Meet the Botnet Hunters 194
An anonymous reader writes "The Washington Post is running a pretty decent story about 'Shadowserver,' one of a growing number of volunteer groups dedicated to infiltrating and disabling botnets. The story covers not only how these guys do their work but the pitfalls of bothunting as well. From the article: 'Even after the Shadowserver crew has convinced an ISP to shut down a botmaster's command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'"
Botmasters will switch to distributed C&C (Score:5, Interesting)
This is required for other reasons: if you have more than 10K or so bots, you are better off with a distributed mechanism.
Interestingly enough, most of the botmasters are not so technical - they wouldn't be able to comprehend virtual synchrony if it smacked them in the face.
delete themselves (Score:2, Interesting)
Drones (Score:1, Interesting)
Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists.
Since we're discussing drones, wouldn't a more appropriate analogy have been "like lost bees without a queen"?
Secure SMTP? (Score:4, Interesting)
-- Jim http://www.runfatboy.net/ [runfatboy.net]
Sad...but true. (Score:2, Interesting)
Then again, this is the US Government we're talking about here.
I've done something similar (Score:5, Interesting)
They're getting more complex these days, but the same principles still apply. Once you get one on your system, it's a simple matter to analyze it and use it to take control off, and destroy, the rest of them.
Unusual, but Not Impossible (Score:4, Interesting)
As that means that there a large numbers of breachable OS X and Linux machines out there, that pretty much puts to death the myth that OS X and Linux are sufficiently secure out of the box.
How to fix this easily (Score:3, Interesting)
Re:Botmasters will switch to distributed C&C (Score:3, Interesting)
From what I've seen of the chat logs of these botnet operators (interviews, news articles, etc.) they typically don't speak English-as-a-first-language, which implies they're operating outside of the USA.
Many of these operators work out of countries that have police who can barely keep up with the local street crime. Their police certainly don't have time to worry about some rich guy's PC in the USA. And given the current state of dislike for the U.S. that's found across the world, it's possible the local police would refuse to cooperate with an American investigation.
And if they do say they'll cooperate, chances are not bad that if one of these officers was tasked with busting someone running a botnet from a cafe, they'd say "I hear you're hacking PCs in the USA and made $10,000. For $5,000 I'll let you know if Interpol starts asking about you."
Re:I've done something similar (Score:4, Interesting)
Others are using a "cellular" or P2P model -- instead of a central IRC-style server, the bots are chatting only with the PC that infected them. It makes rolling up a botnet and tracking it back to "node zero" very difficult.
The nice thing about the botnets (from the operators perspective) is the ease with which he can roll out updated software. Shadowcrew getting too close? New code time!
Relevant Article (Score:2, Interesting)
from one who works with shadowserver (Score:3, Interesting)
SS == shadowserver
* SS rarely shuts down botnets asap, but rather waits to see if they can figure out who the owner is, and several arrests have been made because of this.
* there has been talk on what is going to happen when the botnets switch to a different method other than irc. for more information, search for the botnet mailing list hosted by whitestar
* most of the trojans are found by running nepenthes
* SS has a HUGE repository of botnet scripts and C&C information.
* SS could always use more contacts with ISPs, domain registrars, and foreign LEAs. (we're in #shadowserver on freenode)
* botnets aren't the only thing we've been tracking (you'll see what I'm talking about in the news later)
Not Probable (Score:3, Interesting)
I took the liberty to scan through www.shadowserver.org's RSS feeds for any news on OS X botnets and all I could find were mentions of the same security vulnerabilities we heard about all through February. Now, I'm not registered with that site so I couldn't use their site search, but I'm fairly certain I won't find anything there. A botnet running on compromised OS X machines would be too juicy for sites like C|Net and ZDnet to pass up.
I don't want to come across as an Apple apologist. Heck, I was so alarmed by the Safari zip file vulnerability that I dedicated a web site [cootey.com] to exploring it. But this casual mention of botnets on Linux and Mac OS X just doesn't add up.
Don't kid yourself. Security needs some paranoia! (Score:3, Interesting)
This blog post [blogspot.com] identifies a bot called Q8 for Linux/Unix systems. Honeynet's paper on bots (http://www.honeynet.org/papers/bots/ [honeynet.org]) says: