Meet the Botnet Hunters

An anonymous reader writes "The Washington Post is running a pretty decent story about 'Shadowserver,' one of a growing number of volunteer groups dedicated to infiltrating and disabling botnets. The story covers not only how these guys do their work but the pitfalls of bothunting as well. From the article: 'Even after the Shadowserver crew has convinced an ISP to shut down a botmaster's command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'"

Botnet Hunters!

[blinkless (835747)]

We don't need their scum.

info on botnets

[flynt (248848)]

Is there a central location that tracks the current largest botnets, what their purpose is, their communication mechanisms, etc? I googled and couldn't find much.

Botmasters will switch to distributed C&C

[putko (753330)]

Botmasters will switch to gossip-based protocols (like p2p) to achieve their goals. The good ones have done this already.

This is required for other reasons: if you have more than 10K or so bots, you are better off with a distributed mechanism.

Interestingly enough, most of the botmasters are not so technical - they wouldn't be able to comprehend virtual synchrony if it smacked them in the face.

Re:Botmasters will switch to distributed C&C

[toad3k (882007)]

What I don't understand, is if these guys can see every bot on the network, have an infected honey pot of their own, why can't they take control of the computers, tell them to pop up a "you've been infected, moron" window and format themselves? In the end it is probably better for the individual than allowing them to get keylogged etc.

Or are the backdoors they are using more sophisticated than that?

Re:Botmasters will switch to distributed C&C

[sumdumass (711423)]

I would imagine fear of the law and getting suied or thrown in jail. Not to mention poping open a window might be as unoticed as the popup wanting to increase my member size. It would take some sort of government imunity to prosecution to aviod getting getting tangled in the same laws that make computer tresspass ilegal. Maybe some program that you can sighn up with and keep detailed logs or let them keep the logs.

Now on another note, If we did allow these people to do as you say and included the "i'm doing good not evil" as an excuse, how many real attackers can use that as thier claim to inocence when they do eventualy get busted? I mean if I can avoid prosecution for poping up a windows that says your infected, I could end all my botnet attacks that way and make the window apear to be a standard popup from spyware that also effecting the computer.

I don't see why the law isn't going after these bot net people like they would if I broke into some companies mainframe and used thier computers to compile code. Maybe instead of having the ISP turn the domain off, they should alert the proper athorities (in each country involved) and see if they can get enough information to make an example of them. I doubt it would take mor ethen a couple dozen prosecutions with maximum penalties to discourage the vast majority of these net operaters form trying it in the first place.

Re:Botmasters will switch to distributed C&C

[Otto (17870)]

I would imagine fear of the law and getting suied or thrown in jail.

So, here's a clue: Don't tell anybody you did it.

I mean, really. Make a popup or something that says you've been infected to the users, or better yet, just have the bot kill itself quietly and not do anything else. No need for it to be damaging, it's enough to have the bot just stop running and kill it's own restart sequence. Voila, instant botnet death.

Hell, maybe it's a normally available patch that just hasn't been applied, in which case

Re:Botmasters will switch to distributed C&C

[plover (150551)]

Maybe [...] they should alert the proper athorities (in each country involved) and see if they can get enough information to make an example of them. I doubt it would take more then a couple dozen prosecutions with maximum penalties to discourage the vast majority of these net operaters form trying it in the first place.

From what I've seen of the chat logs of these botnet operators (interviews, news articles, etc.) they typically don't speak English-as-a-first-language, which implies they're operating out

Re:Botmasters will switch to distributed C&C

[arivanov (12034)]

For 90% of the zombies out there even if the computer screams through the speakers "You are infected moron" and displays this on screen permanently the owner will not clean it up. At best they will call Dell and tell that the spanking new PC they bought one week ago has broken speakers.

Just history repeating itself.

Nearly 14 years when I lived in a country on the other side of what used to be the iron curtain I saw one of these cases with my own eyes. Two newly fledged "politology scientists" (no comment on

Re:Botmasters will switch to distributed C&C

[diegocgteleline.es (653730)]

why can't they take control of the computers, tell them to pop up a "you've been infected, moron" window and format themselves?

Those bots "patch" the backdoors so nobody else can get in through the hole

I've done something similar

[c6gunner (950153)]

Formating the guy's HD might be a little extreme, but back when I actually used IRC, I used to get bots trying to infect me all the time. So I'd run the file, capture and analyze the packets it sends as it's connecting, then shut it down, reconnect using mIRC, and take over the botnet. From there it was a simple matter to get them to accept a script which would eradicate all the bots.

