Slashdot Mirror


Prototype Software Sniffs Out, Disrupts Botnets

coondoggie writes "Earlier this week researchers unveiled a system to identify and eradicate botnets in the wild. While currently only a prototype, Georgia Tech's BotSniffer would use network-based anomaly detection to identify botnet command and control channels in a LAN. The system wouldn't require any prior knowledge of signatures or server addresses. 'The researchers said their prototype, which was presented at the Internet Society's Network and Distributed System Security Symposium this week, is based on the fact that botnets engage in coordinated communication, propagation, and attack and fraudulent activities.'"
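The coordination the summary describes (hosts sharing one command channel reacting together) can be checked with a small group-correlation pass over flow records. This is an added example, not BotSniffer's code: the flow tuple layout, the 10.0.0.0/24 LAN prefix, the thresholds and the constructed sample traffic are all assumptions of this example.

```python
"""Toy BotSniffer-style group correlation over constructed flow records.

Hosts that share a (server, port) and then, right after a message from that
server, open bursts of new outbound connections in near lock-step look like a
C&C channel plus a coordinated response. Names, thresholds and the flow format
(ts, src, dst, dport) are assumptions of this example, not BotSniffer's own.
"""
from collections import defaultdict

INTERNAL = "10.0.0."  # assumed LAN prefix

def shared_servers(flows, min_clients=3):
    """Map (server, port) -> set of internal hosts that connected to it."""
    clients = defaultdict(set)
    for ts, src, dst, dport in flows:
        if src.startswith(INTERNAL) and not dst.startswith(INTERNAL):
            clients[(dst, dport)].add(src)
    return {k: v for k, v in clients.items() if len(v) >= min_clients}

def burst_times(flows, host, window=5.0, min_dsts=5):
    """Start times where `host` reached >= min_dsts distinct destinations within `window` s."""
    evs = sorted((ts, dst) for ts, src, dst, _ in flows if src == host)
    bursts = []
    for t0, _ in evs:
        dsts = {d for t, d in evs if t0 <= t < t0 + window}
        if len(dsts) >= min_dsts and (not bursts or t0 >= bursts[-1] + window):
            bursts.append(t0)
    return bursts

def detect_c2(flows, window=5.0, min_dsts=5, min_clients=3, theta=0.6):
    """Flag (server, port) where >= theta of its clients burst within `window` of a server message."""
    flagged = {}
    for (server, port), hosts in shared_servers(flows, min_clients).items():
        bursts = {h: burst_times(flows, h, window, min_dsts) for h in hosts}
        cmds = sorted({ts for ts, src, dst, _ in flows if src == server and dst in hosts})
        for t in cmds:  # candidate command times: traffic from the server back to clients
            n = sum(1 for h in hosts if any(t <= b < t + window for b in bursts[h]))
            if n / len(hosts) >= theta:
                flagged[(server, port)] = (t, n / len(hosts))
                break
    return flagged

def sample_flows():
    """Constructed sample: 4 bots on an IRC-like server, 3 web clients, 1 browsing host."""
    c2, web = "203.0.113.5", "203.0.113.80"
    bots = ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]
    flows = [(float(i), b, c2, 6667) for i, b in enumerate(bots)]          # bots join C&C
    flows += [(5.0, h, web, 443) for h in ("10.0.0.11", "10.0.0.12", "10.0.0.20")]
    flows += [(10.0, web, h, 51000) for h in ("10.0.0.11", "10.0.0.12", "10.0.0.20")]
    flows += [(50.0 + k / 10, "10.0.0.20", f"198.51.100.{k}", 80) for k in range(6)]  # benign burst
    flows += [(100.0, c2, b, 52000) for b in bots]                              # command from server
    for b in bots[:3]:                                                          # 3 of 4 bots respond together
        flows += [(101.0 + k / 10, b, f"198.51.100.{k}", 25) for k in range(6)]
    return flows

if __name__ == "__main__":
    print(detect_c2(sample_flows()))  # only the 6667 channel is flagged
```

The lone browsing host bursts too but is not flagged, because a burst only counts when it lines up with a message on a channel several hosts share; the random delays and encrypted channels discussed in the comments below are exactly what weakens this timing correlation.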

11 of 51 comments

  1. Does it detect torrents? by imbaczek · · Score: 2, Interesting

    I can see RIAA and friends going green with envy if it worked.

  2. Useful but fundamentally flawed.... by DigitalisAkujin · · Score: 4, Interesting

    This will work for plain text IRC connections but what if the bot is on an encrypted IRC connection?

    While this is a step in the right direction, it will be outmaneuvered quickly.

    1. Re:Useful but fundamentally flawed.... by kvezach · · Score: 3, Interesting

      This will work for plain text IRC connections but what if the bot is on an encrypted IRC connection?

      Or Achord for that matter. If the botnet is based on a peer-to-peer structure and the author has added public-key encryption, all he has to do is connect to an arbitrary bot host and insert the (signed) command, which propagates through the network to all the other nodes; there'll be no fixed master server to home in on.
    2. Re:Useful but fundamentally flawed.... by eonlabs · · Score: 4, Interesting

      This brings me to several questions:

      What happens if a new host, or several new hosts are added to the network?
      What happens if this is a public wifi where new hosts are added and dropped all the time?

      If the functionality is as described in the article summary and it looks for coordinated communications, how will it interpret BitTorrent-style communications, where a lot of different computers, some possibly infected, most not, are transferring data to and from a single host trying to download?

      It sounds like swarming algorithms are the kind of behavior it would be looking for.
      Just thinking out loud...

      --
      I wouldn't consider the mad hatter mad. Just reality impaired. He sure can make a mean cup of tea.
    3. Re:Useful but fundamentally flawed.... by TubeSteak · · Score: 2, Interesting

      You can't DDoS a website with randomly-delayed attacks from each host, because then it wouldn't be a DDoS, just a slower increase in traffic. On average, botnets are no longer hundreds or thousands strong; they've grown into the tens of thousands...
      As an exceptional case, F-Secure claims Storm is a million strong.

      Do you really need tens/hundreds of thousands of bots attacking all at once? Even if the answer to that question is yes, the bots are still polled for status & told to fetch updates. Introducing a randomized delay will certainly help hide non-attack behavior, which will undoubtedly prolong the life of the botnet.

      However, with a million bots, you could easily afford to randomize attack behavior. If TFA's technology spreads, botnets may have to have 3*X bots spitting out data randomly instead of X bots attacking instantly with 100% of their bandwidth in an easily discerned pattern. How else do you propose to defeat a sniffer looking for patterns in the network traffic?
      --
      [Fuck Beta]
      o0t!
    4. Re:Useful but fundamentally flawed.... by ultranova · · Score: 2, Interesting

      What I got from the summary was that they were using anomaly detection to see, for example, that 25 hosts all started sending mass data after having a communication with one IP.

      Unless, of course, they got their instructions in an e-mail. Spam is already semi-randomized to get past filters, so it wouldn't be hard to have it carry encoded instructions too.

      Or have them use instant messaging. The zombie worm should detect which IM program the user uses, and send a message to the control (or one of various fake identities) using that, so the control knows to send messages back using it as well.

      Heck, you could have a two-part worm which infects both Web servers and desktops. An infected desktop infects any server it contacts, and an infected server infects any desktop which contacts it. If the server and desktop are both already infected, they pass whatever new messages (commands) they have to each other.

      You can get around anomaly detection by not causing any anomalies. Piggyback your messages on already existing connections rather than starting new ones. Basic spy stuff, really.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  3. Re:way easier idea by Anonymous Coward · · Score: 1, Interesting

    My college had this policy when I was an undergrad. They used it on a Windows box I didn't care much about since I only used it to play movies on my TV. It was enough to keep me from ever using Windows again. I'd wager that most people would come up with more temporary solutions (changing ISPs, buying a new computer, etc.). One can always dream, though.

  4. Even easier way ... . by Anonymous Coward · · Score: 5, Interesting

    Just run a web server where you allow things like ...

        index.php?main=xxx

    and then watch the attempts that come in for xxx; they will
    all be scripts that trigger the botnets. Grab the scripts
    and you have the IRC server, the channel, etc.

    A recent one that I saw was on katana.webchat.org in channel
    #msdos -- no idea if it is still running (ironic since webchat
    is supposed to have a security team). I reported it, but never
    heard anything back.

    Here are a bunch of other ones, access to botnets, free of
    charge.


    Use at your own risk, and maybe, these folks will get off their rear ends and shut these things down.

    1. Re:Even easier way ... . by 0100010001010011 · · Score: 2, Interesting

      ROFL this is tons of fun.

      I just took over a botnet. Read the source code and figured out what's going on and how to log in to them. Man, these things are semi-complex.

      I just took over one and killed it. Dude was none too happy:
      16:20 macacao> l3
      16:21 macacao> SE EU TE PEGO
      16:21 macacao> EU VO CUMER
      16:21 macacao> TEU CU
      16:21 macacao> FILHO DA PUTA

    2. Re:Even easier way ... . by 0100010001010011 · · Score: 2, Interesting

      Because script kiddies are getting lazier and lazier.

      All the ones I was messing with were the PHP ones that had a config file like this:
      --
      var $config = array("server"=>"katana.webchat.org",
                          "port"=>6667,
                          "pass"=>"",          // server password
                          "prefix"=>"L",
                          "maxrand"=>8,
                          "chan"=>"#samera",
                          "key"=>"fucked",     // channel password
                          "modes"=>"+p",
                          "password"=>"ts",    // bot password
                          "trigger"=>".",
                          "hostauth"=>"*"      // * for any hostname
                          );
      --
      And now that I went back and refreshed, they changed the channel and password.

      The commands aren't too difficult, they're in the header of a few other files that are linked in the original post. Just make sure that you have all your commands queued up and copy and paste them in at once. I didn't and the original bot owner took control and had them all die :-P

      I rewrote the script so that instead of actually doing the commands it just logs what it should have done and returns a positive response to the channel. So far I have a few UDP floods, I think I'll observe these guys for a while. Should be some entertainment for Saturday night.

  5. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion