Slashdot Mirror
Meet the Botnet Hunters
An anonymous reader writes "The Washington Post is running a pretty decent story about 'Shadowserver,' one of a growing number of volunteer groups dedicated to infiltrating and disabling botnets. The story covers not only how these guys do their work but the pitfalls of bothunting as well. From the article: 'Even after the Shadowserver crew has convinced an ISP to shut down a botmaster's command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'"
We don't need their scum.
Is there a central location that tracks the current largest botnets, what their purpose is, their communication mechanisms, etc? I googled and couldn't find much.
Those first two paragraphs sound like a movie pitch. A wierd movie pitch...
Botmasters will switch to gossip-based protocols (like p2p) to achieve their goals. The good ones have done this already.
This is required for other reasons: if you have more than 10K or so bots, you are better off with a distributed mechanism.
Interestingly enough, most of the botmasters are not so technical - they wouldn't be able to comprehend virtual synchrony if it smacked them in the face.
http://www.thebricktestament.com/the_law/when_to_
There should be a way to reverse engineer the clients so that they can delete themselves, I'm not exactly a botnet admin, but they have file access from what I have learned. Should they not just be able to use a friendly botnet server to tell the computers to delete the client software?
www.shadowserver.org/
This space intentionally left (almost) blank.
In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'
Why don't the hunters register the domain for themselves? Or just ask the registrar controlling it to transfer it to their control? If the botnet owner tries to complain it's been hijacked he'd have to explain the botnet..
http://twitter.com/onion2k
This whole loose-knit bunch of humans doing their part against a force of cold, malignant bots has a great edge to it! Someone should make a movie or three like this.
Slashdot Burying Stories About Slashdot Media Owned
So, these guys find botnets, collect the info to have them shut down, and then get the channel shut down? While this is great, it does little to stem the tide of bots. Adware/spyware and viruses are still being made to create more bots. So, while Shadowserver goes after the host servers, there are still millions of computers that are infected and transmitting, including that physician that was sending patient data!! If we really want to shut botmasters down, we need to battle the root of the problem. Unfortunately, we're still not allowed to kill of the bottom of the gene pool. Either that or switch from XP to a better OS platform that has fewer known vulnerabilities (Mac, *nix).
"The only constant in the universe is change." - Unknown author
Nice until they run into a mobster-botmaster with a gun.
This is a task for the government, not for pimpled nerds.
Just my 2c...
Damnit Jim, I'm [root@localhost w00t]#, not an AD-Adminstrator(tm) !
.. with all this mention of 'The Botmaster' it sounds more like a cue for a gay porn movie with a Neuromancer style theme.
Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists.
Since we're discussing drones, wouldn't a more appropriate analogy have been "like lost bees without a queen"?
Buggy bot: Would you like to shut us down now or wait 'till you get home?
Daffy fuck: SHUT HIM DOWN NOW! SHUT HIM DOWN NOW!
Buggy bot: You keep out of this. He doesn't have to shut you down now.
Daffy fuck: He does SO have to shut me down now! I demand that you shut me down now. (Nyeah!)
Spammer: daffy# shutdown -now
Botnet: *reboots*
Daffy fuck: Let's read those logs again.
Buggy bot: Okay. bugbot: would you like to shut us down now or wait 'till you get home?
Daffy fuck: daffy: shut him down now
Buggy bot: bugbot: you keep out of this, he doesn't have to shut you down now
Daffy fuck: Aha! Hold it right there. DNS cacne poisoning. It's not 'he doesn't have to shut you down now, it's he doesn't have to shut me down now.' Well, I say he does have to shut me down now! So shut me down now!
Spammer: daffy# shutdown -now
Botnet: *reboots*
So many of these Botnets are used to send SPAM. I get a gut feeling that efforts would better be expended on getting widespread adoption of a more secure, universal SMTP protocol.
-- Jim http://www.runfatboy.net/
"However, now I see how many malicious files tied to major botnets remain undetected" by the most popular anti-virus programs.
Sounds like a golden opportunity for ingenious programmers to design something to seek out and destroy these botnets, and then sell it to Microsoft for a fortune.
Another botnet hunter article from eWeek.
He who knows best knows how little he knows. - Thomas Jefferson
FTA: "I know many users within my former organization who felt that anti-virus and spyware scanning would save them," Di Mino said. "However, now I see how many malicious files tied to major botnets remain undetected" by the most popular anti-virus programs.
This, unfortunately, is the most common viewpoint from end-users and IT alike.
It's unfortunate because it's so dangerously inaccurate. Lots (LOTS) of spyware is not detected by any of the mainstream detection applications. The best solution I've found is using HijackThis to manually remove suspicious entries, but this is hardly a feasible solution for the average user.
It will show them how to write a technical article properly.
