Slashdot Mirror


Eavesdropping on a Botnet

wild3rbeast writes "Joe Stewart, a senior security researcher with LURHQ's Threat Intelligence Group has figured out a way to silently spy on a botnet's command-and-control infrastructure, and finds that for-profit crackers are clearly winning the cat-and-mouse game against entrenched anti-virus providers. From the article: 'The lesson here is once you get infected, you are completely under the control of the botmaster. He can put whatever he wants on your machine, and there's no way to be 100 percent sure that the machine is clean. The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.'"

7 of 185 comments

  1. PC Clinic by Short Circuit · Score: 5, Informative

    At my computer club's PC Clinic, I set up Ethereal on our network gateway computer, to keep track of things. You can easily see this kind of crap going on.
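    The gateway-side monitoring this comment describes can be turned into a simple check. The script below is an added example, not code from the thread or from LURHQ; it assumes a constructed text export of IRC lines seen at the gateway (one per line, "src -> dst:port COMMAND args") and flags a channel that several internal hosts join with machine-generated-looking nicknames, which is the pattern a botnet's command-and-control channel shows and a normal IRC user does not.

```python
"""Flag botnet-style IRC command-and-control traffic in a gateway capture.

Added example (hypothetical input format). Lines are assumed to come from a
sniffer on the gateway, exported as "<src_ip> -> <dst_ip>:<port> <IRC line>".
"""
import re
from collections import defaultdict

# Constructed sample: three internal hosts join the same channel on one
# external server with generated nicks; one host is an ordinary IRC user.
SAMPLE_CAPTURE = """\
10.0.0.5 -> 203.0.113.9:6667 NICK [USA|XP]-83721
10.0.0.5 -> 203.0.113.9:6667 JOIN #x3 secretpass
10.0.0.7 -> 203.0.113.9:6667 NICK [USA|XP]-10455
10.0.0.7 -> 203.0.113.9:6667 JOIN #x3 secretpass
10.0.0.9 -> 203.0.113.9:6667 NICK [DEU|2K]-55119
10.0.0.9 -> 203.0.113.9:6667 JOIN #x3 secretpass
10.0.0.22 -> 198.51.100.4:6667 NICK alice
10.0.0.22 -> 198.51.100.4:6667 JOIN #linux
"""

LINE_RE = re.compile(r"^(\S+) -> (\S+):(\d+) (\S+)(?: (.*))?$")
# Nicks of the form "[TAG]-12345": a country/OS tag plus a random number.
GENERATED_NICK_RE = re.compile(r"^\[[^\]]+\]-\d+$")


def parse_capture(text):
    """Return (src, dst, port, command, args) tuples, skipping unparsable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, dst, port, cmd, args = m.groups()
            events.append((src, dst, int(port), cmd, args or ""))
    return events


def find_suspect_channels(events, min_hosts=3):
    """Map (server, channel) -> sorted internal hosts when at least min_hosts
    hosts joined that channel using generated-looking nicks."""
    nicks = {}                      # last NICK seen per source host
    joins = defaultdict(set)        # (server, channel) -> joining hosts
    for src, dst, port, cmd, args in events:
        if cmd == "NICK" and args:
            nicks[src] = args.split()[0]
        elif cmd == "JOIN" and args:
            joins[(dst, args.split()[0])].add(src)
    suspects = {}
    for key, hosts in joins.items():
        generated = [h for h in hosts if GENERATED_NICK_RE.match(nicks.get(h, ""))]
        if len(generated) >= min_hosts:
            suspects[key] = sorted(generated)
    return suspects


if __name__ == "__main__":
    for (server, channel), hosts in find_suspect_channels(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"possible C&C: {server} {channel} joined by {', '.join(hosts)}")
```

    The hosts it lists are candidates for the wipe-and-reinstall the summary recommends, not proof on their own; the check only correlates who joined what.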

  2. Re:It's a bird. It's a plane. It's TC! by The MAZZTer · Score: 5, Informative

    Some games use it for CD verification. If you tamper with it (i.e. remove it) the game will likely fail its CD check and no longer run.

    I have a game that uses it, you probably agree to it in the EULA somewhere. I forget which game it was...

    Oh and I can't help but notice, as others have before me, that software pirates are not encumbered by these restrictions and bloatware, while legitimate customers are forced to use it.

  3. Steve Gibson did something akin to this by BertieBaggio · Score: 5, Informative

    I know he may not be the most favourite of people around here, but Steve Gibson was able to spy on the IRC command & control channel of a botnet a few years ago. It was precipitated by a DDoS on his site, which he investigated rather thoroughly.

    Link to the article (...long article warning)

    Some of the article is quite interesting, some is obvious, some is ego-boosting self-congratulatory statements, and some of it is his "teh XP can create complete 'UNIX sockets' OH NOES!" propaganda. Still worth a read, even if it is a few years old.

    --
    If all you have is a grenade, pretty soon every problem looks like a foxhole -- MightyYar

  4. Re:Windows LiveCD by Anonymous Coward · Score: 2, Informative

    Actually, I think the one you are thinking of is Ultimate Boot CD for Windows http://www.ubcd4win.com/ which is a very functional live cd. Also has numerous other tools that make cleaning an infected system, creating admin accounts, and other cool maintenance a breeze.

  5. Server counterpart to this by Alex Belits · Score: 4, Informative

    How a server got compromised and ran a Paypal scam site for two days, a more technical explanation of what happened, and how to (and how not to) make Yahoo block the accounts involved. Of course, the idea that a compromised machine can in any way be trusted sounds like one of the stupidest things ever thought up by a human.

    --
    Contrary to the popular belief, there indeed is no God.

  6. Re:Windows LiveCD by poolmeister · Score: 2, Informative

    UBCD for Windows is just a collection of Bart's PE plugins to help you build your own Windows Live CD from Bart's PE and your Windows disk; even then it's only really a maintenance CD. You wouldn't want to use it as a live boot OS; I've tried it on many PCs in the past and I've never been able to get networking going once.
    Windows is inherently a bad choice for a live boot OS because of the messy issue of having as many 3rd party drivers as possible loaded into the image.

    Linux distros are now miles ahead of Windows when it comes to hardware detection on first boot.

    --
    CN=poolmeister.OU=lurkers.CN=slashdot

  7. reinstall troubles... by Tom · Score: 2, Informative

    "The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system."

    Yes, and your average user will quickly encounter another funny problem: he has a good chance of being infected again before the download of SP2 and/or the other security updates he needs in order not to be re-infected is finished...

    --
    Assorted stuff I do sometimes: Lemuria.org