Meet the Botnet Hunters

← Back to Stories (view on slashdot.org)

Posted by ryuzaki0 on Tuesday March 21, 2006 @08:11AM from the volunteer-fun dept.

An anonymous reader writes "The Washington Post is running a pretty decent story about 'Shadowserver,' one of a growing number of volunteer groups dedicated to infiltrating and disabling botnets. The story covers not only how these guys do their work but the pitfalls of bothunting as well. From the article: 'Even after the Shadowserver crew has convinced an ISP to shut down a botmaster's command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'"

6 of 194 comments (clear)

Min score:

Reason:

Sort:

Botnet Hunters! by blinkless · 2006-03-21 08:14 · Score: 5, Funny

We don't need their scum.
They are on the web by 9mm+Censor · 2006-03-21 08:18 · Score: 5, Informative

www.shadowserver.org/
Bitter irony, Slashdot is thy home (or hangout...) by The_REAL_DZA · 2006-03-21 08:18 · Score: 5, Funny

"...Albright sent an e-mail to the FBI including all the evidence he collected about the attack..."
Apparently, Mr. Albright doesn't frequent Slashdot or watch CNN...

--

This space intentionally left (almost) blank.
Be vewy vewy quiet... by Tackhead · 2006-03-21 08:24 · Score: 5, Funny

Be vewy vewy quiet! We're hunting botnets!
Buggy bot: Would you like to shut us down now or wait 'till you get home?
Daffy fuck: SHUT HIM DOWN NOW! SHUT HIM DOWN NOW!
Buggy bot: You keep out of this. He doesn't have to shut you down now.
Daffy fuck: He does SO have to shut me down now! I demand that you shut me down now. (Nyeah!)

Spammer: daffy# shutdown -now
Botnet: *reboots*

Daffy fuck: Let's read those logs again.
Buggy bot: Okay. bugbot: would you like to shut us down now or wait 'till you get home?
Daffy fuck: daffy: shut him down now
Buggy bot: bugbot: you keep out of this, he doesn't have to shut you down now
Daffy fuck: Aha! Hold it right there. DNS cacne poisoning. It's not 'he doesn't have to shut you down now, it's he doesn't have to shut me down now.' Well, I say he does have to shut me down now! So shut me down now!

Spammer: daffy# shutdown -now
Botnet: *reboots*
Hey, I've seen that mentality before! by eldavojohn · 2006-03-21 08:38 · Score: 5, Funny

Like lost sheep without a shepherd, the drones will continually try to reconnect...
Sounds like my sister when her cell phone cuts out.

--
My work here is dung.
I've done something similar by c6gunner · 2006-03-21 09:04 · Score: 5, Interesting

Formating the guy's HD might be a little extreme, but back when I actually used IRC, I used to get bots trying to infect me all the time. So I'd run the file, capture and analyze the packets it sends as it's connecting, then shut it down, reconnect using mIRC, and take over the botnet. From there it was a simple matter to get them to accept a script which would eradicate all the bots.

They're getting more complex these days, but the same principles still apply. Once you get one on your system, it's a simple matter to analyze it and use it to take control off, and destroy, the rest of them.