Why not simply convince the ISP's to block infected machines from accessing the internet to start with? They [the ISP's] can probably easy spot botnet traffic and could seriously stop botnets.
Just my 2 cents.
My work here is dung.
Only a partial solution (not even really a solution), but many of the hijacked PC's are left on all night to spew their viagra spam to the net or take part in DOS attacks (or whetever the hell they do).
So... turn your computer off when you are not using it.
Hell you will even same some electricity while you are at it.
Seems like taking 8 or 9 hours out of the day for the bot to actually operate will atleast decrease some of the traffic these bots are generating.
The practice people have developed of leaving their computers on 24/7 should stop... unless of course the computer is doing something more productive than generating elaborate mazes of 3 dimensional plumbing schemes.
I am very small, utmostly microscopic.
Besides the usual info about how many pcs he had infected (30,000 by his count), how he had done it (found software on a site) there was this bit at the end of the article from Symantec:
According to stats released this week by computer security giant Symantec Corp., the most common computer operating system found in botnets is Microsoft's Windows 2000, an OS predominantly used in business environments. Indeed, the vast majority of bots in Witlog's network were Win2K machines, and among the bots I saw were at least 40 computers owned by the Texas state government, as well as several systems on foreign government networks. At least one machine that he showed me from his botnet was located inside of a major U.S. defense contractor.
The permanent linnk for the article can be found here.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Let me get this straight. Summing up TFA, he found evidence of the bots, even saw persanal medical info, and turned it into the authorities WITHOUT any suspicion cast his way????
If I would have done such a good deed (and it was a good deed in my book), I'd have probably been hauled off for questioning. That's the fear as to why I don't "get involved" trying to stop these jerks myself.
First, if you can access the botnet to the degree at which this guy claims to be able to do, then you can take control of it. And with any decent botnet, you can make the things run arbitrary code. With only minor analysis of the bot, you could make the entire network self-destruct without too much difficulty. Have it kill it's own startup on reboot sequence, then have it create a new RunOnce to delete it's own executable on reboot. Then shut down or force a reboot or just pop a message up on the screen telling the user he's been infected. As soon as somebody notices they'll likely reboot and possibly install updates and patches to their bloody machine.
This is less risky than the obvious angle of simply patching the box so it can't get infected, because you know that the bot is not supposed to be running on the machine in the first place. Patching the box might go bad or have other unknown consequences, but having the bot kill itself is not nearly as bad. And by possibly informing the user of the facts, you can still scare them into patching their box. Screw shutting down the botnet owner's connection, shut down the botnet itself. Take away their tool in one swift stroke. Make 'em have to build a new one, hopefully from a whole new set of boxes.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
The FBI wants there to be a minimum of $20,000 of verifiable loss before they'll even send an agent out.
I know this from having been an I.T. guy for a state prosecutors office. We had to do everything ourselves and did we ever.
So in a way, these guys are the Buffy (Season One) to the Botnet's Master? They "slay" the host machine, the source of the trouble, but all the undead zombies are left lurching and crippled, waiting for someone else to lead them, who of course, eventually shows up. ... so, can someone hook me up with the main Shadowserver girl?
I used to do that back in the day.
1> Search for EXE's off the latest P2P network or skulk around in some IRC channel until a some chap offers it to you.
2> Take apart that self-extracting zip and look through the mirc script.
3> Work out where they're sending there zombies. Masquerade as a bot for a bit.
4> Figure out a way to issue commands to the bots if possible.
5> Figure out a generic command to issue that stops the bodged mirc from launching or removes it outright.
6> Send it and laugh like a crazy fool at those 74M3RZ as they curse you and you're silly bot killing ways.
Ahh, the folly of youth.
Then again, this is the US Government we're talking about here.
Warning: Corny karma killing post above.
Call me when they start a group of hunters for the Nintendo R.O.B. . They are the bots we should be really watching out for.
Formating the guy's HD might be a little extreme, but back when I actually used IRC, I used to get bots trying to infect me all the time. So I'd run the file, capture and analyze the packets it sends as it's connecting, then shut it down, reconnect using mIRC, and take over the botnet. From there it was a simple matter to get them to accept a script which would eradicate all the bots.
They're getting more complex these days, but the same principles still apply. Once you get one on your system, it's a simple matter to analyze it and use it to take control off, and destroy, the rest of them.
Wasn't this an episode of Stargate: SG-1?
A few months ago, Taylor became obsessed with tracking a rather unusual botnet consisting of computers running Mac OS X and Linux operating systems.
As that means that there a large numbers of breachable OS X and Linux machines out there, that pretty much puts to death the myth that OS X and Linux are sufficiently secure out of the box.
You have tried to support your argument with faulty reasoning! Go directly to jail; do not pass Go, do not collect $200!
