Meet the Botnet Hunters

An anonymous reader writes "The Washington Post is running a pretty decent story about 'Shadowserver,' one of a growing number of volunteer groups dedicated to infiltrating and disabling botnets. The story covers not only how these guys do their work but the pitfalls of bothunting as well. From the article: 'Even after the Shadowserver crew has convinced an ISP to shut down a botmaster's command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'"

Botnet Hunters!

We don't need their scum.

info on botnets

Is there a central location that tracks the current largest botnets, what their purpose is, their communication mechanisms, etc? I googled and couldn't find much.

Hmmmm

Those first two paragraphs sound like a movie pitch. A wierd movie pitch...

Botmasters will switch to distributed C&C

Botmasters will switch to gossip-based protocols (like p2p) to achieve their goals. The good ones have done this already.

This is required for other reasons: if you have more than 10K or so bots, you are better off with a distributed mechanism.

Interestingly enough, most of the botmasters are not so technical - they wouldn't be able to comprehend virtual synchrony if it smacked them in the face.

Re:Botmasters will switch to distributed C&C

What I don't understand, is if these guys can see every bot on the network, have an infected honey pot of their own, why can't they take control of the computers, tell them to pop up a "you've been infected, moron" window and format themselves? In the end it is probably better for the individual than allowing them to get keylogged etc.

Or are the backdoors they are using more sophisticated than that?

Re:Botmasters will switch to distributed C&C

I would imagine fear of the law and getting suied or thrown in jail. Not to mention poping open a window might be as unoticed as the popup wanting to increase my member size. It would take some sort of government imunity to prosecution to aviod getting getting tangled in the same laws that make computer tresspass ilegal. Maybe some program that you can sighn up with and keep detailed logs or let them keep the logs.

Now on another note, If we did allow these people to do as you say and included the "i'm doing good not evil" as an excuse, how many real attackers can use that as thier claim to inocence when they do eventualy get busted? I mean if I can avoid prosecution for poping up a windows that says your infected, I could end all my botnet attacks that way and make the window apear to be a standard popup from spyware that also effecting the computer.

I don't see why the law isn't going after these bot net people like they would if I broke into some companies mainframe and used thier computers to compile code. Maybe instead of having the ISP turn the domain off, they should alert the proper athorities (in each country involved) and see if they can get enough information to make an example of them. I doubt it would take mor ethen a couple dozen prosecutions with maximum penalties to discourage the vast majority of these net operaters form trying it in the first place.

I've done something similar

Formating the guy's HD might be a little extreme, but back when I actually used IRC, I used to get bots trying to infect me all the time. So I'd run the file, capture and analyze the packets it sends as it's connecting, then shut it down, reconnect using mIRC, and take over the botnet. From there it was a simple matter to get them to accept a script which would eradicate all the bots.

They're getting more complex these days, but the same principles still apply. Once you get one on your system, it's a simple matter to analyze it and use it to take control off, and destroy, the rest of them.

Re:I've done something similar

Some are moving that way already. The botnet developers are beginning to realize the monetary value of their little operations, and are moving to protect their investments. There has been enough published crypto that these guys can basically drop in a secure signalling system. And one of the botnet researchers has said some are already using encrypted channels.

Others are using a "cellular" or P2P model -- instead of a central IRC-style server, the bots are chatting only with the PC that infected them. It makes rolling up a botnet and tracking it back to "node zero" very difficult.

The nice thing about the botnets (from the operators perspective) is the ease with which he can roll out updated software. Shadowcrew getting too close? New code time!

delete themselves

There should be a way to reverse engineer the clients so that they can delete themselves, I'm not exactly a botnet admin, but they have file access from what I have learned. Should they not just be able to use a friendly botnet server to tell the computers to delete the client software?

They are on the web

www.shadowserver.org/

Bitter irony, Slashdot is thy home (or hangout...)

"...Albright sent an e-mail to the FBI including all the evidence he collected about the attack..."

Apparently, Mr. Albright doesn't frequent Slashdot [slashdot.org] or watch CNN...

Domain..

