Slashdot Mirror


Is the Botnet Battle Already Lost?

An anonymous reader writes "Researchers are finding it practically futile to keep up with evolving botnet attacks. 'We've known about [the threat from] botnets for a few years, but we're only now figuring out how they really work, and I'm afraid we might be two to three years behind in terms of response mechanisms,' said Marcus Sachs, a deputy director in the Computer Science Laboratory of SRI International, in Arlington, Va. There is a general feeling of hopelessness as botnet hunters discover that, after years of mitigating command and controls, the effort has largely gone to waste. 'We've managed to hold back the tide, but, for the most part, it's been useless,' said Gadi Evron, a security evangelist at Beyond Security, in Netanya, Israel, and a leader in the botnet-hunting community. 'When we disable a command-and-control server, the botnet is immediately re-created on another host. We're not hurting them anymore.' There is an interesting image gallery of a botnet in action as discovered by security researcher Sunbelt Software."

22 of 374 comments

  1. Re:Problem Solved by TCM · · Score: 2, Interesting

    I don't think that bots are invited. This wouldn't make sense from an administrative view. The channels are probably password-protected. Nothing a little sniffing can't fix.

    After all, the bot is code running locally. So if it contains any channel names, channel keys or cryptographic keys, you can get to them.

    --
    Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
  2. Restrictive Firewall Infection by Anonymous Coward · · Score: 2, Interesting

    Why hasn't anybody created a "good" trojan that uses as many common exploits as possible to infect these already infected machines with a port-80 restrictive firewall? I think for every somewhat bright for-profit trojan creator, there are thousands of brighter people that can come up with an intelligent plan to do this effectively. Use all spreading techniques that the best of the worst use, but minimize the wasted & bloated traffic, while fixing as many computers as possible. Should be simple!!

    Only issue I see is legality. Technically however, I see this as very feasible.

    1. Re:Restrictive Firewall Infection by toadlife · · Score: 3, Interesting

      Sorry, but besides the fact that it's illegal and unethical, it would probably only make things worse anyway.

      The Nachi worm that tried to fix Blaster worm infected PCs back in 2003. Unfortunately, the "cure" was worse than the disease.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  3. We need a really big lawsuit against Microsoft by Animats · · Score: 3, Interesting

    What's needed is for someone like NY Attorney General Elliot Spitzer to charge Microsoft with reckless endangerment for knowingly, willfully, and negligently distributing and continuing to distribute systems vulnerable to such attacks.

    Meanwhile, we may need some brutal firewalls:

    • All incoming e-mail is reformatted. Attachments are converted to .odf or .png, as appropriate. Stuff that can't be converted is dropped. HTML is parsed, checked for syntax, and Javascript dropped.
    • All web browsing to non-secure sites is proxied. Javascript is removed. Flash is removed. Java is removed. All binary data is removed. Images are reformatted to .png format and the HTML adjusted to match. No more "Web 2.0"; those sites just stop working.
    • Web browsing to secure sites via SSL is only permitted if the site has a SSL cert that is a high-grade "we really know who this is" cert.
    • TCP port 80 is all you get outgoing. Incoming, forget it. UDP, forget it. If you want to message, use the phone.
    • You have a machine or two around that are outside the firewall for when you desperately need to do something else. Those machines have a canned read-only disk image that's refreshed on each reboot or logout, like Internet cafe machines.

    We're probably going to see some companies going to a locked down firewall like that.

  4. use the clients against themselves by TheSHAD0W · · Score: 3, Interesting

    Modern botnet clients are pretty adaptable; they will download patches, modifying themselves to beat disinfectors. With care, and unless the net manager has taken extreme measures to prevent it, one can induce the clients to remove or disable themselves, rather than just trying to kill the control channel. Should that fail, one should be able to determine what fallback channels the botnet clients use and disable those before killing the current command channel.

  5. We need a trusted network of ISPs by Ignorant+Aardvark · · Score: 4, Interesting

    What we need is a large number of ISPs to get together and say, "We trust each other to deal with botnets." Then, with a single command, any trusted ISP within the network could instantly send a command to another ISP to shut down a site or server that is running a botnet. All of these actions would be logged and would be reviewed to make sure that it is only being used against botnets; any sort of abuse (like using it to shut down protest sites or copyright violation sites) would result in an instant revocation of privileges. This system would be much better than what we currently have: trying to call the other ISP, trying to get them to listen to you, trying to get them to trust you ... it can take days, if ever, to shut down a botnet on another network.

  6. Re:Problem Solved by TubeSteak · · Score: 2, Interesting
    The channels are probably password-protected. Nothing a little sniffing can't fix.
    If you've ever been in an XDCC file channel on IRC, you'll see some channels even name their bots XYZ-EDU

    There is no easy solution

    http://images.slashdot.org/hc/07/4a6fece962b0.jpg
    --
    [Fuck Beta]
    o0t!
  7. Sue/address the IRC networks, first. by SuperBanana · · Score: 5, Interesting

    What's needed is for someone like NY Attorney General Elliot Spitzer to charge Microsoft with reckless endangerment for knowingly, willfully, and negligently distributing and continuing to distribute systems vulnerable to such attacks.

    Sue the IRC networks first; that's what makes it dumb shit easy for these guys to set up their botnets.

    I had a machine hacked by a German movie filesharing group, and they included a bot which logged into their channel on Rizon. Like a good little admin, I logged into Rizon, checked out the channel. It had several thousand users, a whole slew of fserves...and ZERO conversation. None.

    I went to #help and reported the botnet attack and the response was: "hey, you want us to shut down one of the most popular channels here because of an evidenceless accusation that you were hacked by them and used as one of their fserves? LOL ZOMG GET SECURITY AHAHAHAHAHA LUSER P0WNZORED" etc. etc.

    It is patently obvious that the Rizon admins are FULLY aware that they have dozens, if not hundreds, of illegal filesharing groups that are using botnets to set up fserves, attack other systems for more bots, etc. They're doing jack shit about it (and in fact, they're making it easier: they now support SSL connections) and I think it's time someone sued them to hell and back. It's time IRC operators were taught that you can't knowingly support criminal activity, and that if users report hackings, they need to look into said reports and act on them. I also think it's time IRC traffic was considered "highly suspicious" and monitored by ISPs for fserve commands and such; fserves have no real legitimate purpose today, except illegal filesharing.

    PS: Next time you download a movie or program, bittorrent or IRC DCC....realize that it was distributed, most likely, by a group that hacked unix systems. Those systems were owned and administered by people just like you, and that person is going to have to deal with the damage and headaches. Just like you will, some day.

    1. Re:Sue/address the IRC networks, first. by dosius · · Score: 2, Interesting

      I can assure you, neither of my IRC channels that have fservs have bots from compromised hosts. I wouldn't stand for it anyway. I'd rather my bandwidth be legitimately bought and paid for (or donated as the case may be).

      -uso.

      --
      What you hear in the ear, preach from the rooftop Matthew 10.27b
  8. Re:A modest proposal by ZSpade · · Score: 3, Interesting

    This was done with Klez... a good Samaritan wrote a virus that would spread to computers as effectively as Klez, look for it, and then eliminate it if found. You know how you knew if you had the Good Samaritan virus? Klez-like symptoms. That is a major system slowdown, as well as many, many bugs/crashes.

    Good times. Viruses like that operate at levels that were only really meant for system tasks, and yet they were never part of that system. Windows being the careful balancing act that it already is will topple over readily when you add anything to the base.

    --
    Go ahead and call me unreliable; reliable is just a synonym for predictable.
  9. My comments.. by paulmer2003 · · Score: 5, Interesting
    A long time ago, I used to run botnets and that other bullshit...So take it as I know what I am talking about.

    It is a pity that the general open channels are a thing of the past, but so are private BBS'.
    This is not true at all. There are plenty of -sp channels on IRC. Hell, just do a /list on EFnet...thousands upon thousands. And usually, when just going around IRC, you aren't just going to walk up upon a botnet..
    With care, and unless the net manager has taken extreme measures to prevent it, one can induce the clients to remove or disable themselves, rather than just trying to kill the control channel.
    No shit. Simply decompile the exec, get the password (shouldn't be hard, unless it is encrypted, usually isn't), get the server ip/port/password/channel and possibly channel key, join the channel, login to the bots (.l password or whatever) and do .rm and boom, they lost their entire net (that's assuming they have it set so *!*@* can login).
    Basically this is a problem with people owning computers who don't know how to maintain them properly, and with MS making it unreasonably difficult, expensive, and time-consuming to maintain a Windows machine properly.
    Now now. I am a Linux fan and such, but blaming Microsoft here is just stupid! You know why? Because usually the thing that is exploited hasn't been patched yet. Every program has bugs, that's just how it is. Get over it. And how is it expensive to maintain Windows machines properly? Windows Update is free, no?
    But as someone who doesn't run Windows, I don't really care.
    While *nix botnets aren't nearly as prevalent as Windows botnets, there are still ones out there...Don't think you are exempt.
    Another possibility is that somebody I do business with could get their machines owned, and gangsters could steal my identity.

    It's very easy to get your identity stolen these days..Simply do some SQL injection on a pron site or whatever, then boom, you got yourself 5k credit cards.
    Why can't we all just hit "delete"? takes only a few seconds.
    Were you dropped as a child? On Windows, you can't delete an exec if it's running..and most botnet execs fuck up things like the task manager and have backups of themselves on your box.
    Why isn't it possible to simply identify the exploit being used to spread a particular botnet, and write software that uses the same exploit to travel throughout the net before activating (perhaps at some specific time) to both wipe out the botnet software and seal off the exploit?
    Easier said than done. How does your 'software' know what on the machine is a trojan? That wouldn't be very good would it if your 'software' illegally compromised hosts trying to get rid of the trojans and accidentally got some guy's stuff that isn't infected? Also consider, whenever a new exploit is leaked into the wild, all of the current botnet trojans are updated with it...They are widely different...there is no plausible way to just get rid of all hosts compromised with hole ____
  10. Re:Maybe I'm being complacent, ... by jcr · · Score: 2, Interesting

    But as someone who doesn't run Windows, I don't really care. Well, I do care, because a lot of the bandwidth I pay for is crowded by the spam that my hosts filter for me. Not to mention, the bandwidth wasted and the increased cost of network service that comes from millions of unsecurable windows machines trying to infect each other with the malware of the minute. If anyone ever sets up a "no windows allowed" ISP, I'd be a customer in a heartbeat. -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  11. Actually by Shadowruni · · Score: 1, Interesting

    This was the subject of "As the worm turns", in the first Stealing the Network (an AWESOME book). The protagonist disassembles a worm and then figures out how to fix it, with some unintended consequences. A great read; the story is fictional but the technology is VERY real. Almost a HOWTO in fact.

    --
    "Chinese Amazons, power armor, laser swords.... things just meant to be." - Shampoo, A Very Scary Bet
  12. RBL by theglassishalf · · Score: 3, Interesting
    In the end, this problem is only going to get mitigated if we take it as seriously as we did the spam problem. For a long time, ISPs would allow spammers onto their servers because there was no incentive to kick them off. RBLs changed all that.

    ISPs that tolerate insecure computers need to get blocked. Blocked from everything. It COULD happen, if Comcast and AT&T both decide they've had enough.

    This would have the added benefit of stopping a lot of spam.

    Yes, RBLs didn't get rid of spam. But they sure did (do) help. And a good part of the reason they don't work better is botnets. (Remember Blue Security?)

    -Daniel

  13. Until people are punished for their system's behav by Banner · · Score: 2, Interesting

    Until people are punished for their system's behavior, nothing is ever going to happen. Yeah it's annoying for most people to get rooted, but other than that, why should they care? Now if you were legally liable for the damages your system did, regardless of whether or not it was rooted, we'd see a major change in botnets, and a LOT less people with rooted machines.

    People only react to that which causes them difficulty, punish them for not taking care of their responsibilities and things will get better. But until then, it will only get worse.

    You're part of a botnet? Pay a fine! Didn't know? Too bad. Just like your dog getting out and destroying property, if you don't care enough to protect others from your wanton disregard, it's going to cost you.

  14. Re:I have already said it by N3Roaster · · Score: 3, Interesting

    It already does. It's called Underrated. Still waiting for -1 Wrong, personally (not that it applies here).

    --
    Remember RFC 873!
  15. The Good Old Days... by Horar · · Score: 2, Interesting

    when high technology was its own idiot filter are long gone.

    It is illegal to drive a car on any public road without a driver's licence, for the safety of other road users. Why shouldn't it be illegal to connect a computer to the internet without the proper qualifications, again for the common good? Keep all the stupid off the internet and the situation is bound to improve because there will be less opportunity for the greedy to exploit them.

  16. There's a simpler way by Der+Huhn+Teufel · · Score: 2, Interesting

    If companies know the means of advertising (i.e. malware) are illegal, why aren't we going after the companies that use such methods? Admittedly, some Viagra knock-off company in Mexico is difficult to go after, but wouldn't it be easier to get rid of these intrusive networks by cutting off any reason for them to exist?

  17. Re:Until people are punished for their system's be by Anonymous Coward · · Score: 1, Interesting

    Most people, including extremely technical people, don't know exactly what is going on on their systems at all times, be those Windows, Mac, or Unix systems, or anything else. Why don't you tell us your foolproof method for knowing exactly what code is running on a system in the presence of rootkits and thread injection?

    Your dog analogy is broken: a good dog owner knows what the dog is doing at any moment in which it could cause harm to someone else's property. Even a competent technical person has no idea what's going on on their computer with a rootkit cloaking the traces.

    Guess what? I've been a professional reverse engineer for three years, and I still say this.

  18. Re:It's simple. They don't care. by RAMMS+EIN · · Score: 5, Interesting

    ``d) don't care''

    And that is a matter of economics; specifically, externalities. You would bear the cost of securing your system, but you aren't seeing the cost of running an insecure one.

    In the Netherlands, at least one large network employs a detection mechanism for exploited hosts using honeypots. A lot of the IPs on the network get assigned to honeypots, so that a compromised host is likely to hit a honeypot sooner or later. The compromised host is then put in quarantine, denying it normal Internet access (only access to information and removal tools is still available). This hurts users when their machines are compromised, encouraging them to secure their systems.

    It surprises me that this isn't done more often. Surely ISPs have something to gain from eliminating all the traffic that compromised hosts generate (seeing that 90% of email traffic is spam, and the bulk of it comes from compromised machines, just to name one thing).

    --
    Please correct me if I got my facts wrong.
  19. Re:How do you know if you've been rooted? by jofny · · Score: 2, Interesting

    Yeah...that's all well and good as long as the traffic isn't encrypted (it probably will be)..or if it's not, you know what to look for to write sigs for (you probably won't)...or you know which domains people in your network shouldn't be going to and you're watching DNS logs (you probably won't). With all of the custom and targeted attack vectors, the fact that so many attacks have moved up the stack to layer 7 and above (humans), network IDSs have passed their due date. The only thing that can really help is to engineer your host systems, create well defined policies, and install local host system monitoring software (HIDS, etc.), and secure those logs from tampering. Network security monitoring at this point is really a lot like airport security: it gives people a warm and fuzzy, but it doesn't accomplish much and the effort is better spent elsewhere.

  20. How do you Know and REMOVE them? by lordmage · · Score: 2, Interesting

    I have a lovely wife who surfs the internet constantly. She has a bot on her Windows Box. I noticed it when we sent out 86 thousand emails in one day. (it helps to monitor your port 25!!). Okay.. so she is compromised.

    Norton, Spybot, etc CANNOT detect what she has. Netstat shows the connection but Task Manager etc does not. I block port 25 from her computer as a precaution and the darn computer starts searching for SMTP servers on the local network. I use qmail-auth and it prevents it.. however I have no trust that it can't use UPnP or something else to change my main router.

    So.. HOW IN THE HECK do you REMOVE stuff that you can't find? I really.. REALLY.. don't want to reformat and reinstall because there is no way this should be hidden to administrator on Windows XP.. but it IS!

    --
    I can program myself out of a Hello World Contest!!
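Two of the comments above describe network-side detection that a defender can actually build: comment 18's honeypot scheme (a host that talks to addresses where no real service lives gets quarantined, with only remediation resources left reachable) and comment 20's observation that an outbound SMTP spike on port 25 exposed a bot that no host-side tool could see. The following Python script is an added example, not code from any of the posters or from the ISP mentioned; the connection-log format, the honeypot address range 10.99.0.0/16, the threshold of 50 outbound TCP/25 connections, and the remediation host 10.0.0.5 are all constructed for this illustration, and the iptables-style rules it emits are printed, never applied.

```python
"""Flag likely bot-infected hosts from constructed connection-log lines.

Two signals: (1) a host that initiates connections into a range reserved for
honeypots, which no legitimate client should touch; (2) a host that opens an
abnormal number of outbound TCP/25 (SMTP) connections. Every address, threshold
and log line here is hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed record: '<ts> <src> <dst> <dport> <proto>'.

    Blank lines and '#' comments yield None; malformed addresses raise ValueError
    rather than being silently counted."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    ts, src, dst, dport, proto = line.split()
    ip_address(src)
    ip_address(dst)
    return Flow(ts, src, dst, int(dport), proto.lower())


# Hypothetical: the provider reserved this block for honeypots; nothing real lives there.
HONEYPOT_NET = ip_network("10.99.0.0/16")
# Hypothetical: outbound TCP/25 connections per host within the log window.
SMTP_THRESHOLD = 50


def assess(lines: Iterable[str],
           honeypot_net=HONEYPOT_NET,
           smtp_threshold: int = SMTP_THRESHOLD) -> Dict[str, List[str]]:
    """Return {src_ip: sorted reasons} for every host that should be quarantined."""
    honeypot_hits: Dict[str, int] = defaultdict(int)
    smtp_conns: Dict[str, int] = defaultdict(int)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        if ip_address(flow.dst) in honeypot_net:
            honeypot_hits[flow.src] += 1      # any hit is suspicious on its own
        if flow.proto == "tcp" and flow.dport == 25:
            smtp_conns[flow.src] += 1         # counted; judged against the threshold below
    verdict: Dict[str, List[str]] = {}
    for src, n in honeypot_hits.items():
        verdict.setdefault(src, []).append(f"honeypot:{n}")
    for src, n in smtp_conns.items():
        if n >= smtp_threshold:
            verdict.setdefault(src, []).append(f"smtp_out:{n}")
    return {src: sorted(reasons) for src, reasons in verdict.items()}


def quarantine_rules(verdict: Dict[str, List[str]],
                     remediation_host: str = "10.0.0.5") -> List[str]:
    """Build iptables-style FORWARD rules (constructed text, not applied) that confine
    each flagged host to the remediation server, so only cleanup tools stay reachable."""
    rules: List[str] = []
    for src in sorted(verdict):
        rules.append(f"-A FORWARD -s {src} -d {remediation_host} -p tcp --dport 443 -j ACCEPT")
        rules.append(f"-A FORWARD -s {src} -j DROP")
    return rules


# Constructed log: .20 blasts mail, .30 pokes two honeypot addresses, .40 behaves normally.
SAMPLE_LOG = (
    [f"2006-10-16T09:{i:02d}:00 192.168.1.20 203.0.113.{i % 20 + 1} 25 tcp" for i in range(60)]
    + [
        "2006-10-16T10:00:00 192.168.1.30 10.99.3.7 445 tcp",
        "2006-10-16T10:00:05 192.168.1.30 10.99.250.1 135 tcp",
        "2006-10-16T10:01:00 192.168.1.40 198.51.100.8 443 tcp",
        "2006-10-16T10:01:10 192.168.1.40 198.51.100.9 25 tcp",
        "# constructed: a normal client sending a little mail is well under the threshold",
        "2006-10-16T10:02:00 192.168.1.40 198.51.100.9 25 tcp",
    ]
)

if __name__ == "__main__":
    flagged = assess(SAMPLE_LOG)
    for host, reasons in flagged.items():
        print(f"quarantine {host}: {', '.join(reasons)}")
    for rule in quarantine_rules(flagged):
        print(rule)
```

The honeypot signal needs no threshold because the reserved range has no legitimate clients, which is exactly why the scheme scales to an ISP; the SMTP count is a rate signal and has to be tuned per environment, since a small mail server will legitimately exceed a home user's baseline. Only port 443 to the remediation host survives quarantine; opening TCP/80 to the whole Internet would leave a bot's web-based control channel working.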