Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security The Internet IT

Hunting for Botnet Command and Controls 228

Uky writes "Convinced that the recent upswing in virus and Trojan attacks is directly linked to the creation of botnets for nefarious purposes, a group of high-profile security researchers is fighting back, vigilante-style. The objective of the group, which operates on closed, invite-only mailing lists, is to pinpoint and ultimately disable the C&C (command-and-control) infrastructure that sends instructions to millions of zombie drone machines hijacked by malicious hackers." From the article: "Using data from IP flows passing through routers and reverse-engineering tools to peek under the hood of new Trojans, Thompson said the researchers are able to figure out how the botnet owner sends instructions to the compromised machines."
This discussion has been archived. No new comments can be posted.

Hunting for Botnet Command and Controls

Comments Filter:
  • Botnet (Score:3, Funny)

    by TimeTraveler1884 ( 832874 ) on Sunday June 19, 2005 @05:29PM (#12858505)
    Now only if they could do this with Skynet, we might just be able to postpone Judgement Day another 6 years.

  • by Elshar ( 232380 ) <elshar@[ ]il.com ['gma' in gap]> on Sunday June 19, 2005 @05:32PM (#12858523) Journal
    Easiest way is to create a small IRC network, and submit the name to all the irc clients out there, so it'll be in the list. Also, name it something so it appears at the top or near the top...

    To inflate user counts, just get an ircd that allows assigning yourself or others fake hostnames (for certain hosts/etc). Then load tons of bots in channels pretending to be 'users'. You could even get creative and make them idely chatter with each other..

    Anyways, the point is that most of these botnet peoples eventually want to take a part of their net out to go mess with irc channels, and they usually seem to target smaller networks on the top of whatever list they're using.. So all ya gotta do if just log massive joins into certain channels, or when a flood of users magically connect to your fake network.. Then you have tons of bots to dissect or whatever.
    • Finding them really is not the problem. Opers have nice tools/services for that (at least on some big networks), drone connection/channel detection notices scrolling by as fast as you can read...
      It's the dissecting and cleaning part that's hard, and getting harder and harder as kiddies are getting "smarter".
    • Nice idea, but you're ~2 years late.
      Modern spam zombies use p2p network to send messages back and forth, they aren't controlled from centralized irc servers anymore.

      The article discusses decoding the control messages sent between the bots in their own network, and how to take control of them, and possibly shutting them down.
      • > Modern spam zombies use p2p network to send messages back and forth, they aren't controlled from centralized irc servers anymore.

        That's exceedingly hard to get working properly, which is probably why it's still not a very common behaviour. In my experience, most of the botnets still seem to be controlled by a central IRC server, albeit they tend to use hacked up ircds that provide only the minimal functionality required (with little in the way of informational messages), making it hard to get much inf
    • Then load tons of bots in channels pretending to be 'users'. You could even get creative and make them idely chatter with each other..

      I... kinda feel someone already did this. It would explain the behavior in some irc networks.
    • Also, if you happen into a trojan'd script it's pretty easy to disect it and figure out how to control the zombies. I managed to find a zombie channel with 300 people on it. It took two days for my script to have their scripts delete the scripts and unload them with all the stragglers. Not that it every happened for legal purposes mind you. But, that was years ago. I doubt there are many large bot nets around today on IRC. Too centralized. Too easy to crush. Also, I'd say anything compiled and run would be

  • C&C attacks are the staple of today's military. An organized, centralized effort should do wonders for laying waste to the economic value (and motivation) behind such behavior.
    • by CrazyJim1 ( 809850 ) on Sunday June 19, 2005 @05:48PM (#12858634) Journal
      C&C attacks are the staple of today's military. An organized, centralized effort should do wonders for laying waste to the economic value (and motivation) behind such behavior.

      The best way to lay waste to someone's economic power in C&C is to destroy their harvesters. Make sure not to send infantry units because they'll suffer tiberium poisoning, or merely be run over by the harvester. Another great way to wreak havoc is to send the engineer into the harvesting facility as the harvester is unloading, you'll get the building, harvester and the tiberium thats being unloaded at the time. Of course, many believe engineering cheese is the cheap way to play C&C, but of course there are too many cheesy plays to count in that game. I suggest you play something like Starcraft. Or Starcraft2, which I have a chance of actually helping with.