They're getting more complex these days, but the same principles still apply. Once you get one on your system, it's a simple matter to analyze it and use it to take control off, and destroy, the rest of them.

Re:I've done something similar

[plover (150551)]

Some are moving that way already. The botnet developers are beginning to realize the monetary value of their little operations, and are moving to protect their investments. There has been enough published crypto that these guys can basically drop in a secure signalling system. And one of the botnet researchers has said some are already using encrypted channels.

Others are using a "cellular" or P2P model -- instead of a central IRC-style server, the bots are chatting only with the PC that infected them. It makes rolling up a botnet and tracking it back to "node zero" very difficult.

The nice thing about the botnets (from the operators perspective) is the ease with which he can roll out updated software. Shadowcrew getting too close? New code time!

delete themselves

[by Anonymous Coward]

There should be a way to reverse engineer the clients so that they can delete themselves, I'm not exactly a botnet admin, but they have file access from what I have learned. Should they not just be able to use a friendly botnet server to tell the computers to delete the client software?

Re:delete themselves

[Soporific (595477)]

I believe you would be able to do that, however then you take on the liability of screwing up peoples machines even more or causing some other unforseen problem.

~S

Re:delete themselves

[Furp (935063)]

When you issue a command or code to cause a botnet to self destruct, you are crossing the line from greyhat hacking to blackhat hacking. You're no longer a witness. Which also makes you liable under whatever laws exist in your country of residence for hacking. Because you're gaining illicit access to their computers (the infected botnet) And accessing data (causing the botnet to self destruct)

Which is why if you're going to do botnet hunting you either get to ally yourself with law enforcement and contac

They are on the web

[9mm Censor (705379)]

www.shadowserver.org/

Bitter irony, Slashdot is thy home (or hangout...)

[The_REAL_DZA (731082)]

"...Albright sent an e-mail to the FBI including all the evidence he collected about the attack..."

Apparently, Mr. Albright doesn't frequent Slashdot [slashdot.org] or watch CNN...

Domain..

[onion2k (203094)]

In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'

Why don't the hunters register the domain for themselves? Or just ask the registrar controlling it to transfer it to their control? If the botnet owner tries to complain it's been hijacked he'd have to explain the botnet..

Great plot!

[Rob T Firefly (844560)]

This whole loose-knit bunch of humans doing their part against a force of cold, malignant bots has a great edge to it! Someone should make a movie or three [wikipedia.org] like this.

Oh, I don't know...

[Channard (693317)]

.. with all this mention of 'The Botmaster' it sounds more like a cue for a gay porn movie with a Neuromancer style theme.

Be vewy vewy quiet...

[Tackhead (54550)]

Be vewy vewy quiet! We're hunting botnets!

Buggy bot: Would you like to shut us down now or wait 'till you get home?
Daffy fuck: SHUT HIM DOWN NOW! SHUT HIM DOWN NOW!
Buggy bot: You keep out of this. He doesn't have to shut you down now.
Daffy fuck: He does SO have to shut me down now! I demand that you shut me down now. (Nyeah!)

Spammer: daffy# shutdown -now
Botnet: *reboots*

Daffy fuck: Let's read those logs again.
Buggy bot: Okay. bugbot: would you like to shut us down now or wait 'till you get home?
Daffy fuck: daffy: shut him down now
Buggy bot: bugbot: you keep out of this, he doesn't have to shut you down now
Daffy fuck: Aha! Hold it right there. DNS cacne poisoning. It's not 'he doesn't have to shut you down now, it's he doesn't have to shut me down now.' Well, I say he does have to shut me down now! So shut me down now!

Spammer: daffy# shutdown -now
Botnet: *reboots*

Secure SMTP?

[RunFatBoy.net (960072)]

So many of these Botnets are used to send SPAM. I get a gut feeling that efforts would better be expended on getting widespread adoption of a more secure, universal SMTP protocol.

-- Jim http://www.runfatboy.net/ [runfatboy.net]

Re:Secure SMTP?

[morcheeba (260908)]

That would help in detection, but what's to stop the bot from using the host-computer's credentials? Most machines are set up to send email already.

botnets remain undetected

[digitaldc (879047)]

"However, now I see how many malicious files tied to major botnets remain undetected" by the most popular anti-virus programs.

