Security Incidents mailing list archives

Disassembling botnets


From: Z <commander_uk () yahoo com>
Date: Wed, 6 Apr 2005 01:16:59 +0100 (BST)

Hello all,
As a recent victim of a sustained DDoS attack I
decided to investigate a little further into the
attack source. One of the compromised machines that
was attacking was serving files on a modified FTP
server sitting on a random port.

I downloaded the file, a packed/crypted .exe file (NAV
didn't find anything) that is obviously a DDoS agent.
Running in a simulated environment, I found the DNS
name of the IRC server it connects to, which at
present resolves to an obviously compromised machine
on a residential ISP. I joined the IRC server using
techniques described in
http://www.honeynet.org/papers/bots/ and found to my
dismay around 2,000 other compromised users on an
obvious botnet IRC server.

Now, what are my next steps? Obviously if I complain
to the ISP hosting the IRC server they will just
update the DNS name and move the operation elsewhere.
The domain appears to use managed DNS hosting (i.e. no
3rd party nameservers, as best I can tell), so would
the registrar even consider taking it down based on
one report of a single A record pointing to a DDoS
net? I really want to have those responsible brought
to justice, but based on my complaints to previous
ISPs of the largest attackers on the DDoS net, I'm
afraid all I'll get is a canned "We have informed the
customer" or similar response. It seems I'll only get
one chance at this before they take off to another
box. I'd really like to get some kind of law
enforcement involved, but don't know where to start:
My server and I are in different countries, and this is
essentially a personal attack on me - no businesses
are involved.

Any thoughts or advice would be appreciated.

Thanks.



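The observation steps described in the post (recover the IRC server from the sandboxed sample, sit in the channel, count the membership, note what the herder is telling the bots) can be done with a purely passive IRC client that answers the server's PINGs and otherwise only parses what it is sent. The code below is an added example and is not from the original post or from the honeynet paper it cites. The session transcript, hostnames, nicks, channel name and topic string are all constructed for the example, and BOT_NICK_RE is an assumption about how one bot family might name its clients, not a general rule.

```python
"""Passive parsing of a captured IRC session from a suspected botnet channel.

Added example: parses server-to-client IRC lines (RFC 2812 framing),
answers keepalives, and summarizes the channel the way an observer
sitting quietly in it would want to log it.
"""
import re

# Constructed sample session. Hostnames, nicks, channel and topic are made up;
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_SESSION = (
    ":irc.example.invalid 001 obs :Welcome obs!obs@203.0.113.9\r\n"
    "PING :irc.example.invalid\r\n"
    ":obs!obs@203.0.113.9 JOIN :#c\r\n"
    ":irc.example.invalid 332 obs #c :.ddos.syn 198.51.100.7 80 600\r\n"
    ":irc.example.invalid 353 obs @ #c :@herder obs [DEU|0012345] [USA|0098765]\r\n"
    ":irc.example.invalid 353 obs @ #c :[GBR|0011111] [DEU|0012345] +helper\r\n"
    ":irc.example.invalid 366 obs #c :End of /NAMES list.\r\n"
    ":[DEU|0012345]!x@192.0.2.4 PRIVMSG #c :[DDoS]: flooding 198.51.100.7 for 600s\r\n"
)

# Channel status prefixes that NAMES (353) puts in front of a nick.
STATUS_PREFIXES = "@+%~&"
# Assumed nick template for this (constructed) bot family, e.g. [DEU|0012345].
BOT_NICK_RE = re.compile(r"^\[[A-Z]{3}\|\d{7}\]$")


def parse_line(line):
    """Split one IRC line into (prefix, command, params).

    The prefix is the part after a leading ':' up to the first space; the
    trailing parameter (after ' :') may contain spaces and is kept whole.
    """
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        middle, _, trailing = line.partition(" :")
        params = middle.split() + [trailing]
    else:
        params = line.split()
    command, params = params[0], params[1:]
    return prefix, command, params


def summarize(session_text, own_nick="obs"):
    """Walk a captured session and report channel, topic, members and traffic."""
    report = {
        "channel": None,
        "topic": None,
        "members": set(),
        "templated_nicks": 0,
        "pong_replies": [],
        "channel_traffic": [],
    }
    for raw in session_text.split("\r\n"):
        if not raw:
            continue
        prefix, command, params = parse_line(raw)
        if command == "PING":
            # The only thing a passive observer must send: answer keepalives
            # or the server disconnects us.
            report["pong_replies"].append(("PONG :" + params[0]) if params else "PONG")
        elif command == "332" and len(params) >= 3:
            # Many IRC bots take standing orders from the channel topic.
            report["channel"], report["topic"] = params[1], params[2]
        elif command == "353" and len(params) >= 4:
            # NAMES replies are split over several lines and may repeat a nick;
            # a set gives the distinct population, excluding ourselves.
            for nick in params[3].split():
                nick = nick.lstrip(STATUS_PREFIXES)
                if nick != own_nick:
                    report["members"].add(nick)
        elif command == "PRIVMSG" and len(params) >= 2:
            sender = prefix.split("!", 1)[0] if prefix else "?"
            report["channel_traffic"].append((sender, params[1]))
    report["templated_nicks"] = sum(
        1 for nick in report["members"] if BOT_NICK_RE.match(nick)
    )
    return report


if __name__ == "__main__":
    rep = summarize(SAMPLE_SESSION)
    print("channel:", rep["channel"])
    print("topic  :", rep["topic"])
    print("members:", len(rep["members"]), "templated:", rep["templated_nicks"])
    for sender, text in rep["channel_traffic"]:
        print("traffic:", sender, "->", text)
```

Counting from the 353 replies rather than from the server's LIST output gives the distinct nicks actually present, and excluding your own nick keeps the count honest. The observer sends nothing but PONG; anything else (a JOIN message aside) shows up to whoever is watching the channel and gives them a reason to move the server.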