Security Incidents mailing list archives
Re: Dismantling Botnets?
From: Thorsten Holz <thorsten.holz () mmweg rwth-aachen de>
Date: Thu, 20 Oct 2005 15:30:43 +0200
steven () lovebug org wrote:
We can e-mail or call the abuse in an attempt to shut down the server in question. This probably works a little more than half of the time, but still doesn't solve the problem of the infected clients or tracking down the perpetrator. Do the ISPs/Hosting Server owners have responsiblity to attempt to remove the trojans from the infected machines? Many of the botnet trojans have uninstall/remove commands that they could theoretically issue.
This is possible. You have to find the password used by the attackers to "authenticate" themselves to the bots. And often you must have IRC-OP status on the server to change your hostname. Then you can execute commands and for example uninstall the bots from the victim's machine. But there are problems with this approach: What are the legal consequences? What about ethics?
Maybe that is asking too much, but what about trying to catch the person running the botnet? How often do these ISPs/hosting providers actually provide any of this information to the authorities? Even then what can and will ever be done?
Presumably the best documented case in this area is "operation cyberslam" (http://www.reverse.net/operationcyberslam.pdf). Unfortunately, most of the time the authorities don't prosecute the attackers...
Is there a place where current information can be given and it will truly be investigated and action will be taken?
I am one of the authors of the "Know your Enemy: Tracking Botnets" paper (http://www.honeynet.org/papers/bots/) and have some experience in the area of botnets. My advise would be to pass the information about the botnet to your local CERT. There are groups within the CERT community that handle this kind of information. They are quite successful and often can stop the incident. Just my 0.02 Euro, Thorsten
Current thread:
- Dismantling Botnets? steven (Oct 19)
- Re: Dismantling Botnets? Bryan Allen (Oct 19)
- Re: Dismantling Botnets? Thorsten Holz (Oct 24)
- Re: Dismantling Botnets? Jerry Dixon (Oct 26)