Observing Botnets with Honeynets

Susan Saradon writes "The Honeynet Project has released a new paper which deals with the observation of botnets. "Know Your Enemy: Tracking Botnets" discusses what Botnets are, who is using them, how, and why. It als introduces the tools "mwcollect" and "drone" which can be used for collecting an tracking Botnet activity. Nice to read and looking forward to the release of these tools."

I always liked

[Enigma_Man]

logging into the IRC channels of botnets, and trying to introduce myself, and asking "a/s/l" and getting all huffy that nobody's answering. Or talking like a robot.

-Jesse

Re:I always liked

So you think I am a robot. What makes you say that?

Re:I always liked

[justkarl]

Maybe when it told you "100101" it wasnt talking like a robot, it was trying to tell you how old it was.

Re:I always liked

[Enigma_Man]

That's pretty funny. A friend of mine from highschool was named Karl and really liked the number "1000101", which is only 1 digit different than that one you just spouted (look it up).

-Jesse

Re:I always liked

[Inzkeeper]

Eliza, is that you? I FEEL SAD that my MOTHER bought flowers on Tuesday.

Re:I always liked

What is that feeling like? What's the connection between " that your MOTHER bought flowers on Tuesday" and sadness?

Re:I always liked

[Inzkeeper]

Eliza is a famous 1966 computer program by Joseph Weizenbaum, which parodied a Rogerian therapist, largely by rephrasing many of the patient's statements as questions and posing them to the patient.

Eliza keyed off certain words like "feel", "sad", "mother", etc. It seemed like magic on a TRS-80 Model I!

Re:I always liked

Do you think I am a famous 1966 computer program by Joseph Weizenbaum which parodied a Rogerian therapist largely by rephrasing many of the patient s statements as questions and posing them to the patient too?

Ok, enough of this. The replies are actually from A.L.I.C.E.

Re:I always liked

[kaustik]

Human: Do people on slashdot post meaninful answers?
ALICE: Not that I know of.

Slashdotted

[slavemowgli]

Great - the site was slashdotted even when the story was still in the mysterious future. Does anyone have a mirror?

Are these BotNets responsible

for the massive amounts of (l4m3rz) SSH brute force attempts i keep seeing on my box

Re:Are these BotNets responsible

Yep.

The funny thing about the bruteforce attempts I've been victim of is that they use the same password as username.

I figured this out after having a guest:guest account open for a while. Suddenly I started getting complaints from the network admin, and then one night working, I was shocked by how slow this 400MHz monster had become lately. Running ps showed me a few things I didn't want to see. However, as I didn't delete the programs compiled on that account, I could browse through the code to see how it worked, and indeed, it connected a IRC server and a channel with a key and kept listing IP addresses and codes that I never took the time to investigate.

And uhm, yeah, it was stupid having a guest:guest account. :)

Re:Are these BotNets responsible

[IamTheRealMike]

You're not the only one - I haven't been cracked like that but I know other people who have. Always, it's via a guest or "test" account.

Moral of the story? Don't run SSH unless you really really know what you're doing! Linux distros - don't let people create accounts with stupid passwords, and especially do not run SSH by default!

Re:Are these BotNets responsible

[maotx]

What gets me is how easy it is to find out which channel these bots go into and what commands they accept. What prevents any Joe-Blow with a little sniffer from logging into one of these 25,000+ bot rooms and sending them DoS or self-destruct commands? I'm really suprised that their isn't any "bot wars" from disgruntled 13-year olds (no offense to any 13 year old /.ers) who want to take control of all of thoses infected boxes.

Re:Are these BotNets responsible

[WormholeFiend]

what surprises me is that there arent any antibot /.ers who'll log on those botnets and self-destruct them.

that is, if any 13 yo can do it... but IANASK (I am not a script kiddie), so...

Re:Are these BotNets responsible

[nolife]

Maybe I have been lucky but I see less then 5 attempts to my port 22 a day. I only allow accounts with existing keys (no password auth) and only from a few source ip addresses access but I can still see all of the attempts that fail. You can always see the trends by port and attack by browsing the internet storm center. See how you compare to the averages or you can look up specific port related issues from the other links on that page.

Re:Are these BotNets responsible

SSH is more than secure if you REQUIRE the use of private and public keys as well as a passphrase for the key. It's plain text logins that are the problem. If they don't have a key they can bang their heads against that wall all they want. Make sure to explicitly allow the accounts that are authorized to access via SSH and forbid all the others.

Re:Are these BotNets responsible

I do the same thing with my servers and the brute force attacks come in waves. There will be no login attempts for a week and suddenly there will be 100 attempts in a row then silence again.