      • I play Civilization II (yes, I am old, deal with it) and the computer players are easily fooled - don't place cities where the best resources are, place them on mountains with resources at their backs and the provoke, provoke, provoke - war costs nothing from a mountain top until armor is developed.
    • The trouble with cutting off the head is that you end up with a perfectly good army just waiting for a suitable leader to come along... and we all saw how well that worked for Yoda.

      The computers that form the botnet are still compromised and are still just as dangerous. If they have a hard-coded IP address to receive instructions from the vigilantes can make sure that IP address doesn't issue instructions but if the instructions are received in a less centralised way then I can't see how they could stop t
    • The proper acronym for command and control is C2. Not C&C. Add comunications to that and you get C3. Add computers to that and you get C4. Add intelligence to that and you get C4i.
  • by reporter ( 666905 ) on Sunday June 19, 2005 @05:33PM (#12858532) Homepage
    "Using data from IP flows passing through routers and reverse-engineering tools to peek under the hood of new Trojans, Thompson said the researchers are able to figure out how the botnet owner sends instructions to the compromised machines."

    When the security "experts" are busy looking at all the data passing through routers, who is busy ensuring that the "experts" will not violate my privacy by reading the personal but sensitive e-mail notes that I send to my friends and associates?

    In other words, when the "experts" are protecting me from the hackers, who is protecting me from the "experts"?

    • by TCM ( 130219 ) on Sunday June 19, 2005 @05:34PM (#12858543)
      When the security "experts" are busy looking at all the data passing through routers, who is busy ensuring that the "experts" will not violate my privacy by reading the personal but sensitive e-mail notes that I send to my friends and associates?

      You, by encrypting them.
    • by wcdw ( 179126 ) on Sunday June 19, 2005 @05:39PM (#12858578) Homepage
      At every company/ISP there are people who have the ability, and regularly do, delve into the data streams flowing through the routers. And yes, sometimes they read your letter to Aunt Martha (or worse).

      Mostly the volume of data involved is so large that trying to monitor it without filtering for the items of interest is usually impossible. And that filter is your best defense, in this particular situation.

      Unless, of course, you're sending Aunt Martha that e-mail over IRC....
      • Long, long ago, at a now defunct provider, there was this long haired hacker type. This was back when everyone was on dialup in the mid nineties and ISPs still had hubs in their core. He dug a bit into the CuSeeMe protocols and made an 'observer'. There were people running a video stream on that ISP and chat via AOL with a second modem for purposes which I now blush to recall ... you can DL 10x worse these days, but it was quite a shock in 1995.

    • by justforaday ( 560408 ) on Sunday June 19, 2005 @05:40PM (#12858584)
      Does it come as a surprise to you that people that have access to routers can sniff your packets?
      • It should. There are wiretapping laws against this. It's no different than the phone company listening in on your conversations.
      • I'd say the grandparent poster is aware of this, but just wanted to take advantage of the opportunity to bitch about his privacy since it got him a guaranteed +5 Insightful on Slashdot.
    • by deep44 ( 891922 ) on Sunday June 19, 2005 @05:52PM (#12858650)
      When the security "experts" are busy looking at all the data passing through routers, who is busy ensuring that the "experts" will not violate my privacy by reading the personal but sensitive e-mail notes that I send to my friends and associates?
      Umm.. they're not looking at "all the data passing through routers". Flow data is a sampling of information (source, dest, proto, port, etc) from a designated collection point. Even without the actual "data" portion of the packet, it's impractical to collect anything more than a small percentage of the total traffic.

      So you can put the gun down- your privacy is safe.
    • You bring up a reasonable concern.

      However, when you click SEND from whatever email client you use, you are essentially flinging a postcard out of your 10th story window.

      Said postcard contains:

      _

      *your sensitive information* | Address of your friend/associate

      P.S. If you are not the intended recipient, please give me to someone else closer to the address.