Sounds like a golden opportunity for ingenious programmers to design something to seek out and destroy these botnets, and then sell it to Microsoft for a fortune.
Another [eweek.com] botnet hunter article from eWeek.

Spyware Scanners Don't Work

[michaelhood (667393)]

FTA: "I know many users within my former organization who felt that anti-virus and spyware scanning would save them," Di Mino said. "However, now I see how many malicious files tied to major botnets remain undetected" by the most popular anti-virus programs.

This, unfortunately, is the most common viewpoint from end-users and IT alike.

It's unfortunate because it's so dangerously inaccurate. Lots (LOTS) of spyware is not detected by any of the mainstream detection applications. The best solution I've found is using HijackThis to manually remove suspicious entries, but this is hardly a feasible solution for the average user.

Re:Spyware Scanners Don't Work

[TubeSteak (669689)]

AFAIK, a program like TCPView [sysinternals.com] will show all incoming and outgoing connections to your windows box.

I pop it up from time to time just to make sure nothing odd is going on.

It's also handy because it allows you to close the connection any malicious program is making. Very very useful when the program is stealthed & won't show up in the task manager.

Re:Spyware Scanners Don't Work

[0xA (71424)]

The best solution I've found is using HijackThis to manually remove suspicious entries, but this is hardly a feasible solution for the average user.

This is part of the problem though. When someone finds an piece of malicious software they often fail to submit it the AV and anti spyware companies so definitions can be updated. I'm guilty of it myself in the past as well but we do need to be responsible community members.

Re:Spyware Scanners Don't Work

[crabpeople (720852)]

Ewido [ewido.net] and hijack this, when both run in safe mode (with networking so you can get updates), cleans them up once and for all. I have yet to encounter anything that persisted after these two steps were taken and an antivirus package was installed on the machine. Anything remaining after that point is probably a semi ligitimate (borderline adware) system service or some sort of hard to detect rootkit. At the risk of being flamed, i would recomend the Norton AV Corp 10x series from symantec. Its corportate so none of the gay activation or useless slow features and in this release they have started to detect certain spyware as viruses. Most people are turned off of symantec for there absolutely garbage horid products such as NIS. Symantec is a big company and their corporate shit has been for the most part reliable.

The most important thing is to do all this in safe mode. Most people dont even do that so what can you do?

A different approach

[laursen (36210)]

Why not simply convince the ISP's to block infected machines from accessing the internet to start with? They [the ISP's] can probably easy spot botnet traffic and could seriously stop botnets.

Just my 2 cents.

Re:A different approach

[955301 (209856)]

By mac address? Then just infect future systems with software which will try multiple mac addresses as well to get around the blocks.

Re:A different approach

[redelm (54142)]

Yes. Some ISPs do just that. SBC blocks outbound port 25 used to send spam. If you run your own sendmail, you can request it be unblocked.

This reduces the attractiveness of SBC machines to host bots. But SBC cannot block ports like 80 (HTTP), so SBCbots can still be used for DDoS.

Hey, I've seen that mentality before!

[eldavojohn (898314)]

Like lost sheep without a shepherd, the drones will continually try to reconnect...

Sounds like my sister when her cell phone cuts out.

Turn your computer off

[gatkinso (15975)]

Only a partial solution (not even really a solution), but many of the hijacked PC's are left on all night to spew their viagra spam to the net or take part in DOS attacks (or whetever the hell they do).

So... turn your computer off when you are not using it.

Hell you will even same some electricity while you are at it.

Seems like taking 8 or 9 hours out of the day for the bot to actually operate will atleast decrease some of the traffic these bots are generating.

The practice people have developed of leaving their computers on 24/7 should stop... unless of course the computer is doing something more productive than generating elaborate mazes of 3 dimensional plumbing schemes.

Re:Turn your computer off

[rob_squared (821479)]

There is a valid reason to keep your computer on continuously. And that is because of thermal expansion. Since the circuitry in a motherboard is rather small, and the same holds true for the CPU and motherboard, then the repeated heating and cooling fo these components may make them brittle and more prone to failure.

And, well, think of the CPU time wasted by not downloading from bittorrent and emule (or SETI/Folding@home for the more noble ones out there).