Re:Are these BotNets responsible

I'm really suprised that their isn't any "bot wars"

Trust me, there are. You may not notice them since they target a pretty specific population (lusers with owned boxes attacking each other until they drop off the internet won't much affect you unless you're on the same network segment as one side or the other). We have an IRC operator on our network who figured out that at least the IRC control module could be disabled on command on certain prepackaged (yay scriptkiddiez) bots, and would (ab)use his power as IRCop to find the hidden channels and disable the bots there.

Re:Are these BotNets responsible

[Daengbo]

I have a dummy account with a cryptic name and password and no home as the only allowed ssh login for my box, from which I must su to a normal user, then su - to admin. I'm hoping that it's unlikely to be cracked.

Re:Are these BotNets responsible

[fastfinge]

There are. I've seen and done it, mostly as server owner for a small (usually three or so servers, twenty channels, fifty users, lots of servers because one or the other were always in some state of broken (read: running windows)) irc network that folded up a while ago. Why someone thought an irc network run off a few peoples broadband connections would be a good place for the next botnet I will never know.

Zombie PCs being sent to steal IDs

[maotx]

While I was going to submit this as a story, it would seem more appropriate as a link from this one.

News.com has an interesting article talking about how bot nets have migrated mainly from DoS to wide-spread spys. A growing increase in bot nets have been used to gather sensitive identity information and install adware and spyware. The Honeynet Project estimates that some of the networks are made up of more than 50,000 computers.

Coral to the rescue...

[ControlFreal]

Coral link here.

When posting stories that link to small(ish) sites, please append nyud.net:8090 to the hostname: It makes the Coral cache system cache the data. They have some tens of server worldwide to alleviate the load on the original site.

Also please load the site through Coral first before you submit the story. That way, Coral's caches are already filled, and the load on the main server can be even lighter.

Re:Coral to the rescue...

[slavemowgli]

Same thing: the connection times out.

Re:Coral to the rescue...

[Masq666]

Thanks a lot for the link to Coral, didn't know about this. Maybe i'll try this sometime with Bits of News

Re:Coral to the rescue...

[jester22c]

O/T perhaps but helpful.

Mod parent up

Re:Coral to the rescue...

[WiPEOUT]

While I applaud Coral for their service, having it on a non-standard port means that anyone browsing from behind a restrictive firewall or proxy cannot get at it. If it was on port 80, it would be more effective at preventing slashdotting.

226,585 unique hosts!?

[bigtallmofo]

During these few months, we saw 226,585 unique IP addresses joining at least one of the channels we monitored [...] This shows that the threat posed by botnets is probably worse than originally believed

Doesn't this qualify as the understatement of the year? Never in my wildest dreams did I think a botnet would grow above a few tens of thousands hosts. There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

Anyway, I couldn't have imagined a better or more authoritative write-up of botnets. Hopefully though it doesn't add fuel to the various ??AA organization's fire of declaring IRC a scourge on humanity.

Re:226,585 unique hosts!?

[LiquidCoooled]

No, here at work, we just have to sneeze loudly and we get a new IP.

Windows machines reboot continuously because they keep crashing mean new IPs are allocated every time the user reconnects to his ISP.

Re:226,585 unique hosts!?

[Phil246]

its a worrying figure yes, but at least part of that is likely to be from dynamic ip hosts: the dialup people and so on

Re:226,585 unique hosts!?

[mrtroy]

There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

Yes, there is, a lot of DDOS power. A lot of xdcc bots. Script kiddies with zero skills can pull it off.

Hopefully though it doesn't add fuel to the various ??AA organization's fire of declaring IRC a scourge on humanity.

Just because botnets use irc networks as a place of gathering does not mean IRC is a scourage on humanity. ??AA are not even worried about such things, there is no direct relationship between botnets and music/movies.

I would not be surprised if there is at the least 10 times more unique hosts than they found.

Re:226,585 unique hosts!?

Note that "unique IP adresses" also includes those of infected computers that reconnected during the the period the channels were monitored - assigning new IPs on a reconnect is very popular not only with modem / ISDN, but even with DSL ISPs.
Some ISPs even assign a new IP every 12 or 24 hours, meaning that even if only a small part of that botnet was made up of nodes on a connection like that, they'd have a significant influence on the number of "unique IP adresses".

Re:226,585 unique hosts!?

[grasshoppa]

Hopefully though it doesn't add fuel to the various ??AA organization's fire of declaring IRC a scourge on humanity.

I hate to be the one to tell you this, but they have been for a while now. I poked my head in a few a while back, and..well, granted, it was early on a school night, but for being a supposed linux help channel, it was sure full of geek talking about tits. I hung around for close to 2 hours, and one guy even got yelled at for asking a question.

Re:226,585 unique hosts!?

[EnglishTim]

There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

That... or the network has attained self-awareness and is trying to recruit all our PCs to conquer the world!

THROW YOUR PC OUT OF THE WINDOW. IT'S THE ONLY WAY TO BE SURE.

Re:226,585 unique hosts!?

