Searching for Botnet Command & Controls

Orange Eater writes "eWeek has a story about a group of high-profile security researchers intensifying the search for the command-and-control infrastructure used to power botnets for malicious use. The idea is to open up a new reporting mechanism for ISPs and IT administrators to report botnet activity." From the article: "Operating under the theory that if you kill the head, the body will follow, a group of high-profile security researchers is ramping up efforts to find and disable the command-and-control infrastructure that powers millions of zombie drone machines, or bots, hijacked by malicious hackers."

This'll surely stop them, or not.

[LordOfTheNoobs]

As soon as they start tracking down the web controlled and irc controlled nets, they'll move to gnutella style distributed control systems and i2p style networks of bots. Good luck tracking one of those to it's source. Onion routing anyone?

Re:What I don't understand

[MustardMan]

Zombies you say? Well, I suppose it depends on the type of zombie. If they are Night of the Living Dead style zombies, then removing the head will indeed kill them. However, if they are Return of the Living Dead type, clearly you need to burn the entire botnet. Of course, the ashy packets would then spread to neighboring datacenters and there'd be hell to pay.

It's a development I can verify

[Opportunist]

When they came into fashion, botnets were mostly comprised of infected machines that got little to no updates. They existed, some bots were discovered and eventually it phased out, only to be replaced by others. The connection was made to a static IRC Server and/or channel, the commands were static, eventually they were discovered and cut off.

Then anti-virus and security companies got aware of the problem and started to counter it. The result were updating bots that reloaded part of their code, some configuration script or a completely new code from a static server. When we started to hunt down the update servers, update servers became dynamic as well.

Today, botnets have a faster and more reliable update mechanism than some commercial products. More fallback servers than most companies. And a faster response time to "blackouts" than anyone in the (legal) commercial 'net.

Another development such nets go through, right as we're talking, is that more and more of the bots get more and more features. Earlier, you had a bot that connects a spam net, another one with keylogging, another one that offers DDoS Sheep properties and so on. More and more, those features become incorporated in one bot. Instead of specialists, you get generalists.

Today you have trojans that create proxies, at the same time they harvest your passwords, especially interested in your server passwords (to turn your personal homepage server in an update box for them), log your input (especially when you're dealing with online services that require money transfer, like paypal or ebay) and use you to send sex-spam out to others.

Those sex-spam sites contain adware popups, those in turn are infected with 0day exploits like the WMF-exploit was. Those in turn contain more trojans.

This all is not necessarily done by one and the same attacker. You can buy and sell those "services". One person or group creating the adware dropper, selling its finding to another group who uses it to get a sheep onto the computer, those in turn sell them to someone who wants to conduct a DDoS attack. Or they sell it to a keylogger, who then uses this to harvest your login data to some pay services to transfer your money or buy stuff for your money.

And this business is growing.