Slashdot Mirror

← Back to Stories (view on slashdot.org)

Eavesdropping on a Botnet

Posted by ryuzaki0 on from the like-a-soap-opera-for-geeks dept.

wild3rbeast writes "Joe Stewart, a senior security researcher with LURHQ's Threat Intelligence Group has figured out a way to silently spy on a botnet's command-and-control infrastructure, and finds that for-profit crackers are clearly winning the cat-and-mouse game against entrenched anti-virus providers. From the article: 'The lesson here is once you get infected, you are completely under the control of the botmaster. He can put whatever he wants on your machine, and there's no way to be 100 percent sure that the machine is clean. The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.'"

20 of 185 comments (clear)

  1. malware-free system? by Anonymous Coward · · Score: 4, Insightful

    "The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.'" ...or to run a live-CD version of some OS where all you need to do is reboot
    options abound Linux, BSD, Windo... oh, forget about that last one

    1. Re:malware-free system? by Nutria · · Score: 4, Insightful
      Until someone creates something that can infect the various *nixes that is.

      It's called a rootkit. They've been around for years.

      Find a *ix server that's running a vulnerable process listening on an exposed port (DNS, ssh, ftp, http, pop, imap, smtp, whatever). Root that box and install your malware.

      Just by the virtue of the large number of x86 Linux servers exposed to the Intarweb, there must be thousands of systems just waiting to be rooted.

      Fortunately for "us", there are millions of exposed Windows client PCs running as Adminstator, begging to be owned.

      --
      "I don't know, therefore Aliens" Wafflebox1
    2. Re:malware-free system? by httptech · · Score: 2, Insightful

      The actual quote in my analysis is "unless you are a malware expert..."

      Running a liveCD with a rootkit scanner and an antivirus isn't going to cut it - you have to have the knowledge to know what to go after - you'd be surprised at how much malware doesn't get detected by scanners even months after its been released.

      Although I might use liveCDs myself to do malware recovery, average users are going to be in over their heads. So I didn't mention it.

      -Joe

    3. Re:malware-free system? by linuxwood · · Score: 2, Insightful

      You do not need a rootkit to turn a linux box into a spam-bot... All it takes is one bad cgi/php page in a Web Hosting environment (100+ virtual sites) for a perl spam proxy to get launched from tmp on an unprotected port. Matt Wright has kept all the bad web developers in the business of poor web code for years.

      I cannot tell you how many bad contact me web pages exist on the Internet with many of the worst being on Linux et al. Things like mod_security and PHP safe mode only mitigate certains cases. Its a pain plugging the holes of customer application code no matter how secure the operating system you are using to service them.

  2. To clarify... by Drinian · · Score: 1, Insightful
    The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.

    :s/reinstall the operating system/install Linux/g

  3. Makes you wonder what else is going on by perkr · · Score: 5, Insightful

    Spam is one thing, but once you got access to the machine, getting logins and passwords for online stock and bank account services via a keylogger is completely different. I wonder how much stuff is silently running on users machines right now...

    1. Re:Makes you wonder what else is going on by Pantero+Blanco · · Score: 5, Insightful

      You'd also end up with many more dead cops, and much more sympathy for those criminals. If the penalty for dealing pot or prostitution was death or life in prison, I for one would offer safe haven and protection to pot dealers and prostitutes.

  4. Re:It's a bird. It's a plane. It's TC! by mrbcs · · Score: 5, Insightful

    Every game I buy, before installation, I go to gamecopyworld.com and get the no-cd patch. I friggin HATE putting the cd in every stinkin time I want to play a game.

    --
    I'm not anti-social, I'm anti-idiot.
  5. Need to hold users responsible. by Rotten168 · · Score: 5, Insightful

    If you are a computer user, you are responsible for the problems they are creating. ISP's need to inform people they have bots and if they are infecting other computers they need their internet access dropped. Tough love.