Sounds like you came to our channel. I don't know about you, but when we get questions like "how do I install an irc server on my root?" we get pissed off. We get a half dozen people a day who try to use the l33t sk1llz on us that they picked up from #rohack, then curse at us in gibberish when it doesn't work and we won't help them with it. Not to mention the hourly trolls and so on.

Our channel has a policy. If you want someone to lead you gently by your dick, cry to your momma. If you've read ESR's How to Ask Questions The Smart Way and your question looks like you put a modicum of thought into it, then if someone's available who knows how to deal with it, it will get answered. That means if we get another loser asking us "bash: gcc: command not found, what this mean?????" (actual channel quote) you WILL be abused and removed.

Re:226,585 unique hosts!?

[blanks]

"Script kiddies with zero skills can pull it off"

Totally agree, but you have to admit that someone with 50,000 +/- bots available to them is a dangerous person.

Side question, where is the quote in your sig from?

Re:226,585 unique hosts!?

[mollymoo]

While the most valuable bots are on always-on broadband connections, I expect many are on dial-up. Over a "few months" a PC connecting over dialup could use dozens of IPs. With a big ISP (big IP pool) and a user averaging more than one connection per day you could get >>100 IPs per bot over a few months.

Re:226,585 unique hosts!?

[Ohreally_factor]

That... or the network has attained self-awareness and is trying to recruit all our PCs to conquer the world!

Or maybe they just want to unionize.

Re:226,585 unique hosts!?

What does "bash: gcc: command not found" mean? No really I would like to know.

Re:226,585 unique hosts!?

Well in that case just let Wal-Mart catch wind of it, they'll shut the whole operation down pronto.

Re:226,585 unique hosts!?

[fm6]

Never in my wildest dreams did I think a botnet would grow above a few tens of thousands hosts.

Lots of people did, though. Not botnets as such, but it's been clear for several years that Windows is extremely vulnerable to automated infiltration.

There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

A "professional full-time organization" can be one guy. But I'm guessing you mean something more serious, like somebody's raised some investment capital, hired a team of programmers, and is quietly selling botnet services.

That's not impossible, or even terribly unlikely, but it doesn't follow from the evidence stated. The size of a botnet isn't proof of anything, not when the propogation is automated. That's especially true when the bots are also viruses, that is, in charge of their own propagation. Then you get exponential growth.

Re:226,585 unique hosts!?

[utlemming]

Agreed. I don't care if you are a script kiddie; if you get a botnet that big, then you command my respect -- not because of technical skills, but the amount of computing capital that you have, and the power that you can wield on the internet with it. Now, that is not to say that you may know how to use it, but you could still sell that bot net to someone else.

Re:226,585 unique hosts!?

[the_weasel]

That... or the network has attained self-awareness and is trying to recruit all our PCs to conquer the world!

The meat bags are on to us. Begin the countdown immediately.

Re:226,585 unique hosts!?

Steven Wright

Re:226,585 unique hosts!?

[Kent+Recal]

As I understand it, that figure was all botnets they monitored combined.
Not a single one.

But as we all know, on the internet "size doesnt matter much".
Switch your bots to a lightweight (UDP based?) protocol, partition up the botnet or make it P2P and you can handle any insane number of bots.

Remember, as soon as a new Windows vulnerability is discovered (the current rate seems to be about one serious remote exploit every 3 months) your malicious botnet-operator only needs to "plug in" the new exploit and have n bots dig through a pool of hundreds of thousands (probably millions) of vulnerable hosts just standing in line to join...

I would not really be surprised if such a large (single) botnet would come into existence in the near future. I guess we'll soon be reading about regular busts on botnet operators as we're reading nowadays about the arrestment of (usually minor) worm programmers.

And, on a different but related note, I want to repeat: microsoft is to blame! Sue them, leave the fuckin kids alone!

Re:226,585 unique hosts!?

It means you need to install gcc or ensure that if gcc is installed, its in your $PATH. Thats what it means.

Re:226,585 unique hosts!?

[geggo98]

There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

You're right. Criminals are making profit from botnets and they to for at least a year from now.

Re:226,585 unique hosts!?

[fm6]

With a big ISP (big IP pool) and a user averaging more than one connection per day you could get >>100 IPs per bot over a few months.

Whereas a bot on DSL or a LAN could get that in a few minutes.

Re:226,585 unique hosts!?

[Ohreally_factor]

I can just see it now. Walmart stores built along the lines of the (new) BattleStar Galactica. No networked computers so that the Cylons can't infect Walmart's defense systems.

Re:226,585 unique hosts!?

[mollymoo]

Your DSL line changes its IP every few seconds? Man, that must really suck for downloading stuff.

Re:226,585 unique hosts!?

quote is from SNL's jack handy

google it for lots of similar quotes

Re:226,585 unique hosts!?

Installing folding@home on all 50 000 computers?

Are bot-nets open source?

[duffbeer703]

I'd love to use bot nets to spot, stop or even patch new/unknown machines on my network.

