Slashdot Mirror
Hunting for Botnet Command and Controls
Uky writes "Convinced that the recent upswing in virus and Trojan attacks is directly linked to the creation of botnets for nefarious purposes, a group of high-profile security researchers is fighting back, vigilante-style. The objective of the group, which operates on closed, invite-only mailing lists, is to pinpoint and ultimately disable the C&C (command-and-control) infrastructure that sends instructions to millions of zombie drone machines hijacked by malicious hackers." From the article: "Using data from IP flows passing through routers and reverse-engineering tools to peek under the hood of new Trojans, Thompson said the researchers are able to figure out how the botnet owner sends instructions to the compromised machines."
Now only if they could do this with Skynet, we might just be able to postpone Judgement Day another 6 years.
Easiest way is to create a small IRC network, and submit the name to all the irc clients out there, so it'll be in the list. Also, name it something so it appears at the top or near the top...
To inflate user counts, just get an ircd that allows assigning yourself or others fake hostnames (for certain hosts/etc). Then load tons of bots in channels pretending to be 'users'. You could even get creative and make them idely chatter with each other..
Anyways, the point is that most of these botnet peoples eventually want to take a part of their net out to go mess with irc channels, and they usually seem to target smaller networks on the top of whatever list they're using.. So all ya gotta do if just log massive joins into certain channels, or when a flood of users magically connect to your fake network.. Then you have tons of bots to dissect or whatever.
When the security "experts" are busy looking at all the data passing through routers, who is busy ensuring that the "experts" will not violate my privacy by reading the personal but sensitive e-mail notes that I send to my friends and associates?
In other words, when the "experts" are protecting me from the hackers, who is protecting me from the "experts"?
So is this news something to be pessimistic about or what? As I understand it, without vigilantes botnets would be even more "unstoppable" than they are now. It's cool that they're mitigating it, but it really comes down to getting some cooperation going on multiple levels... starting with the ISPs acting more against outgoing malicious traffic for a start.
see a Text Widget
The problem isn't botnets, the problem is people and systems. The only reason botnets exist is due to the fact that current software is engineered without much thought toward security, and vendor supplied patches are not applied. Shutting down a botnet is at most only minimally worth the effort as the hosts are still vulnerable to be aquired by the next virus that comes around.
The only solution is secure software engineering and prompt, reliable patching.
What would be really interesting is if using a combination of honeypot PCs (to match trojans to controllers) and the commands used to control the botnets, these vigilantes could make the zombified PCs download and run a cleaning tool to rid themselves of the trojan.
C&C attacks are the staple of today's military. An organized, centralized effort should do wonders for laying waste to the economic value (and motivation) behind such behavior.
The best way to lay waste to someone's economic power in C&C is to destroy their harvesters. Make sure not to send infantry units because they'll suffer tiberium poisoning, or merely be run over by the harvester. Another great way to wreak havoc is to send the engineer into the harvesting facility as the harvester is unloading, you'll get the building, harvester and the tiberium thats being unloaded at the time. Of course, many believe engineering cheese is the cheap way to play C&C, but of course there are too many cheesy plays to count in that game. I suggest you play something like Starcraft. Or Starcraft2, which I have a chance of actually helping with.
God spoke to me.
a group of high-profile security researchers is fighting back, vigilante-style.
This emotionally laden language has been deliberately chosen to make it sound like this activty is a "bad thing [tm]"
I truly believe it is the duty of every person to fight against clearly evil activity.
This includes a mugger hitting an old lady, a middle age man trying to drag a pre-teen girl (or boy) in to a car idiling in the street, and a person trying to kick in the door of the elderly couple down the street.
If the people disabling bot-nets make every effort to be certain they do not harm innocent or uninvolved people (and the standard here is very high), then they are doing a public service. (if they take the attitude, like some "anti-spam" people, of -> 'kill them all, let God sort them out, they are just assholes with very, very small peckers')
Those who believe the gub'mint is going to be johnny on the spot to fix all your boo-boos are sadly misguided: there is neither the manpower or the reaction time to fix everything "bad" in the world. That depends on YOU.
... fighting back the internet scumbags all over the planet, vigilante style...
...
Now if they could just have a cool name, we could have a new hit superheroes movie for this summer.
Any suggestion anyone ?
- The League of Net Shadows
- The League of Extraordinay Nerds
- The Fantastic Fourty
Come on give me something better
So, how is this different from a "Star Chamber"?
/. who might applaud this pro-active white-hattery, who simultaneously strenuously object to the US Patriot act which is pretty much just allowing the government to do the same thing in real life?
I'd be interested to see how many people in
-Styopa
This is a blatant violation of the trojans' EULAs if I ever saw one. The authors put a lot of work into writing those trojans. What gives "security researchers" such a sense of entitlement to that code? If they want to analyze malware, they should write their own!
