Hunting for Botnet Command and Controls
Uky writes "Convinced that the recent upswing in virus and Trojan attacks is directly linked to the creation of botnets for nefarious purposes, a group of high-profile security researchers is fighting back, vigilante-style. The objective of the group, which operates on closed, invite-only mailing lists, is to pinpoint and ultimately disable the C&C (command-and-control) infrastructure that sends instructions to millions of zombie drone machines hijacked by malicious hackers." From the article: "Using data from IP flows passing through routers and reverse-engineering tools to peek under the hood of new Trojans, Thompson said the researchers are able to figure out how the botnet owner sends instructions to the compromised machines."
Re:Violation of My Privacy? (Score:4, Informative)
Mostly the volume of data involved is so large that trying to monitor it without filtering for the items of interest is usually impossible. And that filter is your best defense, in this particular situation.
Unless, of course, you're sending Aunt Martha that e-mail over IRC....
Re:Easy way to catch them. (Score:3, Informative)
Re:Violation of My Privacy? (Score:1, Informative)
The Wiretap Act "Provider Exception" 18 U.S.C 2511(2)(a)(i) [cybercrime.gov] enables the network, or those working for the network, to snoop on any traffic.
So, if you don't like that, you're free to make your own internet. As someone who operates networks, I can assure you, unless you're doing something that violates my TOS, I have better things to do with my time than read your crappy e-mail, and posts to
Re:Violation of My Privacy? (Score:4, Informative)
So you can put the gun down; your privacy is safe.
Re:Easy way to catch them. (Score:2, Informative)
It's the dissecting and cleaning part that's hard, and getting harder and harder as kiddies are getting "smarter".
Re:Self destruct the botnets? (Score:3, Informative)
Going after the controlling servers of the bot-net however, while it is definitely still a legal grey area, is less likely to get you a jail sentence and/or a fine. There are also viable approaches that wouldn't break the law at all, although they are probably not going to deliver results if the server is with certain "bullet proof hosting" providers who just don't care about abuse reports. In any case, it's still a game of Whack-a-Mole, only by going after the servers you are essentially playing with 10,000 mallets simultaneously...
Re:Who cares really (Score:3, Informative)
Most 'normal' users really don't seem to give a damn if their computer is being hijacked, as long as they don't notice it. And the same users won't understand that their 56k line is one of many, which adds up to an enormous amount of bandwidth.
Re:A more effective approach? (Score:3, Informative)
1. It's more code weight, harder to transport, run, and create.
2. The bot virus writers have probably read the villainy HOWTO which advises against installing a self-destruct device because invariably the hero will use it as a very easy means to destroy the superweapon.
Re:Easy way to catch them. (Score:3, Informative)
Modern spam zombies use p2p networks to send messages back and forth; they aren't controlled from centralized IRC servers anymore.
The article discusses decoding the control messages sent between the bots in their own network, and how to take control of them, and possibly shutting them down.
Anti-anti-botnet (Score:3, Informative)
If I were a Blackhat, my counter to this would be to have the members of the botnet relay my commands among themselves like a telephone relay tree where one person calls 5 who each then call 5 who each then ... To find Mr. Big, you'd have to find the headwaters of the stream, which would be a difficult task.
Re:I hope they invite the DShield guy (Score:2, Informative)
I don't think that the security community has a unanimously high opinion of Steve Gibson: see http://www.grcsucks.com/ [grcsucks.com] for a counter-point.
Gibson is certainly a gifted self-publicist, but I'll leave it to others more qualified to comment on whether he is a good security consultant...
Re:C&C attacks work well for military (Score:3, Informative)
Re:Easy way to catch them. (Score:3, Informative)
That's exceedingly hard to get working properly, which is probably why it's still not a very common behaviour. In my experience, most of the botnets still seem to be controlled by a central IRC server, albeit they tend to use hacked up ircds that provide only the minimal functionality required (with little in the way of informational messages), making it hard to get much information out of the IRC servers used for centralized control.
I'm the security manager for the GameSurge IRC network, and that's just my personal experience on the matter. The average botnet used to attack things other than our IRC network may be different from what I've seen; however, I'd still contest your claim that they aren't usually controlled from centralized IRC servers anymore. Remember, most of the people running botnets are kids.
Re:What's good for the goose... (Score:3, Informative)
This is nothing like a Star Chamber -- The little script kiddies aren't being rounded up and killed (although maybe that'd send a nice message).
I'm just kicking them off my DNS network and when I can alert the ISPs of infected zombies and C&Cs then all the better. When there is information to hand over to LE then I try to do that. A lot of this abuse now deals with phishing and other financially driven motives and so having a strong working relationship with LE is essential. Vigilantes don't have that...
This isn't about being a vigilante, it's about protecting my backyard. The fact that it helps the rest of the net out is a positive side effect.
Thanks,
David U.
Re:Why allow IRC? (Score:4, Informative)
So just port filtering doesn't work. The next idea is to do stateful packet inspection. Every router looks at the contents of every packet to determine if it is part of the IRC protocol.
Ok, this would work, except it would be unacceptably expensive to implement. Plus, I believe that some (most? all?) IRC servers support SSL and possibly IPSEC. So the packets are encrypted using SSL, and using some non-obvious port (like, say, port 443). At this point, it is very hard to distinguish between legitimate HTTPS traffic and IRC traffic. I suppose you could look at the packet sizes and do traffic analysis on the flows, but you'd still have problems with other legitimate services running over HTTPS (like VPN proxies or Java Applets, or Flash).
So, even if IRC is the root of all evil in the world, it's not possible to just "not allow" it.
(Sorry for the rant, I'm getting over being sick and still a bit punchy)
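As an added example (not from this comment, the article, or any of the researchers it describes), here is the flow-shape heuristic the comment gestures at: given router IP-flow records, flag an external endpoint that many internal hosts hold open for a long time with only a trickle of bytes, the profile of an IRC control channel even when it sits on port 443. The record fields, thresholds and addresses are my assumptions and the flows are constructed.

```python
"""Flow-based triage for IRC-style botnet command-and-control channels.

Added example, not from the thread. Input is a list of constructed flow
records shaped roughly like a router's IP-flow export (src, dst, dport,
bytes, packets, duration). An endpoint (dst, dport) is flagged when many
distinct internal hosts hold long-lived, low-volume connections to it,
which is how a held-open IRC control channel looks regardless of port.
Ordinary HTTPS flows are short and byte-heavy, so they do not match.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # internal client address
    dst: str        # external server address
    dport: int      # destination port
    bytes: int      # total bytes in the flow
    packets: int    # total packets in the flow
    duration_s: int # flow duration in seconds


def find_cc_candidates(flows, min_clients=5, min_duration_s=600, max_bytes_per_s=50):
    """Return {(dst, dport): sorted client list} for endpoints shaped like C&C."""
    clients = defaultdict(set)
    for f in flows:
        if f.duration_s < min_duration_s:
            continue  # short flow: an ordinary web request, not a held-open channel
        if f.bytes / max(f.duration_s, 1) > max_bytes_per_s:
            continue  # bulk transfer, not a trickle of control messages
        clients[(f.dst, f.dport)].add(f.src)
    return {ep: sorted(c) for ep, c in clients.items() if len(c) >= min_clients}


# Constructed sample: six internal hosts idle on 203.0.113.5:443 for an hour
# with a few KB each (IRC-over-TLS shape), plus normal HTTPS to 198.51.100.10.
SAMPLE_FLOWS = [
    Flow(f"10.0.0.{i}", "203.0.113.5", 443, 4_000 + i * 100, 60, 3_600) for i in range(1, 7)
] + [
    Flow("10.0.0.1", "198.51.100.10", 443, 850_000, 700, 12),
    Flow("10.0.0.2", "198.51.100.10", 443, 120_000, 110, 4),
    Flow("10.0.0.9", "198.51.100.10", 443, 2_300_000, 1_900, 40),
]

if __name__ == "__main__":
    for (dst, port), hosts in find_cc_candidates(SAMPLE_FLOWS).items():
        print(f"candidate C&C {dst}:{port} held open by {len(hosts)} hosts: {hosts}")
```

Many long-lived low-volume clients also describe a VPN concentrator or a push-notification service, which is exactly the false-positive class the comment raises, so treat a hit as a triage lead to confirm with the sample reverse engineering the article describes rather than as proof.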