      _

      If you are truly concerned about some "expert" taking the time to read whatever it is that you have to say to a friend, or associate, then you shoul

    • What sort of things are you discussing with your friends and associates? Are you talking about penises, scrotums and vaginas? Well, are you?

      Seriously, you need to protect yourself. Don't depend on others to protect you while you're on the Internet. That's why you do certain things like not running Windows, run a solid, well-tested Linux or *BSD firewall, and practice encryption of all of your communication. The power of the Internet includes many responsibilities: one of those responsibilities is to ensure
    • by puzzled ( 12525 ) on Sunday June 19, 2005 @06:28PM (#12858836) Journal

      I've owned a couple of ISPs and I currently do service for a regional provider. If I cared to look I could see everything - your best defense is the same reason that you don't get dates - what you do is just not that interesting to anyone else.
      • Ouch!

        Wish I could mod this "a little too close to home."

        *grin*

        • I learned some years ago that church goin' Iowa corn farmers will have subscriptions to chickswithdicks.com. You see that, you convince yourself you're not seeing things, and then ... well ... you learn to not look.

          The boredom comment was as much of a dig as the real truth, I'm not joking even a little bit when I say I don't want to know what turns other people on ...

      • your best defense is the same reason that you don't get dates - what you do is just not that interesting to anyone else.

        This is drifting off topic, but I am coming to feel you hinted at something fairly interesting to bring up. Big Windows networks are boring, to the point where it's uninteresting to hack them and/or 'dig around' to see what's there.

        At my last job, the network was a big old-school conglomerate. There were Solaris, Netware, OS2 Warp (!), and Windows NT servers all mixed together on a s
    • I know people who do this kind of botnet tracing, they are looking at flow data, which is NOT the actual packets for most of their hunting.. they look for patterns in the flows, which are basicaly source/destination IP and ports, and protocols.
    • Having worked on very large networks, you can tap feeds where millions of emails go by per hour, do you really think anybody is going to take the time to track down your email? The key word in that quote is flows if you are going to try and get anything useful out of high speed links something like NetFlow [cisco.com] is one of the best ways. Botnets are very easy to track this way as you are looking for lots of sources contacting a few destinations. There are not alot of systems on the network that maintain tens of
    • In other words, when the "experts" are protecting me from the hackers, who is protecting me from the "experts"?

      Me. I use data from IP flows passing through routers to reverse-engineer their closed, invite-only mailing lists, to ensure they're not snooping on anyone's e-mail.
  • pessimistic (Score:5, Insightful)

    by moz25 ( 262020 ) on Sunday June 19, 2005 @05:33PM (#12858537) Homepage
    So is this news something to be pessimistic about or what? As I understand it, without vigilantes botnets would be even more "unstoppable" than they are now. It's cool that they're mitigating it, but it really comes down to getting some cooperation going on multiple levels... starting with the ISPs acting more against outgoing malicious traffic for a start.
    • Re:pessimistic (Score:2, Insightful)

      by Anonymous Coward
      The ISPs need to act, certainly, but people need to be educated to secure their computers against these worms. It isn't easy, but it can be done. It'll take lots of work, and progress will be extremely slow, but we, yes we, are the people to do it.

      What do I mean? Well, we all know that there are plenty of good, free security tools out there, from antivirus programs, antispyware programs, and firewalls. CDs are dirt cheap, and every person reading this probably has a few hundred lying around. Everyone
  • by Alascom ( 95042 ) on Sunday June 19, 2005 @05:35PM (#12858549)
    The problem isn't botnets, the problem is people and systems. The only reason botnets exist is due to the fact that current software is engineered without much thought toward security, and vendor supplied patches are not applied. Shutting down a botnet is at most only minimally worth the effort as the hosts are still vulnerable to be aquired by the next virus that comes around.

    The only solution is secure software engineering and prompt, reliable patching.
    • by sweetooth ( 21075 ) on Sunday June 19, 2005 @05:45PM (#12858616) Homepage
      and until then we'll just let the botnets run rampant....

