Slashdot Mirror

← Back to Stories (view on slashdot.org)

Searching for Botnet Command & Controls

Posted by ryuzaki0 on from the i-want-them-alive-no-disintegrations dept.

Orange Eater writes "eWeek has a story about a group of high-profile security researchers intensifying the search for the command-and-control infrastructure used to power botnets for malicious use. The idea is to open up a new reporting mechanism for ISPs and IT administrators to report botnet activity." From the article: "Operating under the theory that if you kill the head, the body will follow, a group of high-profile security researchers is ramping up efforts to find and disable the command-and-control infrastructure that powers millions of zombie drone machines, or bots, hijacked by malicious hackers."

11 of 114 comments (clear)

  1. This'll surely stop them, or not. by LordOfTheNoobs · · Score: 5, Insightful

    As soon as they start tracking down the web controlled and irc controlled nets, they'll move to gnutella style distributed control systems and i2p style networks of bots. Good luck tracking one of those to it's source. Onion routing anyone?

    --
    They're there affecting their effect.
  2. Query string by Jordan+Catalano · · Score: 4, Funny

    Just filter traffic looking for the string "Sarah Connor".

  3. What I don't understand by Anonymous Coward · · Score: 4, Informative

    Are all botnet operators dumb? There's a whole heap of things botnet operators could do to insulate themselves and their networks from attack. Examples:

    • Make the zombies accept commands from messages using asymmetric encryption. Sign your commands and use stenography to hide them in spam/Usenet/websites/images.
    • Make a P2P network divided into "cells". Have zombies only communicate with five other zombies, relaying commands amongst themselves. If one zombie goes quiet, the zombies talking to it transmit a "compromised" message to their other contacts and disable themselves, finally nuking the hard-drive.
    • Listen to existing network chatter. Bots are harder to detect if they are hidden inside existing communication. Wait until the user sends an email before sending spam for the first time, so if they have a personal firewall installed, chances are, they'll approve your bot, at which point you can send with impunity. Furthermore, you'll have their smarthost address.

    Those are just off the top of my head, I'm sure if it was my actual job to operate a botnet I could come up with something far more sophisticated. So why don't botnet operaters do this? Are they all dumb?

    1. Re:What I don't understand by MustardMan · · Score: 5, Funny

      Zombies you say? Well, I suppose it depends on the type of zombie. If they are Night of the Living Dead style zombies, then removing the head will indeed kill them. However, if they are Return of the Living Dead type, clearly you need to burn the entire botnet. Of course, the ashy packets would then spread to neighboring datacenters and there'd be hell to pay.

    2. Re:What I don't understand by qwijibo · · Score: 4, Insightful

      They don't do it because they don't have to. The goal is to maintain control over a large number of machines. Currently, the barrier to entry in this market is pretty low. If many of the control nodes are taken out, the botnet operators will change their methods to be more resilient.

      Botnets are about numbers of machines. Destroying a node (ie, formatting the hard drive) lowers the number of machines. As long as the rate of compromise is greater than the rate of attrition, the botnet will continue to grow and that is good. In this case, doing harm to users is bad business for the botnet operators. Anyway, setting up the botnet as a series of cells means that any cell being compromised has a limited impact.

      I don't assume that computer criminals are dumb. A single felony conviction for youthful stupidity can prevent an otherwise talented technical person from getting any job in many large companies. Organized crime doesn't discriminate against these people and can pay pretty well. There are a lot of security experts who are in their roles today because they never got caught and prosecuted for some of the things they did in the past.

      I first heard of the idea of using spam as a communication medium 3-4 years ago. I wouldn't be surprised if this is already being done. There's so much spam that finding a signal in all that noise would be difficult. Unless you knew exactly what you were looking for, you wouldn't be likely to find it.

  4. Good luck by dknj · · Score: 4, Interesting

    As someone who has intimate knowledge about hijacking computers (i have plenty of friends from my ..er.. darker days), a lot of these botnet creators employ "features" such as port knocking and stealth commands (may appear as a simple https response) which are usually encrypted. You may be able to stop the sloppy botnets, but I can tell you now that this is not an easy problem to stop nor a friendly society to penetrate. And as a previous poster foreshadowed, a lot of them are already distributed due to the ease of shutting down a headnode. Botnet creators constantly evolve, how do you think they became so elaborate today?

