Slashdot Mirror


Eavesdropping on a Botnet

wild3rbeast writes "Joe Stewart, a senior security researcher with LURHQ's Threat Intelligence Group has figured out a way to silently spy on a botnet's command-and-control infrastructure, and finds that for-profit crackers are clearly winning the cat-and-mouse game against entrenched anti-virus providers. From the article: 'The lesson here is once you get infected, you are completely under the control of the botmaster. He can put whatever he wants on your machine, and there's no way to be 100 percent sure that the machine is clean. The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.'"

47 of 185 comments

  1. bot free, really... by MeatFlap3 · · Score: 2
    I would imagine this applies only to the BORG boxes out there... So if you are running Solaris on SPARC, are you safe from these bots?

    -r

    1. Re:bot free, really... by arivanov · · Score: 2, Insightful

      Flamebait, but I will take it.

      The first time I saw stealth kernel-mode rootkits in the wild for Linux and Solaris was Dec 1996. That is nearly 10 years ago. As a matter of fact, in this area Linux and Solaris were first and Windows did not really follow until 2K became commonplace in the home. From there on the malware writers came back and hacked 98 and Me.

      So your optimism regarding SloWarez is misplaced and misguided.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
  2. malware-free system? by Anonymous Coward · · Score: 4, Insightful

    "The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system." ...or to run a live-CD version of some OS where all you need to do is reboot.
    Options abound: Linux, BSD, Windo... oh, forget about that last one

    1. Re:malware-free system? by JamesTRexx · · Score: 4, Interesting

      Sort of like my first reaction, "The only way to be sure is to run something that is not Windows".

      Until someone creates something that can infect the various *nixes that is.

      --
      home
    2. Re:malware-free system? by Nested · · Score: 5, Funny

      Until someone creates something that can infect the various *nixes that is. Or an asteroid destroys Earth.

    3. Re:malware-free system? by marcello_dl · · Score: 2, Interesting

      How come a security guy doesn't mention live CDs? I seem to recall somebody did a live Windows CD. Personally I'd go for a free live distro: I'd boot from it and download clam or similar stuff to scan the HD. Unless the guy meant there could always be a rootkit not detectable by a current antivirus. But this level of paranoia should make you reinstall your OS every time you use your PC... and never install closed stuff like Windows, anyway.

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    4. Re:malware-free system? by Nutria · · Score: 4, Insightful
      Until someone creates something that can infect the various *nixes that is.

      It's called a rootkit. They've been around for years.

      Find a *ix server that's running a vulnerable process listening on an exposed port (DNS, ssh, ftp, http, pop, imap, smtp, whatever). Root that box and install your malware.

      Just by the virtue of the large number of x86 Linux servers exposed to the Intarweb, there must be thousands of systems just waiting to be rooted.

      Fortunately for "us", there are millions of exposed Windows client PCs running as Administrator, begging to be owned.

      --
      "I don't know, therefore Aliens" Wafflebox1
    5. Re:malware-free system? by httptech · · Score: 2, Insightful

      The actual quote in my analysis is "unless you are a malware expert..."

      Running a liveCD with a rootkit scanner and an antivirus isn't going to cut it - you have to have the knowledge to know what to go after - you'd be surprised at how much malware doesn't get detected by scanners even months after it's been released.

      Although I might use liveCDs myself to do malware recovery, average users are going to be in over their heads. So I didn't mention it.

      -Joe

    6. Re:malware-free system? by linuxwood · · Score: 2, Insightful

      You do not need a rootkit to turn a Linux box into a spam-bot... All it takes is one bad cgi/php page in a Web Hosting environment (100+ virtual sites) for a perl spam proxy to get launched from tmp on an unprotected port. Matt Wright has kept all the bad web developers in the business of poor web code for years.

      I cannot tell you how many bad "contact me" web pages exist on the Internet, with many of the worst being on Linux et al. Things like mod_security and PHP safe mode only mitigate certain cases. It's a pain plugging the holes of customer application code no matter how secure the operating system you are using to service them.

  3. It's a bird. It's a plane. It's TC! by Anonymous Coward · · Score: 3, Funny

    "The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system."

    Trusted Computing to the rescue!

    1. Re:It's a bird. It's a plane. It's TC! by l33t+gambler · · Score: 5, Interesting
      Trusted Computing to the rescue!

      Absolutely! Trusted Computing is made to protect consumers from potential threats, but will it let consumers decide what is trustworthy? I recently discovered I had a UAService7.exe running in my Task Manager. After a search I found it is a SecuROM service, and lo and behold there's a service with that name in Services.

      I can't remember being asked by a game or application to install such a service, and I don't know how to remove it as there's no reference to it in either Start Menu or Add/Remove Programs.

      http://jooh.no/root/torrents/trusted-computing.torrent
      --
      Teasing the nobles, and rightfully so!
    2. Re:It's a bird. It's a plane. It's TC! by The+MAZZTer · · Score: 5, Informative

      Some games use it for CD verification. If you tamper with it (i.e. remove it) the game will likely fail its CD check and no longer run.

      I have a game that uses it, you probably agree to it in the EULA somewhere. I forget which game it was...

      Oh and I can't help but notice, as others have before me, that software pirates are not encumbered by these restrictions and bloatware, while legitimate customers are forced to use it.

    3. Re:It's a bird. It's a plane. It's TC! by mrbcs · · Score: 5, Insightful

      Every game I buy, before installation, I go to gamecopyworld.com and get the no-cd patch. I friggin HATE putting the cd in every stinkin time I want to play a game.

      --
      I'm not anti-social, I'm anti-idiot.
  4. Next opportunity by QuantumFTL · · Score: 5, Interesting

    Perhaps the next opportunity for profit in this game is to hack other people's botnets to bend to your own purposes? Probably a lot less risky than hacking thousands of potentially litigious members of the public. Secure encryption would stop most of this, however the master endpoint computer would still have some vulnerability.

    1. Re:Next opportunity by Enoxice · · Score: 4, Funny

      I can see it now: In the future there will only be one botnet, then the entire hacking community will just be a big game of RootThisBox (http://rootthisbox.org/) (hmm...RTBs website seems to be redirecting to HackThisSite for some reason).

      --
      Anyone else think the comments just weren't rendering right before they turned off ABP and saw ads?
  5. PC Clinic by Short+Circuit · · Score: 5, Informative

    At my computer club's PC Clinic, I set up Ethereal on our network gateway computer, to keep track of things. You can easily see this kind of crap going on.

    1. Re:PC Clinic by Short+Circuit · · Score: 2, Interesting

      are you sure you can tell what's going on?

      Well, systems are only connected to our network for a few hours at most. Less, if we see traffic that bothers us. Like this last time, two of the machines started scanning all the IPs on the class C subnets adjacent to the subnet we were using. We put a stop to that. The only botnet activity I saw was repeated attempts to connect to the IRC port of a domain name. However, that domain had expired, so the bots couldn't connect.

      I'm looking around for a way to prevent machines on our network from talking to each other...putting each one on its own subnet seems like a good idea, but I don't know how to set up Linux dhcp to do it.
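A worked example of the kind of gateway-side check described in the comment above, added here as an illustration and not code from the commenter: it reads connection-summary lines in a constructed format (`<time> <src> -> <dst>:<port>`, made up for this example, not a real Ethereal capture) and flags the two behaviours mentioned in the post, a local host touching many addresses in the subnets adjacent to the LAN, and repeated connection attempts from one host to one IRC endpoint. The LAN range, the thresholds and the sample lines are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed LAN behind the gateway where the sniffer runs (an assumption for this example).
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
IRC_PORTS = {6667}       # the classic IRC port used by the C&C channels this thread discusses
SCAN_THRESHOLD = 8       # distinct adjacent-subnet hosts contacted before we call it a scan
BEACON_THRESHOLD = 3     # attempts to the same IRC endpoint before we call it beaconing

# Constructed connection-summary lines (made up for this example, not a real capture):
# "<time> <src> -> <dst>:<port>", one line per connection attempt seen at the gateway.
SAMPLE_LOG = """\
2006-03-01T10:00:00 192.168.1.10 -> 192.168.1.1:53
2006-03-01T10:00:01 192.168.1.10 -> 198.51.100.20:80
2006-03-01T10:00:02 192.168.1.23 -> 192.168.2.1:445
2006-03-01T10:00:02 192.168.1.23 -> 192.168.2.2:445
2006-03-01T10:00:02 192.168.1.23 -> 192.168.2.3:445
2006-03-01T10:00:03 192.168.1.23 -> 192.168.2.4:445
2006-03-01T10:00:03 192.168.1.23 -> 192.168.2.5:445
2006-03-01T10:00:03 192.168.1.23 -> 192.168.2.6:445
2006-03-01T10:00:04 192.168.1.23 -> 192.168.2.7:445
2006-03-01T10:00:04 192.168.1.23 -> 192.168.2.8:445
2006-03-01T10:00:05 192.168.1.23 -> 192.168.0.5:445
2006-03-01T10:00:06 192.168.1.77 -> 203.0.113.9:6667
2006-03-01T10:00:36 192.168.1.77 -> 203.0.113.9:6667
2006-03-01T10:01:06 192.168.1.77 -> 203.0.113.9:6667
2006-03-01T10:01:36 192.168.1.77 -> 203.0.113.9:6667
2006-03-01T10:02:00 192.168.1.10 -> 203.0.113.9:6667
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")


def adjacent_subnets(net):
    """The two networks of the same size immediately below and above net."""
    size = net.num_addresses
    base = int(net.network_address)
    return [ipaddress.ip_network(f"{ipaddress.ip_address(b)}/{net.prefixlen}")
            for b in (base - size, base + size)]


def parse(lines):
    """Yield (time, src, dst, port) for every well-formed line; anything else is skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            yield ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)


def analyse(lines, local_net=LOCAL_NET):
    """Return a list of findings: adjacent-subnet scans and IRC beaconing by local hosts."""
    adjacent = adjacent_subnets(local_net)
    touched = defaultdict(set)       # src -> distinct hosts it contacted in adjacent subnets
    irc_attempts = defaultdict(int)  # (src, dst, port) -> number of connection attempts
    for _ts, src, dst, port in parse(lines):
        if src not in local_net:
            continue                 # only our own machines are of interest here
        if any(dst in net for net in adjacent):
            touched[src].add(dst)
        if port in IRC_PORTS and dst not in local_net:
            irc_attempts[(src, dst, port)] += 1
    findings = []
    for src, hosts in sorted(touched.items()):
        if len(hosts) >= SCAN_THRESHOLD:
            findings.append({"kind": "adjacent-subnet-scan", "src": str(src), "hosts": len(hosts)})
    for (src, dst, port), n in sorted(irc_attempts.items()):
        if n >= BEACON_THRESHOLD:
            findings.append({"kind": "irc-beacon", "src": str(src),
                             "dst": f"{dst}:{port}", "attempts": n})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample above this reports one scanning host (nine distinct hosts across 192.168.0.0/24 and 192.168.2.0/24) and one beaconing host (four tries at the same IRC endpoint); the single IRC attempt by 192.168.1.10 stays below the threshold. The thresholds are the tuning knobs: set them from what the clinic's own traffic normally looks like rather than from these made-up numbers.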

  6. "Post to Slashdot" by Gopal.V · · Score: 2, Interesting
    It is the first time I've ever seen a "Post to Slashdot" icon on any news item.

    (yeah, I pretty much forgive the Digg one, everybody has those ...)

  7. Re:Happened to me. by Anonymous Coward · · Score: 5, Funny

    My house was robbed once... even with fully locked doors, up to date alarm company subscription, and a dog. For peace of mind, I decided blowing up the house was the best option. I've since moved to the woods and have been civilization free.

  8. Makes you wonder what else is going on by perkr · · Score: 5, Insightful

    Spam is one thing, but once you've got access to the machine, getting logins and passwords for online stock and bank account services via a keylogger is completely different. I wonder how much stuff is silently running on users' machines right now...

    1. Re:Makes you wonder what else is going on by Lusa · · Score: 2, Interesting

      Perhaps, but there is a massive flaw. This assumes that the people doing this can be caught and prosecuted. Chances are they aren't even on the same continent as the computer. Until the planet is under some kind of single law then this sort of thing will not work. I think it'd be easier and better to isolate and control network traffic. Have a safe known configuration of OS, programs, firewalls etc in a read only format that can quickly be ghosted back onto the hardware if an infection is detected. Sort of like a live CD but personalised. Of course, this would require an overhaul of the way things are done. But it needs to be done. Now, if we could get offensive firewalls as in Ghost in the Shell we could have some fun :D

    2. Re:Makes you wonder what else is going on by Pantero+Blanco · · Score: 5, Insightful

      You'd also end up with many more dead cops, and much more sympathy for those criminals. If the penalty for dealing pot or prostitution was death or life in prison, I for one would offer safe haven and protection to pot dealers and prostitutes.

  9. malware-free system?-Linux. by Anonymous Coward · · Score: 5, Funny

    "Until someone creates something that can infect the various *nixes that is."

    That's impossible. How do I know? Just "Ask Slashdot".

  10. Be sure... by shmlco · · Score: 4, Funny

    "The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system."

    I say we take off and nuke 'em all from orbit. It's the only way to be sure.

    --
    Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
  11. so many only/lonely ways. by mapkinase · · Score: 4, Funny
    The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.
    In other news: the only way to be completely sure your wife is not cheating on you is to whack her and her alleged boyfriend.
    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
  12. Steve Gibson did something akin to this by BertieBaggio · · Score: 5, Informative

    I know he may not be the most favourite of people around here, but Steve Gibson was able to spy on the IRC command & control channel of a botnet a few years ago. It was precipitated by a DDoS on his site, which he investigated rather thoroughly.

    Link to the article (...long article warning)

    Some of the article is quite interesting, some is obvious, some is ego-boosting self-congratulatory statements, and some of it is his "teh XP can create complete 'UNIX sockets' OH NOES!" propaganda. Still worth a read, even if it is a few years old.

    --
    If all you have is a grenade, pretty soon every problem looks like a foxhole -- MightyYar
  13. Need to hold users responsible. by Rotten168 · · Score: 5, Insightful

    If you are a computer user, you are responsible for the problems they are creating. ISPs need to inform people they have bots, and if they are infecting other computers they need their internet access dropped. Tough love.

  14. Reinstalling is not always the answer by electronerdz · · Score: 2, Interesting

    There is no reason to just reinstall the operating system just because you got a little bit of spyware. Only about 1% of the machines that I have worked on because of spyware have I had to reinstall the operating system. The infection can always be completely gotten rid of. I've only had callbacks about spyware that I missed about 3 times. And for all I know, it was because the user went and downloaded something again that put it on there (like Party Poker, etc). And it can all be done with just a handful of tools (where AdAware is NOT included), and a little bit of creative thinking. For example, recently, I booted a computer into safe mode and used AVG Free to check for viruses. It picked up about 3000 "Trojan.Downloaders." Once it found them, I hit delete for all of them. It took about 30 seconds a file (you do the math). Well, I had two hours before the guy got on a plane. So I exported the list to CSV. Opened it in Excel, deleted all columns except the file names, and put a "del" column to the front. Save, rename to .bat or .cmd, and run. They were deleted in about 20 seconds.

    --
    Kernel Krunch - Part of a Complete OS
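The CSV-to-batch trick above has one practical catch: a bare `del C:\Documents and Settings\...` line is split by cmd.exe on the spaces and deletes the wrong thing or nothing. The following is an added example, not the commenter's script: it parses a constructed scanner export (the column names `File` and `Infection` and the sample rows are assumptions, not real AVG output), drops clean, relative and duplicate rows, and emits properly quoted `del` lines. The generated file is meant to be read before it is run.

```python
import csv
import io
import re

# Constructed sample of a scanner's CSV export (made up for this example, not real AVG
# output). Column names are assumed; pass path_col / infection_col for a real export.
SAMPLE_CSV = r"""File,Infection,Result
C:\Documents and Settings\bob\Local Settings\Temp\a1.exe,Trojan.Downloader.Small,Detected
C:\WINDOWS\system32\xyz123.dll,Trojan.Downloader.Agent,Detected
C:\Program Files\Legit App\app.exe,,Clean
C:\Documents and Settings\bob\Local Settings\Temp\a1.exe,Trojan.Downloader.Small,Detected
..\relative\oops.exe,Trojan.Downloader.Small,Detected
"""

ABS_WIN_PATH = re.compile(r"^[A-Za-z]:\\")   # drive letter, colon, backslash


def deletion_targets(csv_text, path_col="File", infection_col="Infection"):
    """Absolute, deduplicated paths of rows the scanner flagged; clean and relative rows are dropped."""
    targets, seen = [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = (row.get(path_col) or "").strip()
        if not (row.get(infection_col) or "").strip():
            continue        # scanner reported nothing for this file
        if not ABS_WIN_PATH.match(path):
            continue        # a relative path would resolve against wherever the .cmd is run from
        key = path.lower()  # Windows paths are case-insensitive, so dedupe case-insensitively
        if key in seen:
            continue
        seen.add(key)
        targets.append(path)
    return targets


def batch_script(paths):
    """Build the .cmd text. Each path is double-quoted so spaces survive; /f removes read-only
    files and /q suppresses the per-file prompt. Lines are CRLF-terminated for cmd.exe."""
    lines = ["@echo off", "rem generated from scanner export; review before running"]
    lines += [f'del /f /q "{p}"' for p in paths]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(batch_script(deletion_targets(SAMPLE_CSV)), end="")
```

Deleting the flagged files is only the first step, and the replies below make the right point: a batch file cannot tell you whether the scanner saw everything, so the list is best kept as a record of what was removed, to compare against a later scan.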
    1. Re:Reinstalling is not always the answer by Thunderbear · · Score: 2, Insightful

      I congratulate you on your efficiency.

      But how can you be _certain_ that you got them all, and that your boss is not still infected?

      --
      Thorbjørn Ravn Andersen "...and...Tubular Bells!"
    2. Re:Reinstalling is not always the answer by leenks · · Score: 4, Insightful

      How do you know? At any given time virus / spyware checkers only get between 30 and 50 percent of malware that is currently being used, and it takes several months before they eventually get detected. If you can remove stuff that nobody else can detect, you are doing pretty well.

    3. Re:Reinstalling is not always the answer by Anonymous Coward · · Score: 2, Funny

      You are a pseudo-geek with a handful of windoze skills who has no idea how much he doesn't know. Congratulations on writing some crappy .bat script, you are officially eligible to work in the tech support department at Best Buy.

  15. Windows LiveCD by Coopjust · · Score: 2, Interesting

    The Windows live CD you are thinking about is BartPE, but it's not as easy to use or set up as a Linux LiveCD.

    I did set up one myself. It works pretty well once set up.

    1. Re:Windows LiveCD by Anonymous Coward · · Score: 2, Informative

      Actually, I think the one you are thinking of is Ultimate Boot CD for Windows http://www.ubcd4win.com/ which is a very functional live cd. Also has numerous other tools that make cleaning an infected system, creating admin accounts, and other cool maintenance a breeze.

    2. Re:Windows LiveCD by poolmeister · · Score: 2, Informative

      UBCD for Windows is just a collection of Bart's PE plugins to help you build your own Windows Live CD from Bart's PE and your Windows disk. Even then it's only really a maintenance CD; you wouldn't want to use it as a live boot OS. I've tried it on many PCs in the past and I've never been able to get networking going once.
      Windows is inherently a bad choice for a live boot OS because of the messy issue of having as many 3rd-party drivers as possible loaded into the image.

      Linux distros are now miles ahead of Windows when it comes to hardware detection on first boot.

      --
      CN=poolmeister.OU=lurkers.CN=slashdot
    3. Re:Windows LiveCD by ozmanjusri · · Score: 3, Funny
      Windows is NOT like Linux in many respects, one is that you actually have to pay over and over and over again for someone else's hard work

      Fixed that for you.

      --
      "I've got more toys than Teruhisa Kitahara."
  16. Server counterpart to this by Alex+Belits · · Score: 4, Informative

    How a server got compromised and ran a Paypal scam site for two days, a more technical explanation of what happened, and how to (and how not to) make Yahoo block the accounts involved. Of course, the idea that a compromised machine can in any way be trusted sounds like one of the stupidest things ever thought up by a human.

    --
    Contrary to the popular belief, there indeed is no God.
  17. Re:Happened to me. by JoeCommodore · · Score: 4, Funny
    This needs some re-working

    My house was robbed once...

    It was one of those cheap houses, you know using old materials and not the best contractors (the doors and windows would not always close properly.)

    even with fully locked doors, up to date alarm company subscription, and a dog.

    Though that brand of locks use one of five common keys, and the alarm company sometimes works with other companies to let marketers in, and the dog, as vigilant as he is, is just a dog and frankly pretty stupid.

    For peace of mind, I decided blowing up the house was the best option. I've since moved to the woods and have been civilization free.

    Actually it was more like a posh wooded suburb gated-community thing, where all the prices are higher and the selection is more limited, but the cars are to die for. I don't even associate with my old neighbors much anymore. My kids and wife are much happier and I have a lot less stress about stuff like that.

    Now if it were Linux, you would probably be in the woods, in some commune, inside an abandoned high security military bunker, with a lot of really smart people that don't socialize all that well.

    --
    "Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
  18. Need to hold ISPs responsible by RKBA · · Score: 4, Insightful

    "ISPs need to inform people they have bots and if they are infecting other computers they need their internet access dropped."

    In my experience, the cable installers are clueless. When I switched from DSL to Cable, the cable installers (two of them, one was a trainee) hooked up their cable to my router/hardware firewall and everything was fine. Then the senior guy asked if he could hook up their cable box directly to my computer to show the trainee how they normally do things. After booting into a spare version of the OS that I only use for maintenance (which is on a different partition than my regular OS), I let him hook his cable directly up to my computer, bypassing my router. Within about 20 seconds my antivirus program detected and reported a virus attack, although I forget the exact details because it was several years ago.

    The point is that the cable installers connect their cable up to new subscribers' computers without even checking their virus protection, and the naive users' computers are probably infected before the installers drive away. The ISP would be far better off supplying hardware router/firewalls to their customers gratis because of the reduced traffic load from zombie computers.

  19. Too easy... by MoogMan · · Score: 4, Funny

    My house was robbed once... even with fully locked doors, up to date alarm company subscription, and a dog.

    You probably had Windows...

  20. Why do you rob banks? by twitter · · Score: 5, Insightful

    ... because that's where the money is.

    You write about root kits and declare:

    Just by the virtue of the large number of x86 Linux servers exposed to the Intarweb, there must be thousands of systems just waiting to be rooted. Fortunately for "us", there are millions of exposed Windows client PCs running as Administrator, begging to be owned.

    As if the only difference was numbers. The other difference, or so claim the FUDsters, is that "Linux is for servers." You know, like banks and businesses that handle real money. Given the profile and importance of those targets, you would think they would be hit all the time and that we would hear about it as we hear of IIS exploits. For some reason we don't hear anything, despite the very open nature of the people running the software. It would seem that there's more at work than numbers here.

    On the desktop there's another crucial difference, the ease of recovery. In the Windoze world, you pull out your ancient "original" CD and put the same broken crap right back on your machine. It wipes out all your documents and settings so you suffer a loss for no gain. Then you are rooted again in about 12 minutes after hooking up to a network. In the free world, you do a net install and get the latest and greatest of everything, without losing anything at all. A few extra steps can make sure the root kit is not in your home directory. The easiest is to chmod the files in your home directory to no execute. In the very worst case you can chmod and then tar up the documents you worry about and start fresh with your settings, like in the windoze world but much easier.

    --
    Friends don't help friends install M$ junk.

    1. Re:Why do you rob banks? by Nutria · · Score: 3, Insightful
      Just by the virtue of the large number of x86 Linux servers exposed ... there must be thousands of systems

      As if the only difference was numbers. The other difference, or so claim the FUDsters, is that "Linux is for servers." You know, like banks and businesses that handle real money. Given the profile and importance of those targets, you would think they would be hit all the time and that we would hear about it as we hear of IIS exploits. For some reason we don't hear anything, despite the very open nature of the people running the software. It would seem that there's more at work than numbers here.


      Re-read my post, and then think.

      Some Linux servers will be vulnerable. Even if only 0.1% of Linux systems are vulnerable through SysAdmin neglect or unfixed bugs, if there are 10^6 systems there will be 1000 vulnerable systems.

      (I say servers because Linux desktops tend not to expose services to the Internet.)

      --
      "I don't know, therefore Aliens" Wafflebox1
    2. Re:Why do you rob banks? by Anonymous Coward · · Score: 5, Insightful

      What do you think the C&C machines are running?

      Linux servers, especially colocated ones, tend to have a much higher uptime; in addition, the ircds and other servers they run tend to run best (or only) on Linux. A Linux shell box is a lot more useful to a blackhat than a Windows drone. This makes them individually more attractive targets.

      Imagine you're a blackhat. So what you're after, for a C&C server, is someone else's poorly-maintained Linux box; the one that the admin thinks is impenetrable, because it runs Linux, and so hasn't updated it or even looked at it in ages. It's going to have a high uptime, because it almost never reboots because the guy never installs a new kernel on it. You can probably spy out the uptime quietly in advance via the usual trickery, because some admin thought Linux boxes don't need firewalls. And you're most likely going to get in through a PHP hole (application or language, it doesn't matter when the language and common software is that poorly designed) or if it's really out of date an Apache or MySQL hole - because it's probably an almost-never-used webserver.

      And then you're going to install a rootkit - think l10n, only more so (there are actually some seriously hardcore Linux rootkits that blow pretty much all of the public rootkits for Windows out of the water when it comes to stealth; and this is why) - and then you're going to patch it, so no-one else roots your new 0wned C&C box, because nothing sucks more than some other blackhat stealing your botnet.

      Next thing you know, bam, the thing's running a modified hybrid-ircd or something, and is one of the magic servers you encoded in your trojan to which the Windows drones are connecting back, or one of the webservers they are getting the spam proxy or spyware installer from; and thus you, the blackhat, are earning nice fat sums of cash on the back of one or two Linux servers and a few hundred or thousand random Windows machines.

      So, don't discount the threat. All operating systems need patching and good security practice to run safely.

      And 0.1% seems like a low estimate; remember Linux distributions, especially server-oriented ones, tend not to have an automatic update feature (with good reason, to a point), so they do require manual intervention to patch. With appropriate care and feeding they are of course not just fine, but can be really quite secure; but neglected, it's a whole different story. Think closer to 2-3% as being a potential problem, and almost 5% in some (LAMP) brackets.

    3. Re:Why do you rob banks? by Nutria · · Score: 2, Insightful
      So what? You want to replace that with systems that are ALL vulnerable to multiple attacks regardless of the competence of the administrator?

      What gives you that idea?

      Because I recognize that Linux distros are not perfect, not all SysAdmins are up to snuff, and not all security bugs in all *ix apps have been discovered and patched, you think I am a Windows fanboi?

      --
      "I don't know, therefore Aliens" Wafflebox1
    4. Re:Why do you rob banks? by Nutria · · Score: 3, Funny
      someone else's poorly-maintained Linux box; the one that the admin thinks is impenetrable, because it runs Linux, and so hasn't updated it or even looked at it in ages.

      Sacrilege! Sacrilege, you Windows fanboi!!!! How dare you criticize the Holy Penguin!!!!!!!!!!

      --
      "I don't know, therefore Aliens" Wafflebox1
  21. Moo by Chacham · · Score: 2, Insightful

    The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.

    Or MD5 everything.

  22. Live CD Virus Scanner by Nom+du+Keyboard · · Score: 3, Insightful

    What users need, and I'm continually surprised that it isn't here already, is a Live CD Virus scanner. Download the ISO, burn the CD, boot it on suspect machines, and let it do the job of reading your system disc as a simple data disc. The idea that a program running on an infected system can spot and remove the infection seems questionable at best.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
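The two ideas above, hashing everything and checking the disk from a separate boot medium, come together in a file-integrity baseline. The following is an added example, not code from either commenter: it hashes every regular file under a directory, writes the digests in the `digest  path` layout, and later reports which files were added, removed or modified. It uses SHA-256 rather than MD5 (a deliberate substitution for this example, since MD5 collisions are cheap to produce); the `demo()` scenario is constructed in a temporary directory and its file names are made up. Two caveats a practitioner would add: the baseline is only as trustworthy as the system it was taken on, and both the baseline and the checker have to live off the suspect machine and run from a clean boot, otherwise a rootkit on the running system can feed the hasher whatever it likes.

```python
import hashlib
import os
import tempfile


def hash_file(path, algo="sha256", chunk=1 << 20):
    """Digest a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, algo="sha256"):
    """Map every regular file under root (path relative to root, '/'-separated) to its digest.
    Symlinks are skipped so a planted link cannot make the walk hash something outside the tree."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in sorted(dirnames) if not os.path.islink(os.path.join(dirpath, d))]
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full, algo)
    return manifest


def dump_manifest(manifest):
    """Serialise as 'digest  path' lines (the two-space layout sha256sum -c also reads)."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(manifest.items()))


def load_manifest(text):
    manifest = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split("  ", 1)
            manifest[path] = digest
    return manifest


def compare(baseline, current):
    """Classify differences; 'modified' is what a replaced binary or edited config shows up as."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a tiny tree, simulate tampering, re-check. Returns the diff."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in {"bin/ls": b"original ls",
                          "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
                          "etc/hosts": b"127.0.0.1 localhost\n"}.items():
            _write(root, rel, data)
        baseline_text = dump_manifest(build_manifest(root))   # in practice stored off the machine
        _write(root, "bin/ls", b"trojaned ls")                 # a binary was replaced
        _write(root, "lib/unexpected.so", b"dropped file")     # a new file appeared
        os.remove(os.path.join(root, "etc", "hosts"))          # a file went missing
        return compare(load_manifest(baseline_text), build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

Run against a real disk, `build_manifest` would be pointed at the mount point of the suspect drive, mounted read-only from the live CD, and the baseline text compared would be the copy taken right after the clean install.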
  23. reinstall troubles... by Tom · · Score: 2, Informative

    The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.

    Yes, and your average user will quickly encounter another funny problem: he has a good chance of being infected again before the download of SP2 and/or the other security updates he needs in order not to be re-infected is finished...

    --
    Assorted stuff I do sometimes: Lemuria.org