Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Observing Botnets with Honeynets

Posted by CmdrTaco on Tue Mar 15, 2005 09:38 AM
from the know-thine-enemy dept.
Security
Susan Saradon writes "The Honeynet Project has released a new paper which deals with the observation of botnets. "Know Your Enemy: Tracking Botnets" discusses what Botnets are, who is using them, how, and why. It als introduces the tools "mwcollect" and "drone" which can be used for collecting an tracking Botnet activity. Nice to read and looking forward to the release of these tools."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Observing Botnets with Honeynets 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • I always liked (Score:5, Funny)

    by Enigma_Man (756516) on Tuesday March 15 2005, @09:40AM (#11942966) Homepage
    logging into the IRC channels of botnets, and trying to introduce myself, and asking "a/s/l" and getting all huffy that nobody's answering. Or talking like a robot.

    -Jesse

  • Zombie PCs being sent to steal IDs (Score:5, Interesting)

    by maotx (765127) <maotx@yaho o . c om> on Tuesday March 15 2005, @09:42AM (#11942978)
    While I was going to submit this as a story, it would seem more appropriate as a link from this one.

    News.com [com.com] has an interesting article [com.com] talking about how bot nets have migrated mainly from DoS to wide-spread spys. A growing increase in bot nets have been used to gather sensitive identity information and install adware and spyware. The Honeynet Project [honeynet.org] estimates that some of the networks are made up of more than 50,000 computers.

  • 226,585 unique hosts!? (Score:5, Insightful)

    by bigtallmofo (695287) on Tuesday March 15 2005, @09:48AM (#11943020)
    During these few months, we saw 226,585 unique IP addresses joining at least one of the channels we monitored [...] This shows that the threat posed by botnets is probably worse than originally believed

    Doesn't this qualify as the understatement of the year? Never in my wildest dreams did I think a botnet would grow above a few tens of thousands hosts. There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

    Anyway, I couldn't have imagined a better or more authoritative write-up of botnets. Hopefully though it doesn't add fuel to the various ??AA organization's fire of declaring IRC a scourge on humanity.

    • Re:226,585 unique hosts!? (Score:4, Interesting)

      by LiquidCoooled (634315) on Tuesday March 15 2005, @10:11AM (#11943164) Homepage Journal
      No, here at work, we just have to sneeze loudly and we get a new IP.

      Windows machines reboot continuously because they keep crashing mean new IPs are allocated every time the user reconnects to his ISP.
    • There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

      Yes, there is, a lot of DDOS power. A lot of xdcc bots. Script kiddies with zero skills can pull it off.

      Hopefully though it doesn't add fuel to the various ??AA organization's fire of declaring IRC a scourge on humanity.

      Just because botnets use irc networks as a place of gathering does not mean IRC is a scourage on humanity. ??AA are not even worried about such things, there
      • "Script kiddies with zero skills can pull it off"

        Totally agree, but you have to admit that someone with 50,000 +/- bots available to them is a dangerous person.

        Side question, where is the quote in your sig from?
        • Agreed. I don't care if you are a script kiddie; if you get a botnet that big, then you command my respect -- not because of technical skills, but the amount of computing capital that you have, and the power that you can wield on the internet with it. Now, that is not to say that you may know how to use it, but you could still sell that bot net to someone else.
    • Hopefully though it doesn't add fuel to the various ??AA organization's fire of declaring IRC a scourge on humanity.

      I hate to be the one to tell you this, but they have been for a while now. I poked my head in a few a while back, and..well, granted, it was early on a school night, but for being a supposed linux help channel, it was sure full of geek talking about tits. I hung around for close to 2 hours, and one guy even got yelled at for asking a question.

    • Re:226,585 unique hosts!? (Score:5, Funny)

      by EnglishTim (9662) on Tuesday March 15 2005, @10:26AM (#11943296)
      There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

      That... or the network has attained self-awareness and is trying to recruit all our PCs to conquer the world!

