Slashdot Mirror
Spam-Bot Intrusion Caught — Now What?
An anonymous reader wonders: "I've recently detected and halted an intrusion on my home computer, taken some actions to prevent further intrusions, and located the software that was running a bot agent. Cursory examination showed that the bot software is intended for acting as an agent for spamming. Configuration files distinctly point at the user/host/domain of several bot-herders — damning evidence. Nothing would please me more than to see this botnet to be caught and disassembled, I'm sure much of the internet-using community would support this. Thanks in advance for your suggestions. So, to whom should I disclose this information for appropriate investigation, follow up, and countermeasures? "
1) Don't contribute to the problem. Attacking botrunners directly, or vigilante action doesn't help, and may actually be harmful - by teaching them how to build better drones. See http://fm.vix.com/internet/security/superbugs.html
2) As for US gov't agencies, if you or the attacker seem to be in the US, http://www.ic3.gov/ is likely to be interested. http://www.cert.org/csirts/national/contact.html can also put you in touch with nationial computer security incident response teams, who will also be interested (you only need to contact the one local to you, please don't shotgun complaints to all of them.)
3) As for private companies and research organizations, if the bot isn't already clearly and specifically detected by antivirus, report it to them, following their reporting guidelines. Shadowserver (http://www.shadowserver.org) seems to be interested in researching and gathering intelligence on botnets also.
Preaching to the converted here but I'm amazed how many people do not realise that an owned computer is exactly that - there is nothing at all you can trust absolutely so you have to look at what is on the disk with something else and have to wipe it and start again. On *nix script kiddies love to put things in unexpected spots in the init scripts like in /etc/init.d/functions or the equivalent, or replace things like ntpd that you expect to talk to the outside world - so they would have control well before you get a shell. Some linux rootkits changed the generally useless ext2/ext3 file attributes in a cute effort to make cleaning up harder for those prone to try - it made it trivial to find their stuff becuase it would be the only thing on the volume with attributes set. Even then you can't trust that is all they did - it's just an obvious sign that you cannot trust anything on the machine.
Once they are reported to the proper authorities, make it public here what are signs of your computer being a zombie to them. Get as many people OFF of the botnet you can, and seeing as there are probably plenty of IT guys here, you may be able to get others to uncover more information about the spammers.
First post = troll. Cleverly worded post designed to enrage others = flamebait.
Fantastic. Get the persons account shut down, like most people these days, who have multiple domains, internet links and everything else, he will be offline for what? A couple of hours? Your just going to piss him / her off.
No, the best thing to do here is kill the whole problem. All the machines in the botnet need to be cleaned and updated so that they don't get re-infected, otherwise they will get taken over by someone else (Yes, I know most people when they infect a system DO update it so that someone else can't take over, but they leave back doors). The person running the botnet needs to see the beak (Judge). It might be that the beak decides that a slap on the wrist is the appropriate action, but I think just cutting off one point of access / control of a bot net which I am sure that they have other control over is just silly.
Curiosity was framed; ignorance killed the cat. -- Author unknown
You can leave the "Soviet" out of this sentence to actually make it true...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Don't make me laugh. Law enforcement usually looks at you with a rather blank stare and says something along the lines of "And ... what should we do now about it?"
It's not that the nets would be unknown. Every security researcher worth his salt has a fairly good idea where those botnets are and how they work. The problem is, nobody with the legal muscle to do anything about it would care.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Clean your computer and go on with your life. Everything else is a waste of precious time, energy and nerves.
What could you do? You could inform your local law enforcement. Which will invariably end up in a file cabinet within moments because they have no clue how to deal with it.
You could go a step higher and contact your country's equivalent of some sort of "internet police". Most countries have that today. They will look at the info, find out where the spammer sits and depending on where he sits it goes different roads. Either he is in a country within reach, i.e. your country or one where Interpol/Europol actually has some muscle. In this case, they will maybe even go through the hassle of dealing with the provider hosting the spam controller, and within 2-3 weeks they finally got all the papers necessary to shut the machine down. A day later, the spammer opens up a new one and the party continues.
If the machine is somewhere in Russia, far east or some country ending in -stan, nothing is being done and it just continues from the same machine.
The spammer himself (or rather, the individual registering the server) is invariably sitting in some of the countries mentioned in the previous paragraph and thus untouchable anyway.
In short, the best you can achive is to annoy a spammer. Just in case the server switch wasn't due anyway because you can only use a spamcontroller for a certain amount of time before the ISP gets interested and starts to "persuade" you to move.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
"Laws that forbid the carrying of arms . . . disarm only those who are neither inclined nor determined to commit crimes . . . Such laws make things worse for the assaulted and better for the assailants; they serve rather to encourage than to prevent homicides, for an unarmed man may be attacked with greater confidence than an armed man."
-- Thomas Jefferson, 1764
"This year will go down in history.
For the first time, a civilized nation has full gun registration.
Our streets will be safer, our police more efficient, and the world will follow our lead into the future."
-- Adolf Hitler, 1935
Hmm, lets learn from the mistakes of the past and not repeat them.
Besides if you do take my guns and knives, I can still beat you to death with a rock.
Just try to outlaw rocks, go ahead.