Re: Dismantling Botnets?

[Thorsten Holz <thorsten.holz () mmweg rwth-aachen de>]

steven () lovebug org wrote:

> We can e-mail or call the abuse in an attempt to shut down the server
> in question.  This probably works a little more than half of the 
> time, but still doesn't solve the problem of the infected clients or 
> tracking down the perpetrator.  Do the ISPs/Hosting Server owners 
> have responsiblity to attempt to remove the trojans from the infected
> machines?  Many of the botnet trojans have uninstall/remove commands
> that they could theoretically issue.

This is possible. You have to find the password used by the attackers to
"authenticate" themselves to the bots. And often you must have IRC-OP
status on the server to change your hostname. Then you can execute
commands and for example uninstall the bots from the victim's machine.

But there are problems with this approach: What are the legal
consequences? What about ethics?

> Maybe that is asking too much, but what about trying to catch the 
> person running the botnet?  How often do these ISPs/hosting providers
> actually provide any of this information to the authorities? Even 
> then what can and will ever be done?

Presumably the best documented case in this area is "operation
cyberslam" (http://www.reverse.net/operationcyberslam.pdf).
Unfortunately, most of the time the authorities don't prosecute the
attackers...

> Is there a place where current information can be given and it will 
> truly be investigated and action will be taken?

I am one of the authors of the "Know your Enemy: Tracking Botnets" paper
(http://www.honeynet.org/papers/bots/) and have some experience in the
area of botnets. My advise would be to pass the information about the
botnet to your local CERT. There are groups within the CERT community
that handle this kind of information. They are quite successful and
often can stop the incident.

Just my 0.02 Euro,
  Thorsten