      THROW YOUR PC OUT OF THE WINDOW. IT'S THE ONLY WAY TO BE SURE.
    • While the most valuable bots are on always-on broadband connections, I expect many are on dial-up. Over a "few months" a PC connecting over dialup could use dozens of IPs. With a big ISP (big IP pool) and a user averaging more than one connection per day you could get >>100 IPs per bot over a few months.
      • With a big ISP (big IP pool) and a user averaging more than one connection per day you could get >>100 IPs per bot over a few months.
        Whereas a bot on DSL or a LAN could get that in a few minutes.

    • Never in my wildest dreams did I think a botnet would grow above a few tens of thousands hosts.

      Lots of people did, though. Not botnets as such, but it's been clear for several years that Windows is extremely vulnerable to automated infiltration.

      There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

      A "professional full-time organization" can be one guy. But I'm guessing you mean something more serious, like somebody's raised some invest

    • As I understand it, that figure was all botnets they monitored combined.
      Not a single one.

      But as we all know, on the internet "size doesnt matter much".
      Switch your bots to a lightweight (UDP based?) protocol, partition up the botnet or make it P2P and you can handle any insane number of bots.

      Remember, as soon as a new Windows vulnerability is discovered (the current rate seems to be about one serious remote exploit every 3 months) your malicious botnet-operator only needs to "plug in" the new exploit and h

  • Are bot-nets open source? (Score:3, Funny)

    by duffbeer703 (177751) * on Tuesday March 15 2005, @09:54AM (#11943048)
    I'd love to use bot nets to spot, stop or even patch new/unknown machines on my network.

  • WTF? (Score:5, Funny)

    by Quixote (154172) * on Tuesday March 15 2005, @09:59AM (#11943086) Homepage Journal
    FTFA:
    In one case, bot software detected whether the game "Diablo II" was installed on the host PC. If the game was present, the program would steal items from the player's characters and drop them at preplanned places in the online game world. The bot net's controller would then collect the items and sell them on auction site eBay, Holz said.

    What the... ? Stealing identities and installing viruses is one thing; but to actually go and steal stuff from Diablo-II?? Have these guys no shame???

    • Selling D2 items is more profitable than you might think...

    • Re:WTF? (Score:5, Interesting)

      by Reene (808293) on Tuesday March 15 2005, @10:12AM (#11943175) Homepage Journal
      I would imagine it is much more profitable, at least in the short run, to do things like this. Same would be true for Everquest if it's possible to steal items in this manner, but I am unfamiliar with how exactly the item system in that game works (was always a Diablo fan, not a EQ fan).

      The prices some of these things fetch is insane even to the most hardcore of gamers..But I guess if you've got that much money to blow anything starts looking good. Hell, you should see some of the prices the shit on the text-based MUD DragonRealms [play.net] fetches. Upwards of thousands of dollars for characters, rare items, and currency. And it's easy to shell out anywhere from $30-$500 a month directly to the company that runs the game itself, nevermind the underground networks of illegal buying and selling of characters/items/money. But I digress...

  • detection of botnets (Score:5, Informative)

    by kc0re (739168) on Tuesday March 15 2005, @10:04AM (#11943118) Journal
    For those of you that use Snort [snort.org] as an Intrustion Detection System, there are some excellent rules that will detect botnets located at BleedingSnort [bleedingsnort.com]

    Look for IRC rules that are non-standard ports. Very easy to run.

  • Spam on the Undernet (Score:3, Funny)

    by Necrotica (241109) <cspencer&lanlord,ca> on Tuesday March 15 2005, @10:08AM (#11943146)
    I'm an op in a large channel on the Undernet and spam is definately a growing problem. I see lots of spambots join/part our channel and an unusually high percentage of them come from Romania.

    You would think that the Undernet admins could simply force users to login to X, thus dramatically reducing the problem. However they are not willing to do that. As a sysadmin myself, never in a million years would I turn a blind eye one of my services being used completely inapporpriately and I would take the steps necessary to prevent it.

