Slashdot Mirror
Hunting for Botnet Command and Controls
Uky writes "Convinced that the recent upswing in virus and Trojan attacks is directly linked to the creation of botnets for nefarious purposes, a group of high-profile security researchers is fighting back, vigilante-style. The objective of the group, which operates on closed, invite-only mailing lists, is to pinpoint and ultimately disable the C&C (command-and-control) infrastructure that sends instructions to millions of zombie drone machines hijacked by malicious hackers." From the article: "Using data from IP flows passing through routers and reverse-engineering tools to peek under the hood of new Trojans, Thompson said the researchers are able to figure out how the botnet owner sends instructions to the compromised machines."
Now only if they could do this with Skynet, we might just be able to postpone Judgement Day another 6 years.
uh, time for me to disconnect to the internets for a while.
Easiest way is to create a small IRC network, and submit the name to all the irc clients out there, so it'll be in the list. Also, name it something so it appears at the top or near the top...
To inflate user counts, just get an ircd that allows assigning yourself or others fake hostnames (for certain hosts/etc). Then load tons of bots in channels pretending to be 'users'. You could even get creative and make them idely chatter with each other..
Anyways, the point is that most of these botnet peoples eventually want to take a part of their net out to go mess with irc channels, and they usually seem to target smaller networks on the top of whatever list they're using.. So all ya gotta do if just log massive joins into certain channels, or when a flood of users magically connect to your fake network.. Then you have tons of bots to dissect or whatever.
C&C attacks are the staple of today's military. An organized, centralized effort should do wonders for laying waste to the economic value (and motivation) behind such behavior.
I am very easy to get along with, but I don't have time to waste being nice to people who are being stupid. -Theo
How do they disable the C&C infrastructure?
When the security "experts" are busy looking at all the data passing through routers, who is busy ensuring that the "experts" will not violate my privacy by reading the personal but sensitive e-mail notes that I send to my friends and associates?
In other words, when the "experts" are protecting me from the hackers, who is protecting me from the "experts"?
So is this news something to be pessimistic about or what? As I understand it, without vigilantes botnets would be even more "unstoppable" than they are now. It's cool that they're mitigating it, but it really comes down to getting some cooperation going on multiple levels... starting with the ISPs acting more against outgoing malicious traffic for a start.
see a Text Widget
They will be here as long as there are vulnerable machines and zombies.
ps
Slow Down Cowboy!
Slashdot requires you to wait between each successful posting of a comment to allow everyone a fair chance at posting a comment.
It's been 7 minutes since you last successfully posted a comment
DA FUQ
The problem isn't botnets, the problem is people and systems. The only reason botnets exist is due to the fact that current software is engineered without much thought toward security, and vendor supplied patches are not applied. Shutting down a botnet is at most only minimally worth the effort as the hosts are still vulnerable to be aquired by the next virus that comes around.
The only solution is secure software engineering and prompt, reliable patching.
How can this possibly fail?
it's great that industry, when faced with a lack of effort from the law and legislature, has the will and wherewithal to go after the scumbags. it's a great first step to show policymakers how much of a concern this is to internet security.
Internet ages ago, when DDOS was hot and researchers all concentrated on that threat, I tried to tell them that DDOS is nothing. Stuart and the others wrote their paper and based the threat on DDOS which influences computer security research even today. I predicted what is now called botnets would be the more frightening destination of the DDOS train. I didn't catch that IRC would be the covert channel of choice (not very covert). HTTPS seemed much more likely to me - net admins expect to see https traffic.
/. user name
The vigilantes are running into the problem of cut-outs. The original botnets for DDOS all used a three-tier architecture - slaves (bots), masters (IRC servers), and clients. The current incarnation seems to have at least that many layers if not more. Killing the masters is better than trying to stomp on all the bots, but that still leaves the clients. Until the owners of the compromised boxen acting as masters allow access to track back to the clients, the vigilantes are facing the fate of Sisyphus.
Goetz - AC because I can't remember my
What would be really interesting is if using a combination of honeypot PCs (to match trojans to controllers) and the commands used to control the botnets, these vigilantes could make the zombified PCs download and run a cleaning tool to rid themselves of the trojan.
But it doesn't hurt anyone else much either as I'm on a 56k line. Oh, scary DOS comming from that.