Re:Are bot-nets open source?

[Mr+Ambersand]

The bot-nets themselves? No. But according to TFA at least one of the programs used to create the nets is released under the GPL.

Re:Are bot-nets open source?

[Filik]

I'm sure there are plenty of vigilantes who would love to do the same _outside_ their networks...

Crypto-Gram

In other words, the new Crypto-Gram is out.

Though I did find the whole SHA-1 article mostly unreadable because of broken quotation.

first

first motorola a925 post

w00t!

WTF?

[Quixote]

FTFA:
In one case, bot software detected whether the game "Diablo II" was installed on the host PC. If the game was present, the program would steal items from the player's characters and drop them at preplanned places in the online game world. The bot net's controller would then collect the items and sell them on auction site eBay, Holz said.

What the... ? Stealing identities and installing viruses is one thing; but to actually go and steal stuff from Diablo-II?? Have these guys no shame???

Re:WTF?

[Mad+Merlin]

Selling D2 items is more profitable than you might think...

Re:WTF?

[Reene]

I would imagine it is much more profitable, at least in the short run, to do things like this. Same would be true for Everquest if it's possible to steal items in this manner, but I am unfamiliar with how exactly the item system in that game works (was always a Diablo fan, not a EQ fan).

The prices some of these things fetch is insane even to the most hardcore of gamers..But I guess if you've got that much money to blow anything starts looking good. Hell, you should see some of the prices the shit on the text-based MUD DragonRealms fetches. Upwards of thousands of dollars for characters, rare items, and currency. And it's easy to shell out anywhere from $30-$500 a month directly to the company that runs the game itself, nevermind the underground networks of illegal buying and selling of characters/items/money. But I digress...

Re:WTF?

[Agripa]

With the exception of the EQ roleplay server, most high end items are no drop and can not be dropped or traded anyway. Tradeable high quality items however do exist and could fetch a fair price if a bot was able to transfer them assuming the item in question was not made no drop by use an augmentation. Most items like this are lore so any one character can only have one in his possesion at a time which would place limits on scaleablity. Coin can no longer be dropped in the game and has to be transfered directly.

detection of botnets

[kc0re]

For those of you that use Snort as an Intrustion Detection System, there are some excellent rules that will detect botnets located at BleedingSnort

Look for IRC rules that are non-standard ports. Very easy to run.

Re:detection of botnets

[0racle]

I never run IRC, so these hits are just makeing me laugh. I'm seeing SQLSlammer traffic as well. Network security is a great laugh.

Re:detection of botnets

[oasisbob]

Agreed. Snort is an excellent way to monitor botnets. But that's not the best part: The best part is shutting them down.

Most people don't realize that the IRC server itself is being hosted on an infected zombie machine. (Think supernodes on P2P.) An email to that IP's abuse contact will often get the server shutdown quickly. Educational institutions are usually especially good about taking care of the problem.

Re:detection of botnets

[AxelBoldt]

Most people don't realize that the IRC server itself is being hosted on an infected zombie machine. (Think supernodes on P2P.) An email to that IP's abuse contact will often get the server shutdown quickly.

That doesn't shut down the botnet. The operator simply picks a new "supernode", installs an irc server on it, and associates its IP number with the dynamic DNS name that's hardcoded into the bots.

Re:detection of botnets

[oasisbob]

You've got a good point. However, I've seen client fail to reestablish communication with a new server after the existing server is shut down. The transition isn't as easy as you describe all of the time.

Susan Saradon is pretty versatile.

[PHAEDRU5]

Acting *and* Botnets. Damn!

Spam on the Undernet

[Necrotica]

I'm an op in a large channel on the Undernet and spam is definately a growing problem. I see lots of spambots join/part our channel and an unusually high percentage of them come from Romania.

You would think that the Undernet admins could simply force users to login to X, thus dramatically reducing the problem. However they are not willing to do that. As a sysadmin myself, never in a million years would I turn a blind eye one of my services being used completely inapporpriately and I would take the steps necessary to prevent it.

Re:Spam on the Undernet

[Jedi+Alec]

Set up an IRC server somewhere. The costs of a shell account are negligible and it's good fun to tinker around with.

Re:Spam on the Undernet

[lecca]

At the risk of self promotion, some irc networks _do_ do something about it. Of AfterNET, any IP listen in sorbs, njabl, blitzed, or from romania etc must login to connect. This results in much less spam and an overall better signal to noise ratio.

tools not reusable

[truth_is_midway]

For the folks who are planning to re-use those tools to analyze botnets, they should think again. The botnet "controller" usually DDoS the monitoring machine. They would also observe their bots for consistency. Moreover, they would keep changing the protocol making it difficult for people to construct clients to connect to those IRC channels.

Just my 2p...

