Slashdot Mirror


Spam-Bot Intrusion Caught — Now What?

An anonymous reader wonders: "I've recently detected and halted an intrusion on my home computer, taken some actions to prevent further intrusions, and located the software that was running a bot agent. Cursory examination showed that the bot software is intended to act as an agent for spamming. Configuration files distinctly point at the user/host/domain of several bot-herders — damning evidence. Nothing would please me more than to see this botnet caught and disassembled; I'm sure much of the internet-using community would support this. Thanks in advance for your suggestions. So, to whom should I disclose this information for appropriate investigation, follow-up, and countermeasures?"

9 of 76 comments

  1. one word by Jbcarpen · Score: 5, Informative

    Spamhaus.

    --
    GENERATION 667: The first time you see this, copy it into your sig on any forum and add 1 to the generation
  2. Places to report to... by caitriona81 · Score: 5, Insightful

    1) Don't contribute to the problem. Attacking botrunners directly, or vigilante action doesn't help, and may actually be harmful - by teaching them how to build better drones. See http://fm.vix.com/internet/security/superbugs.html

    2) As for US gov't agencies, if you or the attacker seem to be in the US, http://www.ic3.gov/ is likely to be interested. http://www.cert.org/csirts/national/contact.html can also put you in touch with national computer security incident response teams, who will also be interested (you only need to contact the one local to you; please don't shotgun complaints to all of them).

    3) As for private companies and research organizations, if the bot isn't already clearly and specifically detected by antivirus, report it to them, following their reporting guidelines. Shadowserver (http://www.shadowserver.org) seems to be interested in researching and gathering intelligence on botnets also.

    1. Re:Places to report to... by Anonymous Coward · Score: 5, Interesting

      Attacking botrunners directly, or vigilante action doesn't help

      The spirited attack on and destruction of Blue Security, and the spam flood that followed, do not support that assertion. Somebody wanted them gone badly, for a reason.

    2. Re:Places to report to... by caitriona81 · Score: 4, Interesting

      I should probably rephrase and clarify: attacking them directly without legal action to back that up is bad, i.e., if you are going after a bot runner, it needs to be in a manner that not only takes away their toys, but also puts them in jail for a long period of time. If you can't take away their freedom in the process, then you aren't doing us any favors by teaching them how not to get caught -- botnets, and their means of control, get more and more sophisticated, with overall trends towards plausible deniability and robust, survivable command and control networks, designed either to resist attack or to be reconfigured after the fact to retain control of compromised hosts.

      This is a far cry from when botnets were controlled "in the open" on public IRC networks - the kiddies are clearly learning something with each iteration, and they are sharing that knowledge amongst themselves. Also of note is more use of packers, executable encryption and anti-debugger routines, which were completely absent from early botnet executables. Use of rootkits, as well as secondary backdoors (to regain access after the system owner detects the intrusion) are also on the rise.

    3. Re:Places to report to... by tacocat · Score: 4, Funny

      I disagree. If you could determine the physical location of such bot herders and disclose that to the internet at large, I'm sure that there would be a final solution applied that people would be willing to turn their backs on. Especially if you could post photographs, names, and physical addresses.

  3. You could always try private sector... by BinarySkies · Score: 4, Informative

    There is an organization, ShadowServer (www.shadowserver.org if I recall right) that specializes in mucking about with Botnets. They'd probably have the right contacts and such to deal with that.

  4. What actions? by dbIII · Score: 5, Insightful

    Were the actions to install from scratch on a new disk / take a disk image to look at later + reformat + reinstall / poke around for a bit with the thing not on the network before reformat + reinstall / rely on external sources for info and just wipe the thing / or did you take the common and lazy approach of just fixing the obvious damage and hoping the rest of the system is not compromised? The real pain is that you can't even trust the backups in some cases, especially if the people responsible for the machine ignore it most of the time - it may have been rooted for a while.

    Preaching to the converted here, but I'm amazed how many people do not realise that an owned computer is exactly that - there is nothing at all you can trust absolutely, so you have to look at what is on the disk with something else and have to wipe it and start again. On *nix, script kiddies love to put things in unexpected spots in the init scripts like /etc/init.d/functions or the equivalent, or replace things like ntpd that you expect to talk to the outside world - so they would have control well before you get a shell. Some Linux rootkits changed the generally useless ext2/ext3 file attributes in a cute effort to make cleaning up harder for those prone to try - it made it trivial to find their stuff because it would be the only thing on the volume with attributes set. Even then you can't trust that is all they did - it's just an obvious sign that you cannot trust anything on the machine.
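
As an added example (not part of dbIII's comment and not Slashdot's code), here is a sh script that puts the advice above into practice: the suspect disk is mounted read-only on a clean machine and examined with that machine's own tools, never with binaries from the suspect volume. `find_flagged_attrs` filters `lsattr -R` output for files carrying any attribute besides the routine extents flag `e` (immutable `i`, append-only `a`, and so on), and `init_scripts_newer_than` lists init and cron files changed since a reference file whose mtime predates the compromise. The mount path /mnt/suspect, the sample `lsattr` listing and the choice of /etc/fstab as the reference file are constructed for illustration.

```shell
#!/bin/sh
# Offline triage of a suspect volume from a clean system. Example usage:
#   mount -o ro,noexec,nosuid,nodev /dev/sdb1 /mnt/suspect
#   sh triage.sh /mnt/suspect /mnt/suspect/etc/fstab
# Everything here runs the *clean* host's lsattr/find/awk; nothing on the
# suspect volume is executed. Paths and sample data are constructed.

# Read `lsattr -R` output on stdin; print "<flags> <path>" for every file
# whose attribute field contains anything other than '-' or the extents
# flag 'e' (set on almost every ext4 file, so it carries no signal).
# Immutable (i) or append-only (a) on a file the admin never chattr'd
# is exactly the "only thing on the volume with attributes set" tell.
find_flagged_attrs() {
    awk '
        /^[-a-zA-Z]+ / {
            attrs = $1
            path = substr($0, index($0, " ") + 1)
            gsub(/[-e]/, "", attrs)
            if (length(attrs) > 0) print attrs, path
        }'
}

# $1: mount root of the suspect volume; $2: a reference file whose mtime
# predates the suspected compromise (the volume's own /etc/fstab usually
# dates from install time). Prints init/cron files newer than it, i.e. the
# spots where a hook would run before you ever get a shell.
init_scripts_newer_than() {
    root=$1
    ref=$2
    for d in "$root/etc/init.d" "$root"/etc/rc*.d "$root/etc/cron.d" \
             "$root/etc/cron.daily" "$root/etc/cron.hourly"; do
        [ -d "$d" ] && find "$d" -type f -newer "$ref"
    done
    return 0
}

# Constructed sample of `lsattr -R /mnt/suspect` output (not from a real
# incident): one immutable binary and one append-only hidden file.
sample_lsattr() {
    cat <<'EOF'
-------------------- /mnt/suspect/usr/sbin/ntpdate
----i--------------- /mnt/suspect/usr/sbin/ntpd
-------------------- /mnt/suspect/etc/init.d/functions

/mnt/suspect/var/log:
-----a-------------- /mnt/suspect/var/log/.x
-------------e------ /mnt/suspect/var/log/messages
EOF
}

if [ $# -ge 2 ]; then
    echo "== files with non-default attributes under $1 =="
    lsattr -R "$1" 2>/dev/null | find_flagged_attrs
    echo "== init/cron files newer than $2 =="
    init_scripts_newer_than "$1" "$2"
else
    echo "== demo on constructed lsattr output =="
    sample_lsattr | find_flagged_attrs
fi
```

A hit from either function is a lead, not a verdict: as the comment says, the right response is to image the disk, wipe, and reinstall; the scan only tells you where to look on the image afterwards.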

  5. contact the ISP/registrar by sp1n · Score: 4, Interesting

    You have the bot herder address. To do the most "damage", get it shut down. Contact the abuse department of the ISP that hosts it. If there's a DNS name, also contact the ISP hosting the authoritative DNS zone and possibly the registrar, who may elect to terminate the domain. If you don't get a response from the ISP, contact their upstream provider(s) (if a smaller Tier 3 ISP).

    Whois is your friend.
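
As an added example (not sp1n's own code), a sh helper for the whois step: `abuse_contacts` reads raw whois output on stdin and pulls the abuse address out of the three common layouts (RIPE/APNIC `abuse-mailbox:` plus the `% Abuse contact for ...` banner, ARIN `OrgAbuseEmail:`, and the registrar `Registrar Abuse Contact Email:` field), and `report_targets` chains the lookups the comment describes: the address or domain itself, then the hosts serving its authoritative nameservers. The two whois excerpts are constructed with documentation addresses and example domains; `whois` and `dig` are only invoked when you pass a real target.

```shell
#!/bin/sh
# Pull abuse contacts out of whois output for a bot-herder host or domain.
# Usage: sh abuse.sh 192.0.2.10        (IP: netblock holder's abuse desk)
#        sh abuse.sh herder.example    (domain: registrar, then each NS host)
# With no argument the script runs against constructed sample output.

# stdin: raw whois text; stdout: unique abuse mailboxes, one per line.
# Handles RIPE/APNIC ("abuse-mailbox:" and the "% Abuse contact ..." banner),
# ARIN ("OrgAbuseEmail:") and registrar ("Registrar Abuse Contact Email:").
abuse_contacts() {
    awk -v q="'" '
        /^(abuse-mailbox|OrgAbuseEmail|Registrar Abuse Contact Email):/ {
            sub(/^[^:]*:[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            if ($0 != "") print
            next
        }
        # "% Abuse contact for <range> is <mailbox>" with single-quoted values:
        # split on the quote and take the last quoted field.
        /^% Abuse contact for / {
            n = split($0, p, q)
            if (n >= 5 && p[n] == "") print p[n-1]
        }' | sort -u
}

# $1: IP or domain. A domain also gets its nameservers resolved so the ISP
# hosting the authoritative zone can be reported too (needs whois and dig).
report_targets() {
    target=$1
    echo "== $target =="
    whois "$target" | abuse_contacts
    case $target in
        *[a-zA-Z]*)
            for ns in $(dig +short NS "$target"); do
                for ip in $(dig +short A "$ns"); do
                    echo "== NS $ns ($ip) =="
                    whois "$ip" | abuse_contacts
                done
            done ;;
    esac
}

# Constructed RIPE-style netblock record (192.0.2.0/24 is a documentation net).
sample_ripe() {
    cat <<'EOF'
% This is the RIPE Database query service.
% Abuse contact for '192.0.2.0 - 192.0.2.255' is 'abuse@example.net'

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
abuse-mailbox:  abuse@example.net
EOF
}

# Constructed registrar record for a hypothetical herder domain.
sample_registrar() {
    cat <<'EOF'
Domain Name: HERDER.EXAMPLE
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555551212
Name Server: NS1.HERDER.EXAMPLE
EOF
}

if [ $# -ge 1 ]; then
    report_targets "$1"
else
    echo "== demo: RIPE-style record =="
    sample_ripe | abuse_contacts
    echo "== demo: registrar record =="
    sample_registrar | abuse_contacts
fi
```

Send each contact the bot binary's hash, the configuration that names their customer, timestamps with time zone, and your own source address, in one message per provider; an abuse desk that has to ask for the basics will usually drop the ticket.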

  6. Use your government by tigersha · Score: 5, Funny

    Easy.

    Hack into the US Navy weapons control website.

    Search for a file called "city-coords.txt".

    Find out what the lat and long is of the spammer.

    Change the line "Al Queda Base 4:xxx" to reflect the new coordinates.

    Dress as Osama and make a press release with a big "Base 4" sign behind you. Use a good make-up artist if you want.

    Two days later and BAM!!! the spammer is gone. Your tax dollars at work for you!

    --
    The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism