are increasing is because enforcement hasn't gotten off its lazy ass and started to prosecute more of these criminals. The way I figure, when Wal-Mart is interrupted by some massive bot-net, then and only then will the government suddenly recognize this is a really bad thing that needs to be dealt with.
    • Solution is simple. Tell the Feds botnets are being used by terrorists. Once they get the idea that these bot nets are being used to distribute terrorist information, crack military encryption for the terrorists and target American soldiers, and fund terrorists, Homeland security will be busting down doors. Or they will create the "Patriotic Computer Act" which forces all computers to run Federally approved anti-terrorist software, you know, the stuff to keep these evil botnets from occurring on your com
  • Honeyclients (Score:2, Interesting)

    by SparcPlug (911168)
    I think these [honeyclient.org] folks are headed in the right direction when it comes to destroying botnets.

    From their page:
    Kathy Wang ToorCon 2005
    So, what's a honeyclient?
    Honeyclients provide the capability to proactively detect client-side exploits
    Drives client application to connect to servers
    Any changes made to honeyclient system are unauthorized - no false positives!
    We can detect exploits without prior signatures


    What can honeyclients do for you?
    Allows proactive monitoring of malicious servers
    Allows d
  • "Never underestimate the power of a small tactical nuclear weapon."

    How appropriate.
  • It's not that hard. (Score:4, Informative)

    by TwistedSpring (594284) on Friday March 03, 2006 @11:59AM (#14842819) Homepage
    Netstat. Ooh I'm connected to some weird server. Ethereal, ooh I see a password being sent to join this IRC server/channel. Choose a suitable name with X-Chat or BitchX and join the channel, see the commands fly by. But don't say anything.

    I've done it many times whenever I've managed to isolate one of these trojans in Virtual PC. I've also watched the commanders having a great big "LOL" in channel, and felt awful that if I said anything it'd blow my cover. Try it today.
    • by Anonymous Coward
      So once you're on the channel, set up your own bot to send DDoS commands for any IP that connects to the channel. Now you have a bot-net that pretty much nukes itself.
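Added example, not part of any poster's comment: the traffic check TwistedSpring describes above (spotting the IRC login and channel join in a sniffed session), written as a defender-side script over captured payload lines. The record format, addresses, nicknames, channel names and function names are constructed for illustration.

```python
"""Flag outbound IRC sessions in captured client-to-server payload lines.

Added illustration: the records are constructed sample data that use
documentation address ranges, not traffic from a real botnet.
"""
import re
from collections import defaultdict

# Ports ordinary IRC clients usually connect to; other ports are noted.
USUAL_IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Client commands that make up IRC registration and a channel join.
IRC_CMD = re.compile(r"^(PASS|NICK|USER|JOIN)\s+(\S.*)$", re.IGNORECASE)

# Constructed records: (internal host, remote host, remote port, payload line)
SAMPLE_RECORDS = [
    ("10.0.0.21", "203.0.113.5", 8080, "PASS example-pass"),
    ("10.0.0.21", "203.0.113.5", 8080, "NICK xp-48213"),
    ("10.0.0.21", "203.0.113.5", 8080, "USER xp 0 * :xp"),
    ("10.0.0.21", "203.0.113.5", 8080, "JOIN #Chan1 example-key"),
    ("10.0.0.34", "203.0.113.5", 8080, "NICK xp-90177"),
    ("10.0.0.34", "203.0.113.5", 8080, "USER xp 0 * :xp"),
    ("10.0.0.34", "203.0.113.5", 8080, "JOIN #chan1 example-key"),
    ("10.0.0.50", "198.51.100.9", 6667, "NICK alice"),
    ("10.0.0.50", "198.51.100.9", 6667, "USER alice 0 * :Alice"),
    ("10.0.0.50", "198.51.100.9", 6667, "JOIN #linux"),
    # FTP logins also send USER and PASS; they must not be reported.
    ("10.0.0.60", "192.0.2.10", 21, "USER ftpuser"),
    ("10.0.0.60", "192.0.2.10", 21, "PASS example-pass"),
]


def find_irc_sessions(records):
    """Return one summary dict per flow that completes an IRC join."""
    flows = defaultdict(lambda: {"cmds": set(), "channels": set(), "keyed": False})
    for src, dst, port, line in records:
        match = IRC_CMD.match(line.strip())
        if not match:
            continue
        cmd, args = match.group(1).upper(), match.group(2).split()
        flow = flows[(src, dst, port)]
        flow["cmds"].add(cmd)
        if cmd == "JOIN":
            # "JOIN #a,#b key": channel names are case-insensitive.
            flow["channels"].update(c.lower() for c in args[0].split(","))
            flow["keyed"] = flow["keyed"] or len(args) > 1
    sessions = []
    for (src, dst, port), flow in flows.items():
        # NICK + USER + JOIN together separate IRC from FTP or stray text.
        if not {"NICK", "USER", "JOIN"} <= flow["cmds"]:
            continue
        sessions.append({
            "src": src, "dst": dst, "port": port,
            "channels": sorted(flow["channels"]),
            "server_password": "PASS" in flow["cmds"],
            "keyed_join": flow["keyed"],
            "unusual_port": port not in USUAL_IRC_PORTS,
        })
    return sessions


def shared_channels(sessions, min_hosts=2):
    """Map (server, port, channel) to the internal hosts that joined it."""
    members = defaultdict(set)
    for s in sessions:
        for channel in s["channels"]:
            members[(s["dst"], s["port"], channel)].add(s["src"])
    return {k: sorted(v) for k, v in members.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    found = find_irc_sessions(SAMPLE_RECORDS)
    for s in found:
        print(s)
    print(shared_channels(found))
```

Several internal hosts completing a keyed join to the same channel on an unusual port is the pattern that separates the two constructed infected hosts from the ordinary IRC user and the FTP login in the sample.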
  • Operating under the theory that if you kill the head, the body will follow...

    "You insensitive prick! Do you have any idea how much that stings?" [imdb.com]

  • startkeylogger

  • You can participate in this effort via mail list. Go to http://www.whitestar.linuxbox.org/mailman/listinfo/botnets [linuxbox.org] to sign up.
