Slashdot Mirror
Meet the Botnet Hunters
An anonymous reader writes "The Washington Post is running a pretty decent story about 'Shadowserver,' one of a growing number of volunteer groups dedicated to infiltrating and disabling botnets. The story covers not only how these guys do their work but the pitfalls of bothunting as well. From the article: 'Even after the Shadowserver crew has convinced an ISP to shut down a botmaster's command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'"
We don't need their scum.
Is there a central location that tracks the current largest botnets, what their purpose is, their communication mechanisms, etc? I googled and couldn't find much.
Botmasters will switch to gossip-based protocols (like p2p) to achieve their goals. The good ones have done this already.
This is required for other reasons: if you have more than 10K or so bots, you are better off with a distributed mechanism.
Interestingly enough, most of the botmasters are not so technical - they wouldn't be able to comprehend virtual synchrony if it smacked them in the face.
http://www.thebricktestament.com/the_law/when_to_
There should be a way to reverse engineer the clients so that they can delete themselves, I'm not exactly a botnet admin, but they have file access from what I have learned. Should they not just be able to use a friendly botnet server to tell the computers to delete the client software?
www.shadowserver.org/
This space intentionally left (almost) blank.
In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'
Why don't the hunters register the domain for themselves? Or just ask the registrar controlling it to transfer it to their control? If the botnet owner tries to complain it's been hijacked he'd have to explain the botnet..
http://twitter.com/onion2k
This whole loose-knit bunch of humans doing their part against a force of cold, malignant bots has a great edge to it! Someone should make a movie or three like this.
Slashdot Burying Stories About Slashdot Media Owned
.. with all this mention of 'The Botmaster' it sounds more like a cue for a gay porn movie with a Neuromancer style theme.
Buggy bot: Would you like to shut us down now or wait 'till you get home?
Daffy fuck: SHUT HIM DOWN NOW! SHUT HIM DOWN NOW!
Buggy bot: You keep out of this. He doesn't have to shut you down now.
Daffy fuck: He does SO have to shut me down now! I demand that you shut me down now. (Nyeah!)
Spammer: daffy# shutdown -now
Botnet: *reboots*
Daffy fuck: Let's read those logs again.
Buggy bot: Okay. bugbot: would you like to shut us down now or wait 'till you get home?
Daffy fuck: daffy: shut him down now
Buggy bot: bugbot: you keep out of this, he doesn't have to shut you down now
Daffy fuck: Aha! Hold it right there. DNS cacne poisoning. It's not 'he doesn't have to shut you down now, it's he doesn't have to shut me down now.' Well, I say he does have to shut me down now! So shut me down now!
Spammer: daffy# shutdown -now
Botnet: *reboots*
So many of these Botnets are used to send SPAM. I get a gut feeling that efforts would better be expended on getting widespread adoption of a more secure, universal SMTP protocol.
-- Jim http://www.runfatboy.net/
FTA: "I know many users within my former organization who felt that anti-virus and spyware scanning would save them," Di Mino said. "However, now I see how many malicious files tied to major botnets remain undetected" by the most popular anti-virus programs.
This, unfortunately, is the most common viewpoint from end-users and IT alike.
It's unfortunate because it's so dangerously inaccurate. Lots (LOTS) of spyware is not detected by any of the mainstream detection applications. The best solution I've found is using HijackThis to manually remove suspicious entries, but this is hardly a feasible solution for the average user.
Why not simply convince the ISP's to block infected machines from accessing the internet to start with? They [the ISP's] can probably easy spot botnet traffic and could seriously stop botnets.
Just my 2 cents.
oh no a pimply faced "mobster" might come after you.... give me a break
The phrase "more better" is acceptable English. suck it grammar Nazis
My work here is dung.
Only a partial solution (not even really a solution), but many of the hijacked PC's are left on all night to spew their viagra spam to the net or take part in DOS attacks (or whetever the hell they do).
So... turn your computer off when you are not using it.
Hell you will even same some electricity while you are at it.
Seems like taking 8 or 9 hours out of the day for the bot to actually operate will atleast decrease some of the traffic these bots are generating.
The practice people have developed of leaving their computers on 24/7 should stop... unless of course the computer is doing something more productive than generating elaborate mazes of 3 dimensional plumbing schemes.
I am very small, utmostly microscopic.