  • Just my 2p... (Score:3, Funny)

    by aug24 (38229) on Tuesday March 15 2005, @10:13AM (#11943181) Homepage
    ...could one of you chaps out there with more time than me please brute-force the password to these IRC servers and update these bot machines with a file which throws up a popup saying "You have been hacked you idiot, get someone to help you secure this box (or I will steal your credit card details").

    J.

  • WTF? Am I the only one who thinks it's funny that so many of these bots are under the GPL - as if the criminals who use them will care about the finer points of copyright law. What idiots.
    • Am I the only one who thinks it's funny that so many of these bots are under the GPL - as if the criminals who use them will care about the finer points of copyright law.

      You are forgetting that many of the people involved are retarded. If you look on direct connection networks or even in Usenet groups where things like stolen fonts are traded you won't have to look long to find one fuckwit complaining that one of the archives of pirated material he/she/it put together has been "ripped off" by some other t

  • Spidering (Score:3, Interesting)

    by menace3society (768451) on Tuesday March 15 2005, @10:30AM (#11943320)
    Does it bother anyone else that they imply that spidering is related to DDoS and botnets?

    Note that DDoS attacks are not limited to web servers, virtually any service available on the Internet can be the target of such an attack. Higher-level protocols can be used to increase the load even more effectively by using very specific attacks, such as running exhausting search queries on bulletin boards or recursive HTTP-floods on the victim's website. Recursive HTTP-flood means that the bots start from a given HTTP link and then follows all links on the provided website in a recursive way. This is also called spidering.

    Any time I see this sort of obvious attempt to build paranoia, it makes me suspicious of the whole article.

    • "Does it bother anyone else that they imply that spidering is related to DDoS and botnets? "

      When the bots are doing nothing but http requests and database requests on your site by doing search queries and following links, then yes that would be a DDoS attack.

      Any attack relating to damaging a service is a DDoS.

      much better then just DDoS attacking with a single domain with an HTTP request attack, there are a few reasons to doing it this way, my guess would be maybe its harder to notice by viewing your logs
      • The problem is that they imply that spidering is only ever used for DoS attacks, which patently isn't true. Unless, of course, you think that being linked to by Google is a DoS attack.
    • Nope, what they describe *is* spidering. The difference between DDoS attacks and ligitimate spidering by search engines, etc is probably the "niceness". e.g, the delay between requests, respecting robots.txt, etc. Any implication "that spidering is related to DDoS and botnets" is all in your imagination. Go put your tinfoil hat back on bud.

  • I've had a similar experience (Score:5, Interesting)

    by Anonymous Coward on Tuesday March 15 2005, @11:56AM (#11944194)
    I found a gaobot variant at work a month back and ran it on a Virtual PC at home. One thing the article doesn't mention is that the variant would connect to a free dynamic IP address server (in my case *.ma.cx) to figure out the IP of the IRC server. I fired up mIRC, and joined the channel my bot was joining, and sent the OP a message. We started talking for a bit. At first he thought I was some other black hat and he started bragging about having over 50,000 machines in his network. Wanted to know if I wanted to trade bots and the like. When he figured out what I was really doing, he banned me.

    I sent messages to the ISP of the IRC server (in this case IPowerWeb) and to the dynamic DNS server to the effect of "Hey, someone's using your service for hacking" with all my details and such. Nothing happened. Guess they just don't care.
  • At some point in the not-too-distant future, I forsee a disgruntled botnet operator (or an unethical sysadmin who's getting DDoSed) causing about 100,000 0wned home computers to spontaneously "deltree /y c:".

    At that point, we may see the average end-user become slightly more concerned about network security.

    In fact, I'm a little surprised it hasn't happened already.
    • I doubt this will happen (maybe by accident or some "failed" update, though).
      The botnet is so "useful", why should he intentionally wipe it out?

