
Meet the Botnet Hunters

ScuttleMonkey posted more than 8 years ago | from the volunteer-fun dept.


An anonymous reader writes "The Washington Post is running a pretty decent story about 'Shadowserver,' one of a growing number of volunteer groups dedicated to infiltrating and disabling botnets. The story covers not only how these guys do their work but the pitfalls of bothunting as well. From the article: 'Even after the Shadowserver crew has convinced an ISP to shut down a botmaster's command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'"
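A defender-side illustration of the stranded-bot behaviour in the summary, added here as an example and not code from the article or from Shadowserver: it scans a constructed DNS resolver log for hosts that keep re-resolving a taken-down C&C name (NXDOMAIN), and, because the article notes the botmaster may simply re-register the domain, it also flags any query for a watchlisted name regardless of the response. The log format, the domain and the client addresses are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log: "<iso timestamp> <client ip> <query name> <rcode>".
# 192.0.2.10 is a stranded bot beaconing every minute to a taken-down C&C name,
# 192.0.2.20 is a normal host with a couple of mistyped lookups, and
# 192.0.2.30 queries the C&C name after it has been re-registered (NOERROR).
SAMPLE_LOG = """\
2006-03-26T10:00:01 192.0.2.10 cnc.example.invalid NXDOMAIN
2006-03-26T10:00:03 192.0.2.20 www.example.com NOERROR
2006-03-26T10:01:01 192.0.2.10 cnc.example.invalid NXDOMAIN
2006-03-26T10:01:30 192.0.2.20 wwww.example.com NXDOMAIN
2006-03-26T10:02:01 192.0.2.10 cnc.example.invalid NXDOMAIN
2006-03-26T10:03:01 192.0.2.10 cnc.example.invalid NXDOMAIN
2006-03-26T10:04:01 192.0.2.10 cnc.example.invalid NXDOMAIN
2006-03-26T10:05:02 192.0.2.20 wwww.example.com NXDOMAIN
2006-03-26T11:30:00 192.0.2.30 cnc.example.invalid NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode


def find_stranded_hosts(log_text, min_hits=5, window=timedelta(minutes=10),
                        watchlist=()):
    """Return {client_ip: {query names}} for hosts that look like stranded bots.

    Two signals are combined:
      * repeated NXDOMAIN answers for the same name from the same client within
        a sliding time window (the "lost sheep" retry loop after a takedown);
      * any query for a name on the watchlist, whatever the rcode, so a domain
        the botmaster has re-registered and reclaimed is still caught.
    """
    watch = {d.lower().rstrip(".") for d in watchlist}
    recent = defaultdict(list)   # (client, qname) -> timestamps inside window
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, rcode = rec
        if qname in watch:
            findings.setdefault(client, set()).add(qname)
            continue
        if rcode != "NXDOMAIN":
            continue
        times = recent[(client, qname)]
        times.append(ts)
        # Drop timestamps that fell out of the window relative to this query.
        while times and ts - times[0] > window:
            times.pop(0)
        if len(times) >= min_hits:
            findings.setdefault(client, set()).add(qname)
    return findings


if __name__ == "__main__":
    print("NXDOMAIN retry loops only:", find_stranded_hosts(SAMPLE_LOG))
    print("with a watchlisted C&C name:",
          find_stranded_hosts(SAMPLE_LOG, watchlist=["cnc.example.invalid"]))
```

Without a watchlist only the host stuck in the retry loop is reported; adding the taken-down name to the watchlist also surfaces the host whose query now succeeds, which is the reclaim case the article warns about.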


194 comments


Botnet Hunters! (5, Funny)

blinkless (835747) | more than 8 years ago | (#14966688)

We don't need their scum.

Re:Botnet Hunters! (0, Troll)

GoodOmens (904827) | more than 8 years ago | (#14967128)

Knowing the (US) government, I bet this guy will be somehow charged for online criminal activities ....

Re:Botnet Hunters! (0)

Shads (4567) | more than 8 years ago | (#14967171)

I'm thinking if I were a botnet operator, I'd have my botnet computers set to automatically delete the entire system in the event they weren't able to contact the server after a given amount of time and after all possible backup sites failed. Make the botnet hunters' jobs real interesting ;)

Re:Botnet Hunters! (2, Insightful)

Anonymous Coward | more than 8 years ago | (#14967185)

I think I'd have them swarm karma whores who respond to unrelated first posts so they can get their "insight" near the top of the page.

Re:Botnet Hunters! (1)

kev0153 (578226) | more than 8 years ago | (#14967243)

Yes Sir

info on botnets (4, Informative)

flynt (248848) | more than 8 years ago | (#14966693)

Is there a central location that tracks the current largest botnets, what their purpose is, their communication mechanisms, etc? I googled and couldn't find much.

Re:info on botnets (2, Informative)

Anonymous Coward | more than 8 years ago | (#14967466)

Shadowserver have started something [shadowserver.org] akin to what you're looking for.

Hmmmm (1, Funny)

Anonymous Coward | more than 8 years ago | (#14966701)

Those first two paragraphs sound like a movie pitch. A weird movie pitch...

Botmasters will switch to distributed C&C (4, Interesting)

putko (753330) | more than 8 years ago | (#14966703)

Botmasters will switch to gossip-based protocols (like p2p) to achieve their goals. The good ones have done this already.

This is required for other reasons: if you have more than 10K or so bots, you are better off with a distributed mechanism.

Interestingly enough, most of the botmasters are not so technical - they wouldn't be able to comprehend virtual synchrony if it smacked them in the face.

Re:Botmasters will switch to distributed C&C (4, Insightful)

toad3k (882007) | more than 8 years ago | (#14966825)

What I don't understand is, if these guys can see every bot on the network and have an infected honey pot of their own, why can't they take control of the computers, tell them to pop up a "you've been infected, moron" window and format themselves? In the end it is probably better for the individual than allowing them to get keylogged etc.

Or are the backdoors they are using more sophisticated than that?

Re:Botmasters will switch to distributed C&C (3, Insightful)

sumdumass (711423) | more than 8 years ago | (#14966992)

I would imagine fear of the law and getting sued or thrown in jail. Not to mention popping open a window might be as unnoticed as the popup wanting to increase my member size. It would take some sort of government immunity to prosecution to avoid getting tangled in the same laws that make computer trespass illegal. Maybe some program that you can sign up with and keep detailed logs, or let them keep the logs.

Now on another note, if we did allow these people to do as you say and included the "I'm doing good, not evil" excuse, how many real attackers could use that as their claim to innocence when they do eventually get busted? I mean, if I can avoid prosecution for popping up a window that says "you're infected", I could end all my botnet attacks that way and make the window appear to be a standard popup from spyware that is also affecting the computer.

I don't see why the law isn't going after these botnet people like they would if I broke into some company's mainframe and used their computers to compile code. Maybe instead of having the ISP turn the domain off, they should alert the proper authorities (in each country involved) and see if they can get enough information to make an example of them. I doubt it would take more than a couple dozen prosecutions with maximum penalties to discourage the vast majority of these net operators from trying it in the first place.

Re:Botmasters will switch to distributed C&C (3, Insightful)

Otto (17870) | more than 8 years ago | (#14967075)

I would imagine fear of the law and getting suied or thrown in jail.

So, here's a clue: Don't tell anybody you did it.

I mean, really. Make a popup or something that says you've been infected to the users, or better yet, just have the bot kill itself quietly and not do anything else. No need for it to be damaging; it's enough to have the bot just stop running and kill its own restart sequence. Voila, instant botnet death.

Hell, maybe it's a normally available patch that just hasn't been applied, in which case opening Windows Update in a browser window might be enough to get the user to apply the patches, thinking that Windows did it itself, like it's actually prone to do sometimes.

I can think of dozens of ways to avoid prosecution. Hell, this guy has a hard enough time getting the botnet OWNER in trouble, injecting a few commands into the network that you know will do some good and not do any actual harm should be freakin' trivial.

The first rule of not getting in trouble is not getting caught.

Re:Botmasters will switch to distributed C&C (1)

raduf (307723) | more than 8 years ago | (#14967321)

Making examples doesn't really... feel ok. Many of us had our "rebel days" in our youth, and I wouldn't have liked getting thrown in jail with a permanent record for remotely rebooting someone's server. Not that I ever did that of course :) but I could have. The real problem is that it takes too much effort to catch all those guys "by hand". Catching a few and chopping their right arm may work, and I may even go with it, but I'll never like it. And I wouldn't advertise it either.

Re:Botmasters will switch to distributed C&C (1)

99BottlesOfBeerInMyF (813746) | more than 8 years ago | (#14967476)

I would imagine fear of the law and getting suied[sic] or thrown in jail. Not to mention poping[sic] open a window might be as unoticed[sic] as the popup wanting to increase my member size. It would take some sort of government imunity[sic] to prosecution to aviod[sic] getting getting tangled in the same laws that make computer tresspass[sic] ilegal[sic].

I can back you up here. I know some security researchers who monitor botnets and they don't shut them down for legal reasons. They do get the command networks killed when they start to be maliciously used. As an aside, some of the botnets are actually honeynets and every now and again a researcher will share some logs that show them monitoring one another while posing as "legitimate" botnet operators.

Re:Botmasters will switch to distributed C&C (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14966993)

why can't they take control of the computers, tell them to pop up a "you've been infected, moron" window and format themselves?

Because it would be illegal.

Just like you can't hang a nigger to the next tree anymore without answering tedious questions and paying a fine.

Re:Botmasters will switch to distributed C&C (0)

Anonymous Coward | more than 8 years ago | (#14967043)

I disabled a few botnets a couple years back, and yeah, it's totally possible to do that. In fact, I made a pop up to say they were infected, then disabled the bot. The basic plan is, get the viral code, check how it runs, figure out what exactly controls it, find bots, control them to stop being bots.

Re:Botmasters will switch to distributed C&C (1)

arivanov (12034) | more than 8 years ago | (#14967077)

For 90% of the zombies out there, even if the computer screams through the speakers "You are infected, moron" and displays this on screen permanently, the owner will not clean it up. At best they will call Dell and tell them that the spanking new PC they bought one week ago has broken speakers.

Just history repeating itself.

Nearly 14 years ago, when I lived in a country on the other side of what used to be the iron curtain, I saw one of these cases with my own eyes. Two newly fledged "politology scientists" (no comment on what they were in reality) with some fresh funds from USA donors for a "freedom of information study project" bought themselves the highest possible spec new PC with the biggest and baddest monitor they could buy. It was mostly used by their kids to play tetris and a few other games (the "scientists" did not know how to use a computer). As usual, in a few days it was thoroughly infected, including that funny virus that used to drop the letters down on the screen (SWAP, Cascade or something like this). They looked at it and took the monitor in for repairs, screaming that they had been sold damaged goods. We were getting parts from the same supplier so I had about an hour of free entertainment listening to the tech trying to tell the stupid "politically aware c**t" that she is infected.

So making the bots scream at their owners will have no effect. Besides that, it is illegal under US, UK and a few other countries' laws.

Re:Botmasters will switch to distributed C&C (2, Informative)

diegocgteleline.es (653730) | more than 8 years ago | (#14967095)

why can't they take control of the computers, tell them to pop up a "you've been infected, moron" window and format themselves?

Those bots "patch" the backdoors so nobody else can get in through the hole.

I've done something similar (5, Interesting)

c6gunner (950153) | more than 8 years ago | (#14967106)

Formatting the guy's HD might be a little extreme, but back when I actually used IRC, I used to get bots trying to infect me all the time. So I'd run the file, capture and analyze the packets it sends as it's connecting, then shut it down, reconnect using mIRC, and take over the botnet. From there it was a simple matter to get them to accept a script which would eradicate all the bots.

They're getting more complex these days, but the same principles still apply. Once you get one on your system, it's a simple matter to analyze it and use it to take control of, and destroy, the rest of them.

Re:Botmasters will switch to distributed C&C (0)

Anonymous Coward | more than 8 years ago | (#14967354)

From my experience as a botmaster when I was a stupid teenager, 95% of bot files actually have an uninstall command. All one would really need to do is get the .exe file the botmaster uses to infect individuals (it sits on all the infected computers, just gotta know where), decrypt the .exe and most of the time you can view the output from the decryption as a text file. Just look through that and it'll almost always give you a list of commands as well as server information and such (since most n00bs use IRC servers). With this info, if any of you run into bot files, wipe those botnets clean and purge the earth of scriptkiddies.

Re:Botmasters will switch to distributed C&C (1)

ostiguy (63618) | more than 8 years ago | (#14967154)

Why would a bot master want to use a protocol that likely has packet signatures on IDS/IPS? Or packet shaping signatures on educational/ISP networks that might manage bandwidth but not content?

delete themselves (2, Interesting)

Anonymous Coward | more than 8 years ago | (#14966709)

There should be a way to reverse engineer the clients so that they can delete themselves. I'm not exactly a botnet admin, but they have file access from what I have learned. Should they not just be able to use a friendly botnet server to tell the computers to delete the client software?

Re:delete themselves (2, Insightful)

Soporific (595477) | more than 8 years ago | (#14966728)

I believe you would be able to do that; however, then you take on the liability of screwing up people's machines even more or causing some other unforeseen problem.

~S

Re:delete themselves (0, Redundant)

Tweekster (949766) | more than 8 years ago | (#14966950)

They are running a botnet, screw them. They obviously didn't notice the botnet (and more than likely the huge amounts of spyware), so basically I wouldn't feel guilty breaking a half functioning system.

Re:delete themselves (2, Informative)

Furp (935063) | more than 8 years ago | (#14967060)

When you issue a command or code to cause a botnet to self destruct, you are crossing the line from greyhat hacking to blackhat hacking. You're no longer a witness. Which also makes you liable under whatever laws exist in your country of residence for hacking, because you're gaining illicit access to their computers (the infected botnet) and accessing data (causing the botnet to self destruct).

Which is why if you're going to do botnet hunting you either get to ally yourself with law enforcement and contact the ISPs, or kill the botnets. Personally I would prefer the safer of the two.

Re:delete themselves (0, Flamebait)

Tweekster (949766) | more than 8 years ago | (#14967085)

And I again say: WHO CARES? Cross the line for a moral good. Just don't get caught and try not to cause any more damage than the botnet host has already suffered.

Re:delete themselves (1)

Furp (935063) | more than 8 years ago | (#14967237)

Well, depending on your personal ethics, the moral ground isn't the important one to be considering. It's the legal one. I do have a little experience with the amazing abilities of the judicial system to screw people over, and I would really NOT want to put myself in that situation. Causing damage is exactly what you would be doing by making the botnet self destruct. It's not a matter of weighing which is more damage, leaving the botnet up or destroying it, it's a matter of the fact that you're causing damage in the first place. And that's the way the courts will look at it.

Re:delete themselves (1)

Tweekster (949766) | more than 8 years ago | (#14967264)

Well, figure this: since the botnet creator isn't being gone after when they ARE being destructive... what are the chances they will come after you when you more than likely wouldn't be destructive (unless a freak accident)... I would guess less than zero. They are not doing anything about the damage being done now... why would that change if something went awry and caused some minor problems? The fact that the courts will never be involved is the key point; the system currently is doing nothing about the botnets to begin with and has no ambition to at this point. If they have no interest in it, they will not bother with you either.

Re:delete themselves (2, Insightful)

Furp (935063) | more than 8 years ago | (#14967281)

Unless the FBI or some other TLA is involved (Either from the USA or other countries), and are already monitoring the botnet and gathering evidence for prosecution? Quite honestly, issuing a command like self destruction would seem like the criminal is ditching and running, and they would have your IP address at that point...

Again, that's a lot of risk to be taking on. Because there *are* convictions for people running botnets, which means that there *are* governmental agencies monitoring some of them, trying to catch the ringleader(s).

Re:delete themselves (1)

glas_gow (961896) | more than 8 years ago | (#14967410)

Forget actually propagating the self-destruction of bots, even thinking about unauthorised access is an offense punishable by law.

They are on the web (5, Informative)

9mm Censor (705379) | more than 8 years ago | (#14966723)

www.shadowserver.org/

Bitter irony, Slashdot is thy home (or hangout...) (5, Funny)

The_REAL_DZA (731082) | more than 8 years ago | (#14966731)

"...Albright sent an e-mail to the FBI including all the evidence he collected about the attack..."
Apparently, Mr. Albright doesn't frequent Slashdot [slashdot.org] or watch CNN...

Domain.. (3, Insightful)

onion2k (203094) | more than 8 years ago | (#14966733)

In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.'

Why don't the hunters register the domain for themselves? Or just ask the registrar controlling it to transfer it to their control? If the botnet owner tries to complain it's been hijacked he'd have to explain the botnet..

Re:Domain.. (1)

Mr. Funky (957139) | more than 8 years ago | (#14966809)

Or have the top-level provider block it with a 'REGISTRAR-LOCK'.
It is very hard to get that unlocked, I found out :(

Re:Domain.. (1)

BoRegardless (721219) | more than 8 years ago | (#14967392)

& then...

Issue a reformat command ;-)

Great plot! (4, Funny)

Rob T Firefly (844560) | more than 8 years ago | (#14966744)

This whole loose-knit bunch of humans doing their part against a force of cold, malignant bots has a great edge to it! Someone should make a movie or three [wikipedia.org] like this.

Oh, I don't know... (2, Funny)

Channard (693317) | more than 8 years ago | (#14966768)

...with all this mention of 'The Botmaster' it sounds more like a cue for a gay porn movie with a Neuromancer style theme.

Re:Great plot! (1)

CCFreak2K (930973) | more than 8 years ago | (#14966777)

Spoilers.

Isn't that what SkyNet is? A big botnet? A self-aware one, anyway.

Interesting Deal (1)

DeadManCoding (961283) | more than 8 years ago | (#14966758)

So, these guys find botnets, collect the info to have them shut down, and then get the channel shut down? While this is great, it does little to stem the tide of bots. Adware/spyware and viruses are still being made to create more bots. So, while Shadowserver goes after the host servers, there are still millions of computers that are infected and transmitting, including that physician that was sending patient data!! If we really want to shut botmasters down, we need to battle the root of the problem. Unfortunately, we're still not allowed to kill off the bottom of the gene pool. Either that or switch from XP to a better OS platform that has fewer known vulnerabilities (Mac, *nix).

Re:Interesting Deal (2, Informative)

Arkan (24212) | more than 8 years ago | (#14966941)

Would you have RTFineA, you'd have noted the following:

"A few months ago, Taylor became obsessed with tracking a rather unusual botnet consisting of computers running Mac OS X and Linux operating systems."

I bet that your plan for security through statistics isn't looking good.

The final and ultimate answer to bots, spyware and such is knowledgeable users. I've been called an extremist when advocating a few years ago for a mandatory licence to get the right to connect a home PC to Internet, and I still think that it should be implemented: given the pile of cash those frickin' viruses and worms cost us, it should no longer look like a stupid idea pretty soon.

--
Arkan

Re:Interesting Deal (1)

DeadManCoding (961283) | more than 8 years ago | (#14967148)

Ugh, hate it when I miss that stuff... I will agree with you that we need more knowledgeable users, but consider everything that has to go into an "internet surfing" license. I just don't know if that's going to be possible.

Re:Interesting Deal (1)

dnixon112 (663069) | more than 8 years ago | (#14967133)

So how does switching to Mac or *nix help when, like the article points out, the majority of infections come from clueless users who click on unknown e-mail attachments?

Danger, Will Robinson (0, Flamebait)

Mr. Funky (957139) | more than 8 years ago | (#14966765)

Nice until they run into a mobster-botmaster with a gun.
This is a task for the government, not for pimpled nerds.
Just my 2c...

Re:Danger, Will Robinson (1)

FirmWarez (645119) | more than 8 years ago | (#14966839)

I must be the only nerd here who wears a shoulder holster to work. (and no, I'm not a cop)

Re:Danger, Will Robinson (2, Funny)

Tweekster (949766) | more than 8 years ago | (#14966888)

oh no a pimply faced "mobster" might come after you.... give me a break

Re:Danger, Will Robinson (3, Informative)

Zak3056 (69287) | more than 8 years ago | (#14966970)

Nice until they run into a mobster-botmaster with a gun.
This is a task for the government, not for pimpled nerds.
Someone needs to be doing it, and the story indicates that government just isn't interested in this--and even if they are, they can't seem to successfully prosecute. The end of the article really jumped out at me:

"Our data can't be used to gather a warrant," Albright said. "Law enforcement has to view the traffic first hand, and they are limited on what and when they can view."
How can there be any legal barriers here? Is this supposed to be some twisted view of the 4th amendment?

Re:Danger, Will Robinson (2, Insightful)

ArcherB (796902) | more than 8 years ago | (#14967544)

"Our data can't be used to gather a warrant," Albright said. "Law enforcement has to view the traffic first hand, and they are limited on what and when they can view."

How can there be any legal barriers here? Is this supposed to be some twisted view of the 4th amendment?
--
What part of "shall not be infringed" is so hard to understand?
I think your sig says it all!

If people bitch when the NSA listens to calls from suspected terrorists, who are not in the US and not citizens, could you imagine the outcry if the gov't started sniffing packets? (OK, OK, I'm sure they already do... and people bitch about it.)

Re:Danger, Will Robinson (1)

couchslug (175151) | more than 8 years ago | (#14967108)

Which network protocol supports the transmission of bullets?

Drones (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14966785)

Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists.

Since we're discussing drones, wouldn't a more appropriate analogy have been "like lost bees without a queen"?

Re:Drones (0)

Anonymous Coward | more than 8 years ago | (#14967594)

Yeah, well, except for the fact that bees don't do what their queen says that would be a great analogy. (rolls eyes.)

Be vewy vewy quiet... (5, Funny)

Tackhead (54550) | more than 8 years ago | (#14966787)

Be vewy vewy quiet! We're hunting botnets!

Buggy bot: Would you like to shut us down now or wait 'till you get home?
Daffy fuck: SHUT HIM DOWN NOW! SHUT HIM DOWN NOW!
Buggy bot: You keep out of this. He doesn't have to shut you down now.
Daffy fuck: He does SO have to shut me down now! I demand that you shut me down now. (Nyeah!)

Spammer: daffy# shutdown -now
Botnet: *reboots*

Daffy fuck: Let's read those logs again.
Buggy bot: Okay. bugbot: would you like to shut us down now or wait 'till you get home?
Daffy fuck: daffy: shut him down now
Buggy bot: bugbot: you keep out of this, he doesn't have to shut you down now
Daffy fuck: Aha! Hold it right there. DNS cache poisoning. It's not 'he doesn't have to shut you down now', it's 'he doesn't have to shut me down now.' Well, I say he does have to shut me down now! So shut me down now!

Spammer: daffy# shutdown -now
Botnet: *reboots*

Secure SMTP? (3, Interesting)

RunFatBoy.net (960072) | more than 8 years ago | (#14966807)

So many of these Botnets are used to send SPAM. I get a gut feeling that efforts would better be expended on getting widespread adoption of a more secure, universal SMTP protocol.

-- Jim http://www.runfatboy.net/ [runfatboy.net]

Re:Secure SMTP? (1)

morcheeba (260908) | more than 8 years ago | (#14966889)

That would help in detection, but what's to stop the bot from using the host-computer's credentials? Most machines are set up to send email already.

Re:Secure SMTP? (1)

ArcherB (796902) | more than 8 years ago | (#14967388)

Banning email is a not-so-subtle way of notifying admins that their servers have been compromised. Maybe when a few CEOs find that their staff can't send emails, they'll hire some competent admins.

Re:Secure SMTP? (1)

drinkypoo (153816) | more than 8 years ago | (#14967584)

The problem is frequently not a lack of admin competency, but a lack of corporate willingness to do what IT says. CEO goes to IT, says, "Mister IT Man! It hurts when I do this!" IT guy says "Well, don't do that" and CEO says "What, are you fucking crazy? I want to play my ActiveX games! I like clicking on everything that comes into my inbox! Go fuck yourself!" And so, the security never improves.

botnets remain undetected (1)

digitaldc (879047) | more than 8 years ago | (#14966815)

"However, now I see how many malicious files tied to major botnets remain undetected" by the most popular anti-virus programs.

Sounds like a golden opportunity for ingenious programmers to design something to seek out and destroy these botnets, and then sell it to Microsoft for a fortune.
Another [eweek.com] botnet hunter article from eWeek.

Spyware Scanners Don't Work (3, Insightful)

michaelhood (667393) | more than 8 years ago | (#14966837)

FTA: "I know many users within my former organization who felt that anti-virus and spyware scanning would save them," Di Mino said. "However, now I see how many malicious files tied to major botnets remain undetected" by the most popular anti-virus programs.

This, unfortunately, is the most common viewpoint from end-users and IT alike.

It's unfortunate because it's so dangerously inaccurate. Lots (LOTS) of spyware is not detected by any of the mainstream detection applications. The best solution I've found is using HijackThis to manually remove suspicious entries, but this is hardly a feasible solution for the average user.

Re:Spyware Scanners Don't Work (1)

Otto (17870) | more than 8 years ago | (#14967029)

FTA: "I know many users within my former organization who felt that anti-virus and spyware scanning would save them," Di Mino said. "However, now I see how many malicious files tied to major botnets remain undetected" by the most popular anti-virus programs.

So WTF? Why is he not forwarding these files on to the major anti-virus vendors like the good netizen he claims to be? ALL of the major vendors have submission mechanisms and are glad to work with researchers to detect this sort of thing. Is this guy sitting on his hands or what?

Things don't get better until people MAKE them get better.

Re:Spyware Scanners Don't Work (1)

jimwelch (309748) | more than 8 years ago | (#14967143)

From the website [http://www.shadowserver.org/news.php] Methods/Mission...

Shadowserver is responsible for:
* Analyzing and reducing cyber-threats and vulnerabilities against potential targets.
* Disseminating cyber threat information
* Coordinating incident response
* Disassembling and sandboxing viruses and trojans.
* Tracking and reporting on botnet activities.
* Monitoring and reporting on malicious attackers.
Shadowserver works alongside other security agencies such as CERT/CC, InfoTex, Dshield, Drone Armies, ISC, Whitestar, and Nepenthes to establish and coordinate defensive strategies.

Re:Spyware Scanners Don't Work (1)

TubeSteak (669689) | more than 8 years ago | (#14967044)

AFAIK, a program like TCPView [sysinternals.com] will show all incoming and outgoing connections to your windows box.

I pop it up from time to time just to make sure nothing odd is going on.

It's also handy because it allows you to close the connection any malicious program is making. Very very useful when the program is stealthed & won't show up in the task manager.

Re:Spyware Scanners Don't Work (1)

0xA (71424) | more than 8 years ago | (#14967058)

The best solution I've found is using HijackThis to manually remove suspicious entries, but this is hardly a feasible solution for the average user.

This is part of the problem though. When someone finds a piece of malicious software they often fail to submit it to the AV and anti-spyware companies so definitions can be updated. I'm guilty of it myself in the past as well, but we do need to be responsible community members.

Re:Spyware Scanners Don't Work (4, Informative)

crabpeople (720852) | more than 8 years ago | (#14967434)

Ewido [ewido.net] and HijackThis, when both run in safe mode (with networking so you can get updates), clean them up once and for all. I have yet to encounter anything that persisted after these two steps were taken and an antivirus package was installed on the machine. Anything remaining after that point is probably a semi-legitimate (borderline adware) system service or some sort of hard to detect rootkit. At the risk of being flamed, I would recommend the Norton AV Corp 10x series from Symantec. It's corporate, so none of the gay activation or useless slow features, and in this release they have started to detect certain spyware as viruses. Most people are turned off of Symantec for their absolutely garbage, horrid products such as NIS. Symantec is a big company and their corporate shit has been for the most part reliable.

The most important thing is to do all this in safe mode. Most people don't even do that, so what can you do?

Re:Spyware Scanners Don't Work (1)

drinkypoo (153816) | more than 8 years ago | (#14967561)

Symantec is a big company and their corporate shit has been for the most part reliable.

I haven't used SAV10 but SAV9 was pure, unadulterated garbage. Whether managed or not, clients would stop getting updates and never start again until the client was uninstalled and reinstalled. This went both for program updates and virus definitions. It's also the second-slowest virus scanner in common use (behind Kaspersky Labs' AVP[oo]).

You can recommend anything you like, and I won't even flame you, but SAV is crap. I was using SAV9 Corp on my home desktop box - under school licensing - but it turned out that AVG Free did a better job in every way. Symantec is also among the slowest when it comes to making the virus definition updates, probably because they know their corporate client will freak out and stop downloading them anyway.

I hope the BBC read that. (0)

Anonymous Coward | more than 8 years ago | (#14966882)

It will show them how to write a technical article properly.

A different approach (3, Insightful)

laursen (36210) | more than 8 years ago | (#14966883)

Why not simply convince the ISPs to block infected machines from accessing the internet to start with? They [the ISPs] can probably easily spot botnet traffic and could seriously stop botnets.

Just my 2 cents.

Re:A different approach (1)

955301 (209856) | more than 8 years ago | (#14966978)

By mac address? Then just infect future systems with software which will try multiple mac addresses as well to get around the blocks.

Re:A different approach (1, Insightful)

Anonymous Coward | more than 8 years ago | (#14967022)

Why not simply convince the ISPs to block infected machines from accessing the internet to start with?
'Cause they are too busy throttling that nasty VoIP traffic that might compete with their "business partner", the local telco.

Re:A different approach (1)

redelm (54142) | more than 8 years ago | (#14967040)

Yes. Some ISPs do just that. SBC blocks outbound port 25 used to send spam. If you run your own sendmail, you can request it be unblocked.

This reduces the attractiveness of SBC machines to host bots. But SBC cannot block ports like 80 (HTTP), so SBCbots can still be used for DDoS.

Hey, I've seen that mentality before! (5, Funny)

eldavojohn (898314) | more than 8 years ago | (#14966908)

Like lost sheep without a shepherd, the drones will continually try to reconnect...
Sounds like my sister when her cell phone cuts out.

Turn your computer off (3, Insightful)

gatkinso (15975) | more than 8 years ago | (#14966914)

Only a partial solution (not even really a solution), but many of the hijacked PCs are left on all night to spew their viagra spam to the net or take part in DoS attacks (or whatever the hell they do).

So... turn your computer off when you are not using it.

Hell, you will even save some electricity while you are at it.

Seems like taking 8 or 9 hours out of the day for the bot to actually operate will at least decrease some of the traffic these bots are generating.

The practice people have developed of leaving their computers on 24/7 should stop... unless of course the computer is doing something more productive than generating elaborate mazes of 3 dimensional plumbing schemes.

Re:Turn your computer off (1)

CagedBear (902435) | more than 8 years ago | (#14967305)

Yes! I also tell users to press the standby button on top of the cable modem every time they walk away from the computer. They always ask me what that button does. How come the cable co. doesn't explain it when they install the darn things???

Re:Turn your computer off (1)

pnuema (523776) | more than 8 years ago | (#14967528)

The practice people have developed of leaving their computers on 24/7 should stop

I don't know about anyone else, but 100% of the hardware failures I have had have been during a cold reboot. Keeping your hardware warm keeps it alive longer.

More information on same subject (4, Informative)

smooth wombat (796938) | more than 8 years ago | (#14966916)

I don't normally check the Washington Post site but after reading the article I went to the main page to see what was there. Near the bottom of the page, in a section called Security Fix, Brian Krebs had posted a story on March 9th titled 'Shadowboxing with a Bot Herder' wherein he talks about his conversation with a botnet owner called Witlog.

Besides the usual info about how many PCs he had infected (30,000 by his count) and how he had done it (found software on a site), there was this bit at the end of the article from Symantec:

According to stats released this week by computer security giant Symantec Corp., the most common computer operating system found in botnets is Microsoft's Windows 2000, an OS predominantly used in business environments. Indeed, the vast majority of bots in Witlog's network were Win2K machines, and among the bots I saw were at least 40 computers owned by the Texas state government, as well as several systems on foreign government networks. At least one machine that he showed me from his botnet was located inside of a major U.S. defense contractor.

The permanent link for the article can be found here [washingtonpost.com] .

Re:More information on same subject (1)

Covetous Knight (957894) | more than 8 years ago | (#14967087)

Yup. That story was posted to the front page [slashdot.org] of Slashdot as well.

And he didn't get a visit? (1, Insightful)

SomeoneGotMyNick (200685) | more than 8 years ago | (#14966929)

Let me get this straight. Summing up TFA, he found evidence of the bots, even saw personal medical info, and turned it in to the authorities WITHOUT any suspicion cast his way????

If I would have done such a good deed (and it was a good deed in my book), I'd have probably been hauled off for questioning. That's the fear as to why I don't "get involved" trying to stop these jerks myself.

Better ways to stop them... (4, Insightful)

Otto (17870) | more than 8 years ago | (#14966973)

First, if you can access the botnet to the degree at which this guy claims to be able to do, then you can take control of it. And with any decent botnet, you can make the things run arbitrary code. With only minor analysis of the bot, you could make the entire network self-destruct without too much difficulty. Have it kill its own startup-on-reboot sequence, then have it create a new RunOnce to delete its own executable on reboot. Then shut down or force a reboot or just pop a message up on the screen telling the user he's been infected. As soon as somebody notices they'll likely reboot and possibly install updates and patches to their bloody machine.

This is less risky than the obvious angle of simply patching the box so it can't get infected, because you know that the bot is not supposed to be running on the machine in the first place. Patching the box might go bad or have other unknown consequences, but having the bot kill itself is not nearly as bad. And by possibly informing the user of the facts, you can still scare them into patching their box. Screw shutting down the botnet owner's connection, shut down the botnet itself. Take away their tool in one swift stroke. Make 'em have to build a new one, hopefully from a whole new set of boxes.

Re: Better ways to stop them... (1)

jimwelch (309748) | more than 8 years ago | (#14967109)

I can not even count the number of laws that this violates! (see line 2 below)

From shadowserver Mission Statement:

  Shadowserver is NOT
      A vigilante group
      A "hack the hackers" group
      A money-making venture
>> less risky
No, this is a big risk. The cure is worse than the disease!

Wrong (1)

mabu (178417) | more than 8 years ago | (#14967174)

Vigilantism is still against the law in this case. Computer tampering is computer tampering.

The solution to this problem is to put a few of these guys in jail. The solution is for the feds to get off their goddam lazy asses and prosecute these people. You don't poke around in someone's compromised computer, for good or evil.

What these people are doing is against the law and it has always been against the law. The problem we have is that the law enforcement authorities seem more obsessed with Tommy Cheech selling bongs online than they are real gangs of organized criminals who are interfering with commerce, privacy and national security. Go figure?!

Why the FBI doesn't act (3, Informative)

kilodelta (843627) | more than 8 years ago | (#14967009)

The FBI wants there to be a minimum of $20,000 of verifiable loss before they'll even send an agent out.

I know this from having been an I.T. guy for a state prosecutors office. We had to do everything ourselves and did we ever.

Re:Why the FBI doesn't act (1)

Tweekster (949766) | more than 8 years ago | (#14967129)

Simply make up a number... do it like the big corps do: Yes, that infected 500 of our machines at $2000 a piece... Hey, it works everywhere else. You can easily bullshit like that and the FBI won't care or know as long as they get to be involved with a big money item like that. AT&T tried to do that years back claiming a document that was secret cost like $100,000+ to produce (they included the entire year's salary of the person to type it, the computer, the printer).

Re:Why the FBI doesn't act (1)

enrgeeman (867240) | more than 8 years ago | (#14967570)

I remember that, the E911 document. I can't remember if it was $7 or $12, but it ended up that they were selling it for less than $20, for the full version, not the edited one.

Re:Why the FBI doesn't act (1)

Frobisher (677079) | more than 8 years ago | (#14967187)

Most of them don't have email addresses...

An analogy.. (2, Funny)

mattpointblank (936343) | more than 8 years ago | (#14967016)

So in a way, these guys are the Buffy (Season One) to the Botnet's Master? They "slay" the host machine, the source of the trouble, but all the undead zombies are left lurching and crippled, waiting for someone else to lead them, who of course, eventually shows up. ... so, can someone hook me up with the main Shadowserver girl?

Great fun for geek kids! (2, Funny)

Anonymous Coward | more than 8 years ago | (#14967034)

I used to do that back in the day.

1> Search for EXEs off the latest P2P network or skulk around in some IRC channel until some chap offers it to you.

2> Take apart that self-extracting zip and look through the mirc script.

3> Work out where they're sending their zombies. Masquerade as a bot for a bit.

4> Figure out a way to issue commands to the bots if possible.

5> Figure out a generic command to issue that stops the bodged mirc from launching or removes it outright.

6> Send it and laugh like a crazy fool at those 74M3RZ as they curse you and your silly bot-killing ways.

Ahh, the folly of youth.

Sad...but true. (2, Interesting)

RagingFuryBlack (956453) | more than 8 years ago | (#14967064)

"Anything you submit to law enforcement may help later if an investigation occurs," he said. "Chances are, though, it will just be filed away in a database."
I'm forced to wonder here. Why exactly won't Law Enforcement take care of a case that they're handed? I mean, last time I checked, someone handing you your entire case takes no effort whatsoever to investigate. If you take down some of these botmasters, you may see a lot of people start backing off as they'll realise that people committing the crime are in fact being prosecuted.

Then again, this is the US Government we're talking about here.

Re:Sad...but true. (3, Insightful)

CagedBear (902435) | more than 8 years ago | (#14967390)

They said it in the article. Data handed to the fuzz by a civilian isn't admissible before a judge. They can only use the information to aid in launching their own investigation, which of course requires resources.

Nintendo R.O.B. (1)

saboola (655522) | more than 8 years ago | (#14967092)

Call me when they start a group of hunters for the Nintendo R.O.B. [wikipedia.org] . They are the bots we should be really watching out for.

rerun (1)

psbrogna (611644) | more than 8 years ago | (#14967134)

Wasn't this an episode of Stargate: SG-1?

Re:rerun (0)

Anonymous Coward | more than 8 years ago | (#14967307)

Yes. Except MacGyver used real bots made of some pipe cleaner and retractable pen springs.

Unusual, but Not Impossible (4, Interesting)

Quantam (870027) | more than 8 years ago | (#14967165)

A few months ago, Taylor became obsessed with tracking a rather unusual botnet consisting of computers running Mac OS X and Linux operating systems.

As that means that there are large numbers of breachable OS X and Linux machines out there, that pretty much puts to death the myth that OS X and Linux are sufficiently secure out of the box.

Re:Unusual, but Not Impossible (1)

DevanJedi (892762) | more than 8 years ago | (#14967280)

I don't think many people make the claim that "Unix" and OSX are _sufficiently_ secure out of the box, though that may be the perception. Security is always _comparative_; OSX is more secure than XP out of the box. Also, saying "Unix" doesn't mean much unless we are talking about a particular distribution of Linux or a particular variety of UNIX (BSDs, HP, Sun). In both cases, the out-of-the-box security varies vastly from distribution to distribution.

Re:Unusual, but Not Impossible (1)

Dan Ost (415913) | more than 8 years ago | (#14967484)

This has nothing to do with how secure the underlying OS is. These botnets aren't created by system vulnerabilities. They are created by users who execute untrustworthy code.

Re:Unusual, but Not Impossible (1)

drinkypoo (153816) | more than 8 years ago | (#14967613)

Well, actually, botnets ARE sometimes created through worms that exploit insecurities in the host OS. It's just that it's more commonly done the other way, and we have no way of knowing how these particular systems were exploited at the moment.

At what cost? (2, Insightful)

trazom28 (134909) | more than 8 years ago | (#14967263)

From TFA...

"Now 27, Albright supports his wife and two children..."

"I take my [handheld computer] everywhere so I can keep tabs on the botnets when I'm not at home," Albright said in a recent online chat with a washingtonpost.com reporter. "I spend at least 16 hours a day monitoring and updating."

Anyone else consider this sad? He's putting so much of himself into the work.. when does he have time to be just "dad" ? If the start of all this was his father's suicide.. maybe he could use a few sessions to deal with his anger, rather than what he is doing now. I don't think it's worth the price.. but then again, I'm a father who actually ENJOYS spending time with his kids.

Re:At what cost? (1)

horngod25 (520622) | more than 8 years ago | (#14967380)

I was kind of thinking the same thing. The guy's spending hours and hours doing a job (for free) that does very little to eliminate botnets in the grand scheme of things. Meanwhile, his children are probably growing up with very little paternal influence. It sounds to me like this guy needs a SERIOUS lesson in perspective...

These guys need a grant. (0)

Anonymous Coward | more than 8 years ago | (#14967267)

Know what these guys need? A nice fat ass federal grant, since they're basically taking over where major agencies have failed.

If you've ever seen what kind of shite gets greenlit for grants, you know these guys are deserving of some sort of financial backing.

Easy way to shut down value of botnets (0)

mabu (178417) | more than 8 years ago | (#14967295)

Most botnets are used for spamming. An analysis of the majority of inbound spam clearly shows most of the traffic coming from unauthorized SMTP relays set up in broadband IP space. The main advantage to setting up botnets is to do mass-mailing from a large pool of IP addresses that have the best chance of getting around RBLs. Spamming is the primary revenue source for botnets and also the primary manner in which machines are infected.

Some ISPs recognize this issue and are dealing with it. Some are not.

The solution is very simple: filter port 25 traffic from broadband IP space.

Let me repeat this, because it's real simple.. it's so goddam simple that we're now to a point where any ISP that doesn't do this should be considered grossly negligent and a spammer themselves.

Some ISPs are responsible and some are not. AOL is a good example. AOL started filtering port 25 traffic and this has a dramatic effect on the security of their clients, the performance of their network and the overall safety of the Internet at large. Other ISPs are working on this too, like Bellsouth. These are the good ISPs who recognize that this simple solution can create a dramatic reduction in botnet propagation and spamming.

On the other hand, you still have many ISPs who don't seem to give a shit and are part of the problem. I'm not talking about the foreign ISPs... we know they're irresponsible. TDE, Brazil, China, Korea... it's easier to just wholesale block their IP ranges [blogspot.com] , but domestic ISPs like EARTHLINK and Verizon continue to be a major source of spam and botnet propagation.

Earthlink particularly annoys me because they constantly advertise how great they are at keeping spam and viruses out. Ironically, they are one of the largest sources of spam, phishing scams and worms in the United States. Thanks Earthlink! Get your fucking act together you morons. Take a few of those goddam leprechauns and pink unicorns you have hanging around and replace your existing IT staff!! Filter port 25 so we don't have to deal with spam, worms, system probes and wasted bandwidth from your badly-managed networks!

Filtering port 25 takes a lot of the incentive out of creating a botnet. Everyone who really understands the dynamics of the spam/worm problem recognizes this.
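The policy argued for in this post, as an added example that is not from the post or from any ISP: outbound TCP/25 from broadband address space is blocked, customers who run their own mail server are on an exemption list (the "request it be unblocked" case mentioned earlier in the thread), and blocked sources that fan out to many distinct mail exchangers are listed for customer notification. The address blocks, exemption list and flow records are all constructed; the thresholds and function names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed: the ISP's dynamic broadband customer address blocks
# (documentation ranges, not real allocations).
BROADBAND_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed: customers who asked for port 25 to be unblocked because
# they run their own mail server.
SMTP_EXEMPT = {"198.51.100.7"}

# Constructed outbound TCP flow records: (source, destination, dest port).
FLOWS = [
    ("198.51.100.20", "192.0.2.10", 25),   # broadband host -> remote MX
    ("198.51.100.20", "192.0.2.11", 25),   # ... and five more MXs: mass-mailing pattern
    ("198.51.100.20", "192.0.2.12", 25),
    ("198.51.100.20", "192.0.2.13", 25),
    ("198.51.100.20", "192.0.2.14", 25),
    ("198.51.100.20", "192.0.2.15", 25),
    ("198.51.100.7",  "192.0.2.10", 25),   # exempt customer's own mail server
    ("198.51.100.50", "192.0.2.10", 25),   # single direct SMTP: blocked, but no fan-out
    ("198.51.100.50", "192.0.2.80", 80),   # web traffic is never touched
    ("203.0.113.9",   "192.0.2.25", 587),  # submission to the ISP relay stays open
    ("192.0.2.200",   "192.0.2.10", 25),   # not broadband space (e.g. hosting): allowed
]


def in_broadband_space(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BROADBAND_RANGES)


def flow_verdict(src: str, dst_port: int) -> str:
    """Return 'allow', 'block' or 'exempt' for one outbound TCP flow."""
    if dst_port != 25 or not in_broadband_space(src):
        return "allow"          # only direct SMTP from broadband space is policed
    if src in SMTP_EXEMPT:
        return "exempt"         # customer-requested unblock
    return "block"


def scan_flows(flows, fanout_threshold=5):
    """Apply the policy to every flow and count distinct port-25 destinations
    per blocked source.  A source that tried at least `fanout_threshold`
    distinct mail exchangers matches the mass-mailing pattern and is
    returned as a candidate for customer notification."""
    verdicts = {}
    fanout = defaultdict(set)
    for src, dst, dport in flows:
        verdict = flow_verdict(src, dport)
        verdicts[(src, dst, dport)] = verdict
        if verdict == "block":
            fanout[src].add(dst)
    suspected = sorted(s for s, dsts in fanout.items() if len(dsts) >= fanout_threshold)
    return verdicts, suspected


if __name__ == "__main__":
    verdicts, suspected = scan_flows(FLOWS)
    for key, verdict in verdicts.items():
        print(f"{verdict:6} {key}")
    print("notify customers:", suspected)
```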

ISPs "Detect & Destroy"? (1)

BoRegardless (721219) | more than 8 years ago | (#14967353)

So why don't ISPs simply write software to allow them to detect and automatically disconnect BOTs?

Come on here. BOTs harm their systems, and they ought to be willing to put in the time to shut them off.

Then the end user of a BOT calls up, and the ISP says "Reformat and reinstall your OS with appropriate anti-baddy software or we won't let you use our ISP."

Yeah, I know, they want the fees, but they don't want the extra bandwidth use nor the problems, and if the major ISPs blacklist BOTs, how long before we get rid of most of them?

For out of the country BOTs, well I would imagine there has to be a way. I don't care to ever receive anything from anyone in Rwanda, Uganda, or even Russia.

Re:ISPs "Detect & Destroy"? (3, Informative)

99BottlesOfBeerInMyF (813746) | more than 8 years ago | (#14967624)

So why don't ISPs simply write software to allow them to detect and automatically disconnect BOTs?

Most major ISPs have software that can pretty much do that. I'm looking at some of it right now in another tab of my browser. The problems are operationalizing it so that it is not too expensive. The support costs for a couple hundred thousand calls asking why they've been shut off and how to go about fixing it and then confirming that it has been done would be very high. Maybe some big players could partner with another company. Get your PC cleaned, patched, and certified and we'll turn your internet back on. The problem with this is there are still a lot of old Windows boxes out there. No security patches are available. A new Windows OS is expensive and won't run on the machine anyway. So the ISP might save a little on transit, but they lose a boatload of customers and the steady revenue those customers provide.

Now some ISPs have plans to implement a notification of compromised machines with an automated system. It may help the problem and the ISP can bill it as a feature. But that is just one more escalation in the arms race. Next bots will be stealthy, mimicking other machines on the subnet, or just sending encrypted tunnels. Anyway, the short answer to your question is "money."