Vigilantism is still against the law in this case. Computer tampering is computer tampering.
The solution to this problem is to put a few of these guys in jail. The solution is for the feds to get off their goddam lazy asses and prosecute these people. You don't poke around in someone's compromised computer, for good or evil.
What these people are doing is against the law and it has always been against the law. The problem we have is that the law enforcement authorities seem more obsessed with Tommy Cheech selling bongs online than they are real gangs of organized criminals who are interfering with commerce, privacy and national security. Go figure?!
There's an excellent story about this sort of thing here (via another tech site with a digging-related name).
My sig is too lon
From TFA...
"Now 27, Albright supports his wife and two children..."
" "I take my [handheld computer] everywhere so I can keep tabs on the botnets when I'm not at home," Albright said in a recent online chat with a washingtonpost.com reporter. "I spend at least 16 hours a day monitoring and updating." "
Anyone else consider this sad? He's putting so much of himself into the work.. when does he have time to be just "dad" ? If the start of all this was his father's suicide.. maybe he could use a few sessions to deal with his anger, rather than what he is doing now. I don't think it's worth the price.. but then again, I'm a father who actually ENJOYS spending time with his kids.
{} ------ When I think of a good sig, I'll put it here
Know what these guys need? A nice fat ass federal grant, since they're basically taking over where major agencies have failed.
If you've ever seen what kind of shite gets greenlit for grants, you know these guys are deserving of some sort of financial backing.
Most botnets are used for spamming. An analysis of the majority of inbound spam clearly shows most of the traffic coming from unauthorized SMTP relays set up in broadband IP space. The main advantage to setting up botnets is to do mass-mailing from a large pool of IP addresses that have the best chance of getting around RBLs. Spamming is the primary revenue source for botnets and also the primary manner in which machines are infected.
Some ISP recognize this issue and are dealing with it. Some are not.
The solution is very simple: filter port 25 traffic from broadband IP space.
Let me repeat this, because it's real simple.. it's so goddam simple that we're now to a point where any ISP that doesn't do this should be considered grossly negligent and a spammer themselves.
Some ISPs are responsible and some are not. AOL is a good example. AOL started filtering port 25 traffic and this has a dramatic effect on the security of their clients, the performance of their network and the overall safety of the Internet at large. Other ISPs are working on this too, like Bellsouth. These are the good ISPs who recognize that this simple solution can create a dramatic reduction in botnet propagation and spamming.
On the other hand, you still have many ISPs who don't seem to give a shit and are part of the problem. I'm not talking about the foreign ISPs... we know they're irresponsible. TDE, Brazil, China, Korea... it's easier to just wholesale block their IP ranges, but domestic ISPs like EARTHLINK and Verizon continue to be a major source of spam and botnet propagation.
Earthlink particularly annoys me because they constantly advertise how great they are at keeping spam and viruses out. Ironically, they are one of the largest sources of spam, phshing scams and worms in the United States. Thanks Earthlink! Get your fucking act together you morons. Take a few of those goddam leprechans and pink unicorns you have hanging around and replace your existing IT staff!! Filter port 25 so we don't have to deal with spam, worms, system probes and wasted bandwidth from your badly-managed networks!
Filtering port 25 takes a lot of the incentive out of creating a botnet. Everyone who really understands the dynamics of the spam/worm problem recognizes this.
So why don't ISPs simply write software to allow them to detect and automatically disconnect BOTs?
Come on here. BOTs harm their systems, and they ought to be willing to put in the time to shut them off.
Then the end user of a BOT calls up, and the ISP say's "Reformat and reinstall your OS with appropriate anti-baddy software or we won't let you use our ISP.
Yeah, I know, they want the fees, but they don't want the extra bandwidth use nor the problems, and if the major ISPs blacklist BOTs, how long before we get rid of most of them?
For out of the country BOTs, well I would imagine there has to be a way. I don't care to ever receive anything from anyone in Rwanda, Uganda, or even Russia.
"I would imagine fear of the law and getting suied or thrown in jail."
Based on the number of botnets and spams that doesn't seem to be an issue currently.
There needs to be more accountability/traceability in order to register a domain. You should have to prove ID etc. so that if your domain is clearly a botmaster then the authorities can find you in person easily and nail your ass.
is dotnet for botnet
So Botnet hunters are tracking rogue Botnet puppet masters, taking them out using their own ISP, then tracking the Botnet drones who wander the net like 'lost sheep without a shepherd, ... continually try[ing] to reconnect to the hacker's control server, unaware that it no longer exists'?
Sounds like a totally kick ass anime!
Naturally I imagine all these Botnet hunters are hyper-attractive ultra-well-endowed women who's clothes get partially torn off every time they have a Hack-net Battle a Botnet Drone with their emasculatingly over-sized gun/sword!eh?.........no?
