Eavesdropping on a Botnet
wild3rbeast writes "Joe Stewart, a senior security researcher with LURHQ's Threat Intelligence Group has figured out a way to silently spy on a botnet's command-and-control infrastructure, and finds that for-profit crackers are clearly winning the cat-and-mouse game against entrenched anti-virus providers. From the article: 'The lesson here is once you get infected, you are completely under the control of the botmaster. He can put whatever he wants on your machine, and there's no way to be 100 percent sure that the machine is clean. The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.'"
Perhaps the next opportunity for profit in this game is to hack other people's botnets to bend to your own purposes? Probably a lot less risky than hacking thousands of potentially litigious members of the public. Secure encryption would stop most of this; however, the master endpoint computer would still have some vulnerability.
(yeah, I pretty much forgive the Digg one, everybody has those ...)
Quidquid latine dictum sit, altum videtur
Sort of like my first reaction, "The only way to be sure is to run something that is not Windows".
Until someone creates something that can infect the various *nixes that is.
Absolutely! Trusted Computing is made to protect consumers from potential threats, but will it let consumers decide what is trustworthy? I recently discovered I had a UAService7.exe running in my Task Manager. After a search I found it is a SecuROM service, and lo and behold there's a service with that name in Services.
I can't remember being asked by a game or application to install such a service, and I don't know how to remove it as there's no reference to it in either Start Menu or Add/Remove Programs.
http://jooh.no/root/torrents/trusted-computing.to
Teasing the nobles, and rightfully so!
Perhaps, but there is a massive flaw. This assumes that the people doing this can be caught and prosecuted. Chances are they aren't even on the same continent as the computer. Until the planet is under some kind of single law then this sort of thing will not work. I think it'd be easier and better to isolate and control network traffic. Have a safe known configuration of OS, programs, firewalls etc. in a read-only format that can quickly be ghosted back onto the hardware if an infection is detected. Sort of like a live CD but personalised. Of course, this would require an overhaul of the way things are done. But it needs to be done. Now, if we could get offensive firewalls as in Ghost in the Shell we could have some fun :D
How come a security guy doesn't mention live CDs? I seem to recall somebody did a live Windows CD. Personally I'd go for a free live distro; I'd boot from it and download clam or similar stuff to scan the HD. Unless the guy meant there could always be a rootkit not detectable by a current anti-virus. But this level of paranoia should make you reinstall your OS every time you use your PC... and never install closed stuff like Windows, anyway.
There is no reason to just reinstall the operating system just because you got a little bit of spyware. Only about 1% of the machines that I have worked on because of spyware have I had to reinstall the operating system. The infection can always be completely gotten rid of. I've only had call backs about spyware that I missed about 3 times. And for all I know, it was because the user went and downloaded something again that put it on there (like Party Poker, etc.). And it can all be done with just a handful of tools (where AdAware is NOT included), and a little bit of creative thinking. For example, recently, I booted a computer into safe mode and used AVG Free to check for viruses. It picked up about 3000 "Trojan.Downloaders." Once it found them, I hit delete for all of them. It took about 30 seconds a file (you do the math). Well, I had two hours before the guy got on a plane. So I exported the list to CSV. Opened it in Excel, deleted all columns except the file names, and put a "del" column to the front. Save, rename to .bat or .cmd, and run. They were deleted in about 20 seconds.
Kernel Krunch - Part of a Complete OS
The Windows live CD you are thinking about is BartPE, but it's not as easy to use or setup as a Linux LiveCD.
I did set up one myself. It works pretty well once set up.
I've one XP home box running.
(We play online poker ok?)
It got infected with this crap and started spewing spam. Primary cause of this is kid browsing BTW. They are the most likely to click on the baddies. Put 'yer kids on Linux or a Mac and lots of this just goes away.
Within a few hours I got a call on my cell. Asked me what I wanted to do. I said pull the plug if the box is still spewing in a few hours. (That was time enough for me to get home and deal.) I arrived home, pulled the plug on the offending box, started archiving data in preparation for a re-image. Shot off a quick e-mail asking them to check for baddies on their end just to be sure. All done, next.
This is exactly why the ISP consolidation is just horrible. Had we continued to have a high percentage of live and local ISP's, people would have someone they could trust to let them know things are not as they seem.
I know my ISP sysadmins by name. Most people should. I don't talk with them much, but when I need to, it's always worthwhile. Nice folks -- we need more of them.
BTW: Joey http://www.spiretech.com/ If you are in PDX, give them a call.
Blogging because I can...
are you sure you can tell what's going on?
Well, systems are only connected to our network for a few hours at most. Less, if we see traffic that bothers us. Like this last time, two of the machines started scanning all the IPs on the class C subnets adjacent to the subnet we were using. We put a stop to that. The only botnet activity I saw was repeated attempts to connect to the IRC port of a domain name. However, that domain had expired, so the bots couldn't connect.
I'm looking around for a way to prevent machines on our network from talking to each other...putting each one on its own subnet seems like a good idea, but I don't know how to set up Linux dhcp to do it.
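As an added illustration, not the poster's own tooling, here is how the two behaviours this post describes (a lab host sweeping the neighbouring class C subnets, and a bot repeatedly trying an IRC port on one C&C address) can be flagged from plain connection records. The "src dst dport" log format, the 10.20.5.0/24 lab segment, the sample records and the thresholds are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
# Constructed sample of outbound connection attempts seen from the lab
# segment, one "src dst dport" record per line (the format is an assumption).
SAMPLE_LOG = (
    # one infected host sweeps the next /24 on port 445
    [f"10.20.5.11 10.20.6.{i} 445" for i in range(1, 13)]
    # another keeps retrying an IRC C&C name that resolves to one address
    + ["10.20.5.12 203.0.113.9 6667"] * 5
    # a third host just fetches a web page
    + ["10.20.5.13 198.51.100.20 80"]
)
LAB_NET = ipaddress.ip_network("10.20.5.0/24")   # assumed lab segment
IRC_PORTS = {6667, 6697}
SCAN_MIN_HOSTS = 8    # distinct targets in a neighbouring /24 before it is a scan
BEACON_MIN_TRIES = 3  # repeated tries to one IRC endpoint before it is C&C
def parse(lines):
    """Yield (src, dst, port) tuples; malformed records are skipped."""
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1]), int(parts[2])
        except ValueError:
            continue

def adjacent_nets(net):
    """The same-size networks immediately below and above the lab segment."""
    size, base = net.num_addresses, int(net.network_address)
    return [ipaddress.ip_network((base + d, net.prefixlen))
            for d in (-size, size) if 0 <= base + d < 2 ** 32]

def find_scanners(events, lab_net=LAB_NET, min_hosts=SCAN_MIN_HOSTS):
    """Lab hosts that touched many distinct addresses in an adjacent /24."""
    neighbours = adjacent_nets(lab_net)
    targets = defaultdict(set)
    for src, dst, _port in events:
        if src in lab_net and any(dst in n for n in neighbours):
            targets[src].add(dst)
    return {str(s) for s, t in targets.items() if len(t) >= min_hosts}

def find_irc_beacons(events, min_tries=BEACON_MIN_TRIES):
    """(src, dst) pairs with repeated connection attempts to an IRC port."""
    tries = defaultdict(int)
    for src, dst, port in events:
        if port in IRC_PORTS:
            tries[(str(src), str(dst))] += 1
    return {pair: n for pair, n in tries.items() if n >= min_tries}
```

Both checks work on attempted connections, so a bot whose C&C domain has expired (as in this post) still shows up as a beacon even though it never gets a reply.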
An oversized rat tells me to think, and offers a lesson in proportions and exponents:
Re-read my post, and then think. Some Linux servers will be vulnerable. Even if only 0.1% of Linux systems are vulnerable thru SysAdmin neglect or unfixed bugs, if there are 10^6 systems there will be 1000 vulnerable systems.
So what? You want to replace that with systems that are ALL vulnerable to multiple attacks regardless of the competence of the administrator? Help me out Nutria, what are you trying to tell me? I don't see anything worth pondering above.
Friends don't help friends install M$ junk.
> The only way to be [completely] sure the system is
> malware-free is to completely wipe the hard drive
> and reinstall the operating system.'"
I am not sure of this. What about those hardware devices where one can upgrade the firmware without setting a jumper? In other words, everything happens in software. What if, say, malware replaces the BIOS on one such device? Then even an OS reinstall won't help. You are owned on a lower level than the OS. AFAIR, some modems were susceptible to this.
Vilmos