What you're saying shows the root of the problem and why it's so hard to solve: you need some level of cooperation from people who do not have a direct interest in solving it simply because it doesn't affect them. Sure, your little 56k is quite harmless, but with 1000 zombies on little 56 lines, you can create quite a flood.
The other problem is with using up bandwidth allotments. Let's say the attacker is using 2KB/s for flooding. You won't notice that, but the other end wastes 5GB/month. Now if you have just 200 56k lines on pumping this on average, you'll be driving the target into unwanted bandwidth bills for sure. Now this analysis is making some assumptions, but you get the picture.
see a Text Widget
They aren't going to accomplish anything. It'll take forever to figure out where the HUGE botnets on IRC are located...
Well, obviously script kiddies with the malice and idiocy to create them. But also, the end users ... the people who irresponsibly leave their machine open to the 'net, get 0wned, and then contribute to whatever DoS is going on.
These end users just *don't care*. Because, although their owned boxen are f-ing with the rest of the internet, it doesn't affect them - a selfish luser attitude, why should they bother virus/trojan scanning their boxen?
I wish ISPs would hold the lusers (criminally) responsible for this. I for one look after my home datacentre, including my Gentoo Linux boxen and keep them patched.
a group of high-profile security researchers is fighting back, vigilante-style.
This emotionally laden language has been deliberately chosen to make it sound like this activty is a "bad thing [tm]"
I truly believe it is the duty of every person to fight against clearly evil activity.
This includes a mugger hitting an old lady, a middle age man trying to drag a pre-teen girl (or boy) in to a car idiling in the street, and a person trying to kick in the door of the elderly couple down the street.
If the people disabling bot-nets make every effort to be certain they do not harm innocent or uninvolved people (and the standard here is very high), then they are doing a public service. (if they take the attitude, like some "anti-spam" people, of -> 'kill them all, let God sort them out, they are just assholes with very, very small peckers')
Those who believe the gub'mint is going to be johnny on the spot to fix all your boo-boos are sadly misguided: there is neither the manpower or the reaction time to fix everything "bad" in the world. That depends on YOU.
I'm wondering why they aren't telling bots to self-destruct? It seems pretty obvious to me that the C&C structures could reform fluidly as you take them down? A Black hat has a list of his bots, if you nuke his IRC channel, he just spawns a new one, or moves to a new IRC network...
But if instead you tell all his bots to wipe themselves out, he's got to buy new ones. Yes those machines will surely get reinfected within a few days/weeks, but it will throw a much bigger wrench in the works.
How is this not the obvious approach? Why aren't they doing it? Or maybe they are and aren't stupid enough to tell the media....
Does it come as a surprise to you that people that have access to routers can sniff your packets?
Of course they can but the question is : are they allowed to do it ? It's very easy to tap a phone call in any exchange but admitting you did it without the proper legal papers would get you in a whole lot of trouble, I guess.
Liar.
The botnets represent a serious threat in all sorts of different ways. Spamming. Phishing. DDOS attacks. Extortion. Money laundering. Child pornography. These large armies of zombie PCs can be use for a variety of evil purposes.
Yah.. this should be the remit of law enforcement agencies.. but guess what. Nothing much is happening. Law enforcement is either waaay outta their league or swamped with other issues. So as good citizens of the internet, what should we do?
Well.. those people who keep moaning about "vigilantes" will do nothing.. expect moan some more when their business is taken out by a DDOS-wielding extortionist. One basic obligation of all citizens it to protect others and to not ignore crimes when they are in progress. So, it is absolutely right and proper that people take direct action if it is clear that law enforcement agencies cannot.
You can target the botnet's C&C system. And there are a variety of ways you can do this - not all of which require immense technical skills. Sometimes that means you have to be slightly more "grey hat" than "white hat" in your approach.
But even if you are technically breaking the law to shut down a botnet.. exactly *who* are the victims? Nobody important, that's who - and they are usually hiding behind layer upon layer of false domain registrations, hijacked IP addresses and worse. In fact, most of the time there are no identifiable victims of this type of anti-botnet action at all - no valid names, companies or organisations. So who's gonna complain?
