Meet the Botnet Hunters
An anonymous reader writes "The Washington Post is running a pretty decent story about 'Shadowserver,' one of a growing number of volunteer groups dedicated to infiltrating and disabling botnets. The story covers not only how these guys do their work but the pitfalls of bothunting as well. From the article: 'Even after the Shadowserver crew has convinced an ISP to shut down a botmaster's command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'"
Botnet Hunters! (Score:5, Funny)
Re:Botnet Hunters! (Score:2)
Re:Botnet Hunters! (Score:2, Insightful)
info on botnets (Score:5, Informative)
Re:info on botnets (Score:2, Informative)
Botmasters will switch to distributed C&C (Score:5, Interesting)
This is required for other reasons: if you have more than 10K or so bots, you are better off with a distributed mechanism.
Interestingly enough, most of the botmasters are not so technical - they wouldn't be able to comprehend virtual synchrony if it smacked them in the face.
Re:Botmasters will switch to distributed C&C (Score:4, Insightful)
Or are the backdoors they are using more sophisticated than that?
Re:Botmasters will switch to distributed C&C (Score:4, Insightful)
Now on another note, if we did allow these people to do as you say and included "I'm doing good, not evil" as an excuse, how many real attackers could use that as their claim to innocence when they do eventually get busted? I mean, if I can avoid prosecution for popping up a window that says you're infected, I could end all my botnet attacks that way and make the window appear to be a standard popup from spyware that is also affecting the computer.
I don't see why the law isn't going after these botnet people like they would if I broke into some company's mainframe and used their computers to compile code. Maybe instead of having the ISP turn the domain off, they should alert the proper authorities (in each country involved) and see if they can get enough information to make an example of them. I doubt it would take more than a couple dozen prosecutions with maximum penalties to discourage the vast majority of these net operators from trying it in the first place.
Re:Botmasters will switch to distributed C&C (Score:3, Insightful)
So, here's a clue: Don't tell anybody you did it.
I mean, really. Make a popup or something that says you've been infected to the users, or better yet, just have the bot kill itself quietly and not do anything else. No need for it to be damaging; it's enough to have the bot just stop running and kill its own restart sequence. Voila, instant botnet death.
Hell, maybe it's a normally available patch that just hasn't been applied, in which case
Re:Botmasters will switch to distributed C&C (Score:2)
As for Windows Update? From time to time you will see that Windows Update will break certain applications and hardware devices. What happens when this update gets another update that does this exactly? Sure, a patch might be available for the hardware or product, but maybe not for
Re:Botmasters will switch to distributed C&C (Score:2)
Yes, doing so would be against the law too. Well, you know what? Fuck the law. The law isn't solving the problem. The law is never going to solve the problem. People keep bitching that users are not fixing their shit, and this is true, so I suggest that instead of trying all this le
Re:Botmasters will switch to distributed C&C (Score:2)
Notifying the ISP and having them cut their service off is something that isn't being pursued enough. Time Warner would send out emails with deadlines when your computer was thought to be infected and spreading viruses. I'm not sure if they still do. As I see the problem, ISP
Re:Botmasters will switch to distributed C&C (Score:2)
I would imagine fear of the law and getting suied[sic] or thrown in jail. Not to mention poping[sic] open a window might be as unoticed[sic] as the popup wanting to increase my member size. It would take some sort of government imunity[sic] to prosecution to aviod[sic] getting getting tangled in the same laws that make computer tresspass[sic] ilegal[sic].
I can back you up here. I know some security researchers who monitor botnets and they don't shut them down for legal reasons. They do get the command
Re:Botmasters will switch to distributed C&C (Score:3, Interesting)
From what I've seen of the chat logs of these botnet operators (interviews, news articles, etc.) they typically don't speak English-as-a-first-language, which implies they're operating out
Re:Botmasters will switch to distributed C&C (Score:2)
Just history repeating itself.
Nearly 14 years when I lived in a country on the other side of what used to be the iron curtain I saw one of these cases with my own eyes. Two newly fledged "politology scientists" (no comment on
Re:Botmasters will switch to distributed C&C (Score:3, Informative)
Those bots "patch" the backdoors so nobody else can get in through the hole
I've done something similar (Score:5, Interesting)
They're getting more complex these days, but the same principles still apply. Once you get one on your system, it's a simple matter to analyze it and use it to take control of, and destroy, the rest of them.
Once you get one on your system (Score:2)
Re:I've done something similar (Score:4, Interesting)
Others are using a "cellular" or P2P model -- instead of a central IRC-style server, the bots are chatting only with the PC that infected them. It makes rolling up a botnet and tracking it back to "node zero" very difficult.
The nice thing about the botnets (from the operators perspective) is the ease with which he can roll out updated software. Shadowcrew getting too close? New code time!
Re:Botmasters will switch to distributed C&C (Score:2)
-matthew
Re:Botmasters will switch to distributed C&C (Score:2)
delete themselves (Score:2, Interesting)
Re:delete themselves (Score:3, Insightful)
~S
Re:delete themselves (Score:2, Informative)
Which is why if you're going to do botnet hunting you either get to ally yourself with law enforcement and contac
Re:delete themselves (Score:2, Insightful)
Again, that's a lot of risk to be taking on. Because there *are* convictions for people running botnets, which means that there *are* governmental agencies monitoring some of them, tr
Re:delete themselves (Score:2)
They are on the web (Score:5, Informative)
Bitter irony, Slashdot is thy home (or hangout...) (Score:5, Funny)
Domain.. (Score:4, Insightful)
Why don't the hunters register the domain for themselves? Or just ask the registrar controlling it to transfer it to their control? If the botnet owner tries to complain it's been hijacked he'd have to explain the botnet..
Re:Domain.. (Score:2)
Issue a reformat command
Great plot! (Score:5, Funny)
Oh, I don't know... (Score:3, Funny)
Be vewy vewy quiet... (Score:5, Funny)
Buggy bot: Would you like to shut us down now or wait 'till you get home?
Daffy fuck: SHUT HIM DOWN NOW! SHUT HIM DOWN NOW!
Buggy bot: You keep out of this. He doesn't have to shut you down now.
Daffy fuck: He does SO have to shut me down now! I demand that you shut me down now. (Nyeah!)
Spammer: daffy# shutdown -now
Botnet: *reboots*
Daffy fuck: Let's read those logs again.
Buggy bot: Okay. bugbot: would you like to shut us down now or wait 'till you get home?
Daffy fuck: daffy: shut him down now
Buggy bot: bugbot: you keep out of this, he doesn't have to shut you down now
Daffy fuck: Aha! Hold it right there. DNS cache poisoning. It's not 'he doesn't have to shut you down now', it's 'he doesn't have to shut me down now.' Well, I say he does have to shut me down now! So shut me down now!
Spammer: daffy# shutdown -now
Botnet: *reboots*
Secure SMTP? (Score:4, Interesting)
-- Jim http://www.runfatboy.net/ [runfatboy.net]
Re:Secure SMTP? (Score:2)
Re:Secure SMTP? (Score:2)
Re:Secure SMTP? (Score:2)
Damn, you better tell that idea to the IETF guys ASAP. I'm sure they've never thought of doing *that*!
botnets remain undetected (Score:2)
Sounds like a golden opportunity for ingenious programmers to design something to seek out and destroy these botnets, and then sell it to Microsoft for a fortune.
Another [eweek.com] botnet hunter article from eWeek.
Spyware Scanners Don't Work (Score:4, Insightful)
This, unfortunately, is the most common viewpoint from end-users and IT alike.
It's unfortunate because it's so dangerously inaccurate. Lots (LOTS) of spyware is not detected by any of the mainstream detection applications. The best solution I've found is using HijackThis to manually remove suspicious entries, but this is hardly a feasible solution for the average user.
Re:Spyware Scanners Don't Work (Score:2)
I pop it up from time to time just to make sure nothing odd is going on.
It's also handy because it allows you to close the connection any malicious program is making. Very very useful when the program is stealthed & won't show up in the task manager.
Re:Spyware Scanners Don't Work (Score:2)
This is part of the problem though. When someone finds a piece of malicious software they often fail to submit it to the AV and anti-spyware companies so definitions can be updated. I've been guilty of it myself in the past as well, but we do need to be responsible community members.
Re:Spyware Scanners Don't Work (Score:5, Informative)
The most important thing is to do all this in safe mode. Most people don't even do that, so what can you do?
Re:Spyware Scanners Don't Work (Score:2)
I haven't used SAV10, but SAV9 was pure, unadulterated garbage. Whether managed or not, clients would stop getting updates and never start again until the client was uninstalled and reinstalled. This went both for program updates and virus definitions. It's also the second-slowest virus scanner in common use (behind Kaspersky Labs' AVP[oo]).
You can recommend anything you like, and I won't even flame you, but SAV is cr
Re:Spyware Scanners Don't Work (Score:2)
I'm not homosexual or bisexual, but I question your use of the word, "gay" as a negative adjective in this context. There are more descriptive words that can communicate your intended meaning much more effectively.
A different approach (Score:3, Insightful)
Just my 2 cents.
Re:A different approach (Score:2)
Re:A different approach (Score:2)
This reduces the attractiveness of SBC machines to host bots. But SBC cannot block ports like 80 (HTTP), so SBCbots can still be used for DDoS.
Re:A different approach (Score:2)
More likely is that the user is unaware of what their system is doing. Most users are dolts, not malignant henchmen. If the ISP could bring this to their attention, perhaps they'd take some interest in keeping a more secure computer system.
Re:A different approach (Score:2)
Maybe educating the users will make them less incompetent?
As for the moderation... metamoderate more often, there are a lot of people who throw around these kinds of mods with little cause.
Hey, I've seen that mentality before! (Score:5, Funny)
Turn your computer off (Score:4, Insightful)
So... turn your computer off when you are not using it.
Hell, you will even save some electricity while you are at it.
Seems like taking 8 or 9 hours out of the day for the bot to actually operate will at least decrease some of the traffic these bots are generating.
The practice people have developed of leaving their computers on 24/7 should stop... unless of course the computer is doing something more productive than generating elaborate mazes of 3 dimensional plumbing schemes.
Re:Turn your computer off (Score:2)
I don't know about anyone else, but 100% of the hardware failures I have had have been during a cold reboot. Keeping your hardware warm keeps it alive longer.
Re:Turn your computer off (Score:2)
<offtopic>
Well... I killed a machine by stepping on a power strip once.
Who the hell thought it was a good idea to make power strips out of metal!?
Lovely flame or plasma cloud or whatever it was though...
Re:Turn your computer off (Score:2)
Most during a warm boot, in my experience.
Re:Turn your computer off (Score:3, Informative)
And, well, think of the CPU time wasted by not downloading from bittorrent and emule (or SETI/Folding@home for the more noble ones out there).
Re:Turn your computer off (Score:2)
Stories aside, your reason has been proven to be BS in many forums.
More information on same subject (Score:5, Informative)
Besides the usual info about how many PCs he had infected (30,000 by his count) and how he had done it (found software on a site), there was this bit at the end of the article from Symantec:
According to stats released this week by computer security giant Symantec Corp., the most common computer operating system found in botnets is Microsoft's Windows 2000, an OS predominantly used in business environments. Indeed, the vast majority of bots in Witlog's network were Win2K machines, and among the bots I saw were at least 40 computers owned by the Texas state government, as well as several systems on foreign government networks. At least one machine that he showed me from his botnet was located inside of a major U.S. defense contractor.
The permanent link for the article can be found here [washingtonpost.com].
And he didn't get a visit? (Score:2, Insightful)
If I would have done such a good deed (and it was a good deed in my book), I'd have probably been hauled off for questioning. That's the fear as to why I don't "get involved" trying to stop these jerks myself.
Better ways to stop them... (Score:5, Insightful)
This is less risky than the obvious angle of simply patching the box so it can't get infected, because you know that the bot is not supposed to be running on the machine in the first place. Patching the box might go bad or have other unknown consequences, but having the bot kill itself is not nearly as bad. And by possibly informing the user of the facts, you can still scare them into patching their box. Screw shutting down the botnet owner's connection, shut down the botnet itself. Take away their tool in one swift stroke. Make 'em have to build a new one, hopefully from a whole new set of boxes.
Wrong (Score:2)
The solution to this problem is to put a few of these guys in jail. The solution is for the feds to get off their goddam lazy asses and prosecute these people. You don't poke around in someone's compromised computer, for good or evil.
What these people are doing is against the law and it has always been against the law. The problem we have is that the law enforcement authorities seem more obsessed with Tommy Cheec
Re:Wrong (Score:2)
"Stop me? BWAHAHAHAHA" (Score:2)
Speaking as an Evil Genius [sjgames.com] with standards [eviloverlord.com], and one who's read the Warhol Worm [icir.org] paper, I'd say any "decent" botnet doesn't take orders from just any old Bill, Fred, or Otto who wanders by waving an executable at it. A "decent" bot wouldn't run code handed to it unless the executable was cryptographically signed with a private key matching the public key it knows belongs to its One True Beloved Master.
So, all of your plans should work j
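The check the comment above describes, as an added example that is not code from the original thread or from any bot the article discusses. It assumes Ed25519 as the signature scheme and a wire format of its own invention (a sequence number, the payload, and a signature over both); the sequence number is an addition beyond what the comment states, there to show why "only runs signed code" alone is not enough: without it, a hunter who captured one valid signed command could replay it. The URL in the sample payload is a placeholder.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Command is one control message as a bot would see it on the C&C channel.
// The wire shape (sequence number, payload, Ed25519 signature over both)
// is this example's assumption, not any real bot's format.
type Command struct {
	Seq     uint64
	Payload []byte
	Sig     []byte
}

// signedBytes is the exact byte string the master signs and the bot
// verifies: 8-byte big-endian Seq followed by Payload. Covering Seq is
// what stops a captured command from being replayed later.
func signedBytes(seq uint64, payload []byte) []byte {
	buf := make([]byte, 8+len(payload))
	binary.BigEndian.PutUint64(buf, seq)
	copy(buf[8:], payload)
	return buf
}

// Master holds the private key, which never leaves the operator.
type Master struct {
	priv ed25519.PrivateKey
	seq  uint64
}

// Sign issues the next command, numbered one higher than the last.
func (m *Master) Sign(payload []byte) Command {
	m.seq++
	return Command{
		Seq:     m.seq,
		Payload: payload,
		Sig:     ed25519.Sign(m.priv, signedBytes(m.seq, payload)),
	}
}

// Bot carries only the master's public key, compiled into the binary.
// Reverse engineering the bot reveals that key but does not let the
// analyst produce signatures with it.
type Bot struct {
	master  ed25519.PublicKey
	lastSeq uint64
}

var (
	ErrBadSignature = errors.New("rejected: signature does not verify under master key")
	ErrReplay       = errors.New("rejected: sequence number is not newer than last accepted")
)

// Accept returns the payload only if the signature verifies and the
// command is newer than anything this bot has already acted on.
func (b *Bot) Accept(c Command) ([]byte, error) {
	if len(c.Sig) != ed25519.SignatureSize ||
		!ed25519.Verify(b.master, signedBytes(c.Seq, c.Payload), c.Sig) {
		return nil, ErrBadSignature
	}
	if c.Seq <= b.lastSeq {
		return nil, ErrReplay
	}
	b.lastSeq = c.Seq
	return c.Payload, nil
}

// NewPair generates a fresh master key and a bot that trusts only it.
func NewPair() (*Master, *Bot, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Master{priv: priv}, &Bot{master: pub}, nil
}

func main() {
	master, bot, err := NewPair()
	if err != nil {
		panic(err)
	}
	hijacker, _, err := NewPair() // a hunter with their own key, not the master's
	if err != nil {
		panic(err)
	}
	report := func(who string, c Command) {
		out, err := bot.Accept(c)
		fmt.Printf("%-30s -> payload=%q err=%v\n", who, out, err)
	}
	cmd := master.Sign([]byte("update http://example.invalid/bot.bin")) // placeholder URL
	report("master, fresh command", cmd)                                 // accepted
	report("master, same command replayed", cmd)                         // ErrReplay
	report("hijacker, own key", hijacker.Sign([]byte("uninstall")))      // ErrBadSignature
	tampered := master.Sign([]byte("sleep 3600"))
	tampered.Payload = []byte("uninstall") // signature no longer covers this payload
	report("master sig, tampered payload", tampered) // ErrBadSignature
}
```

The point for a hunter is the asymmetry: everything in the bot binary (the public key, the verification routine, the wire format) can be recovered by reverse engineering, and none of it helps produce a command the bot will accept. The only ways in are the master's private key, a flaw in the bot's own verification code, or a channel the bot trusts without a signature, which is why the replies below arguing that most real bots are sloppier than this matter in practice.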
Re:"Stop me? BWAHAHAHAHA" (Score:2)
No, that would be a "well-designed" bot. Most botnets are being controlled by script-kiddies running code that they didn't write or possibly even read. Half of them wouldn't be able to pronounce "cryptography", much less use it.
Re:"Stop me? BWAHAHAHAHA" (Score:2)
Formerly accurate; however, the trend has been increasingly that the botnets are run by professional criminals of increasing sophistication intent on extortion, spamming, and other lucrative criminal capers.
Why the FBI doesn't act (Score:4, Informative)
I know this from having been an I.T. guy for a state prosecutors office. We had to do everything ourselves and did we ever.
An analogy.. (Score:2, Funny)
Great fun for geek kids! (Score:2, Funny)
1> Search for EXEs off the latest P2P network or skulk around in some IRC channel until some chap offers it to you.
2> Take apart that self-extracting zip and look through the mIRC script.
3> Work out where they're sending their zombies. Masquerade as a bot for a bit.
4> Figure out a way to issue commands to the bots if possible.
5> Figure out a generic command to issue that stops the bodged mIRC from launching or removes it outright.
6> Send it and laugh l
Re:Great fun for geek kids! (Score:2)
Yeah, you're a step or two behind in the arms race now. Most of the botkits send encrypted, self-decoding binaries that make them a bit harder to reverse engineer. They also occasionally cull the herd by doing things like sending updates, then quickly running a check and booting anyone who does not respond correctly, or updating control channels twice in rapid succession. You have to be a little better at reverse engineering. Given the right tools, however, I know at least one person who can turn around the
Sad...but true. (Score:2, Interesting)
I'm forced to wonder here. Why exactly won't law enforcement take care of a case that they're handed? I mean, last time I checked, someone handing you your entire case takes no effort whatsoever to investigate. If you take down some of these botmasters, you may see a lot of people start backing off as they'll realise that people committing the crime
Re:Sad...but true. (Score:3, Insightful)
rerun (Score:2)
Unusual, but Not Impossible (Score:4, Interesting)
As that means that there are large numbers of breachable OS X and Linux machines out there, that pretty much puts to death the myth that OS X and Linux are sufficiently secure out of the box.
Re:Unusual, but Not Impossible (Score:2)
Re:Unusual, but Not Impossible (Score:2)
Re:Unusual, but Not Impossible (Score:2)
Not Probable (Score:3, Interesting)
I took the liberty to scan through www.shadowserver.org's RSS feeds for any news on OS X botnets and all I could find were mentions of the sa
Don't kid yourself. Security needs some paranoia! (Score:3, Interesting)
This blog post [blogspot.com] identifies a bot called Q8 for Linux/Unix systems. Honeynet's paper on bots (http://www.honeynet.org/papers/bots/ [honeynet.org]) says:
At what cost? (Score:2, Insightful)
"Now 27, Albright supports his wife and two children..."
" "I take my [handheld computer] everywhere so I can keep tabs on the botnets when I'm not at home," Albright said in a recent online chat with a washingtonpost.com reporter. "I spend at least 16 hours a day monitoring and updating." "
Anyone else consider this sad? He's putting so much of himself into the work.. when does he have time to be just "dad" ? If the start of all this was his father's suicide.. maybe he could use a few sessions t
ISPs "Detect & Destroy"? (Score:2)
Come on here. BOTs harm their systems, and they ought to be willing to put in the time to shut them off.
Then the end user of a BOT calls up, and the ISP says "Reformat and reinstall your OS with appropriate anti-baddy software or we won't let you use our ISP."
Yeah, I know, they want the fees, but they don't want the extra bandwidth use nor the problems, and if the major ISPs blacklist BOTs, how long before we
Re:ISPs "Detect & Destroy"? (Score:4, Informative)
So why don't ISPs simply write software to allow them to detect and automatically disconnect BOTs?
Most major ISPs have software that can pretty much do that. I'm looking at some of it right now in another tab of my browser. The problems are operationalizing it so that it is not too expensive. The support costs for a couple hundred thousand calls asking why they've been shut off and how to go about fixing it and then confirming that it has been done would be very high. Maybe some big players could partner with another company. Get your PC cleaned, patched, and certified and we'll turn your internet back on. The problem with this is there are still a lot of old Windows boxes out there. No security patches are available. A new Windows OS is expensive and won't run on the machine anyway. So the ISP might save a little on transit, but they lose a boatload of customers and the steady revenue those customers provide.
Now some ISPs have plans to implement a notification of compromised machines with an automated system. It may help the problem and the ISP can bill it as a feature. But that is just one more escalation in the arms race. Next bots will be stealthy, mimicking other machines on the subnet, or just sending encrypted tunnels. Anyway, the short answer to your question is "money."
How to fix this easily (Score:3, Interesting)
Relevant Article (Score:2, Interesting)
from one who works with shadowserver (Score:3, Interesting)
SS == shadowserver
* SS rarely shuts down botnets asap, but rather waits to see if they can figure out who the owner is, and several arrests have been made because of this.
* there has been talk on what is going to happen when the botnets switch to a different method other than irc. for more information, search for the botnet mailing list hosted by whitestar
* most of the trojans are found by running nepenthes
* SS has a HUGE repository of botnet scripts and C&C information.
* SS could always use more contacts with ISPs, domain registrars, and foreign LEAs. (we're in #shadowserver on freenode)
* botnets aren't the only thing we've been tracking (you'll see what I'm talking about in the news later)
Re:Danger, Will Robinson (Score:2, Funny)
Re:Danger, Will Robinson (Score:4, Informative)
This is a task for the government, not for pimpled nerds.
Someone needs to be doing it, and the story indicates that government just isn't interested in this--and even if they are, they can't seem to successfully prosecute. The end of the article really jumped out at me:
How can there be any legal barriers here? Is this supposed to be some twisted view of the 4th amendment?
Re:Danger, Will Robinson (Score:2, Insightful)
How can there be any legal barriers here? Is this supposed to be some twisted view of the 4th amendment?
--
What part of "shall not be infringed" is so hard to understand?
I think your sig says it all!
If people bitch when the NSA listens to calls from suspected terrorists, who are not in the US and not citizens, could you imagine the outcry if t
Re:Interesting Deal (Score:2, Informative)
"A few months ago, Taylor became obsessed with tracking a rather unusual botnet consisting of computers running Mac OS X and Linux operating systems."
I bet that your plan for security through statistics isn't looking good.
The final and ultimate answer to bots, spyware and such is knowledgeable users. I've been called an extremist when advocating a few years ago for a mandatory licence to get the right to connect a home PC to Internet, and I still think
Re:Interesting Deal (Score:2, Insightful)
Rather than add another level of bureaucracy (who would be the licensing authority - your local geek?), why not take the real culprits to task? Would you blame the driver or the manufacturer if a car's wheel falls off d
Re:Interesting Deal (Score:2)
Re:Interesting Deal (Score:2)
As a Linux user, I find this rather disturbing. Even on Linux, I never open attachments from unknown senders and even known senders' attachments go into a kind of quarantine, but up till now I had assumed that there was little cause for concern. Maybe MS Word file
Re:Interesting Deal (Score:2, Informative)
Actually, most of the attachments are Windows executables without any "exploits". They take advantage of the fact that quite a few idiots run as Administrator all the time.
Re:Drones (Score:2)
Re:Easy way to shut down value of botnets (Score:2)
Re:Easy way to shut down value of botnets (Score:2)
Re:Easy way to shut down value of botnets (Score:2)
Re:Easy way to shut down value of botnets (Score:2)
All ADSL and most cable providers here give you a static IP, yet the number of bots and infected PCs here is the same as in the US, where dynamic IP seems to be the norm.
This is of course to be expected. When the bot writer uses a clever enough protocol to be able to control a PC on a dynamic IP, it will certainly work on a static IP.
Re:Easy way to shut down value of botnets (Score:2)
Re:Easy way to shut down value of botnets (Score:2)
I think a good solution would be to block outgoing (and maybe incoming) port 25 traffic by default, and have some option per customer to enable the port, with a webpage that explains the risks. Most customers will never notice what they are missing with filtered port 25, but for the few that need it, it is very inconvenient when it is closed for everyone.
Unfortunately the infrastructure does not always make it simple to do thi
Re:Easy way to shut down value of botnets (Score:2)
Obviously, someone who works at Verizon or Earthlink modded me down
Re:Easy way to shut down value of botnets (Score:2)
Maybe this was done after they read about the "open relay used for spamming" problem, mostly something of the past.
Anyway, blocking port 25 on outgoing connects would have solved that just as well.
So when you ask them to filter port 25, make sure they understand which direction you mean!