Slashdot Mirror
Meet the Botnet Hunters
An anonymous reader writes "The Washington Post is running a pretty decent story about 'Shadowserver,' one of a growing number of volunteer groups dedicated to infiltrating and disabling botnets. The story covers not only how these guys do their work but the pitfalls of bothunting as well. From the article: 'Even after the Shadowserver crew has convinced an ISP to shut down a botmaster's command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'"
We don't need their scum.
Is there a central location that tracks the current largest botnets, what their purpose is, their communication mechanisms, etc? I googled and couldn't find much.
Botmasters will switch to gossip-based protocols (like p2p) to achieve their goals. The good ones have done this already.
This is required for other reasons: if you have more than 10K or so bots, you are better off with a distributed mechanism.
Interestingly enough, most of the botmasters are not so technical - they wouldn't be able to comprehend virtual synchrony if it smacked them in the face.
http://www.thebricktestament.com/the_law/when_to_
www.shadowserver.org/
This space intentionally left (almost) blank.
In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'
Why don't the hunters register the domain for themselves? Or just ask the registrar controlling it to transfer it to their control? If the botnet owner tries to complain it's been hijacked he'd have to explain the botnet..
http://twitter.com/onion2k
This whole loose-knit bunch of humans doing their part against a force of cold, malignant bots has a great edge to it! Someone should make a movie or three like this.
Slashdot Burying Stories About Slashdot Media Owned
Buggy bot: Would you like to shut us down now or wait 'till you get home?
Daffy fuck: SHUT HIM DOWN NOW! SHUT HIM DOWN NOW!
Buggy bot: You keep out of this. He doesn't have to shut you down now.
Daffy fuck: He does SO have to shut me down now! I demand that you shut me down now. (Nyeah!)
Spammer: daffy# shutdown -now
Botnet: *reboots*
Daffy fuck: Let's read those logs again.
Buggy bot: Okay. bugbot: would you like to shut us down now or wait 'till you get home?
Daffy fuck: daffy: shut him down now
Buggy bot: bugbot: you keep out of this, he doesn't have to shut you down now
Daffy fuck: Aha! Hold it right there. DNS cacne poisoning. It's not 'he doesn't have to shut you down now, it's he doesn't have to shut me down now.' Well, I say he does have to shut me down now! So shut me down now!
Spammer: daffy# shutdown -now
Botnet: *reboots*
So many of these Botnets are used to send SPAM. I get a gut feeling that efforts would better be expended on getting widespread adoption of a more secure, universal SMTP protocol.
-- Jim http://www.runfatboy.net/
FTA: "I know many users within my former organization who felt that anti-virus and spyware scanning would save them," Di Mino said. "However, now I see how many malicious files tied to major botnets remain undetected" by the most popular anti-virus programs.
This, unfortunately, is the most common viewpoint from end-users and IT alike.
It's unfortunate because it's so dangerously inaccurate. Lots (LOTS) of spyware is not detected by any of the mainstream detection applications. The best solution I've found is using HijackThis to manually remove suspicious entries, but this is hardly a feasible solution for the average user.
Why not simply convince the ISP's to block infected machines from accessing the internet to start with? They [the ISP's] can probably easy spot botnet traffic and could seriously stop botnets.
Just my 2 cents.
My work here is dung.
Only a partial solution (not even really a solution), but many of the hijacked PC's are left on all night to spew their viagra spam to the net or take part in DOS attacks (or whetever the hell they do).
So... turn your computer off when you are not using it.
Hell you will even same some electricity while you are at it.
Seems like taking 8 or 9 hours out of the day for the bot to actually operate will atleast decrease some of the traffic these bots are generating.
The practice people have developed of leaving their computers on 24/7 should stop... unless of course the computer is doing something more productive than generating elaborate mazes of 3 dimensional plumbing schemes.
I am very small, utmostly microscopic.
Besides the usual info about how many pcs he had infected (30,000 by his count), how he had done it (found software on a site) there was this bit at the end of the article from Symantec:
According to stats released this week by computer security giant Symantec Corp., the most common computer operating system found in botnets is Microsoft's Windows 2000, an OS predominantly used in business environments. Indeed, the vast majority of bots in Witlog's network were Win2K machines, and among the bots I saw were at least 40 computers owned by the Texas state government, as well as several systems on foreign government networks. At least one machine that he showed me from his botnet was located inside of a major U.S. defense contractor.
