Meet the Botnet Hunters

An anonymous reader writes "The Washington Post is running a pretty decent story about 'Shadowserver,' one of a growing number of volunteer groups dedicated to infiltrating and disabling botnets. The story covers not only how these guys do their work but the pitfalls of bothunting as well. From the article: 'Even after the Shadowserver crew has convinced an ISP to shut down a botmaster's command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'"

Re:delete themselves

[Soporific]

I believe you would be able to do that, however then you take on the liability of screwing up peoples machines even more or causing some other unforseen problem.

~S

Domain..

[onion2k]

In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'

Why don't the hunters register the domain for themselves? Or just ask the registrar controlling it to transfer it to their control? If the botnet owner tries to complain it's been hijacked he'd have to explain the botnet..

Re:Botmasters will switch to distributed C&C

[toad3k]

What I don't understand, is if these guys can see every bot on the network, have an infected honey pot of their own, why can't they take control of the computers, tell them to pop up a "you've been infected, moron" window and format themselves? In the end it is probably better for the individual than allowing them to get keylogged etc.

Or are the backdoors they are using more sophisticated than that?

Spyware Scanners Don't Work

[michaelhood]

FTA: "I know many users within my former organization who felt that anti-virus and spyware scanning would save them," Di Mino said. "However, now I see how many malicious files tied to major botnets remain undetected" by the most popular anti-virus programs.

This, unfortunately, is the most common viewpoint from end-users and IT alike.

It's unfortunate because it's so dangerously inaccurate. Lots (LOTS) of spyware is not detected by any of the mainstream detection applications. The best solution I've found is using HijackThis to manually remove suspicious entries, but this is hardly a feasible solution for the average user.

A different approach

[laursen]

Why not simply convince the ISP's to block infected machines from accessing the internet to start with? They [the ISP's] can probably easy spot botnet traffic and could seriously stop botnets.

Just my 2 cents.

Turn your computer off

[gatkinso]

Only a partial solution (not even really a solution), but many of the hijacked PC's are left on all night to spew their viagra spam to the net or take part in DOS attacks (or whetever the hell they do).

So... turn your computer off when you are not using it.

Hell you will even same some electricity while you are at it.

Seems like taking 8 or 9 hours out of the day for the bot to actually operate will atleast decrease some of the traffic these bots are generating.

The practice people have developed of leaving their computers on 24/7 should stop... unless of course the computer is doing something more productive than generating elaborate mazes of 3 dimensional plumbing schemes.

And he didn't get a visit?

[SomeoneGotMyNick]

Let me get this straight. Summing up TFA, he found evidence of the bots, even saw persanal medical info, and turned it into the authorities WITHOUT any suspicion cast his way????

If I would have done such a good deed (and it was a good deed in my book), I'd have probably been hauled off for questioning. That's the fear as to why I don't "get involved" trying to stop these jerks myself.

Better ways to stop them...

[Otto]

First, if you can access the botnet to the degree at which this guy claims to be able to do, then you can take control of it. And with any decent botnet, you can make the things run arbitrary code. With only minor analysis of the bot, you could make the entire network self-destruct without too much difficulty. Have it kill it's own startup on reboot sequence, then have it create a new RunOnce to delete it's own executable on reboot. Then shut down or force a reboot or just pop a message up on the screen telling the user he's been infected. As soon as somebody notices they'll likely reboot and possibly install updates and patches to their bloody machine.

This is less risky than the obvious angle of simply patching the box so it can't get infected, because you know that the bot is not supposed to be running on the machine in the first place. Patching the box might go bad or have other unknown consequences, but having the bot kill itself is not nearly as bad. And by possibly informing the user of the facts, you can still scare them into patching their box. Screw shutting down the botnet owner's connection, shut down the botnet itself. Take away their tool in one swift stroke. Make 'em have to build a new one, hopefully from a whole new set of boxes.

Re:Botmasters will switch to distributed C&C

[sumdumass]

I would imagine fear of the law and getting suied or thrown in jail. Not to mention poping open a window might be as unoticed as the popup wanting to increase my member size. It would take some sort of government imunity to prosecution to aviod getting getting tangled in the same laws that make computer tresspass ilegal. Maybe some program that you can sighn up with and keep detailed logs or let them keep the logs.