Personally, I'm not part of this group, but independently I have managed to shut down two large botnets.. at least temporarily. And I would do it again. But.. well, let's just say if you are involved in this sort of thing then it's better to stay an "Anonymous Coward".
I can't find it on his site, but the guy who runs DShield was under a DDOS attack a few years ago and he managed to crack into the IRC channel the attacker used to control his bot network.
Apparently the attacker about crapped his drawers when instead of the usual bot replies to his commands an actual person started talking to him in his IRC channel.
http://dshield.org/
Wax on, wax off baby!
... fighting back the internet scumbags all over the planet, vigilante style...
...
Now if they could just have a cool name, we could have a new hit superheroes movie for this summer.
Any suggestion anyone ?
- The League of Net Shadows
- The League of Extraordinay Nerds
- The Fantastic Fourty
Come on give me something better
So, how is this different from a "Star Chamber"?
/. who might applaud this pro-active white-hattery, who simultaneously strenuously object to the US Patriot act which is pretty much just allowing the government to do the same thing in real life?
I'd be interested to see how many people in
-Styopa
What sort of things are you discussing with your friends and associates? Are you talking about penises, scrotums and vaginas? Well, are you?
Seriously, you need to protect yourself. Don't depend on others to protect you while you're on the Internet. That's why you do certain things like not running Windows, run a solid, well-tested Linux or *BSD firewall, and practice encryption of all of your communication. The power of the Internet includes many responsibilities: one of those responsibilities is to ensure your own safety by taking the appropriate measures.
Cyric Zndovzny at your service.
The name actually used is "drone hunters"
THey should write a book about this. It will be like a modern day Cuckoo's Egg.
Well you might have signed a contract that stipulated you wouldn't sniff in order to purchase your connection. But I don't think there are laws related to sniffing like there would be for telephones. More like using a radio to listen to your neighbor's cordless phone conversations, which is both legal and provides admissable info. No expectation of privacy there. So the better cordless phones do encryption. Cellphones have an expectation of privacy. But email is like old time CB.
This isn't flamebait, he's making a point.
Most 'normal' users really don't seem to give a damn if their computeris being hijacked, as long as they don't notice it. And the same users won't undertand that their 56k line is one of many, which adds up to an enormous amount of bandwidth.
...and likely because their wares are useless until activated by an idiot enduser but mostly because government neither is competent enough to go after this or should be trusted enough, then I don't see why extending antibodies to the malware problem doesn't deserve a shot.
With honeypots and careful use of infectable machines, the code that makes up these beasts can be examined and anti-malware can be released into the wild to destroy the infections whereever the anti-malware gets installed by an end-user.
"Wow, I just cleaned spyware off my machine by looking for pr0n." Sort of like accidentally giving yourself life-saving medication because someone knew you were a pill popping idiot and they put the right stuff where you'd find it.
The question is, how would the corporate antimalware forces of right now react? "Symantec finds the W32.SpamZapFly2 to be a highly dangerous worm capable of closing far too many open smtp relays (which is eating into our business) and recommends using our new tool to remove it as well as purchasing our latest antivirus software (which will be as ineffective as the last one) instead of relying on accidental infection with this so-called anti-bodyware (because while it has equal chance of happening, we'd prefer to be paid).
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
Wel luring the bots on your own net and analysing them there seems fine. So that would be more or less the same as receiving broadcasted things.
However they talk about a bunch of experts calling themselves the good guys and playing vigilante. (Which in itself is already a bit worrying)
Furter on they talk about actively sniffing routers. If an ISP admits it monitors traffic contents wouldn't it then lose its
rights as being a "carrier" ? Wouldn't that make them reasponsible for the content too, illegal content for example ?
Happens frequently. Line workers just tap right onto your loop... Central office folks can do the same.. or they can use the functions in the switch. They often do so...
SIG: HUP
I wish ISPs would hold the lusers (criminally) responsible for this.
LOL:
1) think what that would mean for most ISP's because they would need to be accountable on their turn too.
2) they could try to pull the plug on that kind of users but they are a majority. So the isp won't bite the hand that feeds it.
