Spam-Bot Intrusion Caught — Now What?
An anonymous reader wonders: "I've recently detected and halted an intrusion on my home computer, taken some actions to prevent further intrusions, and located the software that was running a bot agent. Cursory examination showed that the bot software is intended to act as an agent for spamming. Configuration files distinctly point at the user/host/domain of several bot-herders, damning evidence. Nothing would please me more than to see this botnet caught and disassembled; I'm sure much of the internet-using community would support this. Thanks in advance for your suggestions. So, to whom should I disclose this information for appropriate investigation, follow-up, and countermeasures?"
Spamhaus.
GENERATION 667: The first time you see this, copy it into your sig on any forum and add 1 to the generation
1) Don't contribute to the problem. Attacking bot-runners directly or taking vigilante action doesn't help, and may actually be harmful by teaching them how to build better drones. See http://fm.vix.com/internet/security/superbugs.html
2) As for US gov't agencies, if you or the attacker seem to be in the US, http://www.ic3.gov/ is likely to be interested. http://www.cert.org/csirts/national/contact.html can also put you in touch with national computer security incident response teams, who will also be interested (you only need to contact the one local to you; please don't shotgun complaints to all of them).
3) As for private companies and research organizations, if the bot isn't already clearly and specifically detected by antivirus, report it to them, following their reporting guidelines. Shadowserver (http://www.shadowserver.org) seems to be interested in researching and gathering intelligence on botnets also.
There is an organization, ShadowServer (www.shadowserver.org if I recall right) that specializes in mucking about with Botnets. They'd probably have the right contacts and such to deal with that.
Spam-Bots catch you!
Preaching to the converted here, but I'm amazed how many people do not realise that an owned computer is exactly that: there is nothing at all you can trust absolutely, so you have to look at what is on the disk with something else, and have to wipe it and start again. On *nix, script kiddies love to put things in unexpected spots in the init scripts, like in /etc/init.d/functions or the equivalent, or replace things like ntpd that you expect to talk to the outside world, so they would have control well before you get a shell. Some Linux rootkits changed the generally useless ext2/ext3 file attributes in a cute effort to make cleaning up harder for those prone to try; it made it trivial to find their stuff because it would be the only thing on the volume with attributes set. Even then you can't trust that is all they did; it's just an obvious sign that you cannot trust anything on the machine.
I would contact local law enforcement first, as they would probably know if there is any possibility of legal action. Also, some law enforcement agencies have departments dedicated to cybercrime, and IMHO the best way to contact those would be through local law enforcement. Be sure to inform them that your computer was hacked or broken into, so that the incident is not mistaken for regular spam emails.
If that fails (maybe because law enforcement does not have enough manpower to deal with it), then posting all the information you can find to a security-oriented forum would probably incite some action. The problem with that approach is that the actual perpetrator will probably go free to create another botnet.
In either case I would be interested in hearing how things progress.
Well, I suppose calling the police won't help as much if the attack didn't originate from your country. But to start, I would suggest gathering as much information as possible and forwarding it _inline_ in an email message that gets sent to the level of government you feel most comfortable dealing with (i.e. local, provincial, federal), and CC'ing the message to the authorities in the country to which the IP address of the machine that attacked you belongs.
;) (ie: date/time etc)
This will probably help things go along faster, since you are publicly (so don't blind CC) connecting the authorities of both countries. And I advise you to paste your research in a basic text-only format inline initially, in case an attachment gets flagged as a virus or spam at the MTA level. Once you get initial contact with the police, they can then instruct you where to send data files for things like packet captures.
PS - Don't forget to be thorough, like in a court of law/Judge Judy thorough
How did you get the infestation? What did you download?
Once they are reported to the proper authorities, make public here what the signs are that your computer is a zombie for them. Get as many people OFF the botnet as you can, and seeing as there are probably plenty of IT guys here, you may be able to get others to uncover more information about the spammers.
First post = troll. Cleverly worded post designed to enrage others = flamebait.
You have the bot herder address. To do the most "damage", get it shut down. Contact the abuse department of the ISP that hosts it. If there's a DNS name, also contact the ISP hosting the authoritative DNS zone and possibly the registrar, who may elect to terminate the domain. If you don't get a response from the ISP, contact their upstream provider(s) (if it's a smaller Tier 3 ISP).
Whois is your friend.
Learn from your mistake. You got a spambot because you messed up your 1337 sysadmin skills. You need to figure out what you did wrong and how not to do it again.
Then, you need to stay on top of security issues. You appear to run Windows, so you'll have to work 10x as hard to do that. Windows is a big steaming pile of goat shit when it comes to security. All the sh1t that MS claim protects you does nothing more than inconvenience normal users and slow their boxes down to buggery.
You're not likely to catch 'em, so don't bother. Make some notes and learn for next time!!!
I drink to make other people interesting!
The appropriate action probably depends on the country you are in and the country hosting the herders.
From a list of things to be done, I would contact the ISP last. They will probably contact the perpetrators directly and remove them from service, but that will do nothing to take them out of circulation. That requires something more. Alternatively, you might ask your ISP for advice on how to proceed. But make your intentions clear to them. They might not have a clue what you've captured.
Easy.
Hack into the US Navy weapons control website.
Search for a file called "city-coords.txt".
Find out what the lat and long is of the spammer.
Change the line "Al Queda Base 4:xxx" to reflect the new coordinates.
Dress as Osama and make a press release with a big "Base 4" sign behind you. Use a good make-up artist if you want.
Two days later and BAM!!! the spammer is gone. Your tax dollars at work for you!
The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
Yeah, right! C'mon Cliff, tell us what sites you were cruising when the bot got downloaded ;-)
Do bots have clear-text configuration files?
Or were you just running nslookup/whois, ... on the connections the bot made?
Clean your computer and go on with your life. Everything else is a waste of precious time, energy and nerves.
What could you do? You could inform your local law enforcement. Which will invariably end up in a file cabinet within moments because they have no clue how to deal with it.
You could go a step higher and contact your country's equivalent of some sort of "internet police". Most countries have that today. They will look at the info, find out where the spammer sits, and depending on where he sits it goes down different roads. Either he is in a country within reach, i.e. your country or one where Interpol/Europol actually has some muscle; in this case, they will maybe even go through the hassle of dealing with the provider hosting the spam controller, and within 2-3 weeks they will finally have all the papers necessary to shut the machine down. A day later, the spammer opens up a new one and the party continues.
If the machine is somewhere in Russia, the Far East or some country ending in -stan, nothing is done and it just continues from the same machine.
The spammer himself (or rather, the individual registering the server) is invariably sitting in one of the countries mentioned in the previous paragraph and thus untouchable anyway.
In short, the best you can achieve is to annoy a spammer. That is, in case the server switch wasn't due anyway, because you can only use a spam controller for a certain amount of time before the ISP gets interested and starts to "persuade" you to move.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I had my own server broken into for the first time; it wasn't a botnet but a Bank of America-style phishing site. I discovered it when trying to make a subdomain with the control panel didn't work right. The provider said they cleaned some out but couldn't be sure, and then in fact I found the servers myself, in /root and /tmp disguised as other files. I mailed Yahoo and Google, since both had email addresses being used, and told the ISP. Guess what? I got no response from Google, and none from the ISP (they totally suck too; I've been down for a month after being told to erase the disk, and they upgraded me - to Fedora Core 2! - and are so incompetent it is not even usable anymore. So I'm changing to a better managed hosting company RSN.)
I also found a number of commands changed in /bin; however, I couldn't tell if it was the crackers or the ISP who did that. It was running out-of-date software, and though they failed lots of FTP login probes, it looks like they got in through an out-of-use user's login somehow and promoted to root.
I did get a thank you from Yahoo. But the first one was clueless, ignoring the content of my letter. I got a second one from them saying thanks, but that they couldn't accept attachments, so I couldn't send them the proof.
At any rate, what I did is erase the disk, restore from backup and some checked files, and lose a lot of time. There is probably little more you can do than simply report to one of the links below that you have a botnet address, then as quickly as possible erase it.
Moral of the story? If you use a managed hosting service, keep a FULL backup locally. Run Tripwire or something similar; I will from now on. Use a hosting service that is not completely clueless. Do not try an upgrade or anything afterwards. Have a portable hard disk you can use; my iPod was very useful. The most annoying thing was having to spend lots of time on the phone with admins, and having my email and website hanging in the air. The answer is to immediately cut all your losses and get another system, maybe on another provider. Possibly you could even do this with a local machine and DynDNS temporarily, but if you're busy the last thing you have time to do is mess with crooks. The best thing that came from it is that I discovered several other hosting companies from friendly clients who helped me get my jobs done.
[quote]We [b]will[/b] win in 2008, and you [b]will[/b] lose your guns. And there isn't a damn thing you can do about it[/quote] And criminals [b]will[/b] still, well, be criminals and obtain weapons illegally. Banning guns won't stop crime committed with guns. This tragedy (my heart goes out to all of those affected by it) is an example of this. I'm a liberal, and I don't even own a gun, and I still see gun control as a stupid idea to control a bigger problem. And you're not helping the bigger issues here by trying to push your own agenda against guns by using a tragedy like this. Nothing to see here, off topic.
You are an idiot. Fuck you.
Just because you think you only have a spambot doesn't mean there's no trojan/backdoor/rootkit lurking in the background.
Be paranoid: do not trust any executable code, and not even your (hopefully) backed-up data.
Otherwise, you might just end up putting yet another future spam/DDoS/phishbot back on the net.
[Pruneau
Surfing the Web, I came across the http://www.infectedornot.com/ site, which includes two online scanners that apparently scan the PC in a very short time. They also claim to detect more malware than any other antivirus installed on the computer. Supposedly these tools can detect viruses running on the computer. I tried one of them and was actually quite surprised at how fast it was. It didn't detect anything unusual, but asked me to use the second scanner which, so it says, can detect anything malicious on my PC, active or not. I was surprised at the distinction made between active and latent malware. Is it that there are viruses on computers waiting for a specific moment or action to activate? Also, the same page includes statistics showing how many scanned computers were actually infected. Not only that, it says that many of these (about 40% of computers, or something like that) had an antivirus installed. This makes me wonder: if, despite having an up-to-date antivirus installed, you still have viruses, then what purpose does the antivirus serve? The vendor says that it detects over 700,000 viruses; is this true or is it an exaggeration? Thanks and bye!!!
--
To report a botnet PRIVATELY please email: c2report@isotf.org
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
All list and server information are public and available to law enforcement upon request.
...don't get your hopes up.
A few years ago I installed a new release of a major vendor's OS. Unbeknownst to me, they had gone from a default secure model to a default open model. Before I finished checking out the security, someone had hacked in, installed a rootkit, and was using my system to attack a major financial institution. Their security guy contacted my ISP who contacted me. I yanked the ethernet cable, tracked everything down, saved the evidence (logs, binaries, etc), finished tightening the security, and hooked back up. I sent email to the financial firm's IT guy, and called the FBI's group responsible for such things. Neither ever bothered to get back to me. Maybe they got the guy anyway, but as far as I could tell, they just weren't going to bother.
The good folks at SANS do their best to act as early warning and protection for the net. They'd likely be interested in helping break this up AND they have the appropriate contacts in government and law enforcement to do so.
You can contact them here: http://isc.sans.org/contact.html and see if they are interested or can direct you to the appropriate person or agency contact.
Life is short: void the warranty.
Any time I have caught IP addresses of spammers, botnets, flooders, etc. I do the following:
1. Perform a lookup on their IP to determine the netblock owner.
2. If they are spamming a site, perform a whois lookup and write down the technical contact and info about their DNS provider and web provider (perform lookups on those as well and document the contacts).
3. Send an e-mail (usually to the abuse, spam, and help e-mail addresses) for the contacts identified in step 2. Summarize at a high level what happened (including dates and times) and that you wish for an investigation and action to be taken against the violator in accordance with their Acceptable Use Policy and Terms of Service. Attach any logs (obviously evidence goes a long way versus random claims) and indicate the programs you used to log the information and any certifications you have to give yourself credibility. (i.e. if you are a CISSP throw it in your signature... don't bother if you are an MCSE [troll]) :)
I have done this numerous times for spammers, and 9 times out of 10 I get e-mails back from the ISPs, upstream providers, webhosts, etc. indicating they will look into it. Most of the time these are cheesy form letters, but probably 2-3 out of 10 of the ones I get seem to be from "people", and they occasionally ask me for additional information or inform me that the "annoyance" was taken care of. On one of my e-mail accounts I do this religiously and I get very little spam anymore.
Drastic? Maybe. Effective? Definitely.
Until ISPs get better controls to mitigate (if not stop) spam, flooding, spoofing, virus promulgation, etc you have to nickel and dime the abuse@ email address boxes. :)
GO OUTSIDE
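The lookup-then-report procedure in the post above, as an added example that is not any poster's code: it parses WHOIS output for the netblock and abuse mailboxes and composes the dated high-level summary the post describes. The WHOIS text, addresses and log events are constructed samples (RIPE and ARIN layouts, fictional values); in real use you would feed the output of `whois <ip>` to parse_whois().

```python
import re
from datetime import datetime, timezone
# CONSTRUCTED sample WHOIS output, RIPE object style; all values fictional.
SAMPLE_RIPE = """\
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
abuse-mailbox:  abuse@example-hosting.invalid
tech-c:         EH123-RIPE
"""
# CONSTRUCTED sample in ARIN style, to show both layouts are handled.
SAMPLE_ARIN = """\
NetRange:       198.51.100.0 - 198.51.100.255
NetName:        EXAMPLE-HOST-2
OrgAbuseEmail:  abuse@example-isp.invalid
OrgTechEmail:   noc@example-isp.invalid
"""
# RIR fields that carry abuse/technical mailboxes, most specific first.
CONTACT_FIELDS = ("abuse-mailbox", "orgabuseemail", "e-mail", "orgtechemail")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parse_whois(text):
    """Return (netblock, netname, contact_emails) from raw WHOIS text.
    Keys are lower-cased so 'netname' and 'NetName' both match; the first
    occurrence wins because WHOIS prints the most specific object first."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("%", "#")) or ":" not in line:
            continue  # skip blanks and RIR comment lines
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), value.strip())
    netblock = fields.get("inetnum") or fields.get("netrange", "")
    emails = []
    for key in CONTACT_FIELDS:
        for addr in EMAIL_RE.findall(fields.get(key, "")):
            if addr not in emails:
                emails.append(addr)
    return netblock, fields.get("netname", ""), emails

def build_report(ip, whois_text, events):
    """Compose the post's high-level report: what, when (UTC), action requested under AUP/ToS."""
    netblock, netname, emails = parse_whois(whois_text)
    to = ", ".join(emails) or "(no abuse contact found: escalate to upstream provider)"
    lines = [f"To: {to}",
             f"Subject: Abuse report: spam-bot controller {ip} in {netblock} ({netname})",
             "", f"The following connections to {ip} were logged on a host I administer:"]
    lines += [f"  {ts:%Y-%m-%d %H:%M:%S} UTC  {what}" for ts, what in events]
    lines += ["", "Please investigate under your AUP/ToS. Full logs available on request."]
    return "\n".join(lines)

# Constructed log events: (UTC timestamp, description), oldest first.
SAMPLE_EVENTS = [
    (datetime(2007, 4, 18, 3, 12, 44, tzinfo=timezone.utc), "bot fetched config over TCP/80"),
    (datetime(2007, 4, 18, 3, 13, 2, tzinfo=timezone.utc), "outbound SMTP burst began"),
]
```

Run `print(build_report("203.0.113.7", SAMPLE_RIPE, SAMPLE_EVENTS))` to see the message body; the logs themselves go as attachments, as the post recommends.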
"Laws that forbid the carrying of arms . . . disarm only those who are neither inclined nor determined to commit crimes . . . Such laws make things worse for the assaulted and better for the assailants; they serve rather to encourage than to prevent homicides, for an unarmed man may be attacked with greater confidence than an armed man."
-- Thomas Jefferson, 1764
"This year will go down in history.
For the first time, a civilized nation has full gun registration.
Our streets will be safer, our police more efficient, and the world will follow our lead into the future."
-- Adolf Hitler, 1935
Hmm, let's learn from the mistakes of the past and not repeat them.
Besides if you do take my guns and knives, I can still beat you to death with a rock.
Just try to outlaw rocks, go ahead.