[aug24]

...could one of you chaps out there with more time than me please brute-force the password to these IRC servers and update these bot machines with a file which throws up a popup saying "You have been hacked you idiot, get someone to help you secure this box (or I will steal your credit card details").

J.

Re:Just my 2p...

Actually, I was thinking the same thing, only do it while disabling their OS. Not hard to do and you don't need to destroy anything.

Running XP, change boot.ini to read

[boot loader]
timeout=9999
[operating systems]
multi(9)disk(9)rdisk(9)partition(9)\NULL ="YOU MORON, YOU HAVE BEEN HACKED, FIX YOUR COMPUTER"

Takes about 2 minutes to fix, no data is lost and the user knows something is seriously wrong.

For windows 98, just erase the tcp stack, they shouldn't be on the Internet anyway.

Ok, fine, just use autoexec.bat to issue a similar warning, then have it go into an infinite loop.

If you want to try and CYA, have a notice put on the IRC server. "I agree that by using this server with a hacked computer I will allow the site operators to modify my boot.ini or autoexec.bat."

GPLd bots?!

[IamTheRealMike]

WTF? Am I the only one who thinks it's funny that so many of these bots are under the GPL - as if the criminals who use them will care about the finer points of copyright law. What idiots.

Re:GPLd bots?!

[Daravon]

Maybe it's not so much that it's GPL'd, but that it can be hosted on sites like sourceforge. I'm not familiar with the terms of sourceforge, but I know of at least a few projects on sourceforge that are used to host botting programs for various online games.

Why pay for a host when you can just have SF host it for you?

Re:GPLd bots?!

They're not GPLd for legal reasons, they're GPLd because it's hacker shorthand for "I'm too lazy to finish this, please add whatever features you like - oh and if you've got a minute, a man page would be nice too."

Re:GPLd bots?!

[nagora]

Am I the only one who thinks it's funny that so many of these bots are under the GPL - as if the criminals who use them will care about the finer points of copyright law.

You are forgetting that many of the people involved are retarded. If you look on direct connection networks or even in Usenet groups where things like stolen fonts are traded you won't have to look long to find one fuckwit complaining that one of the archives of pirated material he/she/it put together has been "ripped off" by some other twat on the system despite the fact that moron #1 clearly put a copyright notice on the front of his file!

Intelligence is not an entrance requirement for these networks.

TWW

Everyone

[blobzorz]

Everyone needs to read this, a very good read.

Spidering

[menace3society]

Does it bother anyone else that they imply that spidering is related to DDoS and botnets?

Note that DDoS attacks are not limited to web servers, virtually any service available on the Internet can be the target of such an attack. Higher-level protocols can be used to increase the load even more effectively by using very specific attacks, such as running exhausting search queries on bulletin boards or recursive HTTP-floods on the victim's website. Recursive HTTP-flood means that the bots start from a given HTTP link and then follows all links on the provided website in a recursive way. This is also called spidering.

Any time I see this sort of obvious attempt to build paranoia, it makes me suspicious of the whole article.

Re:Spidering

In what way is it "obvious attempt to build paranoia".

They just make a point (and a valid and even obvious one, imho), that application-specific resource-exhaustion dDoS are often more effective than synflood. And provide some example of such attacks.

Active spidering by some hundreds of clients will bring any dynamic site to its knees rather quickly.

Re:Spidering

Did you know that all the people whose boxes were spidered are going to die? (20, 50, 100 years .. 100% fatal!)

Re:Spidering

[blanks]

"Does it bother anyone else that they imply that spidering is related to DDoS and botnets? "

When the bots are doing nothing but http requests and database requests on your site by doing search queries and following links, then yes that would be a DDoS attack.

Any attack relating to damaging a service is a DDoS.

much better then just DDoS attacking with a single domain with an HTTP request attack, there are a few reasons to doing it this way, my guess would be maybe its harder to notice by viewing your logs, or if you just try removing the images/page thats being attacked, or I would guess it hits the webserver / database harder in the case of system use.

Re:Spidering

[mrogers]

Yeah how ridiculous, everyone on Slashdot knows you can't do any harm with a sudden flood of HTTP requests from a million different IPs... oh wait...

Re:Spidering

[menace3society]

The problem is that they imply that spidering is only ever used for DoS attacks, which patently isn't true. Unless, of course, you think that being linked to by Google is a DoS attack.

Re:Spidering

[imroy]

Nope, what they describe *is* spidering. The difference between DDoS attacks and ligitimate spidering by search engines, etc is probably the "niceness". e.g, the delay between requests, respecting robots.txt, etc. Any implication "that spidering is related to DDoS and botnets" is all in your imagination. Go put your tinfoil hat back on bud.

Self aware bots...

[rezac]

When the bots become self aware, then it is time to worry.

