Slashdot Mirror


Hunting for Botnet Command and Controls

Uky writes "Convinced that the recent upswing in virus and Trojan attacks is directly linked to the creation of botnets for nefarious purposes, a group of high-profile security researchers is fighting back, vigilante-style. The objective of the group, which operates on closed, invite-only mailing lists, is to pinpoint and ultimately disable the C&C (command-and-control) infrastructure that sends instructions to millions of zombie drone machines hijacked by malicious hackers." From the article: "Using data from IP flows passing through routers and reverse-engineering tools to peek under the hood of new Trojans, Thompson said the researchers are able to figure out how the botnet owner sends instructions to the compromised machines."
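The flow-analysis step the article alludes to (many compromised hosts all rendezvousing at one command-and-control endpoint) is easy to illustrate. The following Go program is an added example, not code from the article or from the researchers it describes: the flow records are constructed for this example, the `Flow` field names are this example's own rather than any collector's schema, and the grouping key (destination address plus destination port) is an assumption about what "finding the C&C in IP flow data" means in practice.

```go
package main

import (
	"fmt"
	"sort"
)

// Flow is one unidirectional flow record of the kind a router exports.
// The field names are this example's own, not a real collector's schema.
type Flow struct {
	Src     string
	Dst     string
	DstPort int
	Bytes   int
}

// Candidate is a destination endpoint that many distinct sources talk to.
type Candidate struct {
	Dst     string
	DstPort int
	Sources int
}

// SampleFlows is constructed data for this example, not captured traffic:
// several internal hosts all talk to one endpoint on 6667, plus some noise.
var SampleFlows = []Flow{
	{"10.1.1.5", "203.0.113.7", 6667, 1200},
	{"10.1.1.9", "203.0.113.7", 6667, 1300},
	{"10.2.3.4", "203.0.113.7", 6667, 900},
	{"10.2.3.8", "203.0.113.7", 6667, 1100},
	{"10.1.1.5", "203.0.113.7", 6667, 400}, // same source again: must not double count
	{"10.1.1.5", "198.51.100.20", 80, 50000},
	{"10.2.3.4", "198.51.100.20", 80, 42000},
	{"10.9.9.9", "192.0.2.33", 443, 8000},
}

// FindRendezvous groups flows by destination endpoint and counts the distinct
// sources behind each one. Endpoints with at least minSources distinct sources
// are returned, most-connected first. Fan-in like this is the basic signature
// of a central C&C: many drones converging on one address and port.
func FindRendezvous(flows []Flow, minSources int) []Candidate {
	type key struct {
		dst  string
		port int
	}
	seen := map[key]map[string]bool{}
	for _, f := range flows {
		k := key{f.Dst, f.DstPort}
		if seen[k] == nil {
			seen[k] = map[string]bool{}
		}
		seen[k][f.Src] = true
	}
	var out []Candidate
	for k, srcs := range seen {
		if len(srcs) >= minSources {
			out = append(out, Candidate{Dst: k.dst, DstPort: k.port, Sources: len(srcs)})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Sources != out[j].Sources {
			return out[i].Sources > out[j].Sources
		}
		return out[i].Dst < out[j].Dst
	})
	return out
}

func main() {
	for _, c := range FindRendezvous(SampleFlows, 3) {
		fmt.Printf("%s:%d  %d distinct sources\n", c.Dst, c.DstPort, c.Sources)
	}
}
```

On the sample data only 203.0.113.7:6667 clears the threshold of three distinct sources. The check is deliberately crude: any popular legitimate service shows the same fan-in, so on real flow data the threshold has to be far higher and the candidates still need the second half of the article's method, reverse-engineering the Trojan to confirm that the endpoint is where it takes its orders from.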

9 of 228 comments

  1. Easy way to catch them. by Elshar · · Score: 3, Insightful

    Easiest way is to create a small IRC network, and submit the name to all the irc clients out there, so it'll be in the list. Also, name it something so it appears at the top or near the top...

    To inflate user counts, just get an ircd that allows assigning yourself or others fake hostnames (for certain hosts/etc). Then load tons of bots in channels pretending to be 'users'. You could even get creative and make them idly chatter with each other..

    Anyways, the point is that most of these botnet peoples eventually want to take a part of their net out to go mess with irc channels, and they usually seem to target smaller networks on the top of whatever list they're using.. So all ya gotta do is just log massive joins into certain channels, or when a flood of users magically connect to your fake network.. Then you have tons of bots to dissect or whatever.

  2. pessimistic by moz25 · · Score: 4, Insightful

    So is this news something to be pessimistic about or what? As I understand it, without vigilantes botnets would be even more "unstoppable" than they are now. It's cool that they're mitigating it, but it really comes down to getting some cooperation going on multiple levels... starting with the ISPs acting more against outgoing malicious traffic for a start.

  3. Re:Violation of My Privacy? by TCM · · Score: 5, Insightful

    When the security "experts" are busy looking at all the data passing through routers, who is busy ensuring that the "experts" will not violate my privacy by reading the personal but sensitive e-mail notes that I send to my friends and associates?

    You, by encrypting them.

    --
    Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6

  4. Shutting down botnets is a pointless effort.. by Alascom · · Score: 4, Insightful

    The problem isn't botnets, the problem is people and systems. The only reason botnets exist is due to the fact that current software is engineered without much thought toward security, and vendor supplied patches are not applied. Shutting down a botnet is at most only minimally worth the effort as the hosts are still vulnerable to being acquired by the next virus that comes around.

    The only solution is secure software engineering and prompt, reliable patching.

    1. Re:Shutting down botnets is a pointless effort.. by sweetooth · · Score: 3, Insightful

      and until then we'll just let the botnets run rampant....

      Unfortunately that's not a very good solution. While creating more secure software from the ground up is definitely the way to go for the future, you have to have some plan to deal with the current problems. Keep in mind that the vast majority of people aren't going to upgrade to the latest and greatest OS, web browser, or whatever if their existing one works. So even after you've got more secure computing solutions out there you have to convince people it's worth the time and, more specifically, the cost of upgrading.

  5. Re:Violation of My Privacy? by justforaday · · Score: 5, Insightful

    Does it come as a surprise to you that people that have access to routers can sniff your packets?

    --
    I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.

  6. Re:What causes botnets? by Anonymous Coward · · Score: 3, Insightful

    wish ISPs would hold the lusers (criminally) responsible for this.

    You want to throw my mother in the slammer?

    You're not nice at all.

  7. Re:What causes botnets? by majest!k · · Score: 3, Insightful

    No wonder you posted that as AC.

    Joe Sixpack doesn't consider it "irresponsible" to connect his machine to the net without a firewall. In fact he probably doesn't even know what a firewall is.

    If you're looking for someone to blame, look no further than Microsoft for having everyone run as admin and leaving several easily-exploitable ports open by default on every version of Windows up to XP SP2.

    By the way just as a reminder - botnets originally entered the limelight after scriptkiddies on IRC networks started mass-scanning and exploiting remote-root vulns on LINUX machines (via exploits for commonly used & often default services such as wuftpd and bind) in order to accumulate more bandwidth to "takeover" IRC channels.

    Linux was the primary OS exploited by botnet kiddies way before Windows. According to you, the admins of those linux boxes should be held liable for getting rooted. While I agree they are at fault for not being more security-minded, I would never consider holding them criminally responsible for getting hacked.

    That's just crazytalk.

    --
    smattawichu

  8. How my botnet would work. by josh3736 · · Score: 3, Insightful

    If I were a blackhat, my botnet would run thusly:

    The bots would be connected to their own P2P-ish system. Commands would be passed around the network in a method similar to searches in Gnutella.

    All commands would be signed by my private key. My bots would all have my public key. Thus, I would be *the only person* who could issue valid commands to my botnet.

    This would make it impossible to tell where the commands are coming from since the originator would look just like another bot on the network.
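The signed-command scheme sketched in the comment above, worked through in Go as an added example (not the commenter's code, and not a description of any real botnet): the operator holds an Ed25519 private key, every bot carries the matching public key, and a bot acts only on commands that verify. The `Command` layout, the `Seq` counter and the constructed command strings are this example's own assumptions; the counter is included because a bare signature does not stop a third party from replaying a genuine command it captured earlier.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Command is what gets flooded through the peer network. Seq is a
// monotonically increasing counter, covered by the signature, so that a
// captured command cannot simply be re-injected later.
type Command struct {
	Seq     uint64
	Payload string
	Sig     []byte
}

// signedBytes is the exact byte string the operator signs and every bot
// verifies: the big-endian counter followed by the payload.
func signedBytes(seq uint64, payload string) []byte {
	b := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint64(b, seq)
	return append(b, payload...)
}

// Sign produces a command that only the holder of priv could have produced.
func Sign(priv ed25519.PrivateKey, seq uint64, payload string) Command {
	return Command{Seq: seq, Payload: payload, Sig: ed25519.Sign(priv, signedBytes(seq, payload))}
}

// Bot holds the operator's public key (baked into the binary) and the highest
// counter it has accepted so far.
type Bot struct {
	Operator ed25519.PublicKey
	lastSeq  uint64
}

// Accept returns true only for a command whose signature verifies under the
// operator key and whose counter is newer than anything already accepted.
// A replayed genuine command, a tampered payload and a command signed by some
// other key are all dropped, and dropped commands are not forwarded to peers.
func (b *Bot) Accept(c Command) bool {
	if !ed25519.Verify(b.Operator, signedBytes(c.Seq, c.Payload), c.Sig) {
		return false
	}
	if c.Seq <= b.lastSeq {
		return false
	}
	b.lastSeq = c.Seq
	return true
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	bot := &Bot{Operator: pub}

	genuine := Sign(priv, 1, "ddos 192.0.2.1") // constructed command, not a real one
	fmt.Println("genuine:", bot.Accept(genuine))
	fmt.Println("replay:", bot.Accept(genuine)) // same counter again: rejected

	tampered := genuine
	tampered.Payload = "ddos 192.0.2.2"
	fmt.Println("tampered:", bot.Accept(tampered))

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := Sign(otherPriv, 2, "update http://attacker.example/")
	fmt.Println("forged:", bot.Accept(forged))
}
```

What this buys and what it does not: the signature stops anyone without the private key, researchers included, from injecting or altering commands, so the network cannot be taken over by impersonating the operator. It does nothing to hide the network itself. The public key, the peer list and the message format all sit in the bot binary, which is exactly what the reverse-engineering half of the article's method recovers, and once a defender can recognise the traffic the commands can still be observed, the peers enumerated and the hosts cleaned up even though nobody but the operator can steer them.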