The permanent linnk for the article can be found here.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
This is a task for the government, not for pimpled nerds.
Someone needs to be doing it, and the story indicates that government just isn't interested in this--and even if they are, they can't seem to successfully prosecute. The end of the article really jumped out at me:
How can there be any legal barriers here? Is this supposed to be some twisted view of the 4th amendment?
What part of "shall not be infringed" is so hard to understand?
First, if you can access the botnet to the degree at which this guy claims to be able to do, then you can take control of it. And with any decent botnet, you can make the things run arbitrary code. With only minor analysis of the bot, you could make the entire network self-destruct without too much difficulty. Have it kill it's own startup on reboot sequence, then have it create a new RunOnce to delete it's own executable on reboot. Then shut down or force a reboot or just pop a message up on the screen telling the user he's been infected. As soon as somebody notices they'll likely reboot and possibly install updates and patches to their bloody machine.
This is less risky than the obvious angle of simply patching the box so it can't get infected, because you know that the bot is not supposed to be running on the machine in the first place. Patching the box might go bad or have other unknown consequences, but having the bot kill itself is not nearly as bad. And by possibly informing the user of the facts, you can still scare them into patching their box. Screw shutting down the botnet owner's connection, shut down the botnet itself. Take away their tool in one swift stroke. Make 'em have to build a new one, hopefully from a whole new set of boxes.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
The FBI wants there to be a minimum of $20,000 of verifiable loss before they'll even send an agent out.
I know this from having been an I.T. guy for a state prosecutors office. We had to do everything ourselves and did we ever.
Formating the guy's HD might be a little extreme, but back when I actually used IRC, I used to get bots trying to infect me all the time. So I'd run the file, capture and analyze the packets it sends as it's connecting, then shut it down, reconnect using mIRC, and take over the botnet. From there it was a simple matter to get them to accept a script which would eradicate all the bots.
They're getting more complex these days, but the same principles still apply. Once you get one on your system, it's a simple matter to analyze it and use it to take control off, and destroy, the rest of them.
A few months ago, Taylor became obsessed with tracking a rather unusual botnet consisting of computers running Mac OS X and Linux operating systems.
As that means that there a large numbers of breachable OS X and Linux machines out there, that pretty much puts to death the myth that OS X and Linux are sufficiently secure out of the box.
You have tried to support your argument with faulty reasoning! Go directly to jail; do not pass Go, do not collect $200!
They said it in the article. Data handed to the fuzz by a civilian isn't admissible before a judge. They can only use the information to aid in launching their own investigation, which of course requires resources.
So why don't ISPs simply write software to allow them to detect and automatically disconnect BOTs?
Most major ISPs have software that can pretty much do that. I'm looking at some of it right now in another tab of my browser. The problems are operationalizing it so that it is not too expensive. The support costs for a couple hundred thousand calls asking why they've been shut off and how to go about fixing it and then confirming that it has been done would be very high. Maybe some big players could partner with another company. Get your PC cleaned, patched, and certified and we'll turn your internet back on. The problem with this is there are still a lot of old Windows boxes out there. No security patches are available. A new Windows OS is expensive and won't run on the machine anyway. So the ISP might save a little on transit, but they lose a boatload of customers and the steady revenue those customers provide.
Now some ISPs have plans to implement a notification of compromised machines with an automated system. It may help the problem and the ISP can bill it as a feature. But that is just one more escalation in the arms race. Next bots will be stealthy, mimicking other machines on the subnet, or just sending encrypted tunnels. Anyway, the short answer to your question is "money."
I've been working with the shadowserver group for a while now and can say that it has been very interesting. to give some facts on the project
SS == shadowserver
* SS rarely shuts down botnets asap, but rather waits to see if they can figure out who the owner is, and several arrests have been made because of this.
* there has been talk on what is going to happen when the botnets switch to a different method other than irc. for more information, search for the botnet mailing list hosted by whitestar
* most of the trojans are found by running nepenthes
* SS has a HUGE repository of botnet scripts and C&C information.
* SS could always use more contacts with ISPs, domain registrars, and foreign LEAs. (we're in #shadowserver on freenode)
* botnets aren't the only thing we've been tracking (you'll see what I'm talking about in the news later)