What about those botnet 'command center' servers hosted on personal/home IRC servers that use dyndns (or other dynamic dns services)?
What about ISP's in China, or other countries w/ different laws?
What about the botnets that are run on major/public IRC networks, such as freenode, rizon, or efnet?
There is no (legal) way they can get a major Public IRC Network 'taken down' because of a botnet that is connected to it, and believe me, there are plenty running on efnet!
I wish all you 'botnet hunters' the best of luck.
the only permanence in existence, is the impermanence of existence.
Some of you guys might be interested.
A Homeland Security solicitation about BOTNET DETECTION AND MITIGATION was posted a few days ago.
Up to $100K for Phase I, $750K for Phase II. I often bid on this kind of things, but botnets is a bit outside my area (unless a University or non-profit research institute is interested in teaming up -- the program requires a small business to be involved).
Rather competitive too: about 1 out of 8-12 proposals get awarded in average.
They should spend their time doing something more useful.
Like tagging botmasters for the kill.
"My God...it's full of trolls!"
This article has a nice example of how a Russian botnet was hunted: http://www.newyorker.com/fact/content/articles/051 010fa_fact
A few weeks later, on a Saturday in March, Ivan slipped up: he logged in to the chat room without disguising his home Internet address. The same day, Turner happened to be online, and decided to look up eXe's registration information. To his astonishment, he found what appeared to be a real name, address, and phone number: Ivan Maksakov, of Saratov, Russia. Lyon dashed off an e-mail to the authorities with the subject line "eXe made a HUGE mistake!"
How can I tell if my W2K machine is a drone?
Speaking as an Evil Genius with standards, and one who's read the Warhol Worm paper, I'd say any "decent" botnet doesn't take orders from just any old Bill, Fred, or Otto who wanders by waving an executable at it. A "decent" bot wouldn't run code handed to it unless the executable was cryptographically signed with a private key matching the public key it knows belongs to its One True Beloved Master.
So, all of your plans should work just fine... once you determine how to recover a GPG private key of the 4096-bit keypair needed to sign the RUNME code, using the public key taken from the sample bot.
HANGE. (Have A Nice Geologic Epoch.)
(Note: I have better projects to occupy my Evil Genius than botnets.)
//Information does not want to be free; it wants to breed.
" Either that or switch from XP to a better OS platform that has fewer known vulnerabilities (Mac, *nix)."
From TFA:
A few months ago, Taylor became obsessed with tracking a rather unusual botnet consisting of computers running Mac OS X and Linux operating systems. Working a week straight, Taylor located nearly all of the infected machines and had some success..
I've been working with the shadowserver group for a while now and can say that it has been very interesting. to give some facts on the project
SS == shadowserver
* SS rarely shuts down botnets asap, but rather waits to see if they can figure out who the owner is, and several arrests have been made because of this.
* there has been talk on what is going to happen when the botnets switch to a different method other than irc. for more information, search for the botnet mailing list hosted by whitestar
* most of the trojans are found by running nepenthes
* SS has a HUGE repository of botnet scripts and C&C information.
* SS could always use more contacts with ISPs, domain registrars, and foreign LEAs. (we're in #shadowserver on freenode)
* botnets aren't the only thing we've been tracking (you'll see what I'm talking about in the news later)
I call Bull Puckies. What botnet? Why haven't we heard of it? You think the currently anti-Mac press would pass up a chance to herald OS X botnets as a failure of OS X security? Or even Linux? ZDnet New Zealand would personally wet themselves over this story. I think it's part of their reason for being to blast Apple every chance they can get. And yet we hear nothing.
I took the liberty to scan through www.shadowserver.org's RSS feeds for any news on OS X botnets and all I could find were mentions of the same security vulnerabilities we heard about all through February. Now, I'm not registered with that site so I couldn't use their site search, but I'm fairly certain I won't find anything there. A botnet running on compromised OS X machines would be too juicy for sites like C|Net and ZDnet to pass up.
I don't want to come across as an Apple apologist. Heck, I was so alarmed by the Safari zip file vulnerability that I dedicated a web site to exploring it. But this casual mention of botnets on Linux and Mac OS X just doesn't add up.
The Splintered Mind - Overcoming
This blog post identifies a bot called Q8 for Linux/Unix systems. Honeynet's paper on bots (http://www.honeynet.org/papers/bots/) says:
Are you nuts? I want to keep the damned thongs off my system.
Best Slashdot Co
Interesting freudian slip/unintentional double entendre in my previous post...
Best Slashdot Co
im startin to have to grease my door frame just to get thru
/. GET CODIN !!!
NO MORE WAISTIN TIME ON
NOOOOW !!!!!!!!!!11111111111111111oneoneoneoneoneone