Observing Botnets with Honeynets

Susan Saradon writes "The Honeynet Project has released a new paper which deals with the observation of botnets. "Know Your Enemy: Tracking Botnets" discusses what Botnets are, who is using them, how, and why. It als introduces the tools "mwcollect" and "drone" which can be used for collecting an tracking Botnet activity. Nice to read and looking forward to the release of these tools."

I always liked

[Enigma_Man]

logging into the IRC channels of botnets, and trying to introduce myself, and asking "a/s/l" and getting all huffy that nobody's answering. Or talking like a robot.

-Jesse

Coral to the rescue...

[ControlFreal]

Coral link here.

When posting stories that link to small(ish) sites, please append nyud.net:8090 to the hostname: It makes the Coral cache system cache the data. They have some tens of server worldwide to alleviate the load on the original site.

Also please load the site through Coral first before you submit the story. That way, Coral's caches are already filled, and the load on the main server can be even lighter.

226,585 unique hosts!?

[bigtallmofo]

During these few months, we saw 226,585 unique IP addresses joining at least one of the channels we monitored [...] This shows that the threat posed by botnets is probably worse than originally believed

Doesn't this qualify as the understatement of the year? Never in my wildest dreams did I think a botnet would grow above a few tens of thousands hosts. There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

Anyway, I couldn't have imagined a better or more authoritative write-up of botnets. Hopefully though it doesn't add fuel to the various ??AA organization's fire of declaring IRC a scourge on humanity.

Re:226,585 unique hosts!?

[EnglishTim]

There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

That... or the network has attained self-awareness and is trying to recruit all our PCs to conquer the world!

THROW YOUR PC OUT OF THE WINDOW. IT'S THE ONLY WAY TO BE SURE.

Re:Are these BotNets responsible

Yep.

The funny thing about the bruteforce attempts I've been victim of is that they use the same password as username.

I figured this out after having a guest:guest account open for a while. Suddenly I started getting complaints from the network admin, and then one night working, I was shocked by how slow this 400MHz monster had become lately. Running ps showed me a few things I didn't want to see. However, as I didn't delete the programs compiled on that account, I could browse through the code to see how it worked, and indeed, it connected a IRC server and a channel with a key and kept listing IP addresses and codes that I never took the time to investigate.

And uhm, yeah, it was stupid having a guest:guest account. :)

WTF?

[Quixote]

FTFA:
In one case, bot software detected whether the game "Diablo II" was installed on the host PC. If the game was present, the program would steal items from the player's characters and drop them at preplanned places in the online game world. The bot net's controller would then collect the items and sell them on auction site eBay, Holz said.

What the... ? Stealing identities and installing viruses is one thing; but to actually go and steal stuff from Diablo-II?? Have these guys no shame???

Re:WTF?

[Reene]

I would imagine it is much more profitable, at least in the short run, to do things like this. Same would be true for Everquest if it's possible to steal items in this manner, but I am unfamiliar with how exactly the item system in that game works (was always a Diablo fan, not a EQ fan).

The prices some of these things fetch is insane even to the most hardcore of gamers..But I guess if you've got that much money to blow anything starts looking good. Hell, you should see some of the prices the shit on the text-based MUD DragonRealms fetches. Upwards of thousands of dollars for characters, rare items, and currency. And it's easy to shell out anywhere from $30-$500 a month directly to the company that runs the game itself, nevermind the underground networks of illegal buying and selling of characters/items/money. But I digress...

detection of botnets

[kc0re]

For those of you that use Snort as an Intrustion Detection System, there are some excellent rules that will detect botnets located at BleedingSnort

Look for IRC rules that are non-standard ports. Very easy to run.

I've had a similar experience

I found a gaobot variant at work a month back and ran it on a Virtual PC at home. One thing the article doesn't mention is that the variant would connect to a free dynamic IP address server (in my case *.ma.cx) to figure out the IP of the IRC server. I fired up mIRC, and joined the channel my bot was joining, and sent the OP a message. We started talking for a bit. At first he thought I was some other black hat and he started bragging about having over 50,000 machines in his network. Wanted to know if I wanted to trade bots and the like. When he figured out what I was really doing, he banned me.

I sent messages to the ISP of the IRC server (in this case IPowerWeb) and to the dynamic DNS server to the effect of "Hey, someone's using your service for hacking" with all my details and such. Nothing happened. Guess they just don't care.