Prototype Software Sniffs Out, Disrupts Botnets

← Back to Stories (view on slashdot.org)

Prototype Software Sniffs Out, Disrupts Botnets

Posted by Zonk on Saturday February 16, 2008 @08:24AM from the are-you-john-connors dept.

coondoggie writes "Earlier this week researchers unveiled a system to identify and eradicate botnets in the wild. While currently only a prototype, Georgia Tech's BotSniffer would use network-based anomaly detection to identify botnet command and control channels in a LAN. The system wouldn't require any prior knowledge of signatures or server addresses. 'The researchers said their prototype, which was presented at the Internet Society's Network and Distributed System Security Symposium this week, is based on the fact that botnets engage in coordinated communication, propagation, and attack and fraudulent activities.'"

3 of 51 comments (clear)

Min score:

Reason:

Sort:

Useful but fundamentally flawed.... by DigitalisAkujin · 2008-02-16 08:44 · Score: 4, Interesting

This will work for plain text IRC connections but what if the bot is on an encrypted IRC connection?

While this is a step in the right direction it will be out maneuvered quickly.
1. Re:Useful but fundamentally flawed.... by eonlabs · 2008-02-16 10:01 · Score: 4, Interesting
  
  This brings me to several questions:
  
  What happens if a new host, or several new hosts are added to the network?
  What happens if this is a public wifi where new hosts are added and dropped all the time?
  
  If the functionality is as described in the article summary and it looks for coordinated communications, how will it interpret bittorrent style communications where a lot of different computers, some possibly infected, most not, transferring data to and from a single host trying to download?
  
  It sounds like swarming algorithms are the kind of behavior it would be looking for.
  Just thinking out loud...
  
  --
  I wouldn't consider the mad hatter mad. Just reality impaired. He sure can make a mean cup of tea.
Even easier way ... . by Anonymous Coward · 2008-02-16 09:01 · Score: 5, Interesting

Just run a web server where you allow things like .. .

index.php?main=xxx

and then watch the attempts that come in for xxx, they will
all be scripts that trigger the botnets. grab the scripts
and you have the irc server, the channel, etc.

A recent one that I saw was one katana.webchat.org in channel
#msdos -- no idea if it is still running (ironic since webchat
is supposed to have a security team). I reported it, but never
heard anything back).

Here are a bunch of other ones, access to botnets, free of
charge.

http://www.forestfamily.org/garc/.php/meifase.txt
http://bialoka123.fileave.com/script9.txt
http://raptortx.googlepages.com/inc3.txt
http://snock.host.sk/spread.txt
http://bialoka123.fileave.com/script9.txt
http://members.lycos.co.uk/enviescraps/pbot.txt
http://gikowns.googlepages.com/BOTNET-GIKO.txt
http://www.ligseg.com.br/Etc/24.gif
http://76.162.170.34/Photos/pbot
http://www.hotjazz.xpg.com.br/ty.txt

Use at your own risk, and maybe, these folks will get off their rear ends and shut these things down.