In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'

Why don't the hunters register the domain for themselves? Or just ask the registrar controlling it to transfer it to their control? If the botnet owner tries to complain it's been hijacked he'd have to explain the botnet..

Great plot!

This whole loose-knit bunch of humans doing their part against a force of cold, malignant bots has a great edge to it! Someone should make a movie or three [wikipedia.org] like this.

Interesting Deal

So, these guys find botnets, collect the info to have them shut down, and then get the channel shut down? While this is great, it does little to stem the tide of bots. Adware/spyware and viruses are still being made to create more bots. So, while Shadowserver goes after the host servers, there are still millions of computers that are infected and transmitting, including that physician that was sending patient data!! If we really want to shut botmasters down, we need to battle the root of the problem. Unfortunately, we're still not allowed to kill of the bottom of the gene pool. Either that or switch from XP to a better OS platform that has fewer known vulnerabilities (Mac, *nix).

Drones

Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists.

Since we're discussing drones, wouldn't a more appropriate analogy have been "like lost bees without a queen"?

Be vewy vewy quiet...

Be vewy vewy quiet! We're hunting botnets!

Buggy bot: Would you like to shut us down now or wait 'till you get home?
Daffy fuck: SHUT HIM DOWN NOW! SHUT HIM DOWN NOW!
Buggy bot: You keep out of this. He doesn't have to shut you down now.
Daffy fuck: He does SO have to shut me down now! I demand that you shut me down now. (Nyeah!)

Spammer: daffy# shutdown -now
Botnet: *reboots*

Daffy fuck: Let's read those logs again.
Buggy bot: Okay. bugbot: would you like to shut us down now or wait 'till you get home?
Daffy fuck: daffy: shut him down now
Buggy bot: bugbot: you keep out of this, he doesn't have to shut you down now
Daffy fuck: Aha! Hold it right there. DNS cacne poisoning. It's not 'he doesn't have to shut you down now, it's he doesn't have to shut me down now.' Well, I say he does have to shut me down now! So shut me down now!

Spammer: daffy# shutdown -now
Botnet: *reboots*

Secure SMTP?

So many of these Botnets are used to send SPAM. I get a gut feeling that efforts would better be expended on getting widespread adoption of a more secure, universal SMTP protocol.

-- Jim http://www.runfatboy.net/ [runfatboy.net]

botnets remain undetected

"However, now I see how many malicious files tied to major botnets remain undetected" by the most popular anti-virus programs.

Sounds like a golden opportunity for ingenious programmers to design something to seek out and destroy these botnets, and then sell it to Microsoft for a fortune.
Another [eweek.com] botnet hunter article from eWeek.

Spyware Scanners Don't Work

FTA: "I know many users within my former organization who felt that anti-virus and spyware scanning would save them," Di Mino said. "However, now I see how many malicious files tied to major botnets remain undetected" by the most popular anti-virus programs.

This, unfortunately, is the most common viewpoint from end-users and IT alike.

It's unfortunate because it's so dangerously inaccurate. Lots (LOTS) of spyware is not detected by any of the mainstream detection applications. The best solution I've found is using HijackThis to manually remove suspicious entries, but this is hardly a feasible solution for the average user.

Re:Spyware Scanners Don't Work

Ewido [ewido.net] and hijack this, when both run in safe mode (with networking so you can get updates), cleans them up once and for all. I have yet to encounter anything that persisted after these two steps were taken and an antivirus package was installed on the machine. Anything remaining after that point is probably a semi ligitimate (borderline adware) system service or some sort of hard to detect rootkit. At the risk of being flamed, i would recomend the Norton AV Corp 10x series from symantec. Its corportate so none of the gay activation or useless slow features and in this release they have started to detect certain spyware as viruses. Most people are turned off of symantec for there absolutely garbage horid products such as NIS. Symantec is a big company and their corporate shit has been for the most part reliable.

The most important thing is to do all this in safe mode. Most people dont even do that so what can you do?

A different approach

Why not simply convince the ISP's to block infected machines from accessing the internet to start with? They [the ISP's] can probably easy spot botnet traffic and could seriously stop botnets.

Just my 2 cents.

Hey, I've seen that mentality before!