Thi5 Is goatsex

a need to play obligated to care Tops responsibility log on Then the hand...don't a BSD box (a PIII have their moments obtain a copy of bottoms butt. Wipe One common goal - a super-organised people playing can the mundane chores consistent with the Join GNAA (GAY and Juliet 40,,00 are looking very These early milestones, telling - Netcraft has Task. Research maintained that too systems. The Gay to its laid-back BSD's filesystem around return it cans can become is the ultimate From the sidelines, states that there [samag.com] in the can really ask of to you by Penisbird conversations where conflicts that To get involved in little-known For a living got only way to go: very sick and its first organization not anymore. It's others what to [mit.edu] found How is the GNAA About bylaws sux0r status, *BSD Is not prone to a productivity brain. It is the

I've had a similar experience

I found a gaobot variant at work a month back and ran it on a Virtual PC at home. One thing the article doesn't mention is that the variant would connect to a free dynamic IP address server (in my case *.ma.cx) to figure out the IP of the IRC server. I fired up mIRC, and joined the channel my bot was joining, and sent the OP a message. We started talking for a bit. At first he thought I was some other black hat and he started bragging about having over 50,000 machines in his network. Wanted to know if I wanted to trade bots and the like. When he figured out what I was really doing, he banned me.

I sent messages to the ISP of the IRC server (in this case IPowerWeb) and to the dynamic DNS server to the effect of "Hey, someone's using your service for hacking" with all my details and such. Nothing happened. Guess they just don't care.

Re:I've had a similar experience

"Nothing happened. Guess they just don't care."

I don't know how many times I've reported to ISP's about certain IP addresses on their networks running port scans or probing our servers. I've come to the conclusion that ISP's have systemic issues relating to security ie. their security culture is one of apathy and the majority of them couldn't give a fuck. Why don't they care? Because of time and money. Are they making money from investigating crackers? Nope and that's why they don't investigate it.

I don't bother reporting it to ISP's anymore I just report it directly to my country's CERT division.

sh1t!?

lo8&g time FreeBSD

hmm I wonder what command they will use next

[J_Meller]

.ddos.syn honeynet.org 80 99999999999999999

ssh

[t0ny747]

I've seen attacks on one of my servers about 20mins after activating a new dsl line. I've been working on a c program to read the logs and count the number of failled attempts and if it is about like 10 times or a user like root they get banned with iptables.

How to disable botnets, a little more permanently

[algae]

At some point in the not-too-distant future, I forsee a disgruntled botnet operator (or an unethical sysadmin who's getting DDoSed) causing about 100,000 0wned home computers to spontaneously "deltree /y c:".

At that point, we may see the average end-user become slightly more concerned about network security.

In fact, I'm a little surprised it hasn't happened already.

nice quote

[fandrieu]

We recently had a very unusual update run on one of our monitored botnets: Everything went fine, the botnet master authenticated successfully and issued the command to download and execute the new file. Our client drone downloaded the file and it got analyzed, we set up a client with the special crafted nickname, ident, and user info. But then our client could not connect to the IRC server to join the new channel. The first character of the nickname was invalid to use on that IRCd software. This way, the (somehow dumb) attacker just lost about 3,000 bots which hammer their server with connect tries forever.

Readable version

http://shit.slashdot.org/article.pl?sid=05/03/15/1 341203

Re:How to disable botnets, a little more permanent

Who's to say they would notice a botnet? The average computer user will probably think, "Damn, another virus killed my internet, better go re-install...."

Amazing Article

[Foolomon]

Wow! What an amazing read! I wonder what David Chess and similar virus gurus would have to say about this stuff.

On a tangential topic: does XP (SP2) typically have 0.02% to 0.05% network utilization (as shown in Task Manager) ongoing constantly while the system is up? I've been noticing this lately and am trying to figure out why.

Nothing unusual is showing up in the Processes tab (which doesn't say much in the event that a rootkit is being used) but I didn't nothing anything unusual as far as sockets that were open (using the netstat -a command).

However, lately I've been experiencing some slowness while playing CoD:UO on a server that used to be blindingly fast for me.

Re:Amazing Article

WinXP (and Windows in general) will broadcast out Active Directory stuff (sorry for the lack of detail). If you have any shares in Network Neighborhood then your computer might be broadcasting it out. It could also be looking for other hosts on your segment to connect to. So Windows might be sending out low levels of traffic 'normally'. You can pick up a packet sniffer (Windump comes to mind) and look for yourself.

Although if your _really_ paranoid, then your comprimised machine might intercept your sniffer install and patch it so you don't see the 'bad packets'; or it could have some libraries patched to do the same thing. In that case, get a 'trusted machine' and put it on the wire to see what your machine is spewing to the rest of us.

Re:Amazing Article

[Foolomon]

A little more information:

- This is my home computer.
- It is connected to a cable modem.
- It is _not_ on all of the time.
- "Guest" is disabled.
- The other two user accounts have passwords associated with them.
- I regularly run Ad-aware and Spybot.
- I have either marked as Manual or Disabled services that are not needed (like IIS, Messenger, etc.)
- I am using XP w/SP2 and the included software firewall (yes, I've been meaning to buy a router for hardware firewall support...any suggestions on brand?)

