Security Incidents mailing list archives
Dismantling Botnets?
From: steven () lovebug org
Date: Tue, 18 Oct 2005 19:58:47 -0700 (PDT)
Hello all,

Every now and then there is discussion on the incidents mailing list about various backdoor/IRC bot trojans that effectively turn the machines into zombies. We have probably all come across infected clients and worked to remove the infection. Sometimes the infections are particularly nasty and involve multiple rootkits and spyware/adware installs that are nearly impossible to remove. These things have numerous ways to spread, including 0-day and old exploits, e-mail, SMB shares, instant messaging clients, and a number of other ways. Regardless of how it spreads, they generally result in a single outcome: a compromised machine that is under complete control of the attacker. This is obviously a major threat to a system's security and possibly to the whole network it is sitting on.

So what is the appropriate action to take? Many of us will just remove the trojan or reblast/format the machine and be done with it. We might even take further steps for quicker detection and removal. Maybe we'll even go as far as to block some of the known/found networks on our firewalls. All of this provides for our best interest, but what about the rest of the Internet? Often there are tens of thousands of other infected clients on these servers. What do we do about the hacked servers and all of the thousands of infected clients? What is the right thing to do? Is there really that much that can be done?

We can e-mail or call the abuse contact in an attempt to shut down the server in question. This probably works a little more than half of the time, but still doesn't solve the problem of the infected clients or tracking down the perpetrator. Do the ISPs/hosting server owners have a responsibility to attempt to remove the trojans from the infected machines? Many of the botnet trojans have uninstall/remove commands that they could theoretically issue. Maybe that is asking too much, but what about trying to catch the person running the botnet?

How often do these ISPs/hosting providers actually provide any of this information to the authorities? Even then, what can and will ever be done? Is there a place where current information can be given and it will truly be investigated and action will be taken? For example, in the past few days I have come across multiple botnets of 30,000-50,000 on each server. In one case I even suspect that the hosting provider might be facilitating the activity. For that reason alone I have avoided reporting this to the hosting provider. Is there a government source that actually takes the information, investigates it, and will actually make something happen?

I think many of us have read the DDoS story on GRC.com before. This guy was actively being attacked and located the live botnet and still couldn't get the authorities to do anything (IIRC). Has anything changed since then?

I know a lot of what I said is an ongoing debate, but I am really wondering if there is a good answer to all of this. Please write back if you have any thoughts on all of this and/or if you know of an entity to report to that cares. If anyone wants to discuss specific experiences with various botnets, also please feel free to contact me off the list if you like.

Thanks,
Steven
Current thread:
- Dismantling Botnets? steven (Oct 19)
- Re: Dismantling Botnets? Bryan Allen (Oct 19)
- Re: Dismantling Botnets? Thorsten Holz (Oct 24)
- Re: Dismantling Botnets? Jerry Dixon (Oct 26)