
Hunting for Botnet Command and Controls 228

Uky writes "Convinced that the recent upswing in virus and Trojan attacks is directly linked to the creation of botnets for nefarious purposes, a group of high-profile security researchers is fighting back, vigilante-style. The objective of the group, which operates on closed, invite-only mailing lists, is to pinpoint and ultimately disable the C&C (command-and-control) infrastructure that sends instructions to millions of zombie drone machines hijacked by malicious hackers." From the article: "Using data from IP flows passing through routers and reverse-engineering tools to peek under the hood of new Trojans, Thompson said the researchers are able to figure out how the botnet owner sends instructions to the compromised machines."
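The summary says the researchers start from IP flows passing through routers. An added example of what that analysis looks like in practice (this is not code from the eWeek article, the researchers, or any poster in this thread): a pass over flow records that looks for the fan-in a centralised command-and-control server leaves behind, namely many distinct internal hosts holding long-lived, low-volume sessions to one external host:port. The records, the CSV layout, the 10.0.0.0/8 internal range and the thresholds are all constructed assumptions for this illustration, not a vendor's NetFlow format.

```python
"""
Added example: flag candidate C&C endpoints from constructed flow records.
Not code from the article or the thread; every value below is made up.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # source address as written in the record
    dst: str          # destination address
    dport: int        # destination port
    bytes_out: int    # bytes sent by src over the flow
    duration_s: int   # flow lifetime in seconds


# Assumption: the monitored site's internal address range.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample records: src,dst,dport,bytes_out,duration_s
SAMPLE_FLOWS = """\
# six hosts, quiet hour-long sessions to one IRC-port endpoint
10.0.1.11,203.0.113.7,6667,900,3600
10.0.1.12,203.0.113.7,6667,850,3590
10.0.1.13,203.0.113.7,6667,910,3610
10.0.2.21,203.0.113.7,6667,780,3500
10.0.2.22,203.0.113.7,6667,1020,3650
10.0.3.31,203.0.113.7,6667,890,3580
# same six hosts fetching a popular HTTPS site: big, short transfers
10.0.1.11,198.51.100.20,443,450000,12
10.0.1.12,198.51.100.20,443,380000,9
10.0.1.13,198.51.100.20,443,510000,15
10.0.2.21,198.51.100.20,443,420000,11
10.0.2.22,198.51.100.20,443,390000,8
10.0.3.31,198.51.100.20,443,470000,14
# two people on a legitimate IRC server: fan-in too small
10.0.1.11,192.0.2.9,6667,700,3000
10.0.1.12,192.0.2.9,6667,650,2900
# inbound flow, ignored because the source is external
203.0.113.50,10.0.1.11,22,300,5
"""


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed CSV layout; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, nbytes, dur = line.split(",")
        flows.append(Flow(src, dst, int(dport), int(nbytes), int(dur)))
    return flows


def find_cc_candidates(flows, min_fanin=5, max_avg_bytes=4096, min_avg_duration_s=600):
    """Group outbound flows by (dst, dport) and keep the groups where enough
    distinct internal hosts hold long, quiet sessions to the same endpoint."""
    groups: dict[tuple[str, int], list[Flow]] = defaultdict(list)
    for f in flows:
        src_internal = ipaddress.ip_address(f.src) in INTERNAL
        dst_internal = ipaddress.ip_address(f.dst) in INTERNAL
        if src_internal and not dst_internal:
            groups[(f.dst, f.dport)].append(f)

    candidates = []
    for (dst, dport), fs in groups.items():
        hosts = {f.src for f in fs}
        avg_bytes = sum(f.bytes_out for f in fs) / len(fs)
        avg_duration = sum(f.duration_s for f in fs) / len(fs)
        if (len(hosts) >= min_fanin
                and avg_bytes <= max_avg_bytes
                and avg_duration >= min_avg_duration_s):
            candidates.append({
                "dst": dst, "dport": dport, "hosts": len(hosts),
                "avg_bytes": round(avg_bytes), "avg_duration_s": round(avg_duration),
            })
    # Largest fan-in first.
    return sorted(candidates, key=lambda c: c["hosts"], reverse=True)


if __name__ == "__main__":
    for c in find_cc_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f"candidate C&C {c['dst']}:{c['dport']} "
              f"({c['hosts']} hosts, avg {c['avg_bytes']} B, avg {c['avg_duration_s']} s)")
```

On the constructed sample only 203.0.113.7:6667 is reported: the HTTPS endpoint has the same fan-in but fails the low-volume test, and the second IRC server has too few hosts. The output is a lead, not a verdict; the flagged endpoint still has to be confirmed (for instance by watching a single isolated infected machine, as a later comment in this thread describes), and the internal hosts in the group are the machines that need cleaning regardless of what happens to the endpoint.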
  • by Elshar ( 232380 ) <elshar&gmail,com> on Sunday June 19, 2005 @06:32PM (#12858523) Journal
    Easiest way is to create a small IRC network, and submit the name to all the irc clients out there, so it'll be in the list. Also, name it something so it appears at the top or near the top...

    To inflate user counts, just get an ircd that allows assigning yourself or others fake hostnames (for certain hosts/etc). Then load tons of bots in channels pretending to be 'users'. You could even get creative and make them idly chatter with each other..

    Anyways, the point is that most of these botnet people eventually want to take a part of their net out to go mess with irc channels, and they usually seem to target smaller networks on the top of whatever list they're using.. So all ya gotta do is just log massive joins into certain channels, or when a flood of users magically connect to your fake network.. Then you have tons of bots to dissect or whatever.
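Elshar's "log massive joins into certain channels" is a detection rule, and this added example (not code from the poster or from the thread) shows one way to implement it: a sliding window of JOIN events per channel over constructed ircd-style log lines, reporting channels where many joins from many distinct hosts land inside a few seconds. The log layout, the nicknames and addresses, and the thresholds are all assumptions for this illustration.

```python
"""
Added example: detect join floods in constructed IRC server log lines.
Not code from the thread; the log format and all values are made up.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log layout: "<date> <time> JOIN <#channel> <nick>!<user>@<host>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) JOIN (?P<chan>#\S+) (?P<nick>[^!]+)!(?P<user>[^@]+)@(?P<host>\S+)$"
)

# Constructed sample: a quiet channel, then ten joins in four seconds.
SAMPLE_LOG = """\
2005-06-19 18:30:05 JOIN #linux alice!alice@10.1.1.1
2005-06-19 18:31:40 JOIN #linux bob!bob@10.1.1.2
2005-06-19 18:33:12 JOIN #linux carol!carol@10.1.1.3
2005-06-19 18:40:00 JOIN #victim k3kf!x@10.9.0.1
2005-06-19 18:40:00 JOIN #victim jd82!x@10.9.0.2
2005-06-19 18:40:01 JOIN #victim q91m!x@10.9.0.3
2005-06-19 18:40:01 JOIN #victim p0ls!x@10.9.0.4
2005-06-19 18:40:02 JOIN #victim zz7a!x@10.9.0.5
2005-06-19 18:40:02 JOIN #victim mm4r!x@10.9.0.6
2005-06-19 18:40:03 JOIN #victim h8hd!x@10.9.0.7
2005-06-19 18:40:03 JOIN #victim ttt2!x@10.9.0.8
2005-06-19 18:40:04 JOIN #victim ue99!x@10.9.0.9
2005-06-19 18:40:04 JOIN #victim bq1x!x@10.9.0.10
2005-06-19 18:40:30 JOIN #victim dave!dave@10.1.1.4
"""


def parse_joins(text: str) -> list[tuple[datetime, str, str]]:
    """Return (timestamp, channel, host) for every JOIN line; other lines are ignored."""
    joins = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        joins.append((ts, m.group("chan"), m.group("host")))
    return joins


def find_join_floods(joins, window_s=10, min_joins=8, min_hosts=6):
    """Sliding-window burst detection per channel.

    Returns {channel: stats of the busiest window that crossed both thresholds}.
    Requiring distinct hosts as well as raw joins keeps one flapping client
    from triggering the rule on its own.
    """
    windows: dict[str, deque] = defaultdict(deque)
    flagged: dict[str, dict] = {}
    for ts, chan, host in sorted(joins):
        q = windows[chan]
        q.append((ts, host))
        # Drop events older than the window; the event just appended has age 0,
        # so the loop always terminates with at least one entry left.
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        hosts = {h for _, h in q}
        if len(q) >= min_joins and len(hosts) >= min_hosts:
            prev = flagged.get(chan)
            if prev is None or len(q) > prev["joins"]:
                flagged[chan] = {
                    "joins": len(q),
                    "hosts": len(hosts),
                    "window_start": q[0][0].isoformat(sep=" "),
                    "window_end": ts.isoformat(sep=" "),
                }
    return flagged


if __name__ == "__main__":
    for chan, stats in find_join_floods(parse_joins(SAMPLE_LOG)).items():
        print(f"{chan}: {stats['joins']} joins from {stats['hosts']} hosts "
              f"between {stats['window_start']} and {stats['window_end']}")
```

On the sample only #victim is reported; the three joins to #linux over several minutes never fill the window, and the late join by dave arrives after the burst has aged out. The hosts recorded in the flagged window are the list a defender actually wants, since each one is a machine that still needs to be cleaned whatever happens to the channel.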
  • pessimistic (Score:5, Insightful)

    by moz25 ( 262020 ) on Sunday June 19, 2005 @06:33PM (#12858537) Homepage
    So is this news something to be pessimistic about or what? As I understand it, without vigilantes botnets would be even more "unstoppable" than they are now. It's cool that they're mitigating it, but it really comes down to getting some cooperation going on multiple levels... starting with the ISPs acting more against outgoing malicious traffic for a start.
  • by TCM ( 130219 ) on Sunday June 19, 2005 @06:34PM (#12858543)
    When the security "experts" are busy looking at all the data passing through routers, who is busy ensuring that the "experts" will not violate my privacy by reading the personal but sensitive e-mail notes that I send to my friends and associates?

    You, by encrypting them.
  • by Alascom ( 95042 ) on Sunday June 19, 2005 @06:35PM (#12858549)
    The problem isn't botnets, the problem is people and systems. The only reason botnets exist is due to the fact that current software is engineered without much thought toward security, and vendor supplied patches are not applied. Shutting down a botnet is at most only minimally worth the effort as the hosts are still vulnerable to being acquired by the next virus that comes around.

    The only solution is secure software engineering and prompt, reliable patching.
  • by justforaday ( 560408 ) on Sunday June 19, 2005 @06:40PM (#12858584)
    Does it come as a surprise to you that people that have access to routers can sniff your packets?
  • by sweetooth ( 21075 ) on Sunday June 19, 2005 @06:45PM (#12858616) Homepage
    and until then we'll just let the botnets run rampant....

    Unfortunately that's not a very good solution. While creating more secure software from the ground up is definitely the way to go for the future, you have to have some plan to deal with the current problems. Keep in mind that the vast majority of people aren't going to upgrade to the latest and greatest OS, web browser, or whatever if their existing one works. So even after you've got more secure computing solutions out there you have to convince people it's worth the time and, more specifically, cost, of upgrading.
  • by moz25 ( 262020 ) on Sunday June 19, 2005 @06:46PM (#12858623) Homepage
    But it doesn't hurt anyone else much either as I'm on a 56k line. Oh, scary DOS coming from that.

    What you're saying shows the root of the problem and why it's so hard to solve: you need some level of cooperation from people who do not have a direct interest in solving it simply because it doesn't affect them. Sure, your little 56k is quite harmless, but with 1000 zombies on little 56k lines, you can create quite a flood.

    The other problem is with using up bandwidth allotments. Let's say the attacker is using 2KB/s for flooding. You won't notice that, but the other end wastes 5GB/month. Now if you have just 200 56k lines pumping this on average, you'll be driving the target into unwanted bandwidth bills for sure. Now this analysis is making some assumptions, but you get the picture.
  • by Cross-Threaded ( 893172 ) on Sunday June 19, 2005 @06:54PM (#12858664)
    You bring up a reasonable concern.

    However, when you click SEND from whatever email client you use, you are essentially flinging a postcard out of your 10th story window.

    Said postcard contains:

    _

    *your sensitive information* | Address of your friend/associate

    P.S. If you are not the intended recipient, please give me to someone else closer to the address.

    _

    If you are truly concerned about some "expert" taking the time to read whatever it is that you have to say to a friend, or associate, then you should investigate either encrypting your messages, or use a different medium of communication.

  • by Anonymous Coward on Sunday June 19, 2005 @07:03PM (#12858707)
    >> When the security "experts" are busy looking at all the data passing through routers

    >> In other words, when the "experts" are protecting me from the hackers, who is protecting me from the "experts"?

    Wrong. Reverse engineering of malware does not involve sniffing traffic indiscriminately. By looking at the binary's assembly code the totality of the backdoor protocol can be determined. For those with less skill, examining the network traffic going from/to a single sacrificial "goat" machine running VMware, at either the host level or the network level, can also yield usable information.

    Sniffing random traffic of unrelated machines is not a standard or even useful practice when conducting malware analysis.
  • Re:kudos (Score:3, Insightful)

    by Mysticalfruit ( 533341 ) on Sunday June 19, 2005 @07:53PM (#12858961) Homepage Journal
    The main reason for this is that nobody in power has been afflicted by this.

    The moment one of these BotNets decides to DDOS the servers at the capitol building or start attacking other aspects of the US internet infrastructure, your congressman isn't going to give a shit.

    The internet and the laws governing it are the wild west at the moment. Some corners have very strong laws, other corners have none. However, if I remember, it was the vigilantes who took care of the areas that strong law hadn't come into play.

    Vigilante groups are a double edged sword. Laws generally aren't as agile as a group of people working for the common good. However, there is a danger that any group of people once given power is generally averse to giving it up. Also the argument about what "common good" is gets nebulous. We all agree that child porn sites should be taken down and their proprietors chucked into wood chippers. What happens when you get a vigilante group that feels that all porn sites are bad?
  • C&C? (Score:3, Insightful)

    by VStrider ( 787148 ) <<ku.oc.oohay> <ta> <zm_sinnaig>> on Sunday June 19, 2005 @07:55PM (#12858975)
    I thought there was no such thing as a central C&C on botnets. An infected pc can be a member of many botnets. Today a pc is doing the bidding of joe hax0r, tomorrow it is doing the bidding of billy rox0r. Even if you shut down one C&C, the thousands of infected pcs remain infected and ready to join another botnet.

    The only solution is user education.
  • by pete6677 ( 681676 ) on Sunday June 19, 2005 @08:09PM (#12859040)
    I'd say the grandparent poster is aware of this, but just wanted to take advantage of the opportunity to bitch about his privacy since it got him a guaranteed +5 Insightful on Slashdot.
  • by ladadadada ( 454328 ) on Sunday June 19, 2005 @08:52PM (#12859259) Homepage
    The trouble with cutting off the head is that you end up with a perfectly good army just waiting for a suitable leader to come along... and we all saw how well that worked for Yoda.

    The computers that form the botnet are still compromised and are still just as dangerous. If they have a hard-coded IP address to receive instructions from, the vigilantes can make sure that IP address doesn't issue instructions, but if the instructions are received in a less centralised way then I can't see how they could stop the instructions being sent.

    Maybe what we need is a follow up deconstruction of the command protocol to allow an effective "self destruct" command to be sent. (Obviously there won't be a self destruct command but there is often the ability to download a new binary file and execute it.)
  • Re:pessimistic (Score:2, Insightful)

    by Anonymous Coward on Sunday June 19, 2005 @09:06PM (#12859345)
    The ISPs need to act, certainly, but people need to be educated to secure their computers against these worms. It isn't easy, but it can be done. It'll take lots of work, and progress will be extremely slow, but we, yes we, are the people to do it.

    What do I mean? Well, we all know that there are plenty of good, free security tools out there, from antivirus programs, antispyware programs, and firewalls. CDs are dirt cheap, and every person reading this probably has a few hundred lying around. Everyone here probably also has plenty of ignorant friends and coworkers. Well, try to educate them! Next time a major Internet security story hits the mainstream media (like, I don't know, the big cc number heist facilitated by a virus), get your employer's blessing to send out an e-mail to everyone asking if they'd like a CD full of free programs to secure their home computers. Then, as people come to see you, pass out the disc, along with some articles on basic security, and tell them to take a few minutes to read and educate themselves. You may not reach all of them, but you will reach some, and if everyone at least tries, we may do some good here.

    I'll even supply the URL for a PC Mag article on computer security for the beginners to read.

    http://www.pcmag.com/article2/0,1759,1754340,00.asp
  • by Anonymous Coward on Sunday June 19, 2005 @09:59PM (#12859599)
    wish ISPs would hold the lusers (criminally) responsible for this.

    You want to throw my mother in the slammer?

    You're not nice at all.
  • Re:Good for them. (Score:3, Insightful)

    by muzzmac ( 554127 ) on Monday June 20, 2005 @01:29AM (#12860571)
    A quote from "A man for all Seasons" quite relevant to this comment I thought.

    More: There is no law against that.

    Roper: There is! God's law!

    More: Then God can arrest him.

    Roper: Sophistication upon sophistication.

    More: No, sheer simplicity. The law, Roper, the law. I know what's legal not what's right. And I'll stick to what's legal.

    Roper: Then you set man's law above God's!

    More: No, far below; but let me draw your attention to a fact - I'm not God. The currents and eddies of right and wrong, which you find such plain sailing, I can't navigate. I'm no voyager. But in the thickets of the law, oh, there I'm a forester. I doubt if there's a man alive who could follow me there, thank God....

    Alice: While you talk, he's gone!

    More: And go he should, if he was the Devil himself, until he broke the law!

    Roper: So now you'd give the Devil benefit of law!

    More: Yes. What would you do? Cut a great road through the law to get after the Devil?

    Roper: I'd cut down every law in England to do that!

    More: Oh? And when the last law was down, and the Devil turned round on you - where would you hide, Roper, the laws all being flat? This country's planted thick with laws from coast to coast - man's laws, not God's - and if you cut them down - and you're just the man to do it - d'you really think you could stand upright in the winds that would blow then? Yes, I'd give the Devil benefit of law, for my own safety's sake.
  • by majest!k ( 836921 ) <slash@noSpAm.majestik.net> on Monday June 20, 2005 @02:09AM (#12860701)
    No wonder you posted that as AC.

    Joe Sixpack doesn't consider it "irresponsible" to connect his machine to the net without a firewall. In fact he probably doesn't even know what a firewall is.

    If you're looking for someone to blame, look no further than Microsoft for having everyone run as admin and leaving several easily-exploitable ports open by default on every version of Windows up to XP SP2.

    By the way just as a reminder - botnets originally entered the limelight after scriptkiddies on IRC networks started mass-scanning and exploiting remote-root vulns on LINUX machines (via exploits for commonly used & often default services such as wuftpd and bind) in order to accumulate more bandwidth to "takeover" IRC channels.

    Linux was the primary OS exploited by botnet kiddies way before Windows. According to you, the admins of those linux boxes should be held liable for getting rooted. While I agree they are at fault for not being more security-minded, I would never consider holding them criminally responsible for getting hacked.

    That's just crazytalk.
  • by josh3736 ( 745265 ) on Monday June 20, 2005 @02:31AM (#12860760) Homepage
    If I were a blackhat, my botnet would run thusly:

    The bots would be connected to their own P2P-ish system. Commands would be passed around the network in a method similar to searches in Gnutella.

    All commands would be signed by my private key. My bots would all have my public key. Thus, I would be *the only person* who could issue valid commands to my botnet.

    This would make it impossible to tell where the commands are coming from since the originator would look just like another bot on the network.

  • by Anonymous Coward on Monday June 20, 2005 @08:44AM (#12862134)
    I'd be interested to see how many people in /. who might applaud this pro-active white-hattery, who simultaneously strenuously object to the US Patriot act which is pretty much just allowing the government to do the same thing in real life?

    Um, you've read the constitution of the United States of America? We had a deal with our government and, in exchange, we-the-people allowed it to exist. Now, our government has decided a few fundamental terms of that deal don't apply.

    If these changes really do make sense, then we need a constitutional convention to sort it out and come up with another agreement. I'd also be happy with a more proactive supreme court and a few clueful candidates for national office to sort this out. Until either of those things happen, we (the US) are not what we claim to be.

    Maybe I should run for office.
