Hunting for Botnet Command and Controls
Uky writes "Convinced that the recent upswing in virus and Trojan attacks is directly linked to the creation of botnets for nefarious purposes, a group of high-profile security researchers is fighting back, vigilante-style. The objective of the group, which operates on closed, invite-only mailing lists, is to pinpoint and ultimately disable the C&C (command-and-control) infrastructure that sends instructions to millions of zombie drone machines hijacked by malicious hackers." From the article: "Using data from IP flows passing through routers and reverse-engineering tools to peek under the hood of new Trojans, Thompson said the researchers are able to figure out how the botnet owner sends instructions to the compromised machines."
Easy way to catch them. (Score:3, Insightful)
To inflate user counts, just get an ircd that allows assigning yourself or others fake hostnames (for certain hosts/etc). Then load tons of bots in channels pretending to be 'users'. You could even get creative and make them idly chatter with each other.
Anyways, the point is that most of these botnet people eventually want to take a part of their net out to go mess with IRC channels, and they usually seem to target smaller networks at the top of whatever list they're using. So all ya gotta do is just log massive joins into certain channels, or when a flood of users magically connects to your fake network. Then you have tons of bots to dissect or whatever.
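The detection the comment describes (log mass joins into a channel or a flood of connects to the decoy network, then keep the hosts for dissection), as an added example that is not part of the original post. The log line format (ISO timestamp, verb, optional channel, nick!user@host), the 10-second window, the threshold of 8 and the sample records are all assumptions of this example; real ircd logs will need their own parser.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one parsed ircd log line. The format (timestamp, verb, optional
// channel, nick!user@host) is assumed for this example, not any real ircd's.
type Event struct {
	At   time.Time
	Verb string // "JOIN" or "CONNECT"
	Chan string // channel for JOIN, empty for CONNECT
	Who  string // nick!user@host
}

func ParseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) < 3 {
		return Event{}, fmt.Errorf("short line: %q", line)
	}
	at, err := time.Parse("2006-01-02T15:04:05", f[0])
	if err != nil {
		return Event{}, err
	}
	switch f[1] {
	case "JOIN":
		if len(f) < 4 {
			return Event{}, fmt.Errorf("JOIN without host: %q", line)
		}
		return Event{At: at, Verb: "JOIN", Chan: f[2], Who: f[3]}, nil
	case "CONNECT":
		return Event{At: at, Verb: "CONNECT", Who: f[2]}, nil
	}
	return Event{}, fmt.Errorf("unknown verb %q", f[1])
}

// Alert fires once per key when the window fills; Hosts are the distinct
// user@host strings involved, i.e. the machines worth pulling apart later.
type Alert struct {
	Key   string // "#channel" for a join flood, "connect" for a connect flood
	At    time.Time
	Count int
	Hosts []string
}

// Detector keeps a sliding window of events per key (channel or "connect").
type Detector struct {
	Window    time.Duration
	Threshold int
	recent    map[string][]Event
	fired     map[string]bool
}

func NewDetector(window time.Duration, threshold int) *Detector {
	return &Detector{Window: window, Threshold: threshold,
		recent: map[string][]Event{}, fired: map[string]bool{}}
}

// Feed takes events in chronological order and returns an alert the first
// time a key accumulates Threshold events inside Window.
func (d *Detector) Feed(ev Event) *Alert {
	key := "connect"
	if ev.Verb == "JOIN" {
		key = ev.Chan
	}
	evs := d.recent[key]
	i := 0
	for i < len(evs) && ev.At.Sub(evs[i].At) > d.Window {
		i++ // expire events older than the window
	}
	evs = append(evs[i:], ev)
	d.recent[key] = evs
	if len(evs) < d.Threshold || d.fired[key] {
		return nil
	}
	d.fired[key] = true
	seen := map[string]bool{}
	var hosts []string
	for _, e := range evs {
		h := e.Who
		if bang := strings.Index(h, "!"); bang >= 0 {
			h = h[bang+1:] // drop the nick; bots change those freely
		}
		if !seen[h] {
			seen[h] = true
			hosts = append(hosts, h)
		}
	}
	return &Alert{Key: key, At: ev.At, Count: len(evs), Hosts: hosts}
}

// Scan runs the detector over raw lines, skipping ones it cannot parse.
func Scan(lines []string, window time.Duration, threshold int) []Alert {
	d := NewDetector(window, threshold)
	var alerts []Alert
	for _, l := range lines {
		if ev, err := ParseLine(l); err == nil {
			if a := d.Feed(ev); a != nil {
				alerts = append(alerts, *a)
			}
		}
	}
	return alerts
}

// SampleLog is constructed for this example: two humans over ten minutes,
// then ten bots connecting and piling into #target within a few seconds.
func SampleLog() []string {
	lines := []string{
		"2005-03-21T10:00:00 CONNECT alice!a@home.example",
		"2005-03-21T10:00:05 JOIN #chat alice!a@home.example",
		"2005-03-21T10:03:40 CONNECT bob!b@dsl.example",
		"2005-03-21T10:03:42 JOIN #chat bob!b@dsl.example",
		"this line is not a log record",
	}
	for i := 1; i <= 10; i++ {
		who := fmt.Sprintf("bot%02d!x@10.0.%d.%d", i, i, i)
		lines = append(lines,
			fmt.Sprintf("2005-03-21T10:11:%02d CONNECT %s", i/4, who),
			fmt.Sprintf("2005-03-21T10:11:%02d JOIN #target %s", 3+i/4, who))
	}
	return lines
}

func Demo() []Alert { return Scan(SampleLog(), 10*time.Second, 8) }

func main() {
	for _, a := range Demo() {
		fmt.Printf("%s %s: %d events, %d hosts\n", a.At.Format("15:04:05"), a.Key, a.Count, len(a.Hosts))
	}
}
```

The two human users never trip either window, the ten-second burst trips both the connect key and the #target key once each, and the alert carries the user@host list rather than nicks, since nicks are the one thing a bot herder changes at will.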
pessimistic (Score:5, Insightful)
Re:Violation of My Privacy? (Score:5, Insightful)
You, by encrypting them.
Shutting down botnets is a pointless effort.. (Score:4, Insightful)
The only solution is secure software engineering and prompt, reliable patching.
Re:Shutting down botnets is a pointless effort.. (Score:4, Insightful)
Unfortunately that's not a very good solution. While creating more secure software from the ground up is definitely the way to go for the future, you have to have some plan to deal with the current problems. Keep in mind that the vast majority of people aren't going to upgrade to the latest and greatest OS, web browser, or whatever if their existing one works. So even after you've got more secure computing solutions out there, you have to convince people it's worth the time and, more specifically, the cost of upgrading.
Re:Who cares really (Score:3, Insightful)
What you're saying shows the root of the problem and why it's so hard to solve: you need some level of cooperation from people who do not have a direct interest in solving it, simply because it doesn't affect them. Sure, your little 56k is quite harmless, but with 1000 zombies on little 56k lines, you can create quite a flood.
The other problem is with using up bandwidth allotments. Let's say the attacker is using 2KB/s for flooding. You won't notice that, but the other end wastes 5GB/month. Now if you have just 200 56k lines pumping this on average, you'll be driving the target into unwanted bandwidth bills for sure. Now this analysis is making some assumptions, but you get the picture.
Re:Violation of My Privacy? (Score:2, Insightful)
However, when you click SEND from whatever email client you use, you are essentially flinging a postcard out of your 10th story window.
Said postcard contains:
If you are truly concerned about some "expert" taking the time to read whatever it is that you have to say to a friend, or associate, then you should investigate either encrypting your messages, or use a different medium of communication.
Re:Violation of My Privacy? (Score:1, Insightful)
>> In other words, when the "experts" are protecting me from the hackers, who is protecting me from the "experts"?
Wrong. Reverse engineering of malware does not involve sniffing traffic indiscriminately. By looking at the binary's assembly code the totality of the backdoor protocol can be determined. For those with less skills, examining the network traffic going from/to a single sacrificial "goat" machine running VMware at either the host level or the network level can also yield usable information.
Sniffing random traffic of unrelated machines is not a standard or even useful practice when conducting malware analysis.
Re:kudos (Score:3, Insightful)
The moment one of these botnets decides to DDoS the servers at the Capitol building or start attacking other aspects of the US internet infrastructure, your congressman isn't going to give a shit.
The internet and the laws governing it are the wild west at the moment. Some corners have very strong laws, other corners have none. However, if I remember correctly, it was the vigilantes who took care of the areas where strong law hadn't come into play.
Vigilante groups are a double-edged sword. Laws generally aren't as agile as a group of people working for the common good. However, there is a danger that any group of people, once given power, is generally averse to giving it up. Also the argument about what "common good" is gets nebulous. We all agree that child porn sites should be taken down and their proprietors chucked into wood chippers. What happens when you get a vigilante group that feels that all porn sites are bad?
C&C? (Score:3, Insightful)
The only solution is user education.
Re:C&C attacks work well for military (Score:2, Insightful)
The computers that form the botnet are still compromised and are still just as dangerous. If they have a hard-coded IP address to receive instructions from the vigilantes can make sure that IP address doesn't issue instructions but if the instructions are received in a less centralised way then I can't see how they could stop the instructions being sent.
Maybe what we need is a follow up deconstruction of the command protocol to allow an effective "self destruct" command to be sent. (Obviously there won't be a self destruct command but there is often the ability to download a new binary file and execute it.)
Re:pessimistic (Score:2, Insightful)
What do I mean? Well, we all know that there are plenty of good, free security tools out there, from antivirus programs, antispyware programs, and firewalls. CDs are dirt cheap, and every person reading this probably has a few hundred lying around. Everyone here probably also has plenty of ignorant friends and coworkers. Well, try to educate them! Next time a major Internet security story hits the mainstream media (like, I don't know, the big cc number heist facilitated by a virus), get your employer's blessing to send out an e-mail to everyone asking if they'd like a CD full of free programs to secure their home computers. Then, as people come to see you, pass out the disc, along with some articles on basic security, and tell them to take a few minutes to read and educate themselves. You may not reach all of them, but you will reach some, and if everyone at least tries, we may do some good here.
I'll even supply the URL for a PC Mag article on computer security for the beginners to read.
http://www.pcmag.com/article2/0,1759,1754340,00.a
Re:What causes botnets? (Score:3, Insightful)
You want to throw my mother in the slammer?
You're not nice at all.
Re:Good for them. (Score:3, Insightful)
More: There is no law against that.
Roper: There is! God's law!
More: Then God can arrest him.
Roper: Sophistication upon sophistication.
More: No, sheer simplicity. The law, Roper, the law. I know what's legal not what's right. And I'll stick to what's legal.
Roper: Then you set man's law above God's!
More: No, far below; but let me draw your attention to a fact - I'm not God. The currents and eddies of right and wrong, which you find such plain sailing, I can't navigate. I'm no voyager. But in the thickets of the law, oh, there I'm a forrester. I doubt if there's a man alive who could follow me there, thank God....
Alice: While you talk, he's gone!
More: And go he should, if he was the Devil himself, until he broke the law!
Roper: So now you'd give the Devil benefit of law!
More: Yes. What would you do? Cut a great road through the law to get after the Devil?
Roper: I'd cut down every law in England to do that!
More: Oh? And when the last law was down, and the Devil turned round on you - where would you hide, Roper, the laws all being flat? This country's planted thick with laws from coast to coast - man's laws, not God's - and if you cut them down - and you're just the man to do it - d'you really think you could stand upright in the winds that would blow then? Yes, I'd give the Devil benefit of law, for my own safety's sake.
Re:What causes botnets? (Score:3, Insightful)
Joe Sixpack doesn't consider it "irresponsible" to connect his machine to the net without a firewall. In fact he probably doesn't even know what a firewall is.
If you're looking for someone to blame, look no further than Microsoft for having everyone run as admin and leaving several easily-exploitable ports open by default on every version of Windows up to XP SP2.
By the way, just as a reminder: botnets originally entered the limelight after script kiddies on IRC networks started mass-scanning and exploiting remote-root vulns on LINUX machines (via exploits for commonly used and often default services such as wuftpd and bind) in order to accumulate more bandwidth to "take over" IRC channels.
Linux was the primary OS exploited by botnet kiddies way before Windows. According to you, the admins of those Linux boxes should be held liable for getting rooted. While I agree they are at fault for not being more security-minded, I would never consider holding them criminally responsible for getting hacked.
That's just crazy talk.
How my botnet would work. (Score:4, Insightful)
The bots would be connected to their own P2P-ish system. Commands would be passed around the network in a method similar to searches in Gnutella.
All commands would be signed by my private key. My bots would all have my public key. Thus, I would be *the only person* who could issue valid commands to my botnet.
This would make it impossible to tell where the commands are coming from, since the originator would look just like another bot on the network.
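The design sketched in this comment, and why it defeats the "reverse the protocol and send a self destruct" idea from the earlier reply, as an added example that is not part of either post. Commands are flooded Gnutella-style through an overlay of nodes that each hold only the public key; a party without the private key can inject a message at any node but no node will execute or forward it. Ed25519 is substituted here for the unspecified signature scheme, the sequence number is an addition of this example (the comment's design as written would accept a replayed old command), and the command texts and ring topology are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Command is what the overlay floods: a sequence number (added here to
// stop replays), the command text, and a signature over seq||text.
type Command struct {
	Seq  uint64
	Text string
	Sig  []byte
}

func (c Command) payload() []byte {
	buf := make([]byte, 8, 8+len(c.Text))
	binary.BigEndian.PutUint64(buf, c.Seq)
	return append(buf, c.Text...)
}

// id is the flood-dedup key; it covers the signature so a forgery and a
// genuine command with the same text are distinct messages.
func (c Command) id() [32]byte { return sha256.Sum256(append(c.payload(), c.Sig...)) }

// Operator is the only holder of the private key.
type Operator struct {
	priv ed25519.PrivateKey
	seq  uint64
}

func NewOperator() (*Operator, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Operator{priv: priv}, pub
}

func (o *Operator) Issue(text string) Command {
	o.seq++
	c := Command{Seq: o.seq, Text: text}
	c.Sig = ed25519.Sign(o.priv, c.payload())
	return c
}

// Bot is one overlay node: public key only, so it can verify but not mint.
type Bot struct {
	pub      ed25519.PublicKey
	peers    []*Bot
	seen     map[[32]byte]bool
	lastSeq  uint64
	Executed []string
	Rejected int
}

func NewBot(pub ed25519.PublicKey) *Bot { return &Bot{pub: pub, seen: map[[32]byte]bool{}} }

func Link(a, b *Bot) { a.peers = append(a.peers, b); b.peers = append(b.peers, a) }

// Receive is the Gnutella-style flood: dedup, verify, execute, forward.
// Anything failing verification or replaying an old seq is dropped, never forwarded.
func (b *Bot) Receive(c Command) {
	id := c.id()
	if b.seen[id] {
		return
	}
	b.seen[id] = true
	if !ed25519.Verify(b.pub, c.payload(), c.Sig) || c.Seq <= b.lastSeq {
		b.Rejected++
		return
	}
	b.lastSeq = c.Seq
	b.Executed = append(b.Executed, c.Text)
	for _, p := range b.peers {
		p.Receive(c)
	}
}

// Demo wires a five-node ring and reports genuine executions, bots that ran
// a forged command, and whether a late-joining node rejected a replay.
func Demo() (executed, forged int, replayRejected bool) {
	op, pub := NewOperator()
	ring := make([]*Bot, 5)
	for i := range ring {
		ring[i] = NewBot(pub)
	}
	for i := range ring {
		Link(ring[i], ring[(i+1)%len(ring)])
	}
	cmd1 := op.Issue("update-check") // command texts are placeholders
	cmd2 := op.Issue("idle")
	ring[2].Receive(cmd1) // injection point looks like any other peer
	ring[4].Receive(cmd2)
	for _, b := range ring {
		executed += len(b.Executed)
	}
	// Someone without the operator's key signs a "self destruct" with their own.
	_, otherKey, _ := ed25519.GenerateKey(rand.Reader)
	fake := Command{Seq: 99, Text: "selfdestruct"}
	fake.Sig = ed25519.Sign(otherKey, fake.payload())
	ring[0].Receive(fake)
	for _, b := range ring {
		for _, t := range b.Executed {
			if t == "selfdestruct" {
				forged++
			}
		}
	}
	// A node that missed the flood gets cmd2, then a replay of the older cmd1.
	late := NewBot(pub)
	late.Receive(cmd2)
	late.Receive(cmd1)
	replayRejected = late.Rejected == 1 && len(late.Executed) == 1
	return
}

func main() {
	e, f, r := Demo()
	fmt.Printf("executed=%d forged=%d replayRejected=%v\n", e, f, r)
}
```

The defender's takeaway is that the C&C infrastructure to hunt in this design is the key, not an address: taking over a node, or even every node's network path, yields nothing executable without the private key, so the only way to get a usable "self destruct" is to obtain that key or find a bug in the bots' own verification or update code.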
Re:What's good for the goose... (Score:1, Insightful)
Um, you've read the constitution of the United States of America? We had a deal with our government and, in exchange, we-the-people allowed it to exist. Now, our government has decided a few fundamental terms of that deal don't apply.
If these changes really do make sense, then we need a constitutional convention to sort it out and come up with another agreement. I'd also be happy with a more proactive Supreme Court and a few clueful candidates for national office to sort this out. Until either of those things happen, we (the US) are not what we claim to be.
Maybe I should run for office.