I know a user who I'm certain his system is totally 0wn3d. Its an unpatched windows 98 machine, no firewall, nothing. I put an EICAR string on his machine, and 6 months later, its still there. He calls them "Cheezy Viruses that don't hurt me" if they don't interfere with his day-to-day operations. Only when he got a dialer and built up $10,000 worth of phone bills one month did he care. The moral of the story: Users don't give a damn. I know a guy who happens to run a rather large botnet and he says 90% of his victims know there is a virus on their computers, they just can't be arsed to do anything about it.
Waffles rock.
I thought there was no such thing as a central C&C on botnets. An infected pc, can be a member of many botnets. Today a pc is doing the bidding of joe hax0r, tomorrow is doing the bidding of billy rox0r. Even if you shut down one C&C, the thousands of infected pcs, remain infected and ready to join another botnet.
The only sollution is user education.
VStrider.
It should. There are wiretapping laws against this. It's no different than the phone company listening in on your conversations.
"I assumed blithely that there were no elves out there in the darkness"
In TA, in a skirmish game against computer controlled apponants, you build a basic airbase, send over as many lifters as you can build fast, and capture the enemy commander/s.
Then you have free range to build an inpenetrable base in peace before releasing them to inevitable defeat.
Bwahahahaha etc....
yes it happens, yes it's as easy as reading one 's mail if you're at the right place. It doesn't make it legal though and can get you in serious trouble if you admit doing it.
I know my University monitors student use, including browsing and email. Whether that makes them responsible, I don't know. But don't get caught using P2P software (regardless of what you download) or you'll lose your connection. No servers of *any* kind, be they ftp, ssh, mail, or http. P2P is viewed as a type of server. So is bittorret.
This is a blatant violation of the trojans' EULAs if I ever saw one. The authors put a lot of work into writing those trojans. What gives "security researchers" such a sense of entitlement to that code? If they want to analyze malware, they should write their own!
Call yourself the good guy or the hero of the day and your allowed to do anything ? Think:
Clear evil activity is much harder to define. Even 2 of the 3 examples you gave are clearly broken. The mugger seemed evil to to me. The middle aged man could be the father of the girl. And the person kicking in the door could be yourself reacting on a call for help of the eldely couple.
The lack of control makes vigilante actions moslty contribute more to the problem than to the solution.
seeing C&C in the article took me back to the good ol' days of DOS and Westwood Studios...
fuckin Electronic Arts.
"What does slashdotting mean?"
"You've never heard of slashdot?"
"I know it makes websites not work."
I know people who do this kind of botnet tracing, they are looking at flow data, which is NOT the actual packets for most of their hunting.. they look for patterns in the flows, which are basicaly source/destination IP and ports, and protocols.
If I were a Blackhat, my counter to this would be to have the members of the botnet relay my commands among themselves like a telephone relay tree where one person calls 5 who each then call 5 who each then ... To find Mr. Big, you'd have to find the headwaters of the stream, which would be a difficult task.
I'm sure the research they're doing is quite intriguing, but when are we going to stop wasting time and money on clueless users that obviously don't understand the importance of clicking on "Windows Update" every couple weeks? That type of negligence is unacceptable in almost every other facet of everyday life, so why aren't businesses holding the actual users responsible for the damage they cause?
You know what I'd like to see for once? How about a vigilante team of lawyers that work with the businesses who regularly pay $many thousands of dollars to deal with these botnet attacks. Work with the ISPs involved to get customer names, through *legal channels* (so they'll cooperate), and then file civil lawsuits against every single one of negligent computer owners. Hmm, what's that? Oh, now you've got everyone's attention.
Even a DirecTV/RIAA-style letter campaign would probably do more to fight the problem than this team of bot-busters will.
Note: no disrespect to the research team. I applaud their efforts, even though I think there's a better solution to this problem.
The only solution is user education.
You obviously don't have anything to do with end user support in your line of work. I've got the same people asking the same questions all the time. They don't want to be bothered to learn how to do anything on a computer other than the absolute minimum knowledge they need to get things done for work or school. There are millions of people out there who don't know anything more than how to turn their computers on and off, and use the basic features of Word, IE, and Outlook Express. They are ignorant of and/or apathetic about the nasty stuff that can happen to their PCs if they don't maintain them. Even if you try to put the fear of God into them about identity theft and whatnot, their "it can't/won't happen to me" attitude means they STILL won't care.
If you want to increase the percentage of computer users who actively maintain their systems, you'd get better/faster results just by going around killing the people who don't.
