RE: Disassembling botnets

["P.B. Wagenaar" <PB.Wagenaar () chello nl>]

Hi Commander Z!

Well it isn't your job to disable the botnet and close down irc servers. All
you can do is inform the ISP and report this all to the police. You are
right if you say that all this won't do you any good.

If you want to see some 'action', you should start a civil case against the
ISP hosting the IRC network. It might sound wrong, but this will wake the
ISP up and they will take the matter very seriously. Ofcourse you don't want
to make the ISP pay for what some hacker did, but this might make them go
after the hacker behind the botnet.

Send them a bill for your damages and wait for their response.

Philip Wagenaar
 
-----Oorspronkelijk bericht-----
Van: Z [mailto:commander_uk () yahoo com] 
Verzonden: woensdag 6 april 2005 2:17
Aan: incidents () securityfocus com
Onderwerp: Disassembling botnets

Hello all,
As a recent victim of a sustained DDoS attack I decided to investigate a
little further into the attack source. One of the compromised machines that
was attacking was serving files on a modified FTP server sitting on a random
port.

I downloaded the file, a packed/crypted .exe file (NAV didn't find anything)
that is obviously a DDoS agent.
Running in a simulated environment, I found the DNS name of the IRC server
it connects to, which at present resolves to an obviously compromised
machine on a residential ISP. I joined the IRC server using techniques
described in http://www.honeynet.org/papers/bots/ and found to my dismay
around 2,000 other compromised users on an obvious botnet IRC server.

Now, what are my next steps? Obviously if I complain to the ISP hosting the
IRC server they will just update the DNS name and move the operation
elsewhere.
The domain appears to use managed DNS hosting (ie no 3rd party nameservers
as best as I can tell), so would the registrar even consider taking it down
based on one report of a single A record pointing to a DDoS net? I really
want to have those responsible brought to justice, but based on my
complaints to previous ISPs of the largest attackers on the DDoS net, I'm
afraid all I'll get is a canned "We have informed the customer" or similar
response. It seems I'll only get one chance at this before they take off to
another box. I'd really like to get some kind of law enforcement involved,
but don't know where to start:
Me and my server are in different countries and this essentially a personal
attack on me - no businesses are involved.

Any thoughts or advice would be appreciated.

Thanks.


Send instant messages to your online friends http://uk.messenger.yahoo.com 

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------

-- 
I am using the free version of SPAMfighter for private users.
It has removed 906 spam emails to date.
Paying users do not have this message in their emails.
Try www.SPAMfighter.com for free now!


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------