Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror

Meet the Botnet Hunters 194

Posted by ScuttleMonkey
from the volunteer-fun dept.
An anonymous reader writes "The Washington Post is running a pretty decent story about 'Shadowserver,' one of a growing number of volunteer groups dedicated to infiltrating and disabling botnets. The story covers not only how these guys do their work but the pitfalls of bothunting as well. From the article: 'Even after the Shadowserver crew has convinced an ISP to shut down a botmaster's command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'"
This discussion has been archived. No new comments can be posted.

Meet the Botnet Hunters

Comments Filter:
  • by blinkless (835747) on Tuesday March 21, 2006 @03:14PM (#14966688)
    We don't need their scum.
  • info on botnets (Score:5, Informative)

    by flynt (248848) on Tuesday March 21, 2006 @03:14PM (#14966693)
    Is there a central location that tracks the current largest botnets, what their purpose is, their communication mechanisms, etc? I googled and couldn't find much.
  • by putko (753330) on Tuesday March 21, 2006 @03:15PM (#14966703) Homepage Journal
    Botmasters will switch to gossip-based protocols (like p2p) to achieve their goals. The good ones have done this already.

    This is required for other reasons: if you have more than 10K or so bots, you are better off with a distributed mechanism.

    Interestingly enough, most of the botmasters are not so technical - they wouldn't be able to comprehend virtual synchrony if it smacked them in the face.
    • by toad3k (882007) on Tuesday March 21, 2006 @03:29PM (#14966825)
      What I don't understand, is if these guys can see every bot on the network, have an infected honey pot of their own, why can't they take control of the computers, tell them to pop up a "you've been infected, moron" window and format themselves? In the end it is probably better for the individual than allowing them to get keylogged etc.

      Or are the backdoors they are using more sophisticated than that?
      • by sumdumass (711423) on Tuesday March 21, 2006 @03:49PM (#14966992) Journal
        I would imagine fear of the law and getting suied or thrown in jail. Not to mention poping open a window might be as unoticed as the popup wanting to increase my member size. It would take some sort of government imunity to prosecution to aviod getting getting tangled in the same laws that make computer tresspass ilegal. Maybe some program that you can sighn up with and keep detailed logs or let them keep the logs.

        Now on another note, If we did allow these people to do as you say and included the "i'm doing good not evil" as an excuse, how many real attackers can use that as thier claim to inocence when they do eventualy get busted? I mean if I can avoid prosecution for poping up a windows that says your infected, I could end all my botnet attacks that way and make the window apear to be a standard popup from spyware that also effecting the computer.

        I don't see why the law isn't going after these bot net people like they would if I broke into some companies mainframe and used thier computers to compile code. Maybe instead of having the ISP turn the domain off, they should alert the proper athorities (in each country involved) and see if they can get enough information to make an example of them. I doubt it would take mor ethen a couple dozen prosecutions with maximum penalties to discourage the vast majority of these net operaters form trying it in the first place.
        • I would imagine fear of the law and getting suied or thrown in jail.

          So, here's a clue: Don't tell anybody you did it.

          I mean, really. Make a popup or something that says you've been infected to the users, or better yet, just have the bot kill itself quietly and not do anything else. No need for it to be damaging, it's enough to have the bot just stop running and kill it's own restart sequence. Voila, instant botnet death.

          Hell, maybe it's a normally available patch that just hasn't been applied, in which case
          • Well we are walking a thin line here. Suppose I start a monitoring station and report everythign to the governments and capture his or your commands. Now you are on the watch list and could be blamed and you didn't "tell anyone".

            As for windows update? From time to time you will see that windows update will break certain aplications and hardware devices. What happenes when this update gets another update that doesn this exactly. Shure a patch might be avalible for the hardware or product but maybe not for
            • I didn't say to actually update the thing. Just make it pop up the website. Let the user run his own update. There's a difference between throwing suggested courses of action in the users face and taking that action for yourself.