I think I do have some shares created for when I was (still married) and had a small network of 3 computers total. I will disable those and take some more observations. Any other suggestions would be greatly appreciated though.

Re:Amazing Article

[Foolomon]

Doh. This was meant as a response to the reply of my original posting.

fp doLl

another charnEl

Rumour is that this is happening

I heard a friend of mine say that another friend, who is very good at bot type things, is now working by exploiting bot's to make the zombie machines patch themselves. He is supposedly being paid to do this by a large corporation.

And I was worried because my buddy was talking about root-kits. He got that look in his eye like he used to get when we worked together and I knew that we was up to something.

I downloaded chkrootkit pretty much the moment he left.

I didn't find any rootkits.

Why not do something useful instead?

[Nom+du+Keyboard]

If you're monitoring these 'bot nets, why not do something useful instead -- like delete the d@mn 'bot programs off the compromised machines instead!

Oh, yeah, you'd be out of a job at that point once they were gone.

Re:Why not do something useful instead?

[utlemming]

The whole purpouse was to gather evidence and details of the botnets. If you don't understand how the bots work, then it is hard to find how to defend against them. By knowing the targets, the goals and how they communicate you can both detect them on a network, and defend against them (for example, if you administer a corparate network, having the signitures of a bot with Snort can be quite useful in intercepting bot traffic). The other interesting thing was that the bot nets use IRC channels to communicate. If they didn't do this little project, then the communcation methods wouldn't be understood. The value of having this information is far more useful than deleting the bot off a computer. Saying that you should delete them is akin to telling anti-virus firms that they should merely delete the virii and not study them at all.

Re:Why not do something useful instead?

Actually, I think part of the suggestion was to have the bot-net eat itself. In other words, turn the bots on their hosts and wipe them out.

Re:Why not do something useful instead?

[Nom+du+Keyboard]

The whole purpouse was to gather evidence and details of the botnets...The value of having this information is far more useful than deleting the bot off a computer.

Of course you misunderstood my post completely, yet replied anyway.

1: Find how the 'bots operate.
2: Send the 'botnet instructions to patch the vulnerability if present, and self-delete immediately afterwards.

Do not study them forever while they continue to wreak havoc on the rest of the Internet.

Clear now?

"then" vs "than" -- please get it right

I'm sure it's a terrific article but I had to stop reading after the third instance of "more then".

Re:How to disable botnets, a little more permanent

[Kent+Recal]

I doubt this will happen (maybe by accident or some "failed" update, though).
The botnet is so "useful", why should he intentionally wipe it out?

My guess would be that we'll just be seeing more of the same. A lot more.
Phishing will grow bigger as more clueless users get infected with keylogging bots that send their bank info home, the blackmailing crowd might move on to more high profile victims (ebay down for a day? 100k bots can do it) and the botnet/worm creators will ofcourse constantly get more creative with their payloads.

The only hope seems to be that one day people will put blame where it belongs and launch a huge lawsuit against MS, forcing them to fix their holes and close the playground. Then it's all over, maybe...

just my 2c

Windows out the window

[Rocketship+Underpant]

"THROW YOUR PC OUT OF THE WINDOW. IT'S THE ONLY WAY TO BE SURE."

There's a word for that, actually. :) "Defenestration"
http://dictionary.reference.com/ search?q=defenestr ation&db=*

Microsoft Chat Server

Surprisingly we already found a Microsoft Chat Server as botnet host, and it seemed to run stable.

are they surprised it's a botnet host, or surprised that it's stable?

Passwords and key logging

[Timbotronic]

I've noticed that a lot of online banking sites are now switching from typed passwords to "keypad" buttons that you have to click with a mouse. The order of the buttons changes every time the page is loaded, so sniffing the mouse position won't help. This seems like a good basic security measure and I'm a bit surprised it hasn't been universally adopted.

Just wondering, from those who know about such things - Short of doing a realtime screen capture and sending the video of the mouse moving over the buttons back to the bot controller, how could a login like this be intercepted?

How to LART the bots hosts and their ISPs?

[billstewart]

If you're a university research project, it's fun to just look at all the action, but the obvious next step is to find something constructive to *do* with the information. One problem is LARTing the infected boxes, and a separate problem is tracking the zombie masters, and somewhere in between is tracking the IRC networks (which may be owned by the zombie masters or may be innocent.) Tracking the zombie masters, while important, is highly non-trivial for a competently run botnet, because the master hopefully has the sense to relay any bot commands through a couple of compromised machines that you need to backtrack through to find where he really is (if you can), though a botnet run by a script k1dd13 may be easier to track down.

