Meet the Botnet Hunters

An anonymous reader writes "The Washington Post is running a pretty decent story about 'Shadowserver,' one of a growing number of volunteer groups dedicated to infiltrating and disabling botnets. The story covers not only how these guys do their work but the pitfalls of bothunting as well. From the article: 'Even after the Shadowserver crew has convinced an ISP to shut down a botmaster's command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'"

Botmasters will switch to distributed C&C

[putko]

Botmasters will switch to gossip-based protocols (like p2p) to achieve their goals. The good ones have done this already.

This is required for other reasons: if you have more than 10K or so bots, you are better off with a distributed mechanism.

Interestingly enough, most of the botmasters are not so technical - they wouldn't be able to comprehend virtual synchrony if it smacked them in the face.

delete themselves

[Anonymous Coward]

There should be a way to reverse engineer the clients so that they can delete themselves, I'm not exactly a botnet admin, but they have file access from what I have learned. Should they not just be able to use a friendly botnet server to tell the computers to delete the client software?

Drones

[Anonymous Coward]

Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists.

Since we're discussing drones, wouldn't a more appropriate analogy have been "like lost bees without a queen"?

Secure SMTP?

[RunFatBoy.net]

So many of these Botnets are used to send SPAM. I get a gut feeling that efforts would better be expended on getting widespread adoption of a more secure, universal SMTP protocol.

-- Jim http://www.runfatboy.net/ [runfatboy.net]

Sad...but true.

[RagingFuryBlack]

"Anything you submit to law enforcement may help later if an investigation occurs," he said. "Chances are, though, it will just be filed away in a database."

I'm forced to wonder here. Why exactly won't Law Enforcement take care of a case that they're handed? I mean, last time I checked, someone handing you your entire case takes no effort whatsoever to investigate. If you take down some of these botmasters, you may see alot of people start backing off as they'll realise that people committing the crime are in fact being procecuted.

Then again, this is the US Government we're talking about here.

I've done something similar

[c6gunner]

Formating the guy's HD might be a little extreme, but back when I actually used IRC, I used to get bots trying to infect me all the time. So I'd run the file, capture and analyze the packets it sends as it's connecting, then shut it down, reconnect using mIRC, and take over the botnet. From there it was a simple matter to get them to accept a script which would eradicate all the bots.

They're getting more complex these days, but the same principles still apply. Once you get one on your system, it's a simple matter to analyze it and use it to take control off, and destroy, the rest of them.

Unusual, but Not Impossible

[Quantam]

A few months ago, Taylor became obsessed with tracking a rather unusual botnet consisting of computers running Mac OS X and Linux operating systems.

As that means that there a large numbers of breachable OS X and Linux machines out there, that pretty much puts to death the myth that OS X and Linux are sufficiently secure out of the box.

How to fix this easily

[JustNiz]

There needs to be more accountability/traceability in order to register a domain. You should have to prove ID etc. so that if your domain is clearly a botmaster then the authorities can find you in person easily and nail your ass.

Re:Botmasters will switch to distributed C&C

[plover]

Maybe [...] they should alert the proper athorities (in each country involved) and see if they can get enough information to make an example of them. I doubt it would take more then a couple dozen prosecutions with maximum penalties to discourage the vast majority of these net operaters form trying it in the first place.

From what I've seen of the chat logs of these botnet operators (interviews, news articles, etc.) they typically don't speak English-as-a-first-language, which implies they're operating outside of the USA.

Many of these operators work out of countries that have police who can barely keep up with the local street crime. Their police certainly don't have time to worry about some rich guy's PC in the USA. And given the current state of dislike for the U.S. that's found across the world, it's possible the local police would refuse to cooperate with an American investigation.

And if they do say they'll cooperate, chances are not bad that if one of these officers was tasked with busting someone running a botnet from a cafe, they'd say "I hear you're hacking PCs in the USA and made $10,000. For $5,000 I'll let you know if Interpol starts asking about you."

