Slashdot Mirror


Observing Botnets with Honeynets

Susan Saradon writes "The Honeynet Project has released a new paper which deals with the observation of botnets. "Know Your Enemy: Tracking Botnets" discusses what Botnets are, who is using them, how, and why. It also introduces the tools "mwcollect" and "drone" which can be used for collecting and tracking Botnet activity. Nice to read and looking forward to the release of these tools."

28 of 118 comments

  1. I always liked by Enigma_Man · · Score: 5, Funny

    logging into the IRC channels of botnets, and trying to introduce myself, and asking "a/s/l" and getting all huffy that nobody's answering. Or talking like a robot.

    -Jesse

    --
    Nothing says "unprofessional job" like wrinkles in your duct tape.
    1. Re:I always liked by Anonymous Coward · · Score: 3, Funny

      So you think I am a robot. What makes you say that?

    2. Re:I always liked by justkarl · · Score: 2, Funny

      Maybe when it told you "100101" it wasn't talking like a robot, it was trying to tell you how old it was.

    3. Re:I always liked by Enigma_Man · · Score: 2, Funny

      That's pretty funny. A friend of mine from high school was named Karl and really liked the number "1000101", which is only 1 digit different than that one you just spouted (look it up).

      -Jesse

      --
      Nothing says "unprofessional job" like wrinkles in your duct tape.
  2. Zombie PCs being sent to steal IDs by maotx · · Score: 4, Interesting

    While I was going to submit this as a story, it would seem more appropriate as a link from this one.

    News.com has an interesting article talking about how bot nets have migrated mainly from DoS to wide-spread spying. A growing number of bot nets have been used to gather sensitive identity information and install adware and spyware. The Honeynet Project estimates that some of the networks are made up of more than 50,000 computers.

    --
    I'm a virgo and on Slashdot. Coincidence? Yes.
  3. Coral to the rescue... by ControlFreal · · Score: 5, Informative

    Coral link here.

    When posting stories that link to small(ish) sites, please append nyud.net:8090 to the hostname: It makes the Coral cache system cache the data. They have some tens of servers worldwide to alleviate the load on the original site.

    Also please load the site through Coral first before you submit the story. That way, Coral's caches are already filled, and the load on the main server can be even lighter.

    --
    Support a Europe-related section on Slashdot!
  4. 226,585 unique hosts!? by bigtallmofo · · Score: 5, Insightful

    During these few months, we saw 226,585 unique IP addresses joining at least one of the channels we monitored [...] This shows that the threat posed by botnets is probably worse than originally believed

    Doesn't this qualify as the understatement of the year? Never in my wildest dreams did I think a botnet would grow above a few tens of thousands of hosts. There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

    Anyway, I couldn't have imagined a better or more authoritative write-up of botnets. Hopefully though it doesn't add fuel to the various ??AA organization's fire of declaring IRC a scourge on humanity.

    --
    I'm a big tall mofo.
    1. Re:226,585 unique hosts!? by LiquidCoooled · · Score: 4, Interesting

      No, here at work, we just have to sneeze loudly and we get a new IP.

      Windows machines rebooting continuously because they keep crashing means new IPs are allocated every time the user reconnects to his ISP.

      --
      liqbase :: faster than paper
    2. Re:226,585 unique hosts!? by mrtroy · · Score: 3, Insightful

      There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

      Yes, there is, a lot of DDOS power. A lot of xdcc bots. Script kiddies with zero skills can pull it off.

      Hopefully though it doesn't add fuel to the various ??AA organization's fire of declaring IRC a scourge on humanity.

      Just because botnets use irc networks as a place of gathering does not mean IRC is a scourge on humanity. ??AA are not even worried about such things, there is no direct relationship between botnets and music/movies.

      I would not be surprised if there is at the least 10 times more unique hosts than they found.

      --
      [I can picture a world without war, without hate. I can picture us attacking that world, because they'd never expect it]
    3. Re:226,585 unique hosts!? by EnglishTim · · Score: 5, Funny

      There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

      That... or the network has attained self-awareness and is trying to recruit all our PCs to conquer the world!

      THROW YOUR PC OUT OF THE WINDOW. IT'S THE ONLY WAY TO BE SURE.

    4. Re:226,585 unique hosts!? by fm6 · · Score: 2, Insightful

      Never in my wildest dreams did I think a botnet would grow above a few tens of thousands of hosts.

      Lots of people did, though. Not botnets as such, but it's been clear for several years that Windows is extremely vulnerable to automated infiltration.

      There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

      A "professional full-time organization" can be one guy. But I'm guessing you mean something more serious, like somebody's raised some investment capital, hired a team of programmers, and is quietly selling botnet services.

      That's not impossible, or even terribly unlikely, but it doesn't follow from the evidence stated. The size of a botnet isn't proof of anything, not when the propagation is automated. That's especially true when the bots are also viruses, that is, in charge of their own propagation. Then you get exponential growth.

    5. Re:226,585 unique hosts!? by Kent+Recal · · Score: 2, Insightful

      As I understand it, that figure was all botnets they monitored combined.
      Not a single one.

      But as we all know, on the internet "size doesn't matter much".
      Switch your bots to a lightweight (UDP based?) protocol, partition up the botnet or make it P2P and you can handle any insane number of bots.

      Remember, as soon as a new Windows vulnerability is discovered (the current rate seems to be about one serious remote exploit every 3 months) your malicious botnet-operator only needs to "plug in" the new exploit and have n bots dig through a pool of hundreds of thousands (probably millions) of vulnerable hosts just standing in line to join...

      I would not really be surprised if such a large (single) botnet would come into existence in the near future. I guess we'll soon be reading about regular busts on botnet operators as we're reading nowadays about the arrest of (usually minor) worm programmers.

      And, on a different but related note, I want to repeat: microsoft is to blame! Sue them, leave the fuckin kids alone!

  5. Re:Are these BotNets responsible by Anonymous Coward · · Score: 5, Interesting

    Yep.

    The funny thing about the bruteforce attempts I've been victim of is that they use the same password as username.

    I figured this out after having a guest:guest account open for a while. Suddenly I started getting complaints from the network admin, and then one night working, I was shocked by how slow this 400MHz monster had become lately. Running ps showed me a few things I didn't want to see. However, as I didn't delete the programs compiled on that account, I could browse through the code to see how it worked, and indeed, it connected to an IRC server and a channel with a key and kept listing IP addresses and codes that I never took the time to investigate.

    And uhm, yeah, it was stupid having a guest:guest account. :)

  6. Are bot-nets open source? by duffbeer703 · · Score: 2, Funny

    I'd love to use bot nets to spot, stop or even patch new/unknown machines on my network.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
    1. Re:Are bot-nets open source? by Mr+Ambersand · · Score: 2, Informative

      The bot-nets themselves? No. But according to TFA at least one of the programs used to create the nets is released under the GPL.

      --
      "Your admirers in the street
      Got to hoot and stamp their feet
      in the heat from your physique" -King Crimson
  7. WTF? by Quixote · · Score: 5, Funny
    FTFA:
    In one case, bot software detected whether the game "Diablo II" was installed on the host PC. If the game was present, the program would steal items from the player's characters and drop them at preplanned places in the online game world. The bot net's controller would then collect the items and sell them on auction site eBay, Holz said.

    What the... ? Stealing identities and installing viruses is one thing; but to actually go and steal stuff from Diablo-II?? Have these guys no shame???

    1. Re:WTF? by Reene · · Score: 5, Interesting

      I would imagine it is much more profitable, at least in the short run, to do things like this. Same would be true for Everquest if it's possible to steal items in this manner, but I am unfamiliar with how exactly the item system in that game works (was always a Diablo fan, not an EQ fan).

      The prices some of these things fetch are insane even to the most hardcore of gamers. But I guess if you've got that much money to blow anything starts looking good. Hell, you should see some of the prices the shit on the text-based MUD DragonRealms fetches. Upwards of thousands of dollars for characters, rare items, and currency. And it's easy to shell out anywhere from $30-$500 a month directly to the company that runs the game itself, nevermind the underground networks of illegal buying and selling of characters/items/money. But I digress...

      --
      "He does look a bit Oompa like, even if his Loompa is a bit off-kilter."
  8. detection of botnets by kc0re · · Score: 5, Informative

    For those of you that use Snort as an Intrusion Detection System, there are some excellent rules that will detect botnets located at BleedingSnort.

    Look for IRC rules that are non-standard ports. Very easy to run.
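The rules kc0re points at boil down to one idea: IRC protocol commands showing up on a port where IRC has no business being. The script below is an added illustration of that check written for this thread, not a BleedingSnort rule and not code from the Honeynet paper. It assumes a constructed one-packet-per-line log format ("src:sport -> dst:dport "payload""), documentation address ranges for the sample traffic, and the usual IRC port list (6660-6669, 6697, 7000); all three are assumptions for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Ports where IRC traffic is expected (plain 6660-6669, TLS 6697, and 7000).
# IRC commands seen towards any other port are what "IRC on non-standard
# port" style IDS rules flag. Assumed list for this example.
STANDARD_IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Commands a client sends right after connecting or while sitting in a channel.
# Anchored at the start of the payload, like a Snort content match at offset 0,
# and bounded by \b so "NICKNAME=..." in an HTTP body does not match.
IRC_COMMAND = re.compile(r'^(?P<cmd>NICK|USER|JOIN|PRIVMSG|PONG|MODE)\b')

# Constructed one-line-per-packet log format assumed for this example:
#   src:sport -> dst:dport "first bytes of payload"
LOG_LINE = re.compile(
    r'^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "(?P<payload>.*)"$'
)

# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
10.0.0.5:51234 -> 203.0.113.9:6667 "NICK user5"
10.0.0.5:51235 -> 203.0.113.9:6667 "USER user5 0 * :user5"
10.0.0.7:49321 -> 198.51.100.2:4141 "NICK bot7a1"
10.0.0.7:49322 -> 198.51.100.2:4141 "JOIN #c key"
10.0.0.8:50000 -> 192.0.2.10:80 "GET / HTTP/1.1"
10.0.0.9:50100 -> 198.51.100.2:4141 "PRIVMSG #c :hello"
10.0.0.12:50200 -> 192.0.2.10:80 "NICKNAME=foo"
"""


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dst_port: int
    command: str


def scan(log_text):
    """Return one Finding per packet carrying an IRC command to a non-standard port."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected format; a real parser would log this
        dport = int(m['dport'])
        c = IRC_COMMAND.match(m['payload'])
        if c and dport not in STANDARD_IRC_PORTS:
            findings.append(Finding(m['src'], m['dst'], dport, c['cmd']))
    return findings


def clients_per_server(findings):
    """Group flagged internal hosts by the (server, port) they talk to.

    Several internal hosts converging on one odd-port IRC server is the
    pattern worth escalating; a single host may just be a user on a private
    server running on an unusual port.
    """
    groups = defaultdict(set)
    for f in findings:
        groups[(f.dst, f.dst_port)].add(f.src)
    return {server: sorted(hosts) for server, hosts in groups.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f.src} -> {f.dst}:{f.dst_port} {f.command}")
    print(clients_per_server(found))
```

On the sample, the two connections to port 6667 pass, the HTTP lines pass (including the "NICKNAME=" one, which is why the pattern is anchored and word-bounded), and the three packets to 198.51.100.2:4141 are flagged and grouped, showing two internal hosts sharing one off-port server. Tuning the port set and command list to your own network is the same job as tuning the Snort rule thresholds.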

  9. Re:Are these BotNets responsible by maotx · · Score: 2, Insightful

    What gets me is how easy it is to find out which channel these bots go into and what commands they accept. What prevents any Joe-Blow with a little sniffer from logging into one of these 25,000+ bot rooms and sending them DoS or self-destruct commands? I'm really surprised that there aren't any "bot wars" from disgruntled 13-year olds (no offense to any 13 year old /.ers) who want to take control of all of those infected boxes.

    --
    I'm a virgo and on Slashdot. Coincidence? Yes.
  10. Spam on the Undernet by Necrotica · · Score: 3, Funny

    I'm an op in a large channel on the Undernet and spam is definitely a growing problem. I see lots of spambots join/part our channel and an unusually high percentage of them come from Romania.

    You would think that the Undernet admins could simply force users to login to X, thus dramatically reducing the problem. However they are not willing to do that. As a sysadmin myself, never in a million years would I turn a blind eye to one of my services being used completely inappropriately and I would take the steps necessary to prevent it.

  11. Just my 2p... by aug24 · · Score: 2, Funny
    ...could one of you chaps out there with more time than me please brute-force the password to these IRC servers and update these bot machines with a file which throws up a popup saying "You have been hacked you idiot, get someone to help you secure this box (or I will steal your credit card details").

    J.

    --
    You're only jealous cos the little penguins are talking to me.
  12. Re:Are these BotNets responsible by WormholeFiend · · Score: 2, Insightful

    what surprises me is that there aren't any antibot /.ers who'll log on those botnets and self-destruct them.

    that is, if any 13 yo can do it... but IANASK (I am not a script kiddie), so...

  13. Re:Are these BotNets responsible by nolife · · Score: 3, Interesting

    Maybe I have been lucky but I see fewer than 5 attempts on my port 22 a day. I only allow accounts with existing keys (no password auth), and only from a few source IP addresses, but I can still see all of the attempts that fail. You can always see the trends by port and attack by browsing the Internet Storm Center. See how you compare to the averages, or you can look up specific port-related issues from the other links on that page.

    --
    Bad boys rape our young girls but Violet gives willingly.
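nolife's "fewer than 5 attempts a day" is the kind of number you only get by actually counting, and sshd makes that slightly awkward because a key-only server never logs "Failed password" for most probes. The script below is an added example for this thread, not something from the commenter or the Honeynet paper. It assumes the syslog message formats OpenSSH's sshd writes for a rejected connection ("Invalid user", "Failed password for", and the "Connection closed by authenticating user ... [preauth]" line you see when only public keys are accepted) and a small constructed auth.log sample using documentation address ranges.

```python
import re
from collections import Counter

# Constructed sample in the syslog format OpenSSH's sshd uses (not taken from
# the thread). It mixes the messages sshd writes when an attempt fails, with or
# without password authentication enabled, plus one legitimate key login.
SAMPLE_AUTH_LOG = """\
Mar  5 02:14:01 host sshd[1234]: Invalid user guest from 198.51.100.23 port 40112
Mar  5 02:14:01 host sshd[1234]: Failed password for invalid user guest from 198.51.100.23 port 40112 ssh2
Mar  5 02:14:03 host sshd[1236]: Connection closed by authenticating user root 198.51.100.23 port 40113 [preauth]
Mar  5 02:14:05 host sshd[1238]: Connection closed by authenticating user admin 198.51.100.23 port 40114 [preauth]
Mar  5 02:15:11 host sshd[1240]: Accepted publickey for alice from 10.0.0.4 port 50122 ssh2
Mar  5 02:16:30 host sshd[1242]: Invalid user test from 198.51.100.23 port 40120
Mar  5 02:16:40 host sshd[1244]: Invalid user oracle from 198.51.100.23 port 40121
Mar  5 03:01:50 host sshd[1301]: Invalid user test from 203.0.113.77 port 51001
Mar  6 01:00:00 host sshd[1400]: Invalid user admin from 198.51.100.23 port 40500
"""

# Syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
PREFIX = re.compile(
    r'^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: (?P<msg>.*)$'
)

# Messages that mean "someone tried and did not get in". Each carries the peer
# address and its source port, which together identify one TCP connection.
FAILED = [
    re.compile(r'^Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port (?P<port>\d+)'),
    re.compile(r'^Invalid user \S+ from (?P<ip>[\d.]+) port (?P<port>\d+)'),
    re.compile(r'^Connection closed by authenticating user \S+ (?P<ip>[\d.]+) port (?P<port>\d+) \[preauth\]'),
]


def failed_attempts_per_day(log_text):
    """Count failed connections per (day, source IP).

    One attempt can produce two lines (an "Invalid user" line and a
    "Failed password" line share the same source port), so connections
    are de-duplicated on (day, ip, port) before counting.
    """
    seen = set()
    counts = Counter()
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        day = f"{m['month']} {int(m['day']):02d}"
        for pattern in FAILED:
            f = pattern.match(m['msg'])
            if f:
                conn = (day, f['ip'], f['port'])
                if conn not in seen:
                    seen.add(conn)
                    counts[(day, f['ip'])] += 1
                break
    return counts


def noisy_sources(counts, threshold=5):
    """Return the (day, ip) pairs at or above the threshold: candidates for a firewall rule."""
    return sorted(key for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    per_day = failed_attempts_per_day(SAMPLE_AUTH_LOG)
    for (day, ip), n in sorted(per_day.items()):
        print(f"{day} {ip:16} {n}")
    print("over threshold:", noisy_sources(per_day))
```

On the sample, 198.51.100.23 is credited with five distinct connections on Mar 05 (the duplicated guest attempt counts once) and one on Mar 06, while 203.0.113.77 appears once; only the first pair clears the default threshold. The same counts, aggregated by port instead of by source, are what a site like the Internet Storm Center plots as trends.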
  14. Spidering by menace3society · · Score: 3, Interesting
    Does it bother anyone else that they imply that spidering is related to DDoS and botnets?

    Note that DDoS attacks are not limited to web servers, virtually any service available on the Internet can be the target of such an attack. Higher-level protocols can be used to increase the load even more effectively by using very specific attacks, such as running exhausting search queries on bulletin boards or recursive HTTP-floods on the victim's website. Recursive HTTP-flood means that the bots start from a given HTTP link and then follows all links on the provided website in a recursive way. This is also called spidering.

    Any time I see this sort of obvious attempt to build paranoia, it makes me suspicious of the whole article.

  15. Re:Are these BotNets responsible by Anonymous Coward · · Score: 2, Interesting

    I'm really surprised that there isn't any "bot wars"

    Trust me, there are. You may not notice them since they target a pretty specific population (lusers with owned boxes attacking each other until they drop off the internet won't much affect you unless you're on the same network segment as one side or the other). We have an IRC operator on our network who figured out that at least the IRC control module could be disabled on command on certain prepackaged (yay scriptkiddiez) bots, and would (ab)use his power as IRCop to find the hidden channels and disable the bots there.

  16. Re:Are these BotNets responsible by Daengbo · · Score: 2, Interesting

    I have a dummy account with a cryptic name and password and no home as the only allowed ssh login for my box, from which I must su to a normal user, then su - to admin. I'm hoping that it's unlikely to be cracked.

  17. I've had a similar experience by Anonymous Coward · · Score: 5, Interesting

    I found a gaobot variant at work a month back and ran it on a Virtual PC at home. One thing the article doesn't mention is that the variant would connect to a free dynamic IP address server (in my case *.ma.cx) to figure out the IP of the IRC server. I fired up mIRC, and joined the channel my bot was joining, and sent the OP a message. We started talking for a bit. At first he thought I was some other black hat and he started bragging about having over 50,000 machines in his network. Wanted to know if I wanted to trade bots and the like. When he figured out what I was really doing, he banned me.

    I sent messages to the ISP of the IRC server (in this case IPowerWeb) and to the dynamic DNS server to the effect of "Hey, someone's using your service for hacking" with all my details and such. Nothing happened. Guess they just don't care.

  18. Re:Why not do something useful instead? by utlemming · · Score: 2, Informative

    The whole purpose was to gather evidence and details of the botnets. If you don't understand how the bots work, then it is hard to find how to defend against them. By knowing the targets, the goals and how they communicate you can both detect them on a network, and defend against them (for example, if you administer a corporate network, having the signatures of a bot with Snort can be quite useful in intercepting bot traffic). The other interesting thing was that the bot nets use IRC channels to communicate. If they didn't do this little project, then the communication methods wouldn't be understood. The value of having this information is far more useful than deleting the bot off a computer. Saying that you should delete them is akin to telling anti-virus firms that they should merely delete the virii and not study them at all.

    --
    The views expressed are mine own and do not express the views of my employer.