Security Incidents mailing list archives
Disassembling botnets
From: Z <commander_uk () yahoo com>
Date: Wed, 6 Apr 2005 01:16:59 +0100 (BST)
Hello all, As a recent victim of a sustained DDoS attack I decided to investigate a little further into the attack source. One of the compromised machines that was attacking was serving files on a modified FTP server sitting on a random port. I downloaded the file, a packed/crypted .exe file (NAV didn't find anything) that is obviously a DDoS agent. Running in a simulated environment, I found the DNS name of the IRC server it connects to, which at present resolves to an obviously compromised machine on a residential ISP. I joined the IRC server using techniques described in http://www.honeynet.org/papers/bots/ and found to my dismay around 2,000 other compromised users on an obvious botnet IRC server. Now, what are my next steps? Obviously if I complain to the ISP hosting the IRC server they will just update the DNS name and move the operation elsewhere. The domain appears to use managed DNS hosting (ie no 3rd party nameservers as best as I can tell), so would the registrar even consider taking it down based on one report of a single A record pointing to a DDoS net? I really want to have those responsible brought to justice, but based on my complaints to previous ISPs of the largest attackers on the DDoS net, I'm afraid all I'll get is a canned "We have informed the customer" or similar response. It seems I'll only get one chance at this before they take off to another box. I'd really like to get some kind of law enforcement involved, but don't know where to start: Me and my server are in different countries and this essentially a personal attack on me - no businesses are involved. Any thoughts or advice would be appreciated. Thanks. Send instant messages to your online friends http://uk.messenger.yahoo.com -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Disassembling botnets Z (Apr 06)
- RE: Disassembling botnets P.B. Wagenaar (Apr 06)
- Re: Disassembling botnets Felikz (Apr 06)
- <Possible follow-ups>
- Re: Disassembling botnets Harlan Carvey (Apr 06)
- Re: Disassembling botnets Jeff Bryner (Apr 06)
- RE: Disassembling botnets P.B. Wagenaar (Apr 06)