Searching for Botnet Command & Controls

Orange Eater writes "eWeek has a story about a group of high-profile security researchers intensifying the search for the command-and-control infrastructure used to power botnets for malicious use. The idea is to open up a new reporting mechanism for ISPs and IT administrators to report botnet activity." From the article: "Operating under the theory that if you kill the head, the body will follow, a group of high-profile security researchers is ramping up efforts to find and disable the command-and-control infrastructure that powers millions of zombie drone machines, or bots, hijacked by malicious hackers."

This'll surely stop them, or not.

As soon as they start tracking down the web controlled and irc controlled nets, they'll move to gnutella style distributed control systems and i2p style networks of bots. Good luck tracking one of those to it's source. Onion routing anyone?

Query string

Just filter traffic looking for the string "Sarah Connor".

What I don't understand

Are all botnet operators dumb? There's a whole heap of things botnet operators could do to insulate themselves and their networks from attack. Examples:

• Make the zombies accept commands from messages using asymmetric encryption. Sign your commands and use stenography to hide them in spam/Usenet/websites/images.
• Make a P2P network divided into "cells". Have zombies only communicate with five other zombies, relaying commands amongst themselves. If one zombie goes quiet, the zombies talking to it transmit a "compromised" message to their other contacts and disable themselves, finally nuking the hard-drive.
• Listen to existing network chatter. Bots are harder to detect if they are hidden inside existing communication. Wait until the user sends an email before sending spam for the first time, so if they have a personal firewall installed, chances are, they'll approve your bot, at which point you can send with impunity. Furthermore, you'll have their smarthost address.

Those are just off the top of my head, I'm sure if it was my actual job to operate a botnet I could come up with something far more sophisticated. So why don't botnet operaters do this? Are they all dumb?

Re:What I don't understand

Zombies you say? Well, I suppose it depends on the type of zombie. If they are Night of the Living Dead style zombies, then removing the head will indeed kill them. However, if they are Return of the Living Dead type, clearly you need to burn the entire botnet. Of course, the ashy packets would then spread to neighboring datacenters and there'd be hell to pay.

Re:What I don't understand

They don't do it because they don't have to. The goal is to maintain control over a large number of machines. Currently, the barrier to entry in this market is pretty low. If many of the control nodes are taken out, the botnet operators will change their methods to be more resilient.

Botnets are about numbers of machines. Destroying a node (ie, formatting the hard drive) lowers the number of machines. As long as the rate of compromise is greater than the rate of attrition, the botnet will continue to grow and that is good. In this case, doing harm to users is bad business for the botnet operators. Anyway, setting up the botnet as a series of cells means that any cell being compromised has a limited impact.

I don't assume that computer criminals are dumb. A single felony conviction for youthful stupidity can prevent an otherwise talented technical person from getting any job in many large companies. Organized crime doesn't discriminate against these people and can pay pretty well. There are a lot of security experts who are in their roles today because they never got caught and prosecuted for some of the things they did in the past.

I first heard of the idea of using spam as a communication medium 3-4 years ago. I wouldn't be surprised if this is already being done. There's so much spam that finding a signal in all that noise would be difficult. Unless you knew exactly what you were looking for, you wouldn't be likely to find it.

Good luck

As someone who has intimate knowledge about hijacking computers (i have plenty of friends from my ..er.. darker days), a lot of these botnet creators employ "features" such as port knocking and stealth commands (may appear as a simple https response) which are usually encrypted. You may be able to stop the sloppy botnets, but I can tell you now that this is not an easy problem to stop nor a friendly society to penetrate. And as a previous poster foreshadowed, a lot of them are already distributed due to the ease of shutting down a headnode. Botnet creators constantly evolve, how do you think they became so elaborate today?

Re:Good luck

a lot of these botnet creators employ "features" such as

Typical security theatre from people who just don't know much about security. None of those things will accomplish anything, because it's the same old DRM problem - if it has to run on the target host, then the person controlling that host can analyse it, reverse engineer it, and discover how it works. Having done that they can defeat it. It doesn't matter how much you encrypt or hide the communication between the loser running the botnet and the infected host - that host can be 'compromised' by a person with physical access.

Of course, if something like Palladium ever became a reality, this would no longer be the case, which would be the security disaster everybody has been warning about.

Also, anonymising systems like freenet are designed specifically to protect the identity of the person inserting information, so it's not necessarily possible to track down the one controlling the botnet.

But it is very easy to defeat security theatre like port knocking and 'stealth' commands. We are always going to know precisely what the infected host is doing in one of these things.

None of that matters though. While it could be effective in the short term to track these people back from the infected hosts, it's far more realistic to track them forwards from their clients. Money is much easier to follow.

What is ..?

This: "yvRpS9t6OD9ueF39E8pGSUZCssLO7XmPjyNadWjv"

A botnet command or some other traffic?

Or even noise for the sake of noise? (Ie, spamming the government's ears)

Re:What is ..?

