Meet the Botnet Hunters

An anonymous reader writes "The Washington Post is running a pretty decent story about 'Shadowserver,' one of a growing number of volunteer groups dedicated to infiltrating and disabling botnets. The story covers not only how these guys do their work but the pitfalls of bothunting as well. From the article: 'Even after the Shadowserver crew has convinced an ISP to shut down a botmaster's command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'"

I've done something similar

[c6gunner]

Formating the guy's HD might be a little extreme, but back when I actually used IRC, I used to get bots trying to infect me all the time. So I'd run the file, capture and analyze the packets it sends as it's connecting, then shut it down, reconnect using mIRC, and take over the botnet. From there it was a simple matter to get them to accept a script which would eradicate all the bots.

They're getting more complex these days, but the same principles still apply. Once you get one on your system, it's a simple matter to analyze it and use it to take control off, and destroy, the rest of them.