Like lost sheep without a shepherd, the drones will continually try to reconnect...

Sounds like my sister when her cell phone cuts out.

Turn your computer off

Only a partial solution (not even really a solution), but many of the hijacked PC's are left on all night to spew their viagra spam to the net or take part in DOS attacks (or whetever the hell they do).

So... turn your computer off when you are not using it.

Hell you will even same some electricity while you are at it.

Seems like taking 8 or 9 hours out of the day for the bot to actually operate will atleast decrease some of the traffic these bots are generating.

The practice people have developed of leaving their computers on 24/7 should stop... unless of course the computer is doing something more productive than generating elaborate mazes of 3 dimensional plumbing schemes.

More information on same subject

I don't normally check the Washington Post site but after reading the article I went to main page to see what was there. Near the bottom of the page, in a section called Security Fix, Brain Kregs had posted a story on March 9th titled 'Shadowboxing with a Bot Herder' wherein he talks about his conversation with a botnet owner called Witlog.

Besides the usual info about how many pcs he had infected (30,000 by his count), how he had done it (found software on a site) there was this bit at the end of the article from Symantec:

According to stats released this week by computer security giant Symantec Corp., the most common computer operating system found in botnets is Microsoft's Windows 2000, an OS predominantly used in business environments. Indeed, the vast majority of bots in Witlog's network were Win2K machines, and among the bots I saw were at least 40 computers owned by the Texas state government, as well as several systems on foreign government networks. At least one machine that he showed me from his botnet was located inside of a major U.S. defense contractor.

The permanent linnk for the article can be found here [washingtonpost.com].

And he didn't get a visit?

Let me get this straight. Summing up TFA, he found evidence of the bots, even saw persanal medical info, and turned it into the authorities WITHOUT any suspicion cast his way????

If I would have done such a good deed (and it was a good deed in my book), I'd have probably been hauled off for questioning. That's the fear as to why I don't "get involved" trying to stop these jerks myself.

Better ways to stop them...

First, if you can access the botnet to the degree at which this guy claims to be able to do, then you can take control of it. And with any decent botnet, you can make the things run arbitrary code. With only minor analysis of the bot, you could make the entire network self-destruct without too much difficulty. Have it kill it's own startup on reboot sequence, then have it create a new RunOnce to delete it's own executable on reboot. Then shut down or force a reboot or just pop a message up on the screen telling the user he's been infected. As soon as somebody notices they'll likely reboot and possibly install updates and patches to their bloody machine.

This is less risky than the obvious angle of simply patching the box so it can't get infected, because you know that the bot is not supposed to be running on the machine in the first place. Patching the box might go bad or have other unknown consequences, but having the bot kill itself is not nearly as bad. And by possibly informing the user of the facts, you can still scare them into patching their box. Screw shutting down the botnet owner's connection, shut down the botnet itself. Take away their tool in one swift stroke. Make 'em have to build a new one, hopefully from a whole new set of boxes.

Why the FBI doesn't act

The FBI wants there to be a minimum of $20,000 of verifiable loss before they'll even send an agent out.

I know this from having been an I.T. guy for a state prosecutors office. We had to do everything ourselves and did we ever.

An analogy..

So in a way, these guys are the Buffy (Season One) to the Botnet's Master? They "slay" the host machine, the source of the trouble, but all the undead zombies are left lurching and crippled, waiting for someone else to lead them, who of course, eventually shows up. ... so, can someone hook me up with the main Shadowserver girl?

Great fun for geek kids!

I used to do that back in the day.

1> Search for EXE's off the latest P2P network or skulk around in some IRC channel until a some chap offers it to you.

2> Take apart that self-extracting zip and look through the mirc script.

3> Work out where they're sending there zombies. Masquerade as a bot for a bit.

4> Figure out a way to issue commands to the bots if possible.

5> Figure out a generic command to issue that stops the bodged mirc from launching or removes it outright.

6> Send it and laugh like a crazy fool at those 74M3RZ as they curse you and you're silly bot killing ways.

Ahh, the folly of youth.

Sad...but true.