It's a Perl script that says "Hello, World!"

... so it IS line noise :-)

FTFA:

Operating under the theory that if you kill the head, the body will follow ... find and disable the command-and-control infrastructure that powers millions of zombie drone machines

Here you go: One Microsoft Way Redmond, WA 98052 Phone: (425) 882-8080 Fax: (425) 706-7329.

Tread Carefully

This will have to go beyond simple traffic scanning. If not how would they determine whether a group of machines are bots or are simply responding to SETI@home or whatever other distributed systems are running over the 'net?

Seems like at some level there will have to be a human protocol that decides which traffic is naughty and which is nice. Humans can be manipulated and protocols spoofed. If this weren't the case we wouldn't be having this discussion in the first place.

"Botmaster"...

From the article: "The compromised machines are controlled by a 'botmaster' ... If that command-and-control is disabled, all the machines in that botnet become useless to the botmaster."

Somewhere, there is a joke that begins with the quote "I AM TEH BOTMASTER!" and ends with the quote "AND I AM TEH GATEKEEPER!", but alas, I cannot figure it out right now.

Oh slashdot, help me out here.

list has no posts

No messages have been posted to the botlist yet. I subscribed and thought I'd check out the archive... it's empty. Seems like they'd advertise lists that were up and running with content, not lists w/o any. Perhaps it was setup by bot masters so they'd know who to pick-off?

Kill those nasty bots

Operating under the theory that if you kill the head, the body will follow...

It contrast, has been found that some zombie PCs are operating under the theory that if you cut off the head, the body will just wander around aimlessly.

Good luck...

...shutting down IRC.

Worst, it wouldn't help a bit

So far, any reaction from the "good" guys of the net caused a reaction from the "bad" guys. You turn something off? Ok. Next!

Turn IRC off and they'll do it via usenet and have the bot read a certain (not too spammy) group religiously for his master's voice.

When you turn that off, they'll find another way. There are so many communication tools out there, so many protocols, from MSN to Skype, and they all can and will be abused to keep the botbrain in tough with his zombies.

Futile. The only chance is to cut the machines from the 'net that contain those trojans.

I could see it working

Obviously grabbing random traffic and scanning it isn't going to work. They need to "capture" one of the bots, and study it. Watch all the traffic coming and going, disassemble the software that receives and executes the commands. Then they'd have a solid base for knowing how to track and/or block traffic like that, at least for that one bot variant. So, they'd have to do that for every bot network out there. And who knows how many there really are, or how different they are.

I'd like to report a huge Botnet...

It is run by this Taco guy...

He uses this website, slash something or other. All he has to do is put the url he wants attacked on its frontpage and all his loyal "bots" go right to work on a DDOS attack.

Most ingenious! And I bet he profits handsomely from it too!

It's a development I can verify

When they came into fashion, botnets were mostly comprised of infected machines that got little to no updates. They existed, some bots were discovered and eventually it phased out, only to be replaced by others. The connection was made to a static IRC Server and/or channel, the commands were static, eventually they were discovered and cut off.

Then anti-virus and security companies got aware of the problem and started to counter it. The result were updating bots that reloaded part of their code, some configuration script or a completely new code from a static server. When we started to hunt down the update servers, update servers became dynamic as well.

Today, botnets have a faster and more reliable update mechanism than some commercial products. More fallback servers than most companies. And a faster response time to "blackouts" than anyone in the (legal) commercial 'net.

Another development such nets go through, right as we're talking, is that more and more of the bots get more and more features. Earlier, you had a bot that connects a spam net, another one with keylogging, another one that offers DDoS Sheep properties and so on. More and more, those features become incorporated in one bot. Instead of specialists, you get generalists.

Today you have trojans that create proxies, at the same time they harvest your passwords, especially interested in your server passwords (to turn your personal homepage server in an update box for them), log your input (especially when you're dealing with online services that require money transfer, like paypal or ebay) and use you to send sex-spam out to others.

Those sex-spam sites contain adware popups, those in turn are infected with 0day exploits like the WMF-exploit was. Those in turn contain more trojans.

This all is not necessarily done by one and the same attacker. You can buy and sell those "services". One person or group creating the adware dropper, selling its finding to another group who uses it to get a sheep onto the computer, those in turn sell them to someone who wants to conduct a DDoS attack. Or they sell it to a keylogger, who then uses this to harvest your login data to some pay services to transfer your money or buy stuff for your money.

And this business is growing.

The possibilities!

Operating under the theory that if you kill the head, the body will follow

Imagine were that not the case! Headless bots roaming the net looking for trouble.

In all seriousness, I could imagine some nasty work that could be done to turn disbanded botnets into a bigger problem than active ones.

it's obvious

private irc servers. so obvious i don't know why the question is even asked

well

What's to stop them from moving to a p2p VPN style system. Good luck seperating that from legit traffic.