Re:I've done something similar

[plover]

Some are moving that way already. The botnet developers are beginning to realize the monetary value of their little operations, and are moving to protect their investments. There has been enough published crypto that these guys can basically drop in a secure signalling system. And one of the botnet researchers has said some are already using encrypted channels.

Others are using a "cellular" or P2P model -- instead of a central IRC-style server, the bots are chatting only with the PC that infected them. It makes rolling up a botnet and tracking it back to "node zero" very difficult.

The nice thing about the botnets (from the operators perspective) is the ease with which he can roll out updated software. Shadowcrew getting too close? New code time!

Relevant Article

[glas_gow]

This article has a nice example of how a Russian botnet was hunted: http://www.newyorker.com/fact/content/articles/051 010fa_fact [newyorker.com] A few weeks later, on a Saturday in March, Ivan slipped up: he logged in to the chat room without disguising his home Internet address. The same day, Turner happened to be online, and decided to look up eXe's registration information. To his astonishment, he found what appeared to be a real name, address, and phone number: Ivan Maksakov, of Saratov, Russia. Lyon dashed off an e-mail to the authorities with the subject line "eXe made a HUGE mistake!"

from one who works with shadowserver

[app13b0y]

I've been working with the shadowserver group for a while now and can say that it has been very interesting. to give some facts on the project

SS == shadowserver

* SS rarely shuts down botnets asap, but rather waits to see if they can figure out who the owner is, and several arrests have been made because of this.

* there has been talk on what is going to happen when the botnets switch to a different method other than irc. for more information, search for the botnet mailing list hosted by whitestar

* most of the trojans are found by running nepenthes

* SS has a HUGE repository of botnet scripts and C&C information.

* SS could always use more contacts with ISPs, domain registrars, and foreign LEAs. (we're in #shadowserver on freenode)

* botnets aren't the only thing we've been tracking (you'll see what I'm talking about in the news later)

Not Probable

[Absentminded-Artist]

I call Bull Puckies. What botnet? Why haven't we heard of it? You think the currently anti-Mac press would pass up a chance to herald OS X botnets as a failure of OS X security? Or even Linux? ZDnet New Zealand would personally wet themselves over this story. I think it's part of their reason for being to blast Apple every chance they can get. And yet we hear nothing.

I took the liberty to scan through www.shadowserver.org's RSS feeds for any news on OS X botnets and all I could find were mentions of the same security vulnerabilities we heard about all through February. Now, I'm not registered with that site so I couldn't use their site search, but I'm fairly certain I won't find anything there. A botnet running on compromised OS X machines would be too juicy for sites like C|Net and ZDnet to pass up.

I don't want to come across as an Apple apologist. Heck, I was so alarmed by the Safari zip file vulnerability that I dedicated a web site [cootey.com] to exploring it. But this casual mention of botnets on Linux and Mac OS X just doesn't add up.

Don't kid yourself. Security needs some paranoia!

[wild_berry]

A bit of googling [google.co.uk] finds a comment attributed to David Taylor at http://blog.washingtonpost.com/securityfix/2005/10 /it_must_be_zombie_season.html [washingtonpost.com]. It spreads by making use of a PHP vulnerability, so may have be harmful to OSX systems too.

This blog post [blogspot.com] identifies a bot called Q8 for Linux/Unix systems. Honeynet's paper on bots (http://www.honeynet.org/papers/bots/ [honeynet.org]) says:

Q8bot is a very small bot, consisting of only 926 lines of C-code. And it has one additional noteworthiness: It's written for Unix/Linux systems. It implements all common features of a bot: Dynamic updating via HTTP-downloads, various DDoS-attacks (e.g. SYN-flood and UDP-flood), execution of arbitrary commands, and many more. In the version we have captured, spreaders are missing. But presumably versions of this bot exist which also include spreaders.