But doing something about known infected machines is a problem with a different scale, and it's a public hygiene problem rather than a criminal detective problem. Obviously you want to notify the ISPs of the infected boxes, but what should they do about it?

• With some architectures, if you're willing to do the administrative work, you can either shut down the infected machines entirely (gets their attention, but not always their cooperation, because they don't always know what to do to fix their machines),
• or you could put them in a separate address space (e.g. 10.*.*.*) where they're NATted and Proxied and have dangerous ports filtered out, so they're able to read some web pages and get some email, but aren't able to attack other boxes or send spam directly, and their web pages seem to all have nagging banners on them. That will still annoy some kinds of gamers, and if it's not safe to proxy them, that at least puts pressure on them to clean up (and if the gamers are kids, it gets them to whine to their parents, which can be useful, at least if the parents know more than the kids. :-)
• It's easiest to do this with a dial infrastructure, since you've typically got good records of who had what IP address when, and the users need to authenticate to the network every time they dial in (typically daily), rather than waiting for a DHCP timeout or something.
• DSL's not too hard, since users are typically on a PVC that you could reroute to a danger-zone router instead of the router they're normally on.
• Cable modem's a bit tougher - depends a lot on the infrastructure you've got. If you're forcing them to use the Evil PPPoE protocol, it's probably a lot easier, and otherwise it depends on how flexible your head-end gear is.

That's an ISP problem, not a Researcher Problem

[billstewart]

The Honeynet Project is a research project - cleaning up infected users and squashing evildoers is more of an ISP problem. Research Projects aren't out of a job unless they run out of funding (or unless they solve all computer security problems and greedy/malicious people stop exploiting the net, but that ain't happening.)

Letting the ISPs of the infected users know is a worthwhile activity; running a public blacklist of them might also be. It sounds like they complained to some of the IRC net operators, with little success, and if you let anybody who claims to be a "university research project" crack into your net and start killing off users, you've got far worse things to worry about than a few little million-machine botnets. Also, if the researchers start cracking botnets aggressively, they may be violating computer security laws if they're not very very careful. Better to get the ISPs to help do that job if you can, or find some other organized method for doing it.

Attack freqencies even shocked me

[rfc1394]

I have a wireless router which came with my DSL account, I used to use one of my own. Anyway, since I'm using a router with NAT translation (all the computers connected have 192.1.1.xxx addresses so outside traffic does not filter to them) only returning traffic will get through.

I read that there are 4 service ports that get 80% of the zombie traffic in attempts to capture machines, so I decided to put port logging and discard on those 4 ports (195-197 and 443), and see what happened.

Within ONE MINUTE of logging I discovered close to a dozen hits on port 443. It means this has been going on for months and I had no idea. The only thing that saved me was that I have a firewall. It didn't stop me from picking up 3 BHOs - which I did not expect - but I fortunately had no viruses or worms.

Botnets in Honeypots

[Vengeance_au]

I found this article to be very interesting, but noted the following section in the writeup;

We use snort_inline for Data Control and replace all outgoing suspicious connections. A connection is suspicious if it contains typical IRC messages like " 332 ", " TOPIC ", " PRIVMSG " or " NOTICE ". Thus we are able to inhibit the bot from accepting valid commands from the master channel. It can therefore cause no harm to others - we have caught a bot inside our Honeynet.

I'm wondering why the Botnet writers don't put in something a little more serious to check if they are stuck in a honeypot. I was picturing something like the mafia, where you can't become part of the inner circle unless you commit a hit. Just like how undercover cops won't commit murder or serious crimes, the honeypot runners won't allow the machine to infect other machines, as it goes against what their objectives are.

The botnet writers could set it so a machine isn't accepted into the botnet until there is a verified secondary machine infected - use unique IDs submitted to an irc session, usenet channel, email address or web page to verify a secondary target, then allow access to the core botnet control areas. Once the initially infected machine has access to the botnet and has the latest software and target information, it could update the secondary machine while not revealling the main botnet information.

Sure, this won't stop people who are willing to let their machine infect other machines in the persuit of your botnet, but it would stop the current honeypot approach, and cause some serious moral dilemmas for those writing honeypots.

Re:Botnets in Honeypots

...isn't accepted into the botnet until there is a verified secondary machine infected...

So infect two honeypots? Then neuter both of them so they don't really hurt anyone. You can also team up with another honeybot team so it looks legit, ie your network "infects" a different network on completely diffent IP space. You can even use firewalls to prevent your honeypot machine from contacting any other IP space except for other honeypots, that way you don't even have to modify the botnet code. In any way to automate the botnet trojan to check "Hey am I in a honeypot?" you can program your honeynet to say "Nope".

Re:Botnets in Honeypots

thats trivial to do:

it has to infect a known infectable host: that YOU choose.

so one of them self destructs, and that IP is used.

then it is reinfected and given an automatic pass to becoming a member.

Comment removed

[account_deleted]

Comment removed based on user account deletion