Yes, but there'll be one trojan per botnet. Script kiddies don't like to share, and in fact the current trend is supposedly groups assembling botnets and then auctioning off their services to spammers. Given that, you can see why the botnet "owner" wouldn't want to allow access to other evildoers.
wish ISPs would hold the lusers (criminally) responsible for this.
You want to throw my mother in the slammer?
You're not nice at all.
Hey guys. Just thought that I would put my $0.02 in.
;)
I am not into botnets anymore, but like most here prolly', I started my internet life on irc. And anyone else who grew up on non dalnet like servers with chan services knows that being on a network without them can be a pain. Especially when smacktards show up for the day
Anyways, knowing a bit about bot's and botnets, I would say that it shouldnt be too hard to take some down. Being irc based, plain text would be one problem. But if you have access to a machine infected, encryption would be pointless since you could just debug the program and find out what it 's protocol is anyways. I think one big issue that was hinted at in one of the above posts was that you should be able to use an infected machine to "take over" the botnet. Well, things dont work that way. For those of you that havent run one or used one before, I will give you a rough idea of what the ones in my day (1.1.15 or so IIRC).
A botnet is basically a shell like environment similar to say a bash shell or a dos prompt. ie: its all text commands using plain ol' ascii. Commands generally start with a ".", like ".help". The botnet also has security systems in place (ie: users with passwords etc) that define who can dcc chat the bot directly, use its !channel commands on irc etc. The eggdrop (sorry, yes, im refering to eggdrop's specifically) bot also has the ability to link multiple bots togethere to form a big "botnet". The is all of course done with special bot accounts with unique passwords.
The reason you cant just take one over (despite it probably being a modified version of this system of bot), is because the other bots are probably only allowed to "take orders" from a specific machine or user. Although for simiplicity sake, I would imagine its just a user and password combo to prevent any traceable information from being gleamed over the botnet traffic. Dont forget to that the botnet would be point to point and most of the traffic would only be coming from a single location (which you would have to find out from a comprimised machine).
In the end, I see the biggest problem in finding the zombies being, how do you tell when a machines infected if the virus tries the best it can to hide itself from non-forensic integrity checking tools. But, over the years I can see software taking a turn to being better checked for authenticity and integrity etc. Once we hit that point, botnets would probably start to disappear. Also consider that the machines themselevs will go offline and be replaced by newer ones that arent suceptable to the same malicious code. This at least forces them to keep active. And keeping them active helps you trace them.
Anyways, hope you had a fun read. Not worth previewing this one, l8r.
No point in treeing it, trees lead to an origin too easily. Cell-style works so much better. Each peer has to discover eachother (Start with the machine that infected it, get the current list of peers from it. randomly ping each peer to see if one drops off, if so send a hint to your other peers. All hints only cause verification, not actually removing. Same for adding new peers this way.
Controlling it is then a matter of keysigned commands. All commands are timestamped to be unique(so you can easily discard duplicate messages), and is verified with the public key. The only way you can be exposed at the leader is if you get caught with the private key.
Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
No wonder you posted that as AC.
Joe Sixpack doesn't consider it "irresponsible" to connect his machine to the net without a firewall. Infact he probably doesn't even know what a firewall is.
If you're looking for someone to blame, look no further than Microsoft for having everyone run as admin and leaving several easily-exploitable ports open by default on every version of Windows up to XP SP2.
By the way just as a reminder - botnets originally entered the limelight after scriptkiddies on IRC networks started mass-scanning and exploiting remote-root vulns on LINUX machines (via exploits for commonly used & often default services such as wuftpd and bind) in order to accumulate more bandwidth to "takeover" IRC channels.
Linux was the primary OS exploited by botnet kiddies waay before Windows. According to you, the admins of those linux boxes should be held liable for getting rooted. While I agree they are at fault for not being more security-minded, I would never consider holding them criminally responsible for getting hacked.
That's just crazytalk.
smattawichu
The bots would be connected to their own P2P-ish system. Commands would be passed around the network in a method similar to searches in Gnutella.
All commands would by signed by my private key. My bots would all have my public key. This, I would be *the only person* who could issue valid commands to my botnet.
This would make it impossible to tell where the commands are coming from since the originator would look just like another bot on the network.
So just port filtering doesn't work. The next idea is to do stateful packet inspection. Every router looks at the contents of every packet to determine if it is part of the IRC protocol.
Ok, this would work, except it would be unacceptably expensive to implement. Plus, I beleive that some (most? all?) IRC servers support SSL and possibly IPSEC. So the packets are encrypted using SSL, and using some non-obvious port. (like say, port 443) At this point, it is very hard to distinguish between legitimate HTTPS traffic and IRC traffic. I suppose you could look at the packet sizes and do traffic analysis on the flows, but you'd still have problems with other legitimate services running over HTTPS. (Like VPN proxies or Java Applets, or Flash)
So, even if IRC is the root of all evil in the world, it's not possible to just "not allow" it.
(Sorry for the rant, I'm getting over being sick and still a bit punchy)