Meet the Botnet Hunters
An anonymous reader writes "The Washington Post is running a pretty decent story about 'Shadowserver,' one of a growing number of volunteer groups dedicated to infiltrating and disabling botnets. The story covers not only how these guys do their work but the pitfalls of bothunting as well. From the article: 'Even after the Shadowserver crew has convinced an ISP to shut down a botmaster's command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'"
We don't need their scum.
Is there a central location that tracks the current largest botnets, what their purpose is, their communication mechanisms, etc? I googled and couldn't find much.
Those first two paragraphs sound like a movie pitch. A weird movie pitch...
Botmasters will switch to gossip-based protocols (like p2p) to achieve their goals. The good ones have done this already.
This is required for other reasons: if you have more than 10K or so bots, you are better off with a distributed mechanism.
Interestingly enough, most of the botmasters are not so technical - they wouldn't be able to comprehend virtual synchrony if it smacked them in the face.
http://www.thebricktestament.com/the_law/when_to_
There should be a way to reverse engineer the clients so that they can delete themselves. I'm not exactly a botnet admin, but they have file access from what I have learned. Should they not just be able to use a friendly botnet server to tell the computers to delete the client software?
www.shadowserver.org/
This space intentionally left (almost) blank.
In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.
Why don't the hunters register the domain for themselves? Or just ask the registrar controlling it to transfer it to their control? If the botnet owner tries to complain it's been hijacked he'd have to explain the botnet..
http://twitter.com/onion2k
This whole loose-knit bunch of humans doing their part against a force of cold, malignant bots has a great edge to it! Someone should make a movie or three like this.
Slashdot Burying Stories About Slashdot Media Owned
So, these guys find botnets, collect the info to have them shut down, and then get the channel shut down? While this is great, it does little to stem the tide of bots. Adware/spyware and viruses are still being made to create more bots. So, while Shadowserver goes after the host servers, there are still millions of computers that are infected and transmitting, including that physician that was sending patient data!! If we really want to shut botmasters down, we need to battle the root of the problem. Unfortunately, we're still not allowed to kill off the bottom of the gene pool. Either that or switch from XP to a better OS platform that has fewer known vulnerabilities (Mac, *nix).
"The only constant in the universe is change." - Unknown author
.. with all this mention of 'The Botmaster' it sounds more like a cue for a gay porn movie with a Neuromancer style theme.
Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists.
Since we're discussing drones, wouldn't a more appropriate analogy have been "like lost bees without a queen"?
Buggy bot: Would you like to shut us down now or wait 'till you get home?
Daffy fuck: SHUT HIM DOWN NOW! SHUT HIM DOWN NOW!
Buggy bot: You keep out of this. He doesn't have to shut you down now.
Daffy fuck: He does SO have to shut me down now! I demand that you shut me down now. (Nyeah!)
Spammer: daffy# shutdown -now
Botnet: *reboots*
Daffy fuck: Let's read those logs again.
Buggy bot: Okay. bugbot: would you like to shut us down now or wait 'till you get home?
Daffy fuck: daffy: shut him down now
Buggy bot: bugbot: you keep out of this, he doesn't have to shut you down now
Daffy fuck: Aha! Hold it right there. DNS cache poisoning. It's not 'he doesn't have to shut you down now', it's 'he doesn't have to shut me down now.' Well, I say he does have to shut me down now! So shut me down now!
Spammer: daffy# shutdown -now
Botnet: *reboots*
So many of these Botnets are used to send SPAM. I get a gut feeling that efforts would better be expended on getting widespread adoption of a more secure, universal SMTP protocol.
-- Jim http://www.runfatboy.net/
"However, now I see how many malicious files tied to major botnets remain undetected" by the most popular anti-virus programs.
Sounds like a golden opportunity for ingenious programmers to design something to seek out and destroy these botnets, and then sell it to Microsoft for a fortune.
Another botnet hunter article from eWeek.
He who knows best knows how little he knows. - Thomas Jefferson
FTA: "I know many users within my former organization who felt that anti-virus and spyware scanning would save them," Di Mino said. "However, now I see how many malicious files tied to major botnets remain undetected" by the most popular anti-virus programs.
This, unfortunately, is the most common viewpoint from end-users and IT alike.
It's unfortunate because it's so dangerously inaccurate. Lots (LOTS) of spyware is not detected by any of the mainstream detection applications. The best solution I've found is using HijackThis to manually remove suspicious entries, but this is hardly a feasible solution for the average user.
I must be the only nerd here who wears a shoulder holster to work. (and no, I'm not a cop)
Why not simply convince the ISPs to block infected machines from accessing the internet to start with? They [the ISPs] can probably easily spot botnet traffic and could seriously stop botnets.
Just my 2 cents.
oh no a pimply faced "mobster" might come after you.... give me a break
The phrase "more better" is acceptable English. suck it grammar Nazis
My work here is dung.
Only a partial solution (not even really a solution), but many of the hijacked PCs are left on all night to spew their viagra spam to the net or take part in DOS attacks (or whatever the hell they do).
So... turn your computer off when you are not using it.
Hell, you will even save some electricity while you are at it.
Seems like taking 8 or 9 hours out of the day for the bot to actually operate will at least decrease some of the traffic these bots are generating.
The practice people have developed of leaving their computers on 24/7 should stop... unless of course the computer is doing something more productive than generating elaborate mazes of 3 dimensional plumbing schemes.
I am very small, utmostly microscopic.
Besides the usual info about how many PCs he had infected (30,000 by his count) and how he had done it (found software on a site), there was this bit at the end of the article from Symantec:
According to stats released this week by computer security giant Symantec Corp., the most common computer operating system found in botnets is Microsoft's Windows 2000, an OS predominantly used in business environments. Indeed, the vast majority of bots in Witlog's network were Win2K machines, and among the bots I saw were at least 40 computers owned by the Texas state government, as well as several systems on foreign government networks. At least one machine that he showed me from his botnet was located inside of a major U.S. defense contractor.
The permanent link for the article can be found here.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Let me get this straight. Summing up TFA, he found evidence of the bots, even saw personal medical info, and turned it in to the authorities WITHOUT any suspicion cast his way????
If I would have done such a good deed (and it was a good deed in my book), I'd have probably been hauled off for questioning. That's the fear as to why I don't "get involved" trying to stop these jerks myself.
This is a task for the government, not for pimpled nerds.
Someone needs to be doing it, and the story indicates that government just isn't interested in this--and even if they are, they can't seem to successfully prosecute. The end of the article really jumped out at me:
How can there be any legal barriers here? Is this supposed to be some twisted view of the 4th amendment?
What part of "shall not be infringed" is so hard to understand?
First, if you can access the botnet to the degree at which this guy claims to be able to do, then you can take control of it. And with any decent botnet, you can make the things run arbitrary code. With only minor analysis of the bot, you could make the entire network self-destruct without too much difficulty. Have it kill its own startup-on-reboot sequence, then have it create a new RunOnce to delete its own executable on reboot. Then shut down or force a reboot or just pop a message up on the screen telling the user he's been infected. As soon as somebody notices they'll likely reboot and possibly install updates and patches to their bloody machine.
This is less risky than the obvious angle of simply patching the box so it can't get infected, because you know that the bot is not supposed to be running on the machine in the first place. Patching the box might go bad or have other unknown consequences, but having the bot kill itself is not nearly as bad. And by possibly informing the user of the facts, you can still scare them into patching their box. Screw shutting down the botnet owner's connection, shut down the botnet itself. Take away their tool in one swift stroke. Make 'em have to build a new one, hopefully from a whole new set of boxes.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
The FBI wants there to be a minimum of $20,000 of verifiable loss before they'll even send an agent out.
I know this from having been an I.T. guy for a state prosecutors office. We had to do everything ourselves and did we ever.
So in a way, these guys are the Buffy (Season One) to the Botnet's Master? They "slay" the host machine, the source of the trouble, but all the undead zombies are left lurching and crippled, waiting for someone else to lead them, who of course, eventually shows up. ... so, can someone hook me up with the main Shadowserver girl?
I used to do that back in the day.
1> Search for EXE's off the latest P2P network or skulk around in some IRC channel until some chap offers it to you.
2> Take apart that self-extracting zip and look through the mirc script.
3> Work out where they're sending their zombies. Masquerade as a bot for a bit.
4> Figure out a way to issue commands to the bots if possible.
5> Figure out a generic command to issue that stops the bodged mirc from launching or removes it outright.
6> Send it and laugh like a crazy fool at those 74M3RZ as they curse you and your silly bot-killing ways.
Ahh, the folly of youth.
Then again, this is the US Government we're talking about here.
Warning: Corny karma killing post above.
Call me when they start a group of hunters for the Nintendo R.O.B. . They are the bots we should be really watching out for.
Formatting the guy's HD might be a little extreme, but back when I actually used IRC, I used to get bots trying to infect me all the time. So I'd run the file, capture and analyze the packets it sends as it's connecting, then shut it down, reconnect using mIRC, and take over the botnet. From there it was a simple matter to get them to accept a script which would eradicate all the bots.
They're getting more complex these days, but the same principles still apply. Once you get one on your system, it's a simple matter to analyze it and use it to take control of, and destroy, the rest of them.
Which network protocol supports the transmission of bullets?
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Wasn't this an episode of Stargate: SG-1?
A few months ago, Taylor became obsessed with tracking a rather unusual botnet consisting of computers running Mac OS X and Linux operating systems.
As that means that there are large numbers of breachable OS X and Linux machines out there, that pretty much puts to death the myth that OS X and Linux are sufficiently secure out of the box.
You have tried to support your argument with faulty reasoning! Go directly to jail; do not pass Go, do not collect $200!
Vigilantism is still against the law in this case. Computer tampering is computer tampering.
The solution to this problem is to put a few of these guys in jail. The solution is for the feds to get off their goddam lazy asses and prosecute these people. You don't poke around in someone's compromised computer, for good or evil.
What these people are doing is against the law and it has always been against the law. The problem we have is that the law enforcement authorities seem more obsessed with Tommy Cheech selling bongs online than they are real gangs of organized criminals who are interfering with commerce, privacy and national security. Go figure?!
There's an excellent story about this sort of thing here (via another tech site with a digging-related name).
My sig is too lon
From TFA...
"Now 27, Albright supports his wife and two children..."
"'I take my [handheld computer] everywhere so I can keep tabs on the botnets when I'm not at home,' Albright said in a recent online chat with a washingtonpost.com reporter. 'I spend at least 16 hours a day monitoring and updating.'"
Anyone else consider this sad? He's putting so much of himself into the work.. when does he have time to be just "dad" ? If the start of all this was his father's suicide.. maybe he could use a few sessions to deal with his anger, rather than what he is doing now. I don't think it's worth the price.. but then again, I'm a father who actually ENJOYS spending time with his kids.
{} ------ When I think of a good sig, I'll put it here
So why don't ISPs simply write software to allow them to detect and automatically disconnect BOTs?
Come on here. BOTs harm their systems, and they ought to be willing to put in the time to shut them off.
Then the end user of a BOT calls up, and the ISP says "Reformat and reinstall your OS with appropriate anti-baddy software or we won't let you use our ISP."
Yeah, I know, they want the fees, but they don't want the extra bandwidth use nor the problems, and if the major ISPs blacklist BOTs, how long before we get rid of most of them?
For out of the country BOTs, well I would imagine there has to be a way. I don't care to ever receive anything from anyone in Rwanda, Uganda, or even Russia.
"Our data can't be used to gather a warrant," Albright said. "Law enforcement has to view the traffic first hand, and they are limited on what and when they can view."
How can there be any legal barriers here? Is this supposed to be some twisted view of the 4th amendment?
--
What part of "shall not be infringed" is so hard to understand?
I think your sig says it all!
If people bitch when the NSA listens to calls from suspected terrorists, who are not in the US and not citizens, could you imagine the outcry if the gov't started sniffing packets? (OK, OK, I'm sure they already do... and people bitch about it.)
There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
"I would imagine fear of the law and getting sued or thrown in jail."
Based on the number of botnets and spams that doesn't seem to be an issue currently.
There needs to be more accountability/traceability in order to register a domain. You should have to prove ID etc. so that if your domain is clearly a botmaster then the authorities can find you in person easily and nail your ass.
Why not just disallow all incoming port 25 traffic that doesn't have a matching SPF TXT record? It would be computationally more expensive (mailserver has to do the screening) and consume more network resources to boot, but at least those of us who are doing The Right Thing(tm) wouldn't have our internet services marginalized.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
So Botnet hunters are tracking rogue Botnet puppet masters, taking them out using their own ISP, then tracking the Botnet drones who wander the net like 'lost sheep without a shepherd, ... continually try[ing] to reconnect to the hacker's control server, unaware that it no longer exists'?
Sounds like a totally kick ass anime!
Naturally I imagine all these Botnet hunters are hyper-attractive ultra-well-endowed women whose clothes get partially torn off every time they have a Hack-net Battle with a Botnet Drone with their emasculatingly over-sized gun/sword! Eh? ... no?
Unfortunately some broadband ISPs here in the Netherlands have completely misunderstood the problem, and when blocking port 25 they blocked it on traffic from the Internet to the customer, instead of the other way around...
Maybe this was done after they read about the "open relay used for spamming" problem, mostly something of the past.
Anyway, blocking port 25 on outgoing connects would have solved that just as well.
So when you ask them to filter port 25, make sure they understand which direction you mean!
Because most domains still don't have an SPF record, and worse: many domain registration & DNS services do not offer the creation of TXT records. So even when the owner of the domain knows about SPF, they cannot install it.
We're only talking about disallowing traffic from well-known blocks of Dynamic IPs. How is that a problem? These people always have the option to use a real mailserver if they really must send SMTP from their local machine to the 'net at large, and not use their ISP's mailserver.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
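As an added example (not code from the original thread or from Shadowserver), here is a small SPF evaluator in Python that implements the "only accept port 25 traffic with a matching SPF record" check proposed above and makes the objection about domains with no SPF record concrete. The DNS data is a constructed in-memory table; every domain name and address in it is invented, and the evaluator covers only the ip4/ip6/a/mx/include/all mechanisms.

```python
import ipaddress

# Constructed DNS data standing in for real lookups so the example runs offline.
# All names and addresses are invented for this example.
DNS = {
    ("example.net", "TXT"): ["v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailhost.example -all"],
    ("example.net", "MX"): ["mail.example.net"],
    ("mail.example.net", "A"): ["198.51.100.25"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ~all"],
    ("nospf.example", "TXT"): [],   # a domain that publishes no SPF record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name, rtype), [])


def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if it has none."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, depth=0):
    """Evaluate SPF for a client ip claiming MAIL FROM domain.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:
        return "permerror"            # runaway include chain
    rec = spf_record(domain)
    if rec is None:
        return "none"                 # no record published: SPF gives no verdict
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:
        if "=" in term:
            continue                  # modifiers (e.g. redirect=) are not handled here
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # an IPv4 address is never inside an IPv6 network and vice versa
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in lookup(arg or domain, "A")
        elif name == "mx":
            mxs = lookup(arg or domain, "MX")
            matched = any(str(addr) in lookup(mx, "A") for mx in mxs)
        elif name == "include":
            sub = check_host(ip, arg, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"    # including a domain without SPF is an error
            matched = sub == "pass"
        else:
            return "permerror"        # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                  # nothing matched and no "all" term


def mta_decision(ip, mail_from_domain, strict=False):
    """strict=True is the thread's proposal: accept only an explicit SPF pass,
    which also rejects every domain that has not published a record."""
    result = check_host(ip, mail_from_domain)
    if result == "pass":
        return "accept"
    if result in ("fail", "permerror"):
        return "reject"
    return "reject" if strict else "accept"
```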
They should spend their time doing something more useful.
Like tagging botmasters for the kill.
"My God...it's full of trolls!"
This article has a nice example of how a Russian botnet was hunted: http://www.newyorker.com/fact/content/articles/051010fa_fact
A few weeks later, on a Saturday in March, Ivan slipped up: he logged in to the chat room without disguising his home Internet address. The same day, Turner happened to be online, and decided to look up eXe's registration information. To his astonishment, he found what appeared to be a real name, address, and phone number: Ivan Maksakov, of Saratov, Russia. Lyon dashed off an e-mail to the authorities with the subject line "eXe made a HUGE mistake!"
AOL had a very simple approach: use port 587 instead of 25. As a result of their bold and aggressive move, most e-mail clients now have easy ways to change the smtp port if they didn't already.
;p Not my fault you guys SUCK.
Obviously, someone who works at Verizon or Earthlink modded me down
Speaking as an Evil Genius with standards, and one who's read the Warhol Worm paper, I'd say any "decent" botnet doesn't take orders from just any old Bill, Fred, or Otto who wanders by waving an executable at it. A "decent" bot wouldn't run code handed to it unless the executable was cryptographically signed with a private key matching the public key it knows belongs to its One True Beloved Master.
So, all of your plans should work just fine... once you determine how to recover a GPG private key of the 4096-bit keypair needed to sign the RUNME code, using the public key taken from the sample bot.
HANGE. (Have A Nice Geologic Epoch.)
(Note: I have better projects to occupy my Evil Genius than botnets.)
//Information does not want to be free; it wants to breed.
" Either that or switch from XP to a better OS platform that has fewer known vulnerabilities (Mac, *nix)."
From TFA:
A few months ago, Taylor became obsessed with tracking a rather unusual botnet consisting of computers running Mac OS X and Linux operating systems. Working a week straight, Taylor located nearly all of the infected machines and had some success..
I've been working with the shadowserver group for a while now and can say that it has been very interesting. To give some facts on the project:
SS == shadowserver
* SS rarely shuts down botnets asap, but rather waits to see if they can figure out who the owner is, and several arrests have been made because of this.
* there has been talk on what is going to happen when the botnets switch to a different method other than irc. for more information, search for the botnet mailing list hosted by whitestar
* most of the trojans are found by running nepenthes
* SS has a HUGE repository of botnet scripts and C&C information.
* SS could always use more contacts with ISPs, domain registrars, and foreign LEAs. (we're in #shadowserver on freenode)
* botnets aren't the only thing we've been tracking (you'll see what I'm talking about in the news later)
I call Bull Puckies. What botnet? Why haven't we heard of it? You think the currently anti-Mac press would pass up a chance to herald OS X botnets as a failure of OS X security? Or even Linux? ZDnet New Zealand would personally wet themselves over this story. I think it's part of their reason for being to blast Apple every chance they can get. And yet we hear nothing.
I took the liberty to scan through www.shadowserver.org's RSS feeds for any news on OS X botnets and all I could find were mentions of the same security vulnerabilities we heard about all through February. Now, I'm not registered with that site so I couldn't use their site search, but I'm fairly certain I won't find anything there. A botnet running on compromised OS X machines would be too juicy for sites like C|Net and ZDnet to pass up.
I don't want to come across as an Apple apologist. Heck, I was so alarmed by the Safari zip file vulnerability that I dedicated a web site to exploring it. But this casual mention of botnets on Linux and Mac OS X just doesn't add up.
The Splintered Mind - Overcoming
No. The problem is more that many LEAs are quite dumb when it comes to handling this stuff. Luckily, shadowserver has just recently come into contact with a few good guys that are learning quite fast about what is going on. The other problem is how can they trust the data in court? Somebody could argue falsification of logs. Now, when it comes to what Albright is talking about, I'm not quite sure what he means about that in relation to the 4th amendment.
The other problem is the jury. When they're dumb and you're trying to explain a bunch of technical stuff to them which they could care less about, then what are you supposed to do?
I think "static" or "dynamic" IP has nothing to do with the issue.
All ADSL and most Cable providers here give you a static IP, yet the number of bots and infected PCs here is the same as in the US, where dynamic IP seems to be the norm.
This is of course to be expected. When the bot writer uses a clever enough protocol to be able to control a PC on a dynamic IP, it will certainly work on a static IP.
This blog post identifies a bot called Q8 for Linux/Unix systems. Honeynet's paper on bots (http://www.honeynet.org/papers/bots/) says:
Are you nuts? I want to keep the damned thongs off my system.
Best Slashdot Co
Well, I didn't really mean to say dynamic I guess, but here in the states, it's almost impossible to get static without paying extra, and/or getting a business-class account which of course also costs more. And most cable providers won't give you static for love nor money. Well, maybe you could go in and give the execs a ride or something... What I mean to say is home users, who almost without exception have another SMTP server to use; their ISP's.
I understand, but this makes it clear that the situation is not that black-and-white.
I think a good solution would be to block outgoing (and maybe incoming) port 25 traffic by default, and have some option per customer to enable the port, with a webpage that explains the risks. Most customers will never notice what they are missing with filtered port 25, but for the few that need it, it is very inconvenient when it is closed for everyone.
Unfortunately the infrastructure does not always make it simple to do this (no separate access list per customer, and a combined access list would get much too long).
An ISP's SMTP server is not always a solution. I am running a mailserver on my own system (and use the same setup at work) to which the MX records for my domain are pointing, and which uses callbacks to verify source addresses whenever mail comes in. The callbacks require outgoing port 25 access and cannot be done via the ISP server.
An advantage of sending mail directly instead of via the ISP server is that you can watch the queue. Mail that is not getting delivered is apparent because it sits in your own queue. ISP queues are of course not visible to ordinary customers.
But for the average Windows user with Outlook Express and a POP account this is not important and blocking port 25 is no problem.
Interesting freudian slip/unintentional double entendre in my previous post...