      Unfortunately that's not a very good solution. While creating more secure software from the ground up is definately thew ay to go for the future you have to have some plan to deal with the current problems. Keep in mind that the vast majority of people aren't going to upgrade to the latest and greatest OS, web browser, or whatever if thier existing one works. So even after you've got more secure computing solutions out there you have to convince people it's worth the time and more specifically, cost, of upgrading.
      • So even after you've got more secure computing solutions out there you have to convince people it's worth the time and more specifically, cost, of upgrading.

        OR use the botnet command and control centre to command the bots to upgrade themselves...

        Just make sure to use the CONTROL centre and not the KAOS one.

    • This approach is even less effective than that.

      All they are doing is shutting down a rogue IRC channel. The boss merely has to switch to a new one. It probably takes about 5 seconds of effort.

      But they have to do something.
    • Yes, the less vulnerable systems there are, the harder it is to create a botnet, and the less effective the DoS attacks.

      Personally, I'm in favour of some sort of simple built-in software DRM that by default only lets 'certified' executables run, and obviously can be turned off by people who know what they're doing.
  • it's great that industry, when faced with a lack of effort from the law and legislature, has the will and wherewithal to go after the scumbags. it's a great first step to show policymakers how much of a concern this is to internet security.
    • Re:kudos (Score:3, Insightful)

      The main reason for this is that nobody in power has been afflicted by this.

      The moment one of these BotNet's decides to DDOS the servers at the capitol building or start attacking other aspects of the US internet infrastructure, your congressman isn't going to give a shit.

      The internet and the laws governing it are the wildwest at the moment. Some corners have very strong laws, other corners have none. However, if I remember it was the vigilantes who took care of the areas that strong law hadn't come int
    • it's great that industry, when faced with a lack of effort from the law and legislature, has the will and wherewithal to go after the scumbags

      I can only imagine the wailing and gnashing of teeth that you'd hear from the /. crowd if we fonud out that government agencies (rather than the private sector) was doing something about this. The need to poke around in the traffic to see what's coming and going is central to finding the C&Cs, but that very poking around, when done by NSA, or DOJ, etc., causes
  • Told Ya So (Score:2, Interesting)

    by Anonymous Coward
    Internet ages ago, when DDOS was hot and researchers all concentrated on that threat, I tried to tell them that DDOS is nothing. Stuart and the others wrote their paper and based the threat on DDOS which influences computer security research even today. I predicted what is now called botnets would be the more frightening destination of the DDOS train. I didn't catch that IRC would be the covert channel of choice (not very covert). HTTPS seemed much more likely to me - net admins expect to see https tr
  • by dyftm ( 880762 ) on Sunday June 19, 2005 @05:45PM (#12858614)
    What would be really interesting is if using a combination of honeypot PCs (to match trojans to controllers) and the commands used to control the botnets, these vigilantes could make the zombified PCs download and run a cleaning tool to rid themselves of the trojan.
    • If you are going down that road, then you would have to simply go ahead and do it, which makes you no different than the scum that put it there in the first place in the eyes of the law. Now, in theory, you could pop up a message that says "Your PC has been compromised... You need to do X, Y & Z." and be safe from the law. The snag is that most of the people whose PCs are members of botnets are probably the same ones who are used to seeing pop-ups of that form telling them to do and drop $30 on some
    • Which is exactly what *does* happen a lot. This is a "hobby" of many "vigilantes"
      Some drones have builtin uninstall commands, others have commands to download and execute programs, so cleaners are written.
      But the drones are getting more and more advanced, builtin uninstall commands are getting more rare... it is clearly a battle that can not be won if only fought this way.
    • the idea is to figure out where the masters come from or better yet, what the commands look like.... then program the router to drop those packets. That effectively cuts the masters off wherever they may be! This is grey-hat BOFH stuff at it's best!
  • What causes botnets? (Score:2, Interesting)

    by Anonymous Coward
    Well, obviously script kiddies with the malice and idiocy to create them. But also, the end users ... the people who irresponsibly leave their machine open to the 'net, get 0wned, and then contribute to whatever DoS is going on.
    These end users just *don't care*. Because, although their owned boxen are f-ing with the rest of the internet, it doesn't affect them - a selfish luser attitude, why should they bother virus/trojan scanning their boxen?
    I wish ISPs would hold the lusers (criminally) responsible for t
    • Seriously, without serious network software how could a normal user even prove they WEREN'T hacked... more than that, are there ANY tools that let networks REQUEST users to modify behavior... not the BOFH type "pull the plug" but responsible tools that monitor the connection quality and report back things that are suspecious so the user can fix them?

