Slashdot Mirror


Observing Botnets with Honeynets

Susan Saradon writes "The Honeynet Project has released a new paper which deals with the observation of botnets. "Know Your Enemy: Tracking Botnets" discusses what Botnets are, who is using them, how, and why. It als introduces the tools "mwcollect" and "drone" which can be used for collecting an tracking Botnet activity. Nice to read and looking forward to the release of these tools."

5 of 118 comments (clear)

  1. Zombie PCs being sent to steal IDs by maotx · · Score: 4, Interesting

    While I was going to submit this as a story, it would seem more appropriate as a link from this one.

    News.com has an interesting article talking about how bot nets have migrated mainly from DoS to wide-spread spys. A growing increase in bot nets have been used to gather sensitive identity information and install adware and spyware. The Honeynet Project estimates that some of the networks are made up of more than 50,000 computers.

    --
    I'm a virgo and on Slashdot. Coincidence? Yes.
  2. Re:Are these BotNets responsible by Anonymous Coward · · Score: 5, Interesting

    Yep.

    The funny thing about the bruteforce attempts I've been victim of is that they use the same password as username.

    I figured this out after having a guest:guest account open for a while. Suddenly I started getting complaints from the network admin, and then one night working, I was shocked by how slow this 400MHz monster had become lately. Running ps showed me a few things I didn't want to see. However, as I didn't delete the programs compiled on that account, I could browse through the code to see how it worked, and indeed, it connected a IRC server and a channel with a key and kept listing IP addresses and codes that I never took the time to investigate.

    And uhm, yeah, it was stupid having a guest:guest account. :)

  3. Re:226,585 unique hosts!? by LiquidCoooled · · Score: 4, Interesting

    No, here at work, we just have to sneeze loudly and we get a new IP.

    Windows machines reboot continuously because they keep crashing mean new IPs are allocated every time the user reconnects to his ISP.

    --
    liqbase :: faster than paper
  4. Re:WTF? by Reene · · Score: 5, Interesting

    I would imagine it is much more profitable, at least in the short run, to do things like this. Same would be true for Everquest if it's possible to steal items in this manner, but I am unfamiliar with how exactly the item system in that game works (was always a Diablo fan, not a EQ fan).

    The prices some of these things fetch is insane even to the most hardcore of gamers..But I guess if you've got that much money to blow anything starts looking good. Hell, you should see some of the prices the shit on the text-based MUD DragonRealms fetches. Upwards of thousands of dollars for characters, rare items, and currency. And it's easy to shell out anywhere from $30-$500 a month directly to the company that runs the game itself, nevermind the underground networks of illegal buying and selling of characters/items/money. But I digress...

    --
    "He does look a bit Oompa like, even if his Loompa is a bit off-kilter."
  5. I've had a similar experience by Anonymous Coward · · Score: 5, Interesting

    I found a gaobot variant at work a month back and ran it on a Virtual PC at home. One thing the article doesn't mention is that the variant would connect to a free dynamic IP address server (in my case *.ma.cx) to figure out the IP of the IRC server. I fired up mIRC, and joined the channel my bot was joining, and sent the OP a message. We started talking for a bit. At first he thought I was some other black hat and he started bragging about having over 50,000 machines in his network. Wanted to know if I wanted to trade bots and the like. When he figured out what I was really doing, he banned me.

    I sent messages to the ISP of the IRC server (in this case IPowerWeb) and to the dynamic DNS server to the effect of "Hey, someone's using your service for hacking" with all my details and such. Nothing happened. Guess they just don't care.