Slashdot Mirror


Meet the Botnet Hunters

An anonymous reader writes "The Washington Post is running a pretty decent story about 'Shadowserver,' one of a growing number of volunteer groups dedicated to infiltrating and disabling botnets. The story covers not only how these guys do their work but the pitfalls of bothunting as well. From the article: 'Even after the Shadowserver crew has convinced an ISP to shut down a botmaster's command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'"

6 of 194 comments

  1. Botmasters will switch to distributed C&C by putko · Score: 4, Interesting

    Botmasters will switch to gossip-based protocols (like p2p) to achieve their goals. The good ones have done this already.

    This is required for other reasons: if you have more than 10K or so bots, you are better off with a distributed mechanism.

    Interestingly enough, most of the botmasters are not so technical - they wouldn't be able to comprehend virtual synchrony if it smacked them in the face.

    --
    http://www.thebricktestament.com/the_law/when_to_stone_your_children/dt21_18a.html
  2. Secure SMTP? by RunFatBoy.net · Score: 3, Interesting

    So many of these Botnets are used to send SPAM. I get a gut feeling that efforts would better be expended on getting widespread adoption of a more secure, universal SMTP protocol.

    -- Jim http://www.runfatboy.net/

  3. I've done something similar by c6gunner · Score: 5, Interesting

    Formatting the guy's HD might be a little extreme, but back when I actually used IRC, I used to get bots trying to infect me all the time. So I'd run the file, capture and analyze the packets it sends as it's connecting, then shut it down, reconnect using mIRC, and take over the botnet. From there it was a simple matter to get them to accept a script which would eradicate all the bots.

    They're getting more complex these days, but the same principles still apply. Once you get one on your system, it's a simple matter to analyze it and use it to take control of, and destroy, the rest of them.

    1. Re:I've done something similar by plover · Score: 3, Interesting
      Some are moving that way already. The botnet developers are beginning to realize the monetary value of their little operations, and are moving to protect their investments. There has been enough published crypto that these guys can basically drop in a secure signalling system. And one of the botnet researchers has said some are already using encrypted channels.

      Others are using a "cellular" or P2P model -- instead of a central IRC-style server, the bots are chatting only with the PC that infected them. It makes rolling up a botnet and tracking it back to "node zero" very difficult.

      The nice thing about the botnets (from the operator's perspective) is the ease with which he can roll out updated software. Shadowcrew getting too close? New code time!

      --
      John
  4. Unusual, but Not Impossible by Quantam · Score: 4, Interesting

    A few months ago, Taylor became obsessed with tracking a rather unusual botnet consisting of computers running Mac OS X and Linux operating systems.

    As that means that there are large numbers of breachable OS X and Linux machines out there, that pretty much puts to death the myth that OS X and Linux are sufficiently secure out of the box.

    --
    You have tried to support your argument with faulty reasoning! Go directly to jail; do not pass Go, do not collect $200!
  5. from one who works with shadowserver by app13b0y · Score: 3, Interesting

    I've been working with the shadowserver group for a while now and can say that it has been very interesting. To give some facts on the project:

    SS == shadowserver

    * SS rarely shuts down botnets asap, but rather waits to see if they can figure out who the owner is, and several arrests have been made because of this.

    * there has been talk on what is going to happen when the botnets switch to a different method other than irc. for more information, search for the botnet mailing list hosted by whitestar

    * most of the trojans are found by running nepenthes

    * SS has a HUGE repository of botnet scripts and C&C information.

    * SS could always use more contacts with ISPs, domain registrars, and foreign LEAs. (we're in #shadowserver on freenode)

    * botnets aren't the only thing we've been tracking (you'll see what I'm talking about in the news later)