
Hunting for Botnet Command and Controls

Uky writes "Convinced that the recent upswing in virus and Trojan attacks is directly linked to the creation of botnets for nefarious purposes, a group of high-profile security researchers is fighting back, vigilante-style. The objective of the group, which operates on closed, invite-only mailing lists, is to pinpoint and ultimately disable the C&C (command-and-control) infrastructure that sends instructions to millions of zombie drone machines hijacked by malicious hackers." From the article: "Using data from IP flows passing through routers and reverse-engineering tools to peek under the hood of new Trojans, Thompson said the researchers are able to figure out how the botnet owner sends instructions to the compromised machines."
  • by puzzled ( 12525 ) on Sunday June 19, 2005 @06:32PM (#12858526) Journal

    C&C attacks are the staple of today's military. An organized, centralized effort should do wonders for laying waste to the economic value (and motivation) behind such behavior.
  • by reporter ( 666905 ) on Sunday June 19, 2005 @06:33PM (#12858532) Homepage
    "Using data from IP flows passing through routers and reverse-engineering tools to peek under the hood of new Trojans, Thompson said the researchers are able to figure out how the botnet owner sends instructions to the compromised machines."

    When the security "experts" are busy looking at all the data passing through routers, who is busy ensuring that the "experts" will not violate my privacy by reading the personal but sensitive e-mail notes that I send to my friends and associates?

    In other words, when the "experts" are protecting me from the hackers, who is protecting me from the "experts"?

  • Told Ya So (Score:2, Interesting)

    by Anonymous Coward on Sunday June 19, 2005 @06:42PM (#12858597)
    Internet ages ago, when DDOS was hot and researchers all concentrated on that threat, I tried to tell them that DDOS is nothing. Stuart and the others wrote their paper and based the threat on DDOS which influences computer security research even today. I predicted what is now called botnets would be the more frightening destination of the DDOS train. I didn't catch that IRC would be the covert channel of choice (not very covert). HTTPS seemed much more likely to me - net admins expect to see https traffic.
    The vigilantes are running into the problem of cut-outs. The original botnets for DDOS all used a three-tier architecture - slaves (bots), masters (IRC servers), and clients. The current incarnation seems to have at least that many layers if not more. Killing the masters is better than trying to stomp on all the bots, but that still leaves the clients. Until the owners of the compromised boxen acting as masters allow access to track back to the clients, the vigilantes are facing the fate of Sisyphus.

    Goetz - AC because I can't remember my /. user name
  • by dyftm ( 880762 ) on Sunday June 19, 2005 @06:45PM (#12858614)
    What would be really interesting is if using a combination of honeypot PCs (to match trojans to controllers) and the commands used to control the botnets, these vigilantes could make the zombified PCs download and run a cleaning tool to rid themselves of the trojan.
  • What causes botnets? (Score:2, Interesting)

    by Anonymous Coward on Sunday June 19, 2005 @06:49PM (#12858636)
    Well, obviously script kiddies with the malice and idiocy to create them. But also, the end users ... the people who irresponsibly leave their machine open to the 'net, get 0wned, and then contribute to whatever DoS is going on.
    These end users just *don't care*. Because, although their owned boxen are f-ing with the rest of the internet, it doesn't affect them - a selfish luser attitude, why should they bother virus/trojan scanning their boxen?
    I wish ISPs would hold the lusers (criminally) responsible for this. I for one look after my home datacentre, including my Gentoo Linux boxen and keep them patched.
  • Good for them. (Score:5, Interesting)

    by deacon ( 40533 ) on Sunday June 19, 2005 @06:52PM (#12858649) Journal
    From the FAS:

    a group of high-profile security researchers is fighting back, vigilante-style.

    This emotionally laden language has been deliberately chosen to make it sound like this activity is a "bad thing [tm]"

    I truly believe it is the duty of every person to fight against clearly evil activity.

    This includes a mugger hitting an old lady, a middle-aged man trying to drag a pre-teen girl (or boy) into a car idling in the street, and a person trying to kick in the door of the elderly couple down the street.

    If the people disabling bot-nets make every effort to be certain they do not harm innocent or uninvolved people (and the standard here is very high), then they are doing a public service. (if they take the attitude, like some "anti-spam" people, of -> 'kill them all, let God sort them out, they are just assholes with very, very small peckers')

    Those who believe the gub'mint is going to be johnny on the spot to fix all your boo-boos are sadly misguided: there is neither the manpower nor the reaction time to fix everything "bad" in the world. That depends on YOU.

  • by Anonymous Coward on Sunday June 19, 2005 @07:05PM (#12858714)
    The word "vigilante" keeps getting bandied about by people who frankly probably just sit on their backsides all day and do nothing to try and help the problem.

    The botnets represent a serious threat in all sorts of different ways. Spamming. Phishing. DDOS attacks. Extortion. Money laundering. Child pornography. These large armies of zombie PCs can be used for a variety of evil purposes.

    Yah.. this should be the remit of law enforcement agencies.. but guess what. Nothing much is happening. Law enforcement is either waaay outta their league or swamped with other issues. So as good citizens of the internet, what should we do?

    Well.. those people who keep moaning about "vigilantes" will do nothing.. except moan some more when their business is taken out by a DDOS-wielding extortionist. One basic obligation of all citizens is to protect others and to not ignore crimes when they are in progress. So, it is absolutely right and proper that people take direct action if it is clear that law enforcement agencies cannot.

    You can target the botnet's C&C system. And there are a variety of ways you can do this - not all of which require immense technical skills. Sometimes that means you have to be slightly more "grey hat" than "white hat" in your approach.

    But even if you are technically breaking the law to shut down a botnet.. exactly *who* are the victims? Nobody important, that's who - and they are usually hiding behind layer upon layer of false domain registrations, hijacked IP addresses and worse. In fact, most of the time there are no identifiable victims of this type of anti-botnet action at all - no valid names, companies or organisations. So who's gonna complain?

    Personally, I'm not part of this group, but independently I have managed to shut down two large botnets.. at least temporarily. And I would do it again. But.. well, let's just say if you are involved in this sort of thing then it's better to stay an "Anonymous Coward".

  • by capedgirardeau ( 531367 ) on Sunday June 19, 2005 @07:06PM (#12858718)
    I can't find it on his site, but the guy who runs DShield was under a DDOS attack a few years ago and he managed to crack into the IRC channel the attacker used to control his bot network.

    Apparently the attacker about crapped his drawers when instead of the usual bot replies to his commands an actual person started talking to him in his IRC channel.

    http://dshield.org/ [dshield.org]

  • by coekie ( 603995 ) on Sunday June 19, 2005 @07:07PM (#12858729) Homepage
    Which is exactly what *does* happen a lot. This is a "hobby" of many "vigilantes".
    Some drones have built-in uninstall commands, others have commands to download and execute programs, so cleaners are written.
    But the drones are getting more and more advanced, built-in uninstall commands are getting more rare... it is clearly a battle that cannot be won if only fought this way.
  • by argStyopa ( 232550 ) on Sunday June 19, 2005 @07:09PM (#12858738) Journal
    So, how is this different from a "Star Chamber"?

    I'd be interested to see how many people in /. who might applaud this pro-active white-hattery, who simultaneously strenuously object to the US Patriot act which is pretty much just allowing the government to do the same thing in real life?
  • Who cares? Nobody. (Score:2, Interesting)

    by matts-reign ( 824586 ) on Sunday June 19, 2005 @07:54PM (#12858968) Homepage
    I know a user whose system I'm certain is totally 0wn3d. It's an unpatched Windows 98 machine, no firewall, nothing. I put an EICAR string on his machine, and 6 months later, it's still there. He calls them "Cheezy Viruses that don't hurt me" if they don't interfere with his day-to-day operations. Only when he got a dialer and built up $10,000 worth of phone bills one month did he care. The moral of the story: Users don't give a damn. I know a guy who happens to run a rather large botnet and he says 90% of his victims know there is a virus on their computers, they just can't be arsed to do anything about it.
  • by SA Stevens ( 862201 ) on Sunday June 19, 2005 @08:50PM (#12859248)
    your best defense is the same reason that you don't get dates - what you do is just not that interesting to anyone else.

    This is drifting off topic, but I am coming to feel you hinted at something fairly interesting to bring up. Big Windows networks are boring, to the point where it's uninteresting to hack them and/or 'dig around' to see what's there.

    At my last job, the network was a big old-school conglomerate. There were Solaris, Netware, OS2 Warp (!), and Windows NT servers all mixed together on a single net. It was really cool.

    Where I'm working now it's a big enterprise NT setup without anything else. It's monotonous and there's really nothing of interest in 'the system' to check out.

    Anybody who 'hacks' at my current workplace is likely there to steal the info on the servers. At the old workplace it was interesting just to map the whole thing out and figure out how it all connected.

    In this regard, all-Windows shops might have less problem with 'hacking' in the classical sense. Who finds it interesting to get 'root' on some crummy all-NT environment?

    But, back to on-topic...
  • by Anonymous Coward on Sunday June 19, 2005 @09:17PM (#12859402)

    Personally, I'm not part of this group, but independently I have managed to shut down two large botnets.. at least temporarily. And I would do it again. But.. well, let's just say if you are involved in this sort of thing then it's better to stay an "Anonymous Coward".

    Well, I do work for one of the "dynamic DNS providers" that are mentioned (as a group) in the article. I am going to stay A/C for that reason.

    Basically what happens is this. These "vigilantes" (myself included I suppose) get their hands on an infected machine and reverse engineer the bot, or, as the article mentions, analyze the traffic they generate. Eventually they find where the bots are connecting to and try to shut down the C&C point. In my case, as a dynamic DNS provider, I am on a private mailing list with many other dynamic DNS providers. We receive daily lists of known botnet C&C points along with evidence and supporting materials.

    It is then up to US as the DNS providers to decide if enough evidence has been presented to shut off the hostname or domain associated with the botnet. In most cases, the hosts and domains are disabled. By removing the DNS name that the bots use to connect to their C&C point, it renders a good portion of them unusable. Of course, the bots include multiple hostnames and the machines can be re-infected with a new bot using different names, but as a group the dynamic DNS providers are making an effort to eliminate the C&C points as quickly as they are found.

    Many people worry that these "vigilantes" will do harm, but they are not the only link in the chain. There are MANY individuals and corporations involved in shutting down the C&C points, so there are some checks and balances. It's not like these guys can wave a magic wand and make the botnets burst into flames. If only it were that easy...
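The post above describes the traffic-analysis half of the hunt: flow records show which external endpoint many infected machines rendezvous at, and that endpoint (or its DNS name) is what gets reported to the providers. The script below is an added example, not code from the thread or from the eWeek article; it runs over a constructed, simplified NetFlow-like sample (the IP addresses, the 10.0.0.0/8 "internal" range and the port list are assumptions) and ranks external (dst, port) pairs by how many distinct internal hosts contact them, listing IRC ports first but keeping other ports too, since an HTTPS channel would show the same fan-in pattern.

```python
"""Rank candidate C&C rendezvous points from router flow records (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows (not real traffic): src_ip dst_ip dst_port pkts bytes
SAMPLE_FLOWS = """\
10.0.0.11 198.51.100.7 6667 42 3100
10.0.0.12 198.51.100.7 6667 40 2950
10.0.0.13 198.51.100.7 6667 39 2870
10.0.0.14 198.51.100.7 6667 45 3300
10.0.0.11 203.0.113.20 443 120 98000
10.0.0.12 203.0.113.21 443 88 71000
10.0.0.13 203.0.113.22 80 15 9000
10.0.0.11 203.0.113.9 443 60 4400
10.0.0.15 203.0.113.9 443 58 4300
10.0.0.16 203.0.113.9 443 61 4500
"""

INTERNAL = ip_network("10.0.0.0/8")          # assumed address space of "our" hosts
IRC_PORTS = {6667, 6668, 6669, 7000}         # common IRC server ports


def parse_flows(text):
    """Parse the whitespace-separated flow lines into dicts; skip blanks/comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, port, pkts, nbytes = line.split()
        flows.append({"src": src, "dst": dst, "port": int(port),
                      "pkts": int(pkts), "bytes": int(nbytes)})
    return flows


def find_rendezvous(flows, min_clients=3):
    """Report external (dst, port) endpoints contacted by at least
    min_clients distinct internal hosts: a few machines sharing a web
    server is normal, many machines idling on one IRC server is not."""
    clients = defaultdict(set)
    volume = defaultdict(int)
    for f in flows:
        # Only outbound flows from internal hosts to external endpoints count.
        if ip_address(f["src"]) not in INTERNAL or ip_address(f["dst"]) in INTERNAL:
            continue
        key = (f["dst"], f["port"])
        clients[key].add(f["src"])
        volume[key] += f["bytes"]
    hits = []
    for (dst, port), srcs in clients.items():
        if len(srcs) < min_clients:
            continue
        hits.append({"dst": dst, "port": port, "clients": len(srcs),
                     "bytes": volume[(dst, port)], "irc_port": port in IRC_PORTS})
    # IRC-port endpoints first, then by how many internal hosts they draw.
    hits.sort(key=lambda h: (not h["irc_port"], -h["clients"]))
    return hits


if __name__ == "__main__":
    for hit in find_rendezvous(parse_flows(SAMPLE_FLOWS)):
        print(hit)
```

A hit is only a lead: the next step in the thread's process is pulling the bot from one of the listed clients to confirm the endpoint before reporting it.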

  • Re:C&C? (Score:4, Interesting)

    by sbma44 ( 694130 ) on Sunday June 19, 2005 @09:31PM (#12859481)
    I thought there was no such thing as a central C&C on botnets. An infected pc, can be a member of many botnets.

    Yes, but there'll be one trojan per botnet. Script kiddies don't like to share, and in fact the current trend is supposedly groups assembling botnets and then auctioning off their services to spammers. Given that, you can see why the botnet "owner" wouldn't want to allow access to other evildoers.

  • by Knightmare ( 12112 ) on Sunday June 19, 2005 @09:47PM (#12859542) Homepage
    Actually you are wrong. Many of the pieces of malware I have reverse engineered have had a "self-destruct" mechanism built in which basically just deleted the exe and any registry entries associated with starting the malware. Not exactly massive amounts of code...

    As soon as you find the magic word to make the bots respond to you (which can be difficult at times, some of the malware writers are pretty sneaky) shutting a botnet down can be as simple as logging into the irc server and appropriate channel and typing a couple of words. The problem comes in when the botnet owners are keeping close tabs on the channels and ban any clients that don't behave just right. At that point you have to go to the trouble of having your irc client mimic the behavior of the botnet clients so that you will go unnoticed long enough to get the information you need to shut down the botnet.
  • by Anonymous Coward on Sunday June 19, 2005 @11:06PM (#12859912)
    Mostly because you would be criminally (depending on the jurisdiction) and civilly liable for any damage caused to the bots when you did this. These "bots" also happen to be Joe Average's pc, which is marketed to him as a plug and play appliance like a toaster. If your shutdown erases his accounting files for his home business (which you know he doesn't have backed up because J. Average never does), then you would be liable for the loss. In a court of law you pulled the trigger.
  • by Mercury2k ( 133466 ) on Sunday June 19, 2005 @11:42PM (#12860091)
    Hey guys. Just thought that I would put my $0.02 in.

    I am not into botnets anymore, but like most here prolly', I started my internet life on irc. And anyone else who grew up on non dalnet like servers with chan services knows that being on a network without them can be a pain. Especially when smacktards show up for the day ;)

    Anyways, knowing a bit about bots and botnets, I would say that it shouldn't be too hard to take some down. Being irc based, plain text would be one problem. But if you have access to a machine infected, encryption would be pointless since you could just debug the program and find out what its protocol is anyways. I think one big issue that was hinted at in one of the above posts was that you should be able to use an infected machine to "take over" the botnet. Well, things don't work that way. For those of you that haven't run one or used one before, I will give you a rough idea of what the ones in my day (1.1.15 or so IIRC).

    A botnet is basically a shell like environment similar to say a bash shell or a dos prompt. ie: it's all text commands using plain ol' ascii. Commands generally start with a ".", like ".help". The botnet also has security systems in place (ie: users with passwords etc) that define who can dcc chat the bot directly, use its !channel commands on irc etc. The eggdrop (sorry, yes, I'm referring to eggdrops specifically) bot also has the ability to link multiple bots together to form a big "botnet". This is all of course done with special bot accounts with unique passwords.

    The reason you can't just take one over (despite it probably being a modified version of this system of bot), is because the other bots are probably only allowed to "take orders" from a specific machine or user. Although for simplicity's sake, I would imagine it's just a user and password combo to prevent any traceable information from being gleaned over the botnet traffic. Don't forget too that the botnet would be point to point and most of the traffic would only be coming from a single location (which you would have to find out from a compromised machine).

    In the end, I see the biggest problem in finding the zombies being, how do you tell when a machine's infected if the virus tries the best it can to hide itself from non-forensic integrity checking tools. But, over the years I can see software taking a turn to being better checked for authenticity and integrity etc. Once we hit that point, botnets would probably start to disappear. Also consider that the machines themselves will go offline and be replaced by newer ones that aren't susceptible to the same malicious code. This at least forces them to keep active. And keeping them active helps you trace them.

    Anyways, hope you had a fun read. Not worth previewing this one, l8r.
  • Re:Anti-anti-botnet (Score:4, Interesting)

    by irc.goatse.cx troll ( 593289 ) on Sunday June 19, 2005 @11:48PM (#12860126) Journal
    No point in treeing it, trees lead to an origin too easily. Cell-style works so much better. Each peer has to discover each other (Start with the machine that infected it, get the current list of peers from it. Randomly ping each peer to see if one drops off, if so send a hint to your other peers. All hints only cause verification, not actually removing. Same for adding new peers this way.)
    Controlling it is then a matter of keysigned commands. All commands are timestamped to be unique (so you can easily discard duplicate messages), and is verified with the public key. The only way you can be exposed as the leader is if you get caught with the private key.
  • Why allow IRC? (Score:2, Interesting)

    by RockDoctor ( 15477 ) on Monday June 20, 2005 @04:46AM (#12861228) Journal
    I may be missing something here, but if IRC is used to control malicious programs, then why allow IRC?
    Call me a stick in the mud, but I have simply never seen the purpose of IRC. I've installed programs for it, logged into the LUG's channels because I'm told it's the best thing since sliced bread, found it to be an utter waste of time, and removed the IRC client. Three times. I simply can't see any purpose to it that is worth either the massive time waste (people don't think before they reply to questions), or the huge security hole that it appears to be. [BTW for people on AberLUG, I know there's a no-install Java access route too. But there's no content.]
    So why are people (network administrators, specifically) allowing the packets to pass? You've got a problem with, say, your AS chunk of routing space being full of IRC-controlled robot machines. So set your router to forward all IRC packets (in- or out-bound) to /dev/null (or a logging system) and then annihilate any IRC bot-controllers in your system.
    If IRC has some value (which I have yet to be shown an argument for, let alone be convinced by such an argument; "Look at this, it's kewl!" is not an argument), then tell the developers who claim so to come up with an IRC-like system which is provably secure and that provides the functionality they want without the security risks. Any of the security risks. Which returns to the original point - what is the "value" of IRC that people tolerate the security risks that appear to be inherent in the model.

    Question: What did people do for rapid networked communication between self-selected groups before someone (whoever) invented IRC? Answer: mailing lists and/or private newsgroups on non-peering, non-usenet NNTP servers.
    Question: What is still a major method of rapid networked communication amongst self-selected groups? Answer: mailing lists (and private newsgroups too, but often less visible than the lists). Did you notice that SourceForge provides this functionality? You think it's there to make the menus longer, or for some other reason?

    If it causes pain, and you've got an alternative, stop doing it.

    BTW, who was responsible for this junk? I remember something similar being available on Compuserve when I joined in 1992, but it was unusable then and hasn't got any better since.
    It is possible that the security risks of IRC are consequent on the possibility of being anonymous on the communication system. That may account for a lot of the junk too. Although the IRC-like stuff in Compuserve was on a private network with personal accountability through credit-card-backed account identifiers, and that was pretty content-free.