~Philly
Laws against eavesdropping does not give us privacy. Encryption can, but laws don't make your conversations private.
Well, lets beat this guy until he tells us who runs that botnet. There's a starting point!
Just run your sshd on a higher-than-1024 port and tunnel it over HTTP. The "intrusion" "detection" system that they use will see it as you visiting a web page :)
My other car is first.
I decided to go botnet-breaking a few months ago (when someone "invited" my webserver)-- no need to sniff stuff. Simply edit/clean the botnet script and run it. Take note of the hostnames used by all the other bots in the channel and begin scanning them for contact info. Usually SMTP or such will give a hostname and from there you just contact the admin of it.
Luke-Jr
I've had numerous trojans sent to me over time, my current way of dealing with them has been to run them in wine, use ettercap to find out where they join, then email the data-centre/isp about my findings and what's been going on.
If there was an email where we could send what we find to be trojan bots so the experts could take care of it, it would make things alot easier.
but his botnet seeds torrents! Where else will I get my free pr0n and mp3's?!?
Waffles rock.
Let me see. Somebody wants to use my gear to access a network that I have access to. I, as the carrier, have the right and the respnsibility to know what my gear is up to. I know most telcos frequently "tapp" phones listening for faults. Most of the time they don't care abut the contents of the call, only the effect on line quality. Why should ISPs be any different? They have a duty of care to their customers to provide a service. If they are not allowed to monitor real live traffic over THEIR OWN EQUIPMENT, then how are they supposed to do that? And if you don't like your carrier listening in, either stop using public networks (such as the Internet) or make it hard for third parties to do listen in. But do not pretend that because you have some tenuous connection to the information being transported, that a carrier who owns the physical equipment has no rights to that information.
A sig is placed here
To display how futile
English Haiku is
Sounds like a new spin on something Steve Gibson did a few years ago. Very interesting read.
Hey guys. Just thought that I would put my $0.02 in.
;)
I am not into botnets anymore, but like most here prolly', I started my internet life on irc. And anyone else who grew up on non dalnet like servers with chan services knows that being on a network without them can be a pain. Especially when smacktards show up for the day
Anyways, knowing a bit about bot's and botnets, I would say that it shouldnt be too hard to take some down. Being irc based, plain text would be one problem. But if you have access to a machine infected, encryption would be pointless since you could just debug the program and find out what it 's protocol is anyways. I think one big issue that was hinted at in one of the above posts was that you should be able to use an infected machine to "take over" the botnet. Well, things dont work that way. For those of you that havent run one or used one before, I will give you a rough idea of what the ones in my day (1.1.15 or so IIRC).
A botnet is basically a shell like environment similar to say a bash shell or a dos prompt. ie: its all text commands using plain ol' ascii. Commands generally start with a ".", like ".help". The botnet also has security systems in place (ie: users with passwords etc) that define who can dcc chat the bot directly, use its !channel commands on irc etc. The eggdrop (sorry, yes, im refering to eggdrop's specifically) bot also has the ability to link multiple bots togethere to form a big "botnet". The is all of course done with special bot accounts with unique passwords.
The reason you cant just take one over (despite it probably being a modified version of this system of bot), is because the other bots are probably only allowed to "take orders" from a specific machine or user. Although for simiplicity sake, I would imagine its just a user and password combo to prevent any traceable information from being gleamed over the botnet traffic. Dont forget to that the botnet would be point to point and most of the traffic would only be coming from a single location (which you would have to find out from a comprimised machine).
In the end, I see the biggest problem in finding the zombies being, how do you tell when a machines infected if the virus tries the best it can to hide itself from non-forensic integrity checking tools. But, over the years I can see software taking a turn to being better checked for authenticity and integrity etc. Once we hit that point, botnets would probably start to disappear. Also consider that the machines themselevs will go offline and be replaced by newer ones that arent suceptable to the same malicious code. This at least forces them to keep active. And keeping them active helps you trace them.
Anyways, hope you had a fun read. Not worth previewing this one, l8r.
I do this as well (mainly dealing with irc-borne malware), and I do it on an open list. I'm not convinced that closed lists are the way to go about this sort of thing. As it is, the open format helps attract talent, and it's far worth the risk of the s'kiddiots knowing what we're up to (look at it this way - they already know the information we're disseminating).
