Searching for Botnet Command & Controls
Orange Eater writes "eWeek has a story about a group of high-profile security researchers intensifying the search for the command-and-control infrastructure used to power botnets for malicious use. The idea is to open up a new reporting mechanism for ISPs and IT administrators to report botnet activity." From the article: "Operating under the theory that if you kill the head, the body will follow, a group of high-profile security researchers is ramping up efforts to find and disable the command-and-control infrastructure that powers millions of zombie drone machines, or bots, hijacked by malicious hackers."
Re:What? (Score:3, Insightful)
I really don't need V!@gr@ nor do I want to buy any other drugs really cheap. And I really don't need the emails that advertise them. Reading e-mail is as private for me as sex is for some other people; if I don't advertise my software products next to your bed while you're having sex, I'd also expect you no
Re:What? (Score:1)
/me looks it up right now
This'll surely stop them, or not. (Score:5, Insightful)
Re:This'll surely stop them, or not. (Score:1)
P2P is no good way for trojans (Score:3, Interesting)
First, the attention it already has. Providers are aware of P2P traffic and how it clogs their cables.
Second, lack of control. You cannot control what gets where and when with P2P. You cannot say NOW we start to distribute this version, NOW we stop distributing this version. This is essential. Without it, you need more sophisticated and less reliable ways to tell your trojan whether the item it just found is "better" than what it has now.
Third, the spread is too slow through P2P. The chance that an an
Re:P2P is no good way for trojans (Score:3, Insightful)
I'm not sure you're understanding the previous poster. He/she is talking about control networks for botnets, not about distribution mechanisms. Bots and worms can be coded to look for particular filenames on P2P and get their commands from that source. Then they look for the next filename in their list. This is used to direct the bots, not to compromise them.
Re:P2P is no good way for trojans (Score:2)
If the bot wants an attack script from me, I tell it to attack 127.0.0.1. Or I tell it to attack me, so I can inform the corresponding ISP of infected machines.
Re:P2P is no good way for trojans (Score:1)
asymmetric encryption [google.com] to keep you from seeing anything. Now it has an extra 27 bytes that say 'dkd74jdlsid03jj663dw128db4h'. Oh, and they appear to just line it up to a word boundary.
virtual private networks [google.com] to punch through the net. Of course you could just block all of the
Re:P2P is no good way for trojans (Score:2)
The real botnet controllers are people. The DOJ has been arresting a few botherders recently; I blogged about this a week ago [blogspot.com]. I do not know how this is being done, but I think it's much more likely that they are following the money, not following the bits.
I still think that the way to bring b
Query string (Score:5, Funny)
Re:Skynet not Botnet (Score:2)
What I don't understand (Score:4, Informative)
Are all botnet operators dumb? There's a whole heap of things botnet operators could do to insulate themselves and their networks from attack. Examples:
Those are just off the top of my head; I'm sure if it was my actual job to operate a botnet I could come up with something far more sophisticated. So why don't botnet operators do this? Are they all dumb?
Can't be bothered (Score:3, Insightful)
Re:What I don't understand (Score:3, Informative)
Re:What I don't understand (Score:2)
So far the perps have been very willing to share attacks. Now that there is money to be made and they are in competition there is a good reason not to share new goodies. It is in the interests of the professional botherders to have lots of script kiddies doing idiotic attacks, being caught and prosecuted. I bet they would even write bots that report the o
Re:What I don't understand (Score:5, Funny)
Re:What I don't understand (Score:2)
There's another one for the firewall.
Re:What I don't understand (Score:2)
Or maybe I'm reading too much into it, as well as playing too much HL2.
Yes.
Re:What I don't understand (Score:2)
Re:What I don't understand (Score:5, Insightful)
Botnets are about numbers of machines. Destroying a node (i.e., formatting the hard drive) lowers the number of machines. As long as the rate of compromise is greater than the rate of attrition, the botnet will continue to grow, and that is good. In this case, doing harm to users is bad business for the botnet operators. Anyway, setting up the botnet as a series of cells means that any cell being compromised has a limited impact.
I don't assume that computer criminals are dumb. A single felony conviction for youthful stupidity can prevent an otherwise talented technical person from getting any job in many large companies. Organized crime doesn't discriminate against these people and can pay pretty well. There are a lot of security experts who are in their roles today because they never got caught and prosecuted for some of the things they did in the past.
I first heard of the idea of using spam as a communication medium 3-4 years ago. I wouldn't be surprised if this is already being done. There's so much spam that finding a signal in all that noise would be difficult. Unless you knew exactly what you were looking for, you wouldn't be likely to find it.
you must be new here (Score:1)
Re:What I don't understand (Score:3, Insightful)
Any terrorist worth his salt who wants to signal ter
Re:What I don't understand (Score:2)
behind each bot (Score:1)
if you take down the ip or the machine, you're also attacking this guy, who's never even heard of botnets.
Re:What I don't understand (Score:2)
No, just most of them. Anything you do to raise the barrier to entry reduces the number of people doing it.
Re:What I don't understand (Score:2)
The largest percentage of my calls as a consultant are compromised systems, mostly via malware and virii. It is a good thing none of the botnets are run by ppl that are insidiously intelligent. It would be horrendous what could be done. The botnet could just become a VPN for command and control aspects, and then to make matters worse it could pick up its "orders" from any website or p2p network. They could run encrypted e-mail as part of the botnet and recv its commands via anon-remailers. It could also
Good luck (Score:5, Interesting)
Re:Good luck (Score:1)
An Inside Look at Botnets (http://www.cs.wisc.edu/~pb/botnets_final.pdf [wisc.edu])
It's a question of money (Score:2)
What this whole story brings to us is not, that AV and security experts deal with botnets (they'v
Re:Good luck (Score:4, Interesting)
Typical security theatre from people who just don't know much about security. None of those things will accomplish anything, because it's the same old DRM problem - if it has to run on the target host, then the person controlling that host can analyse it, reverse engineer it, and discover how it works. Having done that they can defeat it. It doesn't matter how much you encrypt or hide the communication between the loser running the botnet and the infected host - that host can be 'compromised' by a person with physical access.
Of course, if something like Palladium ever became a reality, this would no longer be the case, which would be the security disaster everybody has been warning about.
Also, anonymising systems like freenet are designed specifically to protect the identity of the person inserting information, so it's not necessarily possible to track down the one controlling the botnet.
But it is very easy to defeat security theatre like port knocking and 'stealth' commands. We are always going to know precisely what the infected host is doing in one of these things.
None of that matters though. While it could be effective in the short term to track these people back from the infected hosts, it's far more realistic to track them forwards from their clients. Money is much easier to follow.
Re:Good luck (Score:1)
Re:Good luck (Score:2)
Re:Good luck (Score:2)
What is ..? (Score:1)
A botnet command or some other traffic?
Or even noise for the sake of noise? (Ie, spamming the government's ears)
Re:What is ..? (Score:1)
Re:What is ..? (Score:5, Funny)
FTFA:
Here you go: One Microsoft Way Redmond, WA 98052 Phone: (425) 882-8080 Fax: (425) 706-7329.
Take the bot, break it apart (Score:2)
Granted, if they used some more sophisticated encryption it would probably be near impossible to find out what a "valid" command is and what isn't, unless tested against the bot. So far, they didn't.
KISS principle. If it's not necessary, why bother? Works well without.
Re:Take the bot, break it apart (Score:2)
this reminds me of an old article [grc.com] over at GRC which covers this subject. interesting read.
Re:Take the bot, break it apart (Score:2)
Seriously now. A DDoS can be stopped. Not at the source, but at the ISP connecting you. You can't of course stop the attack from happening, but you can use powerful and sophisticated filtering and load sharing systems to stay online. A number of attacks, together with accompanying blackmail ("pay or else we flood you"), have happened to a few services that rely heavily on internet access, namely online betting shops.
Currently phishing is
Tread Carefully (Score:1)
Seems like at some level there will have to be a human protocol that decides which traffic is naughty and which is nice. Humans can be manipulated and protocols spoofed. If this weren't the case we wouldn't be having this discussion in the first place.
Re:Tread Carefully (Score:1)
"Botmaster"... (Score:2)
Somewhere, there is a joke that begins with the quote "I AM TEH BOTMASTER!" and ends with the quote "AND I AM TEH GATEKEEPER!", but alas, I cannot figure it out right now.
Oh slashdot, help me out here.
Re:"Botmaster"...err Keymaster? (Score:1, Offtopic)
Re:"Botmaster"... (Score:2)
I think I've found their C&C network, it has something to do with mozzarella cheeze, Stay Puff marshmallows, and a really bad dude named Xul.
http://www.mozilla.org/keymaster/gatekeeper/there
list has no posts (Score:2)
Re:list has no posts (Score:2)
1. setup fake web site describing new security initiative
2. get article published on slashdot about new web site
3. collect slashdot users email addresses to add to spam list
4. ????
5. Profit!
Kill those nasty bots (Score:2)
In contrast, it has been found that some zombie PCs are operating under the theory that if you cut off the head, the body will just wander around aimlessly.
Good luck... (Score:1)
Worst, it wouldn't help a bit (Score:5, Insightful)
Turn IRC off and they'll do it via usenet and have the bot read a certain (not too spammy) group religiously for his master's voice.
When you turn that off, they'll find another way. There are so many communication tools out there, so many protocols, from MSN to Skype, and they all can and will be abused to keep the botbrain in touch with his zombies.
Futile. The only chance is to cut the machines from the 'net that contain those trojans.
Re:Worst, it wouldn't help a bit (Score:2)
Or from right here on slashdot.... I've seen the pages come across; usually it has something like HELLO WORLD on the first couple of lines, then a series of numbers/characters obviously formatted in a pattern, then ends with another obvious terminator. It looks so blatantly like a crypted message that I reported it to Taco/other maintainers, but they just closed the ticket with "securit
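The pattern the poster describes (a marker line, a run of fixed-alphabet lines, then a terminator) is easy to screen for mechanically. The following is an added example, not code from the post or from Slashdot: a small heuristic that flags a comment when it contains a run of several long lines drawn only from a base64/hex-style alphabet with high per-character entropy, which is what an encoded blob looks like and what prose does not. The function names, thresholds and the three sample comments are constructed for this example; thresholds would need tuning on real traffic.

```python
"""Added example: heuristic screening of forum comments for embedded
encoded blobs. Not from the post; names, thresholds and samples are
assumptions made for this illustration."""
import math
import string
from collections import Counter

# Characters that typically make up base64 or hex payload lines.
BLOB_ALPHABET = set(string.ascii_letters + string.digits + "+/=")
MIN_BLOB_LINE = 16       # shorter runs are usually ordinary words
MIN_BLOB_LINES = 3       # one such line is just a pasted hash, not a message
MIN_ENTROPY_BITS = 3.0   # per-character Shannon entropy over the run


def shannon_entropy(data: str) -> float:
    """Bits of entropy per character of the given string (0.0 for empty)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_blob_line(line: str) -> bool:
    """A line with no whitespace, of payload length, using only blob characters."""
    s = line.strip()
    return len(s) >= MIN_BLOB_LINE and all(ch in BLOB_ALPHABET for ch in s)


def longest_blob_run(lines) -> list:
    """Return the longest run of consecutive blob lines in the comment."""
    best, cur = [], []
    for line in lines:
        if is_blob_line(line):
            cur.append(line.strip())
        else:
            if len(cur) > len(best):
                best = cur
            cur = []
    return cur if len(cur) > len(best) else best


def score_comment(text: str) -> dict:
    """Flag a comment that carries a high-entropy run of payload-looking lines."""
    run = longest_blob_run(text.splitlines())
    entropy = shannon_entropy("".join(run))
    flagged = len(run) >= MIN_BLOB_LINES and entropy >= MIN_ENTROPY_BITS
    return {"blob_lines": len(run), "entropy": round(entropy, 2), "flagged": flagged}


# Constructed samples: ordinary prose, a prose comment quoting one hash,
# and a marker/blob/terminator comment of the shape the poster describes.
PROSE_COMMENT = "Good luck trying to find an unmoderated usenet group\nthat isn't full of garbage.\n"
ONE_HASH_COMMENT = "the md5 of the sample was\nd41d8cd98f00b204e9800998ecf8427e\nnothing else\n"
BLOB_COMMENT = (
    "HELLO WORLD\n"
    "0123456789abcdef\n"
    "fedcba9876543210\n"
    "048c159d26ae37bf\n"
    "fb73ea62d951c840\n"
    "END\n"
)

if __name__ == "__main__":
    for name, text in [("prose", PROSE_COMMENT), ("hash", ONE_HASH_COMMENT), ("blob", BLOB_COMMENT)]:
        print(name, score_comment(text))
```

The alphabet test, not the entropy alone, does most of the work: English prose has similar per-character entropy, but it contains spaces and punctuation on nearly every line, so it never forms a run of blob lines.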
Re:Worst, it wouldn't help a bit (Score:2)
Good luck trying to find an unmoderated usenet group that isn't full of garbage ... and I'm not referring to the spam therein, either.
Re:Worst, it wouldn't help a bit (Score:2)
Or have the bot follow some major online forum and have him wait for a message there.
Or let the bot read some blog.
Or open your own forum at something like myfreeforum, there you can even let your bot create an account and have it log in, perfect for having an accurate number of bots available.
Or... a few other options. But this is not "Botnetting 101".
Re:Worst, it wouldn't help a bit (Score:2)
Re:Worst, it wouldn't help a bit (Score:2)
Re:Worst, it wouldn't help a bit (Score:2)
I could see it working (Score:2)
Re:I could see it working (Score:1)
All they have to do is set up a computer with XP (original, no patches) and connect it to the internet. Give it 45 minutes and you'll have all the bots you want!
I'd like to report a huge Botnet... (Score:5, Funny)
He uses this website, slash something or other. All he has to do is put the url he wants attacked on its frontpage and all his loyal "bots" go right to work on a DDOS attack.
Most ingenious! And I bet he profits handsomely from it too!
Re:I'd like to report a huge Botnet... (Score:1)
It's a development I can verify (Score:5, Interesting)
Then anti-virus and security companies became aware of the problem and started to counter it. The result was updating bots that reloaded part of their code, some configuration script or completely new code from a static server. When we started to hunt down the update servers, the update servers became dynamic as well.
Today, botnets have a faster and more reliable update mechanism than some commercial products. More fallback servers than most companies. And a faster response time to "blackouts" than anyone in the (legal) commercial 'net.
Another development such nets go through, right as we're talking, is that more and more of the bots get more and more features. Earlier, you had a bot that connects to a spam net, another one with keylogging, another one that offers DDoS sheep properties and so on. More and more, those features become incorporated in one bot. Instead of specialists, you get generalists.
Today you have trojans that create proxies, and at the same time they harvest your passwords, especially interested in your server passwords (to turn your personal homepage server into an update box for them), log your input (especially when you're dealing with online services that require money transfer, like paypal or ebay) and use you to send sex-spam out to others.
Those sex-spam sites contain adware popups, those in turn are infected with 0day exploits like the WMF-exploit was. Those in turn contain more trojans.
This all is not necessarily done by one and the same attacker. You can buy and sell those "services". One person or group creating the adware dropper, selling its finding to another group who uses it to get a sheep onto the computer, those in turn sell them to someone who wants to conduct a DDoS attack. Or they sell it to a keylogger, who then uses this to harvest your login data to some pay services to transfer your money or buy stuff for your money.
And this business is growing.
Re:It's a development I can verify (Score:1)
Needs the same to crash it (Score:2)
While this was easy with the
It doesn't take a genius to install a firewall, a virus tool and refrain from clicking every single piece of junk you get sent. If you can't apply 2 brain cells to a task, get outta my net!
The possibilities! (Score:1)
Operating under the theory that if you kill the head, the body will follow
Imagine were that not the case! Headless bots roaming the net looking for trouble.
In all seriousness, I could imagine some nasty work that could be done to turn disbanded botnets into a bigger problem than active ones.
Re:The possibilities! -- good point.. (Score:1)
it's obvious (Score:1)
well (Score:1)
Ob Comic Geek (Score:1)
Enforcement? Hello? (Score:5, Informative)
Re:Enforcement? Hello? (Score:1)
Re:Enforcement? Hello? (Score:1)
Honeyclients (Score:2, Interesting)
From their page:
Kathy Wang ToorCon 2005
So, what's a honeyclient?
Honeyclients provide the capability to proactively detect client-side exploits
Drives client application to connect to servers
Any changes made to honeyclient system are unauthorized - no false positives!
We can detect exploits without prior signatures
What can honeyclients do for you?
Allows proactive monitoring of malicious servers
Allows d
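The slide's central claim, that any change made to a honeyclient system is unauthorized and so needs no signature, rests on comparing the guest against a known-clean baseline. The following is an added example, not code from the honeyclients project or from Kathy Wang's talk: it takes a baseline snapshot (size, mode bits and SHA-256 of every regular file under a root), simulates the client being driven to a hostile server by making a few changes, and reports everything that differs as an indicator. The function names, the temporary guest tree and the "dropped" files are constructed for this illustration; a real honeyclient would also watch registry keys, processes and network connections, which this file-only diff does not cover.

```python
"""Added example: filesystem baseline/diff step of a honeyclient. Not from
the honeyclients project; helper names and sample tree are assumptions."""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class FileState:
    size: int
    mode: int
    sha256: str


def _hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Record size, permission bits and content hash of every regular file under root."""
    states = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            states[rel] = FileState(st.st_size, st.st_mode & 0o7777, _hash_file(full))
    return states


def diff_snapshots(before: dict, after: dict) -> dict:
    """Every path that differs between baseline and post-visit snapshot is an indicator."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed guest tree, take the baseline, simulate a hostile
    visit (config patched, binary dropped, document deleted), then diff."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "Windows", "System32")
        docs = os.path.join(root, "Documents")
        os.makedirs(sys32)
        os.makedirs(docs)
        with open(os.path.join(sys32, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(docs, "notes.txt"), "w") as fh:
            fh.write("clean baseline\n")
        baseline = snapshot(root)

        # Constructed unauthorized changes standing in for what a malicious
        # server might cause; the hostname is a placeholder, not a real IoC.
        with open(os.path.join(sys32, "hosts"), "a") as fh:
            fh.write("0.0.0.0 av-update.placeholder.invalid\n")
        with open(os.path.join(sys32, "dropper.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 64)
        os.remove(os.path.join(docs, "notes.txt"))

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashing rather than relying on mtime matters here: a dropper that restores timestamps after writing would slip past a time-based check but not a content hash, and the permission bits catch a file that was made executable without its contents changing.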
/. Fortune says it best (Score:2)
How appropriate.
It's not that hard. (Score:4, Informative)
I've done it many times whenever I've managed to isolate one of these trojans in Virtual PC. I've also watched the commanders having a great big "LOL" in channel, and felt awful that if I said anything it'd blow my cover. Try it today.
Re:It's not that hard. (Score:1, Insightful)
And what springs to my mind first... (Score:2)
"You insensitive prick! Do you have any idea how much that stings?" [imdb.com]
Bwahahaha! (Score:1)
How you can participate (Score:2)
Re:Grammer Nazi! (Score:1)
Re:Grammer Nazi! (Score:2)
Re:Grammer Nazi! (Score:1, Offtopic)
> affect words like 'group?' Anyone from the UK to comment?
I've seen/heard both.
A quick Google reveals this:
http://news.bbc.co.uk/1/hi/programmes/radio_newsroom/1099593.stm [bbc.co.uk]
-----
Collective nouns
can be singular or plural. The only rule is: you must be consistent. "Marks and Spencer is selling a new biscuit. They say it's the best ever made" is the type of rubbish we broadcast far too often. In a sporting context, teams are alw
Re:Grammer Nazi! (Score:1, Offtopic)
Re:Grammer Nazi! (Score:1)