Besides the usual info about how many pcs he had infected (30,000 by his count), how he had done it (found software on a site) there was this bit at the end of the article from Symantec:
According to stats released this week by computer security giant Symantec Corp., the most common computer operating system found in botnets is Microsoft's Windows 2000, an OS predominantly used in business environments. Indeed, the vast majority of bots in Witlog's network were Win2K machines, and among the bots I saw were at least 40 computers owned by the Texas state government, as well as several systems on foreign government networks. At least one machine that he showed me from his botnet was located inside of a major U.S. defense contractor.
The permanent linnk for the article can be found here.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Would you have RTFineA, you'd have noted the following:
"A few months ago, Taylor became obsessed with tracking a rather unusual botnet consisting of computers running Mac OS X and Linux operating systems."
I bet that your plan for security through statistics isn't looking good.
The final and ultimate answer to bots, spyware and such is knowledgeable users. I've been called an extremist when advocating a few years ago for a mandatory licence to get the right to connect a home PC to Internet, and I still think that it should be implemented: given the pile of cash those frickin' viruses and worms cost us, it should no longer look like a stupid idea pretty soon.
--
Arkan
This is a task for the government, not for pimpled nerds.
Someone needs to be doing it, and the story indicates that government just isn't interested in this--and even if they are, they can't seem to successfully prosecute. The end of the article really jumped out at me:
How can there be any legal barriers here? Is this supposed to be some twisted view of the 4th amendment?
What part of "shall not be infringed" is so hard to understand?
First, if you can access the botnet to the degree at which this guy claims to be able to do, then you can take control of it. And with any decent botnet, you can make the things run arbitrary code. With only minor analysis of the bot, you could make the entire network self-destruct without too much difficulty. Have it kill it's own startup on reboot sequence, then have it create a new RunOnce to delete it's own executable on reboot. Then shut down or force a reboot or just pop a message up on the screen telling the user he's been infected. As soon as somebody notices they'll likely reboot and possibly install updates and patches to their bloody machine.
This is less risky than the obvious angle of simply patching the box so it can't get infected, because you know that the bot is not supposed to be running on the machine in the first place. Patching the box might go bad or have other unknown consequences, but having the bot kill itself is not nearly as bad. And by possibly informing the user of the facts, you can still scare them into patching their box. Screw shutting down the botnet owner's connection, shut down the botnet itself. Take away their tool in one swift stroke. Make 'em have to build a new one, hopefully from a whole new set of boxes.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
The FBI wants there to be a minimum of $20,000 of verifiable loss before they'll even send an agent out.
I know this from having been an I.T. guy for a state prosecutors office. We had to do everything ourselves and did we ever.
So in a way, these guys are the Buffy (Season One) to the Botnet's Master? They "slay" the host machine, the source of the trouble, but all the undead zombies are left lurching and crippled, waiting for someone else to lead them, who of course, eventually shows up. ... so, can someone hook me up with the main Shadowserver girl?
I used to do that back in the day.
1> Search for EXE's off the latest P2P network or skulk around in some IRC channel until a some chap offers it to you.
2> Take apart that self-extracting zip and look through the mirc script.
3> Work out where they're sending there zombies. Masquerade as a bot for a bit.
4> Figure out a way to issue commands to the bots if possible.
5> Figure out a generic command to issue that stops the bodged mirc from launching or removes it outright.
6> Send it and laugh like a crazy fool at those 74M3RZ as they curse you and you're silly bot killing ways.
Ahh, the folly of youth.
Then again, this is the US Government we're talking about here.
Warning: Corny karma killing post above.
Formating the guy's HD might be a little extreme, but back when I actually used IRC, I used to get bots trying to infect me all the time. So I'd run the file, capture and analyze the packets it sends as it's connecting, then shut it down, reconnect using mIRC, and take over the botnet. From there it was a simple matter to get them to accept a script which would eradicate all the bots.
They're getting more complex these days, but the same principles still apply. Once you get one on your system, it's a simple matter to analyze it and use it to take control off, and destroy, the rest of them.
A few months ago, Taylor became obsessed with tracking a rather unusual botnet consisting of computers running Mac OS X and Linux operating systems.
As that means that there a large numbers of breachable OS X and Linux machines out there, that pretty much puts to death the myth that OS X and Linux are sufficiently secure out of the box.
You have tried to support your argument with faulty reasoning! Go directly to jail; do not pass Go, do not collect $200!
From TFA...
"Now 27, Albright supports his wife and two children..."