      It'd be a great OSS project and a great firefox plugin!!

    • by Anonymous Coward
      wish ISPs would hold the lusers (criminally) responsible for this.

      You want to throw my mother in the slammer?

      You're not nice at all.
    • I really don't think it should be a criminal offense... that would overcrowd an already overcrowded prison system with more people whose crimes were of a dubious nature.
      however, it should be treated the same as a minor traffic offense. you don't secure your computer and your isp catches you? you have to take a computer proficiency class.
    • No wonder you posted that as AC.

      Joe Sixpack doesn't consider it "irresponsible" to connect his machine to the net without a firewall. Infact he probably doesn't even know what a firewall is.

      If you're looking for someone to blame, look no further than Microsoft for having everyone run as admin and leaving several easily-exploitable ports open by default on every version of Windows up to XP SP2.

      By the way just as a reminder - botnets originally entered the limelight after scriptkiddies on IRC networks star
  • Good for them. (Score:5, Interesting)

    by deacon ( 40533 ) on Sunday June 19, 2005 @05:52PM (#12858649) Journal
    From the FAS:

    a group of high-profile security researchers is fighting back, vigilante-style.

    This emotionally laden language has been deliberately chosen to make it sound like this activty is a "bad thing [tm]"

    I truly believe it is the duty of every person to fight against clearly evil activity.

    This includes a mugger hitting an old lady, a middle age man trying to drag a pre-teen girl (or boy) in to a car idiling in the street, and a person trying to kick in the door of the elderly couple down the street.

    If the people disabling bot-nets make every effort to be certain they do not harm innocent or uninvolved people (and the standard here is very high), then they are doing a public service. (if they take the attitude, like some "anti-spam" people, of -> 'kill them all, let God sort them out, they are just assholes with very, very small peckers')

    Those who believe the gub'mint is going to be johnny on the spot to fix all your boo-boos are sadly misguided: there is neither the manpower or the reaction time to fix everything "bad" in the world. That depends on YOU.

    • Not forgetting "happy slapping".
    • Re:Good for them. (Score:3, Insightful)

      by muzzmac ( 554127 )
      A quote from "A man for all Seasons" quite relevant to this comment I thought.

      More: There is no law against that.

      Roper: There is! God's law!

      More: Then God can arrest him.

      Roper: Sophistication upon sophistication.

      More: No, sheer simplicity. The law, Roper, the law. I know what's legal not what's right. And I'll stick to what's legal.

      Roper: Then you set man's law above God's!

      More: No, far below; but let me draw your attention to a fact - I'm not God. The currents and eddies of right and wrong, which yo
  • I'm wondering why they aren't telling bots to self-destruct? It seems pretty obvious to me that the C&C structures could reform fluidly as you take them down? A Black hat has a list of his bots, if you nuke his IRC channel, he just spawns a new one, or moves to a new IRC network...

    But if instead you tell all his bots to wipe themselves out, he's got to buy new ones. Yes those machines will surely get reinfected within a few days/weeks, but it will throw a much bigger wrench in the works.

    How is this
    • Wipe themselves out how? They probably don't have self-destruct routines,
      1. Its more code weight, harder to transport, run, and create.
      2. The bot virus writers have probably read the villiany HOWTO which advises against installing a self-destruct device because invariably the hero will use it as a very easy means to destroy the superweapon.
      • If these bots have any kind of generalized means to execute commands on the local machine, there should be a way to force them to self destruct.

        Bot flexibility is presumably valuable, giving their owners the ability to upgrade them in unforseen ways.
      • Actually you are wrong. Many of the pieces of malware I have reverse engineered have had a "self-destruct" mechanism built in which basically just deleted the exe and any registry entries associated with starting the malware. Not exactly massive amounts of code...