              Yes, doing so would be against the law too. Well, you know what? Fuck the law. The law isn't solving the problem. The law is never going to solve the problem. People keep bitching that users are not fixing their shit, and this is true, so I suggest that instead of trying all this le
              • I see and understand what your saying. I just don't think two wrongs actualy make a right. It does make you feel better but if you murder some one because they murdered someone were close to, guess what that still makes you a murderer.

                Notifying the ISP and having them cut thier service off is something that isn't being pursued enough. Time warner would send out emails with deadlines when your computer was thought to be infected and spreading virus's. I'm not sure if they st ill do. As i see the problem, ISP
        • I would imagine fear of the law and getting suied[sic] or thrown in jail. Not to mention poping[sic] open a window might be as unoticed[sic] as the popup wanting to increase my member size. It would take some sort of government imunity[sic] to prosecution to aviod[sic] getting getting tangled in the same laws that make computer tresspass[sic] ilegal[sic].

          I can back you up here. I know some security researchers who monitor botnets and they don't shut them down for legal reasons. They do get the command

        • Maybe [...] they should alert the proper athorities (in each country involved) and see if they can get enough information to make an example of them. I doubt it would take more then a couple dozen prosecutions with maximum penalties to discourage the vast majority of these net operaters form trying it in the first place.

          From what I've seen of the chat logs of these botnet operators (interviews, news articles, etc.) they typically don't speak English-as-a-first-language, which implies they're operating out

      • For 90% of the zombies out there even if the computer screams through the speakers "You are infected moron" and displays this on screen permanently the owner will not clean it up. At best they will call Dell and tell that the spanking new PC they bought one week ago has broken speakers.

        Just history repeating itself.

        Nearly 14 years when I lived in a country on the other side of what used to be the iron curtain I saw one of these cases with my own eyes. Two newly fledged "politology scientists" (no comment on
      • why can't they take control of the computers, tell them to pop up a "you've been infected, moron" window and format themselves?

        Those bots "patch" the backdoors so nobody else can get in through the hole
      • by c6gunner (950153) on Tuesday March 21, 2006 @04:04PM (#14967106)
        Formating the guy's HD might be a little extreme, but back when I actually used IRC, I used to get bots trying to infect me all the time. So I'd run the file, capture and analyze the packets it sends as it's connecting, then shut it down, reconnect using mIRC, and take over the botnet. From there it was a simple matter to get them to accept a script which would eradicate all the bots.

        They're getting more complex these days, but the same principles still apply. Once you get one on your system, it's a simple matter to analyze it and use it to take control off, and destroy, the rest of them.
        • Are you nuts? I want to keep the damned thongs off my system.
      • I think the ability to popup a message would have to be specifically programmed into whatever backdoor program they are using. AFAIK, the trojans/backdoors are configured to do very specific things such as send spam, install malware, DDoS, etc. I don't think a botnet owner really has full control over a zombie in most cases.

        -matthew
    • Why would a bot master want to use a protocol that likely has packet signatures on IDS/IPS? Or packet shaping signatures on educational/ISP networks that might manage bandwidth but not content?
  • delete themselves (Score:2, Interesting)

    by Anonymous Coward
    There should be a way to reverse engineer the clients so that they can delete themselves, I'm not exactly a botnet admin, but they have file access from what I have learned. Should they not just be able to use a friendly botnet server to tell the computers to delete the client software?
    • by Soporific (595477)
      I believe you would be able to do that, however then you take on the liability of screwing up peoples machines even more or causing some other unforseen problem.

