Searching for Botnet Command & Controls
Orange Eater writes "eWeek has a story about a group of high-profile security researchers intensifying the search for the command-and-control infrastructure used to power botnets for malicious use. The idea is to open up a new reporting mechanism for ISPs and IT administrators to report botnet activity." From the article: "Operating under the theory that if you kill the head, the body will follow, a group of high-profile security researchers is ramping up efforts to find and disable the command-and-control infrastructure that powers millions of zombie drone machines, or bots, hijacked by malicious hackers."
Operating under the theory that if you kill the head, the body will follow, a group of high-profile security researchers is ramping up efforts to find and disable the command-and-control infrastructure that powers millions of zombie drone machines, or bots, hijacked by malicious hackers
I am god ... I just need to find the malicious hacker and disable the command-and-control infrastructure.
Spo0nman,
As soon as they start tracking down the web controlled and irc controlled nets, they'll move to gnutella style distributed control systems and i2p style networks of bots. Good luck tracking one of those to its source. Onion routing anyone?
They're there affecting their effect.
Just filter traffic looking for the string "Sarah Connor".
Are all botnet operators dumb? There's a whole heap of things botnet operators could do to insulate themselves and their networks from attack. Examples:
Those are just off the top of my head, I'm sure if it was my actual job to operate a botnet I could come up with something far more sophisticated. So why don't botnet operators do this? Are they all dumb?
As someone who has intimate knowledge about hijacking computers (I have plenty of friends from my ..er.. darker days), a lot of these botnet creators employ "features" such as port knocking and stealth commands (may appear as a simple https response) which are usually encrypted. You may be able to stop the sloppy botnets, but I can tell you now that this is not an easy problem to stop nor a friendly society to penetrate. And as a previous poster foreshadowed, a lot of them are already distributed due to the ease of shutting down a headnode. Botnet creators constantly evolve, how do you think they became so elaborate today?
This: "yvRpS9t6OD9ueF39E8pGSUZCssLO7XmPjyNadWjv"
A botnet command or some other traffic?
Or even noise for the sake of noise? (i.e., spamming the government's ears)
The sea changes color, but the sea does not change.
or: the group is ramping...
This will have to go beyond simple traffic scanning. If not how would they determine whether a group of machines are bots or are simply responding to SETI@home or whatever other distributed systems are running over the 'net?
Seems like at some level there will have to be a human protocol that decides which traffic is naughty and which is nice. Humans can be manipulated and protocols spoofed. If this weren't the case we wouldn't be having this discussion in the first place.
Ah, but group in this case is singular. So "is" is valid if it is the group which is ramping up, or "are" if it is the members which are :)
James P. Barrett
From the article: "The compromised machines are controlled by a 'botmaster' ... If that command-and-control is disabled, all the machines in that botnet become useless to the botmaster."
Somewhere, there is a joke that begins with the quote "I AM TEH BOTMASTER!" and ends with the quote "AND I AM TEH GATEKEEPER!", but alas, I cannot figure it out right now.
Oh slashdot, help me out here.
No messages have been posted to the botlist yet. I subscribed and thought I'd check out the archive... it's empty. Seems like they'd advertise lists that were up and running with content, not lists w/o any. Perhaps it was set up by bot masters so they'd know who to pick off?
Operating under the theory that if you kill the head, the body will follow...
In contrast, it has been found that some zombie PCs are operating under the theory that if you cut off the head, the body will just wander around aimlessly.
He who knows best knows how little he knows. - Thomas Jefferson
...shutting down IRC.
I hate printers.
'Group' is singular; the group is ramping up.
However, it's true that there are different conventions on each side of the Atlantic for things like this, which may confuse things. In the U.S., Microsoft is developing Vista; in the U.K., they are. Does that affect words like 'group'? Anyone from the UK to comment?
You have been defeated by a Grammar Allied Force.
The only change I can believe in is what I find in my couch cushions.
Black Sabbath rocks or Black Sabbath rock?
The government is corrupt or the government are corrupt?
There is a large number of other examples, or there are?
Let the Grammar Nazi Civil War commence!
Obviously grabbing random traffic and scanning it isn't going to work. They need to "capture" one of the bots, and study it. Watch all the traffic coming and going, disassemble the software that receives and executes the commands. Then they'd have a solid base for knowing how to track and/or block traffic like that, at least for that one bot variant. So, they'd have to do that for every bot network out there. And who knows how many there really are, or how different they are.
It is run by this Taco guy...
He uses this website, slash something or other. All he has to do is put the url he wants attacked on its frontpage and all his loyal "bots" go right to work on a DDOS attack.
Most ingenious! And I bet he profits handsomely from it too!
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
When conjugating "to be" for plural or singular you take the plurality of the subject. As the subject in this case is a collective noun, "group", it may seem that "are" is the appropriate form. But "group" is a singular collective noun, as distinct from "groups" for multiple groups. Because the noun "group" is singular, the singular conjugation of the "to be" verb is used, that being "is".
Here are some examples:
RIGHT: The group is stupid.
WRONG: The group are stupid.
RIGHT: The bunch of grapes is rotten.
WRONG: The bunch of grapes are rotten.
RIGHT: The Slashdot crowd is bad at grammar.
WRONG: The Slashdot crowd are bad at grammar.
There are cases that may *appear* to be exceptions, and the one that comes to mind is that of the noun "people". People is plural for "person" and appears to be a singular collective noun just like group. However "people", as well as being a singular collective noun, (with plural form being "peoples", often used when referring to multiple distinct groups of people) is also a true plural of "person" ("persons" is not accepted as the correct word, although its use is becoming accepted into contemporary English):
RIGHT: "The group is screwed."
WRONG: "The people is screwed."
RIGHT: "The people are screwed."
WRONG: "The group are screwed."
Questions?
Sigh. Only on Slashdot etc. etc.
When they came into fashion, botnets were mostly comprised of infected machines that got little to no updates. They existed, some bots were discovered and eventually it phased out, only to be replaced by others. The connection was made to a static IRC Server and/or channel, the commands were static, eventually they were discovered and cut off.
Then anti-virus and security companies became aware of the problem and started to counter it. The result was updating bots that reloaded part of their code, some configuration script or completely new code from a static server. When we started to hunt down the update servers, update servers became dynamic as well.
Today, botnets have a faster and more reliable update mechanism than some commercial products. More fallback servers than most companies. And a faster response time to "blackouts" than anyone in the (legal) commercial 'net.
Another development such nets go through, right as we're talking, is that more and more of the bots get more and more features. Earlier, you had a bot that connects to a spam net, another one with keylogging, another one that offers DDoS sheep properties and so on. More and more, those features become incorporated in one bot. Instead of specialists, you get generalists.
Today you have trojans that create proxies, at the same time they harvest your passwords, especially interested in your server passwords (to turn your personal homepage server into an update box for them), log your input (especially when you're dealing with online services that require money transfer, like paypal or ebay) and use you to send sex-spam out to others.
Those sex-spam sites contain adware popups, those in turn are infected with 0day exploits like the WMF-exploit was. Those in turn contain more trojans.
This all is not necessarily done by one and the same attacker. You can buy and sell those "services". One person or group creating the adware dropper, selling its finding to another group who uses it to get a sheep onto the computer, those in turn sell them to someone who wants to conduct a DDoS attack. Or they sell it to a keylogger, who then uses this to harvest your login data to some pay services to transfer your money or buy stuff for your money.
And this business is growing.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Operating under the theory that if you kill the head, the body will follow
Imagine were that not the case! Headless bots roaming the net looking for trouble.
In all seriousness, I could imagine some nasty work that could be done to turn disbanded botnets into a bigger problem than active ones.
Do you see what I did there?
Original Ghostbusters movie... and Sigourney Weaver is still HOT! Alien infested or not.
He's obviously good at getting the spotlight shined on him.
Here's an example of his bot expertise though.
Anyone else wonder if this guy isn't running this list just to get help removing his competition? I think he might be a botmaster himself.
So can we coin a new term for a headless bot?
How about the Chicken Bot? Keeps on going even with its head cut off. Or the Dead Chicken Bot? Or the Dead Bok Bok Bot? (say that 3 times fast)
How about a zombied zombie PC? Or AWOL bots?
The list of bad jokes goes on!
private irc servers. so obvious i don't know why the question is even asked
What's to stop them from moving to a p2p VPN style system. Good luck separating that from legit traffic.
"Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
> In the U.S., Microsoft is developing Vista; in the U.K., they are. Does that
> affect words like 'group'? Anyone from the UK to comment?
I've seen/heard both.
A quick Google reveals this:
http://news.bbc.co.uk/1/hi/programmes/radio_newsroom/1099593.stm
-----
Collective nouns
can be singular or plural. The only rule is: you must be consistent. "Marks and Spencer is selling a new biscuit. They say it's the best ever made" is the type of rubbish we broadcast far too often. In a sporting context, teams are always plural: "England are in the soup", "Manchester United are finished", "Wales are resurgent".
Half
can be singular or plural: half the oranges were eaten; half the food was eaten.
Plurals
the media remain plural, agenda has become singular. Refrain from unnecessary Latin plurals: call them referendums, formulas. The singular of "criteria" is "criterion". While on the subject, to write: "One in twenty people believe the world is about to end" is wrong; even if that one in twenty IS right.
-----
(I don't understand that last sentence...)
For many reasons.
First, the attention it already has. Providers are aware of P2P traffic and how it clogs their cables.
Second, lack of control. You cannot control what gets where when with P2P. You cannot say NOW we start to distribute this version, NOW we stop distributing this version. This is essential. Without it, you need more sophisticated and less reliable ways to tell your trojan whether the item it just found is "better" than what it has now.
Third, the spread is too slow through P2P. The chance that an antivirus or security company has a copy of the virus and can work out an antivirus signature or removal kit (not to mention in depth analysis) BEFORE it has spread widely enough is simply too big.
Look at its insides and you'll know whether the bot would react or consider it garbage.
Granted, if they used some more sophisticated encryption it would probably be near impossible to find out what a "valid" command is and what isn't, unless tested against the bot. So far, they haven't.
KISS principle. If it's not necessary, why bother? Works well without.
So far, any reaction from the "good" guys of the net caused a reaction from the "bad" guys. You turn something off? Ok. Next!
Turn IRC off and they'll do it via usenet and have the bot read a certain (not too spammy) group religiously for his master's voice.
When you turn that off, they'll find another way. There are so many communication tools out there, so many protocols, from MSN to Skype, and they all can and will be abused to keep the botbrain in touch with his zombies.
Futile. The only chance is to cut the machines from the 'net that contain those trojans.
I believe that was Skynet not Botnet.
"No fate but what we make."
Support Right To Repair Legislation.
Idiots must stop pumping money into it.
While this was easy with the .com biz, where normally smart people thought the 'net was some kind of new big gold rush wonderland, .con could only be stopped by cutting the morons off the 'net.
It doesn't take a genius to install a firewall, a virus tool and refrain from clicking every single piece of junk you get sent. If you can't apply 2 brain cells to a task, get outta my net!
I'd rather just find a way in, and tell all the computers to destroy themselves (mess up the boot partition, delete some critical files, whatever). That might make the users a little more aware, and remove a lot of the botnet power out there.
The biggest problem with spam and viruses and worms is that the federal authorities, specifically those in the United States, don't seem to give a damn about going after these criminals. They don't need to pass any new laws. Computer tampering is computer tampering and the feds are either ignorant or scared, or being told to prioritize the prosecution of these cases as low priority. If you start nailing these people, things will dramatically slow down, but the real reason spam and other attacks are increasing is because enforcement hasn't gotten off its lazy ass and started to prosecute more of these criminals. The way I figure, when Wal-Mart is interrupted by some massive bot-net, then and only then will the government suddenly recognize this is a really bad thing that needs to be dealt with.
I think these folks are headed in the right direction when it comes to destroying botnets.
From their page:
Kathy Wang ToorCon 2005
So, what's a honeyclient?
Honeyclients provide the capability to proactively detect client-side exploits
Drives client application to connect to servers
Any changes made to honeyclient system are unauthorized - no false positives!
We can detect exploits without prior signatures
What can honeyclients do for you?
Allows proactive monitoring of malicious servers
Allows discovery of client 0-day
This can be extended beyond just HTTP clients
Any other client-server based protocol will work
"Never underestimate the power of a small tactical nuclear weapon."
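The "any change to the honeyclient system is unauthorized" rule from the slides, as an added example that is not the honeyclient project's own code: a Python sketch that baselines a directory tree, runs one client visit, and reports every difference as a detection, with no signature involved. The sandbox tree, the two simulated visits and the file names are constructed for the demo.

```python
"""Honeyclient-style integrity check: baseline a monitored tree, drive the
client at a server, snapshot again; any change at all counts as a detection."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every regular file under root (POSIX-style relative path) to its
    SHA-256 and size, the state a honeyclient records before each visit."""
    state = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            state[path.relative_to(root).as_posix()] = (
                hashlib.sha256(data).hexdigest(), len(data))
    return state


def diff(before, after):
    """Added, removed and modified paths between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after
                           and before[p] != after[p]),
    }


def visit(root, drive_client):
    """One honeyclient cycle: baseline, let the client fetch the page, diff.
    drive_client(root) stands in for pointing the real browser at a server."""
    before = snapshot(root)
    drive_client(root)
    return diff(before, snapshot(root))


def demo():
    """Constructed sandbox standing in for the honeyclient VM's disk."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = Path(root) / "system32"
        sysdir.mkdir()
        (sysdir / "kernel.dll").write_bytes(b"clean")
        (Path(root) / "hosts").write_text("127.0.0.1 localhost\n")

        def clean_page(r):
            pass  # a clean page leaves the client untouched: nothing to report

        def hostile_page(r):
            # What a successful client-side exploit leaves behind: a dropped
            # binary and a rewritten hosts file (simulated, not real malware).
            (Path(r) / "system32" / "dropped.exe").write_bytes(b"payload")
            (Path(r) / "hosts").write_text(
                "127.0.0.1 localhost\n0.0.0.0 av-update.example\n")

        return visit(root, clean_page), visit(root, hostile_page)
```

A real honeyclient would also cover registry keys, running processes and listening sockets, but the decision rule is the same: a non-empty diff after a visit is a detection.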
How appropriate.
Justice is the sheep getting arrested while an impartial judge declares the vote void.
Agreed. I had a small game server business that I ran on the side to make a few bucks and as a hobby. Our revenue per month was only a few thousand dollars. We were hit by a large and coordinated botnet ddos attack that disabled our servers for a day causing us to lose customers.
We notified the FBI the conversation went something like this:
FBI: How much money did your company lose as a result of this attack?
Us: Well maybe a thousand dollars from lost customers, etc.
FBI: If there wasn't $10,000 in damage we can't help you.
Actually, I believe it is "Gramm a r Nazi!"
{Since no one had yet pointed this out... the task falls to me. (sigh)}
{Shame on you, Slashdotters!}
Netstat. Ooh I'm connected to some weird server. Ethereal, ooh I see a password being sent to join this IRC server/channel. Choose a suitable name with X-Chat or BitchX and join the channel, see the commands fly by. But don't say anything.
I've done it many times whenever I've managed to isolate one of these trojans in Virtual PC. I've also watched the commanders having a great big "LOL" in channel, and felt awful that if I said anything it'd blow my cover. Try it today.
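An added example, not code from the thread: a small Python checker that applies the indicators the post walks through (an IRC registration on an odd port, a server password in the clear, a machine-generated nick, a keyed channel, a download instruction flying by in the channel) to reassembled streams such as Ethereal would show. The session lines, the scoring weights and the RFC 5737 addresses are all constructed.

```python
"""Flag IRC-style command-and-control sessions in reassembled TCP streams."""
import re

IRC_PORTS = {6667, 6697}
# Nicks such as "[USA|XP]-4821": a country/OS tag followed by a serial number.
GENERATED_NICK = re.compile(r"^\[?[A-Z]{2,3}[|\]]\S*\d{3,}$")
DOWNLOAD_MSG = re.compile(r"PRIVMSG #\S+ :.*https?://", re.IGNORECASE)
SUSPICIOUS = 4  # total score at or above this is worth an analyst's look


def analyze(dst_port, lines):
    """Return (points, reason) pairs for one reassembled client<->server stream.

    `lines` holds client commands and server replies in stream order; server
    lines carry a ':' source prefix, client commands do not.
    """
    reasons = []
    client = {}  # verb -> argument lists the client sent
    for raw in lines:
        line = raw.strip()
        if line.startswith(":"):
            if DOWNLOAD_MSG.search(line):
                reasons.append((2, "channel message carries a download URL"))
            continue
        verb, *args = line.split(" ", 2)
        client.setdefault(verb.upper(), []).append(args)
    if not {"NICK", "USER"} <= set(client):
        return []  # no IRC registration: not an IRC session at all
    reasons.append((1, "IRC registration observed"))
    if dst_port not in IRC_PORTS:
        reasons.append((2, f"IRC on non-standard port {dst_port}"))
    if "PASS" in client:
        reasons.append((1, "server password sent in the clear"))
    for args in client["NICK"]:
        if args and GENERATED_NICK.match(args[0]):
            reasons.append((2, f"machine-generated nick {args[0]}"))
    for args in client.get("JOIN", []):
        if len(args) == 2:
            reasons.append((1, f"joined keyed channel {args[0]}"))
    return reasons


def score(reasons):
    return sum(points for points, _ in reasons)


def scan(sessions):
    """sessions: {(dst_ip, dst_port): lines}. Suspicious ones, worst first."""
    hits = {ep: analyze(ep[1], lines) for ep, lines in sessions.items()}
    return sorted(((ep, score(r), [why for _, why in r])
                   for ep, r in hits.items() if score(r) >= SUSPICIOUS),
                  key=lambda h: h[1], reverse=True)


# Constructed sample streams (RFC 5737 addresses; nothing here is real).
SAMPLE = {
    ("192.0.2.10", 6667): [
        "NICK alice", "USER alice 0 * :Alice", "JOIN #python",
        ":bob!b@h PRIVMSG #python :hi alice"],
    ("198.51.100.7", 3305): [
        "PASS letmein", "NICK [USA|XP]-4821", "USER xp 0 * :xp",
        "JOIN #b0ts s3cret",
        ":op!o@h PRIVMSG #b0ts :.update http://198.51.100.7/u.exe"],
}
```

Run `scan(SAMPLE)` and only the second stream comes back; the first is an ordinary IRC session and scores too low to report.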
see, you should have just lied, and told them you lost $10,000
The phrase "more better" is acceptable English. suck it grammar Nazis
I think you make a good point.. The same research as stated above to "study" these botnets could also be used to take control of ones with "no heads" ... ha
Kill your TV
People write bots and operate bot nets because there is money to be made from this kind of operation. Numerous stories have been posted here and elsewhere about botnets bringing down big companies' servers or being used to extort money. This means there is a lot of money to be earned (especially in countries with no decent judicial system and/or high levels of corruption), so obviously it attracts talented folks.
What this whole story brings to us is not that AV and security experts deal with botnets (they've been doing this for many years; this would not at all be newsworthy in the year 2006). It means that some higher-level folks got pissed off by this situation and are starting to pour significant amounts of money into the anti-botnet effort.
Rest assured that the people who are sent to hunt down botnets are not beginners who just know ROT13 and XOR; they know what they are doing, and because they will be in high demand, they will get paid well, which brings more smart people into the field.
Don't forget, the Italian mafia was able to operate for decades without significant interference from the FBI and the government. But when the mob got too obnoxious, RICO was passed and a number of these suckers went to prison for good.
"You insensitive prick! Do you have any idea how much that stings?"
//Information does not want to be free; it wants to breed.
First off this is a flat out lie:
"Evron, who serves as CERT manager in Israel's Ministry of Finance"
Want some more information on your fearless leader:
http://tinyurl.com/mnbk4
Yeah, I wonder what he's doing with all the information these people are trusting him with.
"...malicious hackers", better known as criminals.
porn != spam
my password really is 'stinkypants'
is a guy whose internet connection is a bit slow, wondering if it's because his computer is 'too old'.
if you take down the ip or the machine, you're also attacking this guy, who's never even heard of botnets.
startkeylogger
If you disagree with me on social issues, then it's pretty clear that you are a narrow-minded bigot.
welcome to missing the joke, einstein
Solution is simple. Tell the Feds botnets are being used by terrorists. Once they get the idea that these bot nets are being used to distribute terrorist information, crack military encryption for the terrorists and target American soldiers, and fund terrorists, Homeland Security will be busting down doors. Or they will create the "Patriotic Computer Act" which forces all computers to run Federally approved anti-terrorist software, you know, the stuff to keep these evil botnets from occurring on your computer and analyzing and reporting anything suspicious on your computer.
You can participate in this effort via mail list. Go to http://www.whitestar.linuxbox.org/mailman/listinfo/botnets to sign up.
Ignorance is curable, stupid is forever.
Isn't it time to dump the current e-mail system as it is and move on to something else that's really private and personal ?
:(
2 or more (trusted) parties sign up for a free dns name from places like no-ip, communicate the dns name to the other parties by phone/fax/mail/smoke signals, then use these (hopefully) secure/obscure dns names to send/receive (secure) web/traffic on port 80/443. if all the parties are on static ip addresses that do not/rarely change, you can forego the DNS bit altogether.
This bypasses the current email system on ports 25/110 altogether.
If the spammers subvert this method then other well-known ports will have to be used instead in a 'rotating frequency' fashion.
The ISPs can't block ALL the well known ports -- that would 'break' the Internet!
Spam email and postal junk mail can't be stopped, only filtered out/discarded/recycled.