" "I take my [handheld computer] everywhere so I can keep tabs on the botnets when I'm not at home," Albright said in a recent online chat with a washingtonpost.com reporter. "I spend at least 16 hours a day monitoring and updating." "
Anyone else consider this sad? He's putting so much of himself into the work.. when does he have time to be just "dad" ? If the start of all this was his father's suicide.. maybe he could use a few sessions to deal with his anger, rather than what he is doing now. I don't think it's worth the price.. but then again, I'm a father who actually ENJOYS spending time with his kids.
{} ------ When I think of a good sig, I'll put it here
"Our data can't be used to gather a warrant," Albright said. "Law enforcement has to view the traffic first hand, and they are limited on what and when they can view."
How can there be any legal barriers here? Is this supposed to be some twisted view of the 4th amendment?
--
What part of "shall not be infringed" is so hard to understand?
I think your sig says it all!
If people bitch when the NSA listens to calls from suspected terrorists, who are not in the US and not citizens, could you imagine the outcry if the gov't started sniffing packets? (OK, OK, I'm sure they already do... and people bitch about it.)
There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
So why don't ISPs simply write software to allow them to detect and automatically disconnect BOTs?
Most major ISPs have software that can pretty much do that. I'm looking at some of it right now in another tab of my browser. The problems are operationalizing it so that it is not too expensive. The support costs for a couple hundred thousand calls asking why they've been shut off and how to go about fixing it and then confirming that it has been done would be very high. Maybe some big players could partner with another company. Get your PC cleaned, patched, and certified and we'll turn your internet back on. The problem with this is there are still a lot of old Windows boxes out there. No security patches are available. A new Windows OS is expensive and won't run on the machine anyway. So the ISP might save a little on transit, but they lose a boatload of customers and the steady revenue those customers provide.
Now some ISPs have plans to implement a notification of compromised machines with an automated system. It may help the problem and the ISP can bill it as a feature. But that is just one more escalation in the arms race. Next bots will be stealthy, mimicking other machines on the subnet, or just sending encrypted tunnels. Anyway, the short answer to your question is "money."
There needs to be more accountability/traceability in order to register a domain. You should have to prove ID etc. so that if your domain is clearly a botmaster then the authorities can find you in person easily and nail your ass.
Rather than add another level of bureaucracy (who would be the licensing authority - your local geek?), why not take the real culprits to task? Would you blame the driver or the manufacturer if a car's wheel falls off due to bad design?
This article has a nice example of how a Russian botnet was hunted: http://www.newyorker.com/fact/content/articles/051 010fa_fact
A few weeks later, on a Saturday in March, Ivan slipped up: he logged in to the chat room without disguising his home Internet address. The same day, Turner happened to be online, and decided to look up eXe's registration information. To his astonishment, he found what appeared to be a real name, address, and phone number: Ivan Maksakov, of Saratov, Russia. Lyon dashed off an e-mail to the authorities with the subject line "eXe made a HUGE mistake!"
I've been working with the shadowserver group for a while now and can say that it has been very interesting. to give some facts on the project
SS == shadowserver
* SS rarely shuts down botnets asap, but rather waits to see if they can figure out who the owner is, and several arrests have been made because of this.
* there has been talk on what is going to happen when the botnets switch to a different method other than irc. for more information, search for the botnet mailing list hosted by whitestar
* most of the trojans are found by running nepenthes
* SS has a HUGE repository of botnet scripts and C&C information.
* SS could always use more contacts with ISPs, domain registrars, and foreign LEAs. (we're in #shadowserver on freenode)
* botnets aren't the only thing we've been tracking (you'll see what I'm talking about in the news later)
I call Bull Puckies. What botnet? Why haven't we heard of it? You think the currently anti-Mac press would pass up a chance to herald OS X botnets as a failure of OS X security? Or even Linux? ZDnet New Zealand would personally wet themselves over this story. I think it's part of their reason for being to blast Apple every chance they can get. And yet we hear nothing.
I took the liberty to scan through www.shadowserver.org's RSS feeds for any news on OS X botnets and all I could find were mentions of the same security vulnerabilities we heard about all through February. Now, I'm not registered with that site so I couldn't use their site search, but I'm fairly certain I won't find anything there. A botnet running on compromised OS X machines would be too juicy for sites like C|Net and ZDnet to pass up.
I don't want to come across as an Apple apologist. Heck, I was so alarmed by the Safari zip file vulnerability that I dedicated a web site to exploring it. But this casual mention of botnets on Linux and Mac OS X just doesn't add up.
The Splintered Mind - Overcoming
This blog post identifies a bot called Q8 for Linux/Unix systems. Honeynet's paper on bots (http://www.honeynet.org/papers/bots/) says: