Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Polls on the front page of Slashdot? Is the world coming to an end?! Nope; read more about it. ×

Meet the Botnet Hunters 194

Posted by ScuttleMonkey
from the volunteer-fun dept.
An anonymous reader writes "The Washington Post is running a pretty decent story about 'Shadowserver,' one of a growing number of volunteer groups dedicated to infiltrating and disabling botnets. The story covers not only how these guys do their work but the pitfalls of bothunting as well. From the article: 'Even after the Shadowserver crew has convinced an ISP to shut down a botmaster's command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'"
This discussion has been archived. No new comments can be posted.

Meet the Botnet Hunters

Comments Filter:
  • info on botnets (Score:5, Informative)

    by flynt (248848) on Tuesday March 21, 2006 @04:14PM (#14966693)
    Is there a central location that tracks the current largest botnets, what their purpose is, their communication mechanisms, etc? I googled and couldn't find much.
  • They are on the web (Score:5, Informative)

    by 9mm Censor (705379) * on Tuesday March 21, 2006 @04:18PM (#14966723) Homepage
    www.shadowserver.org/
  • by smooth wombat (796938) on Tuesday March 21, 2006 @04:39PM (#14966916) Homepage Journal
    I don't normally check the Washington Post site but after reading the article I went to main page to see what was there. Near the bottom of the page, in a section called Security Fix, Brain Kregs had posted a story on March 9th titled 'Shadowboxing with a Bot Herder' wherein he talks about his conversation with a botnet owner called Witlog.

    Besides the usual info about how many pcs he had infected (30,000 by his count), how he had done it (found software on a site) there was this bit at the end of the article from Symantec:

    According to stats released this week by computer security giant Symantec Corp., the most common computer operating system found in botnets is Microsoft's Windows 2000, an OS predominantly used in business environments. Indeed, the vast majority of bots in Witlog's network were Win2K machines, and among the bots I saw were at least 40 computers owned by the Texas state government, as well as several systems on foreign government networks. At least one machine that he showed me from his botnet was located inside of a major U.S. defense contractor.

    The permanent linnk for the article can be found here [washingtonpost.com].

  • Re:Interesting Deal (Score:2, Informative)

    by Arkan (24212) on Tuesday March 21, 2006 @04:41PM (#14966941)
    Would you have RTFineA, you'd have noted the following:

    "A few months ago, Taylor became obsessed with tracking a rather unusual botnet consisting of computers running Mac OS X and Linux operating systems."

    I bet that your plan for security through statistics isn't looking good.

    The final and ultimate answer to bots, spyware and such is knowledgeable users. I've been called an extremist when advocating a few years ago for a mandatory licence to get the right to connect a home PC to Internet, and I still think that it should be implemented: given the pile of cash those frickin' viruses and worms cost us, it should no longer look like a stupid idea pretty soon.

    --
    Arkan
  • by Zak3056 (69287) on Tuesday March 21, 2006 @04:45PM (#14966970) Journal
    Nice until they run into a mobster-botmaster with a gun.
    This is a task for the government, not for pimpled nerds.


    Someone needs to be doing it, and the story indicates that government just isn't interested in this--and even if they are, they can't seem to successfully prosecute. The end of the article really jumped out at me:

    "Our data can't be used to gather a warrant," Albright said. "Law enforcement has to view the traffic first hand, and they are limited on what and when they can view."


    How can there be any legal barriers here? Is this supposed to be some twisted view of the 4th amendment?

  • by kilodelta (843627) on Tuesday March 21, 2006 @04:51PM (#14967009) Homepage
    The FBI wants there to be a minimum of $20,000 of verifiable loss before they'll even send an agent out.