More information on same subject

[smooth wombat (796938)]

I don't normally check the Washington Post site but after reading the article I went to main page to see what was there. Near the bottom of the page, in a section called Security Fix, Brain Kregs had posted a story on March 9th titled 'Shadowboxing with a Bot Herder' wherein he talks about his conversation with a botnet owner called Witlog.

Besides the usual info about how many pcs he had infected (30,000 by his count), how he had done it (found software on a site) there was this bit at the end of the article from Symantec:

According to stats released this week by computer security giant Symantec Corp., the most common computer operating system found in botnets is Microsoft's Windows 2000, an OS predominantly used in business environments. Indeed, the vast majority of bots in Witlog's network were Win2K machines, and among the bots I saw were at least 40 computers owned by the Texas state government, as well as several systems on foreign government networks. At least one machine that he showed me from his botnet was located inside of a major U.S. defense contractor.

The permanent linnk for the article can be found here [washingtonpost.com].

And he didn't get a visit?

[SomeoneGotMyNick (200685)]

Let me get this straight. Summing up TFA, he found evidence of the bots, even saw persanal medical info, and turned it into the authorities WITHOUT any suspicion cast his way????

If I would have done such a good deed (and it was a good deed in my book), I'd have probably been hauled off for questioning. That's the fear as to why I don't "get involved" trying to stop these jerks myself.

Better ways to stop them...

[Otto (17870)]

First, if you can access the botnet to the degree at which this guy claims to be able to do, then you can take control of it. And with any decent botnet, you can make the things run arbitrary code. With only minor analysis of the bot, you could make the entire network self-destruct without too much difficulty. Have it kill it's own startup on reboot sequence, then have it create a new RunOnce to delete it's own executable on reboot. Then shut down or force a reboot or just pop a message up on the screen telling the user he's been infected. As soon as somebody notices they'll likely reboot and possibly install updates and patches to their bloody machine.

This is less risky than the obvious angle of simply patching the box so it can't get infected, because you know that the bot is not supposed to be running on the machine in the first place. Patching the box might go bad or have other unknown consequences, but having the bot kill itself is not nearly as bad. And by possibly informing the user of the facts, you can still scare them into patching their box. Screw shutting down the botnet owner's connection, shut down the botnet itself. Take away their tool in one swift stroke. Make 'em have to build a new one, hopefully from a whole new set of boxes.

Why the FBI doesn't act

[kilodelta (843627)]

The FBI wants there to be a minimum of $20,000 of verifiable loss before they'll even send an agent out.

I know this from having been an I.T. guy for a state prosecutors office. We had to do everything ourselves and did we ever.

An analogy..

[mattpointblank (936343)]

So in a way, these guys are the Buffy (Season One) to the Botnet's Master? They "slay" the host machine, the source of the trouble, but all the undead zombies are left lurching and crippled, waiting for someone else to lead them, who of course, eventually shows up. ... so, can someone hook me up with the main Shadowserver girl?

Great fun for geek kids!

[by Anonymous Coward]

I used to do that back in the day.

1> Search for EXE's off the latest P2P network or skulk around in some IRC channel until a some chap offers it to you.

2> Take apart that self-extracting zip and look through the mirc script.

3> Work out where they're sending there zombies. Masquerade as a bot for a bit.

4> Figure out a way to issue commands to the bots if possible.

5> Figure out a generic command to issue that stops the bodged mirc from launching or removes it outright.

6> Send it and laugh l

Sad...but true.

[RagingFuryBlack (956453)]

"Anything you submit to law enforcement may help later if an investigation occurs," he said. "Chances are, though, it will just be filed away in a database."

I'm forced to wonder here. Why exactly won't Law Enforcement take care of a case that they're handed? I mean, last time I checked, someone handing you your entire case takes no effort whatsoever to investigate. If you take down some of these botmasters, you may see alot of people start backing off as they'll realise that people committing the crime

Re:Sad...but true.

[CagedBear (902435)]

They said it in the article. Data handed to the fuzz by a civilian isn't admissible before a judge. They can only use the information to aid in launching their own investigation, which of course requires resources.

Unusual, but Not Impossible

[Quantam (870027)]

A few months ago, Taylor became obsessed with tracking a rather unusual botnet consisting of computers running Mac OS X and Linux operating systems.

As that means that there a large numbers of breachable OS X and Linux machines out there, that pretty much puts to death the myth that OS X and Linux are sufficiently secure out of the box.

