What a Botnet Looks Like

Posted by timothy on Thursday May 08, @01:51PM
from the when-jerks-are-smart dept.
Esther Schindler writes "CSO has an annotated, zoomable map of real botnet topologies showing the interconnections between the compromised computers and the command-and-control systems that direct them. The map is based on work by security researcher David Voreland; it has interactive controls so you can zoom in and explore botnets' inner workings. Hackers use botnets for spamming, DDoS attacks and identity theft. One recent example is the Storm botnet, which may have comprised 1 million or more zombie systems at its peak. As with any networking challenge, there are good (resilient) designs and some not-so-good ones. In some cases the topology may be indicative of a particular botnet's purpose, or of a herder on the run."

  • by inTheLoo (1255256) * on Thursday May 08, @01:53PM (#23340444)

    To get a good look at a botnet they say, "You need to upgrade your Flash Player". How true!

    • by Bryansix (761547) on Thursday May 08, @02:45PM (#23341206) Homepage
      They say you can get a good look at a botnet by upgrading your flash player but I'd rather take your word for it.
          • Dude... seriously, move on. Take a deep breath, and just... move on. In the grand scheme of things, he can have 2351 different IDs- and it would not matter one iota. Why on earth do you let him have so much control over you?
              • Re: (Score:3, Insightful)

                Useful
                Not necessarily this post, but if I'm to believe what these folks (willhill, et al.) are telling me, twitter has had some informative posts and if he feels the need to "sockpuppet", mod the puppets, leave the information. Coming into this war fairly
  • by sm62704 (957197) on Thursday May 08, @01:59PM (#23340530) Homepage Journal
    Here's [interconnection.org] a photo of a botnet. Ok, it's a small botnet but if the botnet was a semi you wouldn't see the computers, now would you?
  • by Thelasko (1196535) on Thursday May 08, @02:00PM (#23340550) Journal
    all of the IP addresses. Can I get that in a text format? I want to add them to my hosts file.
      • by multipart/mixed (163409) on Thursday May 08, @02:37PM (#23341102)
        I don't think you'd want to do that.

        My current RBL has about 6.5 million entries, and is extremely permissive. It is also updated bi-hourly.

        I sure wouldn't want my machine to traverse a hosts table of 7 million hosts every time I tried to look up a name in the DNS.

        Same for your firewall, 7 million entries will cripple iptables. Hell, 30,000 entries causes visible slowness on a dual-core opteron system.

        Of course, you might get better performance out of iptables with the ipsets kernel patch. But that's still a damned big list.
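
The scaling point in the comment above, as an added example (not part of the thread and not any poster's code): a Python sketch that validates a text blocklist, merges duplicate and adjacent ranges, and emits input for `ipset restore`, so the packet filter does one hashed set lookup instead of walking one rule per address. The set name `botnet_block`, the output file name and the sample entries (documentation-range addresses) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample blocklist (documentation ranges, not real indicators).
SAMPLE_BLOCKLIST = """\
# one entry per line: address or CIDR
192.0.2.10
192.0.2.11
198.51.100.0/25
198.51.100.128/25
203.0.113.7   # trailing comment
203.0.113.7
not-an-ip
2001:db8::1
"""

def parse_blocklist(text):
    """Return (collapsed IPv4 networks in sorted order, rejected entries)."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)             # never pass junk to the firewall
            continue
        if net.version != 4:                   # this sketch builds an inet set only
            rejected.append(entry)
            continue
        nets.append(net)
    # collapse_addresses removes duplicates and merges adjacent/overlapping ranges
    return list(ipaddress.collapse_addresses(nets)), rejected

def ipset_restore_script(nets, set_name="botnet_block"):
    """Build `ipset restore` input: one hashed set instead of one rule per entry."""
    maxelem = max(65536, 2 * len(nets))        # headroom for later additions
    lines = [f"create {set_name} hash:net family inet maxelem {maxelem}"]
    lines += [f"add {set_name} {net}" for net in nets]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    nets, bad = parse_blocklist(SAMPLE_BLOCKLIST)
    print(ipset_restore_script(nets), end="")
    print("# rejected:", bad)
    # Load the set and reference it from a single rule (root required):
    #   ipset restore < botnet_block.ipset
    #   iptables -I INPUT -m set --match-set botnet_block src -j DROP
```

The eight sample lines collapse to three set members, and the two entries that are not valid IPv4 are reported rather than loaded.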

  • by Anonymous Coward on Thursday May 08, @02:02PM (#23340598)
    http://www.artsci.washington.edu/news/Autumn05/largermap_sexualnetworks.htm
  • by jmichaelg (148257) on Thursday May 08, @02:07PM (#23340676)
    It would be nice to be able to search my static IP or a range of IPs to see if they are on the map.
  • by Hoplite3 (671379) on Thursday May 08, @02:08PM (#23340686)
    There are lots of well constructed stars, where a handful of master nodes control several slaves. Each slave knows two or three masters for redundancy. That's good design, and I expected it.

    But what's hilarious is that there are some ip addresses that are slaves to four or five different botnets. I wonder what the owners of those machines think?

    "Man, the internet sure is slow today!"

    "I need a new computer, this one's all slow."

    "Sweet! Five botnets and counting! I'm part of something! I belong!"
    • I do know what those users think, and it's very much like you posited: "My computer has become unusably slow, and I don't know why or how to fix it!" Unfortunately that was followed by, "Aunt Esther, can you tell me what's wrong?"—and thus I spent half a day killing enough of the junk that I could install a firewall, antivirus, etc.

      People like my nephew aren't unwilling to learn. They're just lost when it comes to their computers. And they don't particularly mind being ignorant as long as the equipment works right (or appears to). Just as most of us don't feel the need to understand how a car works in order to drive one.

      Some of us remember the days when we wistfully wanted computers to become easy enough for ordinary people to use them. Alas, we got our wish.

      • by Volante3192 (953645) on Thursday May 08, @02:28PM (#23340984)
        And they don't particularly mind being ignorant as long as the equipment works right (or appears to). Just as most of us don't feel the need to understand how a car works in order to drive one.

        Yes, but people are often more familiar with what a car needs. Regular oil changes, maintenance, gas; they might not know (or care) why the car needs these, but they know that if they don't, the car will fail to work.

        People don't even know that much about computers, about what they shouldn't do, even if they don't know why.
        • Not everyone does understand basic maintenance. You'd be amazed. Plenty of people wait until the car breaks down before they think to get it serviced.

          And they don't like to gain even basic knowledge. In the gas crisis of the late 1970s, my (then-)mother-in-law waited 40 minutes at a gas station before she got to the pump. When she discovered it was self-serve, she drove away, because she didn't know how to use the pump herself. (Yes, obviously all she had to do was ask the person behind her—who'd be motivated to help—but she didn't.)

          Also, even when people take the car in for maintenance, it's something they do out of distrust for the practitioners. That's better than not taking it in, of course, but it's inherently a combative relationship: what's the mechanic gonna tell me I need this time?

          The thing is, few of us want to be experts in every technology we use. We just want it to work.

          None of which excuses ignorance, mind you, but it does explain it.

  • I, for one.. (Score:5, Insightful)

    by oodaloop (1229816) on Thursday May 08, @02:12PM (#23340770) Homepage
    ...would like to see more. Was there actually an article there, or was that just a picture? How about something about the methodologies used, a description of the organization of the network, maybe even some metrics like centrality. Something other than a picture, ferchrissakes.
  • There are fields, Neo. Endless fields where bot beings are no longer born. Are grown. For the longest time I wouldn't believe it and then I saw the fields with my own eyes...
  • Ha Ha! (Score:3, Funny)

    by Thelasko (1196535) on Thursday May 08, @02:22PM (#23340898) Journal
    One of the nodes backendportal.info [networksolutions.com] is registered to Horatio Nelson! [wikipedia.org]
  • by Lucas123 (935744) on Thursday May 08, @02:26PM (#23340938)
    If you zoom in, you'll see a lot of the concentration of spiderwebs are around sites like honeynet.cz.
  • 127.0.0.1 (Score:4, Funny)

    by Anonymous Coward on Thursday May 08, @02:32PM (#23341030)
    Wait, 127.0.0.1 is in there. That is my IP address!
  • by Thelasko (1196535) on Thursday May 08, @02:45PM (#23341210) Journal
    allow people to register with information like:
    Registrant Contact:
    elnopic
    elnopic elnopic (elnopic@elnopic.com)
    +1.2435543
    Fax: +1.5555555555
    123 sdhdsa g
    asdf, AD 34215
    US
    Do they not even try to verify this information?
    • Re: (Score:3, Interesting)

      After further investigation, it appears the above domain was registered by a company called Namecheap, also known as HostingAnime [wikipedia.org], a company known for hosting al-Qaeda websites.

      Coincidence? I think not!
  • by IBBoard (1128019) on Thursday May 08, @03:00PM (#23341456) Homepage
    There must be too many bots - I can't even get it to render! All I get is a white page with no nodes and no links :\

    Either that or they've rendered the botnet on a white background in apple white with light grey lines.

    (i.e. it seems to be Slashdotted ;) )
  • yeah... and (Score:3, Interesting)

    by spikedvodka (188722) on Thursday May 08, @03:05PM (#23341548)
    And why's this so much news?
    Any self-respecting revolutionary knows that you have a distributed network, so that even if a cell goes down, you can still pass messages.

    Hell... I wish IRC could learn from this, I've had enough of netsplits. By rights only the server that goes offline should be affected if it goes down, it shouldn't split the network into 2 massive sections.

    Yeah the image looks nice, and is all "ooohhhh ahhhh" and lends itself to "Hey... that's me", but really "News"? I think not

    Call me when they have an article as to how they got this information

    -1 "Cynical Bastard"
    • can be shut down by shut down by just shutting down computers that don't have secure computers.
      Gee thanks thanks captain obvious captain obvious for your observe your observations.

      Was it just me, or did anyone else imagine parent as speaking in the voice