
Spam-Bot Intrusion Caught — Now What?

Cliff posted more than 7 years ago | from the searching-for-peace-keepers-on-the-internet dept.

Spam 76

An anonymous reader wonders: "I've recently detected and halted an intrusion on my home computer, taken some actions to prevent further intrusions, and located the software that was running a bot agent. Cursory examination showed that the bot software is intended for acting as an agent for spamming. Configuration files distinctly point at the user/host/domain of several bot-herders — damning evidence. Nothing would please me more than to see this botnet caught and disassembled; I'm sure much of the internet-using community would support this. Thanks in advance for your suggestions. So, to whom should I disclose this information for appropriate investigation, follow up, and countermeasures?"


one word (5, Informative)

Jbcarpen (883850) | more than 7 years ago | (#18763397)

Spamhaus.

Re:one word (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18763477)

Yeah, report it to spamhaus. Then immediately after that, you can begin serving your six month no-internet sentence for letting your system become a spam zombie in the first place.

ATTN: SWITCHEURS! (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18763735)

If you wish Xcode would reformat your code for consistency, GTFO.
If you're overwhelmed by IB's multi-paletted interface, GTFO.
If you've ever typed a backslash outside of ASCII art, GTFO.
If you can't intuit your way from HyperTalk to AppleScript, GTFO.

Bandwagon jumpers are not welcome among real [imageshack.us] Mac [imageshack.us] geeks [imageshack.us] . Keep your filthy PC fingers to yourself.

Re:one word (-1)

Anonymous Coward | more than 7 years ago | (#18764685)

Screw Spamhaus. I'm sick of having emails bounced back because somebody's ISP is using their PBL 'feature'. It's essentially whitelisting. The result is false-positive hell based on zero evidence that they are making no attempt to clean up.

Re:one word (1)

cortana (588495) | more than 7 years ago | (#18765423)

If somebody's ISP is blindly rejecting mails due to nothing more than a positive Spamhaus hit then that's the fault of the ISP!

No accounting for idiots I guess! :(

Re:one word (2, Informative)

XenoPhage (242134) | more than 7 years ago | (#18765633)

If somebody's ISP is blindly rejecting mails due to nothing more than a positive Spamhaus hit then that's the fault of the ISP!
This is like discussing religion or OS preference...

What would you have ISPs do to stop spam? Spamassassin, properly tuned, does a decent job, but it doesn't solve the underlying problem. If an ISP allows *every* incoming connection and relies on spamassassin to detect and mark mail, then they have to ensure that there is sufficient storage for the spam. In most cases, the amount of spam incoming to a system is over ten times more than normal mail.

Using something like spamhaus helps out considerably because it does block a lot. Unfortunately, like every single other system out there, it has flaws. As with other approaches, the goal is to find a happy medium of sorts. The result is, however, that you can't please them all.

I've spent quite a bit of time on spam prevention for my own server and it's definitely not easy. I have about 5 tiers of spam detection at this point and, while it's catching about 99% of the spam, some still gets through. As a technically savvy user, I can deal with this and the level of detail required. For the normal ISP user, however, it's a different story. They don't have the technical know-how to tune their mail filters, nor do they generally have any interest in doing so.

So, until someone comes up with the perfect filtering system (which the spammers will likely adjust to within a few days), there's not much else to do. Personally, I don't have the time or money to deal with every single incoming spam and blocking some based on a well-known RBL is fine for me.

Re:one word (0)

Gr8Apes (679165) | more than 7 years ago | (#18766121)

There's really two parts to the solution to the spam issue.

ISPs are in a unique position to filter out the bulk of spam. They're apparently just too stupid to do so, which isn't surprising, considering what they pay their people. This could be a decent side job opportunity, so I'm not delving into this aspect any further.

The other half of the issue is the user email client. If email clients would use whitelists to segregate known good mail from the general load of crap automatically, that would be a huge step forward. The client would have a "general inbox" and the default inbox. The default inbox is where everyone in your address book or anyone you've ever sent an email to (second tier contacts in your address book) emails would reside. The "general inbox" would be for untrusted email.

Additional features on the client side obviously involve significantly enhanced address book features that would divide your contacts into multiple tiers, perhaps even with automatic expirations to remove sent-to people. I'm sure MS is capable of doing something like this, but the UI would probably suck to hell and back.

Re:one word (1)

networkBoy (774728) | more than 7 years ago | (#18767381)

Block port 25.
Done.

My ISP does this by default, and I sure noticed when they did as I could no longer reach my mailserver. A (not so) quick call to support got the port re-opened, but there is no reason why you can't have a block on port 25 by default and open it on request. 99.9% of home internet users would likely never notice.
-nB

Re:one word (1)

Kazoo the Clown (644526) | more than 7 years ago | (#18774845)

ISPs are common carriers and as such have no business filtering ANYTHING. If they filter they will eventually become liable for misfiltering-- someday we should be able to depend on email as a secure (encrypted) and reliable channel, where ISPs won't even have access to the content, and anyway ISPs should simply get out of the censor & protect stupid users from themselves business. Get a decent spam filter for your mail client and shut the **** up about Spamhaus and other misguided RBL con games.

Re:one word (1)

Gr8Apes (679165) | more than 7 years ago | (#18782839)

That's another issue. I don't mind if you can opt in/out for a spam filtering service. It would certainly help people like my parents.

I agree with the improved client, but as long as MS Outlook (express) is the target (and yes, that includes Thunderbird) I'm not very hopeful about email. I also very much agree with secure channels, and that email alone makes mail trusted, as how could they encrypt if they didn't have a key. I've actually thought about something along this line for a while, but it's a tedious problem to solve. It can be solved, but with email clients being essentially free, there's little to no motivation to solve it.

As for spam filtering - reread what I wrote before you sling ****'s.

Re:one word (1)

yuna49 (905461) | more than 7 years ago | (#18770077)

I block a lot of mail at the SMTP level (about 40% of attempted connections), but I never use RBLs to accomplish this. Mostly I maintain an ever-growing list of IP blocks and reverse domains that routinely send spam. Where I do use RBLs is at the SpamAssassin level. Being listed on an RBL gives a message a big SA score boost here, but typically not enough per se to have that message get tagged unless it has one or more additional spammy features. Avoiding false positives (tagging legitimate mail as spam) is a serious no-no if you're filtering mail for others.

I still get legitimate messages that run afoul of the SMTP rules from time to time. Usually these are people who violate my "no mail from someone@aol.com unless it comes from a server named *.aol.com" type of rules. They're the ones who configure their home email client to send a message over their cable ISP's server with a From address in aol.com. If only we could educate people on the value of the "Reply-To" header....
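The SMTP-level rule yuna49 describes ("no mail from someone@aol.com unless it comes from a server named *.aol.com") as working code, added here as an illustration rather than anything from the thread or from yuna49's setup. It generalises the rule to a table of domains, passes the connecting host's reverse-DNS result in as data so it runs offline, and covers the two edge cases such a rule needs: a null sender (bounces carry no domain to check) and a connecting host with no PTR record. The domain table, hostnames, addresses and the contact URL in the rejection text are constructed placeholders.

```python
"""Added example: SMTP-time check that mail claiming a given sender domain
arrives via that provider's own servers. Not from the thread."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed policy table: sender domain -> DNS suffixes its mail must come from.
# 'aol.com' is the post's example; 'example-isp.test' is a constructed entry.
STRICT_SENDER_DOMAINS = {
    "aol.com": ("aol.com",),
    "example-isp.test": ("example-isp.test",),
}

# Placeholder URL for the "how to report a blocking error" text the post mentions.
CONTACT_URL = "https://mail.example.test/blocked"


@dataclass
class SmtpAttempt:
    client_ip: str
    client_rdns: Optional[str]   # None when the connecting IP has no PTR record
    mail_from: str               # the MAIL FROM reverse-path, e.g. "<bob@aol.com>"


def sender_domain(mail_from: str) -> str:
    """Domain of a MAIL FROM address, lowercased; '' for the null sender '<>'."""
    addr = mail_from.strip().strip("<>")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def host_in_domain(hostname: str, domain: str) -> bool:
    """True if hostname is domain itself or a subdomain of it.
    Matches on whole labels, so 'mx.notaol.com' does not satisfy 'aol.com'."""
    h = hostname.lower().rstrip(".")
    return h == domain or h.endswith("." + domain)


def check_attempt(a: SmtpAttempt) -> Tuple[str, str]:
    """Return ('accept' | 'reject', reason) for one delivery attempt."""
    dom = sender_domain(a.mail_from)
    if dom == "":
        return "accept", "null sender (bounce); no domain rule applies"
    allowed = STRICT_SENDER_DOMAINS.get(dom)
    if allowed is None:
        return "accept", f"no server rule for {dom}; hand to content filtering"
    if a.client_rdns is None:
        return "reject", f"{dom} sender from {a.client_ip} with no reverse DNS"
    if any(host_in_domain(a.client_rdns, d) for d in allowed):
        return "accept", f"{dom} sender relayed by {a.client_rdns}"
    return "reject", f"{dom} sender relayed by {a.client_rdns}, not under {allowed}"


def smtp_reply(verdict: str, reason: str) -> str:
    """SMTP reply line for a verdict; the 550 text tells a real sender how to reach us."""
    if verdict == "accept":
        return "250 OK"
    return f"550 5.7.1 {reason}; if this is an error see {CONTACT_URL}"


def classify_all(attempts: List[SmtpAttempt]) -> List[Tuple[str, str]]:
    return [check_attempt(a) for a in attempts]


# Constructed sample session data (documentation-range IPs, invented hosts).
SAMPLE_ATTEMPTS = [
    SmtpAttempt("10.0.0.5", "mta-out.aol.com", "<alice@aol.com>"),                     # legit relay
    SmtpAttempt("203.0.113.7", "cpe-203-0-113-7.cable.example.net", "<bob@aol.com>"),  # post's case
    SmtpAttempt("198.51.100.9", None, "<carol@aol.com>"),                               # no PTR
    SmtpAttempt("192.0.2.4", "mx.notaol.com", "<dave@aol.com>"),                        # suffix trap
    SmtpAttempt("192.0.2.8", "mail.somebusiness.example", "<eve@somebusiness.example>"),  # no rule
    SmtpAttempt("203.0.113.7", "cpe-203-0-113-7.cable.example.net", "<>"),              # bounce
]

if __name__ == "__main__":
    for a, (verdict, reason) in zip(SAMPLE_ATTEMPTS, classify_all(SAMPLE_ATTEMPTS)):
        print(f"{a.client_ip:<14} {a.mail_from:<28} {smtp_reply(verdict, reason)}")
```

The cable-modem case is the one the post describes (a home client sending through a cable ISP's relay with an aol.com From); it is rejected before any content filtering runs, which is the point of doing this at the SMTP level. The no-PTR case is rejected too, since a strict domain cannot be proven from a host with no name; a deployment that wants to be gentler can return a 4xx there and let a real server retry.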

Re:one word (1)

DrZaius (6588) | more than 7 years ago | (#18776539)

Actually you should probably have SpamAssassin use SPF and DKIM instead. It's actually designed to do stuff like "no mail from someone@aol.com unless the SPF record says their sending IP is allowed to". Plus, the ISPs configure it so you don't have to. It's an industry standard.

Spamassassin has all that stuff built into it already. You may need to install some SPF and DKIM perl modules.

Re:one word (1)

yuna49 (905461) | more than 7 years ago | (#18782293)

I do use those as well. I'd just prefer not to have to process mail through SA that I can drop at the doorstep. Getting an email from some cable internet host in a foreign country that alleges to be from aol.com is pretty much a dead give-away that it's not legitimate. For the few times when such messages are real, the bounce message we send in reply gives instructions on how to contact us and report an error in blocking. This happens at most once or twice a month.

As for SPF, yes it might be an industry standard, but many, many domains do not have SPF implemented. Most of our traffic is with businesses that run their own servers, not large ISPs. Most of those places don't have SPF implemented.

Virginia Tragedy (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18763445)

I guess it's time to repeal the second amendment, huh? ;)
Anyone who doesn't support gun control shares responsibility for this tragedy. Libertarians, Republicans- you all have blood on your hands today, every single one of you.

We will win in 2008, and you will lose your guns. And there isn't a damn thing you can do about it

:)

Re:Virginia Tragedy (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18763721)

And there isn't a damn thing you can do about it
Except use our guns.

Try it.

Re:Virginia Tragedy (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18763829)

You asshole, the very people you're depending on for '08 LIKE GUNS.

I'll go ahead and bite. Gun grabbers are the reason why the Virginia campus was a gun free zone, meaning that CCW holders had to leave theirs at home, and were completely defenseless when the shooter showed up. Gun grabbers are why the majority of the students were legally prohibited from purchasing and carrying a means of stopping that violence because they weren't 21.

Have you considered the real world results of banning guns? Even if every gun in the world was magic'ed out of existence, and all manufacturing of firearms was banned, guess how long it would take for all of the private metal shops in the world to make more? Guess how much having a monopoly on firearms is worth? How much more in taxes are you willing to pay for the armouries necessary to keep all law enforcement firearms safe and out of criminal hands? How much of a paycut are you willing to bear from the sudden influx of unemployed gun shop, factory, range, employees who would be out of work? Where will the money come from for enforcement? What are the citizens of a small town supposed to do if a police force decides to hold their entire town hostage at the county fair? What am I supposed to do if I come home to a man raping my wife with a chef's knife in hand? What am I supposed to do if I see you getting mugged by a gang armed with baseball bats and hammers?

The violent crime rate, and prison population would actually go up due to the steroids shot to the illegal arms dealing industry and the remaining constant of demand for death fueled by overpopulation and poverty.

You just don't get it. Gun control is a knee jerk reaction with no connection to reality. You don't know the facts, and you have no real world experience to support your beliefs. I've been friends with the types of people you're scared of, and I'll tell you, gun control is the least of their concerns. Possession and distribution charges aren't very high on their list either. They are more scared of their clients than the law, and are more scared of market prices than legality. They've been walking around the fences you want to reinforce for decades, and their worst nightmare is the lack of fence.

Gun control is like trying to wrap jello in rubber bands because you want the jello to disappear.

Re:Virginia Tragedy (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18763839)

You're a goddamn douchebag. i'm a liberal (civil, non-democrat), and i'm keeping my guns. Mostly to keep whackjob partisans at bay - whether they be raging "every man for himself, might makes right" republicans and libertarians or "gun violence and other social problems will just magically go away if we say they're illegal" democrats. you're all a bunch of assholes.

peace to those injured and dead today. i weep for them.

fuck you for trying to make it political.

(/me takes the troll bait hook line and sinker.. sigh)

Re:Virginia Tragedy (0, Flamebait)

penp (1072374) | more than 7 years ago | (#18766379)

[quote]We [b]will[/b] win in 2008, and you [b]will[/b] lose your guns. And there isn't a damn thing you can do about it[/quote] And criminals [b]will[/b] still, well, be criminals and obtain weapons illegally. Banning guns won't stop crime committed with guns. This tragedy (my heart goes out to all of those affected by it) is an example of this. I'm a liberal, and I don't even own a gun, and I still see gun control as a stupid idea to control a bigger problem. And you're not helping the bigger issues here by trying to push your own agenda against guns by using a tragedy like this. Nothing to see here, off topic.

Re:Virginia Tragedy (2, Funny)

Anonymous Coward | more than 7 years ago | (#18766809)

[quote]We [b]will[/b] win in 2008, and you [b]will[/b] lose your guns. And there isn't a damn thing you can do about it[/quote] And criminals [b]will[/b] still, well, be criminals and obtain weapons illegally. Banning guns won't stop crime committed with guns.
So instead you're advocating a ban on angle brackets?

Re:Virginia Tragedy (0)

Anonymous Coward | more than 7 years ago | (#18766397)

You are an idiot. Fuck you.

Re:Virginia Tragedy (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18801037)

"Laws that forbid the carrying of arms . . . disarm only those who are neither inclined nor determined to commit crimes . . . Such laws make things worse for the assaulted and better for the assailants; they serve rather to encourage than to prevent homicides, for an unarmed man may be attacked with greater confidence than an armed man."
-- Thomas Jefferson, 1764

"This year will go down in history.
For the first time, a civilized nation has full gun registration.
Our streets will be safer, our police more efficient, and the world will follow our lead into the future."
-- Adolf Hitler, 1935

Hmm, let's learn from the mistakes of the past and not repeat them.
Besides if you do take my guns and knives, I can still beat you to death with a rock.
Just try to outlaw rocks, go ahead.

We could always... (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18763473)

...you know. /. it.

Re:We could always... (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18763637)

I know not of this "dot slash dot" of which you speak.

Install linux. (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18763555)

There, now that we got that out of the way . . .

Places to report to... (5, Insightful)

caitriona81 (1032126) | more than 7 years ago | (#18763565)

1) Don't contribute to the problem. Attacking botrunners directly, or vigilante action doesn't help, and may actually be harmful - by teaching them how to build better drones. See http://fm.vix.com/internet/security/superbugs.html [vix.com]

2) As for US gov't agencies, if you or the attacker seem to be in the US, http://www.ic3.gov/ [ic3.gov] is likely to be interested. http://www.cert.org/csirts/national/contact.html [cert.org] can also put you in touch with national computer security incident response teams, who will also be interested (you only need to contact the one local to you, please don't shotgun complaints to all of them.)

3) As for private companies and research organizations, if the bot isn't already clearly and specifically detected by antivirus, report it to them, following their reporting guidelines. Shadowserver (http://www.shadowserver.org) seems to be interested in researching and gathering intelligence on botnets also.

Re:Places to report to... (5, Interesting)

Anonymous Coward | more than 7 years ago | (#18763655)

Attacking botrunners directly, or vigilante action doesn't help

The spirited attack on and destruction of Blue Security [securitylandlives.com] and the spam flood that followed, does not support that assertion. Somebody wanted them gone badly, for a reason.

Re:Places to report to... (4, Interesting)

caitriona81 (1032126) | more than 7 years ago | (#18763993)

I should probably rephrase and clarify, attacking them directly without legal action to back that up is bad - ie, if you are going after a bot runner, it needs to be in a manner that not only takes away their toys, but also puts them in jail, for a long period of time. If you can't take away their freedom in the process, then you aren't doing us any favors by teaching them how not to get caught -- botnets, and their means of control get more and more sophisticated, with overall trends towards plausible deniability and robust survivable command and control networks, designed to either resist attack, or be reconfigured after the fact to retain control of compromised hosts.

This is a far cry from when botnets were controlled "in the open" on public IRC networks - the kiddies are clearly learning something with each iteration, and they are sharing that knowledge amongst themselves. Also of note is more use of packers, executable encryption and anti-debugger routines, which were completely absent from early botnet executables. Use of rootkits, as well as secondary backdoors (to regain access after the system owner detects the intrusion) are also on the rise.

Re:Places to report to... (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#18764469)

If you goddamn people keep on insisting on locking people up for causing an inconvenience, then I'm going to help teach them how not to get caught. Screw all you vengeful sons of bitches. I hope you get locked up for gliding through a stop sign, you stupid prick you!

Re:Places to report to... (0, Offtopic)

Nova1313 (630547) | more than 7 years ago | (#18765461)

People get pulled over for that all the time. Jersey stopping :) They get punished. So should these people. From behind, nightly from behind bars. So I would be more than happy if these people got screwed. It's a fitting punishment.

Re:Places to report to... (0)

Anonymous Coward | more than 7 years ago | (#18830785)

Yes, well I hope you, too, get caught in their next fishing expedition, because your name closely matches the nasty spammer's. Then we'll see what size fits in your hole. You people are sick. Be grateful that there is no justice in this life. I guarantee you, people like you wouldn't like it. Damn all of you to hell!

Re:Places to report to... (4, Funny)

tacocat (527354) | more than 7 years ago | (#18764809)

I disagree. If you could determine the physical location of such bot herders and disclose that to the internet at large, I'm sure that there would be a final solution applied that people would be willing to turn their backs on. Especially if you could post photographs, names, and physical addresses.

Re:Places to report to... (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#18764973)

I find it ironic that your post too is spam. Just a Microsoft advertisement. Please stop. Mod parent down.

You could always try private sector... (4, Informative)

BinarySkies (920189) | more than 7 years ago | (#18763571)

There is an organization, ShadowServer (www.shadowserver.org if I recall right) that specializes in mucking about with Botnets. They'd probably have the right contacts and such to deal with that.

Re:You could always try private sector... (1)

plover (150551) | more than 7 years ago | (#18766459)

Shadowserver [shadowserver.org] is a group of security researchers that study malware. They actually encourage people to report new incidences of malware to their anti-virus vendors. I don't know if they accept direct submissions of malware, they're kind of a low-profile group. I think if they took submissions directly in any way, the botherders would probably flood them big time. But I don't know, you can try.

Note that they don't actually "do anything" to the botnets. They study them and gather information, but they leave the actual response to law enforcement.

Re:You could always try private sector... (1)

MentalRuin (927884) | more than 7 years ago | (#18793991)

What about the various organizations that run honeypots? They specifically set up computers to be infected by these bot-nets in order to investigate how they propagate and eventually get rid of them. I'm not sure if these organizations pursue prosecutions, but disbanding the bot-net is more important than prosecuting a Russian hacker.

As an aside: How did you detect the infection?

I would think that ALL of the various A/V companies would be interested in your findings, as well.

In Soviet Russia... (1, Funny)

Anonymous Coward | more than 7 years ago | (#18763621)

Spam-Bots catch you!

Re:In Soviet Russia... (1, Funny)

Varun Soundararajan (744929) | more than 7 years ago | (#18763751)

assuming he is in the US, here too the SpamBot has caught him. Do you mean that we then live in Russia?

--
No sig

Re:In Soviet Russia... (2, Insightful)

Opportunist (166417) | more than 7 years ago | (#18765399)

You can leave the "Soviet" out of this sentence to actually make it true...

What actions? (5, Insightful)

dbIII (701233) | more than 7 years ago | (#18763623)

Were the actions to install from scratch on a new disk / take a disk image to look at later + reformat + reinstall / poke around for a bit with the thing not on the network before reformat + reinstall / rely on external sources for info and just wipe the thing / or did you take the common and lazy approach now of just fixing the obvious damage and hoping the rest of the system is not compromised? The real pain is you can't even trust the backups in some cases especially if the people responsible for the machine ignore it most of the time - it may have been rooted for a while.

Preaching to the converted here but I'm amazed how many people do not realise that an owned computer is exactly that - there is nothing at all you can trust absolutely so you have to look at what is on the disk with something else and have to wipe it and start again. On *nix script kiddies love to put things in unexpected spots in the init scripts like in /etc/init.d/functions or the equivalent, or replace things like ntpd that you expect to talk to the outside world - so they would have control well before you get a shell. Some linux rootkits changed the generally useless ext2/ext3 file attributes in a cute effort to make cleaning up harder for those prone to try - it made it trivial to find their stuff because it would be the only thing on the volume with attributes set. Even then you can't trust that is all they did - it's just an obvious sign that you cannot trust anything on the machine.
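The attribute trick dbIII mentions, as a small Linux-only scan added here for illustration (it is not dbIII's code and not from the thread): it walks a mounted volume and lists every file or directory carrying the immutable or append-only inode flag, which is the same query `lsattr` makes via the FS_IOC_GETFLAGS ioctl. As the post says, run it from something other than the suspect system (a live medium with the disk mounted read-only), since the suspect's own `lsattr`, `ls` and kernel cannot be trusted. The ioctl number and flag bits are the x86_64 Linux values from linux/fs.h; on a filesystem that does not support the ioctl (tmpfs, overlayfs) the probe returns None and the path is skipped rather than misreported.

```python
"""Added example: find files on a volume whose ext2/3/4 inode attributes
(immutable 'i', append-only 'a') are set, the way lsattr would. Not from the thread."""
import array
import fcntl
import os
import stat
import sys
from typing import Iterator, List, Optional, Set, Tuple

FS_IOC_GETFLAGS = 0x80086601   # _IOR('f', 1, long) on 64-bit Linux (32-bit uses 0x80046601)

# Inode flag bits from linux/fs.h; letters match lsattr's output.
FLAG_BITS = {
    0x00000001: "s",   # FS_SECRM_FL
    0x00000002: "u",   # FS_UNRM_FL
    0x00000010: "i",   # FS_IMMUTABLE_FL: cannot be written, deleted or renamed
    0x00000020: "a",   # FS_APPEND_FL:    may only be appended to
    0x00000040: "d",   # FS_NODUMP_FL
    0x00000080: "A",   # FS_NOATIME_FL
}
SUSPICIOUS = {"i", "a"}   # the two a rootkit uses to resist removal


def decode_flags(raw: int) -> Set[str]:
    """Map a raw flag word to lsattr letters; unknown bits are ignored."""
    return {letter for bit, letter in FLAG_BITS.items() if raw & bit}


def read_flags(path: str) -> Optional[int]:
    """Raw inode flags of a regular file or directory, or None if the path cannot
    be opened or its filesystem does not implement FS_IOC_GETFLAGS."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_NOCTTY)
    except OSError:
        return None
    try:
        buf = array.array("l", [0])          # kernel writes a long into this buffer
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf, True)
        return buf[0]
    except OSError:
        return None
    finally:
        os.close(fd)


def _same_fs(path: str, dev: int) -> bool:
    try:
        return os.lstat(path).st_dev == dev
    except OSError:
        return False


def scan(root: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (path, letters) for every file or directory under root with an
    immutable or append-only flag. Stays on root's filesystem and never follows symlinks."""
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if _same_fs(os.path.join(dirpath, d), root_dev)]
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
                continue
            raw = read_flags(p)
            if raw is None:
                continue
            letters = decode_flags(raw)
            if letters & SUSPICIOUS:
                yield p, sorted(letters)


if __name__ == "__main__":
    # Usage: python3 attrscan.py /mnt/suspect   (run from a clean boot medium)
    for path, letters in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{''.join(letters):<6} {path}")
```

A legitimate system normally has very few immutable or append-only paths (some distributions mark nothing at all), so the output is short enough to read by hand; anything unexpected under /etc, /usr or /lib is the kind of sign the post describes, and, as it also says, finding it only tells you the machine cannot be trusted, not that you have found everything.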

Re:What actions? (1)

lordmage (124376) | more than 7 years ago | (#18772607)

When this happened to my wife's computer I in turn locked out port 25 from her computer going out since I have an internal mail computer already. I also completely formatted her drive and she is now using linux.

She hates it but I could not trust her computer at all anymore.

All she ever does is yahoo mail, popcap games, and surf internet sites. The bot got on there and it was so well hidden only way I noticed was huge traffic on my router and you can see it going to certain sites and downloading the "tasks" for the computer.

I was wondering why downloading my porn was so slow.

Law enforcement comes to mind first (1)

jahurska (883728) | more than 7 years ago | (#18763635)

I would contact local law enforcement first, as they would probably know if there is any possibility of legal action. Also some law enforcement agencies have departments dedicated to cybercrimes and IMHO the best way to contact those would be through local law enforcement. Be sure to inform them that your computer was hacked or broken into, so that the incident is not mistaken for regular spam email.

If that fails (maybe because law enforcement does not have enough manpower to deal with it), then posting all information that you can find to a security oriented forum probably would incite some action. Problem is that with that approach the actual perpetrator probably will go free to create another bot-net.

In either case I would be interested on hearing how things progress.

Re:Law enforcement comes to mind first (1)

Anonymous Coward | more than 7 years ago | (#18763727)

I have yet to see the police do anything about computer crime. There has to be a major incident before things change as I see it.

Re:Law enforcement comes to mind first (2, Insightful)

Opportunist (166417) | more than 7 years ago | (#18765409)

Don't make me laugh. Law enforcement usually looks at you with a rather blank stare and says something along the lines of "And ... what should we do now about it?"

It's not that the nets would be unknown. Every security researcher worth his salt has a fairly good idea where those botnets are and how they work. The problem is, nobody with the legal muscle to do anything about it would care.

Call the police of course (0)

Anonymous Coward | more than 7 years ago | (#18763639)

Well, I suppose calling the police won't help as much if the attack didn't originate from your country. But to start, I would suggest gathering as much information as possible and forwarding it _inline_ in an email message that gets sent to a level of government you feel most comfortable dealing with (ie: local, provincial, federal), and CC'ing the message to the authorities in the country to which the IP address of the machine that attacked you belongs.

This will probably help things go along faster since you are publicly (and don't blind CC) connecting the authorities of both countries. And I advise you paste your research in a basic text only format initially inline in case the attachment flags the virus as spam or similar at the MTA level. At least if you get initial contact with the police, they can then instruct you where to send data files for things like packet captures after initial contact.

PS - Don't forget to be thorough, like in a court of law/Judge Judy thorough ;) (ie: date/time etc)

forward it! (0, Redundant)

Magic Fingers (1001498) | more than 7 years ago | (#18763643)

you can safely forward it to me.

Pecking order (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#18763763)

Firstly, you check with your local IT department.

If no IT, check with SANS mailing list or cve.mitre.org for general characteristics

If you were leet enough to run an IPS/in-line SNORT, check your PCAP trace against the SNORT signatures.

If you got debugging skills, break the code down

If you've done them all, contact the incident handlers over at http://isc.incidents.org/ [incidents.org] with your 15-page dissertation.

Once done, your hat has gotten whiter.

Name and shame (3, Interesting)

Anonymous Coward | more than 7 years ago | (#18763797)

How did you get the infestation? What did you download?

Re:Name and shame (1)

pookemon (909195) | more than 7 years ago | (#18764219)

It was probably just something that came down "accidentally" from one of those pr0n sites...

"Oh golly me, how did that happen..." ;)

Publicity (2, Insightful)

Debug0x2a (1015001) | more than 7 years ago | (#18763847)

Once they are reported to the proper authorities, make it public here what are signs of your computer being a zombie to them. Get as many people OFF of the botnet you can, and seeing as there are probably plenty of IT guys here, you may be able to get others to uncover more information about the spammers.

contact the ISP/registrar (4, Interesting)

sp1n (99710) | more than 7 years ago | (#18763875)

You have the bot herder address. To do the most "damage", get it shut down. Contact the ISP abuse department who hosts it. If there's a DNS name, also contact the ISP hosting the authoritative DNS zone and possibly the registrar, who may elect to terminate the domain. If you don't get a response from the ISP, contact their upstream provider(s) (if a smaller Tier 3 ISP).

Whois is your friend.

Re:contact the ISP/registrar (3, Insightful)

bernywork (57298) | more than 7 years ago | (#18764941)

Fantastic. Get the person's account shut down, like most people these days, who have multiple domains, internet links and everything else, he will be offline for what? A couple of hours? You're just going to piss him / her off.

No, the best thing to do here is kill the whole problem. All the machines in the botnet need to be cleaned and updated so that they don't get re-infected, otherwise they will get taken over by someone else (Yes, I know most people when they infect a system DO update it so that someone else can't take over, but they leave back doors). The person running the botnet needs to see the beak (Judge). It might be that the beak decides that a slap on the wrist is the appropriate action, but I think just cutting off one point of access / control of a bot net which I am sure that they have other control over is just silly.

Re:contact the ISP/registrar (1)

Nimey (114278) | more than 7 years ago | (#18766135)

Spammers tend to buy "bulletproof" hosting that will ignore takedown requests.

I say we lift off and nuke the site from orbit. It's the only way to be sure.

Re:contact the ISP/registrar (2, Informative)

mandelbr0t (1015855) | more than 7 years ago | (#18774265)

Usually you won't get anything from the ISP. I start with ARIN [arin.net] and move to RIPE, APNIC as the search suggests. I run into one of two scenarios:

1) There is a properly listed contact for abuse reports to whom I send the complete relevant log entries in text format. I usually don't hear from them again, but I also don't see any further network abuse from that netblock owner.

2) The owner of the IP block is a complete and utter joke. Examples: they don't correctly configure their reverse DNS, so they will claim that you have the wrong IP address, they list an abuse contact that doesn't speak English, they send spam in reply to your abuse complaint (that actually made me laugh for a moment). In this case, you also won't hear anything, but you should probably go to the effort of banning such an irresponsible network at your firewall.

Generally you won't hear anything. You won't know if someone has seen or acted on your complaint. Just think of how many network abuse complaints a large, responsible network would have to deal with daily. There's also dozens of fly-by-nights that make it clear that they won't make their network behave no matter how much you complain.

Surprisingly, I've found that larger netblock owners are quite responsible. A threat to block their entire netblock at your firewall is an effective one, easy to carry out and perfectly justified. Just be sure to remove the block if they show that they have fixed your complaint.

Run Linux (1, Insightful)

SpaceballsTheUserNam (941138) | more than 7 years ago | (#18764095)

someone had to say it.

Rule 1 (0, Troll)

thegrassyknowl (762218) | more than 7 years ago | (#18764553)

Learn from your mistake. You got a spambot because you messed up your 1337 sysadmin skills. You need to figure out what you did wrong and how not to do it again.

Then, you need to stay on top of security issues. You appear to run Windows so you'll have to work 10x as hard to do that. Windows is a big steaming pile of goat shit when it comes to security. All the sh1t that MS claim protects you does nothing more than inconvenience normal users and slow their boxes down to buggery.

You're not likely to catch em so don't bother. Make some notes and learn for next time!!!

Depends on the country (1)

tacocat (527354) | more than 7 years ago | (#18764833)

The appropriate action probably depends on the country you are in and the country hosting the herders.

From a list of things to be done, I would contact the ISP last. They will probably contact the perpetrators directly and remove them from service, but that will do nothing to take them out of circulation. That requires something more. Alternatively, you might ask your ISP for advice on how to proceed. But make your intentions clear to them. They might not have a clue what you've captured.

Use your government (5, Funny)

tigersha (151319) | more than 7 years ago | (#18764889)

Easy.

Hack into the US Navy weapons control website.

Search for a file called "city-coords.txt".

Find out what the lat and long is of the spammer.

Change the line "Al Queda Base 4:xxx" to reflect the new coordinates.

Dress as Osama and make a press release with a big "Base 4" sign behind you. Use a good make-up artist if you want.

Two days later and BAM!!! the spammer is gone. Your tax dollars at work for you!

Re:Use your government (2, Funny)

WrongSizeGlass (838941) | more than 7 years ago | (#18765101)

Um ... I think you forgot "Profit!".

Re:Use your government (1)

Opportunist (166417) | more than 7 years ago | (#18765427)

Who cares about profit when a Spammer dies? You have to see the global picture.

Tststs, always those little minds who only care about their personal gain, when the well being of the whole population is at stake. Ask what you can do for your country and all that shit, you know...

Re:Use your government (1)

Debug0x2a (1015001) | more than 7 years ago | (#18809527)

Also forgot ???

Re:Use your government (0)

Anonymous Coward | more than 7 years ago | (#18765183)

Two days? Like the US government could get a bomb onto a reported Osama location THAT quickly. =V

Re:Use your government (1)

Khakionion (544166) | more than 7 years ago | (#18765195)

So far, that's the best Iraq Strategy I've heard all year.

"An anonymous reader wonders...." (0)

Anonymous Coward | more than 7 years ago | (#18764951)

Yeah, right! C'mon Cliff, tell us what sites you were cruising when the bot got downloaded ;-)

config files (0)

Anonymous Coward | more than 7 years ago | (#18765065)

Do bots have clear-text configuration files?
Or were you just running nslookup/whois, ... on the connections the bot made?

The sad answer: Nothing (2, Insightful)

Opportunist (166417) | more than 7 years ago | (#18765451)

Clean your computer and go on with your life. Everything else is a waste of precious time, energy and nerves.

What could you do? You could inform your local law enforcement. Which will invariably end up in a file cabinet within moments because they have no clue how to deal with it.

You could go a step higher and contact your country's equivalent of some sort of "internet police". Most countries have that today. They will look at the info, find out where the spammer sits and depending on where he sits it goes different roads. Either he is in a country within reach, i.e. your country or one where Interpol/Europol actually has some muscle. In this case, they will maybe even go through the hassle of dealing with the provider hosting the spam controller, and within 2-3 weeks they finally got all the papers necessary to shut the machine down. A day later, the spammer opens up a new one and the party continues.

If the machine is somewhere in Russia, far east or some country ending in -stan, nothing is being done and it just continues from the same machine.

The spammer himself (or rather, the individual registering the server) is invariably sitting in some of the countries mentioned in the previous paragraph and thus untouchable anyway.

In short, the best you can achieve is to annoy a spammer. Just in case the server switch wasn't due anyway because you can only use a spam controller for a certain amount of time before the ISP gets interested and starts to "persuade" you to move.

Was in similar situation (3, Informative)

mattr (78516) | more than 7 years ago | (#18765555)

I had my own server broken into for the first time, wasn't a botnet but a Bank of America style phishing site. I discovered it when trying to make a subdomain with the control panel didn't work right. The provider said they cleaned some out but couldn't be sure and then in fact I found the servers myself, in /root and /tmp disguised as other files. I mailed Yahoo and Google since both had email addresses being used, and told the ISP. Guess what? I got no response from Google, and none from the ISP (they totally suck too, I've been down for a month after being told to erase the disk and they upgraded me - to Fedora Core 2! - and are so incompetent it is not even usable anymore. So I'm changing to a better managed hosting company rsn.)
I did get a thank you from Yahoo. But the first one was clueless, ignoring the content of my letter. I got a second one from them saying thanks, but that they couldn't accept attachments, so I couldn't send them the proof.

At any rate, what I did is erase the disk, restore from backup and some checked files, and lose a lot of time. There is probably little more you can do than simply report to one of the links below that you have a botnet address then as quickly as possible erase it.

I also found a number of commands changed in /bin however I couldn't tell if it was the crackers or the isp who did that. It was running out of date software, and though they failed lots of ftp login probes it looks like they got in through an out of use user's login somehow and promoted to root.

Moral of the story? If you use a managed hosting service, keep a FULL backup locally. Run tripwire or something similar, I will from now on. Use a hosting service that is not completely clueless. Do not try an upgrade or anything afterwards. Have a portable hard disk you can use - my ipod was very useful. The most annoying thing was having to spend lots of time on the phone with admins, and having my email and website hanging in the air. The answer is to immediately cut all your losses, get another system maybe on another provider. Possibly you could even do this with a local machine and dyndns temporarily but if you're busy the last thing you have time to do is mess with crooks. Best thing that came from it is I discovered several other hosting companies from friendly clients who helped me get my jobs done.

Re:Was in similar situation (3, Informative)

bleh-of-the-huns (17740) | more than 7 years ago | (#18766579)

Yahoo and Google etc. are not clueless, just overworked. I have worked security for large ISPs, UUNET (prior to MCI getting involved), AOL Time Warner, and a couple of others. They get far too many complaints to be able to respond to each, so you are lucky if you get an autoresponse, but don't expect them to contact you, there is just no time for it. The attachment problem is due to the fact that in many cases, complaints are placed into a tracking system, so instead of an attachment, you end up with uuencoded text; it's a pain to have to reassemble that manually for every complaint, and if you hit up the security pages of those websites, they clearly state not to use attachments.

Unless the botnet has caused more than $5k in proven damages, with tangible evidence, law enforcement will not get involved. This is at the federal level; not sure about state and local, as they rarely deal with cyber crimes of this type, they prefer to deal with cyber stalking and threats to individuals in their localities. If you must report a botnet, report it to US-CERT (run by DHS); they may not be able to get to the root if it's in one of those countries listed, but they can research it, and they are capable, and if something can be done, it will be done in the background.

Re:Was in similar situation (1)

mattr (78516) | more than 7 years ago | (#18794363)

Thanks for your insight. I would value it as $5000 dollars lost but that is tough to prove, except for about $200 of telephone calls. The attachment problem is interesting, it sounds like someone needs an open source package so people can add this kind of functionality. I didn't even receive an automated response from Google, though.

As recent threads have noted it pays to spam, which is why this has grown into such a sophisticated industry. It almost (not quite?) seems like spending that time taking revenge on the phisher is more useful.. wouldn't google and yahoo (if they could get around liability) prefer to distribute a tool that admins could configure to drive a spike into hosts that deliver this junk? It's a matter of time...:) I can hope at least that there is an intelligent and calm triage process that is able to neutralize the most heinous incidents. Maybe they could teach ISPs something. My replacement server came with no iptables turned on and without even a compiler I could use to install some security software.

You can try law enforcement, but... (1)

Roadkills-R-Us (122219) | more than 7 years ago | (#18770927)

...don't get your hopes up.

A few years ago I installed a new release of a major vendor's OS. Unbeknownst to me, they had gone from a default secure model to a default open model. Before I finished checking out the security, someone had hacked in, installed a rootkit, and was using my system to attack a major financial institution. Their security guy contacted my ISP who contacted me. I yanked the ethernet cable, tracked everything down, saved the evidence (logs, binaries, etc), finished tightening the security, and hooked back up. I sent email to the financial firm's IT guy, and called the FBI's group responsible for such things. Neither ever bothered to get back to me. Maybe they got the guy anyway, but as far as I could tell, they just weren't going to bother.

Just to hit that nail on the head a last time (1)

pruneau (208454) | more than 7 years ago | (#18766581)

Reinstall everything from scratch and trusted media.

It's not because you think you only have a spambot that there's no trojan/backdoor/rootkit lurking in the background.
Be paranoid: do not trust any executable code, and not even your (hopefully) backed-up data.

Otherwise, you might just end up putting back yet another future spam/DDOS/phishbot on the net.

What is this??? (1)

Bruce Dickinson (1089515) | more than 7 years ago | (#18767565)

Surfing the Web I have come across the http://www.infectedornot.com/ [infectedornot.com] site, which includes two online scanners that apparently scan the PC in a very short time. They also claim to detect more malware than any other antivirus installed on the computer. Supposedly these tools can detect viruses running on the computer. I tried one of them and was actually quite surprised at how fast it was. It didn't detect anything unusual, but asked me to use the second scanner which, so it says, can detect anything malicious on my PC, active or not. I was surprised at the distinction made between active and latent malware. Is it that there are viruses on computers waiting for a specific moment or action to activate? Also, the same page includes statistics showing how many scanned computers were actually infected. Not only that, it says that (about 40% of computers, or something like that) many of these had an antivirus installed. This makes me wonder: if, despite having an up-to-date antivirus installed you still have viruses, then, what purpose does the antivirus serve? The vendor says that it detects over 700,000 viruses, is this true or is it an exaggeration? Thanks and bye!!!

Re:What is this??? (1)

music2myear (702503) | more than 7 years ago | (#18768081)

Mark Hypponen reported in Nov. 2006 that there were over 200,000. Last I'd heard there were about 360,000 total viruses (for all OSes: 30,000 for Mac, 15 for Linux, etc). I'd second guess the assertion of over 700,000 viruses, even with differences in counting variants and definitions of malware/spyware/adware/viruses/etc... I'm not personally familiar with this service, but I've not found many online scanners that do a really good job of scanning, let alone removing.

I have extensive experience with malware removal in a variety of environs. The tool I used most (though there is no ONE tool solution; I'd usually take 6-10 work hours per infected system and 5-10 different tools depending on infection type) was a hacked version of the NOD32 engine that did not need to be installed. I'd copy the latest defs from an installation of NOD32 (by ESET), copy the directory to the infected system and run the executable. It would find usually 90-95% of all infections on the system, and unless they were really deep, it could remove them all too. I'd also run the sysclean.com from Trend Micro (PC-cillin engine) and then specific fixes/removal tools for specific persistent infections.

Botnet mailing list... (1)

A-Slug (890855) | more than 7 years ago | (#18767629)

This is included at the bottom of the botnet mailing list:

--
To report a botnet PRIVATELY please email: c2report@isotf.org

All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets [linuxbox.org]

SANS (2, Informative)

gunnk (463227) | more than 7 years ago | (#18772169)

The good folks at SANS do their best to act as early warning and protection for the net. They'd likely be interested in helping break this up AND they have the appropriate contacts in government and law enforcement to do so.

You can contact them here: http://isc.sans.org/contact.html and see if they are interested or can direct you to the appropriate person or agency contact.

Report to their upstream providers (0)

Anonymous Coward | more than 7 years ago | (#18774171)

Any time I have caught IP addresses of spammers, botnets, flooders, etc., I do the following:

1) Perform a lookup on their IP to determine the netblock owner.

2) If they are spamming a site, perform a whois lookup and write down the technical contact and info about their DNS provider and web provider (perform lookups on those as well and document the contacts).

3) Send an e-mail (usually to the abuse, spam, and help e-mail addresses) for the contacts identified in step 2. Summarize at a high level what happened (including dates and times) and that you wish for an investigation and action to be taken against the violator in accordance with their Acceptable Use Policy and Terms of Service. Attach any logs (obviously evidence goes a long way versus random claims) and indicate the programs you used to log the information and any certifications you have to give yourself credibility. (i.e., if you are a CISSP throw it in your signature... don't bother if you are an MCSE [troll]) :)

I have done this numerous times for spammers and 9 times out of 10 I get e-mails back from the ISPs, upstream providers, webhosts, etc. indicating they will look into it. Most of the time these are cheesy form letters but probably 2-3 out of 10 I get seem like "people" and they occasionally ask me for additional information or inform me that the "annoyance" was taken care of. On one of my e-mail accounts I do this religiously and I get very little spam anymore. Drastic? Maybe. Effective? Definitely. Until ISPs get better controls to mitigate (if not stop) spam, flooding, spoofing, virus promulgation, etc. you have to nickel and dime the abuse@ email address boxes. :)
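The lookup-then-report procedure above, together with the earlier point in this thread that large providers reject attachments and want the evidence as plain text, as an added example that is not any commenter's code: it pulls the abuse contact out of whois output and assembles a plain-text report with the relevant log lines inline. The whois records, log lines, addresses and the two abuse field names are constructed assumptions (ARIN and RIPE style); no network lookup is performed.

```python
import re

# Abuse-contact keys as used by ARIN and RIPE (assumption: other RIRs are similar).
ABUSE_FIELDS = ("OrgAbuseEmail", "abuse-mailbox")

# Constructed whois records in ARIN and RIPE style; documentation ranges only.
SAMPLE_ARIN = """\
NetRange:       192.0.2.0 - 192.0.2.255
OrgName:        Example Netblock Holder
OrgAbuseEmail:  abuse@example.net
OrgTechEmail:   noc@example.net
"""
SAMPLE_RIPE = """\
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-NET
abuse-mailbox:  abuse@example.org
abuse-mailbox:  abuse@example.org
"""

# Constructed firewall log lines: the bot's control connections being dropped.
SAMPLE_LOG = [
    "2007-04-15T02:11:07Z DROP TCP 192.0.2.45:6667 -> 10.0.0.7:1045",
    "2007-04-15T02:11:09Z DROP TCP 192.0.2.45:6667 -> 10.0.0.7:1046",
    "2007-04-15T02:12:30Z DROP TCP 198.51.100.9:25 -> 10.0.0.7:1050",
]

def abuse_contacts(whois_text):
    """Return the distinct abuse addresses listed in a whois record."""
    found = []
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        addr = value.strip()
        if sep and key.strip() in ABUSE_FIELDS and addr and addr not in found:
            found.append(addr)
    return found

def evidence_for(ip, log_lines):
    """Keep only the lines that mention exactly this address (not a prefix of it)."""
    pat = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return [line for line in log_lines if pat.search(line)]

def build_report(ip, log_lines, whois_text):
    """Summary first, evidence inline; returns {'to', 'subject', 'body'}."""
    contacts = abuse_contacts(whois_text)
    if not contacts:
        raise ValueError("no abuse contact listed; escalate to the RIR or upstream")
    lines = evidence_for(ip, log_lines)
    if not lines:
        raise ValueError("no log line mentions %s; nothing to report" % ip)
    body = ["Abuse report: spam-bot control traffic from %s" % ip,
            "%d connection(s) observed, timestamps in UTC; please act under your AUP."
            % len(lines),
            "Log excerpt (inline, not attached):"] + lines
    return {"to": contacts, "subject": "Abuse report: %s" % ip,
            "body": "\n".join(body)}
```

Send the returned body as the message text and keep the full logs on hand for any follow-up question from the provider.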

um (0)

Anonymous Coward | more than 7 years ago | (#18775407)

GO OUTSIDE