Not Probable

[Absentminded-Artist (560582)]

I call Bull Puckies. What botnet? Why haven't we heard of it? You think the currently anti-Mac press would pass up a chance to herald OS X botnets as a failure of OS X security? Or even Linux? ZDnet New Zealand would personally wet themselves over this story. I think it's part of their reason for being to blast Apple every chance they can get. And yet we hear nothing.

I took the liberty to scan through www.shadowserver.org's RSS feeds for any news on OS X botnets and all I could find were mentions of the sa

Don't kid yourself. Security needs some paranoia!

[wild_berry (448019)]

A bit of googling [google.co.uk] finds a comment attributed to David Taylor at http://blog.washingtonpost.com/securityfix/2005/10 /it_must_be_zombie_season.html [washingtonpost.com]. It spreads by making use of a PHP vulnerability, so may have be harmful to OSX systems too.

This blog post [blogspot.com] identifies a bot called Q8 for Linux/Unix systems. Honeynet's paper on bots (http://www.honeynet.org/papers/bots/ [honeynet.org]) says:

Q8bot is a very small bot, consisting of only 926 lines of C-code. And it has one additional noteworthiness: It's written for Unix/Linux

How to fix this easily

[JustNiz (692889)]

There needs to be more accountability/traceability in order to register a domain. You should have to prove ID etc. so that if your domain is clearly a botmaster then the authorities can find you in person easily and nail your ass.

from one who works with shadowserver

[app13b0y (767720)]

I've been working with the shadowserver group for a while now and can say that it has been very interesting. to give some facts on the project

SS == shadowserver

* SS rarely shuts down botnets asap, but rather waits to see if they can figure out who the owner is, and several arrests have been made because of this.

* there has been talk on what is going to happen when the botnets switch to a different method other than irc. for more information, search for the botnet mailing list hosted by whitestar

* most of the trojans are found by running nepenthes

* SS has a HUGE repository of botnet scripts and C&C information.

* SS could always use more contacts with ISPs, domain registrars, and foreign LEAs. (we're in #shadowserver on freenode)

* botnets aren't the only thing we've been tracking (you'll see what I'm talking about in the news later)

Re:Danger, Will Robinson

[Tweekster (949766)]

oh no a pimply faced "mobster" might come after you.... give me a break

Re:Danger, Will Robinson

[Zak3056 (69287)]

Nice until they run into a mobster-botmaster with a gun.
This is a task for the government, not for pimpled nerds.

Someone needs to be doing it, and the story indicates that government just isn't interested in this--and even if they are, they can't seem to successfully prosecute. The end of the article really jumped out at me:

"Our data can't be used to gather a warrant," Albright said. "Law enforcement has to view the traffic first hand, and they are limited on what and when they can view."

How can there be any legal barriers here? Is this supposed to be some twisted view of the 4th amendment?

Re:Interesting Deal

[[Arkan] (24212)]

Would you have RTFineA, you'd have noted the following:

"A few months ago, Taylor became obsessed with tracking a rather unusual botnet consisting of computers running Mac OS X and Linux operating systems."

I bet that your plan for security through statistics isn't looking good.

The final and ultimate answer to bots, spyware and such is knowledgeable users. I've been called an extremist when advocating a few years ago for a mandatory licence to get the right to connect a home PC to Internet, and I still think

Re:ISPs "Detect & Destroy"?

[99BottlesOfBeerInMyF (813746)]

So why don't ISPs simply write software to allow them to detect and automatically disconnect BOTs?

Most major ISPs have software that can pretty much do that. I'm looking at some of it right now in another tab of my browser. The problems are operationalizing it so that it is not too expensive. The support costs for a couple hundred thousand calls asking why they've been shut off and how to go about fixing it and then confirming that it has been done would be very high. Maybe some big players could partner with another company. Get your PC cleaned, patched, and certified and we'll turn your internet back on. The problem with this is there are still a lot of old Windows boxes out there. No security patches are available. A new Windows OS is expensive and won't run on the machine anyway. So the ISP might save a little on transit, but they lose a boatload of customers and the steady revenue those customers provide.

Now some ISPs have plans to implement a notification of compromised machines with an automated system. It may help the problem and the ISP can bill it as a feature. But that is just one more escalation in the arms race. Next bots will be stealthy, mimicking other machines on the subnet, or just sending encrypted tunnels. Anyway, the short answer to your question is "money."