Eavesdropping on a Botnet
wild3rbeast writes "Joe Stewart, a senior security researcher with LURHQ's Threat Intelligence Group has figured out a way to silently spy on a botnet's command-and-control infrastructure, and finds that for-profit crackers are clearly winning the cat-and-mouse game against entrenched anti-virus providers. From the article: 'The lesson here is once you get infected, you are completely under the control of the botmaster. He can put whatever he wants on your machine, and there's no way to be 100 percent sure that the machine is clean. The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.'"
Perhaps the next opportunity for profit in this game is to hack other people's botnets to bend to your own purposes? Probably a lot less risky than hacking thousands of potentially litigious members of the public. Secure encryption would stop most of this; however, the master endpoint computer would still have some vulnerability.
(yeah, I pretty much forgive the Digg one, everybody has those ...)
Whatever is said in Latin sounds profound.
Sort of like my first reaction, "The only way to be sure is to run something that is not Windows".
Until someone creates something that can infect the various *nixes that is.
Absolutely! Trusted Computing is made to protect consumers from potential threats, but will it let consumers decide what is trustworthy? I recently discovered I had a UAService7.exe running in my Task Manager. After a search I found it is a SecuROM service, and lo and behold there's a service with that name in Services.
I can't remember being asked by a game or application to install such a service, and I don't know how to remove it as there's no reference to it in either Start Menu or Add/Remove Programs.
http://jooh.no/root/torrents/trusted-computing.to
Teasing the nobles, and rightfully so!
Perhaps, but there is a massive flaw. This assumes that the people doing this can be caught and prosecuted. Chances are they aren't even on the same continent as the computer. Until the planet is under some kind of single law then this sort of thing will not work. I think it'd be easier and better to isolate and control network traffic. Have a safe known configuration of OS, programs, firewalls etc in a read only format that can quickly be ghosted back onto the hardware if an infection is detected. Sort of like a live CD but personalised. Of course, this would require an overhaul of the way things are done. But it needs to be done. Now, if we could get offensive firewalls as in Ghost in the Shell we could have some fun :D
How come a security guy doesn't mention live CDs? I seem to recall somebody did a live Windows CD. Personally I'd go for a free live distro; I'd boot from it and download clam or similar stuff to scan the HD. Unless the guy meant there could always be a rootkit not detectable by a current anti-virus. But this level of paranoia should make you reinstall your OS every time you use your PC... and never install closed stuff like Windows, anyway.
There is no reason to just reinstall the operating system just because you got a little bit of spyware. Only about 1% of the machines that I have worked on because of spyware have I had to reinstall the operating system. The infection can always be completely gotten rid of. I've only had call backs about spyware that I missed about 3 times. And for all I know, it was because the user went and downloaded something again that put it on there (like Party Poker, etc). And it can all be done with just a handful of tools (where AdAware is NOT included), and a little bit of creative thinking. For example, recently, I booted a computer into safe mode and used AVG Free to check for viruses. It picked up about 3000 "Trojan.Downloaders." Once it found them, I hit delete for all of them. It took about 30 seconds a file (you do the math). Well, I had two hours before the guy got on a plane. So I exported the list to CSV. Opened it in Excel, deleted all columns except the file names, and put a "del" column to the front. Save, rename to .bat or .cmd, and run. They were deleted in about 20 seconds.
Kernel Krunch - Part of a Complete OS
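The CSV-to-batch trick described in the post above, as an added example that is not the poster's own script: it reads a scanner export, keeps only rows the scanner actually flagged, and writes quoted `del` commands so paths containing spaces survive (a bare "del" column pasted in a spreadsheet would split those). The CSV layout, column names and `;` delimiter are constructed assumptions, not AVG's real export format.

```python
"""Turn an anti-virus CSV export into a .cmd file of del commands (added example)."""
import csv
import io

# Constructed sample of a scanner's "export results" output; real exports differ,
# so column names and the delimiter are parameters below.
SAMPLE_CSV = """Object;Result;Action
C:\\WINDOWS\\Temp\\abc123.exe;Trojan horse Downloader.Generic;Detected
C:\\Documents and Settings\\bob\\Local Settings\\Temp\\x.dll;Trojan horse Downloader.Small;Detected
C:\\WINDOWS\\system32\\legit.dll;Clean;Skipped
"""


def detected_paths(csv_text, path_col="Object", result_col="Result", delimiter=";"):
    """Return the file paths the scanner flagged, skipping rows it marked clean."""
    reader = csv.DictReader(io.StringIO(csv_text), delimiter=delimiter)
    paths = []
    for row in reader:
        if row[result_col].strip().lower() == "clean":
            continue
        path = row[path_col].strip()
        # Only accept absolute drive paths; anything else is a malformed row, not a target.
        if len(path) < 3 or path[1:3] != ":\\":
            continue
        paths.append(path)
    return paths


def build_batch(paths):
    """Build the .cmd text. Each path is double-quoted so spaces do not split the
    argument; /f removes read-only files and /q suppresses confirmation prompts."""
    lines = ["@echo off"]
    for p in paths:
        lines.append('del /f /q "%s"' % p)
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # Print the script rather than running it, so it can be reviewed before use.
    print(build_batch(detected_paths(SAMPLE_CSV)))
```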
The Windows live CD you are thinking about is BartPE, but it's not as easy to use or set up as a Linux LiveCD.
I did set up one myself. It works pretty well once set up.
are you sure you can tell what's going on?
Well, systems are only connected to our network for a few hours at most. Less, if we see traffic that bothers us. Like this last time, two of the machines started scanning all the IPs on the class C subnets adjacent to the subnet we were using. We put a stop to that. The only botnet activity I saw was repeated attempts to connect to the IRC port of a domain name. However, that domain had expired, so the bots couldn't connect.
I'm looking around for a way to prevent machines on our network from talking to each other... putting each one on its own subnet seems like a good idea, but I don't know how to set up Linux DHCP to do it.
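The two behaviours the reply above says it watched for (hosts sweeping the adjacent class C subnets, and repeated connection attempts to an IRC port) as detection logic over constructed connection-log lines. This is an added example, not the poster's tooling; the log format (`time src dst dport flags`), the 10.20.5.0/24 lab subnet and the thresholds are assumptions.

```python
"""Flag subnet sweeps and IRC-port retries in a simple connection log (added example)."""
import ipaddress
from collections import defaultdict

LAB_NET = ipaddress.ip_network("10.20.5.0/24")  # constructed: subnet the infected hosts sit on

# Constructed log lines "time src dst dport flags": one host sweeps the next /24 on
# port 445, another retries the IRC port against one external address, one is benign.
SAMPLE_LOG = "\n".join(
    ["12:00:%02d 10.20.5.17 10.20.6.%d 445 SYN" % (i, i) for i in range(1, 13)]
    + ["12:00:10 10.20.5.40 198.51.100.7 6667 SYN",
       "12:00:40 10.20.5.40 198.51.100.7 6667 SYN",
       "12:01:10 10.20.5.40 198.51.100.7 6667 SYN",
       "12:01:12 10.20.5.23 93.184.216.34 80 SYN"])


def adjacent_nets(net):
    """The networks of the same size immediately below and above `net`."""
    base, size = int(net.network_address), net.num_addresses
    return {ipaddress.ip_network("%s/%d" % (ipaddress.ip_address(base + d), net.prefixlen))
            for d in (-size, size)}


def analyse(log_text, lab_net=LAB_NET, scan_threshold=10, irc_threshold=3, irc_ports=(6667,)):
    """Return hosts touching many addresses in neighbouring subnets and (src, dst)
    pairs that keep retrying an IRC port (the C&C pattern the poster describes)."""
    neighbours = adjacent_nets(lab_net)
    scan_targets = defaultdict(set)   # src -> distinct destinations inside neighbouring nets
    irc_attempts = defaultdict(int)   # (src, dst) -> connection attempts on an IRC port
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _time, src, dst, dport, _flags = line.split()
        dst_ip = ipaddress.ip_address(dst)
        if any(dst_ip in n for n in neighbours):
            scan_targets[src].add(dst)
        if int(dport) in irc_ports:
            irc_attempts[(src, dst)] += 1
    return {
        "scanners": {s: len(d) for s, d in scan_targets.items() if len(d) >= scan_threshold},
        "irc_beacons": {k: n for k, n in irc_attempts.items() if n >= irc_threshold},
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A hit in `irc_beacons` against a name that no longer resolves, as in the poster's expired-domain case, would show up in DNS logs rather than here; this only sees connections that reached the IP layer.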