    I know this from having been an I.T. guy for a state prosecutors office. We had to do everything ourselves and did we ever.
  • Re:delete themselves (Score:2, Informative)

    by Furp (935063) on Tuesday March 21, 2006 @04:58PM (#14967060)
    When you issue a command or code to cause a botnet to self destruct, you are crossing the line from greyhat hacking to blackhat hacking. You're no longer a witness. Which also makes you liable under whatever laws exist in your country of residence for hacking. Because you're gaining illicit access to their computers (the infected botnet) And accessing data (causing the botnet to self destruct)

    Which is why if you're going to do botnet hunting you either get to ally yourself with law enforcement and contact the ISPs, or kill the botnets. Personally I would prefer the safer of the two.
  • by diegocgteleline.es (653730) on Tuesday March 21, 2006 @05:02PM (#14967095)
    why can't they take control of the computers, tell them to pop up a "you've been infected, moron" window and format themselves?

    Those bots "patch" the backdoors so nobody else can get in through the hole
  • by crabpeople (720852) on Tuesday March 21, 2006 @05:46PM (#14967434) Journal
    Ewido [ewido.net] and hijack this, when both run in safe mode (with networking so you can get updates), cleans them up once and for all. I have yet to encounter anything that persisted after these two steps were taken and an antivirus package was installed on the machine. Anything remaining after that point is probably a semi ligitimate (borderline adware) system service or some sort of hard to detect rootkit. At the risk of being flamed, i would recomend the Norton AV Corp 10x series from symantec. Its corportate so none of the gay activation or useless slow features and in this release they have started to detect certain spyware as viruses. Most people are turned off of symantec for there absolutely garbage horid products such as NIS. Symantec is a big company and their corporate shit has been for the most part reliable.

    The most important thing is to do all this in safe mode. Most people dont even do that so what can you do?

  • Re:info on botnets (Score:2, Informative)

    by Anonymous Coward on Tuesday March 21, 2006 @05:49PM (#14967466)
    Shadowserver have started something [shadowserver.org] akin to what you're looking for.
  • by 99BottlesOfBeerInMyF (813746) on Tuesday March 21, 2006 @06:06PM (#14967624)

    So why don't ISPs simply write software to allow them to detect and automatically disconnect BOTs?

    Most major ISPs have software that can pretty much do that. I'm looking at some of it right now in another tab of my browser. The problems are operationalizing it so that it is not too expensive. The support costs for a couple hundred thousand calls asking why they've been shut off and how to go about fixing it and then confirming that it has been done would be very high. Maybe some big players could partner with another company. Get your PC cleaned, patched, and certified and we'll turn your internet back on. The problem with this is there are still a lot of old Windows boxes out there. No security patches are available. A new Windows OS is expensive and won't run on the machine anyway. So the ISP might save a little on transit, but they lose a boatload of customers and the steady revenue those customers provide.

    Now some ISPs have plans to implement a notification of compromised machines with an automated system. It may help the problem and the ISP can bill it as a feature. But that is just one more escalation in the arms race. Next bots will be stealthy, mimicking other machines on the subnet, or just sending encrypted tunnels. Anyway, the short answer to your question is "money."

  • by rob_squared (821479) <rob@@@rob-squared...com> on Tuesday March 21, 2006 @06:51PM (#14967950)
    There is a valid reason to keep your computer on continuously. And that is because of thermal expansion. Since the circuitry in a motherboard is rather small, and the same holds true for the CPU and motherboard, then the repeated heating and cooling fo these components may make them brittle and more prone to failure.

    And, well, think of the CPU time wasted by not downloading from bittorrent and emule (or SETI/Folding@home for the more noble ones out there).
  • Re:Interesting Deal (Score:2, Informative)

    by Dimensio (311070) <darkstar@iglo[ ]om ['u.c' in gap]> on Tuesday March 21, 2006 @06:57PM (#14968001)
    Shell scripts that contain previously unknown root exploits?

    Actually, most of the attachments are Windows executables without any "exploits". They take advantage of the fact that quite a few idiots run as Administrator all the time.

Never let someone who says it cannot be done interrupt the person who is doing it.

Working...