        As soon as you find the magic word to make the bots respond to you (which can be difficult at times, some of the malware writers are pretty sneaky) shutting a botnet down can be as simple as logging into the irc server and appropriate channel an
  • by capedgirardeau ( 531367 ) on Sunday June 19, 2005 @06:06PM (#12858718)
    I can't find it on his site, but the guy who runs DShield was under a DDOS attack a few years ago and he managed to crack into the IRC channel the attacker used to control his bot network.

    Apparently the attacker about crapped his drawers when instead of the usual bot replies to his commands an actual person started talking to him in his IRC channel.

    http://dshield.org/ [dshield.org]

  • by droopycom ( 470921 ) on Sunday June 19, 2005 @06:06PM (#12858723)
    ... fighting back the internet scumbags all over the planet, vigilante style...

    Now if they could just have a cool name, we could have a new hit superheroes movie for this summer.

    Any suggestion anyone ?
    - The League of Net Shadows
    - The League of Extraordinay Nerds
    - The Fantastic Fourty

    Come on give me something better ...

  • by argStyopa ( 232550 ) on Sunday June 19, 2005 @06:09PM (#12858738) Journal
    So, how is this different from a "Star Chamber"?

    I'd be interested to see how many people in /. who might applaud this pro-active white-hattery, who simultaneously strenuously object to the US Patriot act which is pretty much just allowing the government to do the same thing in real life?
    • So, how is this different from a "Star Chamber"?

      Um, it's not a government body?

      Boring stuff like they can be charged with crimes, you can sue the group, etc.


    • This is nothing like a Star Chamber -- The little script kiddies aren't being rounded up and killed (although maybe that'd send a nice message).

      I'm just kicking them off my DNS network and when I can alert the ISPs of infected zombies and C&Cs then all the better. When there is information to hand over to LE then I try to do that. A lot of this abuse now deals with phishing and other financially driven motives and so having a strong working relationship with LE is essential. Vigilantes don't have
  • C&C? (Score:3, Insightful)

    by VStrider ( 787148 ) <<giannis_mz> <at> <yahoo.co.uk>> on Sunday June 19, 2005 @06:55PM (#12858975)
    I thought there was no such thing as a central C&C on botnets. An infected pc, can be a member of many botnets. Today a pc is doing the bidding of joe hax0r, tomorrow is doing the bidding of billy rox0r. Even if you shut down one C&C, the thousands of infected pcs, remain infected and ready to join another botnet.

    The only sollution is user education.
    • The only solution is user education.

      You obviously don't have anything to do with end user support in your line of work. I've got the same people asking the same questions all the time. They don't want to be bothered to learn how to do anything on a computer other than the absolute minimum knowledge they need to get things done for work or school. There are millions of people out there who don't know anything more than how to turn their computers on and off, and use the basic features of Word, IE, and Outl
    • Re:C&C? (Score:4, Interesting)

      by sbma44 ( 694130 ) on Sunday June 19, 2005 @08:31PM (#12859481)
      I thought there was no such thing as a central C&C on botnets. An infected pc, can be a member of many botnets.

      Yes, but there'll be one trojan per botnet. Script kiddies don't like to share, and in fact the current trend is supposedly groups assembling botnets and then auctioning off their services to spammers. Given that, you can see why the botnet "owner" wouldn't want to allow access to other evildoers.

    • The only sollution is user education.

      We're doomed.

  • by Anonymous Coward on Sunday June 19, 2005 @07:02PM (#12859012)
    Using data from IP flows passing through routers and reverse-engineering tools to peek under the hood of new Trojans, Thompson said the researchers are able to figure out how the botnet owner sends instructions to the compromised machines.

    This is a blatant violation of the trojans' EULAs if I ever saw one. The authors put a lot of work into writing those trojans. What gives "security researchers" such a sense of entitlement to that code? If they want to analyze malware, they should write their own!

