Eavesdropping on a Botnet
wild3rbeast writes "Joe Stewart, a senior security researcher with LURHQ's Threat Intelligence Group has figured out a way to silently spy on a botnet's command-and-control infrastructure, and finds that for-profit crackers are clearly winning the cat-and-mouse game against entrenched anti-virus providers. From the article: 'The lesson here is once you get infected, you are completely under the control of the botmaster. He can put whatever he wants on your machine, and there's no way to be 100 percent sure that the machine is clean. The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.'"
bot free, really... (Score:2)
-r
Re: (Score:3, Insightful)
The first time I saw stealth kernel-mode rootkits in the wild for Linux and Solaris was Dec 1996. That is nearly 10 years ago. As a matter of fact, in this area Linux and Solaris were first and Windows did not really follow until 2K became commonplace in the home. From there on the malware writers came back and hacked 98 and ME.
So your optimism regarding SloWarez is misplaced and misguided.
malware-free system? (Score:4, Insightful)
options abound Linux, BSD, Windo... oh, forget about that last one
Re:malware-free system? (Score:5, Interesting)
Until someone creates something that can infect the various *nixes that is.
malware-free system?-Linux. (Score:5, Funny)
That's impossible. How do I know. Just "Ask Slashdot".
Re:malware-free system? (Score:5, Funny)
Re:malware-free system? (Score:5, Insightful)
It's called a rootkit. They've been around for years.
Find a *ix server that's running a vulnerable process listening on an exposed port (DNS, ssh, ftp, http, pop, imap, smtp, whatever). Root that box and install your malware.
Just by the virtue of the large number of x86 Linux servers exposed to the Intarweb, there must be thousands of systems just waiting to be rooted.
Fortunately for "us", there are millions of exposed Windows client PCs running as Administrator, begging to be owned.
Why do you rob banks? (Score:5, Insightful)
... because that's where the money is.
You write about root kits and declare:
Just by the virtue of the large number of x86 Linux servers exposed to the Intarweb, there must be thousands of systems just waiting to be rooted. Fortunately for "us", there are millions of exposed Windows client PCs running as Administrator, begging to be owned.
As if the only difference was numbers. The other difference, or so claim the FUDsters, is that "Linux is for servers." You know, like banks and businesses that handle real money. Given the profile and importance of those targets, you would think they would be hit all the time and that we would hear about it as we hear of IIS exploits. For some reason we don't hear anything, despite the very open nature of the people running the software. It would seem that there's more at work than numbers here.
On the desktop there's another crucial difference, the ease of recovery. In the Windoze world, you pull out your ancient "original" CD and put the same broken crap right back on your machine. It wipes out all your documents and settings so you suffer a loss for no gain. Then you are rooted again about 12 minutes after hooking up to a network. In the free world, you do a net install and get the latest and greatest of everything, without losing anything at all. A few extra steps can make sure the root kit is not in your home directory. The easiest is to chmod the files in your home directory to no-execute. In the very worst case you can chmod and then tar up the documents you worry about and start fresh with your settings, like in the windoze world but much easier.
Re:Why do you rob banks? (Score:4, Insightful)
Re-read my post, and then think.
Some Linux servers will be vulnerable. Even if only 0.1% of Linux systems are vulnerable thru SysAdmin neglect or unfixed bugs, if there are 10^6 systems there will be 1000 vulnerable systems.
(I say servers because Linux desktops tend not to expose services to the Internet.)
Re: (Score:2, Interesting)
An oversized rat tells me to think, and offers a lesson in proportions and exponents:
Re-read my post, and then think. Some Linux servers will be vulnerable. Even if only 0.1% of Linux systems are vulnerable thru SysAdmin neglect or unfixed bugs, if there are 10^6 systems there will be 1000 vulnerable systems.
So what? You want to replace that with systems that are ALL vulnerable to multiple attacks regardless of the competence of the administrator? Help me out Nutria, what are you trying to tell me?
Re: (Score:3, Insightful)
What gives you that idea?
Because I recognize that Linux distros are not perfect, not all SysAdmins are up to snuff, and not all security bugs in all *ix apps have been discovered and patched, you think I am a Windows fanboi?
Re: (Score:2)
I'll take that as a "no" response. You obviously think that free software is a superior alternative. Thanks!
Re:Why do you rob banks? (Score:5, Insightful)
Linux servers, especially colocated ones, tend to have a much higher uptime; in addition, the ircds and other servers they run tend to run best (or only) on Linux. A Linux shell box is a lot more useful to a blackhat than a Windows drone. This makes them individually more attractive targets.
Imagine you're a blackhat. So what you're after, for a C&C server, is someone else's poorly-maintained Linux box; the one that the admin thinks is impenetrable, because it runs Linux, and so hasn't updated it or even looked at it in ages. It's going to have a high uptime, because it almost never reboots because the guy never installs a new kernel on it. You can probably spy out the uptime quietly in advance via the usual trickery, because some admin thought Linux boxes don't need firewalls. And you're most likely going to get in through a PHP hole (application or language, it doesn't matter when the language and common software is that poorly designed) or if it's really out of date an Apache or MySQL hole - because it's probably an almost-never-used webserver.
And then you're going to install a rootkit - think l10n, only more so (there are actually some seriously hardcore Linux rootkits that blow pretty much all of the public rootkits for Windows out of the water when it comes to stealth; and this is why) - and then you're going to patch it, so no-one else roots your new 0wned C&C box, because nothing sucks more than some other blackhat stealing your botnet.
Next thing you know, bam, the thing's running a modified hybrid-ircd or something, and is one of the magic servers you encoded in your trojan to which the Windows drones are connecting back, or one of the webservers they are getting the spam proxy or spyware installer from; and thus you, the blackhat, earning nice fat sums of cash on the back of one or two Linux servers and a few hundred or thousand random Windows machines.
So, don't discount the threat. All operating systems need patching and good security practice to run safely.
And 0.1% seems like a low estimate; remember Linux distributions, especially server-oriented ones, tend not to have an automatic update feature (with good reason, to a point), so they do require manual intervention to patch. With appropriate care and feeding they are of course not just fine, but can be really quite secure; but neglected, it's a whole different story. Think closer to 2-3% as being a potential problem, and almost 5% in some (LAMP) brackets.
Re:Why do you rob banks? (Score:4, Funny)
Sacrilege! Sacrilege, you Windows fanboi!!!! How dare you criticize the Holy Penguin!!!!!!!!!!
Re: (Score:2)
What do you think the C&C machines are running?
This is a good point and a lot of the IRC channels are running on rooted Linux boxes. What I find interesting is how the botherder community knowledge limits what they do. Linux desktops are not protected only by the fact that they are rare, but also by the fact that a lot of these people have no idea what they are doing beyond the tried and true tools. The community has the knowledge to root Linux servers and Windows servers, but aside from that they re
Re: (Score:2)
It's been a while (around ten years?), but back when I ran a few (legitimate) IRC servers, I found that in general ircd on FreeBSD worked much better on the same hardware than Linux did, being able to handle roughly twice as many users and crashing (sometimes the entire box) far less often while doing so. ircd is pretty hard on your networking stack when you have hundreds (back then -- now servers do thousands) of simultaneous user
Re: (Score:2, Insightful)
I cannot tell you how many bad contact-me web pages exist on the Internet with many of the worst being on Linux et al. Things like mod_security and PHP safe mode only mitigate certain cases. Its a
Re: (Score:2)
Anyway, the thing is, the guy used a script-kiddie package to take control of the server and spam... the first signal when I came into the office next morning was the server severely thrashing around, but not because of the spamming but because (as I later found out through google) every copy available of the pack
Windows LiveCD (Score:3, Interesting)
I did set up one myself. It works pretty well once setup.
Re: (Score:2, Informative)
Windows is inherently a bad choice for a live boot OS because of the messy issue of having as many 3rd party drivers as possible loaded into the image.
Linux distros are now miles ahead of
Re: (Score:3, Funny)
Fixed that for you.
Re: (Score:2)
A system partition mounted as ro should be a pretty solid alternative to this approach, I guess. You can keep the image in a CD and just write over it if a hacker
Re: (Score:3, Insightful)
Running a liveCD with a rootkit scanner and an antivirus isn't going to cut it - you have to have the knowledge to know what to go after - you'd be surprised at how much malware doesn't get detected by scanners even months after its been released.
Although I might use liveCDs myself to do malware recovery, average users are going to be in over their heads. So I didn't mention it.
-Joe
ISP should warn (Score:2)
BartPE? (Score:2)
I also realized that with the many plug-ins that bart has, you could make a fairly usable static system with it. it gets infected? reboot. it gets questionable? reboot.
It's a bird. It's a plane. It's TC! (Score:3, Funny)
Trusted Computing to the rescue!
Re:It's a bird. It's a plane. It's TC! (Score:5, Interesting)
Absolutely! Trusted Computing is made to protect consumers from potential threats, but will it let consumers decide what is trustworthy? I recently discovered I had a UAService7.exe running in my Task Manager. After a search I found it is a SecuROM service, and lo and behold there's a service with that name in Services.
I can't remember being asked by a game or application to install such a service, and I don't know how to remove it as there's no reference to it in either Start Menu or Add/Remove Programs.
http://jooh.no/root/torrents/trusted-computing.to
Re:It's a bird. It's a plane. It's TC! (Score:5, Informative)
Some games use it for CD verification. If you tamper with it (ie remove it) the game will likely fail its CD check and no longer run.
I have a game that uses it, you probably agree to it in the EULA somewhere. I forget which game it was...
Oh and I can't help but notice, as others have before me, that software pirates are not encumbered by these restrictions and bloatware, while legitimate customers are forced to use it.
Re:It's a bird. It's a plane. It's TC! (Score:5, Insightful)
Trusted Computing.... and Windows (Score:2)
Second thought. This could be a good thing. After a while of malware being "trusted" will people and companies abandon the TCP program? I am not a big fan of the TCP concept and this outcome could be the answer to getting rid of it. Or not.
Re: (Score:2)
At least that's what they're selling us. Frankly, I have serious doubts about their motives. Probably the same doubts you seem to have:
but will it let consumers decide what is trustworthy?
Cynical question: Why should they? The average consumer has no idea whether a particular piece of software is trustworthy - they click "yes" in every dialog. Heck, they even click on phishing links. So when the TC chain detects a new service to be in
Next opportunity (Score:5, Interesting)
Re:Next opportunity (Score:5, Funny)
PC Clinic (Score:5, Informative)
Re: (Score:2, Interesting)
Well, systems are only connected to our network for a few hours at most. Less, if we see traffic that bothers us. Like this last time, two of the machines started scanning all the IPs on the class C subnets adjacent to the subnet we were using. We put a stop to that. The only botnet activity I saw was repeated attempts to connect to the IRC port of a domain name. However, that domain had expired, so the bots couldn't connect.
I'm looking around for a way to preve
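The two behaviours this post describes (clinic machines sweeping the neighbouring class C subnets, and bots repeatedly trying the IRC port of a C&C host) are exactly what a small flow-log check can surface. The script below is an added example, not code from the post or the article: the flow records are constructed, 192.168.50.0/24 is assumed to be the clinic subnet, and the "S"/"SA" flag shorthand (unanswered SYN vs completed handshake) is this example's own convention. In the post the drones failed at DNS because the domain had expired; this example counts the SYNs a resolving C&C would receive, which is the same logic applied one step later.

```python
import ipaddress
from collections import defaultdict

IRC_PORTS = {6667, 6668, 6669, 7000}  # the usual IRC ports a drone's C&C lives on

def build_sample_flows():
    """Constructed flow log, not captured traffic. Format: 'epoch src dst dport proto flags'.
    Flag shorthand (this example's convention): S = SYN with no reply seen, SA = completed handshake."""
    lines = []
    t = 1148300000
    # host .23 sweeps port 445 across both neighbouring /24s (the adjacent-subnet scan from the post)
    for i in range(1, 7):
        lines.append(f"{t + i} 192.168.50.23 192.168.49.{i} 445 tcp S")
        lines.append(f"{t + i} 192.168.50.23 192.168.51.{i} 445 tcp S")
    # host .41 retries one IRC server every minute: a drone looking for its C&C
    for i in range(5):
        lines.append(f"{t + 60 * i} 192.168.50.41 10.9.9.9 6667 tcp S")
    # host .7 completes two ordinary web connections: benign
    lines.append(f"{t + 3} 192.168.50.7 10.1.1.1 80 tcp SA")
    lines.append(f"{t + 9} 192.168.50.7 10.1.1.2 80 tcp SA")
    return "\n".join(lines)

def parse_flows(text):
    """One dict per record; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, flags = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto, "flags": flags})
    return flows

def adjacent_nets(local_net):
    """The networks of the same size immediately below and above local_net."""
    size = local_net.num_addresses
    base = int(local_net.network_address)
    nets = []
    for start in (base - size, base + size):
        if 0 <= start < 2 ** 32:
            nets.append(ipaddress.ip_network(f"{ipaddress.ip_address(start)}/{local_net.prefixlen}"))
    return nets

def find_horizontal_scans(flows, local_cidr, min_targets=8):
    """(src, dport) pairs that sent unanswered SYNs to many distinct hosts in the neighbouring subnets."""
    nets = adjacent_nets(ipaddress.ip_network(local_cidr))
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] != "tcp" or f["flags"] != "S":
            continue
        if any(ipaddress.ip_address(f["dst"]) in n for n in nets):
            targets[(f["src"], f["dport"])].add(f["dst"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}

def find_irc_beacons(flows, min_attempts=3):
    """(src, dst, dport) triples with repeated connection attempts to a well-known IRC port."""
    counts = defaultdict(int)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] in IRC_PORTS:
            counts[(f["src"], f["dst"], f["dport"])] += 1
    return {k: v for k, v in counts.items() if v >= min_attempts}

if __name__ == "__main__":
    flows = parse_flows(build_sample_flows())
    print("scanners:", find_horizontal_scans(flows, "192.168.50.0/24"))
    print("irc beacons:", find_irc_beacons(flows))
```

Both checks key on the source host, which is what you need at a clinic: the answer is "unplug .23 and .41", not a signature name. Thresholds are deliberately low because the post's machines were only on the network for a few hours.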
Re: (Score:2)
Scissors http://www.dumbentia.com/pdflib/scissors.pdf [dumbentia.com]
"Post to Slashdot" (Score:3, Interesting)
(yeah, I pretty much forgive the Digg one, everybody has those ...)
Makes you wonder what else is going on (Score:5, Insightful)
Re: (Score:2)
Tough laws work given their enforcement (I meant, once caught, got 10 years of gang-infested prison time, people will look at the keyboard in a different way).
Re: (Score:2)
Most of the traffic I log and run a traceroute on bounces through a number of nodes into the "darknet" of unregistered IP addresses. Even there it bounces through 3-5 darknet nodes before hitting a recognizable backbone or gateway node. Although certain nations primary gateways are common, there is no way to tell whether the attacker is located in that nation or using compromised darknet machines in that nation.
The odds are that the majority are located in Canada or the US and simply using darknet prox
Re: (Score:2)
I think that the problem with this is that there are tons of dummies with unprotected computers that do not see the disadvantage of their computers being used for "dark" purposes.
In short, big problems will get big attention, small problems are getting small attention. Inasmuch as personally I want every organized criminal whipped, hanged, executed, tortured and very much dead, the trouble from them seems not that big
Re: (Score:2)
The laws are tough for murder, but they are not nearly tough enough for prostitution and drugs. Basically every shady business that organized crime feeds on should be penalized severely - bookmakers, gamblers, loan sharking, drugs, prostitution, what else...
I am telling you people will thin
Re:Makes you wonder what else is going on (Score:5, Insightful)
Re: (Score:2)
Your post could be a troll, but since you attach your name to it, I'll reply.
Your 'plan' would mean that the prison system wouldn't just be 'overloaded' but it would gravitate out of control before the year was up, putting lots of people in prison who have been functioning members of society. The cost to society would be unimaginable: prisoners cost a lot of money to accommodate and those imprisoned do not contribute to society, monetary or otherwise.
And all this for what? Because your personal beliefs are d
Re: (Score:2)
As for trolling. The changes I am proposing should be gradual - gradual increase of punishment. Then there will be no significant increase in prison population.
Also inevitable is the idea of restricting rights. As I proposed in one of my posts in this thread, the troublesome gang-infested communities should have had their basic freedoms restricted a long time ago. Total sweeping raids of
Re: (Score:2)
Right. That settles it. You're off your trolley.
This is an experiment that has been done and its consequences were (arguably) much worse than its benefits: alcohol-prohibition ring a bell?
Net result: more crime, not less. Lots of hardship for otherwise innocent people and for what? Because some people don't want other people to be intoxicated for the hell of it? Who do you think you are telling other people what they can or cannot do with their own mind and body?
Gradual increase in 'deterrents' has never wo
Re: (Score:2)
The problem with us Americans is that we think it is our sacred right to do whatever harm we want to ourselves. This is the idiocy of that overblown cornerstone of American democracy, "the right to pursue happiness". Alright, do whatever you want to pursue happiness, but not at my expense, my friend.
If you come to me on the street threatening to kill me for $20 needed
Re: (Score:2)
You are simply reiterating the same faulty argumentation you've been fed without any critical thinking. I think most sane people would agree that any crimes against others should be punished, including the addict that robs someone to satisfy his/her habit. There are laws for those crimes that are fine in and of themselves. The problem begins when people are pushed into crime because the act of using/possession is made an offense. Using drugs isn't a crime against anyone. Most other behaviour that only enda
Re: (Score:2)
There is a big difference between crime and organized crime. The latter should be stopped by all means.
If a person is showing even a sign of Crips, he should be executed on the spot. That is how organized crime should be dealt with.
Be sure... (Score:5, Funny)
I say we take off and nuke 'em all from orbit. It's the only way to be sure.
Re: (Score:2)
I nearly thought that one had slipped through the net.
so many only/lonely ways. (Score:5, Funny)
Re: (Score:2)
I dare say that whacking just the wife would be sufficient to put a stop to her cheating. Not to mention cheaper.
(Unless you have a 2-for-1 coupon from the local mob - no sense letting a freebie go to waste.)
From TFA... (Score:2)
Oh, *R*E*A*L*L*Y*? Gotta love some people's approach to security articles
Steve Gibson did something akin to this (Score:5, Informative)
I know he may not be [theregister.co.uk] the most favourite [theregister.co.uk] of people around here, but Steve Gibson was able to spy on the IRC command & control channel of a botnet a few years ago. It was precipitated by a DDoS on his site, which he investigated rather thoroughly.
Link to the article [grc.com] (...long article warning)
Some of the article is quite interesting, some is obvious, some is ego-boosting self-congratulatory statements, and some of it is his "teh XP can create complete 'UNIX sockets' OH NOES!" propaganda. Still worth a read, even if it is a few years old.
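What Gibson and Stewart both did amounts to a client that sits in the C&C channel, keeps the connection alive, and logs instead of obeying. The code below is an added example and not from either of their write-ups: it parses raw IRC lines per RFC 1459, answers only PING, and records channel topics and dot-prefixed channel messages as herder commands while filing everything else as drone chatter. The transcript, the nick "spy", the channel "#bots", and the "." command prefix are all constructed for the example. Run something like this only from an isolated host you are prepared to burn, since the herder can see you in the channel's user list.

```python
# Constructed server-to-client transcript (not a capture). Nick "spy" and channel "#bots" are assumed.
SAMPLE_SESSION = """\
:irc.example.invalid 001 spy :Welcome to the network
PING :irc.example.invalid
:spy!spy@observer JOIN :#bots
:irc.example.invalid 332 spy #bots :.scan 445 100 5
:herder!h@203.0.113.7 PRIVMSG #bots :.update http://example.invalid/x.exe
:drone42!d@198.51.100.9 PRIVMSG #bots :[SCAN] started on port 445
:herder!h@203.0.113.7 PRIVMSG spy :.login hunter2
"""

def parse_irc_line(line):
    """Split one IRC message into (prefix, COMMAND, params) per RFC 1459; the trailing ':' param is kept whole."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    command, params = parts[0].upper(), parts[1:]
    if trailing is not None:
        params.append(trailing)
    return prefix, command, params

class CncObserver:
    """Stays in the channel and records what is said; never executes or answers a bot command."""

    def __init__(self, nick, channel):
        self.nick = nick
        self.channel = channel.lower()
        self.commands = []   # (issuer, text): orders the herder gives the drones
        self.reports = []    # (drone, text): status chatter from infected hosts

    def handle(self, raw):
        """Process one server line; return a line to send back (only ever PONG) or None."""
        prefix, command, params = parse_irc_line(raw)
        who = prefix.split("!", 1)[0] if prefix else None
        if command == "PING":
            return f"PONG :{params[0]}"      # the one thing we must answer or the server drops us
        if command in ("332", "TOPIC"):      # many bots take standing orders from the channel topic
            chan = params[1] if command == "332" else params[0]
            if chan.lower() == self.channel:
                self.commands.append(("topic", params[-1]))
        elif command == "PRIVMSG" and params[0].lower() == self.channel:
            text = params[1]
            if text[:1] in (".", "!"):       # command prefix convention assumed for this example
                self.commands.append((who, text))
            else:
                self.reports.append((who, text))
        # private messages to us (e.g. a herder probing a suspected spy) are deliberately ignored
        return None

def observe(transcript, nick, channel):
    """Feed a whole transcript through an observer; return it plus the replies it would have sent."""
    obs = CncObserver(nick, channel)
    replies = [r for r in (obs.handle(l) for l in transcript.splitlines() if l) if r]
    return obs, replies

if __name__ == "__main__":
    obs, replies = observe(SAMPLE_SESSION, "spy", "#bots")
    print("sent:", replies)
    print("commands:", obs.commands)
    print("reports:", obs.reports)
```

The split between commands and reports is what makes the log useful: the command list tells you what the botnet is being told to do and where the payloads are hosted, the report list gives you the drone population.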
Re: (Score:2)
I was under the impression that since Windows XP SP2, Microsoft decided to disable raw sockets. Gibson's concerns were valid. There is no reason why there should be raw socket functionality on any consumer-level product. Raw sockets don't maybe make the computer itself more vulnerable, but they definitely can make it a bigger threat to other machines and networks, once compromised. The casual user doesn't use it and therefore won't even notice it's gone, not to speak of knowing about its existence in the f
Need to hold users responsible. (Score:5, Insightful)
Need to hold ISP's responsible (Score:5, Insightful)
In my experience, the cable installers are clueless. When I switched from DSL to Cable, the cable installers (two of them, one was a trainee) hooked up their cable to my router/hardware firewall and everything was fine. Then the senior guy asked if he could hook up their cable box directly to my computer to show the trainee how they normally do things. After booting into a spare version of the OS that I only use for maintenance (which is on a different partition than my regular OS), I let him hook his cable directly up to my computer, bypassing my router. Within about 20 seconds my antivirus program detected and reported a virus attack, although I forget the exact details because it was several years ago.
The point is that the cable installers connect their cable up to new subscribers' computers without even checking their virus protection, and the naive users' computers are probably infected before the installers drive away. The ISP would be far better off supplying hardware router/firewalls to their customers gratis because of the reduced traffic load from zombie computers.
they already do that. (Score:2)
Congratulations, you noticed the reason that studies show Windows has a 12 minute half life on any network.
The ISP would be far better off supplying hardware router/firewalls to their customers gratis because of the reduced traffic load from zombie computers.
The cable modem already does that but it does not work. They block outbound ports and limit the upload speed. You can't block the inbound ports because you would block services users would actually notice. Even if you could lock up everything
My ISP does this. (Score:2, Interesting)
(We play online poker ok?)
It got infected with this crap and started spewing spam. Primary cause of this is kid browsing BTW. They are the most likely to click on the baddies. Put 'yer kids on Linux or a Mac and lots of this just goes away.
Within a few hours I got a call on my cell. Asked me what I wanted to do. I said pull the plug if the box is still spewing in a few hours. (That was time enough for me to get home and deal.) I arrived home, pulled the plug on the offe
Re: (Score:2)
You must not deal with a lot of "normal" computer users. Believe me, the average user is at least as bad as any child you've left on one of your computers. Left to their own devices (ie without an IT department to baby them) these people will wreak all manner of havoc. But who am I to complain?
Deal. (Score:2)
2. I get tons of spam. Sometimes ~1000 per day. I don't think I've ever seen a poker spam. This is a myth and is normally trotted out by those opposed to the whole idea of online poker.
3. All of those comment spams are tied to affiliate accounts. Have a problem with them? Contact the site and send them the link to the spam. It will be dealt with. The spammer will likely lose thei
Re: (Score:2)
Not going to happen in a million years, I'm afraid.
See, I happen to be the resident security dude at an ISP (half a million customers). Management doesn't care and doesn't understand that this is a problem that needs attention. It's the customer's computer, monitoring traffic costs money, shutting out customers creates service calls (thus costing money), doing what no one else does m
Re: (Score:2)
ISP's need to inform people they have bots and if they are infecting other computers they need their internet access dropped. Tough love.
And this gets the ISPs more money in what way? Many ISPs can pull up and print out a list of infected hosts by worm and by the amount of traffic they generate. They can automatically integrate this into their notification system and send e-mail to the host's account or shut down access. They don't because then they have to answer the phone calls explaining what is going
Reinstalling is not always the answer (Score:2, Interesting)
Re: (Score:2, Insightful)
But how can you be _certain_ that you got them all, and that your boss is not still infected?
Re:Reinstalling is not always the answer (Score:4, Insightful)
Re: (Score:2)
If you're a malware exper
Re: (Score:2)
Well, kudos to you but the last two machines I tried that on, it didn't work. Processes were restarting, files were locked, files were copied back when I deleted them, safe mode or not. Perhaps if I had a rescue CD with uncompromised tools on it and could nuke everything from orbit then mayb
It's a circular zen thing.... (Score:2)
There's very few Windows machines which can't be fixed if all they have is a malware infection. All it normally takes is a reboot in safe mode, run an antivirus and a malware scan, then look in "...Whatever\Current_Version\Microsoft\Windows\Run " and google the names of all the
Next, uninstall anything made by Symantec from the machine. It's al
Re: (Score:2)
Just because you've found one piece of malware, or even ten, does not mean that you have found them all. The only way you can guarantee that you have got all of them is to re-install, and bring all of the latest security updates to the machine on rem
Server counterpart to this (Score:5, Informative)
For the record... (Score:2, Insightful)
However, sad but true... (Score:2)
However, even that might not help if the OS in question is Windows XP and not integrated with SP2 on the same CD, and you don't know what you're doing. (like disconnecting the network until you've installed SP2 that you of course had lying on another disc so you don't need to go online for it)
Pretty annoying what a highly flawed and widely spread OS can do.
Then beg for another activation (Score:2)
The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.
The only way to be sure on a WINDOWS system is to reinstall the operating system, something that Windows users just seem to accept. Then you have to beg MSFT to reactivate your operating system. If you reinstall routinely, some day they'll start acting like you're expected to pay for it...again.
I have one token XP Pro box on my network but don't routinely use it to s
Moo (Score:3, Insightful)
Or MD5 everything.
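Taking "MD5 everything" literally: the script below is an added example, not from the comment, that builds a hash baseline of a directory tree and diffs a later snapshot against it, with a constructed trojaned-ssh scenario in demo(). It uses SHA-256 rather than MD5. The caveat the article's quote is really about still applies: a kernel rootkit that is already loaded can hand the hasher the original bytes, so the comparison only means something when the hashes are taken from a clean boot medium and the baseline is stored off the box.

```python
import hashlib
import json
import os
import tempfile

def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hash_tree(root):
    """Map of path (relative to root, '/'-separated) to SHA-256 for every regular file under root."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):         # hash targets, not links, to avoid loops and double counting
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline

def compare(baseline, current):
    """Files that appeared, vanished, or changed between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}

def demo():
    """Constructed scenario: baseline a tiny 'bin' tree, then swap in a trojaned ssh and drop a backdoor."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ssh"), "wb") as f:
            f.write(b"original ssh\n")
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls\n")
        saved = json.dumps(hash_tree(root))  # in practice this string lives on another machine
        # what the attacker's install script does
        with open(os.path.join(root, "bin", "ssh"), "wb") as f:
            f.write(b"trojaned ssh\n")
        with open(os.path.join(root, "bin", "sshd2"), "wb") as f:
            f.write(b"backdoor\n")
        return compare(json.loads(saved), hash_tree(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real system you would baseline /bin, /sbin, /usr/bin, /lib and the kernel and modules right after install and after every patch run, and diff from a live CD, because a rootkit that replaced ssh has no reason to leave the hashing tool alone either.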
Live CD Virus Scanner (Score:4, Insightful)
reinstall troubles... (Score:3, Informative)
Yes, and your average user will quickly encounter another funny problem: He has a good chance to be infected again before the download of SP2 and/or other security updates he needs to not be re-infected, is finished...
No, no, no... (Score:2)
Re:Happened to me. (Score:5, Funny)
My house was robbed once...
It was one of those cheap houses, you know using old materials and not the best contractors (the doors and windows would not always close properly.)
even with fully locked doors, up to date alarm company subscription, and a dog.
Though that brand of locks uses one of five common keys, and the alarm company sometimes works with other companies to let marketers in, and the dog, as vigilant as he is, is just a dog and frankly pretty stupid.
For peace of mind, I decided blowing up the house was the best option. I've since moved to the woods and have been civilization free.
Actually it was more like a posh wooded suburb gated-community thing, where all the prices are higher and the selection is more limited, but the cars are to die for. I don't even associate with my old neighbors much anymore. My kids and wife are much happier and I have a lot less stress about stuff like that.
Now if it were Linux, you would probably be in the woods, in some commune, inside an abandoned high security military bunker, with a lot of really smart people that don't socialize all that well.
Re: (Score:2)
Humorous, but you've probably never been to a LinuxCon.
Too easy... (Score:5, Funny)
You probably had Windows...
Re: (Score:2)
You probably had Windows...
Funny thing, I bought this house in a nice area, but a short walk from a high crime area. It was built in the 50's out of concrete block (two blocks thick on the ground floor). All the windows on the ground floor were glass block and could not be opened. The upstairs was the real living area with lots of windows, but a full story (slightly higher than a normal house) up in the air. It had a back deck on the second story, with no stairs going down and with the deck overhanging t
Re: (Score:2)
mkdir
mkdir
mkdir
[...]
cd $basedir/bin
tar xfz $basedir/bin/ssh.tgz
[...]
cd $basedir/bin
mv
chattr -AacdisSu
cp
mv
chmo