Ob Comic Geek

"Operating under the theory that if you kill the head, the body will follow,"

S.H.I.E.L.D. has leared that this is not true. If you kill the head, two more will take it's place. Hail HYDRA!

Enforcement? Hello?

The biggest problem with spam and viruses and worms is that the federal authorities, specifically those in the United States, don't seem to give a damn about going after these criminals. They don't need to pass any new laws. Computer tampering is computer tampering and the feds are either ignorant or scared, or being told to prioritize the prosecution of these cases as low priority. If you start nailing these people, things will dramatically slow down, but the real reason spam and other attacks are increasing is because enforcement hasn't gotten off its lazy ass and started to prosecute more of these criminals. The way I figure, when Wal-Mart is interrupted by some massive bot-net, then and only then will the government suddenly recognize this is a really bad thing that needs to be dealt with.

Honeyclients

I think these [honeyclient.org] folks are headedd in the right direction when it comes to destroying botnets.

From their page:
Kathy Wang ToorCon 2005
So, what's a honeyclient?
Honeyclients provide the capability to
proactively detect client-side exploits Drives client application to connect to servers
Any changes made to honeyclient system are unauthorized - no false positives!
We can detect exploits without prior signatures


What can honeyclients do for you?
Allows proactive monitoring of malicious servers
Allows discovery of client 0-day
This can be extended beyond just HTTP clients
Any other client-server based protocol will work

/. Fortune says it best

"Never underestimate the power of a small tactical nuclear weapon."

How appropriate.

It's not that hard.

Netstat. Ooh I'm connected to some weird server. Ethereal, ooh I see a password being sent to join this IRC server/channel. Choose a suitable name with X-Chat or BitchX and join the channel, see the commands fly by. But don't say anything.

I've done it many times whenever I've managed to isolate one of these trojans in Virtual PC. I've also watched the commanders having a great big "LOL" in channel, and felt awful that if I said anything it'd blow my cover. Try it today.

And what springs to my mind first...

Operating under the theory that if you kill the head, the body will follow...

"You insensitive prick! Do you have any idea how much that stings?" [imdb.com]

Bwahahaha!

startkeylogger

How you can participate

You can participate in this effort via mail list. Go to http://www.whitestar.linuxbox.org/mailman/listinfo /botnets [linuxbox.org] to sign up.

Re:Grammer Nazi!

or: the group is ramping...

Re:Grammer Nazi!

Ah, but group in this case is singular. So "is" is valid if it is the group which is ramping up, or "are" if it is the members which are :)

Re:What?

Sometimes when i open my older mailboxes (which sadly have no spamcheckers) and need a calculator to count the spam messages, i really feel like i'd rather disable the hacker himself, literally.

  I really don't need V!@gr@ nor do i want to buy any other drugs really cheap. And i really don't need the emails that advertise them. Reading e-mail is as private for me as sex is for some other people, if i don't advertise my software products next to your bed while you're having sex, i'd also expect you not to climb into my mailbox to advertise yours.

  Isn't it time to dump the current e-mail system as it is and move on to something else that's really private and personal ? Sure you can have zillion filters installed but sometimes the filters take out stuff that you need and sometimes they let in stuff that you don't need, they are not perfect. I do understand that by the time the e-mail protocol was invented, the inventors themselves couldn't imagine spamfarms all over the world sending fake emails but around 30-40 years have passed [wikipedia.org] , maybe it's time to let it go ?

  Sure we can't dump the current e-mail mess in one day, but an alternative solution that would slowly take stuff over and be non-anonymous would make very many of us really really happy. If sending out mail would only be authorized to organizations and identified persons, it would make the network a lot cleaner.

  PS. I know it's just a dream and utterly non-realistic in the currect circumstances ... but it would still be nice :)

Re:Grammer Nazi!

Sigh. Only on Slashdot etc. etc.

Re:Grammer Nazi!

> In the U.S., Microsoft is developing Vista; in the U.K; they are. Does that
> affect words like 'group?' Anyone from the UK to comment?

I've seen/heard both.

A quick Google reviews this:
http://news.bbc.co.uk/1/hi/programmes/radio_newsro om/1099593.stm [bbc.co.uk]
-----
Collective nouns
can be singular or plural. The only rule is: you must be consistent. "Marks and Spencer is selling a new biscuit. They say it's the best ever made" is the type of rubbish we broadcast far too often. In a sporting context, teams are always plural: "England are in the soup", "Manchester United are finished", "Wales are resurgent".

Half
can be singular or plural: half the oranges were eaten; half the food was eaten.

Plurals
the media remain plural, agenda has become singular. Refrain from unnecessary Latin plurals: call them referendums, formulas. The singular of "criteria" is "criterion". While on the subject, to write: "One in twenty people believe the world is about to end" is wrong; even if that one in twenty IS right.

-----

(I don't understand that last sentence...)

Re:Grammer Nazi!

welcome to missing the joke, einstein