Slashdot Mirror


Is the Botnet Battle Already Lost?

An anonymous reader writes "Researchers are finding it practically futile to keep up with evolving botnet attacks. 'We've known about [the threat from] botnets for a few years, but we're only now figuring out how they really work, and I'm afraid we might be two to three years behind in terms of response mechanisms,' said Marcus Sachs, a deputy director in the Computer Science Laboratory of SRI International, in Arlington, Va. There is a general feeling of hopelessness as botnet hunters discover that, after years of mitigating command and controls, the effort has largely gone to waste. 'We've managed to hold back the tide, but, for the most part, it's been useless,' said Gadi Evron, a security evangelist at Beyond Security, in Netanya, Israel, and a leader in the botnet-hunting community. 'When we disable a command-and-control server, the botnet is immediately re-created on another host. We're not hurting them anymore.' There is an interesting image gallery of a botnet in action as discovered by security researcher Sunbelt Software."

10 of 374 comments

  1. Re:How do you know if you've been rooted? by cnkurzke · Score: 5, Funny

    check if there is a "start" icon in your left lower corner of the screen. if so - yes, chances are you have caught a virus, and your computer is taken over and controlled by the dark forces.

  2. Re:How do you know if you've been rooted? by vandoravp · Score: 5, Informative

    Firewalls are useful for monitoring traffic. The best way to detect a zombie computer is to look at the traffic coming in and out, checking for anomalies (such as excessive traffic to places nobody would be going to). Security Now is a great podcast that deals with security issues and locking down your systems. Episodes 3, 8, and 4 are particularly relevant. It can get technical at times but all in all it's a great explanation of how things work and what can be done to secure them.

  3. Re:How do you know if you've been rooted? by Telvin_3d · Score: 5, Funny

    You have no idea how depressing it is that I can't decide if the above comment should be modded flamebait, funny, informative or insightful.

  4. If you're gonna go to all that trouble . . . by thesoffish · Score: 5, Insightful

    Why not just physically unplug your computer from the network?

  5. Sue/address the IRC networks, first. by SuperBanana · Score: 5, Interesting

    What's needed is for someone like NY Attorney General Eliot Spitzer to charge Microsoft with reckless endangerment for knowingly, willfully, and negligently distributing and continuing to distribute systems vulnerable to such attacks.

    Sue the IRC networks first; that's what makes it dumb shit easy for these guys to set up their botnets.

    I had a machine hacked by a German movie filesharing group, and they included a bot which logged into their channel on Rizon. Like a good little admin, I logged into Rizon, checked out the channel. It had several thousand users, a whole slew of fserves...and ZERO conversation. None.

    I went to #help and reported the botnet attack and the response was: "hey, you want us to shut down one of the most popular channels here because of a evidenceless accusation that you were hacked by them and used as one of their fserves? LOL ZOMG GET SECURITY AHAHAHAHAHA LUSER P0WNZORED" etc. etc.

    It is patently obvious that the Rizon admins are FULLY aware that they have dozens, if not hundreds, of illegal filesharing groups that are using botnets to set up fserves, attack other systems for more bots, etc. They're doing jack shit about it (and in fact, they're making it easier - they now support SSL connections) and I think it's time someone sued them to hell and back. It's time IRC operators were taught that you can't knowingly support criminal activity, and that if users report hackings - they need to look into said reports and act on them. I also think it's time IRC traffic was considered "highly suspicious" and monitored by ISPs for fserve commands and such; fserves have no real legitimate purpose today, except illegal filesharing.

    PS: Next time you download a movie or program, bittorrent or IRC DCC....realize that it was distributed, most likely, by a group that hacked unix systems. Those systems were owned and administered by people just like you, and that person is going to have to deal with the damage and headaches. Just like you will, some day.

  6. Re:How do you know if you've been rooted? by rpbailey1642 · Score: 5, Informative

    Set up a bridge without an IP address and install Snort on it. On FreeBSD or OpenBSD, this procedure is a snap. Your mileage may vary; query Google for assistance.
    Snort identifies traffic by signatures, so instead of you eyeballing suspicious patterns, it can tell you if certain phrases are used, certain protocols, or what-have-you. Writing your own signatures is a piece of cake and the process is well-documented.
    The bridge sits at the mouth of your network (behind your firewall) and can be used to identify what is getting past the firewall.
    For the crafty -- use Snort2pf to automatically block inappropriate traffic. I used this to discourage eDonkey usage on a school system's computer network and it worked like a dream.
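Comments 2 and 6 both describe the same defensive idea: watch outbound traffic from a monitoring point and flag hosts whose connections look like a bot checking in. The following is an added example (not code from the original thread or from Snort) that runs two such checks over constructed flow records: a signature-style match on IRC ports, and an anomaly-style check for a host reconnecting to the same destination at near-constant intervals. The log format, sample addresses and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (not real traffic): "epoch src dst dport bytes".
# 10.0.0.5 reconnects to the same IRC server every 300 s; 10.0.0.8 is ordinary web use.
SAMPLE_FLOWS = """\
1000 10.0.0.5 198.51.100.7 6667 320
1300 10.0.0.5 198.51.100.7 6667 310
1600 10.0.0.5 198.51.100.7 6667 305
1900 10.0.0.5 198.51.100.7 6667 330
1010 10.0.0.8 203.0.113.20 443 5200
1500 10.0.0.8 203.0.113.44 80 1200
2300 10.0.0.8 203.0.113.20 443 4100
"""

# Ports an IRC-controlled bot is likely to use (assumption: plain and TLS IRC).
IRC_PORTS = {6667, 6697}

def parse_flows(text):
    """Parse whitespace-separated flow lines into (ts, src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, src, dst, dport, nbytes = parts
        flows.append((int(ts), src, dst, int(dport), int(nbytes)))
    return flows

def irc_hits(flows):
    """Signature-style check: any internal host talking to an IRC port."""
    return sorted({(src, dst, dport) for _, src, dst, dport, _ in flows if dport in IRC_PORTS})

def beacons(flows, min_conns=4, max_cv=0.2):
    """Anomaly-style check: same src->dst:port at near-constant intervals.
    Returns [((src, dst, dport), mean_interval_seconds), ...]."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_pair[(src, dst, dport)].append(ts)
    found = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue  # too few connections to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        # Low coefficient of variation means the host reconnects on a fixed schedule.
        if m > 0 and pstdev(gaps) / m <= max_cv:
            found.append((pair, round(m)))
    return found
```

Beaconing detection only needs the flow level, so it still works when the channel is TLS-wrapped and the content signatures no longer match.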

  7. larger battle by Tom · Score: 5, Insightful

    This isn't a battle for/against botnets. They're just the symptoms. What this really means is that the battle to have secure home PCs is lost. I won't even get into the Windows vs. Real OS discussion. The point is deeper still: Our homes are safe from burglars because those with the great skills and expert tools don't break into homes, they break into banks.
    Not so on the Internet. Due to automation you can play the numbers game, and taking over 100,000 machines is feasible, less risky yet possibly just as profitable as breaking into one bank.

    The best non-computer equivalent I can think of is the plague. Welcome to the crowded cities of the middle ages. Even if you, personally, are safe, you're still affected. Think about it.

    --
    Assorted stuff I do sometimes: Lemuria.org
  8. My comments.. by paulmer2003 · Score: 5, Interesting

    A long time ago, I used to run botnets and that other bullshit...So take it as I know what I am talking about.

    It is a pity that the general open channels are a thing of the past, but so are private BBS'.
    This is not true at all. There are plenty of -sp channels on IRC. Hell, just do a /list on EFnet...thousands upon thousands. And usually, when just going around IRC, you aren't just going to walk up on a botnet..
    With care, and unless the net manager has taken extreme measures to prevent it, one can induce the clients to remove or disable themselves, rather than just trying to kill the control channel.
    No shit. Simply decompile the exec, get the password (shouldn't be hard, unless it is encrypted, usually isn't), get the server ip/port/password/channel and possibly channel key, join the channel, login to the bots (.l password or whatever) and do .rm and boom, they lost their entire net (that's assuming they have it set so *!*@* can login).
    Basically this is a problem with people owning computers who don't know how to maintain them properly, and with MS making it unreasonably difficult, expensive, and time-consuming to maintain a Windows machine properly.
    Now now. I am a Linux fan and such, but blaming Microsoft here is just stupid! You know why? Because usually the thing that is exploited hasn't been patched yet. Every program has bugs, that's just how it is. Get over it. And how is it expensive to maintain windows machines properly? Windows Update is free, no?
    But as someone who doesn't run Windows, I don't really care.
    While *nix botnets aren't nearly as prevalent as Windows botnets, there are still ones out there...Don't think you are exempt.
    Another possibility is that somebody I do business with could get their machines owned, and gangsters could steal my identity.

    It's very easy to get your identity stolen these days..Simply do some SQL injection on a pron site or whatever, then boom, you got yourself 5k credit cards.
    Why can't we all just hit "delete"? takes only a few seconds.
    Were you dropped as a child? On Windows, you can't delete an exec if it's running..and most botnet execs fuck up things like the task manager and have backups of themselves on your box.
    Why isn't it possible to simply identify the exploit being used to spread a particular botnet, and write software that uses the same exploit to travel throughout the net before activating (perhaps at some specific time) to both wipe out the botnet software and seal off the exploit?
    Easier said than done. How does your 'software' know what on the machine is a trojan? That wouldn't be very good would it if your 'software' illegally compromised hosts trying to get rid of the trojans and accidentally got some guy's stuff that isn't infected? Also consider, whenever a new exploit is leaked in to the wild, all of the current botnet trojans are updated with it...There are widely different...there is no plausible way to just get rid of all hosts compromised with hole ____
  9. Re:It's simple. They don't care. by RAMMS+EIN · Score: 5, Interesting

    ``d) don't care''

    And that is a matter of economics; specifically, externalities. You would bear the cost of securing your system, but you aren't seeing the cost of running an insecure one.

    In the Netherlands, at least one large network employs a detection mechanism for exploited hosts using honeypots. A lot of the IPs on the network get assigned to honeypots, so that a compromised host is likely to hit a honeypot sooner or later. The compromised host is then put in quarantine, denying it normal Internet access (only access to information and removal tools is still available). This hurts users when their machines are compromised, encouraging them to secure their systems.

    It surprises me that this isn't done more often. Surely ISPs have something to gain from eliminating all the traffic that compromised hosts generate (seeing that 90% of email traffic is spam, and the bulk of it comes from compromised machines, just to name one thing).

    --
    Please correct me if I got my facts wrong.
  10. Re:We need a trusted network of ISPs by StrawberryFrog · Score: 5, Funny

    Your post advocates a

    (x) technical (x) legislative ( ) market-based ( ) vigilante

    approach to fighting botnets. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    (x) It will stop botnets for two weeks and then we'll be stuck with it
    (x) Users of windows will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it
    ( ) Requires too much cooperation from botherders
    ( ) Requires immediate total cooperation from everybody at once
    (x) Many pc users cannot afford to lose business or alienate potential employers
    (x) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    (x) Lack of centrally controlling authority for the internet
    (x) Ease of searching tiny numeric address space of all IP addresses
    (x) Asshats
    (x) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    (x) Armies of worm riddled broadband-connected Windows boxes
    (x) Eternal arms race involved in all filtering approaches
    (x) Extreme profitability of botnets
    ( ) Joe jobs and/or identity theft
    ( ) Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with botherders
    ( ) Dishonesty on the part of botherders themselves
    (x) Scope creep of any powerful monitoring tool that is introduced to deal with a particular burning issue
    (x) The old "Who watches the watchmen" problem
    (x) The powerful temptation to use it as a tool for censorship.

    and the following philosophical objections may also apply:

    ( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) Connections should not be the subject of legislation
    (x) Blacklists suck
    ( ) Whitelists suck
    (x) We should be able to use P2P without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    (x) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    ( ) Sending email should be free
    (x) Why should we have to trust you and your servers?
    ( ) Incompatibility with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    (x) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

    --

    My Karma: ran over your Dogma
    StrawberryFrog