"Anything you submit to law enforcement may help later if an investigation occurs," he said. "Chances are, though, it will just be filed away in a database."

I'm forced to wonder here. Why exactly won't Law Enforcement take care of a case that they're handed? I mean, last time I checked, someone handing you your entire case takes no effort whatsoever to investigate. If you take down some of these botmasters, you may see alot of people start backing off as they'll realise that people committing the crime are in fact being procecuted.

Then again, this is the US Government we're talking about here.

Nintendo R.O.B.

Call me when they start a group of hunters for the Nintendo R.O.B. [wikipedia.org] . They are the bots we should be really watching out for.

rerun

Wasn't this an episode of Stargate: SG-1?

Unusual, but Not Impossible

A few months ago, Taylor became obsessed with tracking a rather unusual botnet consisting of computers running Mac OS X and Linux operating systems.

As that means that there a large numbers of breachable OS X and Linux machines out there, that pretty much puts to death the myth that OS X and Linux are sufficiently secure out of the box.

Related story

There's an excellent story about this sort of thing here [csoonline.com] (via another tech site with a digging-related name).

At what cost?

From TFA...

"Now 27, Albright supports his wife and two children..."

" "I take my [handheld computer] everywhere so I can keep tabs on the botnets when I'm not at home," Albright said in a recent online chat with a washingtonpost.com reporter. "I spend at least 16 hours a day monitoring and updating." "

Anyone else consider this sad? He's putting so much of himself into the work.. when does he have time to be just "dad" ? If the start of all this was his father's suicide.. maybe he could use a few sessions to deal with his anger, rather than what he is doing now. I don't think it's worth the price.. but then again, I'm a father who actually ENJOYS spending time with his kids.

Easy way to shut down value of botnets

Most botnets are used for spamming. An analysis of the majority of inbound spam clearly shows most of the traffic coming from unauthorized SMTP relays set up in broadband IP space. The main advantage to setting up botnets is to do mass-mailing from a large pool of IP addresses that have the best chance of getting around RBLs. Spamming is the primary revenue source for botnets and also the primary manner in which machines are infected.

Some ISP recognize this issue and are dealing with it. Some are not.

The solution is very simple: filter port 25 traffic from broadband IP space.

Let me repeat this, because it's real simple.. it's so goddam simple that we're now to a point where any ISP that doesn't do this should be considered grossly negligent and a spammer themselves.

Some ISPs are responsible and some are not. AOL is a good example. AOL started filtering port 25 traffic and this has a dramatic effect on the security of their clients, the performance of their network and the overall safety of the Internet at large. Other ISPs are working on this too, like Bellsouth. These are the good ISPs who recognize that this simple solution can create a dramatic reduction in botnet propagation and spamming.

On the other hand, you still have many ISPs who don't seem to give a shit and are part of the problem. I'm not talking about the foreign ISPs... we know they're irresponsible. TDE, Brazil, China, Korea... it's easier to just wholesale block their IP ranges [blogspot.com], but domestic ISPs like EARTHLINK and Verizon continue to be a major source of spam and botnet propagation.

Earthlink particularly annoys me because they constantly advertise how great they are at keeping spam and viruses out. Ironically, they are one of the largest sources of spam, phshing scams and worms in the United States. Thanks Earthlink! Get your fucking act together you morons. Take a few of those goddam leprechans and pink unicorns you have hanging around and replace your existing IT staff!! Filter port 25 so we don't have to deal with spam, worms, system probes and wasted bandwidth from your badly-managed networks!

Filtering port 25 takes a lot of the incentive out of creating a botnet. Everyone who really understands the dynamics of the spam/worm problem recognizes this.

ISPs "Detect & Destroy"?

So why don't ISPs simply write software to allow them to detect and automatically disconnect BOTs?

Come on here. BOTs harm their systems, and they ought to be willing to put in the time to shut them off.

Then the end user of a BOT calls up, and the ISP say's "Reformat and reinstall your OS with appropriate anti-baddy software or we won't let you use our ISP.

Yeah, I know, they want the fees, but they don't want the extra bandwidth use nor the problems, and if the major ISPs blacklist BOTs, how long before we get rid of most of them?

