Hunting for Botnet Command and Controls

Uky writes "Convinced that the recent upswing in virus and Trojan attacks is directly linked to the creation of botnets for nefarious purposes, a group of high-profile security researchers is fighting back, vigilante-style. The objective of the group, which operates on closed, invite-only mailing lists, is to pinpoint and ultimately disable the C&C (command-and-control) infrastructure that sends instructions to millions of zombie drone machines hijacked by malicious hackers." From the article: "Using data from IP flows passing through routers and reverse-engineering tools to peek under the hood of new Trojans, Thompson said the researchers are able to figure out how the botnet owner sends instructions to the compromised machines."

Re:Violation of My Privacy?

[wcdw]

At every company/ISP there are people who have the ability, and regularly do, delve into the data streams flowing through the routers. And yes, sometimes they read your letter to Aunt Martha (or worse).

Mostly the volume of data involved is so large that trying to monitor it without filtering for the items of interest is usually impossible. And that filter is your best defense, in this particular situation.

Unless, of course, you're sending Aunt Martha that e-mail over IRC....

Re:Violation of My Privacy?

[deep44]

When the security "experts" are busy looking at all the data passing through routers, who is busy ensuring that the "experts" will not violate my privacy by reading the personal but sensitive e-mail notes that I send to my friends and associates?

Umm.. they're not looking at "all the data passing through routers". Flow data is a sampling of information (source, dest, proto, port, etc) from a designated collection point. Even without the actual "data" portion of the packet, it's impractical to collect anything more than a small percentage of the total traffic.

So you can put the gun down- your privacy is safe.

Re:Why allow IRC?

[Halo-]

I'm not going to argue the merits or faults of IRC, because it doesn't matter. The problem is that even if you say "IRC is bad" there isn't really a way to "not allow" it. Generally IRC uses ports around the range 6669-7000 (IIRC). So everyone firewalls those off... And the owners of the server move to port 3456 (or whatever...)

So just port filtering doesn't work. The next idea is to do stateful packet inspection. Every router looks at the contents of every packet to determine if it is part of the IRC protocol.

Ok, this would work, except it would be unacceptably expensive to implement. Plus, I beleive that some (most? all?) IRC servers support SSL and possibly IPSEC. So the packets are encrypted using SSL, and using some non-obvious port. (like say, port 443) At this point, it is very hard to distinguish between legitimate HTTPS traffic and IRC traffic. I suppose you could look at the packet sizes and do traffic analysis on the flows, but you'd still have problems with other legitimate services running over HTTPS. (Like VPN proxies or Java Applets, or Flash)

So, even if IRC is the root of all evil in the world, it's not possible to just "not allow" it.

(Sorry for the rant, I'm getting over being sick and still a bit punchy)