      My guess would be that we'll just be seeing more of the same. A lot more.
      Phishing will grow bigger as more clueless users get infected with keylogging bots that send their bank info home, the blackmailing crowd might move on to more high profile victims (ebay down for a day? 100k bots can do it) and the botnet/worm creators will ofcourse constantly get more creativ
  • If you're monitoring these 'bot nets, why not do something useful instead -- like delete the d@mn 'bot programs off the compromised machines instead!

    Oh, yeah, you'd be out of a job at that point once they were gone.

    • The whole purpouse was to gather evidence and details of the botnets. If you don't understand how the bots work, then it is hard to find how to defend against them. By knowing the targets, the goals and how they communicate you can both detect them on a network, and defend against them (for example, if you administer a corparate network, having the signitures of a bot with Snort can be quite useful in intercepting bot traffic). The other interesting thing was that the bot nets use IRC channels to communicat
  • I've noticed that a lot of online banking sites are now switching from typed passwords to "keypad" buttons that you have to click with a mouse. The order of the buttons changes every time the page is loaded, so sniffing the mouse position won't help. This seems like a good basic security measure and I'm a bit surprised it hasn't been universally adopted.

    Just wondering, from those who know about such things - Short of doing a realtime screen capture and sending the video of the mouse moving over the button

    • Re:Are these BotNets responsible (Score:5, Interesting)

      by Anonymous Coward on Tuesday March 15 2005, @09:49AM (#11943024)
      Yep.

      The funny thing about the bruteforce attempts I've been victim of is that they use the same password as username.

      I figured this out after having a guest:guest account open for a while. Suddenly I started getting complaints from the network admin, and then one night working, I was shocked by how slow this 400MHz monster had become lately. Running ps showed me a few things I didn't want to see. However, as I didn't delete the programs compiled on that account, I could browse through the code to see how it worked, and indeed, it connected a IRC server and a channel with a key and kept listing IP addresses and codes that I never took the time to investigate.

      And uhm, yeah, it was stupid having a guest:guest account. :)
      • You're not the only one - I haven't been cracked like that but I know other people who have. Always, it's via a guest or "test" account.

        Moral of the story? Don't run SSH unless you really really know what you're doing! Linux distros - don't let people create accounts with stupid passwords, and especially do not run SSH by default!

        • I have a dummy account with a cryptic name and password and no home as the only allowed ssh login for my box, from which I must su to a normal user, then su - to admin. I'm hoping that it's unlikely to be cracked.
      • What gets me is how easy it is to find out which channel these bots go into and what commands they accept. What prevents any Joe-Blow with a little sniffer from logging into one of these 25,000+ bot rooms and sending them DoS or self-destruct commands? I'm really suprised that their isn't any "bot wars" from disgruntled 13-year olds (no offense to any 13 year old /.ers) who want to take control of all of thoses infected boxes.
        • what surprises me is that there arent any antibot /.ers who'll log on those botnets and self-destruct them.

          that is, if any 13 yo can do it... but IANASK (I am not a script kiddie), so...

        • Re:Are these BotNets responsible (Score:2, Interesting)

          by Anonymous Coward
          I'm really suprised that their isn't any "bot wars"

          Trust me, there are. You may not notice them since they target a pretty specific population (lusers with owned boxes attacking each other until they drop off the internet won't much affect you unless you're on the same network segment as one side or the other). We have an IRC operator on our network who figured out that at least the IRC control module could be disabled on command on certain prepackaged (yay scriptkiddiez) bots, and would (ab)use his pow
    • Maybe I have been lucky but I see less then 5 attempts to my port 22 a day. I only allow accounts with existing keys (no password auth) and only from a few source ip addresses access but I can still see all of the attempts that fail. You can always see the trends by port and attack by browsing the internet storm center [sans.org]. See how you compare to the averages or you can look up specific port related issues from the other links on that page.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.