Meet the Botnet Hunters

An anonymous reader writes "The Washington Post is running a pretty decent story about 'Shadowserver,' one of a growing number of volunteer groups dedicated to infiltrating and disabling botnets. The story covers not only how these guys do their work but the pitfalls of bothunting as well. From the article: 'Even after the Shadowserver crew has convinced an ISP to shut down a botmaster's command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'"

Botnet Hunters!

[blinkless]

We don't need their scum.

Hmmmm

[Anonymous Coward]

Those first two paragraphs sound like a movie pitch. A wierd movie pitch...

Bitter irony, Slashdot is thy home (or hangout...)

[The_REAL_DZA]

"...Albright sent an e-mail to the FBI including all the evidence he collected about the attack..."

Apparently, Mr. Albright doesn't frequent Slashdot [slashdot.org] or watch CNN...

Great plot!

[Rob T Firefly]

This whole loose-knit bunch of humans doing their part against a force of cold, malignant bots has a great edge to it! Someone should make a movie or three [wikipedia.org] like this.

Oh, I don't know...

[Channard]

.. with all this mention of 'The Botmaster' it sounds more like a cue for a gay porn movie with a Neuromancer style theme.

Be vewy vewy quiet...

[Tackhead]

Be vewy vewy quiet! We're hunting botnets!

Buggy bot: Would you like to shut us down now or wait 'till you get home?
Daffy fuck: SHUT HIM DOWN NOW! SHUT HIM DOWN NOW!
Buggy bot: You keep out of this. He doesn't have to shut you down now.
Daffy fuck: He does SO have to shut me down now! I demand that you shut me down now. (Nyeah!)

Spammer: daffy# shutdown -now
Botnet: *reboots*

Daffy fuck: Let's read those logs again.
Buggy bot: Okay. bugbot: would you like to shut us down now or wait 'till you get home?
Daffy fuck: daffy: shut him down now
Buggy bot: bugbot: you keep out of this, he doesn't have to shut you down now
Daffy fuck: Aha! Hold it right there. DNS cacne poisoning. It's not 'he doesn't have to shut you down now, it's he doesn't have to shut me down now.' Well, I say he does have to shut me down now! So shut me down now!

Spammer: daffy# shutdown -now
Botnet: *reboots*

Re:Danger, Will Robinson

[Tweekster]

oh no a pimply faced "mobster" might come after you.... give me a break

Hey, I've seen that mentality before!

[eldavojohn]

Like lost sheep without a shepherd, the drones will continually try to reconnect...

Sounds like my sister when her cell phone cuts out.

An analogy..

[mattpointblank]

So in a way, these guys are the Buffy (Season One) to the Botnet's Master? They "slay" the host machine, the source of the trouble, but all the undead zombies are left lurching and crippled, waiting for someone else to lead them, who of course, eventually shows up. ... so, can someone hook me up with the main Shadowserver girl?

Great fun for geek kids!

[Anonymous Coward]

I used to do that back in the day.

1> Search for EXE's off the latest P2P network or skulk around in some IRC channel until a some chap offers it to you.

2> Take apart that self-extracting zip and look through the mirc script.

3> Work out where they're sending there zombies. Masquerade as a bot for a bit.

4> Figure out a way to issue commands to the bots if possible.

5> Figure out a generic command to issue that stops the bodged mirc from launching or removes it outright.

6> Send it and laugh like a crazy fool at those 74M3RZ as they curse you and you're silly bot killing ways.

Ahh, the folly of youth.