Slashdot Mirror

← Back to Stories (view on slashdot.org)

Observing Botnets with Honeynets

Posted by CmdrTaco on from the know-thine-enemy dept.

Susan Saradon writes "The Honeynet Project has released a new paper which deals with the observation of botnets. "Know Your Enemy: Tracking Botnets" discusses what Botnets are, who is using them, how, and why. It als introduces the tools "mwcollect" and "drone" which can be used for collecting an tracking Botnet activity. Nice to read and looking forward to the release of these tools."

11 of 118 comments (clear)

  1. I always liked by Enigma_Man · · Score: 5, Funny

    logging into the IRC channels of botnets, and trying to introduce myself, and asking "a/s/l" and getting all huffy that nobody's answering. Or talking like a robot.

    -Jesse

    --
    Nothing says "unprofessional job" like wrinkles in your duct tape.
  2. Zombie PCs being sent to steal IDs by maotx · · Score: 4, Interesting

    While I was going to submit this as a story, it would seem more appropriate as a link from this one.

    News.com has an interesting article talking about how bot nets have migrated mainly from DoS to wide-spread spys. A growing increase in bot nets have been used to gather sensitive identity information and install adware and spyware. The Honeynet Project estimates that some of the networks are made up of more than 50,000 computers.

    --
    I'm a virgo and on Slashdot. Coincidence? Yes.
  3. Coral to the rescue... by ControlFreal · · Score: 5, Informative

    Coral link here.

    When posting stories that link to small(ish) sites, please append nyud.net:8090 to the hostname: It makes the Coral cache system cache the data. They have some tens of server worldwide to alleviate the load on the original site.

    Also please load the site through Coral first before you submit the story. That way, Coral's caches are already filled, and the load on the main server can be even lighter.

    --
    Support a Europe-related section on Slashdot!
  4. 226,585 unique hosts!? by bigtallmofo · · Score: 5, Insightful

    During these few months, we saw 226,585 unique IP addresses joining at least one of the channels we monitored [...] This shows that the threat posed by botnets is probably worse than originally believed

    Doesn't this qualify as the understatement of the year? Never in my wildest dreams did I think a botnet would grow above a few tens of thousands hosts. There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

    Anyway, I couldn't have imagined a better or more authoritative write-up of botnets. Hopefully though it doesn't add fuel to the various ??AA organization's fire of declaring IRC a scourge on humanity.

    --
    I'm a big tall mofo.
    1. Re:226,585 unique hosts!? by LiquidCoooled · · Score: 4, Interesting

      No, here at work, we just have to sneeze loudly and we get a new IP.

      Windows machines reboot continuously because they keep crashing mean new IPs are allocated every time the user reconnects to his ISP.

      --
      liqbase :: faster than paper
    2. Re:226,585 unique hosts!? by EnglishTim · · Score: 5, Funny

      There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

      That... or the network has attained self-awareness and is trying to recruit all our PCs to conquer the world!

      THROW YOUR PC OUT OF THE WINDOW. IT'S THE ONLY WAY TO BE SURE.

  5. Re:Are these BotNets responsible by Anonymous Coward · · Score: 5, Interesting

    Yep.

    The funny thing about the bruteforce attempts I've been victim of is that they use the same password as username.

    I figured this out after having a guest:guest account open for a while. Suddenly I started getting complaints from the network admin, and then one night working, I was shocked by how slow this 400MHz monster had become lately. Running ps showed me a few things I didn't want to see. However, as I didn't delete the programs compiled on that account, I could browse through the code to see how it worked, and indeed, it connected a IRC server and a channel with a key and kept listing IP addresses and codes that I never took the time to investigate.

    And uhm, yeah, it was stupid having a guest:guest account. :)

  6. WTF? by Quixote · · Score: 5, Funny
    FTFA:
    In one case, bot software detected whether the game "Diablo II" was installed on the host PC. If the game was present, the program would steal items from the player's characters and drop them at preplanned places in the online game world. The bot net's controller would then collect the items and sell them on auction site eBay, Holz said.

    What the... ? Stealing identities and installing viruses is one thing; but to actually go and steal stuff from Diablo-II?? Have these guys no shame???

    1. Re:WTF? by Reene · · Score: 5, Interesting

      I would imagine it is much more profitable, at least in the short run, to do things like this. Same would be true for Everquest if it's possible to steal items in this manner, but I am unfamiliar with how exactly the item system in that game works (was always a Diablo fan, not a EQ fan).

      The prices some of these things fetch is insane even to the most hardcore of gamers..But I guess if you've got that much money to blow anything starts looking good. Hell, you should see some of the prices the shit on the text-based MUD DragonRealms fetches. Upwards of thousands of dollars for characters, rare items, and currency. And it's easy to shell out anywhere from $30-$500 a month directly to the company that runs the game itself, nevermind the underground networks of illegal buying and selling of characters/items/money. But I digress...

      --
      "He does look a bit Oompa like, even if his Loompa is a bit off-kilter."
  7. detection of botnets by kc0re · · Score: 5, Informative

    For those of you that use Snort as an Intrustion Detection System, there are some excellent rules that will detect botnets located at BleedingSnort

    Look for IRC rules that are non-standard ports. Very easy to run.

  8. I've had a similar experience by Anonymous Coward · · Score: 5, Interesting

    I found a gaobot variant at work a month back and ran it on a Virtual PC at home. One thing the article doesn't mention is that the variant would connect to a free dynamic IP address server (in my case *.ma.cx) to figure out the IP of the IRC server. I fired up mIRC, and joined the channel my bot was joining, and sent the OP a message. We started talking for a bit. At first he thought I was some other black hat and he started bragging about having over 50,000 machines in his network. Wanted to know if I wanted to trade bots and the like. When he figured out what I was really doing, he banned me.

    I sent messages to the ISP of the IRC server (in this case IPowerWeb) and to the dynamic DNS server to the effect of "Hey, someone's using your service for hacking" with all my details and such. Nothing happened. Guess they just don't care.