Security Incidents mailing list archives

Dismantling Botnets?


From: steven () lovebug org
Date: Tue, 18 Oct 2005 19:58:47 -0700 (PDT)

Hello all,

Every now and then there is discussion on the incidents mailing list about
various backdoor/IRC bot trojans that effectively turn the machines into
zombies.  We have probably all come across infected clients and worked to
remove the infection.  Sometimes the infections are particularly nasty and
involve multiple rootkits and spyware/adware installs that are nearly
impossible to remove.

These things have numerous ways to spread to include 0-day and old
exploits, e-mail, SMB shares, instant messaging clients, and a number of
other ways.  Regardless of how it spreads, they generally result in a
single outcome: a compromised machine that is under complete control of
the attacker.  This is obviously a major threat to a system's security and
possibly to the whole network it is sitting on.

So what is the appropriate action to take?  Many of us will just remove
the trojan or reblast/format the machine and be done with it.  We might
even take further steps for quicker detection and removal.  Maybe we'll
even go as far as to block some of the known/found networks on our
firewalls.  All of this provides for our best interest, but what about the
rest of the Internet?  Often there are tens of thousands of other infected
clients on these servers.  What do we do about the hacked servers and all
of the thousands of infected clients?  What is the right thing to do?  Is
there really that much that can be done?

We can e-mail or call the abuse in an attempt to shut down the server in
question.  This probably works a little more than half of the time, but
still doesn't solve the problem of the infected clients or tracking down
the perpetrator.  Do the ISPs/Hosting Server owners have responsibility to
attempt to remove the trojans from the infected machines?  Many of the
botnet trojans have uninstall/remove commands that they could
theoretically issue.  Maybe that is asking too much, but what about trying
to catch the person running the botnet?  How often do these ISPs/hosting
providers actually provide any of this information to the authorities?
Even then what can and will ever be done?

Is there a place where current information can be given and it will truly
be investigated and action will be taken?  For example, in the past few
days I have come across multiple botnets of 30,000-50,000 on each server.
In one case I even suspect that the hosting provider might be facilitating
the activity.  For that reason alone I have avoided reporting this to the
hosting provider.  Is there a government source that actually takes the
information, investigates it, and will actually make something happen?  I
think many of us have read the DDoS story on GRC.com before.  This guy was
actively being attacked and located the live botnet and still couldn't get
the authorities to do anything (IIRC).  Has anything changed since then?

I know a lot of what I said is an ongoing debate, but I am really
wondering if there is a good answer to all of this.  Please write back if
you have any thoughts on all of this and/or if you know of an entity to
report to that cares.  If anyone wants to discuss specific experiences
with various botnets, also please feel free to contact me off the list if you
like.

Thanks,

Steven