Now on another note, If we did allow these people to do as you say and included the "i'm doing good not evil" as an excuse, how many real attackers can use that as thier claim to inocence when they do eventualy get busted? I mean if I can avoid prosecution for poping up a windows that says your infected, I could end all my botnet attacks that way and make the window apear to be a standard popup from spyware that also effecting the computer.

I don't see why the law isn't going after these bot net people like they would if I broke into some companies mainframe and used thier computers to compile code. Maybe instead of having the ISP turn the domain off, they should alert the proper athorities (in each country involved) and see if they can get enough information to make an example of them. I doubt it would take mor ethen a couple dozen prosecutions with maximum penalties to discourage the vast majority of these net operaters form trying it in the first place.

Re:A different approach

[Anonymous Coward]

Why not simply convince the ISP's to block infected machines from accessing the internet to start with?

'Cause they are too busy throttling that nasty VoIP traffic that might compete with their "business partner", the local telco.

Re:Botmasters will switch to distributed C&C

[Otto]

I would imagine fear of the law and getting suied or thrown in jail.

So, here's a clue: Don't tell anybody you did it.

I mean, really. Make a popup or something that says you've been infected to the users, or better yet, just have the bot kill itself quietly and not do anything else. No need for it to be damaging, it's enough to have the bot just stop running and kill it's own restart sequence. Voila, instant botnet death.

Hell, maybe it's a normally available patch that just hasn't been applied, in which case opening Windows Update in a browser window might be enough to get the user to apply the patches, thinking that Windows did it itself, like it's actually prone to do sometimes.

I can think of dozens of ways to avoid prosecution. Hell, this guy has a hard enough time getting the botnet OWNER in trouble, injecting a few commands into the network that you know will do some good and not do any actual harm should be freakin' trivial.

The first rule of not getting in trouble is not getting caught.

Re:Botnet Hunters!

[Anonymous Coward]

I think I'd have them swarm karma whores who respond to unrelated first posts so they can get their "insight" near the top of the page.

At what cost?

[trazom28]

From TFA...

"Now 27, Albright supports his wife and two children..."

" "I take my [handheld computer] everywhere so I can keep tabs on the botnets when I'm not at home," Albright said in a recent online chat with a washingtonpost.com reporter. "I spend at least 16 hours a day monitoring and updating." "

Anyone else consider this sad? He's putting so much of himself into the work.. when does he have time to be just "dad" ? If the start of all this was his father's suicide.. maybe he could use a few sessions to deal with his anger, rather than what he is doing now. I don't think it's worth the price.. but then again, I'm a father who actually ENJOYS spending time with his kids.

Re:delete themselves

[Furp]

Unless the FBI or some other TLA is involved (Either from the USA or other countries), and are already monitoring the botnet and gathering evidence for prosecution? Quite honestly, issuing a command like self destruction would seem like the criminal is ditching and running, and they would have your IP address at that point...

Again, that's a lot of risk to be taking on. Because there *are* convictions for people running botnets, which means that there *are* governmental agencies monitoring some of them, trying to catch the ringleader(s).

Re:Sad...but true.

[CagedBear]

They said it in the article. Data handed to the fuzz by a civilian isn't admissible before a judge. They can only use the information to aid in launching their own investigation, which of course requires resources.

Re:Danger, Will Robinson

[ArcherB]

"Our data can't be used to gather a warrant," Albright said. "Law enforcement has to view the traffic first hand, and they are limited on what and when they can view."

How can there be any legal barriers here? Is this supposed to be some twisted view of the 4th amendment?
--
What part of "shall not be infringed" is so hard to understand?


I think your sig says it all!

If people bitch when the NSA listens to calls from suspected terrorists, who are not in the US and not citizens, could you imagine the outcry if the gov't started sniffing packets? (OK, OK, I'm sure they already do... and people bitch about it.)

Not an Issue

[Anonymous Coward]

"I would imagine fear of the law and getting suied or thrown in jail."

Based on the number of botnets and spams that doesn't seem to be an issue currently.

Re:Interesting Deal

[OldeTimeGeek]

Why is it the users' fault? Computers are vulnerable to attack because almost all of the security measures that have been added to consumer-grade operating systems have been added as an afterthought. Why should users be trained to react to something that shouldn't be there in the first place?

Rather than add another level of bureaucracy (who would be the licensing authority - your local geek?), why not take the real culprits to task? Would you blame the driver or the manufacturer if a car's wheel falls off due to bad design?