
Hunting for Botnet Command and Controls 228

Uky writes "Convinced that the recent upswing in virus and Trojan attacks is directly linked to the creation of botnets for nefarious purposes, a group of high-profile security researchers is fighting back, vigilante-style. The objective of the group, which operates on closed, invite-only mailing lists, is to pinpoint and ultimately disable the C&C (command-and-control) infrastructure that sends instructions to millions of zombie drone machines hijacked by malicious hackers." From the article: "Using data from IP flows passing through routers and reverse-engineering tools to peek under the hood of new Trojans, Thompson said the researchers are able to figure out how the botnet owner sends instructions to the compromised machines."
  • by wcdw ( 179126 ) on Sunday June 19, 2005 @06:39PM (#12858578) Homepage
    At every company/ISP there are people who have the ability, and regularly do, delve into the data streams flowing through the routers. And yes, sometimes they read your letter to Aunt Martha (or worse).

    Mostly the volume of data involved is so large that trying to monitor it without filtering for the items of interest is usually impossible. And that filter is your best defense, in this particular situation.

    Unless, of course, you're sending Aunt Martha that e-mail over IRC....
  • by Nasarius ( 593729 ) on Sunday June 19, 2005 @06:45PM (#12858613)
    I think he's proposing that you run your own IRC network as a honeypot and hope that bot authors use it. Seems kinda inefficient.
  • by Anonymous Coward on Sunday June 19, 2005 @06:51PM (#12858644)
    As a provider, I can ask: Exactly what privacy do you expect beyond the TOS agreement you clicked/signed to gain access to my network?

    The Wiretap Act "Provider Exception" 18 U.S.C 2511(2)(a)(i) [cybercrime.gov] enables the network, or those working for the network, to snoop on any traffic.

    So, if you don't like that, you're free to make your own internet. As someone who operates networks, I can assure you, unless you're doing something that violates my TOS, I have better things to do with my time than read your crappy e-mail, and posts to /.
  • by deep44 ( 891922 ) on Sunday June 19, 2005 @06:52PM (#12858650)
    When the security "experts" are busy looking at all the data passing through routers, who is busy ensuring that the "experts" will not violate my privacy by reading the personal but sensitive e-mail notes that I send to my friends and associates?
    Umm.. they're not looking at "all the data passing through routers". Flow data is a sampling of information (source, dest, proto, port, etc) from a designated collection point. Even without the actual "data" portion of the packet, it's impractical to collect anything more than a small percentage of the total traffic.

    So you can put the gun down- your privacy is safe.
  • by coekie ( 603995 ) on Sunday June 19, 2005 @07:00PM (#12858688) Homepage
    Finding them really is not the problem. Opers have nice tools/services for that (at least on some big networks), drone connection/channel detection notices scrolling by as fast as you can read...
    It's the dissecting and cleaning part that's hard, and getting harder and harder as kiddies are getting "smarter".
  • by Zocalo ( 252965 ) on Sunday June 19, 2005 @07:07PM (#12858726) Homepage
    If you are going down that road, then you would have to simply go ahead and do it, which makes you no different than the scum that put it there in the first place in the eyes of the law. Now, in theory, you could pop up a message that says "Your PC has been compromised... You need to do X, Y & Z." and be safe from the law. The snag is that most of the people whose PCs are members of botnets are probably the same ones who are used to seeing pop-ups of that form telling them to do and drop $30 on some shitty piece of software that just installs more malware.

    Going after the controlling servers of the bot-net however, while it is definitely still a legal grey area, is less likely to get you a jail sentence and/or a fine. There are also viable approaches that wouldn't break the law at all, although they are probably not going to deliver results if the server is with certain "bullet proof hosting" providers who just don't care about abuse reports. In any case, it's still a game of Whack-a-Mole, only by going after the servers you are essentially playing with 10,000 mallets simultaneously...

  • Re:Who cares really (Score:3, Informative)

    by rpozz ( 249652 ) on Sunday June 19, 2005 @07:19PM (#12858794)
    This isn't flamebait, he's making a point.

    Most 'normal' users really don't seem to give a damn if their computer is being hijacked, as long as they don't notice it. And the same users won't understand that their 56k line is one of many, which adds up to an enormous amount of bandwidth.
  • by NevarMore ( 248971 ) on Sunday June 19, 2005 @07:37PM (#12858886) Homepage Journal
    Wipe themselves out how? They probably don't have self-destruct routines,
    1. It's more code weight, harder to transport, run, and create.
    2. The bot virus writers have probably read the villainy HOWTO which advises against installing a self-destruct device because invariably the hero will use it as a very easy means to destroy the superweapon.
  • by Keruo ( 771880 ) on Sunday June 19, 2005 @07:47PM (#12858932)
    Nice idea, but you're ~2 years late.
    Modern spam zombies use p2p network to send messages back and forth, they aren't controlled from centralized irc servers anymore.

    The article discusses decoding the control messages sent between the bots in their own network, and how to take control of them, and possibly shutting them down.
  • Anti-anti-botnet (Score:3, Informative)

    by John Jorsett ( 171560 ) on Sunday June 19, 2005 @08:52PM (#12859261)
    "Once the head goes, that botnet is largely useless," said Roger Thompson, director of malicious content research at Computer Associates International Inc.

    If I were a Blackhat, my counter to this would be to have the members of the botnet relay my commands among themselves like a telephone relay tree where one person calls 5 who each then call 5 who each then ... To find Mr. Big, you'd have to find the headwaters of the stream, which would be a difficult task.

  • by encyclo ( 793987 ) on Sunday June 19, 2005 @09:03PM (#12859326)

    I don't think that the security community has a unanimously high opinion of Steve Gibson: see http://www.grcsucks.com/ [grcsucks.com] for a counter-point.

    Gibson is certainly a gifted self-publicist, but I'll leave others more qualified to comment on whether he is a good security consultant...

  • by Aaron England ( 681534 ) on Sunday June 19, 2005 @09:28PM (#12859473)
    The proper acronym for command and control is C2. Not C&C. Add communications to that and you get C3. Add computers to that and you get C4. Add intelligence to that and you get C4i.
  • by SailorFrag ( 231277 ) on Sunday June 19, 2005 @11:14PM (#12859961) Homepage
    > Modern spam zombies use p2p network to send messages back and forth, they aren't controlled from centralized irc servers anymore.

    That's exceedingly hard to get working properly, which is probably why it's still not a very common behaviour. In my experience, most of the botnets still seem to be controlled by a central IRC server, albeit they tend to use hacked up ircds that provide only the minimal functionality required (with little in the way of informational messages), making it hard to get much information out of the IRC servers used for centralized control.

    I'm the security manager for the GameSurge IRC network, and that's just my personal experience on the matter. The average botnet used to attack things other than our IRC network may be different from what I've seen, however I'd still contest your claim that they aren't usually controlled from centralized IRC servers anymore. Remember, most of the people running botnets are kids.
  • by davidu ( 18 ) on Monday June 20, 2005 @01:53AM (#12860658) Homepage Journal


    This is nothing like a Star Chamber -- The little script kiddies aren't being rounded up and killed (although maybe that'd send a nice message).

    I'm just kicking them off my DNS network and when I can alert the ISPs of infected zombies and C&Cs then all the better. When there is information to hand over to LE then I try to do that. A lot of this abuse now deals with phishing and other financially driven motives and so having a strong working relationship with LE is essential. Vigilantes don't have that...

    This isn't about being a vigilante, it's about protecting my backyard. The fact that it helps the rest of the net out is a positive side effect.

    Thanks,
    David U.
  • Re:Why allow IRC? (Score:4, Informative)

    by Halo- ( 175936 ) on Monday June 20, 2005 @09:30AM (#12862453)
    I'm not going to argue the merits or faults of IRC, because it doesn't matter. The problem is that even if you say "IRC is bad" there isn't really a way to "not allow" it. Generally IRC uses ports around the range 6669-7000 (IIRC). So everyone firewalls those off... And the owners of the server move to port 3456 (or whatever...)

    So just port filtering doesn't work. The next idea is to do stateful packet inspection. Every router looks at the contents of every packet to determine if it is part of the IRC protocol.

    Ok, this would work, except it would be unacceptably expensive to implement. Plus, I believe that some (most? all?) IRC servers support SSL and possibly IPSEC. So the packets are encrypted using SSL, and using some non-obvious port. (like say, port 443) At this point, it is very hard to distinguish between legitimate HTTPS traffic and IRC traffic. I suppose you could look at the packet sizes and do traffic analysis on the flows, but you'd still have problems with other legitimate services running over HTTPS. (Like VPN proxies or Java Applets, or Flash)

    So, even if IRC is the root of all evil in the world, it's not possible to just "not allow" it.

    (Sorry for the rant, I'm getting over being sick and still a bit punchy)
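The two threads above touch the same point from opposite sides: deep44 notes that flow data is only the header-level summary (source, destination, protocol, port) of traffic at a collection point, and Halo- notes that controllers simply move off the well-known IRC ports, so port filtering alone tells you nothing. The script below is an added example, not code from the article or from any commenter: it reads constructed NetFlow-style records and flags a destination that many distinct internal hosts contact on the same port with small, uniform flows, without caring what the port is. The record layout, the documentation-range addresses and the thresholds are all assumptions made for the example.

```python
"""Flow-based hunt for botnet C&C candidates (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow export, one record per line:
# src_ip dst_ip proto dst_port packets bytes
FLOWS = """
10.0.0.11 203.0.113.5 tcp 3456 12 980
10.0.0.12 203.0.113.5 tcp 3456 11 960
10.0.0.13 203.0.113.5 tcp 3456 13 1010
10.0.0.14 203.0.113.5 tcp 3456 12 990
10.0.0.15 203.0.113.5 tcp 3456 12 975
10.0.0.11 198.51.100.7 tcp 443 240 184000
10.0.0.12 198.51.100.7 tcp 443 50 40200
10.0.0.13 198.51.100.9 tcp 80 30 21000
"""


def parse_flows(text):
    """Parse the whitespace-separated export into a list of dicts."""
    records = []
    for line in text.strip().splitlines():
        src, dst, proto, dport, pkts, byts = line.split()
        records.append({"src": src, "dst": dst, "proto": proto,
                        "dport": int(dport), "packets": int(pkts),
                        "bytes": int(byts)})
    return records


def find_cc_candidates(records, min_sources=4, max_bytes=4096, max_rel_spread=0.25):
    """Group flows by (dst, proto, dport) and flag groups where many distinct
    internal hosts send small flows of nearly identical size: the shape of
    bots polling a controller, whatever port it listens on. Thresholds are
    assumed values for the example, not tuned from real data."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["dst"], r["proto"], r["dport"])].append(r)
    hits = []
    for (dst, proto, dport), flows in groups.items():
        sources = {f["src"] for f in flows}
        sizes = [f["bytes"] for f in flows]
        avg = mean(sizes)
        if (len(sources) >= min_sources and avg <= max_bytes
                and pstdev(sizes) / avg <= max_rel_spread):
            hits.append({"dst": dst, "proto": proto, "dport": dport,
                         "sources": sorted(sources)})
    return hits


if __name__ == "__main__":
    for hit in find_cc_candidates(parse_flows(FLOWS)):
        print(f"candidate C&C {hit['dst']}:{hit['dport']} ({hit['proto']}) "
              f"contacted by {len(hit['sources'])} hosts")
```

On the constructed data only the 203.0.113.5:3456 group is flagged; the HTTPS and HTTP flows have too few sources and too much size variation. Anything this flags is a lead for abuse reporting or host triage, not proof, since a software update server can look similar at the flow level.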