  6. Need to hold ISP's responsible by RKBA · · Score: 4, Insightful

    "ISP's need to inform people they have bots and if they are infecting other computers they need their internet access dropped."

    In my experience, the cable installers are clueless. When I switched from DSL to Cable, the cable installers (two of them, one was a trainee) hooked up their cable to my router/hardware firewall and everything was fine. Then the senior guy asked if he could hook up their cable box directly to my computer to show the trainee how they normally do things. After booting into a spare version of the OS that I only use for maintenance (which is on a different partition than my regular OS), I let him hook his cable directly up to my computer, bypassing my router. Within about 20 seconds my antivirus program detected and reported a virus attack, although I forget the exact details because it was several years ago.

    The point is that the cable installers connect their cable up to new subscribers computers without even checking their virus protection, and the naive users computers are probably infected before the installers drive away. The ISP would be far better off supplying hardware router/firewalls to their customers gratis because of the reduced traffic load from zombie computers.

    --
    9/11 Eyewitnesses to Explosive WTC Demolition 1 of 2
  7. Re:Reinstalling is not always the answer by Thunderbear · · Score: 2, Insightful

    I congratulate you on your efficiency.

    But how can you be _certain_ that you got them all, and that your boss is not still infected?

    --

    --
    Thorbjørn Ravn Andersen "...and...Tubular Bells!"
  8. Re:Reinstalling is not always the answer by leenks · · Score: 4, Insightful

    How do you know? At any given time virus / spyware checkers only get between 30 and 50 percent of malware that is currently being used, and it takes several months before they eventually get detected. If you can remove stuff that nobody else can detect, you are doing pretty well.

  9. For the record... by httptech · · Score: 1, Insightful

    It not like I'm the only one who ever figured out how to spy on botnet control channels. This has been going on for years. Some researchers only spy on the botnet to find out what the botnet is being used for. Some even take it upon themselves to try and "clean" the infected systems of the bots (Mocbot has a "remove" command, by the way, but you have to have the correct user@host mask). Botherders sometimes even spy on each others channels, to try and take control of less-protected botnets from other botherders.

    -Joe

  10. Why do you rob banks? by twitter · · Score: 5, Insightful

    ... because that's where the money is.

    You write about root kits and declare:

    Just by the virtue of the large number of x86 Linux servers exposed to the Intarweb, there must be thousands of systems just waiting to be rooted. Fortunately for "us", there are millions of exposed Windows client PCs running as Adminstator, begging to be owned.

    As if the only difference was numbers. The other difference, or so claim the FUDsters, is that "Linux is for servers." You know, like banks and businesses that handle real money. Given the profile and importance of those targets, you would think they would be hit all the time and that we would hear about it as we hear of IIS exploits. For some reason we don't hear anything, despite the very open nature of the people running the software. It would seem that there's more at work than numbers here.

    On the desktop there's another crucial difference, the ease of recovery. In the Windoze world, you pull out your ancient "original" CD and put the same broken crap right back on your machine. It wipes out all your documents and setting so you suffer a loss for no gain. Then you are rooted again in about 12 minutes after hooking up to a network. In the free world, you do a net install and get the latest and greatest of everything, without losing anything at all. A few extra steps can make sure the root kit is not in your home directory. The easiest is to chmod file in your home directory to no execute. In the very worst case you can chmod and then tar up the documents you worry about and start fresh with your settings, like in the windoze world but much easier.

    --

    Friends don't help friends install M$ junk.

    1. Re:Why do you rob banks? by Nutria · · Score: 3, Insightful
      Just by the virtue of the large number of x86 Linux servers exposed ... there must be thousands of systems

      As if the only difference was numbers. The other difference, or so claim the FUDsters, is that "Linux is for servers." You know, like banks and businesses that handle real money. Given the profile and importance of those targets, you would think they would be hit all the time and that we would hear about it as we hear of IIS exploits. For some reason we don't hear anything, despite the very open nature of the people running the software. It would seem that there's more at work than numbers here.