      ~S
    • And what if the zombie computer is running air traffic, or life support monitoring, or some other mission-critical task when the botnet hunter starts tampering with an already compromised system? Will he take responsibility when something lethal happens?
  • They are on the web (Score:5, Informative)

    by 9mm Censor (705379) * on Tuesday March 21, 2006 @03:18PM (#14966723) Homepage
    www.shadowserver.org/
  • by The_REAL_DZA (731082) on Tuesday March 21, 2006 @03:18PM (#14966731)
    "...Albright sent an e-mail to the FBI including all the evidence he collected about the attack..."
    Apparently, Mr. Albright doesn't frequent Slashdot [slashdot.org] or watch CNN...
  • Domain.. (Score:4, Insightful)

    by onion2k (203094) on Tuesday March 21, 2006 @03:19PM (#14966733) Homepage
    In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'

    Why don't the hunters register the domain for themselves? Or just ask the registrar controlling it to transfer it to their control? If the botnet owner tries to complain it's been hijacked he'd have to explain the botnet..
  • Great plot! (Score:5, Funny)

    by Rob T Firefly (844560) on Tuesday March 21, 2006 @03:20PM (#14966744) Homepage Journal
    This whole loose-knit bunch of humans doing their part against a force of cold, malignant bots has a great edge to it! Someone should make a movie or three [wikipedia.org] like this.
  • by Tackhead (54550) on Tuesday March 21, 2006 @03:24PM (#14966787)
    Be vewy vewy quiet! We're hunting botnets!

    Buggy bot: Would you like to shut us down now or wait 'till you get home?
    Daffy fuck: SHUT HIM DOWN NOW! SHUT HIM DOWN NOW!
    Buggy bot: You keep out of this. He doesn't have to shut you down now.
    Daffy fuck: He does SO have to shut me down now! I demand that you shut me down now. (Nyeah!)

    Spammer: daffy# shutdown -now
    Botnet: *reboots*

    Daffy fuck: Let's read those logs again.
    Buggy bot: Okay. bugbot: would you like to shut us down now or wait 'till you get home?
    Daffy fuck: daffy: shut him down now
    Buggy bot: bugbot: you keep out of this, he doesn't have to shut you down now
    Daffy fuck: Aha! Hold it right there. DNS cacne poisoning. It's not 'he doesn't have to shut you down now, it's he doesn't have to shut me down now.' Well, I say he does have to shut me down now! So shut me down now!

    Spammer: daffy# shutdown -now
    Botnet: *reboots*

  • Secure SMTP? (Score:4, Interesting)

    by RunFatBoy.net (960072) on Tuesday March 21, 2006 @03:27PM (#14966807)
    So many of these Botnets are used to send SPAM. I get a gut feeling that efforts would better be expended on getting widespread adoption of a more secure, universal SMTP protocol.

    -- Jim http://www.runfatboy.net/ [runfatboy.net]
    • That would help in detection, but what's to stop the bot from using the host-computer's credentials? Most machines are set up to send email already.
    • I get a gut feeling that efforts would better be expended on getting widespread adoption of a more secure, universal SMTP protocol.

      Damn, you better tell that idea to the IETF guys ASAP. I'm sure they've never thought of doing *that*!
  • "However, now I see how many malicious files tied to major botnets remain undetected" by the most popular anti-virus programs.

    Sounds like a golden opportunity for ingenious programmers to design something to seek out and destroy these botnets, and then sell it to Microsoft for a fortune.
    Another [eweek.com] botnet hunter article from eWeek.
  • by michaelhood (667393) on Tuesday March 21, 2006 @03:30PM (#14966837)
    FTA: "I know many users within my former organization who felt that anti-virus and spyware scanning would save them," Di Mino said. "However, now I see how many malicious files tied to major botnets remain undetected" by the most popular anti-virus programs.

    This, unfortunately, is the most common viewpoint from end-users and IT alike.

    It's unfortunate because it's so dangerously inaccurate. Lots (LOTS) of spyware is not detected by any of the mainstream detection applications. The best solution I've found is using HijackThis to manually remove suspicious entries, but this is hardly a feasible solution for the average user.
    • AFAIK, a program like TCPView [sysinternals.com] will show all incoming and outgoing connections to your windows box.

      I pop it up from time to time just to make sure nothing odd is going on.

      It's also handy because it allows you to close the connection any malicious program is making. Very very useful when the program is stealthed & won't show up in the task manager.
    • The best solution I've found is using HijackThis to manually remove suspicious entries, but this is hardly a feasible solution for the average user.

