Meet the Botnet Hunters

An anonymous reader writes "The Washington Post is running a pretty decent story about 'Shadowserver,' one of a growing number of volunteer groups dedicated to infiltrating and disabling botnets. The story covers not only how these guys do their work but the pitfalls of bothunting as well. From the article: 'Even after the Shadowserver crew has convinced an ISP to shut down a botmaster's command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'"

Re:Botmasters will switch to distributed C&C

[toad3k]

What I don't understand, is if these guys can see every bot on the network, have an infected honey pot of their own, why can't they take control of the computers, tell them to pop up a "you've been infected, moron" window and format themselves? In the end it is probably better for the individual than allowing them to get keylogged etc.

Or are the backdoors they are using more sophisticated than that?

Better ways to stop them...

[Otto]

First, if you can access the botnet to the degree at which this guy claims to be able to do, then you can take control of it. And with any decent botnet, you can make the things run arbitrary code. With only minor analysis of the bot, you could make the entire network self-destruct without too much difficulty. Have it kill it's own startup on reboot sequence, then have it create a new RunOnce to delete it's own executable on reboot. Then shut down or force a reboot or just pop a message up on the screen telling the user he's been infected. As soon as somebody notices they'll likely reboot and possibly install updates and patches to their bloody machine.

This is less risky than the obvious angle of simply patching the box so it can't get infected, because you know that the bot is not supposed to be running on the machine in the first place. Patching the box might go bad or have other unknown consequences, but having the bot kill itself is not nearly as bad. And by possibly informing the user of the facts, you can still scare them into patching their box. Screw shutting down the botnet owner's connection, shut down the botnet itself. Take away their tool in one swift stroke. Make 'em have to build a new one, hopefully from a whole new set of boxes.