  • Anti-anti-botnet (Score:3, Informative)

    by John Jorsett ( 171560 ) on Sunday June 19, 2005 @07:52PM (#12859261)
    Once the head goes, that botnet is largely useless," said Roger Thompson, director of malicious content research at Computer Associates International Inc.

    If I were a Blackhat, my counter to this would be to have the members of the botnet relay my commands among themselves like a telephone relay tree where one person calls 5 who each then call 5 who each then ... To find Mr. Big, you'd have to find the headwaters of the stream, which would be a difficult task.

    • Re:Anti-anti-botnet (Score:4, Interesting)

      by irc.goatse.cx troll ( 593289 ) on Sunday June 19, 2005 @10:48PM (#12860126) Journal
      No point in treeing it, trees lead to an origin too easily. Cell-style works so much better. Each peer has to discover eachother (Start with the machine that infected it, get the current list of peers from it. randomly ping each peer to see if one drops off, if so send a hint to your other peers. All hints only cause verification, not actually removing. Same for adding new peers this way.
      Controlling it is then a matter of keysigned commands. All commands are timestamped to be unique(so you can easily discard duplicate messages), and is verified with the public key. The only way you can be exposed at the leader is if you get caught with the private key.
  • Sounds like a new spin on something Steve Gibson did a few years [grc.com] ago. Very interesting read.
  • by Mercury2k ( 133466 ) on Sunday June 19, 2005 @10:42PM (#12860091)
    Hey guys. Just thought that I would put my $0.02 in.

    I am not into botnets anymore, but like most here prolly', I started my internet life on irc. And anyone else who grew up on non dalnet like servers with chan services knows that being on a network without them can be a pain. Especially when smacktards show up for the day ;)

    Anyways, knowing a bit about bot's and botnets, I would say that it shouldnt be too hard to take some down. Being irc based, plain text would be one problem. But if you have access to a machine infected, encryption would be pointless since you could just debug the program and find out what it 's protocol is anyways. I think one big issue that was hinted at in one of the above posts was that you should be able to use an infected machine to "take over" the botnet. Well, things dont work that way. For those of you that havent run one or used one before, I will give you a rough idea of what the ones in my day (1.1.15 or so IIRC).

    A botnet is basically a shell like environment similar to say a bash shell or a dos prompt. ie: its all text commands using plain ol' ascii. Commands generally start with a ".", like ".help". The botnet also has security systems in place (ie: users with passwords etc) that define who can dcc chat the bot directly, use its !channel commands on irc etc. The eggdrop (sorry, yes, im refering to eggdrop's specifically) bot also has the ability to link multiple bots togethere to form a big "botnet". The is all of course done with special bot accounts with unique passwords.

    The reason you cant just take one over (despite it probably being a modified version of this system of bot), is because the other bots are probably only allowed to "take orders" from a specific machine or user. Although for simiplicity sake, I would imagine its just a user and password combo to prevent any traceable information from being gleamed over the botnet traffic. Dont forget to that the botnet would be point to point and most of the traffic would only be coming from a single location (which you would have to find out from a comprimised machine).

    In the end, I see the biggest problem in finding the zombies being, how do you tell when a machines infected if the virus tries the best it can to hide itself from non-forensic integrity checking tools. But, over the years I can see software taking a turn to being better checked for authenticity and integrity etc. Once we hit that point, botnets would probably start to disappear. Also consider that the machines themselevs will go offline and be replaced by newer ones that arent suceptable to the same malicious code. This at least forces them to keep active. And keeping them active helps you trace them.

    Anyways, hope you had a fun read. Not worth previewing this one, l8r.
  • by josh3736 ( 745265 ) on Monday June 20, 2005 @01:31AM (#12860760) Homepage
    If I were a blackhat, my botnet would run thusly:

    The bots would be connected to their own P2P-ish system. Commands would be passed around the network in a method similar to searches in Gnutella.

    All commands would by signed by my private key. My bots would all have my public key. This, I would be *the only person* who could issue valid commands to my botnet.

    This would make it impossible to tell where the commands are coming from since the originator would look just like another bot on the network.

Solutions are obvious if one only has the optical power to observe them over the horizon. -- K.A. Arsdall

Working...