      This is part of the problem though. When someone finds an piece of malicious software they often fail to submit it the AV and anti spyware companies so definitions can be updated. I'm guilty of it myself in the past as well but we do need to be responsible community members.

    • by crabpeople (720852) on Tuesday March 21, 2006 @04:46PM (#14967434) Journal
      Ewido [ewido.net] and hijack this, when both run in safe mode (with networking so you can get updates), cleans them up once and for all. I have yet to encounter anything that persisted after these two steps were taken and an antivirus package was installed on the machine. Anything remaining after that point is probably a semi ligitimate (borderline adware) system service or some sort of hard to detect rootkit. At the risk of being flamed, i would recomend the Norton AV Corp 10x series from symantec. Its corportate so none of the gay activation or useless slow features and in this release they have started to detect certain spyware as viruses. Most people are turned off of symantec for there absolutely garbage horid products such as NIS. Symantec is a big company and their corporate shit has been for the most part reliable.

      The most important thing is to do all this in safe mode. Most people dont even do that so what can you do?

      • Symantec is a big company and their corporate shit has been for the most part reliable.

        I haven't use SAV10 but SAV9 was pure, unadulterated garbage. Whether managed or no, clients would stop getting updates and never start again until the client is uninstalled and reinstalled. This went both for program updates and virus definitions. It's also the second-slowest virus scanner in common use (behind Kaspersky Labs' AVP[oo].

        You can recommend anything you like, and I won't even flame you, but SAV is cr


      • ...none of the gay activation...

        I'm not homosexual or bisexual, but I question your use of the word, "gay" as a negative adjective in this context. There are more descriptive words that can communicate your intended meaning much more effectively.
  • by laursen (36210) <laursen&netgroup,dk> on Tuesday March 21, 2006 @03:35PM (#14966883) Homepage
    Why not simply convince the ISP's to block infected machines from accessing the internet to start with? They [the ISP's] can probably easy spot botnet traffic and could seriously stop botnets.

    Just my 2 cents.
    • By mac address? Then just infect future systems with software which will try multiple mac addresses as well to get around the blocks.
    • Yes. Some ISPs do just that. SBC blocks outbound port 25 used to send spam. If you run your own sendmail, you can request it be unblocked.

      This reduces the attractiveness of SBC machines to host bots. But SBC cannot block ports like 80 (HTTP), so SBCbots can still be used for DDoS.

  • Like lost sheep without a shepherd, the drones will continually try to reconnect...
    Sounds like my sister when her cell phone cuts out.
  • by gatkinso (15975) on Tuesday March 21, 2006 @03:39PM (#14966914)
    Only a partial solution (not even really a solution), but many of the hijacked PC's are left on all night to spew their viagra spam to the net or take part in DOS attacks (or whetever the hell they do).

    So... turn your computer off when you are not using it.

    Hell you will even same some electricity while you are at it.

    Seems like taking 8 or 9 hours out of the day for the bot to actually operate will atleast decrease some of the traffic these bots are generating.

    The practice people have developed of leaving their computers on 24/7 should stop... unless of course the computer is doing something more productive than generating elaborate mazes of 3 dimensional plumbing schemes.
    • The practice people have developed of leaving their computers on 24/7 should stop

      I don't know about anyone else, but 100% of the hardware failures I have had have been during a cold reboot. Keeping your hardware warm keeps it alive longer.

    • There is a valid reason to keep your computer on continuously. And that is because of thermal expansion. Since the circuitry in a motherboard is rather small, and the same holds true for the CPU and motherboard, then the repeated heating and cooling fo these components may make them brittle and more prone to failure.

      And, well, think of the CPU time wasted by not downloading from bittorrent and emule (or SETI/Folding@home for the more noble ones out there).
      • Well, I have a Celeron 400 downstairs that I have had since 1997. It gets cycled every day. It runs like a clock.