For out of the country BOTs, well I would imagine there has to be a way. I don't care to ever receive anything from anyone in Rwanda, Uganda, or even Russia.

Re:ISPs "Detect & Destroy"?

So why don't ISPs simply write software to allow them to detect and automatically disconnect BOTs?

Most major ISPs have software that can pretty much do that. I'm looking at some of it right now in another tab of my browser. The problems are operationalizing it so that it is not too expensive. The support costs for a couple hundred thousand calls asking why they've been shut off and how to go about fixing it and then confirming that it has been done would be very high. Maybe some big players could partner with another company. Get your PC cleaned, patched, and certified and we'll turn your internet back on. The problem with this is there are still a lot of old Windows boxes out there. No security patches are available. A new Windows OS is expensive and won't run on the machine anyway. So the ISP might save a little on transit, but they lose a boatload of customers and the steady revenue those customers provide.

Now some ISPs have plans to implement a notification of compromised machines with an automated system. It may help the problem and the ISP can bill it as a feature. But that is just one more escalation in the arms race. Next bots will be stealthy, mimicking other machines on the subnet, or just sending encrypted tunnels. Anyway, the short answer to your question is "money."

How to fix this easily

There needs to be more accountability/traceability in order to register a domain. You should have to prove ID etc. so that if your domain is clearly a botmaster then the authorities can find you in person easily and nail your ass.

Sounds like anime...

So Botnet hunters are tracking rogue Botnet puppet masters, taking them out using their own ISP, then tracking the Botnet drones who wander the net like 'lost sheep without a shepherd, ... continually try[ing] to reconnect to the hacker's control server, unaware that it no longer exists'?

Sounds like a totally kick ass anime!

Naturally I imagine all these Botnet hunters are hyper-attractive ultra-well-endowed women who's clothes get partially torn off every time they have a Hack-net Battle a Botnet Drone with their emasculatingly over-sized gun/sword!

eh?.........no?

Tis a pity ...

They should spend their time doing something more useful.

Like tagging botmasters for the kill.

Relevant Article

This article has a nice example of how a Russian botnet was hunted: http://www.newyorker.com/fact/content/articles/051 010fa_fact [newyorker.com] A few weeks later, on a Saturday in March, Ivan slipped up: he logged in to the chat room without disguising his home Internet address. The same day, Turner happened to be online, and decided to look up eXe's registration information. To his astonishment, he found what appeared to be a real name, address, and phone number: Ivan Maksakov, of Saratov, Russia. Lyon dashed off an e-mail to the authorities with the subject line "eXe made a HUGE mistake!"

from one who works with shadowserver

I've been working with the shadowserver group for a while now and can say that it has been very interesting. to give some facts on the project

SS == shadowserver

* SS rarely shuts down botnets asap, but rather waits to see if they can figure out who the owner is, and several arrests have been made because of this.

* there has been talk on what is going to happen when the botnets switch to a different method other than irc. for more information, search for the botnet mailing list hosted by whitestar

* most of the trojans are found by running nepenthes

* SS has a HUGE repository of botnet scripts and C&C information.

* SS could always use more contacts with ISPs, domain registrars, and foreign LEAs. (we're in #shadowserver on freenode)

* botnets aren't the only thing we've been tracking (you'll see what I'm talking about in the news later)

Re:Danger, Will Robinson

I must be the only nerd here who wears a shoulder holster to work. (and no, I'm not a cop)

Re:Danger, Will Robinson

oh no a pimply faced "mobster" might come after you.... give me a break

Re:Danger, Will Robinson

Nice until they run into a mobster-botmaster with a gun.
This is a task for the government, not for pimpled nerds.

Someone needs to be doing it, and the story indicates that government just isn't interested in this--and even if they are, they can't seem to successfully prosecute. The end of the article really jumped out at me:

"Our data can't be used to gather a warrant," Albright said. "Law enforcement has to view the traffic first hand, and they are limited on what and when they can view."

How can there be any legal barriers here? Is this supposed to be some twisted view of the 4th amendment?

Re:Danger, Will Robinson

Which network protocol supports the transmission of bullets?