Slashdot Mirror


Observing Botnets with Honeynets

Susan Saradon writes "The Honeynet Project has released a new paper which deals with the observation of botnets. "Know Your Enemy: Tracking Botnets" discusses what Botnets are, who is using them, how, and why. It also introduces the tools "mwcollect" and "drone" which can be used for collecting and tracking Botnet activity. Nice to read and looking forward to the release of these tools."

9 of 118 comments

  1. Zombie PCs being sent to steal IDs by maotx · · Score: 4, Interesting

    While I was going to submit this as a story, it would seem more appropriate as a link from this one.

    News.com has an interesting article talking about how bot nets have migrated mainly from DoS to widespread spies. A growing number of bot nets have been used to gather sensitive identity information and install adware and spyware. The Honeynet Project estimates that some of the networks are made up of more than 50,000 computers.

    --
    I'm a virgo and on Slashdot. Coincidence? Yes.
  2. Re:Are these BotNets responsible by Anonymous Coward · · Score: 5, Interesting

    Yep.

    The funny thing about the brute-force attempts I've been victim of is that they use the same password as username.

    I figured this out after having a guest:guest account open for a while. Suddenly I started getting complaints from the network admin, and then one night working, I was shocked by how slow this 400MHz monster had become lately. Running ps showed me a few things I didn't want to see. However, as I didn't delete the programs compiled on that account, I could browse through the code to see how it worked, and indeed, it connected to an IRC server and a channel with a key and kept listing IP addresses and codes that I never took the time to investigate.

    And uhm, yeah, it was stupid having a guest:guest account. :)

  3. Re:226,585 unique hosts!? by LiquidCoooled · · Score: 4, Interesting

    No, here at work, we just have to sneeze loudly and we get a new IP.

    Windows machines rebooting continuously because they keep crashing means new IPs are allocated every time the user reconnects to his ISP.

    --
    liqbase :: faster than paper
  4. Re:WTF? by Reene · · Score: 5, Interesting

    I would imagine it is much more profitable, at least in the short run, to do things like this. Same would be true for Everquest if it's possible to steal items in this manner, but I am unfamiliar with how exactly the item system in that game works (was always a Diablo fan, not an EQ fan).

    The prices some of these things fetch are insane even to the most hardcore of gamers. But I guess if you've got that much money to blow anything starts looking good. Hell, you should see some of the prices the shit on the text-based MUD DragonRealms fetches. Upwards of thousands of dollars for characters, rare items, and currency. And it's easy to shell out anywhere from $30-$500 a month directly to the company that runs the game itself, nevermind the underground networks of illegal buying and selling of characters/items/money. But I digress...

    --
    "He does look a bit Oompa like, even if his Loompa is a bit off-kilter."
  5. Re:Are these BotNets responsible by nolife · · Score: 3, Interesting

    Maybe I have been lucky but I see fewer than 5 attempts to my port 22 a day. I only allow accounts with existing keys (no password auth) and only from a few source IP addresses access but I can still see all of the attempts that fail. You can always see the trends by port and attack by browsing the Internet Storm Center. See how you compare to the averages or you can look up specific port related issues from the other links on that page.

    --
    Bad boys rape our young girls but Violet gives willingly.
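The two commenters above describe the same thing from the defender's side: repeated password guesses against port 22, often with trivial username/password pairs, visible in the auth log even when the server only accepts keys. The following is an added example (not code from the thread, the Honeynet paper, or the mwcollect/drone tools) that parses OpenSSH-style auth-log lines, counts failures per source address and the usernames each source tried, and flags sources over a threshold. The log lines, the 5-attempt threshold and the host name are constructed for the example.

```python
"""Added example: summarise failed SSH logins from OpenSSH auth-log lines.
Not from the Slashdot thread or the Honeynet paper; sample data is constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH's syslog format (not real traffic).
SAMPLE_LOG = """\
Mar 14 02:11:01 host sshd[4121]: Failed password for invalid user guest from 203.0.113.7 port 51222 ssh2
Mar 14 02:11:03 host sshd[4121]: Failed password for invalid user guest from 203.0.113.7 port 51223 ssh2
Mar 14 02:11:05 host sshd[4121]: Failed password for invalid user test from 203.0.113.7 port 51224 ssh2
Mar 14 02:11:08 host sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51225 ssh2
Mar 14 02:11:10 host sshd[4121]: Failed password for root from 203.0.113.7 port 51226 ssh2
Mar 14 03:40:12 host sshd[4188]: Failed password for alice from 198.51.100.9 port 40011 ssh2
Mar 14 03:41:30 host sshd[4190]: Accepted publickey for alice from 198.51.100.9 port 40012 ssh2
"""

# Matches "Failed <method> for [invalid user] <user> from <addr> port <n>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[0-9a-fA-F.:]+) port \d+"
)


def parse_failures(log_text):
    """Return (source, user, auth_method) for every failed-login line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group("src"), m.group("user"), m.group("method")))
    return out


def failures_by_source(log_text):
    """Count failed logins per source address."""
    return Counter(src for src, _, _ in parse_failures(log_text))


def usernames_by_source(log_text):
    """Map each source address to the set of usernames it tried."""
    seen = defaultdict(set)
    for src, user, _ in parse_failures(log_text):
        seen[src].add(user)
    return seen


def flag_bruteforce(log_text, threshold=5):
    """Sources with at least `threshold` failures (threshold is an assumed tuning value)."""
    return sorted(src for src, n in failures_by_source(log_text).items() if n >= threshold)


def password_failures(log_text):
    """(source, user) for 'Failed password' lines. On a host configured for key-only
    auth these should not appear at all, so a non-empty result is a config check."""
    return [(src, user) for src, user, method in parse_failures(log_text) if method == "password"]


if __name__ == "__main__":
    users = usernames_by_source(SAMPLE_LOG)
    for src, n in failures_by_source(SAMPLE_LOG).most_common():
        print(f"{src}: {n} failures, usernames tried: {sorted(users[src])}")
    print("flagged sources:", flag_bruteforce(SAMPLE_LOG))
```

The "Accepted publickey" line is deliberately included to show that successful key logins are not counted. Feeding `/var/log/auth.log` (or `journalctl -u ssh` output) into `failures_by_source` gives the per-day figure the commenter is comparing against the Internet Storm Center averages.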
  6. Spidering by menace3society · · Score: 3, Interesting

    Does it bother anyone else that they imply that spidering is related to DDoS and botnets?

    Note that DDoS attacks are not limited to web servers, virtually any service available on the Internet can be the target of such an attack. Higher-level protocols can be used to increase the load even more effectively by using very specific attacks, such as running exhausting search queries on bulletin boards or recursive HTTP-floods on the victim's website. Recursive HTTP-flood means that the bots start from a given HTTP link and then follow all links on the provided website in a recursive way. This is also called spidering.

    Any time I see this sort of obvious attempt to build paranoia, it makes me suspicious of the whole article.

  7. Re:Are these BotNets responsible by Anonymous Coward · · Score: 2, Interesting

    I'm really surprised that there isn't any "bot wars"

    Trust me, there are. You may not notice them since they target a pretty specific population (lusers with owned boxes attacking each other until they drop off the internet won't much affect you unless you're on the same network segment as one side or the other). We have an IRC operator on our network who figured out that at least the IRC control module could be disabled on command on certain prepackaged (yay scriptkiddiez) bots, and would (ab)use his power as IRCop to find the hidden channels and disable the bots there.

  8. Re:Are these BotNets responsible by Daengbo · · Score: 2, Interesting

    I have a dummy account with a cryptic name and password and no home as the only allowed ssh login for my box, from which I must su to a normal user, then su - to admin. I'm hoping that it's unlikely to be cracked.

  9. I've had a similar experience by Anonymous Coward · · Score: 5, Interesting

    I found a gaobot variant at work a month back and ran it on a Virtual PC at home. One thing the article doesn't mention is that the variant would connect to a free dynamic IP address server (in my case *.ma.cx) to figure out the IP of the IRC server. I fired up mIRC, and joined the channel my bot was joining, and sent the OP a message. We started talking for a bit. At first he thought I was some other black hat and he started bragging about having over 50,000 machines in his network. Wanted to know if I wanted to trade bots and the like. When he figured out what I was really doing, he banned me.

    I sent messages to the ISP of the IRC server (in this case IPowerWeb) and to the dynamic DNS server to the effect of "Hey, someone's using your service for hacking" with all my details and such. Nothing happened. Guess they just don't care.
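The behaviour described above, a bot resolving a dynamic-DNS name to find its IRC server and then connecting, leaves a recognisable two-step pattern in network logs: a lookup of a name under a dynamic-DNS suffix followed shortly by an outbound connection from the same host to the resolved address on an IRC port. The following is an added example (not code from the thread, the Honeynet paper, or the tools it describes) that correlates constructed DNS and connection log lines to flag that sequence. The `*.ma.cx` suffix comes from the comment; the hostnames, client addresses, IRC port list and 120-second window are constructed or assumed.

```python
"""Added example: flag dynamic-DNS lookup followed by an IRC-port connection.
Not from the Slashdot thread or the Honeynet paper; sample data is constructed."""
from datetime import datetime

DYNDNS_SUFFIXES = ("ma.cx",)            # suffix named in the comment; extend locally
IRC_PORTS = {6667, 6668, 6669, 7000}    # common IRC ports (assumed list, tune locally)
WINDOW_SECONDS = 120                    # assumed correlation window

# Constructed event log, assumed to be in time order. Two record kinds:
#   dns  <time> <client> <qname> <answer_ip>
#   conn <time> <client> <dst_ip> <dst_port>
SAMPLE_EVENTS = """\
dns 2005-03-14T10:00:01 10.0.0.5 update-check.example.net 192.0.2.10
conn 2005-03-14T10:00:02 10.0.0.5 192.0.2.10 80
dns 2005-03-14T10:05:00 10.0.0.8 bot-rendezvous.ma.cx 192.0.2.44
conn 2005-03-14T10:05:03 10.0.0.8 192.0.2.44 6667
dns 2005-03-14T10:20:00 10.0.0.9 something.ma.cx 192.0.2.50
conn 2005-03-14T10:30:00 10.0.0.9 192.0.2.50 6667
"""


def parse_events(text):
    """Turn the constructed log format into tuples; unknown kinds are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        kind, ts, client = parts[0], datetime.fromisoformat(parts[1]), parts[2]
        if kind == "dns":
            events.append(("dns", ts, client, parts[3], parts[4]))
        elif kind == "conn":
            events.append(("conn", ts, client, parts[3], int(parts[4])))
    return events


def is_dyndns(name):
    """True if the queried name is under one of the dynamic-DNS suffixes."""
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)


def find_irc_rendezvous(text, window=WINDOW_SECONDS):
    """Return (client, qname, dst_ip, port) for each IRC-port connection that follows,
    within `window` seconds, a dynamic-DNS lookup by the same client that resolved
    to that destination address."""
    recent = {}   # (client, answer_ip) -> (lookup_time, qname)
    hits = []
    for ev in parse_events(text):
        if ev[0] == "dns":
            _, ts, client, qname, answer = ev
            if is_dyndns(qname):
                recent[(client, answer)] = (ts, qname)
        else:
            _, ts, client, dst, port = ev
            key = (client, dst)
            if port in IRC_PORTS and key in recent:
                lookup_ts, qname = recent[key]
                if 0 <= (ts - lookup_ts).total_seconds() <= window:
                    hits.append((client, qname, dst, port))
    return hits


if __name__ == "__main__":
    for client, qname, dst, port in find_irc_rendezvous(SAMPLE_EVENTS):
        print(f"{client} resolved {qname} -> {dst} then connected on port {port}")
```

Of the three clients in the sample, only 10.0.0.8 is flagged: 10.0.0.5 resolved a non-dynamic name and went to port 80, and 10.0.0.9 did look up a `ma.cx` name but connected ten minutes later, outside the window. In practice the DNS side would come from a resolver log or passive DNS and the connection side from a firewall or flow log, keyed on the same client address.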