        Stories aside, your reason has been proven to be BS in many forums.
  • by smooth wombat (796938) on Tuesday March 21, 2006 @03:39PM (#14966916) Homepage Journal
    I don't normally check the Washington Post site but after reading the article I went to main page to see what was there. Near the bottom of the page, in a section called Security Fix, Brain Kregs had posted a story on March 9th titled 'Shadowboxing with a Bot Herder' wherein he talks about his conversation with a botnet owner called Witlog.

    Besides the usual info about how many pcs he had infected (30,000 by his count), how he had done it (found software on a site) there was this bit at the end of the article from Symantec:

    According to stats released this week by computer security giant Symantec Corp., the most common computer operating system found in botnets is Microsoft's Windows 2000, an OS predominantly used in business environments. Indeed, the vast majority of bots in Witlog's network were Win2K machines, and among the bots I saw were at least 40 computers owned by the Texas state government, as well as several systems on foreign government networks. At least one machine that he showed me from his botnet was located inside of a major U.S. defense contractor.

    The permanent linnk for the article can be found here [washingtonpost.com].

  • Let me get this straight. Summing up TFA, he found evidence of the bots, even saw persanal medical info, and turned it into the authorities WITHOUT any suspicion cast his way????

    If I would have done such a good deed (and it was a good deed in my book), I'd have probably been hauled off for questioning. That's the fear as to why I don't "get involved" trying to stop these jerks myself.

  • by Otto (17870) on Tuesday March 21, 2006 @03:46PM (#14966973) Homepage Journal
    First, if you can access the botnet to the degree at which this guy claims to be able to do, then you can take control of it. And with any decent botnet, you can make the things run arbitrary code. With only minor analysis of the bot, you could make the entire network self-destruct without too much difficulty. Have it kill it's own startup on reboot sequence, then have it create a new RunOnce to delete it's own executable on reboot. Then shut down or force a reboot or just pop a message up on the screen telling the user he's been infected. As soon as somebody notices they'll likely reboot and possibly install updates and patches to their bloody machine.

    This is less risky than the obvious angle of simply patching the box so it can't get infected, because you know that the bot is not supposed to be running on the machine in the first place. Patching the box might go bad or have other unknown consequences, but having the bot kill itself is not nearly as bad. And by possibly informing the user of the facts, you can still scare them into patching their box. Screw shutting down the botnet owner's connection, shut down the botnet itself. Take away their tool in one swift stroke. Make 'em have to build a new one, hopefully from a whole new set of boxes.
    • by mabu (178417)
      Vigilantism is still against the law in this case. Computer tampering is computer tampering.

      The solution to this problem is to put a few of these guys in jail. The solution is for the feds to get off their goddam lazy asses and prosecute these people. You don't poke around in someone's compromised computer, for good or evil.

      What these people are doing is against the law and it has always been against the law. The problem we have is that the law enforcement authorities seem more obsessed with Tommy Cheec
      • Except that, as was mentioned in the article, the people running these botnets are sitting in countries like Taiwan and Morocco, which have even weaker computer crime laws than the U.S., and require international law enforcement co-operation to attack. The practical barrier to prosecution is simply too high for a crime who's priority is too low.
    • And with any decent botnet, you can make the things run arbitrary code.

      Speaking as an Evil Genius [sjgames.com] with standards [eviloverlord.com], and one who's read the Warhol Worm [icir.org] paper, I'd say any "decent" botnet doesn't take orders from just any old Bill, Fred, or Otto who wanders by waving an executable at it. A "decent" bot wouldn't run code handed to it unless the executable was cryptographically signed with a private key matching the public key it knows belongs to its One True Beloved Master.

      So, all of your plans should work j

      • A "decent" bot wouldn't run code handed to it unless the executable was cryptographically signed with a private key matching the public key it knows belongs to its One True Beloved Master.

        No, that would be a "well-designed" bot. Most botnets are being controlled by script-kiddies running code that they didn't write or possibly even read. Half of them wouldn't be able to pronounce "cryptography", much less use it.
        • Most botnets are being controlled by script-kiddies running code that they didn't write or possibly even read.