      Re-read my post, and then think.

      Some Linux servers will be vulnerable. Even if only 0.1% of Linux systems are vulnerable thru SysAdmin neglect or unfixed bugs, if there are 10^6 systems there will be 1000 vulberable systems.

      (I say servers because Linux desktops tend not to expose services to the Internet.)

      --
      "I don't know, therefore Aliens" Wafflebox1
    2. Re:Why do you rob banks? by Anonymous Coward · · Score: 5, Insightful

      What do you think the C&C machines are running?

      Linux servers, especially colocated ones, tend to have a much higher uptime; in addition, the ircds and other servers they run tend to run best (or only) on Linux. A Linux shell box is a lot more useful to a blackhat than a Windows drone. This makes them individually more attractive targets.

      Imagine you're a blackhat. So what you're after, for a C&C server, is someone else's poorly-maintained Linux box; the one that the admin thinks is impenetrable, because it runs Linux, and so hasn't updated it or even looked at it in ages. It's going to have a high uptime, because it almost never reboots because the guy never installs a new kernel on it. You can probably spy out the uptime quietly in advance via the usual trickery, because some admin thought Linux boxes don't need firewalls. And you're most likely going to get in through a PHP hole (application or language, it doesn't matter when the language and common software is that poorly designed) or if it's really out of date an Apache or MySQL hole - because it's probably a almost-never-used webserver.

      And then you're going to install a rootkit - think l10n, only more so (there are actually some seriously hardcore Linux rootkits that blow pretty much all of the public rootkits for Windows out of the water when it comes to stealth; and this is why) - and then you're going to patch it, so no-one else roots your new 0wned C&C box, because nothing sucks more than some other blackhat stealing your botnet.

      Next thing you know, bam, the thing's running a modified hybrid-ircd or something, and is one of the magic servers you encoded in your trojan to which the Windows drones are connecting back, or one of the webservers they are getting the spam proxy or spyware installer from; and thus you, the blackhat, earning nice fat sums of cash on the back of one or two Linux servers and a few hundred or thousand random Windows machines.

      So, don't discount the threat. All operating systems need patching and good security practice to run safely.

      And 0.1% seems like a low estimate; remember Linux distributions, especially server-oriented ones, tend not to have an automatic update feature (with good reason, to a point), so they do require manual intervention to patch. With appropriate care and feeding they are of course not just fine, but can be really quite secure; but neglected, it's a whole different story. Think closer to 2-3% as being a potential problem, and almost 5% in some (LAMP) brackets.

    3. Re:Why do you rob banks? by Nutria · · Score: 2, Insightful
      So what? You want to replace that with systems that are ALL vulnerable to multiple attacks regardless of the competence of the administrator?

      What gives you that idea?

      Because I recognize that Linux distros are not perfect, not all SysAdmins are up to snuff, and not all security bugs in all *ix apps have been discovered and patched, you think I am a Windows fanboi?

      --
      "I don't know, therefore Aliens" Wafflebox1
  11. Moo by Chacham · · Score: 2, Insightful

    The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.

    Or MD5 everything.

    --
    Have you read my journal today?
  12. Live CD Virus Scanner by Nom+du+Keyboard · · Score: 3, Insightful

    What users need, and I'm continually surprised that it isn't here already, is a Live CD Virus scanner. Download the ISO, burn the CD, boot it on suspect machines, and let it do the job of reading your system disc as a simple data disc. The idea that a program running on an infected system can spot and remove the infection seems questionable at best.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  13. Re:bot free, really... by arivanov · · Score: 2, Insightful

    Flamebait, but I will take it.

    The first time I have seen stealth kernel mode rootkits in the wild for Linux and Solaris was Dec 1996. This is nearly 10 years ago. As a matter of fact in this area Linux and Solaris were first and Windows did not really follow until 2K became commonplace in the home. From there on the malware writers came back and hacked 98 and me.

    So your optimism regarding SloWarez is misplaced and misguided.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/