Slashdot Mirror
Eavesdropping on a Botnet
wild3rbeast writes "Joe Stewart, a senior security researcher with LURHQ's Threat Intelligence Group has figured out a way to silently spy on a botnet's command-and-control infrastructure, and finds that for-profit crackers are clearly winning the cat-and-mouse game against entrenched anti-virus providers. From the article: 'The lesson here is once you get infected, you are completely under the control of the botmaster. He can put whatever he wants on your machine, and there's no way to be 100 percent sure that the machine is clean. The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.'"
"The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.'" ...or to run a live-CD version of some OS where all you need to do is reboot
options abound Linux, BSD, Windo... oh, forget about that last one
Perhaps the next opportunity for profit in this game is to hack other people's botnets to bend to your own purposes? Probably a lot less risky than hacking thousands of potentially litigous members of the public. Secure encryption would stop most of this, however the master endpoint computer would still have some vulnerability.
At my computer club's PC Clinic, I set up Ethereal on our network gateway computer, to keep track of things. You can easily see this kind of crap going on.
tasks(723) drafts(105) languages(484) examples(29106)
My house was robbed once... even with fully locked doors, up to date alarm company subscription, and a dog. For peace of mind, I decided blowing up the house was the best option. I've since moved to the woods and have been civilization free.
Spam is one thing, but once you got access to the machine, getting logins and passwords for online stock and bank account services via a keylogger is completely different. I wonder how much stuff is silently running on users machines right now...
"Until someone creates something that can infect the various *nixes that is."
That's impossible. How do I know. Just "Ask Slashdot".
Absolutely! Trusted Computing is made to protect consumers from potential threats, but will it let consumers decide what is trustworthy? I recently discovered I had a UAService7.exe running in my Task Manager. After a search I found it is a SecuROM service, and lo and behold theres a service with that name in Services.
I can't remember being asked by a game or application to install such a service, and I don't know how to remove it as there's no reference to it in either Start Menu or Add/Remove Programs.
http://jooh.no/root/torrents/trusted-computing.to
Teasing the nobles, and rightfully so!
"The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system."
I say we take off and nuke 'em all from orbit. It's the only way to be sure.
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
Some games use it for CD verification. If you tamper with it (ie remove it) the game will likely fail it's CD check and no longer run.
I have a game that uses it, you probably agree to it in the EULA somewhere. I forget which game it was...
Oh and I can't help but notice, as others have before me, that software pirates are not encumbered by these restrictions and bloatware, while legitimate customers are forced to use it.
Every game I buy, before installation, I go to gamecopyworld.com and get the no-cd patch. I friggin HATE putting the cd in every stinkin time I want to play a game.
I'm not anti-social, I'm anti-idiot.
I know he may not be the most favourite of people around here, but Steve Gibson was able to spy on the IRC command & control channel of a botnet a few years ago. It was precipitated by a DDoS on his site, which he investigated rather thoroughly.
Link to the article (...long article warning)
Some of the article is quite interesting, some is obvious, some is ego-boosting self-congratulatory statements, and some of it is his "teh XP can create complete 'UNIX sockets' OH NOES!" propaganda. Still worth a read, even if it is a few years old.
If all you have is a grenade, pretty soon every problem looks like a foxhole -- MightyYar
If you are a computer user, you are responsible for the problems they are creating. ISP's need to inform people they have bots and if they are infecting other computers they need their internet access dropped. Tough love.
How a server got compromised, and ran a Paypal scam site for two days, more technical explanation of what happened, and how to (and how not to) make Yahoo block the accounts involved. Of course, the idea that compromised machine can in any way be trusted, sounds like one of the stupidest things ever thought up by a human.
Contrary to the popular belief, there indeed is no God.
My house was robbed once...
It was one of those cheap houses, you know using old materials and not the best contractors (the doors and windows would not always close properly.)
even with fully locked doors, up to date alarm company subscription, and a dog.
Though that brand of locks use one of five common keys, and the alarm company sometimes works with other companies to let marketers in, and the dog, as vigient as he is is just a dog and frankly pretty stupid.
For peace of mind, I decided blowing up the house was the best option. I've since moved to the woods and have been civilization free.
Actually it was more like a posh wooded suburb gated-community thing, where all the prices are higher and the selection is more limited, but the cars are to die for. I don't even assoiate with my old neighbors much anymore. My kids ands wife are much more happier and I have a lot less stress about stuff like that.
Now if it were Linux, you would probably be in the woods, in some commune, inside an abandoned high security military bunker, whith a lot of really smart people that don't socialize all that well.
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
"ISP's need to inform people they have bots and if they are infecting other computers they need their internet access dropped."
In my experience, the cable installers are clueless. When I switched from DSL to Cable, the cable installers (two of them, one was a trainee) hooked up their cable to my router/hardware firewall and everything was fine. Then the senior guy asked if he could hook up their cable box directly to my computer to show the trainee how they normally do things. After booting into a spare version of the OS that I only use for maintenance (which is on a different partition than my regular OS), I let him hook his cable directly up to my computer, bypassing my router. Within about 20 seconds my antivirus program detected and reported a virus attack, although I forget the exact details because it was several years ago.
The point is that the cable installers connect their cable up to new subscribers computers without even checking their virus protection, and the naive users computers are probably infected before the installers drive away. The ISP would be far better off supplying hardware router/firewalls to their customers gratis because of the reduced traffic load from zombie computers.
9/11 Eyewitnesses to Explosive WTC Demolition 1 of 2
How do you know? At any given time virus / spyware checkers only get between 30 and 50 percent of malware that is currently being used, and it takes several months before they eventually get detected. If you can remove stuff that nobody else can detect, you are doing pretty well.
My house was robbed once... even with fully locked doors, up to date alarm company subscription, and a dog.
You probably had Windows...
... because that's where the money is.
You write about root kits and declare:
Just by the virtue of the large number of x86 Linux servers exposed to the Intarweb, there must be thousands of systems just waiting to be rooted. Fortunately for "us", there are millions of exposed Windows client PCs running as Adminstator, begging to be owned.
As if the only difference was numbers. The other difference, or so claim the FUDsters, is that "Linux is for servers." You know, like banks and businesses that handle real money. Given the profile and importance of those targets, you would think they would be hit all the time and that we would hear about it as we hear of IIS exploits. For some reason we don't hear anything, despite the very open nature of the people running the software. It would seem that there's more at work than numbers here.
On the desktop there's another crucial difference, the ease of recovery. In the Windoze world, you pull out your ancient "original" CD and put the same broken crap right back on your machine. It wipes out all your documents and setting so you suffer a loss for no gain. Then you are rooted again in about 12 minutes after hooking up to a network. In the free world, you do a net install and get the latest and greatest of everything, without losing anything at all. A few extra steps can make sure the root kit is not in your home directory. The easiest is to chmod file in your home directory to no execute. In the very worst case you can chmod and then tar up the documents you worry about and start fresh with your settings, like in the windoze world but much easier.
Friends don't help friends install M$ junk.