          Formerly accurate; however, the trend has been increasingly that the botnets are run by professional criminals of increasing sophistication intent on extortion, spamming, and other lucrative criminal capers.

  • by kilodelta (843627) on Tuesday March 21, 2006 @03:51PM (#14967009) Homepage
    The FBI wants there to be a minimum of $20,000 of verifiable loss before they'll even send an agent out.

    I know this from having been an I.T. guy for a state prosecutors office. We had to do everything ourselves and did we ever.
  • So in a way, these guys are the Buffy (Season One) to the Botnet's Master? They "slay" the host machine, the source of the trouble, but all the undead zombies are left lurching and crippled, waiting for someone else to lead them, who of course, eventually shows up. ... so, can someone hook me up with the main Shadowserver girl?
  • by Anonymous Coward
    I used to do that back in the day.

    1> Search for EXE's off the latest P2P network or skulk around in some IRC channel until a some chap offers it to you.

    2> Take apart that self-extracting zip and look through the mirc script.

    3> Work out where they're sending there zombies. Masquerade as a bot for a bit.

    4> Figure out a way to issue commands to the bots if possible.

    5> Figure out a generic command to issue that stops the bodged mirc from launching or removes it outright.

    6> Send it and laugh l
    • Yeah, you're a step or two behind in the arms race now. Most of the botkits send encrypted, self decoding binaries that make them a bit harder to reverse engineer. They also, occasionally cull the herd by doing things like sending updates, then quickly running a check and booting anyone who does not respond correctly, or update control channels twice in rapid succession. You have to a little better at reverse engineering. Given the right tools, however, I know at least one person who can turn around the

  • Sad...but true. (Score:2, Interesting)

    "Anything you submit to law enforcement may help later if an investigation occurs," he said. "Chances are, though, it will just be filed away in a database."

    I'm forced to wonder here. Why exactly won't Law Enforcement take care of a case that they're handed? I mean, last time I checked, someone handing you your entire case takes no effort whatsoever to investigate. If you take down some of these botmasters, you may see alot of people start backing off as they'll realise that people committing the crime

    • Re:Sad...but true. (Score:3, Insightful)

      by CagedBear (902435)
      They said it in the article. Data handed to the fuzz by a civilian isn't admissible before a judge. They can only use the information to aid in launching their own investigation, which of course requires resources.
  • Wasn't this an episode of Stargate: SG-1?
  • by Quantam (870027) on Tuesday March 21, 2006 @04:11PM (#14967165) Homepage
    A few months ago, Taylor became obsessed with tracking a rather unusual botnet consisting of computers running Mac OS X and Linux operating systems.

    As that means that there a large numbers of breachable OS X and Linux machines out there, that pretty much puts to death the myth that OS X and Linux are sufficiently secure out of the box.
    • I don't think many people make the claim that "Unix" and OSX are _sufficiently_ secure out of the box, though that may be the perception. Security is always _comparitive_; OSX is more secure than XP out of the box. Also, saying "Unix" doesn't mean much unless we are talking about a particular distribution of Linux or a particular variety of UNIX (BSDs, HP, Sun). In both cases, the out-of-the-box security varies vastly from distribution to distribution.
    • This has nothing to do with how secure the underlying OS is. These botnets aren't created by system vulnerabilities. They are created by users who execute untrustworthy code.

      • Well, actually, botnets ARE sometimes created through worms that exploit insecurities in the host OS. It's just that it's more commonly done the other way, and we have no way of knowing how these particular systems were exploited at the moment.
    • Not Probable (Score:3, Interesting)

      I call Bull Puckies. What botnet? Why haven't we heard of it? You think the currently anti-Mac press would pass up a chance to herald OS X botnets as a failure of OS X security? Or even Linux? ZDnet New Zealand would personally wet themselves over this story. I think it's part of their reason for being to blast Apple every chance they can get. And yet we hear nothing.

