Meet the Botnet Hunters 194
An anonymous reader writes "The Washington Post is running a pretty decent story about 'Shadowserver,' one of a growing number of volunteer groups dedicated to infiltrating and disabling botnets. The story covers not only how these guys do their work but the pitfalls of bothunting as well. From the article: 'Even after the Shadowserver crew has convinced an ISP to shut down a botmaster's command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'"
Re:delete themselves (Score:3, Insightful)
~S
Domain.. (Score:4, Insightful)
Why don't the hunters register the domain for themselves? Or just ask the registrar controlling it to transfer it to their control? If the botnet owner tries to complain it's been hijacked he'd have to explain the botnet..
Re:Botmasters will switch to distributed C&C (Score:4, Insightful)
Or are the backdoors they are using more sophisticated than that?
Spyware Scanners Don't Work (Score:4, Insightful)
This, unfortunately, is the most common viewpoint from end-users and IT alike.
It's unfortunate because it's so dangerously inaccurate. Lots (LOTS) of spyware is not detected by any of the mainstream detection applications. The best solution I've found is using HijackThis to manually remove suspicious entries, but this is hardly a feasible solution for the average user.
A different approach (Score:3, Insightful)
Just my 2 cents.
Turn your computer off (Score:4, Insightful)
So... turn your computer off when you are not using it.
Hell you will even same some electricity while you are at it.
Seems like taking 8 or 9 hours out of the day for the bot to actually operate will atleast decrease some of the traffic these bots are generating.
The practice people have developed of leaving their computers on 24/7 should stop... unless of course the computer is doing something more productive than generating elaborate mazes of 3 dimensional plumbing schemes.
And he didn't get a visit? (Score:2, Insightful)
If I would have done such a good deed (and it was a good deed in my book), I'd have probably been hauled off for questioning. That's the fear as to why I don't "get involved" trying to stop these jerks myself.
Better ways to stop them... (Score:5, Insightful)
This is less risky than the obvious angle of simply patching the box so it can't get infected, because you know that the bot is not supposed to be running on the machine in the first place. Patching the box might go bad or have other unknown consequences, but having the bot kill itself is not nearly as bad. And by possibly informing the user of the facts, you can still scare them into patching their box. Screw shutting down the botnet owner's connection, shut down the botnet itself. Take away their tool in one swift stroke. Make 'em have to build a new one, hopefully from a whole new set of boxes.
Re:Botmasters will switch to distributed C&C (Score:4, Insightful)
Now on another note, If we did allow these people to do as you say and included the "i'm doing good not evil" as an excuse, how many real attackers can use that as thier claim to inocence when they do eventualy get busted? I mean if I can avoid prosecution for poping up a windows that says your infected, I could end all my botnet attacks that way and make the window apear to be a standard popup from spyware that also effecting the computer.
I don't see why the law isn't going after these bot net people like they would if I broke into some companies mainframe and used thier computers to compile code. Maybe instead of having the ISP turn the domain off, they should alert the proper athorities (in each country involved) and see if they can get enough information to make an example of them. I doubt it would take mor ethen a couple dozen prosecutions with maximum penalties to discourage the vast majority of these net operaters form trying it in the first place.
Re:A different approach (Score:1, Insightful)
Re:Botmasters will switch to distributed C&C (Score:3, Insightful)
So, here's a clue: Don't tell anybody you did it.
I mean, really. Make a popup or something that says you've been infected to the users, or better yet, just have the bot kill itself quietly and not do anything else. No need for it to be damaging, it's enough to have the bot just stop running and kill it's own restart sequence. Voila, instant botnet death.
Hell, maybe it's a normally available patch that just hasn't been applied, in which case opening Windows Update in a browser window might be enough to get the user to apply the patches, thinking that Windows did it itself, like it's actually prone to do sometimes.
I can think of dozens of ways to avoid prosecution. Hell, this guy has a hard enough time getting the botnet OWNER in trouble, injecting a few commands into the network that you know will do some good and not do any actual harm should be freakin' trivial.
The first rule of not getting in trouble is not getting caught.
Re:Botnet Hunters! (Score:2, Insightful)
At what cost? (Score:2, Insightful)
"Now 27, Albright supports his wife and two children..."
" "I take my [handheld computer] everywhere so I can keep tabs on the botnets when I'm not at home," Albright said in a recent online chat with a washingtonpost.com reporter. "I spend at least 16 hours a day monitoring and updating." "
Anyone else consider this sad? He's putting so much of himself into the work.. when does he have time to be just "dad" ? If the start of all this was his father's suicide.. maybe he could use a few sessions to deal with his anger, rather than what he is doing now. I don't think it's worth the price.. but then again, I'm a father who actually ENJOYS spending time with his kids.
Re:delete themselves (Score:2, Insightful)
Again, that's a lot of risk to be taking on. Because there *are* convictions for people running botnets, which means that there *are* governmental agencies monitoring some of them, trying to catch the ringleader(s).
Re:Sad...but true. (Score:3, Insightful)
Re:Danger, Will Robinson (Score:2, Insightful)
How can there be any legal barriers here? Is this supposed to be some twisted view of the 4th amendment?
--
What part of "shall not be infringed" is so hard to understand?
I think your sig says it all!
If people bitch when the NSA listens to calls from suspected terrorists, who are not in the US and not citizens, could you imagine the outcry if the gov't started sniffing packets? (OK, OK, I'm sure they already do... and people bitch about it.)
Not an Issue (Score:1, Insightful)
Based on the number of botnets and spams that doesn't seem to be an issue currently.
Re:Interesting Deal (Score:2, Insightful)
Rather than add another level of bureaucracy (who would be the licensing authority - your local geek?), why not take the real culprits to task? Would you blame the driver or the manufacturer if a car's wheel falls off due to bad design?