Slashdot Mirror


Searching for Botnet Command & Controls

Orange Eater writes "eWeek has a story about a group of high-profile security researchers intensifying the search for the command-and-control infrastructure used to power botnets for malicious use. The idea is to open up a new reporting mechanism for ISPs and IT administrators to report botnet activity." From the article: "Operating under the theory that if you kill the head, the body will follow, a group of high-profile security researchers is ramping up efforts to find and disable the command-and-control infrastructure that powers millions of zombie drone machines, or bots, hijacked by malicious hackers."

8 of 114 comments

  1. This'll surely stop them, or not. by LordOfTheNoobs · · Score: 5, Insightful

    As soon as they start tracking down the web controlled and IRC controlled nets, they'll move to gnutella style distributed control systems and i2p style networks of bots. Good luck tracking one of those to its source. Onion routing anyone?

    --
    They're there affecting their effect.
  2. Can't be bothered by archeopterix · · Score: 2, Insightful

      Are all botnet operators dumb? There's a whole heap of things botnet operators could do to insulate themselves and their networks from attack. Examples: [snip]

    Like they actually need to. If the effort described in the article takes off, then perhaps it will become necessary. For now, the botnets thrive without going to such great lengths.

  3. Re:What? by moro_666 · · Score: 2, Insightful

    Sometimes when i open my older mailboxes (which sadly have no spamcheckers) and need a calculator to count the spam messages, i really feel like i'd rather disable the hacker himself, literally.

      I really don't need V!@gr@ nor do i want to buy any other drugs really cheap. And i really don't need the emails that advertise them. Reading e-mail is as private for me as sex is for some other people, if i don't advertise my software products next to your bed while you're having sex, i'd also expect you not to climb into my mailbox to advertise yours.

      Isn't it time to dump the current e-mail system as it is and move on to something else that's really private and personal? Sure you can have a zillion filters installed, but sometimes the filters take out stuff that you need and sometimes they let in stuff that you don't need; they are not perfect. I do understand that by the time the e-mail protocol was invented, the inventors themselves couldn't imagine spamfarms all over the world sending fake emails, but around 30-40 years have passed, maybe it's time to let it go?

      Sure we can't dump the current e-mail mess in one day, but an alternative solution that would slowly take stuff over and be non-anonymous would make very many of us really really happy. If sending out mail would only be authorized to organizations and identified persons, it would make the network a lot cleaner.

      PS. I know it's just a dream and utterly non-realistic in the current circumstances ... but it would still be nice :)

    --

    I'd tell you the chances of this story being a dupe, but you wouldn't like it.
  4. Re:What I don't understand by qwijibo · · Score: 4, Insightful

    They don't do it because they don't have to. The goal is to maintain control over a large number of machines. Currently, the barrier to entry in this market is pretty low. If many of the control nodes are taken out, the botnet operators will change their methods to be more resilient.

    Botnets are about numbers of machines. Destroying a node (i.e., formatting the hard drive) lowers the number of machines. As long as the rate of compromise is greater than the rate of attrition, the botnet will continue to grow and that is good. In this case, doing harm to users is bad business for the botnet operators. Anyway, setting up the botnet as a series of cells means that any cell being compromised has a limited impact.

    I don't assume that computer criminals are dumb. A single felony conviction for youthful stupidity can prevent an otherwise talented technical person from getting any job in many large companies. Organized crime doesn't discriminate against these people and can pay pretty well. There are a lot of security experts who are in their roles today because they never got caught and prosecuted for some of the things they did in the past.

    I first heard of the idea of using spam as a communication medium 3-4 years ago. I wouldn't be surprised if this is already being done. There's so much spam that finding a signal in all that noise would be difficult. Unless you knew exactly what you were looking for, you wouldn't be likely to find it.

  5. Re:What I don't understand by Alioth · · Score: 2, Insightful

    This is why I see our various governments wanting to sniff everyone's email as a pointless waste of time. A spam run is even better than a numbers station (http://en.wikipedia.org/wiki/Numbers_station) because it's a lot more subtle (unlike a numbers station, which you can tell where it is, and when a new one pops up it's obvious; and just like a numbers station, there's no way to tell from a message hidden in spam who the intended recipient is).

    Any terrorist worth his salt who wants to signal terror cells over the internet can easily just use a spam run to do the job, and have the message hidden in the spam's "hash busters" (which are routine these days) and a one time pad to decrypt the message at the other end.

  6. Worst, it wouldn't help a bit by Opportunist · · Score: 4, Insightful

    So far, any reaction from the "good" guys of the net caused a reaction from the "bad" guys. You turn something off? Ok. Next!

    Turn IRC off and they'll do it via usenet and have the bot read a certain (not too spammy) group religiously for his master's voice.

    When you turn that off, they'll find another way. There are so many communication tools out there, so many protocols, from MSN to Skype, and they all can and will be abused to keep the botbrain in touch with his zombies.

    Futile. The only chance is to cut the machines from the 'net that contain those trojans.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Re:P2P is no good way for trojans by 99BottlesOfBeerInMyF · · Score: 2, Insightful

    I'm not sure you're understanding the previous poster. He/she is talking about control networks for botnets, not about distribution mechanisms. Bots and worms can be coded to look for particular filenames on P2P and get their commands from that source. Then they look for the next filename in their list. This is used to direct the bots, not to compromise them.

  8. Re:It's not that hard. by Anonymous Coward · · Score: 1, Insightful

    So once you're on the channel, set up your own bot to send DDoS commands for any IP that connects to the channel. Now you have a bot-net that pretty much nukes itself.