      I took the liberty to scan through www.shadowserver.org's RSS feeds for any news on OS X botnets and all I could find were mentions of the sa
  • At what cost? (Score:2, Insightful)

    by trazom28 (134909)
    From TFA...

    "Now 27, Albright supports his wife and two children..."

    " "I take my [handheld computer] everywhere so I can keep tabs on the botnets when I'm not at home," Albright said in a recent online chat with a washingtonpost.com reporter. "I spend at least 16 hours a day monitoring and updating." "

    Anyone else consider this sad? He's putting so much of himself into the work.. when does he have time to be just "dad" ? If the start of all this was his father's suicide.. maybe he could use a few sessions t
  • So why don't ISPs simply write software to allow them to detect and automatically disconnect BOTs?

    Come on here. BOTs harm their systems, and they ought to be willing to put in the time to shut them off.

    Then the end user of a BOT calls up, and the ISP say's "Reformat and reinstall your OS with appropriate anti-baddy software or we won't let you use our ISP.

    Yeah, I know, they want the fees, but they don't want the extra bandwidth use nor the problems, and if the major ISPs blacklist BOTs, how long before we
    • by 99BottlesOfBeerInMyF (813746) on Tuesday March 21, 2006 @05:06PM (#14967624)

      So why don't ISPs simply write software to allow them to detect and automatically disconnect BOTs?

      Most major ISPs have software that can pretty much do that. I'm looking at some of it right now in another tab of my browser. The problems are operationalizing it so that it is not too expensive. The support costs for a couple hundred thousand calls asking why they've been shut off and how to go about fixing it and then confirming that it has been done would be very high. Maybe some big players could partner with another company. Get your PC cleaned, patched, and certified and we'll turn your internet back on. The problem with this is there are still a lot of old Windows boxes out there. No security patches are available. A new Windows OS is expensive and won't run on the machine anyway. So the ISP might save a little on transit, but they lose a boatload of customers and the steady revenue those customers provide.

      Now some ISPs have plans to implement a notification of compromised machines with an automated system. It may help the problem and the ISP can bill it as a feature. But that is just one more escalation in the arms race. Next bots will be stealthy, mimicking other machines on the subnet, or just sending encrypted tunnels. Anyway, the short answer to your question is "money."

  • by JustNiz (692889) on Tuesday March 21, 2006 @05:17PM (#14967716)
    There needs to be more accountability/traceability in order to register a domain. You should have to prove ID etc. so that if your domain is clearly a botmaster then the authorities can find you in person easily and nail your ass.
  • Relevant Article (Score:2, Interesting)

    by glas_gow (961896)
    This article has a nice example of how a Russian botnet was hunted: http://www.newyorker.com/fact/content/articles/051 010fa_fact [newyorker.com] A few weeks later, on a Saturday in March, Ivan slipped up: he logged in to the chat room without disguising his home Internet address. The same day, Turner happened to be online, and decided to look up eXe's registration information. To his astonishment, he found what appeared to be a real name, address, and phone number: Ivan Maksakov, of Saratov, Russia. Lyon dashed off an e
  • by app13b0y (767720) on Wednesday March 22, 2006 @01:00AM (#14969841)
    I've been working with the shadowserver group for a while now and can say that it has been very interesting. to give some facts on the project

    SS == shadowserver

    * SS rarely shuts down botnets asap, but rather waits to see if they can figure out who the owner is, and several arrests have been made because of this.

    * there has been talk on what is going to happen when the botnets switch to a different method other than irc. for more information, search for the botnet mailing list hosted by whitestar

    * most of the trojans are found by running nepenthes

    * SS has a HUGE repository of botnet scripts and C&C information.

    * SS could always use more contacts with ISPs, domain registrars, and foreign LEAs. (we're in #shadowserver on freenode)

    * botnets aren't the only thing we've been tracking (you'll see what I'm talking about in the news later)

"The way of the world is to praise dead saints and prosecute live ones." -- Nathaniel Howe

Working...