  5. I'd like to report a huge Botnet... by Dareth · · Score: 4, Funny

    It is run by this Taco guy...

    He uses this website, slash something or other. All he has to do is put the url he wants attacked on its frontpage and all his loyal "bots" go right to work on a DDOS attack.

    Most ingenious! And I bet he profits handsomely from it too!

    --

    I only look human.
    My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
  6. It's a development I can verify by Opportunist · · Score: 5, Interesting

    When they came into fashion, botnets were mostly comprised of infected machines that got little to no updates. They existed, some bots were discovered and eventually it phased out, only to be replaced by others. The connection was made to a static IRC Server and/or channel, the commands were static, eventually they were discovered and cut off.

    Then anti-virus and security companies got aware of the problem and started to counter it. The result were updating bots that reloaded part of their code, some configuration script or a completely new code from a static server. When we started to hunt down the update servers, update servers became dynamic as well.

    Today, botnets have a faster and more reliable update mechanism than some commercial products. More fallback servers than most companies. And a faster response time to "blackouts" than anyone in the (legal) commercial 'net.

    Another development such nets go through, right as we're talking, is that more and more of the bots get more and more features. Earlier, you had a bot that connects a spam net, another one with keylogging, another one that offers DDoS Sheep properties and so on. More and more, those features become incorporated in one bot. Instead of specialists, you get generalists.

    Today you have trojans that create proxies, at the same time they harvest your passwords, especially interested in your server passwords (to turn your personal homepage server in an update box for them), log your input (especially when you're dealing with online services that require money transfer, like paypal or ebay) and use you to send sex-spam out to others.

    Those sex-spam sites contain adware popups, those in turn are infected with 0day exploits like the WMF-exploit was. Those in turn contain more trojans.

    This all is not necessarily done by one and the same attacker. You can buy and sell those "services". One person or group creating the adware dropper, selling its finding to another group who uses it to get a sheep onto the computer, those in turn sell them to someone who wants to conduct a DDoS attack. Or they sell it to a keylogger, who then uses this to harvest your login data to some pay services to transfer your money or buy stuff for your money.

    And this business is growing.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Re:What is ..? by tomhudson · · Score: 4, Funny

    It's a Perl script that says "Hello, World!"
    ... so it IS line noise :-)

    FTFA:

    Operating under the theory that if you kill the head, the body will follow ... find and disable the command-and-control infrastructure that powers millions of zombie drone machines

    Here you go: One Microsoft Way Redmond, WA 98052 Phone: (425) 882-8080 Fax: (425) 706-7329.

  8. Worst, it wouldn't help a bit by Opportunist · · Score: 4, Insightful

    So far, any reaction from the "good" guys of the net caused a reaction from the "bad" guys. You turn something off? Ok. Next!

    Turn IRC off and they'll do it via usenet and have the bot read a certain (not too spammy) group religiously for his master's voice.

    When you turn that off, they'll find another way. There are so many communication tools out there, so many protocols, from MSN to Skype, and they all can and will be abused to keep the botbrain in tough with his zombies.

    Futile. The only chance is to cut the machines from the 'net that contain those trojans.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. Enforcement? Hello? by mabu · · Score: 4, Informative

    The biggest problem with spam and viruses and worms is that the federal authorities, specifically those in the United States, don't seem to give a damn about going after these criminals. They don't need to pass any new laws. Computer tampering is computer tampering and the feds are either ignorant or scared, or being told to prioritize the prosecution of these cases as low priority. If you start nailing these people, things will dramatically slow down, but the real reason spam and other attacks are increasing is because enforcement hasn't gotten off its lazy ass and started to prosecute more of these criminals. The way I figure, when Wal-Mart is interrupted by some massive bot-net, then and only then will the government suddenly recognize this is a really bad thing that needs to be dealt with.