The bots would be connected to their own P2P-ish system. Commands would be passed around the network in a method similar to searches in Gnutella.
All commands would by signed by my private key. My bots would all have my public key. This, I would be *the only person* who could issue valid commands to my botnet.
This would make it impossible to tell where the commands are coming from since the originator would look just like another bot on the network.
"Apparently the attacker about crapped his drawers..."
Oh, and how do we know he nearly crapped his draws ?
Sound like bullshit to me.
I swear, I have not seen this cheat online: but on the original command and conquer, if you throw a grenade, and then keep clicking madly, the grenade will start homing in on your mouse cursor.
Win any battle by making grenadiers, and then getting about 100 of them to ctrl-target the ground near them, but then click and make the SWARM of granades follow your mouse, until your hit their power plants - other buildings, etc. Very rewarding.
If you could use this tactic to catch hackers, by all means do so
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
It's a zombie! Aim for the head!
I may be missing something here, but if IRC is used to control malicious programs, then why allow IRC? /dev/null (or a logging system) and then annihilate any IRC bot-controllers in your system.
Call me a stick in the mud, but I have simply never seen the purpose of IRC. I've installed programs for it, logged into the LUG's channels because I'm told it's the best thing since sliced bread, found it to be a an utter waste of time, and removed the IRC client. Three times. I simply can't see any purpose to it that is worth either the massive time waste (people don't think before they reply to questions), or the huge security hole that it appears to be. [BTW for people on AberLUG, I know there's a no-install Java access route too. But there's no content.]
So why are people (network administrators, specifically) allowing the packets to pass? You've got a problem with, say, your AS chunk of routing space being full of IRC-controlled robot machines. So set your router to forward all IRC packets (in- or out-bound) to
If IRC has some value (which I have yet to be shown an argument for, let alone be convinced by such an argument ; "Look at this, it's kewl!" is not an argument), then tell the developers who claim so to come up with an IRC-like system which is provably secure and that provides the functionality they want without the security risks. Any of the security risks. Which returns to the original point - what is the "value" of IRC that people tolerate the security risks that appear to be inherent in the model.
Question: What did people do for rapid networked communication between self-selected groups before someone (whoever) invented IRC? Answer : mailing lists and/or private newsgroups on non-peering, non-usenet NNTP servers.
Question: What is still a major method of rapid networked communication amongst self-selected groups? Answer: mailing lists (and private newsgroups too, but often less visible than the lists). Did you notice that SourceForge provides this functionality? You think it's there to make the menus longer, or for some other reason?
If it causes pain, and you've got an alternative, stop doing it.
BTW, who was responsible for this junk? I remember something similar being available on Compuserve when I joined in 1992, but it was unusable then and hasn't got any better since.
It is possible that the security risks of IRC are consequent on the possibility of being anonymous on the communication system. That may account for a lot of the junk too. Although the IRC-like stuff in Compuserve was on a private network with personal accountability through credit-card-backed account identifiers, and that was pretty content-free.
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
Holy shit.
We're screwed.
So if they are now able to shut down C&C , what will the next round of innovation bring to malware?
Will next generation botnets probably use XOR metrics to receive their instructions, similar to serverless p2p nets?
I think that's just a pyrrhic victory
"Strike the shepard, and the sheep will scatter"
That's not true at all, sheep generally hang around in big mobs regardless of whether a shephard is present or not.
Even if what you said was true there is no evidence it would work for anything other than shephards and sheep.
Word on what street ?
How about if you "poisoned" the pool of botnets. Since there has to be a master machine sending the "attack" signal, perhaps one could make them turn upon that master. That is to say, modify the botnet binaries running on infected machines and replace them with a modified version.
Next time the botnet master says 'attack IP 192.168.253.1' the botnets instead turn on whomever issues the attack command. This would likely be an "owned" machine and not the attacker's home, but at least it gets knocked off and disabled. Another idea might just be to have the machines redirect the floods to 127.0.0.1, thus incapacitating themselves instead.
Why do all your threads including the instant one get their subject renamed to "Look"?
Note: running a ssh client is ok. Running *any* server of any kind is not. So I can't run sshd without violating my TOS.